diff --git a/.changelog/15922.txt b/.changelog/15922.txt new file mode 100644 index 0000000000..96cd488012 --- /dev/null +++ b/.changelog/15922.txt @@ -0,0 +1,3 @@ +```release-note:breaking-change +acl: remove all functionality and references for legacy acl policies. +``` \ No newline at end of file diff --git a/acl/acl_test.go b/acl/acl_test.go index fae37e5a64..78f9320729 100644 --- a/acl/acl_test.go +++ b/acl/acl_test.go @@ -7,31 +7,6 @@ import ( "github.com/stretchr/testify/require" ) -func legacyPolicy(policy *Policy) *Policy { - return &Policy{ - PolicyRules: PolicyRules{ - Agents: policy.Agents, - AgentPrefixes: policy.Agents, - Nodes: policy.Nodes, - NodePrefixes: policy.Nodes, - Keys: policy.Keys, - KeyPrefixes: policy.Keys, - Services: policy.Services, - ServicePrefixes: policy.Services, - Sessions: policy.Sessions, - SessionPrefixes: policy.Sessions, - Events: policy.Events, - EventPrefixes: policy.Events, - PreparedQueries: policy.PreparedQueries, - PreparedQueryPrefixes: policy.PreparedQueries, - Keyring: policy.Keyring, - Operator: policy.Operator, - Mesh: policy.Mesh, - Peering: policy.Peering, - }, - } -} - // // The following 1 line functions are created to all conform to what // can be stored in the aclCheck type to make defining ACL tests @@ -561,7 +536,7 @@ func TestACL(t *testing.T) { name: "AgentBasicDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -577,8 +552,22 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root", + Policy: PolicyRead, + }, + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "ro", check: checkDenyAgentRead}, @@ -601,7 +590,7 @@ func TestACL(t *testing.T) { name: "AgentBasicDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -617,8 +606,22 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root", + Policy: PolicyRead, + }, + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "ro", check: checkAllowAgentRead}, @@ -641,7 +644,7 @@ func TestACL(t *testing.T) { name: "PreparedQueryDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ PreparedQueries: []*PreparedQueryRule{ { @@ -649,8 +652,14 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "other", + Policy: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ // in version 1.2.1 and below this would have failed @@ -665,7 +674,7 @@ func TestACL(t *testing.T) { name: "AgentNestedDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -685,9 +694,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -707,8 +734,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "nope", check: checkDenyAgentRead}, @@ -745,7 +790,7 @@ func TestACL(t *testing.T) { name: "AgentNestedDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -765,9 +810,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -787,8 +850,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadAllowed", prefix: "nope", check: checkAllowAgentRead}, @@ -1679,7 +1760,7 @@ func TestACL(t *testing.T) { name: "NodeDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1699,9 +1780,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "root-nope", + Policy: PolicyDeny, + }, + { + Name: "root-ro", + Policy: PolicyRead, + }, + { + Name: "root-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1721,8 +1820,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "child-nope", + Policy: PolicyDeny, + }, + { + Name: "child-ro", + Policy: PolicyRead, + }, + { + Name: "child-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll}, @@ -1760,7 +1877,7 @@ func TestACL(t *testing.T) { name: "NodeDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1780,9 +1897,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "root-nope", + Policy: PolicyDeny, + }, + { + Name: "root-ro", + Policy: PolicyRead, + }, + { + Name: "root-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1802,8 +1937,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "child-nope", + Policy: PolicyDeny, + }, + { + Name: "child-ro", + Policy: PolicyRead, + }, + { + Name: "child-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll}, @@ -1841,7 +1994,7 @@ func TestACL(t *testing.T) { name: "SessionDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1861,9 +2014,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1883,8 +2054,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "nope", check: