From 31e034215f59dcfa1f79604c4adcffece7d51de0 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Fri, 6 Aug 2021 18:39:39 -0400 Subject: [PATCH] acl: remove ACLResolver config fields from consul.Config --- agent/agent.go | 16 +--- agent/consul/acl.go | 1 - agent/consul/acl_endpoint.go | 4 +- agent/consul/acl_test.go | 20 ++--- agent/consul/auto_config_endpoint.go | 12 +-- agent/consul/auto_config_endpoint_test.go | 40 +++++----- agent/consul/catalog_endpoint_test.go | 16 ++-- agent/consul/client.go | 12 +-- agent/consul/config.go | 80 +++++++------------ agent/consul/config_endpoint_test.go | 12 +-- agent/consul/connect_ca_endpoint_test.go | 4 +- agent/consul/coordinate_endpoint_test.go | 6 +- agent/consul/discovery_chain_endpoint_test.go | 2 +- .../consul/federation_state_endpoint_test.go | 10 +-- agent/consul/health_endpoint_test.go | 4 +- agent/consul/intention_endpoint_test.go | 18 ++--- agent/consul/internal_endpoint_test.go | 12 +-- agent/consul/kvs_endpoint_test.go | 10 +-- agent/consul/leader_connect_test.go | 4 +- .../consul/leader_federation_state_ae_test.go | 4 +- agent/consul/leader_intentions_test.go | 4 +- agent/consul/leader_test.go | 26 +++--- .../operator_autopilot_endpoint_test.go | 4 +- agent/consul/operator_raft_endpoint_test.go | 6 +- agent/consul/prepared_query_endpoint_test.go | 18 ++--- agent/consul/rpc_test.go | 4 +- agent/consul/server.go | 12 +-- agent/consul/server_test.go | 2 +- agent/consul/session_endpoint_test.go | 6 +- agent/consul/snapshot_endpoint_test.go | 2 +- agent/consul/txn_endpoint_test.go | 4 +- 31 files changed, 155 insertions(+), 220 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index 7c582c20ff..53888ec784 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -1115,21 +1115,7 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co if runtimeCfg.ACLMasterToken != "" { cfg.ACLMasterToken = runtimeCfg.ACLMasterToken } - if runtimeCfg.ACLTokenTTL != 0 { - cfg.ACLTokenTTL = runtimeCfg.ACLTokenTTL - } - if runtimeCfg.ACLPolicyTTL != 0 { - cfg.ACLPolicyTTL = runtimeCfg.ACLPolicyTTL - } - if runtimeCfg.ACLRoleTTL != 0 { - cfg.ACLRoleTTL = runtimeCfg.ACLRoleTTL - } - if runtimeCfg.ACLDefaultPolicy != "" { - cfg.ACLDefaultPolicy = runtimeCfg.ACLDefaultPolicy - } - if runtimeCfg.ACLDownPolicy != "" { - cfg.ACLDownPolicy = runtimeCfg.ACLDownPolicy - } + // TODO: cfg.ACLResolverSettings = runtimeCfg.ACLResolverSettings cfg.ACLTokenReplication = runtimeCfg.ACLTokenReplication cfg.ACLsEnabled = runtimeCfg.ACLsEnabled if runtimeCfg.ACLEnableKeyListPolicy { diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 49fdde84da..87302bb684 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -212,7 +212,6 @@ type ACLResolverConfig struct { Tokens *token.Store } -// TODO: remove these fields from consul.Config and config.RuntimeConfig // TODO: rename the fields to remove the ACL prefix type ACLResolverSettings struct { ACLsEnabled bool diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index ca17ce1702..c6939b1466 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -1390,7 +1390,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru } // Get the policy via the cache - parent := a.srv.config.ACLDefaultPolicy + parent := a.srv.config.ACLResolverSettings.ACLDefaultPolicy ident, policy, err := a.srv.acls.GetMergedPolicyForToken(args.ACL) if err != nil { @@ -1409,7 +1409,7 @@ func (a *ACL) GetPolicy(args *structs.ACLPolicyResolveLegacyRequest, reply *stru // Setup the response reply.ETag = etag - reply.TTL = a.srv.config.ACLTokenTTL + reply.TTL = a.srv.config.ACLResolverSettings.ACLTokenTTL a.srv.setQueryMeta(&reply.QueryMeta) // Only send the policy on an Etag mis-match diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index 804e775f62..d6861fec1a 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -718,21 +718,11 @@ func (d *ACLResolverTestDelegate) RPC(method string, args interface{}, reply int func newTestACLResolver(t *testing.T, delegate *ACLResolverTestDelegate, cb func(*ACLResolverConfig)) *ACLResolver { config := DefaultConfig() - config.ACLDefaultPolicy = "deny" - config.ACLDownPolicy = "extend-cache" - config.ACLsEnabled = delegate.enabled + config.ACLResolverSettings.ACLDefaultPolicy = "deny" + config.ACLResolverSettings.ACLDownPolicy = "extend-cache" + config.ACLResolverSettings.ACLsEnabled = delegate.enabled rconf := &ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Logger: testutil.Logger(t), CacheConfig: &structs.ACLCachesConfig{ Identities: 4, @@ -2215,7 +2205,7 @@ func TestACL_Replication(t *testing.T) { dir2, s2 := testServerWithConfig(t, func(c *Config) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLDownPolicy = aclDownPolicy c.ACLTokenReplication = true c.ACLReplicationRate = 100 diff --git a/agent/consul/auto_config_endpoint.go b/agent/consul/auto_config_endpoint.go index 82c13acbc2..82b59c8695 100644 --- a/agent/consul/auto_config_endpoint.go +++ b/agent/consul/auto_config_endpoint.go @@ -188,12 +188,12 @@ func (ac *AutoConfig) updateTLSCertificatesInConfig(opts AutoConfigOptions, resp func (ac *AutoConfig) updateACLsInConfig(opts AutoConfigOptions, resp *pbautoconf.AutoConfigResponse) error { acl := &pbconfig.ACL{ Enabled: ac.config.ACLsEnabled, - PolicyTTL: ac.config.ACLPolicyTTL.String(), - RoleTTL: ac.config.ACLRoleTTL.String(), - TokenTTL: ac.config.ACLTokenTTL.String(), - DisabledTTL: ac.config.ACLDisabledTTL.String(), - DownPolicy: ac.config.ACLDownPolicy, - DefaultPolicy: ac.config.ACLDefaultPolicy, + PolicyTTL: ac.config.ACLResolverSettings.ACLPolicyTTL.String(), + RoleTTL: ac.config.ACLResolverSettings.ACLRoleTTL.String(), + TokenTTL: ac.config.ACLResolverSettings.ACLTokenTTL.String(), + DisabledTTL: ac.config.ACLResolverSettings.ACLDisabledTTL.String(), + DownPolicy: ac.config.ACLResolverSettings.ACLDownPolicy, + DefaultPolicy: ac.config.ACLResolverSettings.ACLDefaultPolicy, EnableKeyListPolicy: ac.config.ACLEnableKeyListPolicy, } diff --git a/agent/consul/auto_config_endpoint_test.go b/agent/consul/auto_config_endpoint_test.go index 929bd9146c..58335a65c9 100644 --- a/agent/consul/auto_config_endpoint_test.go +++ b/agent/consul/auto_config_endpoint_test.go @@ -716,15 +716,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { cases := map[string]testCase{ "enabled": { config: Config{ - Datacenter: testDC, - PrimaryDatacenter: testDC, - ACLsEnabled: true, - ACLPolicyTTL: 7 * time.Second, - ACLRoleTTL: 10 * time.Second, - ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "deny", + Datacenter: testDC, + PrimaryDatacenter: testDC, + ACLsEnabled: true, + ACLResolverSettings: ACLResolverSettings{ + ACLPolicyTTL: 7 * time.Second, + ACLRoleTTL: 10 * time.Second, + ACLTokenTTL: 12 * time.Second, + ACLDisabledTTL: 31 * time.Second, + ACLDefaultPolicy: "allow", + ACLDownPolicy: "deny", + }, ACLEnableKeyListPolicy: true, }, expectACLToken: true, @@ -748,15 +750,17 @@ func TestAutoConfig_updateACLsInConfig(t *testing.T) { }, "disabled": { config: Config{ - Datacenter: testDC, - PrimaryDatacenter: testDC, - ACLsEnabled: false, - ACLPolicyTTL: 7 * time.Second, - ACLRoleTTL: 10 * time.Second, - ACLTokenTTL: 12 * time.Second, - ACLDisabledTTL: 31 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "deny", + Datacenter: testDC, + PrimaryDatacenter: testDC, + ACLsEnabled: false, + ACLResolverSettings: ACLResolverSettings{ + ACLPolicyTTL: 7 * time.Second, + ACLRoleTTL: 10 * time.Second, + ACLTokenTTL: 12 * time.Second, + ACLDisabledTTL: 31 * time.Second, + ACLDefaultPolicy: "allow", + ACLDownPolicy: "deny", + }, ACLEnableKeyListPolicy: true, }, expectACLToken: false, diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index b160c8dcbc..5b0ea4542e 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -183,7 +183,7 @@ func TestCatalog_Register_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -429,7 +429,7 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -558,7 +558,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1298,7 +1298,7 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2416,7 +2416,7 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2711,7 +2711,7 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) codec = rpcClient(t, srv) @@ -2874,7 +2874,7 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -3287,7 +3287,7 @@ func TestCatalog_GatewayServices_ACLFiltering(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/client.go b/agent/consul/client.go index b966919181..c7e8d94c7c 100644 --- a/agent/consul/client.go +++ b/agent/consul/client.go @@ -123,17 +123,7 @@ func NewClient(config *Config, deps Deps) (*Client, error) { c.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Delegate: c, Logger: c.logger, AutoDisable: true, diff --git a/agent/consul/config.go b/agent/consul/config.go index d31dcc478b..eebf48559f 100644 --- a/agent/consul/config.go +++ b/agent/consul/config.go @@ -175,6 +175,8 @@ type Config struct { // operators track which versions are actively deployed Build string + ACLResolverSettings ACLResolverSettings + // ACLEnabled is used to enable ACLs ACLsEnabled bool @@ -183,25 +185,6 @@ type Config struct { // that the Master token is available. This provides the initial token. ACLMasterToken string - // ACLTokenTTL controls the time-to-live of cached ACL tokens. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLTokenTTL time.Duration - - // ACLPolicyTTL controls the time-to-live of cached ACL policies. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLPolicyTTL time.Duration - - // ACLRoleTTL controls the time-to-live of cached ACL roles. - // It can be set to zero to disable caching, but this adds - // a substantial cost. - ACLRoleTTL time.Duration - - // ACLDisabledTTL is the time between checking if ACLs should be - // enabled. This - ACLDisabledTTL time.Duration - // ACLTokenReplication is used to enabled token replication. // // By default policy-only replication is enabled. When token @@ -209,20 +192,6 @@ type Config struct { // yet upgraded to the new ACLs no replication will be performed ACLTokenReplication bool - // ACLDefaultPolicy is used to control the ACL interaction when - // there is no defined policy. This can be "allow" which means - // ACLs are used to deny-list, or "deny" which means ACLs are - // allow-lists. - ACLDefaultPolicy string - - // ACLDownPolicy controls the behavior of ACLs if the PrimaryDatacenter - // cannot be contacted. It can be either "deny" to deny all requests, - // "extend-cache" or "async-cache" which ignores the ACLCacheInterval and - // uses cached policies. - // If a policy is not in the cache, it acts like deny. - // "allow" can be used to allow all requests. This is not recommended. - ACLDownPolicy string - // ACLReplicationRate is the max number of replication rounds that can // be run per second. Note that either 1 or 2 RPCs are used during each replication // round @@ -438,19 +407,20 @@ func (c *Config) CheckProtocolVersion() error { } // CheckACL validates the ACL configuration. +// TODO: move this to ACLResolverSettings func (c *Config) CheckACL() error { - switch c.ACLDefaultPolicy { + switch c.ACLResolverSettings.ACLDefaultPolicy { case "allow": case "deny": default: - return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLDefaultPolicy) + return fmt.Errorf("Unsupported default ACL policy: %s", c.ACLResolverSettings.ACLDefaultPolicy) } - switch c.ACLDownPolicy { + switch c.ACLResolverSettings.ACLDownPolicy { case "allow": case "deny": case "async-cache", "extend-cache": default: - return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLDownPolicy) + return fmt.Errorf("Unsupported down ACL policy: %s", c.ACLResolverSettings.ACLDownPolicy) } return nil } @@ -463,21 +433,27 @@ func DefaultConfig() *Config { } conf := &Config{ - Build: version.Version, - Datacenter: DefaultDC, - NodeName: hostname, - RPCAddr: DefaultRPCAddr, - RaftConfig: raft.DefaultConfig(), - SerfLANConfig: libserf.DefaultConfig(), - SerfWANConfig: libserf.DefaultConfig(), - SerfFloodInterval: 60 * time.Second, - ReconcileInterval: 60 * time.Second, - ProtocolVersion: ProtocolVersion2Compatible, - ACLRoleTTL: 30 * time.Second, - ACLPolicyTTL: 30 * time.Second, - ACLTokenTTL: 30 * time.Second, - ACLDefaultPolicy: "allow", - ACLDownPolicy: "extend-cache", + Build: version.Version, + Datacenter: DefaultDC, + NodeName: hostname, + RPCAddr: DefaultRPCAddr, + RaftConfig: raft.DefaultConfig(), + SerfLANConfig: libserf.DefaultConfig(), + SerfWANConfig: libserf.DefaultConfig(), + SerfFloodInterval: 60 * time.Second, + ReconcileInterval: 60 * time.Second, + ProtocolVersion: ProtocolVersion2Compatible, + ACLResolverSettings: ACLResolverSettings{ + ACLsEnabled: false, + Datacenter: DefaultDC, + NodeName: hostname, + ACLPolicyTTL: 30 * time.Second, + ACLTokenTTL: 30 * time.Second, + ACLRoleTTL: 30 * time.Second, + ACLDisabledTTL: 30 * time.Second, + ACLDownPolicy: "extend-cache", + ACLDefaultPolicy: "allow", + }, ACLReplicationRate: 1, ACLReplicationBurst: 5, ACLReplicationApplyLimit: 100, // ops / sec diff --git a/agent/consul/config_endpoint_test.go b/agent/consul/config_endpoint_test.go index da45107864..7eba5ad15f 100644 --- a/agent/consul/config_endpoint_test.go +++ b/agent/consul/config_endpoint_test.go @@ -155,7 +155,7 @@ func TestConfigEntry_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -284,7 +284,7 @@ func TestConfigEntry_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -497,7 +497,7 @@ func TestConfigEntry_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -582,7 +582,7 @@ func TestConfigEntry_ListAll_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -741,7 +741,7 @@ func TestConfigEntry_Delete_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1963,7 +1963,7 @@ func TestConfigEntry_ResolveServiceConfig_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go index 4482860948..45341fd55f 100644 --- a/agent/consul/connect_ca_endpoint_test.go +++ b/agent/consul/connect_ca_endpoint_test.go @@ -164,7 +164,7 @@ func TestConnectCAConfig_GetSet_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1109,7 +1109,7 @@ func TestConnectCASignValidation(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/coordinate_endpoint_test.go b/agent/consul/coordinate_endpoint_test.go index 5d9d183e7a..5741450f7c 100644 --- a/agent/consul/coordinate_endpoint_test.go +++ b/agent/consul/coordinate_endpoint_test.go @@ -197,7 +197,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -373,7 +373,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -565,7 +565,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/discovery_chain_endpoint_test.go b/agent/consul/discovery_chain_endpoint_test.go index 294a78721c..16e3fb562e 100644 --- a/agent/consul/discovery_chain_endpoint_test.go +++ b/agent/consul/discovery_chain_endpoint_test.go @@ -27,7 +27,7 @@ func TestDiscoveryChainEndpoint_Get(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/federation_state_endpoint_test.go b/agent/consul/federation_state_endpoint_test.go index b48f42b210..9bee48f6a6 100644 --- a/agent/consul/federation_state_endpoint_test.go +++ b/agent/consul/federation_state_endpoint_test.go @@ -117,7 +117,7 @@ func TestFederationState_Apply_Upsert_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -238,7 +238,7 @@ func TestFederationState_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -410,7 +410,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -426,7 +426,7 @@ func TestFederationState_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() @@ -686,7 +686,7 @@ func TestFederationState_Apply_Delete_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/health_endpoint_test.go b/agent/consul/health_endpoint_test.go index 54b8ff86cd..bc34c2c6de 100644 --- a/agent/consul/health_endpoint_test.go +++ b/agent/consul/health_endpoint_test.go @@ -984,7 +984,7 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1298,7 +1298,7 @@ func TestHealth_ServiceNodes_Ingress_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go index bef7bedd4b..4857bc09d8 100644 --- a/agent/consul/intention_endpoint_test.go +++ b/agent/consul/intention_endpoint_test.go @@ -863,7 +863,7 @@ func TestIntentionApply_aclDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1268,7 +1268,7 @@ func TestIntentionApply_aclDelete(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1349,7 +1349,7 @@ func TestIntentionApply_aclUpdate(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1418,7 +1418,7 @@ func TestIntentionApply_aclManagement(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1463,7 +1463,7 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1528,7 +1528,7 @@ func TestIntentionGet_acl(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1932,7 +1932,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1968,7 +1968,7 @@ func TestIntentionCheck_defaultACLAllow(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2004,7 +2004,7 @@ func TestIntentionCheck_aclDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/internal_endpoint_test.go b/agent/consul/internal_endpoint_test.go index e03fb6b95f..a4d64d2565 100644 --- a/agent/consul/internal_endpoint_test.go +++ b/agent/consul/internal_endpoint_test.go @@ -563,8 +563,8 @@ func TestInternal_EventFire_Token(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDownPolicy = "deny" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDownPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir) defer srv.Shutdown() @@ -962,7 +962,7 @@ func TestInternal_GatewayServiceDump_Terminating_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1305,7 +1305,7 @@ func TestInternal_GatewayServiceDump_Ingress_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1908,7 +1908,7 @@ func TestInternal_ServiceTopology_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2045,7 +2045,7 @@ func TestInternal_IntentionUpstreams_ACL(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/kvs_endpoint_test.go b/agent/consul/kvs_endpoint_test.go index 7e62aa8ea0..398e9e305f 100644 --- a/agent/consul/kvs_endpoint_test.go +++ b/agent/consul/kvs_endpoint_test.go @@ -85,7 +85,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -205,7 +205,7 @@ func TestKVS_Get_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -426,7 +426,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -516,7 +516,7 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLEnableKeyListPolicy = true }) defer os.RemoveAll(dir1) @@ -719,7 +719,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/leader_connect_test.go b/agent/consul/leader_connect_test.go index 038f2f0ff6..fe32e4ed11 100644 --- a/agent/consul/leader_connect_test.go +++ b/agent/consul/leader_connect_test.go @@ -205,7 +205,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) { c.Build = "1.6.0" c.ACLsEnabled = true c.ACLMasterToken = masterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits c.CAConfig.Config["test_state"] = dc1State @@ -223,7 +223,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) { c.PrimaryDatacenter = "primary" c.Build = "1.6.0" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = true c.CAConfig.Config["PrivateKeyType"] = tc.keyType c.CAConfig.Config["PrivateKeyBits"] = tc.keyBits diff --git a/agent/consul/leader_federation_state_ae_test.go b/agent/consul/leader_federation_state_ae_test.go index f2c483b4f9..8971334969 100644 --- a/agent/consul/leader_federation_state_ae_test.go +++ b/agent/consul/leader_federation_state_ae_test.go @@ -360,7 +360,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -374,7 +374,7 @@ func TestLeader_FederationStateAntiEntropyPruning_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) testrpc.WaitForLeader(t, s2.RPC, "dc2") defer os.RemoveAll(dir2) diff --git a/agent/consul/leader_intentions_test.go b/agent/consul/leader_intentions_test.go index 0294d00949..79f1d771ea 100644 --- a/agent/consul/leader_intentions_test.go +++ b/agent/consul/leader_intentions_test.go @@ -30,7 +30,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.Build = "1.6.0" c.OverrideInitialSerfTags = func(tags map[string]string) { tags["ft_si"] = "0" @@ -64,7 +64,7 @@ func TestLeader_ReplicateIntentions(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = false c.Build = "1.6.0" c.OverrideInitialSerfTags = func(tags map[string]string) { diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go index 8527ea9e9d..7463b794df 100644 --- a/agent/consul/leader_test.go +++ b/agent/consul/leader_test.go @@ -32,7 +32,7 @@ func TestLeader_RegisterMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -109,7 +109,7 @@ func TestLeader_FailedMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -175,7 +175,7 @@ func TestLeader_LeftMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -227,7 +227,7 @@ func TestLeader_ReapMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -294,7 +294,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = true }) defer os.RemoveAll(dir1) @@ -304,7 +304,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir2) @@ -314,7 +314,7 @@ func TestLeader_CheckServersMeta(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir3) @@ -402,7 +402,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = true }) defer os.RemoveAll(dir1) @@ -412,7 +412,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir2) @@ -422,7 +422,7 @@ func TestLeader_ReapServer(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "allow" + c.ACLResolverSettings.ACLDefaultPolicy = "allow" c.Bootstrap = false }) defer os.RemoveAll(dir3) @@ -483,7 +483,7 @@ func TestLeader_Reconcile_ReapMember(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -537,7 +537,7 @@ func TestLeader_Reconcile(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -892,7 +892,7 @@ func TestLeader_ReapTombstones(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.TombstoneTTL = 50 * time.Millisecond c.TombstoneTTLGranularity = 10 * time.Millisecond }) diff --git a/agent/consul/operator_autopilot_endpoint_test.go b/agent/consul/operator_autopilot_endpoint_test.go index 62a3a3926f..5b8b7b2cd6 100644 --- a/agent/consul/operator_autopilot_endpoint_test.go +++ b/agent/consul/operator_autopilot_endpoint_test.go @@ -55,7 +55,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.AutopilotConfig.CleanupDeadServers = false }) defer os.RemoveAll(dir1) @@ -159,7 +159,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.AutopilotConfig.CleanupDeadServers = false }) defer os.RemoveAll(dir1) diff --git a/agent/consul/operator_raft_endpoint_test.go b/agent/consul/operator_raft_endpoint_test.go index 53a7752e39..252bd14ba5 100644 --- a/agent/consul/operator_raft_endpoint_test.go +++ b/agent/consul/operator_raft_endpoint_test.go @@ -73,7 +73,7 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -221,7 +221,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -350,7 +350,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.RaftConfig.ProtocolVersion = 3 }) defer os.RemoveAll(dir1) diff --git a/agent/consul/prepared_query_endpoint_test.go b/agent/consul/prepared_query_endpoint_test.go index 6ebf05a5c2..64ee6a2276 100644 --- a/agent/consul/prepared_query_endpoint_test.go +++ b/agent/consul/prepared_query_endpoint_test.go @@ -201,7 +201,7 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -647,7 +647,7 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -866,7 +866,7 @@ func TestPreparedQuery_Get(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1124,7 +1124,7 @@ func TestPreparedQuery_List(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1337,7 +1337,7 @@ func TestPreparedQuery_Explain(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1478,7 +1478,7 @@ func TestPreparedQuery_Execute(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -1490,7 +1490,7 @@ func TestPreparedQuery_Execute(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() @@ -2784,7 +2784,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -2794,7 +2794,7 @@ func TestPreparedQuery_Wrapper(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir2) defer s2.Shutdown() diff --git a/agent/consul/rpc_test.go b/agent/consul/rpc_test.go index 25ac960768..99d174b1da 100644 --- a/agent/consul/rpc_test.go +++ b/agent/consul/rpc_test.go @@ -829,7 +829,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) { dir1, s1 := testServerWithConfig(t, func(c *Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLMasterToken = "root" }) defer os.RemoveAll(dir1) @@ -842,7 +842,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) { c.Datacenter = "dc2" c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" c.ACLTokenReplication = true c.ACLReplicationRate = 100 c.ACLReplicationBurst = 100 diff --git a/agent/consul/server.go b/agent/consul/server.go index f9885348d2..97e092a1b8 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -426,17 +426,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) { s.aclConfig = newACLConfig(logger) s.useNewACLs = 0 aclConfig := ACLResolverConfig{ - Config: ACLResolverSettings{ - ACLsEnabled: config.ACLsEnabled, - Datacenter: config.Datacenter, - NodeName: config.NodeName, - ACLPolicyTTL: config.ACLPolicyTTL, - ACLTokenTTL: config.ACLTokenTTL, - ACLRoleTTL: config.ACLRoleTTL, - ACLDisabledTTL: config.ACLDisabledTTL, - ACLDownPolicy: config.ACLDownPolicy, - ACLDefaultPolicy: config.ACLDefaultPolicy, - }, + Config: config.ACLResolverSettings, Delegate: s, CacheConfig: serverACLCacheConfig, AutoDisable: false, diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go index 0dd19156c5..ce57c44dc3 100644 --- a/agent/consul/server_test.go +++ b/agent/consul/server_test.go @@ -77,7 +77,7 @@ func testServerACLConfig(cb func(*Config)) func(*Config) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = TestDefaultMasterToken - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" if cb != nil { cb(c) diff --git a/agent/consul/session_endpoint_test.go b/agent/consul/session_endpoint_test.go index a3476cd1fa..8615f8715a 100644 --- a/agent/consul/session_endpoint_test.go +++ b/agent/consul/session_endpoint_test.go @@ -157,7 +157,7 @@ func TestSession_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -395,7 +395,7 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -754,7 +754,7 @@ func TestSession_Renew_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/snapshot_endpoint_test.go b/agent/consul/snapshot_endpoint_test.go index a1fa1efb89..44f0dda432 100644 --- a/agent/consul/snapshot_endpoint_test.go +++ b/agent/consul/snapshot_endpoint_test.go @@ -272,7 +272,7 @@ func TestSnapshot_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() diff --git a/agent/consul/txn_endpoint_test.go b/agent/consul/txn_endpoint_test.go index a23cdf1929..53f9b36ded 100644 --- a/agent/consul/txn_endpoint_test.go +++ b/agent/consul/txn_endpoint_test.go @@ -322,7 +322,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown() @@ -857,7 +857,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) { c.PrimaryDatacenter = "dc1" c.ACLsEnabled = true c.ACLMasterToken = "root" - c.ACLDefaultPolicy = "deny" + c.ACLResolverSettings.ACLDefaultPolicy = "deny" }) defer os.RemoveAll(dir1) defer s1.Shutdown()