From 8c9c48e2191829a1fdf203faf892098338ea5e99 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Sat, 22 Jan 2022 14:12:08 -0500
Subject: [PATCH] acl: remove duplicate methods

Now that ACLResolver is embedded we don't need ResolveTokenToIdentity on Client and Server. Moving ResolveTokenAndDefaultMeta to ACLResolver removes the duplicate implementation.
---
 agent/consul/acl.go | 24 ++++++++++++++++++++++++
 agent/consul/acl_client.go | 33 ---------------------------------
 agent/consul/acl_server.go | 30 ------------------------------
 3 files changed, 24 insertions(+), 63 deletions(-)

diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index b475bf1596..797bd22e4f 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -1158,6 +1158,30 @@ func (r *ACLResolver) ACLsEnabled() bool {
 return true
 }
 
+func (r *ACLResolver) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
+ identity, authz, err := r.ResolveTokenToIdentityAndAuthorizer(token)
+ if err != nil {
+ return nil, err
+ }
+
+ if entMeta == nil {
+ entMeta = &structs.EnterpriseMeta{}
+ }
+
+ // Default the EnterpriseMeta based on the Tokens meta or actual defaults
+ // in the case of unknown identity
+ if identity != nil {
+ entMeta.Merge(identity.EnterpriseMetadata())
+ } else {
+ entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
+ }
+
+ // Use the meta to fill in the ACL authorization context
+ entMeta.FillAuthzContext(authzContext)
+
+ return authz, err
+}
+
 // aclFilter is used to filter results from our state store based on ACL rules
 // configured for the provided token.
 type aclFilter struct {
diff --git a/agent/consul/acl_client.go b/agent/consul/acl_client.go
index 89fcd1b81f..0d11906a34 100644
--- a/agent/consul/acl_client.go
+++ b/agent/consul/acl_client.go
@@ -1,7 +1,6 @@
 package consul
 
 import (
- "github.com/hashicorp/consul/acl"
 "github.com/hashicorp/consul/agent/structs"
 )
 
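Review bot: `ResolveTokenAndDefaultMeta`, added to `ACLResolver` in agent/consul/acl.go, becomes the single implementation behind both Client and Server per the commit message, yet it has no doc comment and its side effects on the arguments are easy to miss. A non-nil `entMeta` appears to be merged in place with the token's enterprise metadata (or with the default-partition defaults when `identity` is nil), and `authzContext` is then filled from it, so a caller that reuses either value afterwards is working with the mutated one. I would add a doc comment such as `// ResolveTokenAndDefaultMeta resolves token to an Authorizer and, as a side effect, merges the token's EnterpriseMeta into entMeta and fills authzContext from it.` and state there when a nil identity with a nil error is expected. The final `return authz, err` can only be reached with `err == nil`, so `return authz, nil` would make the success path explicit.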
@@ -43,35 +42,3 @@ func (c *Client) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error
 // clients do no local role resolution at the moment
 return false, nil, nil
 }
-
-func (c *Client) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
- // not using ResolveTokenToIdentityAndAuthorizer because in this case we don't
- // need to resolve the roles, policies and namespace but just want the identity
- // information such as accessor id.
- return c.ACLResolver.ResolveTokenToIdentity(token)
-}
-
-// TODO: Server has an identical implementation, remove duplication
-func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
- identity, authz, err := c.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
- if err != nil {
- return nil, err
- }
-
- if entMeta == nil {
- entMeta = &structs.EnterpriseMeta{}
- }
-
- // Default the EnterpriseMeta based on the Tokens meta or actual defaults
- // in the case of unknown identity
- if identity != nil {
- entMeta.Merge(identity.EnterpriseMetadata())
- } else {
- entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
- }
-
- // Use the meta to fill in the ACL authorization context
- entMeta.FillAuthzContext(authzContext)
-
- return authz, err
-}
diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go
index 28c83ab116..3802145fad 100644
--- a/agent/consul/acl_server.go
+++ b/agent/consul/acl_server.go
@@ -164,37 +164,7 @@ func (s *Server) ResolveToken(token string) (acl.Authorizer, error) {
 return authz, err
 }
 
-func (s *Server) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
- // not using ResolveTokenToIdentityAndAuthorizer because in this case we don't
- // need to resolve the roles, policies and namespace but just want the identity
- // information such as accessor id.
- return s.ACLResolver.ResolveTokenToIdentity(token)
-}
-
 // TODO: Client has an identical implementation, remove duplication
-func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
- identity, authz, err := s.ACLResolver.ResolveTokenToIdentityAndAuthorizer(token)
- if err != nil {
- return nil, err
- }
-
- if entMeta == nil {
- entMeta = &structs.EnterpriseMeta{}
- }
-
- // Default the EnterpriseMeta based on the Tokens meta or actual defaults
- // in the case of unknown identity
- if identity != nil {
- entMeta.Merge(identity.EnterpriseMetadata())
- } else {
- entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
- }
-
- // Use the meta to fill in the ACL authorization context
- entMeta.FillAuthzContext(authzContext)
-
- return authz, err
-}
 
 func (s *Server) filterACL(token string, subj interface{}) error {
 return filterACL(s.ACLResolver, token, subj)
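Review bot: The context line `// TODO: Client has an identical implementation, remove duplication` survives in agent/consul/acl_server.go although the method it described is deleted in this hunk, so it is left as a stale note above `filterACL`. This commit resolves the TODO, and the line should be deleted along with the function so that nobody later reads it as applying to the ACL filtering code. The matching TODO in acl_client.go is removed in its own hunk, so only this one is left behind.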