diff --git a/agent/acl_test.go b/agent/acl_test.go index 3102da4fef..cc2249c675 100644 --- a/agent/acl_test.go +++ b/agent/acl_test.go @@ -37,7 +37,7 @@ type TestACLAgent struct { // NewTestACLAgent does just enough so that all the code within agent/acl.go can work // Basically it needs a local state for some of the vet* functions, a logger and a delegate. -// The key is that we are the delegate so we can control the ResolveTokenSecret responses +// The key is that we are the delegate so we can control the ResolveToken responses func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzResolver, resolveIdent identResolver) *TestACLAgent { t.Helper() @@ -89,9 +89,9 @@ func NewTestACLAgent(t *testing.T, name string, hcl string, resolveAuthz authzRe return a } -func (a *TestACLAgent) ResolveTokenSecret(secretID string) (acl.Authorizer, error) { +func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) { if a.resolveAuthzFn == nil { - return nil, fmt.Errorf("ResolveTokenSecret call is unexpected - no authz resolver callback set") + return nil, fmt.Errorf("ResolveToken call is unexpected - no authz resolver callback set") } _, authz, err := a.resolveAuthzFn(secretID) @@ -99,7 +99,7 @@ func (a *TestACLAgent) ResolveTokenSecret(secretID string) (acl.Authorizer, erro } func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext) (resolver.Result, error) { - authz, err := a.ResolveTokenSecret(secretID) + authz, err := a.ResolveToken(secretID) if err != nil { return resolver.Result{}, err } diff --git a/agent/consul/acl.go b/agent/consul/acl.go index a842b736e8..40df5d3ff7 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -993,10 +993,10 @@ func (r *ACLResolver) resolveLocallyManagedToken(token string) (structs.ACLIdent return r.resolveLocallyManagedEnterpriseToken(token) } -// ResolveTokenSecret to an acl.Authorizer and structs.ACLIdentity. The acl.Authorizer +// ResolveToken to an acl.Authorizer and structs.ACLIdentity. The acl.Authorizer // can be used to check permissions granted to the token using its secret, and the // ACLIdentity describes the token and any defaults applied to it. -func (r *ACLResolver) ResolveTokenSecret(tokenSecretID string) (resolver.Result, error) { +func (r *ACLResolver) ResolveToken(tokenSecretID string) (resolver.Result, error) { if !r.ACLsEnabled() { return resolver.Result{Authorizer: acl.ManageAll()}, nil } @@ -1078,7 +1078,7 @@ func (r *ACLResolver) ResolveTokenAndDefaultMeta( entMeta *acl.EnterpriseMeta, authzContext *acl.AuthorizerContext, ) (resolver.Result, error) { - result, err := r.ResolveTokenSecret(tokenSecretID) + result, err := r.ResolveToken(tokenSecretID) if err != nil { return resolver.Result{}, err } @@ -1121,7 +1121,7 @@ func filterACLWithAuthorizer(logger hclog.Logger, authorizer acl.Authorizer, sub // not authorized for read access will be removed from subj. func filterACL(r *ACLResolver, tokenSecretID string, subj interface{}) error { // Get the ACL from the token - authorizer, err := r.ResolveTokenSecret(tokenSecretID) + authorizer, err := r.ResolveToken(tokenSecretID) if err != nil { return err } diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index 51705b5011..1cbea7779b 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -703,7 +703,7 @@ func (a *ACL) TokenBatchRead(args *structs.ACLTokenBatchGetRequest, reply *struc return err } - authz, err := a.srv.ResolveTokenSecret(args.Token) + authz, err := a.srv.ResolveToken(args.Token) if err != nil { return err } @@ -796,7 +796,7 @@ func (a *ACL) PolicyBatchRead(args *structs.ACLPolicyBatchGetRequest, reply *str return err } - authz, err := a.srv.ResolveTokenSecret(args.Token) + authz, err := a.srv.ResolveToken(args.Token) if err != nil { return err } @@ -1182,7 +1182,7 @@ func (a *ACL) RoleBatchRead(args *structs.ACLRoleBatchGetRequest, reply *structs return err } - authz, err := a.srv.ResolveTokenSecret(args.Token) + authz, err := a.srv.ResolveToken(args.Token) if err != nil { return err } @@ -2115,7 +2115,7 @@ func (a *ACL) Authorize(args *structs.RemoteACLAuthorizationRequest, reply *[]st return err } - authz, err := a.srv.ResolveTokenSecret(args.Token) + authz, err := a.srv.