mirror of https://github.com/status-im/consul.git
acl: remove most of the rest of structs/acl_legacy.go
This commit is contained in:
parent
954b283fec
commit
531f2f8a3f
|
@ -12,7 +12,7 @@ func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error {
|
|||
return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *structs.ACL) error {
|
||||
func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
|
@ -22,10 +22,10 @@ func (a *ACL) Apply(*LegacyACLRequest, *string) error {
|
|||
return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) Get(*structs.ACLSpecificRequest, *structs.IndexedACLs) error {
|
||||
func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
|
||||
}
|
||||
|
||||
func (a *ACL) List(*structs.DCSpecificRequest, *structs.IndexedACLs) error {
|
||||
func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error {
|
||||
return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@ func init() {
|
|||
registerRestorer(structs.TombstoneRequestType, restoreTombstone)
|
||||
registerRestorer(structs.SessionRequestType, restoreSession)
|
||||
registerRestorer(structs.DeprecatedACLRequestType, restoreACL)
|
||||
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap)
|
||||
registerRestorer(structs.ACLBootstrapRequestType, restoreACLBootstrap) // TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
registerRestorer(structs.CoordinateBatchUpdateType, restoreCoordinates)
|
||||
registerRestorer(structs.PreparedQueryRequestType, restorePreparedQuery)
|
||||
registerRestorer(structs.AutopilotRequestType, restoreAutopilot)
|
||||
|
@ -574,9 +574,17 @@ func restoreACL(header *SnapshotHeader, restore *state.Restore, decoder *codec.D
|
|||
return nil
|
||||
}
|
||||
|
||||
// DEPRECATED (ACL-Legacy-Compat) - remove once v1 acl compat is removed
|
||||
func restoreACLBootstrap(header *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
var req structs.ACLBootstrap
|
||||
// TODO(ACL-Legacy-Compat) - remove in phase 2
|
||||
func restoreACLBootstrap(_ *SnapshotHeader, restore *state.Restore, decoder *codec.Decoder) error {
|
||||
type ACLBootstrap struct {
|
||||
// AllowBootstrap will only be true if no existing management tokens
|
||||
// have been found.
|
||||
AllowBootstrap bool
|
||||
|
||||
structs.RaftIndex
|
||||
}
|
||||
|
||||
var req ACLBootstrap
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@ package fsm
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
|
@ -581,7 +582,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
require.NotNil(t, rtoken)
|
||||
require.NotEmpty(t, rtoken.Hash)
|
||||
|
||||
restoredACL, err := rtoken.Convert()
|
||||
restoredACL, err := convertACLTokenToLegacy(rtoken)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, &acl, restoredACL)
|
||||
|
||||
|
@ -734,6 +735,23 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// convertACLTokenToLegacy attempts to convert an ACLToken into an legacy ACL.
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func convertACLTokenToLegacy(tok *structs.ACLToken) (*structs.ACL, error) {
|
||||
if tok.Type == "" {
|
||||
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
|
||||
}
|
||||
|
||||
compat := &structs.ACL{
|
||||
ID: tok.SecretID,
|
||||
Name: tok.Description,
|
||||
Type: tok.Type,
|
||||
Rules: tok.Rules,
|
||||
RaftIndex: tok.RaftIndex,
|
||||
}
|
||||
return compat, nil
|
||||
}
|
||||
|
||||
func TestFSM_BadRestore_OSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
// Create an FSM with some state.
|
||||
|
|
|
@ -6,10 +6,6 @@
|
|||
|
||||
package structs
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
)
|
||||
|
||||
const (
|
||||
// ACLTokenTypeClient tokens have rules applied
|
||||
ACLTokenTypeClient = "client"
|
||||
|
@ -17,9 +13,6 @@ const (
|
|||
// ACLTokenTypeManagement tokens have an always allow policy, so they can
|
||||
// make other tokens and can access all resources.
|
||||
ACLTokenTypeManagement = "management"
|
||||
|
||||
// ACLTokenTypeNone
|
||||
ACLTokenTypeNone = ""
|
||||
)
|
||||
|
||||
// ACL is used to represent a token and its rules
|
||||
|
@ -32,14 +25,11 @@ type ACL struct {
|
|||
RaftIndex
|
||||
}
|
||||
|
||||
// ACLs is a slice of ACLs.