checkDenySessionRead}, @@ -1921,7 +2110,7 @@ func TestACL(t *testing.T) { name: "SessionDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1941,9 +2130,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1963,8 +2170,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadAllowed", prefix: "nope", check: checkAllowSessionRead}, @@ -2001,7 +2226,7 @@ func TestACL(t *testing.T) { name: "Parent", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Keys: []*KeyRule{ { @@ -2013,6 +2238,16 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/", + Policy: PolicyWrite, + }, + { + Prefix: "bar/", + Policy: PolicyRead, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "other", @@ -2023,6 +2258,16 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "other", + Policy: PolicyWrite, + }, + { + Prefix: "foo", + Policy: PolicyRead, + }, + }, Services: []*ServiceRule{ { Name: "other", @@ -2033,9 +2278,19 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "other", + Policy: PolicyWrite, + }, + { + Name: "foo", + Policy: PolicyRead, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Keys: []*KeyRule{ { @@ -2051,20 +2306,46 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/priv/", + Policy: PolicyRead, + }, + { + Prefix: "bar/", + Policy: PolicyDeny, + }, + { + Prefix: "zip/", + Policy: PolicyRead, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "bar", Policy: PolicyDeny, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "bar", + Policy: PolicyDeny, + }, + }, Services: []*ServiceRule{ { Name: "bar", Policy: PolicyDeny, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "bar", + Policy: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll}, @@ -2113,7 +2394,7 @@ func TestACL(t *testing.T) { name: "ComplexDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Events: []*EventRule{ { @@ -2129,6 +2410,20 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + EventPrefixes: []*EventRule{ + { + Event: "", + Policy: PolicyRead, + }, + { + Event: "foo", + Policy: PolicyWrite, + }, + { + Event: "bar", + Policy: PolicyDeny, + }, + }, Keys: []*KeyRule{ { Prefix: "foo/", @@ -2151,6 +2446,28 @@ func TestACL(t *testing.T) { Policy: PolicyList, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/", + Policy: PolicyWrite, + }, + { + Prefix: "foo/priv/", + Policy: PolicyDeny, + }, + { + Prefix: "bar/", + Policy: PolicyDeny, + }, + { + Prefix: "zip/", + Policy: PolicyRead, + }, + { + Prefix: "zap/", + Policy: PolicyList, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "", @@ -2169,6 +2486,24 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "", + Policy: PolicyRead, + }, + { + Prefix: "foo", + Policy: PolicyWrite, + }, + { + Prefix: "bar", + Policy: PolicyDeny, + }, + { + Prefix: "zoo", + Policy: PolicyWrite, + }, + }, Services: []*ServiceRule{ { Name: "", @@ -2193,8 +2528,32 @@ func TestACL(t *testing.T) { Intentions: PolicyDeny, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "", + Policy: PolicyWrite, + }, + { + Name: "foo", + Policy: PolicyRead, + }, + { + Name: "bar", + Policy: PolicyDeny, + }, + { + Name: "barfoo", + Policy: PolicyWrite, + Intentions: PolicyWrite, + }, + { + Name: "intbaz", + Policy: PolicyWrite, + Intentions: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll}, @@ -2905,7 +3264,7 @@ func TestACL_ReadAll(t *testing.T) { body := func(t *testing.T, rules string, defaultPolicy Authorizer, check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)) { t.Helper() - policy, err := NewPolicyFromSource(rules, SyntaxCurrent, nil, nil) + policy, err := NewPolicyFromSource(rules, nil, nil) require.NoError(t, err) acl, err := NewPolicyAuthorizerWithDefaults(defaultPolicy, []*Policy{policy}, nil) diff --git a/acl/authorizer.go b/acl/authorizer.go index 6842283b18..1ecf9f2afe 100644 --- a/acl/authorizer.go +++ b/acl/authorizer.go @@ -586,9 +586,8 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx // NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with // the parse policy. -// TODO(ACL-Legacy-Compat): remove syntax arg after removing SyntaxLegacy -func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) { - policy, err := NewPolicyFromSource(rules, syntax, conf, meta) +func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) { + policy, err := NewPolicyFromSource(rules, conf, meta) if err != nil { return nil, err } diff --git a/acl/policy.go b/acl/policy.go index 59c3df8b3c..de97bc544d 100644 --- a/acl/policy.go +++ b/acl/policy.go @@ -1,15 +1,8 @@ package acl import ( - "bytes" "fmt" - "strconv" "strings" - - "github.com/hashicorp/hcl" - "github.com/hashicorp/hcl/hcl/ast" - hclprinter "github.com/hashicorp/hcl/hcl/printer" - "github.com/hashicorp/hcl/hcl/token" ) type SyntaxVersion int @@ -297,7 +290,7 @@ func (pr *PolicyRules) Validate(conf *Config) error { return nil } -func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) { +func parse(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) { p, err := decodeRules(rules, conf, meta) if err != nil { return nil, err @@ -314,126 +307,10 @@ func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Poli return p, nil } -// TODO(ACL-Legacy-Compat): remove in phase 2 -func parseLegacy(rules string, conf *Config) (*Policy, error) { - p := &Policy{} - - type LegacyPolicy struct { - Agents []*AgentRule `hcl:"agent,expand"` - Keys []*KeyRule `hcl:"key,expand"` - Nodes []*NodeRule `hcl:"node,expand"` - Services []*ServiceRule `hcl:"service,expand"` - Sessions []*SessionRule `hcl:"session,expand"` - Events []*EventRule `hcl:"event,expand"` - PreparedQueries []*PreparedQueryRule `hcl:"query,expand"` - Keyring string `hcl:"keyring"` - Operator string `hcl:"operator"` - // NOTE: mesh resources not supported here - } - - lp := &LegacyPolicy{} - - if err := hcl.Decode(lp, rules); err != nil { - return nil, fmt.Errorf("Failed to parse ACL rules: %v", err) - } - - // Validate the agent policy - for _, ap := range lp.Agents { - if !isPolicyValid(ap.Policy, false) { - return nil, fmt.Errorf("Invalid agent policy: %#v", ap) - } - - p.AgentPrefixes = append(p.AgentPrefixes, ap) - } - - // Validate the key policy - for _, kp := range lp.Keys { - if !isPolicyValid(kp.Policy, true) { - return nil, fmt.Errorf("Invalid key policy: %#v", kp) - } - - if err := kp.EnterpriseRule.Validate(kp.Policy, conf); err != nil { - return nil, fmt.Errorf("Invalid key enterprise policy: %#v, got error: %v", kp, err) - } - - p.KeyPrefixes = append(p.KeyPrefixes, kp) - } - - // Validate the node policies - for _, np := range lp.Nodes { - if !isPolicyValid(np.Policy, false) { - return nil, fmt.Errorf("Invalid node policy: %#v", np) - } - if err := np.EnterpriseRule.Validate(np.Policy, conf); err != nil { - return nil, fmt.Errorf("Invalid node enterprise policy: %#v, got error: %v", np, err) - } - - p.NodePrefixes = append(p.NodePrefixes, np) - } - - // Validate the service policies - for _, sp := range lp.Services { - if !isPolicyValid(sp.Policy, false) { - return nil, fmt.Errorf("Invalid service policy: %#v", sp) - } - if sp.Intentions != "" && !isPolicyValid(sp.Intentions, false) { - return nil, fmt.Errorf("Invalid service intentions policy: %#v", sp) - } - if err := sp.EnterpriseRule.Validate(sp.Policy, conf); err != nil { - return nil, fmt.Errorf("Invalid service enterprise policy: %#v, got error: %v", sp, err) - } - - p.ServicePrefixes = append(p.ServicePrefixes, sp) - } - - // Validate the session policies - for _, sp := range lp.Sessions { - if !isPolicyValid(sp.Policy, false) { - return nil, fmt.Errorf("Invalid session policy: %#v", sp) - } - - p.SessionPrefixes = append(p.SessionPrefixes, sp) - } - - // Validate the user event policies - for _, ep := range lp.Events { - if !isPolicyValid(ep.Policy, false) { - return nil, fmt.Errorf("Invalid event policy: %#v", ep) - } - - p.EventPrefixes = append(p.EventPrefixes, ep) - } - - // Validate the prepared query policies - for _, pq := range lp.PreparedQueries { - if !isPolicyValid(pq.Policy, false) { - return nil, fmt.Errorf("Invalid query policy: %#v", pq) - } - - p.PreparedQueryPrefixes = append(p.PreparedQueryPrefixes, pq) - } - - // Validate the keyring policy - this one is allowed to be empty - if lp.Keyring != "" && !isPolicyValid(lp.Keyring, false) { - return nil, fmt.Errorf("Invalid keyring policy: %#v", lp.Keyring) - } else { - p.Keyring = lp.Keyring - } - - // Validate the operator policy - this one is allowed to be empty - if lp.Operator != "" && !isPolicyValid(lp.Operator, false) { - return