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index eb385d0b4a..b7b28123eb 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -65,13 +65,13 @@ func verifyAuthorizerChain(t *testing.T, expected resolver.Result, actual resolv } func resolveTokenAsync(r *ACLResolver, token string, ch chan *asyncResolutionResult) { - authz, err := r.ResolveTokenSecret(token) + authz, err := r.ResolveToken(token) ch <- &asyncResolutionResult{authz: authz, err: err} } func resolveTokenSecret(t *testing.T, r *ACLResolver, token string) acl.Authorizer { t.Helper() - authz, err := r.ResolveTokenSecret(token) + authz, err := r.ResolveToken(token) require.NoError(t, err) return authz } @@ -732,7 +732,7 @@ func TestACLResolver_Disabled(t *testing.T) { r := newTestACLResolver(t, delegate, nil) - authz, err := r.ResolveTokenSecret("does not exist") + authz, err := r.ResolveToken("does not exist") require.Equal(t, resolver.Result{Authorizer: acl.ManageAll()}, authz) require.Nil(t, err) } @@ -747,19 +747,19 @@ func TestACLResolver_ResolveRootACL(t *testing.T) { r := newTestACLResolver(t, delegate, nil) t.Run("Allow", func(t *testing.T) { - _, err := r.ResolveTokenSecret("allow") + _, err := r.ResolveToken("allow") require.Error(t, err) require.True(t, acl.IsErrRootDenied(err)) }) t.Run("Deny", func(t *testing.T) { - _, err := r.ResolveTokenSecret("deny") + _, err := r.ResolveToken("deny") require.Error(t, err) require.True(t, acl.IsErrRootDenied(err)) }) t.Run("Manage", func(t *testing.T) { - _, err := r.ResolveTokenSecret("manage") + _, err := r.ResolveToken("manage") require.Error(t, err) require.True(t, acl.IsErrRootDenied(err)) }) @@ -805,7 +805,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLDownPolicy = "deny" }) - authz, err := r.ResolveTokenSecret("foo") + authz, err := r.ResolveToken("foo") require.NoError(t, err) require.NotNil(t, authz) expected := resolver.Result{ @@ -833,7 +833,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLDownPolicy = "allow" }) - authz, err := r.ResolveTokenSecret("foo") + authz, err := r.ResolveToken("foo") require.NoError(t, err) require.NotNil(t, authz) expected := resolver.Result{ @@ -862,7 +862,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -871,7 +871,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token // policy cache expired - so we will fail to resolve that policy and use the default policy only - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) require.NotEqual(t, authz, authz2) @@ -899,13 +899,13 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found-role") + authz, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) // role cache expired - so we will fail to resolve that role and use the default policy only - authz2, err := r.ResolveTokenSecret("found-role") + authz2, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz2) require.False(t, authz == authz2) @@ -928,14 +928,14 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLTokenTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) requireIdentityCached(t, r, "found", true, "cached") - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) verifyAuthorizerChain(t, authz, authz2) @@ -957,7 +957,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLDownPolicy = "extend-cache" }) - authz, err := r.ResolveTokenSecret("not-found") + authz, err := r.ResolveToken("not-found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil)) @@ -979,14 +979,14 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLTokenTTL = 0 }) - authz, err := r.ResolveTokenSecret("found-role") + authz, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) requireIdentityCached(t, r, "found-role", true, "still cached") - authz2, err := r.ResolveTokenSecret("found-role") + authz2, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz2) // testing pointer equality - these will be the same object because it is cached. @@ -1011,7 +1011,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1020,7 +1020,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token // Will just use the policy cache - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) verifyAuthorizerChain(t, authz, authz2) @@ -1048,13 +1048,13 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found-role") + authz, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) // Will just use the policy cache - authz2, err := r.ResolveTokenSecret("found-role") + authz2, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz2) verifyAuthorizerChain(t, authz, authz2) @@ -1081,7 +1081,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1090,7 +1090,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token // The identity should have been cached so this should still be valid - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) // testing pointer equality - these will be the same object because it is cached. @@ -1099,7 +1099,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { // the go routine spawned will eventually return with a authz that doesn't have the policy retry.Run(t, func(t *retry.R) { - authz3, err := r.ResolveTokenSecret("found") + authz3, err := r.ResolveToken("found") assert.NoError(t, err) assert.NotNil(t, authz3) assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil)) @@ -1129,13 +1129,13 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found-role") + authz, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) // The identity should have been cached so this should still be valid - authz2, err := r.ResolveTokenSecret("found-role") + authz2, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz2) // testing pointer equality - these will be the same object because it is cached. @@ -1144,7 +1144,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { // the go routine spawned will eventually return with a authz that doesn't have the policy retry.Run(t, func(t *retry.R) { - authz3, err := r.ResolveTokenSecret("found-role") + authz3, err := r.ResolveToken("found-role") assert.NoError(t, err) assert.NotNil(t, authz3) assert.Equal(t, acl.Deny, authz3.NodeWrite("foo", nil)) @@ -1170,7 +1170,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1178,7 +1178,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requirePolicyCached(t, r, "node-wr", true, "cached") // from "found" token requirePolicyCached(t, r, "dc2-key-wr", true, "cached") // from "found" token - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) // testing pointer equality - these will be the same object because it is cached. @@ -1206,7 +1206,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLRoleTTL = 0 }) - authz, err := r.ResolveTokenSecret("found-role") + authz, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1214,7 +1214,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requirePolicyCached(t, r, "node-wr", true, "still cached") // from "found" token requirePolicyCached(t, r, "dc2-key-wr", true, "still cached") // from "found" token - authz2, err := r.ResolveTokenSecret("found-role") + authz2, err := r.ResolveToken("found-role") require.NoError(t, err) require.NotNil(t, authz2) // testing pointer equality - these will be the same object because it is cached. @@ -1238,7 +1238,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { config.Config.ACLTokenTTL = 0 }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1246,7 +1246,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { requireIdentityCached(t, r, "found", true, "cached") // The identity should have been cached so this should still be valid - authz2, err := r.ResolveTokenSecret("found") + authz2, err := r.ResolveToken("found") require.NoError(t, err) require.NotNil(t, authz2) verifyAuthorizerChain(t, authz, authz2) @@ -1254,7 +1254,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { // the go routine spawned will eventually return and this will be a not found error retry.Run(t, func(t *retry.R) { - _, err := r.ResolveTokenSecret("found") + _, err := r.ResolveToken("found") assert.Error(t, err) assert.True(t, acl.IsErrNotFound(err)) }) @@ -1305,7 +1305,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { }) // Prime the standard caches. - authz, err := r.ResolveTokenSecret(secretID) + authz, err := r.ResolveToken(secretID) require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1319,7 +1319,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { // during token resolve. r.cache.RemovePolicy("dc2-key-wr") - _, err = r.ResolveTokenSecret(secretID) + _, err = r.ResolveToken(secretID) require.True(t, acl.IsErrNotFound(err)) requireIdentityCached(t, r, secretID, false, "identity not found cached") @@ -1365,7 +1365,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { }) // Prime the standard caches. - authz, err := r.ResolveTokenSecret(secretID) + authz, err := r.ResolveToken(secretID) require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1379,7 +1379,7 @@ func TestACLResolver_DownPolicy(t *testing.T) { // during token resolve. r.cache.RemovePolicy("dc2-key-wr") - _, err = r.ResolveTokenSecret(secretID) + _, err = r.ResolveToken(secretID) require.True(t, acl.IsErrPermissionDenied(err)) require.Nil(t, r.cache.GetIdentityWithSecretToken(secretID), "identity not stored at all") @@ -1402,7 +1402,7 @@ func TestACLResolver_DatacenterScoping(t *testing.T) { } r := newTestACLResolver(t, delegate, nil) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NotNil(t, authz) require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) @@ -1424,7 +1424,7 @@ func