acl: remove most of the rest of structs/acl_legacy.go

This commit is contained in:
Daniel Nephin 2021-09-29 17:11:01 -04:00
parent 954b283fec
commit 531f2f8a3f
5 changed files with 35 additions and 124 deletions

View File

@ -12,7 +12,7 @@ func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error {
return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed")
}
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *structs.ACL) error {
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed")
}
@ -22,10 +22,10 @@ func (a *ACL) Apply(*LegacyACLRequest, *string) error {
return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed")
}
func (a *ACL) Get(*structs.ACLSpecificRequest, *structs.IndexedACLs) error {
func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
}
func (a *ACL) List(*structs.DCSpecificRequest, *structs.IndexedACLs) error {
func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error {
return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
}

View File

@ -16,7 +16,7 @@ func init() {
registerRestorer(structs.TombstoneRequestType, restoreTombstone)
registerRestorer(structs.SessionRequestType, restoreSession)
registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap)
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap) // TODO(ACL-Legacy-Compat) - remove in phase 2
registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
registerRestorer(structs.AutopilotRequestType, restoreAutopilot)
@ -574,9 +574,17 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
return nil
}
// DEPRECATED (ACL-Legacy-Compat) - remove once v1 acl compat is removed
func restoreACLBootstrap(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
var req structs.ACLBootstrap
// TODO(ACL-Legacy-Compat) - remove in phase 2
func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
type ACLBootstrap struct {
// AllowBootstrap will only be true if no existing management tokens
// have been found.
AllowBootstrap bool
structs.RaftIndex
}
var req ACLBootstrap
if err := decoder.Decode(&req); err != nil {
return err
}

View File

@ -2,6 +2,7 @@ package fsm
import (
"bytes"
"fmt"
"testing"
"time"
@ -581,7 +582,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
require.NotNil(t, rtoken)
require.NotEmpty(t, rtoken.Hash)
restoredACL, err := rtoken.Convert()
restoredACL, err := convertACLTokenToLegacy(rtoken)
require.NoError(t, err)
require.Equal(t, &acl, restoredACL)
@ -734,6 +735,23 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
}
}
// convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
func convertACLTokenToLegacy(tok *structs.ACLToken) (*structs.ACL, error) {
if tok.Type == "" {
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
}
compat := &structs.ACL{
ID: tok.SecretID,
Name: tok.Description,
Type: tok.Type,
Rules: tok.Rules,
RaftIndex: tok.RaftIndex,
}
return compat, nil
}
func TestFSM_BadRestore_OSS(t *testing.T) {
t.Parallel()
// Create an FSM with some state.

View File

@ -6,10 +6,6 @@
package structs
import (
"fmt"
)
const (
// ACLTokenTypeClient tokens have rules applied
ACLTokenTypeClient = "client"
@ -17,9 +13,6 @@ const (
// ACLTokenTypeManagement tokens have an always allow policy, so they can
// make other tokens and can access all resources.
ACLTokenTypeManagement = "management"
// ACLTokenTypeNone
ACLTokenTypeNone = ""
)
// ACL is used to represent a token and its rules
@ -32,14 +25,11 @@ type ACL struct {
RaftIndex
}
// ACLs is a slice of ACLs.
type ACLs []*ACL
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
// upgrade (other than correcting an older HCL syntax that is no longer
// supported).
// TODO(ACL-Legacy-Compat): remove
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
func (a *ACL) Convert() *ACLToken {
// Ensure that we correct any old HCL in legacy tokens to prevent old
// syntax from leaking elsewhere into the system.
@ -66,48 +56,3 @@ func (a *ACL) Convert() *ACLToken {
token.SetHash(true)
return token
}
// Convert attempts to convert an ACLToken into an ACLCompat.
// TODO(ACL-Legacy-Compat): remove
func (tok *ACLToken) Convert() (*ACL, error) {
if tok.Type == "" {
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
}
compat := &ACL{
ID: tok.SecretID,
Name: tok.Description,
Type: tok.Type,
Rules: tok.Rules,
RaftIndex: tok.RaftIndex,
}
return compat, nil
}
// ACLSpecificRequest is used to request an ACL by ID
type ACLSpecificRequest struct {
Datacenter string
ACL string
QueryOptions
}
// RequestDatacenter returns the DC this request is targeted to.
func (r *ACLSpecificRequest) RequestDatacenter() string {
return r.Datacenter
}
// IndexedACLs has tokens along with the Raft metadata about them.
type IndexedACLs struct {
ACLs ACLs
QueryMeta
}
// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
// cluster.
type ACLBootstrap struct {
// AllowBootstrap will only be true if no existing management tokens
// have been found.
AllowBootstrap bool
RaftIndex
}

View File

@ -27,63 +27,3 @@ func TestStructs_ACL_Convert(t *testing.T) {
require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
require.NotEmpty(t, token.Hash)
}
func TestStructs_ACLToken_Convert(t *testing.T) {
t.Run("Management", func(t *testing.T) {
token := &ACLToken{
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
Description: "new token",
Policies: []ACLTokenPolicyLink{
{
ID: ACLPolicyGlobalManagementID,
},
},
Type: ACLTokenTypeManagement,
}
acl, err := token.Convert()
require.NoError(t, err)
require.Equal(t, token.SecretID, acl.ID)
require.Equal(t, token.Type, acl.Type)
require.Equal(t, token.Description, acl.Name)
require.Equal(t, "", acl.Rules)
})
t.Run("Client", func(t *testing.T) {
token := &ACLToken{
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
Description: "new token",
Policies: nil,
Type: ACLTokenTypeClient,
Rules: `acl = "read"`,
}
acl, err := token.Convert()
require.NoError(t, err)
require.Equal(t, token.SecretID, acl.ID)
require.Equal(t, token.Type, acl.Type)
require.Equal(t, token.Description, acl.Name)
require.Equal(t, token.Rules, acl.Rules)
})
t.Run("Unconvertible", func(t *testing.T) {
token := &ACLToken{
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
Description: "new token",
Policies: []ACLTokenPolicyLink{
{
ID: ACLPolicyGlobalManagementID,
},
},
}
acl, err := token.Convert()
require.Error(t, err)
require.Nil(t, acl)
})
}