diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index d3d4e2a517..08ddfb4965 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -2,7 +2,6 @@ package agent

 import (
 "fmt"
- "io/ioutil"
 "net/http"
 "strings"

@@ -74,37 +73,6 @@ func (s *HTTPHandlers) ACLReplicationStatus(resp http.ResponseWriter, req *http.
 return out, nil
 }

-func (s *HTTPHandlers) ACLRulesTranslate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
- if s.checkACLDisabled(resp, req) {
- return nil, nil
- }
-
- var token string
- s.parseToken(req, &token)
- authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, nil, nil)
- if err != nil {
- return nil, err
- }
- // Should this require lesser permissions? Really the only reason to require authorization at all is
- // to prevent external entities from DoS Consul with repeated rule translation requests
- if authz.ACLRead(nil) != acl.Allow {
- return nil, acl.ErrPermissionDenied
- }
-
- policyBytes, err := ioutil.ReadAll(req.Body)
- if err != nil {
- return nil, BadRequestError{Reason: fmt.Sprintf("Failed to read body: %v", err)}
- }
-
- translated, err := acl.TranslateLegacyRules(policyBytes)
- if err != nil {
- return nil, BadRequestError{Reason: err.Error()}
- }
-
- resp.Write(translated)
- return nil, nil
-}
-
 func (s *HTTPHandlers) ACLPolicyList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
 if s.checkACLDisabled(resp, req) {
 return nil, nil
diff --git a/agent/acl_endpoint_test.go b/agent/acl_endpoint_test.go
index 0debb7da80..9c149c60ef 100644
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@@ -45,7 +45,6 @@ func TestACL_Disabled_Response(t *testing.T) {
 {"ACLBootstrap", a.srv.ACLBootstrap},
 {"ACLReplicationStatus", a.srv.ACLReplicationStatus},
 {"AgentToken", a.srv.AgentToken}, // See TestAgent_Token
- {"ACLRulesTranslate", a.srv.ACLRulesTranslate},
 {"ACLPolicyList", a.srv.ACLPolicyList},
 {"ACLPolicyCRUD", a.srv.ACLPolicyCRUD},
 {"ACLPolicyCreate", a.srv.ACLPolicyCreate},
diff --git a/agent/http_register.go b/agent/http_register.go
index 7a7e750820..2e3d98ade1 100644
--- a/agent/http_register.go
+++ b/agent/http_register.go
@@ -19,8 +19,6 @@ func init() {
 registerEndpoint("/v1/acl/auth-methods", []string{"GET"}, (*HTTPHandlers).ACLAuthMethodList)
 registerEndpoint("/v1/acl/auth-method", []string{"PUT"}, (*HTTPHandlers).ACLAuthMethodCreate)
 registerEndpoint("/v1/acl/auth-method/", []string{"GET", "PUT", "DELETE"}, (*HTTPHandlers).ACLAuthMethodCRUD)
- registerEndpoint("/v1/acl/rules/translate", []string{"POST"}, (*HTTPHandlers).ACLRulesTranslate)
- registerEndpoint("/v1/acl/rules/translate/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/tokens", []string{"GET"}, (*HTTPHandlers).ACLTokenList)
 registerEndpoint("/v1/acl/token", []string{"PUT"}, (*HTTPHandlers).ACLTokenCreate)
 registerEndpoint("/v1/acl/token/self", []string{"GET"}, (*HTTPHandlers).ACLTokenSelf)
@@ -126,4 +124,6 @@ func init() {
 registerEndpoint("/v1/acl/info/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/clone/", []string{"PUT"}, (*HTTPHandlers).ACLLegacy)
 registerEndpoint("/v1/acl/list", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
+ registerEndpoint("/v1/acl/rules/translate", []string{"POST"}, (*HTTPHandlers).ACLLegacy)
+ registerEndpoint("/v1/acl/rules/translate/", []string{"GET"}, (*HTTPHandlers).ACLLegacy)
 }
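Review bot: Nothing in this diff asserts what a client now gets from `POST /v1/acl/rules/translate` once the two `registerEndpoint` lines added at the end of `init()` in agent/http_register.go point it at `ACLLegacy`. The only test change is dropping the `ACLRulesTranslate` row from `TestACL_Disabled_Response`. `ACLLegacy`'s body is not part of the diff, so it is worth confirming that it answers without reading the request body or resolving a token, since the deleted handler required `ACLRead` before doing any work and the route is now reachable without that check. I would add a test case that sends a POST to the path and checks the `ACLLegacy` response, plus a comment above the new lines such as `// Rule translation has been removed; the routes stay registered so callers receive the ACLLegacy response.`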