TestACLResolver_DatacenterScoping(t *testing.T) { config.Config.Datacenter = "dc2" }) - authz, err := r.ResolveTokenSecret("found") + authz, err := r.ResolveToken("found") require.NotNil(t, authz) require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) @@ -1505,7 +1505,7 @@ func TestACLResolver_Client(t *testing.T) { // Must use the token secret here in order for the cached identity // to be removed properly. Many other tests just resolve some other // random name and it wont matter but this one cannot. - authz, err := r.ResolveTokenSecret("a1a54629-5050-4d17-8a4e-560d2423f835") + authz, err := r.ResolveToken("a1a54629-5050-4d17-8a4e-560d2423f835") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) @@ -1522,7 +1522,7 @@ func TestACLResolver_Client(t *testing.T) { // then the policy will be resolved but resolution will return ACL not found // resolution will stop with the not found error (even though we still have the // policies within the cache) - _, err = r.ResolveTokenSecret("a1a54629-5050-4d17-8a4e-560d2423f835") + _, err = r.ResolveToken("a1a54629-5050-4d17-8a4e-560d2423f835") require.EqualError(t, err, acl.ErrNotFound.Error()) require.True(t, modified) @@ -1672,7 +1672,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega runTwiceAndReset("Missing Identity", func(t *testing.T) { delegate.UseTestLocalData(nil) - _, err := r.ResolveTokenSecret("doesn't exist") + _, err := r.ResolveToken("doesn't exist") require.Error(t, err) require.True(t, acl.IsErrNotFound(err)) }) @@ -1981,7 +1981,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega // to verify that the keys for caching synthetic policies don't bleed // over between each other. t.Run("synthetic-policy-1", func(t *testing.T) { // service identity - authz, err := r.ResolveTokenSecret("found-synthetic-policy-1") + authz, err := r.ResolveToken("found-synthetic-policy-1") require.NotNil(t, authz) require.NoError(t, err) // spot check some random perms @@ -1995,7 +1995,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil)) }) t.Run("synthetic-policy-2", func(t *testing.T) { // service identity - authz, err := r.ResolveTokenSecret("found-synthetic-policy-2") + authz, err := r.ResolveToken("found-synthetic-policy-2") require.NotNil(t, authz) require.NoError(t, err) // spot check some random perms @@ -2009,7 +2009,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega require.Equal(t, acl.Allow, authz.NodeRead("any-node", nil)) }) t.Run("synthetic-policy-3", func(t *testing.T) { // node identity - authz, err := r.ResolveTokenSecret("found-synthetic-policy-3") + authz, err := r.ResolveToken("found-synthetic-policy-3") require.NoError(t, err) require.NotNil(t, authz) @@ -2025,7 +2025,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega require.Equal(t, acl.Deny, authz.NodeWrite("test-node-dc2", nil)) }) t.Run("synthetic-policy-4", func(t *testing.T) { // node identity - authz, err := r.ResolveTokenSecret("found-synthetic-policy-4") + authz, err := r.ResolveToken("found-synthetic-policy-4") require.NoError(t, err) require.NotNil(t, authz) @@ -2060,7 +2060,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) - authz, err := r.ResolveTokenSecret("") + authz, err := r.ResolveToken("") require.NotNil(t, authz) require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) @@ -2084,7 +2084,7 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) - authz, err := r.ResolveTokenSecret("with-intentions") + authz, err := r.ResolveToken("with-intentions") require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.ServiceRead("", nil)) @@ -2165,7 +2165,7 @@ func TestACLResolver_AgentRecovery(t *testing.T) { tokens.UpdateAgentRecoveryToken("9a184a11-5599-459e-b71a-550e5f9a5a23", token.TokenSourceConfig) - authz, err := r.ResolveTokenSecret("9a184a11-5599-459e-b71a-550e5f9a5a23") + authz, err := r.ResolveToken("9a184a11-5599-459e-b71a-550e5f9a5a23") require.NoError(t, err) require.NotNil(t, authz.ACLIdentity) require.Equal(t, "agent-recovery:foo", authz.ACLIdentity.ID()) @@ -2189,7 +2189,7 @@ func TestACLResolver_ServerManagementToken(t *testing.T) { cfg.Config.NodeName = "foo" }) - authz, err := r.ResolveTokenSecret(testToken) + authz, err := r.ResolveToken(testToken) require.NoError(t, err) require.NotNil(t, authz.ACLIdentity) require.Equal(t, structs.ServerManagementTokenAccessorID, authz.ACLIdentity.ID()) @@ -2292,7 +2292,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) { require.NoError(t, err) testutil.RunStep(t, "first resolve", func(t *testing.T) { - authz, err := srv.ACLResolver.ResolveTokenSecret(token) + authz, err := srv.ACLResolver.ResolveToken(token) require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.KeyRead("foo", nil)) @@ -2311,7 +2311,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) { err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{}) require.NoError(t, err) - authz, err := srv.ACLResolver.ResolveTokenSecret(token) + authz, err := srv.ACLResolver.ResolveToken(token) require.NoError(t, err) require.NotNil(t, authz) require.Equal(t, acl.Deny, authz.KeyRead("foo", nil)) @@ -2327,7 +2327,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) { err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp) require.NoError(t, err) - _, err = srv.ACLResolver.ResolveTokenSecret(token) + _, err = srv.ACLResolver.ResolveToken(token) require.True(t, acl.IsErrNotFound(err), "Error %v is not acl.ErrNotFound", err) }) } diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go index dfd7ee4ed7..29cfc38bec 100644 --- a/agent/consul/connect_ca_endpoint.go +++ b/agent/consul/connect_ca_endpoint.go @@ -60,7 +60,7 @@ func (s *ConnectCA) ConfigurationGet( } // This action requires operator read access. - authz, err := s.srv.ResolveTokenSecret(args.Token) + authz, err := s.srv.ResolveToken(args.Token) if err != nil { return err } @@ -92,7 +92,7 @@ func (s *ConnectCA) ConfigurationSet( } // This action requires operator write access. - authz, err := s.srv.ResolveTokenSecret(args.Token) + authz, err := s.srv.ResolveToken(args.Token) if err != nil { return err } @@ -149,7 +149,7 @@ func (s *ConnectCA) Sign( return err } - authz, err := s.srv.ResolveTokenSecret(args.Token) + authz, err := s.srv.ResolveToken(args.Token) if err != nil { return err } @@ -181,7 +181,7 @@ func (s *ConnectCA) SignIntermediate( } // This action requires operator write access. - authz, err := s.srv.ResolveTokenSecret(args.Token) + authz, err := s.srv.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/federation_state_endpoint.go b/agent/consul/federation_state_endpoint.go index 69004425a8..6aade94883 100644 --- a/agent/consul/federation_state_endpoint.go +++ b/agent/consul/federation_state_endpoint.go @@ -58,7 +58,7 @@ func (c *FederationState) Apply(args *structs.FederationStateRequest, reply *boo defer metrics.MeasureSince([]string{"federation_state", "apply"}, time.Now()) // Fetch the ACL token, if any. - authz, err := c.srv.ResolveTokenSecret(args.Token) + authz, err := c.srv.ResolveToken(args.Token) if err != nil { return err } @@ -104,7 +104,7 @@ func (c *FederationState) Get(args *structs.FederationStateQuery, reply *structs defer metrics.MeasureSince([]string{"federation_state", "get"}, time.Now()) // Fetch the ACL token, if any. - authz, err := c.srv.ResolveTokenSecret(args.Token) + authz, err := c.srv.ResolveToken(args.Token) if err != nil { return err } @@ -143,7 +143,7 @@ func (c *FederationState) List(args *structs.DCSpecificRequest, reply *structs.I defer metrics.MeasureSince([]string{"federation_state", "list"}, time.Now()) // Fetch the ACL token, if any. - authz, err := c.srv.ResolveTokenSecret(args.Token) + authz, err := c.srv.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/internal_endpoint.go b/agent/consul/internal_endpoint.go index 8b5c4a5ebd..2b5e8a1942 100644 --- a/agent/consul/internal_endpoint.go +++ b/agent/consul/internal_endpoint.go @@ -780,7 +780,7 @@ func (m *Internal) KeyringOperation( } // Check ACLs - authz, err := m.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := m.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/operator_autopilot_endpoint.go b/agent/consul/operator_autopilot_endpoint.go index eefecd92ea..babbb79561 100644 --- a/agent/consul/operator_autopilot_endpoint.go +++ b/agent/consul/operator_autopilot_endpoint.go @@ -16,7 +16,7 @@ func (op *Operator) AutopilotGetConfiguration(args *structs.DCSpecificRequest, r } // This action requires operator read access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } @@ -49,7 +49,7 @@ func (op *Operator) AutopilotSetConfiguration(args *structs.AutopilotSetConfigRe } // This action requires operator write access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } @@ -81,7 +81,7 @@ func (op *Operator) ServerHealth(args *structs.DCSpecificRequest, reply *structs } // This action requires operator read access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } @@ -145,7 +145,7 @@ func (op *Operator) AutopilotState(args *structs.DCSpecificRequest, reply *autop } // This action requires operator read access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/operator_raft_endpoint.go