From 1344137ce26a847dff226efd0a0e5468a5c1d45a Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 29 Sep 2021 17:19:59 -0400
Subject: [PATCH] acl: move the legacy ACL struct to the one package where it is used

It is now only used for restoring snapshots. We can remove it in phase 2.
---
 agent/consul/fsm/snapshot_oss.go | 41 ++++++++++++++++++++++++--
 agent/consul/fsm/snapshot_oss_test.go | 6 ++--
 agent/structs/acl_legacy.go | 42 ---------------------------
 agent/structs/acl_legacy_test.go | 29 ------------------
 agent/structs/acl_test.go | 37 -----------------------
 5 files changed, 41 insertions(+), 114 deletions(-)
 delete mode 100644 agent/structs/acl_legacy_test.go

diff --git a/agent/consul/fsm/snapshot_oss.go b/agent/consul/fsm/snapshot_oss.go
index c12ffe5dfe..75a590a95e 100644
--- a/agent/consul/fsm/snapshot_oss.go
+++ b/agent/consul/fsm/snapshot_oss.go
@@ -15,7 +15,7 @@ func init() {
 registerRestorer(structs.KVSRequestType, restoreKV)
 registerRestorer(structs.TombstoneRequestType, restoreTombstone)
 registerRestorer(structs.SessionRequestType, restoreSession)
- registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
+ registerRestorer(structs.DeprecatedACLRequestType, restoreACL) // TODO(ACL-Legacy-Compat) - remove in phase 2
 registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap) // TODO(ACL-Legacy-Compat) - remove in phase 2
 registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
 registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
@@ -562,8 +562,9 @@ func restoreSession(header *SnapshotHeader, restore *state.Restore, decoder *cod
 return nil
 }
 
-func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
- var req structs.ACL
+// TODO(ACL-Legacy-Compat) - remove in phase 2
+func restoreACL(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
+ var req LegacyACL
 if err := decoder.Decode(&req); err != nil {
 return err
 }
@@ -574,6 +575,40 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
 return nil
 }
 
+// TODO(ACL-Legacy-Compat) - remove in phase 2
+type LegacyACL struct {
+ ID string
+ Name string
+ Type string
+ Rules string
+
+ structs.RaftIndex
+}
+
+// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
+func (a LegacyACL) Convert() *structs.ACLToken {
+ correctedRules := structs.SanitizeLegacyACLTokenRules(a.Rules)
+ if correctedRules != "" {
+ a.Rules = correctedRules
+ }
+
+ token := &structs.ACLToken{
+ AccessorID: "",
+ SecretID: a.ID,
+ Description: a.Name,
+ Policies: nil,
+ ServiceIdentities: nil,
+ NodeIdentities: nil,
+ Type: a.Type,
+ Rules: a.Rules,
+ Local: false,
+ RaftIndex: a.RaftIndex,
+ }
+
+ token.SetHash(true)
+ return token
+}
+
 // TODO(ACL-Legacy-Compat) - remove in phase 2
 func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
 type ACLBootstrap struct {
diff --git a/agent/consul/fsm/snapshot_oss_test.go b/agent/consul/fsm/snapshot_oss_test.go
index 12dc51040a..c4a7b3faa8 100644
--- a/agent/consul/fsm/snapshot_oss_test.go
+++ b/agent/consul/fsm/snapshot_oss_test.go
@@ -456,7 +456,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 _, err = sink.Write([]byte{byte(structs.DeprecatedACLRequestType)})
 require.NoError(t, err)
 
- acl := structs.ACL{
+ acl := LegacyACL{
 ID: "1057354f-69ef-4487-94ab-aead3c755445",
 Name: "test-legacy",
 Type: "client",
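Review bot: The moved `Convert` keeps only the TODO and drops the doc comment the original carried in agent/structs/acl_legacy.go, so a reader of the fsm package no longer learns that it is a 1-1 mapping that fills in no other ACLToken fields and that the `structs.SanitizeLegacyACLTokenRules` call exists specifically to keep old HCL syntax from leaking out of legacy tokens into the rest of the system; a comment above the method such as `// Convert does a 1-1 mapping of the legacy ACL to its ACLToken equivalent. It fills in no other ACLToken fields; the only rewrite is correcting legacy HCL syntax in Rules so old syntax does not leak into the rest of the system.` would restore that contract. The receiver also changed from `*ACL` to a value `LegacyACL`, so `a.Rules = correctedRules` now updates only the method's copy: the returned token still carries the sanitized rules, but the caller's struct is no longer corrected as before, which matters if restoreACL (whose body is outside this hunk) reads `req.Rules` after calling Convert. Finally, the unit tests deleted in agent/structs/acl_legacy_test.go and agent/structs/acl_test.go (TestStructs_ACL_Convert and the two "Legacy Management" subtests) are not recreated in the fsm package, so the checks that a management-type legacy token converts to a token whose EmbeddedPolicy rules equal ACLPolicyGlobalManagement and that the hash is set are no longer directly covered. restoreACLBootstrap, whose first lines end this hunk, continues outside it.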
@@ -737,12 +737,12 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
 
 // convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
 // TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
-func convertACLTokenToLegacy(tok *structs.ACLToken) (*structs.ACL, error) {
+func convertACLTokenToLegacy(tok *structs.ACLToken) (*LegacyACL, error) {
 if tok.Type == "" {
 return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
 }
 
- compat := &structs.ACL{
+ compat := &LegacyACL{
 ID: tok.SecretID,
 Name: tok.Description,
 Type: tok.Type,
diff --git a/agent/structs/acl_legacy.go b/agent/structs/acl_legacy.go
index 11233b16d5..bc3e4bc1d8 100644
--- a/agent/structs/acl_legacy.go
+++ b/agent/structs/acl_legacy.go
@@ -14,45 +14,3 @@ const (
 // make other tokens and can access all resources.
 ACLTokenTypeManagement = "management"
 )
-
-// ACL is used to represent a token and its rules
-type ACL struct {
- ID string
- Name string
- Type string
- Rules string
-
- RaftIndex
-}
-
-// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
-// equivalent. This will NOT fill in the other ACLToken fields or perform any other
-// upgrade (other than correcting an older HCL syntax that is no longer
-// supported).
-// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
-func (a *ACL) Convert() *ACLToken {
- // Ensure that we correct any old HCL in legacy tokens to prevent old
- // syntax from leaking elsewhere into the system.
- //
- // DEPRECATED (ACL-Legacy-Compat)
- correctedRules := SanitizeLegacyACLTokenRules(a.Rules)
- if correctedRules != "" {
- a.Rules = correctedRules
- }
-
- token := &ACLToken{
- AccessorID: "",
- SecretID: a.ID,
- Description: a.Name,
- Policies: nil,
- ServiceIdentities: nil,
- NodeIdentities: nil,
- Type: a.Type,
- Rules: a.Rules,
- Local: false,
- RaftIndex: a.RaftIndex,
- }
-
- token.SetHash(true)
- return token
-}
diff --git a/agent/structs/acl_legacy_test.go b/agent/structs/acl_legacy_test.go
deleted file mode 100644
index 20c643a9de..0000000000
--- a/agent/structs/acl_legacy_test.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package structs
-
-import (
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-func TestStructs_ACL_Convert(t *testing.T) {
-
- acl := &ACL{
- ID: "guid",
- Name: "AN ACL for testing",
- Type: "client",
- Rules: `service "" { policy "read" }`,
- }
-
- token := acl.Convert()
- require.Equal(t, "", token.AccessorID)
- require.Equal(t, acl.ID, token.SecretID)
- require.Equal(t, acl.Type, token.Type)
- require.Equal(t, acl.Name, token.Description)
- require.Nil(t, token.Policies)
- require.False(t, token.Local)
- require.Equal(t, acl.Rules, token.Rules)
- require.Equal(t, acl.CreateIndex, token.CreateIndex)
- require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
- require.NotEmpty(t, token.Hash)
-}
diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go
index f1e27867c7..64f59661e6 100644
--- a/agent/structs/acl_test.go
+++ b/agent/structs/acl_test.go
@@ -35,43 +35,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
 require.Equal(t, "three", policyIDs[2])
 })
 
- t.Run("Legacy Management", func(t *testing.T) {
-
- a := &ACL{
- ID: "root",
- Type: ACLTokenTypeManagement,
- Name: "management",
- }
-
- token := a.Convert()
-
- policyIDs := token.PolicyIDs()
- require.Len(t, policyIDs, 0)
-
- embedded := token.EmbeddedPolicy()
- require.NotNil(t, embedded)
- require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
- })
-
- t.Run("Legacy Management With Rules", func(t *testing.T) {
-
- a := &ACL{
- ID: "root",
- Type: ACLTokenTypeManagement,
- Name: "management",
- Rules: "operator = \"write\"",
- }
-
- token := a.Convert()
-
- policyIDs := token.PolicyIDs()
- require.Len(t, policyIDs, 0)
-
- embedded := token.EmbeddedPolicy()
- require.NotNil(t, embedded)
- require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
- })
-
 t.Run("No Policies", func(t *testing.T) {
 token := &ACLToken{}