acl: add stub hooks to support some plumbing in enterprise (#4951)

R.B. Boyer 2018-11-13 15:35:54 -06:00 committed by GitHub
parent b3e9281181
commit 934fae659f
5 changed files with 65 additions and 1 deletions


@ -103,6 +103,15 @@ func aclApplyInternal(srv *Server, args *structs.ACLRequest, reply *string) erro
return acl.PermissionDeniedError{Cause: "Cannot modify root ACL"}
}
// Ensure that we allow more permissive rule formats for legacy tokens,
// but that we correct them on the way into the system.
//
// DEPRECATED (ACL-Legacy-Compat)
correctedRules := structs.SanitizeLegacyACLTokenRules(args.ACL.Rules)
if correctedRules != "" {
args.ACL.Rules = correctedRules
}
// Validate the rules compile
_, err := acl.NewPolicyFromSource("", 0, args.ACL.Rules, acl.SyntaxLegacy, srv.sentinel)
if err != nil {
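Review bot: The `if correctedRules != "" { args.ACL.Rules = correctedRules }` guard around `SanitizeLegacyACLTokenRules` is repeated verbatim in `aclTokenSetTxn` and `ACL.Convert`, so the hook's empty-string-means-unchanged contract is re-encoded at three call sites instead of once. Having the hook return its input unchanged when no correction applies would let each site collapse to a single assignment, though the OSS stub and its enterprise counterpart would have to change together. The ordering here is the right one: the corrected text is what `acl.NewPolicyFromSource` validates, so a correction that yields unparseable rules is rejected rather than persisted, which the other two sites do not do. `aclApplyInternal` starts and ends outside the hunk.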


@ -541,6 +541,15 @@ func restoreToken(header *snapshotHeader, restore *state.Restore, decoder *codec
if err := decoder.Decode(&req); err != nil {
return err
}
// DEPRECATED (ACL-Legacy-Compat)
if req.Rules != "" {
// When we restore a snapshot we may have to correct old HCL in legacy
// tokens to prevent the in-memory representation from using an older
// syntax.
structs.SanitizeLegacyACLToken(&req)
}
return restore.ACLToken(&req)
}
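Review bot: The comment above `structs.SanitizeLegacyACLToken(&req)` describes only the HCL correction, while the new stub file documents that in enterprise builds this hook also refreshes the token's `Hash` when one was set, which is the reason the token-level variant rather than the rules-only variant is the right call on the restore path. Adding `// The token-level hook also refreshes req.Hash when the rules change.` would make that visible to a reader who does not open the stub. `restoreToken` starts outside the hunk.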


@ -316,6 +316,17 @@ func (s *Store) aclTokenSetTxn(tx *memdb.Txn, idx uint64, token *structs.ACLToke
return ErrMissingACLTokenAccessor
}
// DEPRECATED (ACL-Legacy-Compat)
if token.Rules != "" {
// When we update a legacy acl token we may have to correct old HCL to
// prevent the propagation of older syntax into the state store and
// into in-memory representations.
correctedRules := structs.SanitizeLegacyACLTokenRules(token.Rules)
if correctedRules != "" {
token.Rules = correctedRules
}
}
// Check for an existing ACL
// DEPRECATED (ACL-Legacy-Compat) - transition to using accessor index instead of secret once v1 compat is removed
existing, err := tx.First("acl-tokens", "id", token.SecretID)
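Review bot: Only `token.Rules` is replaced after `SanitizeLegacyACLTokenRules`, so a token that arrives with a `Hash` computed over the old rule text keeps that stale hash once the corrected rules are stored, whereas the snapshot restore path calls `SanitizeLegacyACLToken(&req)`, which the new stub documents as also updating the hash in enterprise builds. Calling the same token-level hook here, `structs.SanitizeLegacyACLToken(token)`, would keep the two write paths consistent; whether the state store recomputes the hash elsewhere is not visible in this hunk. The rewrite also happens on the caller's `*structs.ACLToken` inside the transaction, so the caller's object is changed even if the transaction later aborts, which is presumably acceptable but worth a comment. `aclTokenSetTxn` starts and ends outside the hunk.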


@ -60,8 +60,18 @@ type ACLs []*ACL
// Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken
// equivalent. This will NOT fill in the other ACLToken fields or perform any other
// upgrade.
// upgrade (other than correcting an older HCL syntax that is no longer
// supported).
func (a *ACL) Convert() *ACLToken {
// Ensure that we correct any old HCL in legacy tokens to prevent old
// syntax from leaking elsewhere into the system.
//
// DEPRECATED (ACL-Legacy-Compat)
correctedRules := SanitizeLegacyACLTokenRules(a.Rules)
if correctedRules != "" {
a.Rules = correctedRules
}
return &ACLToken{
AccessorID: "",
SecretID: a.ID,
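Review bot: `Convert` now writes the corrected rules back into the receiver (`a.Rules = correctedRules`) as a side effect of building the returned `*ACLToken`, which the method's doc comment does not mention and which alters the legacy `ACL` the caller still holds. Keeping the correction local — `rules := a.Rules` followed by `if corrected := SanitizeLegacyACLTokenRules(rules); corrected != "" { rules = corrected }` — and using `rules` in the `ACLToken` literal avoids mutating `a`; if the in-place rewrite is intentional, the doc comment should say `Convert also rewrites a.Rules in place when legacy HCL is corrected.` The `ACLToken` literal continues outside the hunk, so the field that receives the rules is not visible here.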


@ -0,0 +1,25 @@
// +build !ent
package structs
// SanitizeLegacyACLToken does nothing in the OSS builds. It does not mutate
// the input argument at all.
//
// In enterprise builds this hook is necessary to support fixing old multiline
// HCL strings in legacy token Sentinel policies into heredocs. If the token
// was updated and previously had a Hash set, this will also update it.
//
// DEPRECATED (ACL-Legacy-Compat)
func SanitizeLegacyACLToken(token *ACLToken) {
}
// SanitizeLegacyACLTokenRules does nothing in the OSS builds. It always
// returns an empty string.
//
// In enterprise builds this hook is necessary to support fixing any old
// multiline HCL strings in legacy token Sentinel policies into heredocs.
//
// DEPRECATED (ACL-Legacy-Compat)
func SanitizeLegacyACLTokenRules(rules string) string {
return ""
}
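Review bot: The empty-string return of `SanitizeLegacyACLTokenRules` is a sentinel that three call sites in this commit read as "no correction, keep the original", but the doc comment only says the OSS stub always returns it; the contract the enterprise implementation must honour belongs on the function so both builds agree. A line such as `// An empty result means the rules are unchanged and the caller keeps its original string; a non-empty result replaces them.` would pin that down, and the same should be said of `SanitizeLegacyACLToken` regarding which fields it may touch. The `// +build !ent` constraint must be separated from `package structs` by a blank line to be honoured by the toolchain; the rendered page drops blank lines, so this may already be the case.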