|
||||
type ACLs []*ACL
|
||||
|
||||
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
|
||||
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
|
||||
// upgrade (other than correcting an older HCL syntax that is no longer
|
||||
// supported).
|
||||
// TODO(ACL-Legacy-Compat): remove
|
||||
// TODO(ACL-Legacy-Compat): remove in phase 2, used by snapshot restore
|
||||
func (a *ACL) Convert() *ACLToken {
|
||||
// Ensure that we correct any old HCL in legacy tokens to prevent old
|
||||
// syntax from leaking elsewhere into the system.
|
||||
|
@ -66,48 +56,3 @@ func (a *ACL) Convert() *ACLToken {
|
|||
token.SetHash(true)
|
||||
return token
|
||||
}
|
||||
|
||||
// Convert attempts to convert an ACLToken into an ACLCompat.
|
||||
// TODO(ACL-Legacy-Compat): remove
|
||||
func (tok *ACLToken) Convert() (*ACL, error) {
|
||||
if tok.Type == "" {
|
||||
return nil, fmt.Errorf("Cannot convert ACLToken into compat token")
|
||||
}
|
||||
|
||||
compat := &ACL{
|
||||
ID: tok.SecretID,
|
||||
Name: tok.Description,
|
||||
Type: tok.Type,
|
||||
Rules: tok.Rules,
|
||||
RaftIndex: tok.RaftIndex,
|
||||
}
|
||||
return compat, nil
|
||||
}
|
||||
|
||||
// ACLSpecificRequest is used to request an ACL by ID
|
||||
type ACLSpecificRequest struct {
|
||||
Datacenter string
|
||||
ACL string
|
||||
QueryOptions
|
||||
}
|
||||
|
||||
// RequestDatacenter returns the DC this request is targeted to.
|
||||
func (r *ACLSpecificRequest) RequestDatacenter() string {
|
||||
return r.Datacenter
|
||||
}
|
||||
|
||||
// IndexedACLs has tokens along with the Raft metadata about them.
|
||||
type IndexedACLs struct {
|
||||
ACLs ACLs
|
||||
QueryMeta
|
||||
}
|
||||
|
||||
// ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a
|
||||
// cluster.
|
||||
type ACLBootstrap struct {
|
||||
// AllowBootstrap will only be true if no existing management tokens
|
||||
// have been found.
|
||||
AllowBootstrap bool
|
||||
|
||||
RaftIndex
|
||||
}
|
||||
|
|
|
@ -27,63 +27,3 @@ func TestStructs_ACL_Convert(t *testing.T) {
|
|||
require.Equal(t, acl.ModifyIndex, token.ModifyIndex)
|
||||
require.NotEmpty(t, token.Hash)
|
||||
}
|
||||
|
||||
func TestStructs_ACLToken_Convert(t *testing.T) {
|
||||
|
||||
t.Run("Management", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: []ACLTokenPolicyLink{
|
||||
{
|
||||
ID: ACLPolicyGlobalManagementID,
|
||||
},
|
||||
},
|
||||
Type: ACLTokenTypeManagement,
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, token.SecretID, acl.ID)
|
||||
require.Equal(t, token.Type, acl.Type)
|
||||
require.Equal(t, token.Description, acl.Name)
|
||||
require.Equal(t, "", acl.Rules)
|
||||
})
|
||||
|
||||
t.Run("Client", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: nil,
|
||||
Type: ACLTokenTypeClient,
|
||||
Rules: `acl = "read"`,
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, token.SecretID, acl.ID)
|
||||
require.Equal(t, token.Type, acl.Type)
|
||||
require.Equal(t, token.Description, acl.Name)
|
||||
require.Equal(t, token.Rules, acl.Rules)
|
||||
})
|
||||
|
||||
t.Run("Unconvertible", func(t *testing.T) {
|
||||
token := &ACLToken{
|
||||
AccessorID: "6c4eb178-c7f3-4620-b899-91eb8696c265",
|
||||
SecretID: "67c29ecd-cabc-42e0-a20e-771e9a1ab70c",
|
||||
Description: "new token",
|
||||
Policies: []ACLTokenPolicyLink{
|
||||
{
|
||||
ID: ACLPolicyGlobalManagementID,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
acl, err := token.Convert()
|
||||
require.Error(t, err)
|
||||
require.Nil(t, acl)
|
||||
})
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue