diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 77ca6edf3c..658f72a426 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -381,6 +381,9 @@ func (a *ACL) lookupExpandedTokenInfo(ws memdb.WatchSet, state *state.Store, tok
 if err != nil {
 return tokenInfo, err
 }
+ if role == nil {
+ continue
+ }
 for _, policy := range role.Policies {
 policyIDs[policy.ID] = struct{}{}
@@ -404,6 +407,9 @@ func (a *ACL) lookupExpandedTokenInfo(ws memdb.WatchSet, state *state.Store, tok
 if err != nil {
 return tokenInfo, err
 }
+ if policy == nil {
+ continue
+ }
 policies = append(policies, policy)
 }
 for _, policy := range identityPolicies {
diff --git a/api/acl.go b/api/acl.go
index 9989a50b22..bd6d825632 100644
--- a/api/acl.go
+++ b/api/acl.go
@@ -66,8 +66,8 @@ type ACLTokenExpanded struct {
 ExpandedPolicies []ACLPolicy
 ExpandedRoles []ACLRole
- NamespaceDefaultPolicies []string
- NamespaceDefaultRoles []string
+ NamespaceDefaultPolicyIDs []string
+ NamespaceDefaultRoleIDs []string
 AgentACLDefaultPolicy string
 AgentACLDownPolicy string
diff --git a/command/acl/token/formatter.go b/command/acl/token/formatter.go
index cc56710020..7844c9cc41 100644
--- a/command/acl/token/formatter.go
+++ b/command/acl/token/formatter.go
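Review bot: In agent/consul/acl_endpoint.go the new `if role == nil { continue }` guard, and the matching `if policy == nil { continue }` in the second hunk, drop an unresolved link without any trace, so the expanded view of a token can look complete while the token still links to an object the state store no longer returns. Since this endpoint exists to show a token's effective permissions, the guard needs a comment stating when the lookup yields nil without an error (presumably a link that outlived its role or policy), e.g. `// lookup succeeded but found nothing: the link is dangling, skip it rather than dereference nil`. A debug log naming the skipped ID would let an operator spot stale links during an audit. No test that expands a token with such a link is visible in this diff, and lookupExpandedTokenInfo starts and ends outside both hunks.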
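Review bot: In api/acl.go the renamed fields `NamespaceDefaultPolicyIDs` and `NamespaceDefaultRoleIDs` carry no `json` tags, so the decoded key is the Go field name itself, as the golden-file changes in this commit confirm. Nothing visible here ties those names to the server's response, and a mismatch would not fail: the slices would decode as empty and the namespace-default layer would disappear from the expanded token output. A doc comment on the two fields would record the coupling, e.g. `// Field names must match the keys of the server's expanded-token response.`. The struct continues outside the hunk.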
@@ -239,17 +239,17 @@ func (f *prettyFormatter) FormatTokenExpanded(token *api.ACLTokenExpanded) (stri
 buffer.WriteString("=== End of Authorizer Layer 0: Token ===\n")
- if len(token.NamespaceDefaultPolicies) > 0 || len(token.NamespaceDefaultRoles) > 0 {
+ if len(token.NamespaceDefaultPolicyIDs) > 0 || len(token.NamespaceDefaultRoleIDs) > 0 {
 buffer.WriteString("=== Start of Authorizer Layer 1: Token Namespace’s Defaults (Inherited) ===\n")
 buffer.WriteString(fmt.Sprintf("Description: ACL Roles inherited by all Tokens in Namespace %q\n\n", token.Namespace))
 buffer.WriteString("Namespace Policy Defaults:\n")
- for _, policyID := range token.NamespaceDefaultPolicies {
+ for _, policyID := range token.NamespaceDefaultPolicyIDs {
 formatPolicy(policies[policyID], WHITESPACE_2)
 }
 buffer.WriteString("Namespace Role Defaults:\n")
- for _, roleID := range token.NamespaceDefaultRoles {
+ for _, roleID := range token.NamespaceDefaultRoleIDs {
 formatRole(roles[roleID], WHITESPACE_2)
 }
diff --git a/command/acl/token/formatter_test.go b/command/acl/token/formatter_test.go
index ba93e9dc08..aafe1fcfb2 100644
--- a/command/acl/token/formatter_test.go
+++ b/command/acl/token/formatter_test.go
@@ -408,11 +408,11 @@ var expandedTokenTestCases = map[string]testCase{
 },
 },
 },
- NamespaceDefaultPolicies: []string{"2b582ff1-4a43-457f-8a2b-30a8265e29a5"},
- NamespaceDefaultRoles: []string{"56033f2b-e1a6-4905-b71d-e011c862bc65"},
- AgentACLDefaultPolicy: "deny",
- AgentACLDownPolicy: "extend-cache",
- ResolvedByAgent: "server-1",
+ NamespaceDefaultPolicyIDs: []string{"2b582ff1-4a43-457f-8a2b-30a8265e29a5"},
+ NamespaceDefaultRoleIDs: []string{"56033f2b-e1a6-4905-b71d-e011c862bc65"},
+ AgentACLDefaultPolicy: "deny",
+ AgentACLDownPolicy: "extend-cache",
+ ResolvedByAgent: "server-1",
 ACLToken: api.ACLToken{
 AccessorID: "fbd2447f-7479-4329-ad13-b021d74f86ba",
 SecretID: "869c6e91-4de9-4dab-b56e-87548435f9c6",
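Review bot: In command/acl/token/formatter.go the loops over `token.NamespaceDefaultPolicyIDs` and `token.NamespaceDefaultRoleIDs` index `policies[policyID]` and `roles[roleID]` without checking that the ID is present. Because the server side of this commit now skips roles and policies it cannot resolve, an ID listed here may have no entry in the expanded sets, and the formatter would then receive the map's zero value; whether that prints an empty entry or fails depends on how `policies` and `roles` are built, which is outside the hunk. Use the two-value lookup so a missing entry is handled deliberately, e.g. `if p, ok := policies[policyID]; ok { formatPolicy(p, WHITESPACE_2) }`, and print the bare ID otherwise so the reader still sees that the default applies. FormatTokenExpanded starts and ends outside the hunk.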
diff --git a/command/acl/token/testdata/FormatTokenExpanded/oss/basic.json.golden b/command/acl/token/testdata/FormatTokenExpanded/oss/basic.json.golden
index cba80e455a..d03e47d646 100644
--- a/command/acl/token/testdata/FormatTokenExpanded/oss/basic.json.golden
+++ b/command/acl/token/testdata/FormatTokenExpanded/oss/basic.json.golden
@@ -22,8 +22,8 @@
 }
 ],
 "ExpandedRoles": null,
- "NamespaceDefaultPolicies": null,
- "NamespaceDefaultRoles": null,
+ "NamespaceDefaultPolicyIDs": null,
+ "NamespaceDefaultRoleIDs": null,
 "AgentACLDefaultPolicy": "allow",
 "AgentACLDownPolicy": "deny",
 "ResolvedByAgent": "leader",
diff --git a/command/acl/token/testdata/FormatTokenExpanded/oss/complex.json.golden b/command/acl/token/testdata/FormatTokenExpanded/oss/complex.json.golden
index 36931e2192..b0ed45c0d3 100644
--- a/command/acl/token/testdata/FormatTokenExpanded/oss/complex.json.golden
+++ b/command/acl/token/testdata/FormatTokenExpanded/oss/complex.json.golden
@@ -133,10 +133,10 @@
 "ModifyIndex": 0
 }
 ],
- "NamespaceDefaultPolicies": [
+ "NamespaceDefaultPolicyIDs": [
 "2b582ff1-4a43-457f-8a2b-30a8265e29a5"
 ],
- "NamespaceDefaultRoles": [
+ "NamespaceDefaultRoleIDs": [
 "56033f2b-e1a6-4905-b71d-e011c862bc65"
 ],
 "AgentACLDefaultPolicy": "deny",