From 5c40b717edda62ab353195f8af74001c5b720057 Mon Sep 17 00:00:00 2001
From: Daniel Nephin <dnephin@hashicorp.com>
Date: Wed, 22 Sep 2021 13:38:40 -0400
Subject: [PATCH] config: move acl_ttl to DeprecatedConfig

---
 agent/config/builder.go         | 2 +-
 agent/config/config.go          | 4 +---
 agent/config/default.go         | 2 +-
 agent/config/deprecated.go      | 9 +++++++++
 agent/config/deprecated_test.go | 5 +++++
 agent/config/runtime_test.go    | 1 +
 6 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/agent/config/builder.go b/agent/config/builder.go
index e8c39ec699..4f8da68da3 100644
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@@ -856,7 +856,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 			Datacenter:       datacenter,
 			NodeName:         b.nodeName(c.NodeName),
 			ACLPolicyTTL:     b.durationVal("acl.policy_ttl", c.ACL.PolicyTTL),
-			ACLTokenTTL:      b.durationValWithDefault("acl.token_ttl", c.ACL.TokenTTL, b.durationVal("acl_ttl", c.ACLTTL)),
+			ACLTokenTTL:      b.durationVal("acl.token_ttl", c.ACL.TokenTTL),
 			ACLRoleTTL:       b.durationVal("acl.role_ttl", c.ACL.RoleTTL),
 			ACLDownPolicy:    stringVal(c.ACL.DownPolicy),
 			ACLDefaultPolicy: stringVal(c.ACL.DefaultPolicy),
diff --git a/agent/config/config.go b/agent/config/config.go
index 6ed471685e..8035ceaa4b 100644
--- a/agent/config/config.go
+++ b/agent/config/config.go
@@ -131,9 +131,7 @@ type Cache struct {
 // changed and refactored at will since this will break existing setups.
 type Config struct {
 	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl" stanza
-	ACLEnableKeyListPolicy *bool `mapstructure:"acl_enable_key_list_policy"`
-	// DEPRECATED (ACL-Legacy-Compat) - moved into the "acl.tokens" stanza
-	ACLTTL                           *string             `mapstructure:"acl_ttl"`
+	ACLEnableKeyListPolicy           *bool               `mapstructure:"acl_enable_key_list_policy"`
 	ACL                              ACL                 `mapstructure:"acl"`
 	Addresses                        Addresses           `mapstructure:"addresses"`
 	AdvertiseAddrLAN                 *string             `mapstructure:"advertise_addr"`
diff --git a/agent/config/default.go b/agent/config/default.go
index 5f6b7c40a3..b916b6a93e 100644
--- a/agent/config/default.go
+++ b/agent/config/default.go
@@ -27,8 +27,8 @@ func DefaultSource() Source {
 		Name:   "default",
 		Format: "hcl",
 		Data: `
-		acl_ttl = "30s"
 		acl = {
+			token_ttl = "30s"
 			policy_ttl = "30s"
 			default_policy = "allow"
 			down_policy = "extend-cache"
diff --git a/agent/config/deprecated.go b/agent/config/deprecated.go
index 2ce3218e39..d4b173b41c 100644
--- a/agent/config/deprecated.go
+++ b/agent/config/deprecated.go
@@ -24,6 +24,8 @@ type DeprecatedConfig struct {
 	ACLDefaultPolicy *string `mapstructure:"acl_default_policy"`
 	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.down_policy"
 	ACLDownPolicy *string `mapstructure:"acl_down_policy"`
+	// DEPRECATED (ACL-Legacy-Compat) - moved to "acl.token_ttl"
+	ACLTTL *string `mapstructure:"acl_ttl"`
 }
 
 func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
@@ -97,6 +99,13 @@ func applyDeprecatedConfig(d *decodeTarget) (Config, []string) {
 		warns = append(warns, deprecationWarning("acl_down_policy", "acl.down_policy"))
 	}
 
+	if dep.ACLTTL != nil {
+		if d.Config.ACL.TokenTTL == nil {
+			d.Config.ACL.TokenTTL = dep.ACLTTL
+		}
+		warns = append(warns, deprecationWarning("acl_ttl", "acl.token_ttl"))
+	}
+
 	return d.Config, warns
 }
 
diff --git a/agent/config/deprecated_test.go b/agent/config/deprecated_test.go
index 3082a93f74..edf378f7d1 100644
--- a/agent/config/deprecated_test.go
+++ b/agent/config/deprecated_test.go
@@ -3,6 +3,7 @@ package config
 import (
 	"sort"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 )
@@ -24,6 +25,8 @@ acl_replication_token = "token5"
 acl_default_policy = "deny"
 acl_down_policy = "async-cache"
 
+acl_ttl = "3h"
+
 `},
 	}
 	patchLoadOptsShims(&opts)
@@ -39,6 +42,7 @@ acl_down_policy = "async-cache"
 		deprecationWarning("acl_master_token", "acl.tokens.master"),
 		deprecationWarning("acl_replication_token", "acl.tokens.replication"),
 		deprecationWarning("acl_token", "acl.tokens.default"),
+		deprecationWarning("acl_ttl", "acl.token_ttl"),
 	}
 	sort.Strings(result.Warnings)
 	require.Equal(t, expectWarns, result.Warnings)
@@ -56,6 +60,7 @@ acl_down_policy = "async-cache"
 	require.Equal(t, "token5", rt.ACLTokens.ACLReplicationToken)
 	require.Equal(t, "deny", rt.ACLResolverSettings.ACLDefaultPolicy)
 	require.Equal(t, "async-cache", rt.ACLResolverSettings.ACLDownPolicy)
+	require.Equal(t, 3*time.Hour, rt.ACLResolverSettings.ACLTokenTTL)
 }
 
 func TestLoad_DeprecatedConfig_ACLReplication(t *testing.T) {
diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go
index c4640a1372..2e8c9c3b1c 100644
--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -5923,6 +5923,7 @@ func TestLoad_FullConfig(t *testing.T) {
 		deprecationWarning("enable_acl_replication", "acl.enable_token_replication"),
 		deprecationWarning("acl_default_policy", "acl.default_policy"),
 		deprecationWarning("acl_down_policy", "acl.down_policy"),
+		deprecationWarning("acl_ttl", "acl.token_ttl"),
 		`bootstrap_expect > 0: expecting 53 servers`,
 	}
 	expectedWarns = append(expectedWarns, enterpriseConfigKeyWarnings...)