From 3885835e8c57eb9f3d86efdb8c78d7531f13ff28 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Tue, 17 Nov 2020 18:15:07 -0500 Subject: [PATCH] acl: remove a test-only method --- agent/consul/acl.go | 7 +------ agent/consul/acl_test.go | 43 +++++++++++++++++++++++----------------- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/agent/consul/acl.go b/agent/consul/acl.go index fcef154c4d..acd1fa787d 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -1187,11 +1187,6 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs return identity, acl.NewChainedAuthorizer(chain), nil } -func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) { - _, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token) - return authz, err -} - func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) { if !r.ACLsEnabled() { return nil, nil @@ -1975,7 +1970,7 @@ func (r *ACLResolver) filterACLWithAuthorizer(authorizer acl.Authorizer, subj in // rules configured for the provided token. func (r *ACLResolver) filterACL(token string, subj interface{}) error { // Get the ACL from the token - authorizer, err := r.ResolveToken(token) + _, authorizer, err := r.ResolveTokenToIdentityAndAuthorizer(token) if err != nil { return err } diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index 2544ad79af..68d18e451a 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -9,14 +9,15 @@ import ( "testing" "time" + "github.com/mitchellh/copystructure" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/sdk/testutil" "github.com/hashicorp/consul/sdk/testutil/retry" - "github.com/mitchellh/copystructure" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" ) var testACLPolicy = ` @@ -61,10 +62,23 @@ func verifyAuthorizerChain(t *testing.T, expected acl.Authorizer, actual acl.Aut } func resolveTokenAsync(r *ACLResolver, token string, ch chan *asyncResolutionResult) { - authz, err := r.ResolveToken(token) + _, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token) ch <- &asyncResolutionResult{authz: authz, err: err} } +// Deprecated: use resolveToken or ACLResolver.ResolveTokenToIdentityAndAuthorizer instead +func (r *ACLResolver) ResolveToken(token string) (acl.Authorizer, error) { + _, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token) + return authz, err +} + +func resolveToken(t *testing.T, r *ACLResolver, token string) acl.Authorizer { + t.Helper() + _, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token) + require.NoError(t, err) + return authz +} + func testIdentityForToken(token string) (bool, structs.ACLIdentity, error) { switch token { case "missing-policy": @@ -1739,57 +1753,50 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega }) runTwiceAndReset("Missing Policy", func(t *testing.T) { - authz, err := r.ResolveToken("missing-policy") - require.NoError(t, err) + authz := resolveToken(t, r, "missing-policy") require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.ACLRead(nil)) require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil)) }) runTwiceAndReset("Missing Role", func(t *testing.T) { - authz, err := r.ResolveToken("missing-role") - require.NoError(t, err) + authz := resolveToken(t, r, "missing-role") require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.ACLRead(nil)) require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil)) }) runTwiceAndReset("Missing Policy on Role", func(t *testing.T) { - authz, err := r.ResolveToken("missing-policy-on-role") - require.NoError(t, err) + authz := resolveToken(t, r, "missing-policy-on-role") require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.ACLRead(nil)) require.Equal(t, acl.Deny, authz.NodeWrite("foo", nil)) }) runTwiceAndReset("Normal with Policy", func(t *testing.T) { - authz, err := r.ResolveToken("found") + authz := resolveToken(t, r, "found") require.NotNil(t, authz) - require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) }) runTwiceAndReset("Normal with Role", func(t *testing.T) { - authz, err := r.ResolveToken("found-role") + authz := resolveToken(t, r, "found-role") require.NotNil(t, authz) - require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) }) runTwiceAndReset("Normal with Policy and Role", func(t *testing.T) { - authz, err := r.ResolveToken("found-policy-and-role") + authz := resolveToken(t, r, "found-policy-and-role") require.NotNil(t, authz) - require.NoError(t, err) require.Equal(t, acl.Deny, authz.ACLRead(nil)) require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) require.Equal(t, acl.Allow, authz.ServiceRead("bar", nil)) }) runTwiceAndReset("Role With Node Identity", func(t *testing.T) { - authz, err := r.ResolveToken("found-role-node-identity") - require.NoError(t, err) + authz := resolveToken(t, r, "found-role-node-identity") require.NotNil(t, authz) require.Equal(t, acl.Allow, authz.NodeWrite("test-node", nil)) require.Equal(t, acl.Deny, authz.NodeWrite("test-node-dc2", nil))