b/agent/consul/operator_raft_endpoint.go index 35f657afab..328f8ff964 100644 --- a/agent/consul/operator_raft_endpoint.go +++ b/agent/consul/operator_raft_endpoint.go @@ -18,7 +18,7 @@ func (op *Operator) RaftGetConfiguration(args *structs.DCSpecificRequest, reply } // This action requires operator read access. - authz, err := op.srv.ResolveTokenSecret(args.Token) + authz, err := op.srv.ResolveToken(args.Token) if err != nil { return err } @@ -80,7 +80,7 @@ func (op *Operator) RaftRemovePeerByAddress(args *structs.RaftRemovePeerRequest, // This is a super dangerous operation that requires operator write // access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } @@ -133,7 +133,7 @@ func (op *Operator) RaftRemovePeerByID(args *structs.RaftRemovePeerRequest, repl // This is a super dangerous operation that requires operator write // access. - authz, err := op.srv.ACLResolver.ResolveTokenSecret(args.Token) + authz, err := op.srv.ACLResolver.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/prepared_query_endpoint.go b/agent/consul/prepared_query_endpoint.go index fbda7924b9..ffa4b5e509 100644 --- a/agent/consul/prepared_query_endpoint.go +++ b/agent/consul/prepared_query_endpoint.go @@ -78,7 +78,7 @@ func (p *PreparedQuery) Apply(args *structs.PreparedQueryRequest, reply *string) *reply = args.Query.ID // Get the ACL token for the request for the checks below. - authz, err := p.srv.ResolveTokenSecret(args.Token) + authz, err := p.srv.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/consul/snapshot_endpoint.go b/agent/consul/snapshot_endpoint.go index bdbd3426b6..102bc0a38a 100644 --- a/agent/consul/snapshot_endpoint.go +++ b/agent/consul/snapshot_endpoint.go @@ -58,7 +58,7 @@ func (s *Server) dispatchSnapshotRequest(args *structs.SnapshotRequest, in io.Re // Verify token is allowed to operate on snapshots. There's only a // single ACL sense here (not read and write) since reading gets you // all the ACLs and you could escalate from there. - if authz, err := s.ResolveTokenSecret(args.Token); err != nil { + if authz, err := s.ResolveToken(args.Token); err != nil { return nil, err } else if err := authz.ToAllowAuthorizer().SnapshotAllowed(nil); err != nil { return nil, err diff --git a/agent/consul/txn_endpoint.go b/agent/consul/txn_endpoint.go index 855c461fcc..a1977b9196 100644 --- a/agent/consul/txn_endpoint.go +++ b/agent/consul/txn_endpoint.go @@ -147,7 +147,7 @@ func (t *Txn) Apply(args *structs.TxnRequest, reply *structs.TxnResponse) error defer metrics.MeasureSince([]string{"txn", "apply"}, time.Now()) // Run the pre-checks before we send the transaction into Raft. - authz, err := t.srv.ResolveTokenSecret(args.Token) + authz, err := t.srv.ResolveToken(args.Token) if err != nil { return err } @@ -191,7 +191,7 @@ func (t *Txn) Read(args *structs.TxnReadRequest, reply *structs.TxnReadResponse) } // Run the pre-checks before we perform the read. - authz, err := t.srv.ResolveTokenSecret(args.Token) + authz, err := t.srv.ResolveToken(args.Token) if err != nil { return err } diff --git a/agent/xds/server.go b/agent/xds/server.go index 32177b83d1..490b860f8a 100644 --- a/agent/xds/server.go +++ b/agent/xds/server.go @@ -103,11 +103,11 @@ type ProxyConfigSource interface { // A full description of the XDS protocol can be found at // https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol type Server struct { - NodeName string - Logger hclog.Logger - CfgSrc ProxyConfigSource - ResolveTokenSecret ACLResolverFunc - CfgFetcher ConfigFetcher + NodeName string + Logger hclog.Logger + CfgSrc ProxyConfigSource + ResolveToken ACLResolverFunc + CfgFetcher ConfigFetcher // AuthCheckFrequency is how often we should re-check the credentials used // during a long-lived gRPC Stream after it has been initially established. @@ -164,7 +164,7 @@ func NewServer( NodeName: nodeName, Logger: logger, CfgSrc: cfgMgr, - ResolveTokenSecret: resolveTokenSecret, + ResolveToken: resolveTokenSecret, CfgFetcher: cfgFetcher, AuthCheckFrequency: DefaultAuthCheckFrequency, activeStreams: &activeStreamCounters{}, @@ -191,7 +191,7 @@ func (s *Server) authenticate(ctx context.Context) (acl.Authorizer, error) { return nil, status.Errorf(codes.Internal, "error fetching options from context: %v", err) } - authz, err := s.ResolveTokenSecret(options.Token) + authz, err := s.ResolveToken(options.Token) if acl.IsErrNotFound(err) { return nil, status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err) } else if acl.IsErrPermissionDenied(err) {