nil, fmt.Errorf("Invalid operator policy: %#v", lp.Operator) - } else { - p.Operator = lp.Operator - } - - return p, nil -} - // NewPolicyFromSource is used to parse the specified ACL rules into an // intermediary set of policies, before being compiled into // the ACL -func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) { +func NewPolicyFromSource(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) { if rules == "" { // Hot path for empty source return &Policy{}, nil @@ -441,15 +318,7 @@ func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta var policy *Policy var err error - switch syntax { - // TODO(ACL-Legacy-Compat): remove and remove as argument from function - case SyntaxLegacy: - policy, err = parseLegacy(rules, conf) - case SyntaxCurrent: - policy, err = parseCurrent(rules, conf, meta) - default: - return nil, fmt.Errorf("Invalid rules version: %d", syntax) - } + policy, err = parse(rules, conf, meta) return policy, err } @@ -482,56 +351,3 @@ func takesPrecedenceOver(a, b string) bool { return false } - -func TranslateLegacyRules(policyBytes []byte) ([]byte, error) { - parsed, err := hcl.ParseBytes(policyBytes) - if err != nil { - return nil, fmt.Errorf("Failed to parse rules: %v", err) - } - - rewritten := ast.Walk(parsed, func(node ast.Node) (ast.Node, bool) { - switch n := node.(type) { - case *ast.ObjectItem: - if len(n.Keys) < 1 { - return node, true - } - - txt := n.Keys[0].Token.Text - if n.Keys[0].Token.Type == token.STRING { - txt, err = strconv.Unquote(txt) - if err != nil { - return node, true - } - } - - switch txt { - case "policy": - n.Keys[0].Token.Text = "policy" - case "agent": - n.Keys[0].Token.Text = "agent_prefix" - case "key": - n.Keys[0].Token.Text = "key_prefix" - case "node": - n.Keys[0].Token.Text = "node_prefix" - case "query": - n.Keys[0].Token.Text = "query_prefix" - case "service": - n.Keys[0].Token.Text = "service_prefix" - case "session": - n.Keys[0].Token.Text = "session_prefix" - case "event": - n.Keys[0].Token.Text = "event_prefix" - } - } - - return node, true - }) - - buffer := new(bytes.Buffer) - - if err := hclprinter.Fprint(buffer, rewritten); err != nil { - return nil, fmt.Errorf("Failed to output new rules: %v", err) - } - - return buffer.Bytes(), nil -} diff --git a/acl/policy_test.go b/acl/policy_test.go index 362451e98c..7095df286b 100644 --- a/acl/policy_test.go +++ b/acl/policy_test.go @@ -16,15 +16,13 @@ func errStartsWith(t *testing.T, actual error, expected string) { func TestPolicySourceParse(t *testing.T) { cases := []struct { Name string - Syntax SyntaxVersion Rules string RulesJSON string Expected *Policy Err string }{ { - Name: "Basic", - Syntax: SyntaxCurrent, + Name: "Basic", Rules: ` agent_prefix "bar" { policy = "write" @@ -302,291 +300,8 @@ func TestPolicySourceParse(t *testing.T) { }, }}, }, - { - Name: "Legacy Basic", - Syntax: SyntaxLegacy, - Rules: ` - agent "foo" { - policy = "read" - } - agent "bar" { - policy = "write" - } - event "" { - policy = "read" - } - event "foo" { - policy = "write" - } - event "bar" { - policy = "deny" - } - key "" { - policy = "read" - } - key "foo/" { - policy = "write" - } - key "foo/bar/" { - policy = "read" - } - key "foo/bar/baz" { - policy = "deny" - } - keyring = "deny" - node "" { - policy = "read" - } - node "foo" { - policy = "write" - } - node "bar" { - policy = "deny" - } - operator = "deny" - service "" { - policy = "write" - } - service "foo" { - policy = "read" - } - session "foo" { - policy = "write" - } - session "bar" { - policy = "deny" - } - session "baz" { - policy = "deny" - } - query "" { - policy = "read" - } - query "foo" { - policy = "write" - } - query "bar" { - policy = "deny" - } - `, - RulesJSON: ` - { - "agent": { - "foo": { - "policy": "read" - }, - "bar": { - "policy": "write" - } - }, - "event": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - }, - "key": { - "": { - "policy": "read" - }, - "foo/": { - "policy": "write" - }, - "foo/bar/": { - "policy": "read" - }, - "foo/bar/baz": { - "policy": "deny" - } - }, - "keyring": "deny", - "node": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - }, - "operator": "deny", - "service": { - "": { - "policy": "write" - }, - "foo": { - "policy": "read" - } - }, - "session": { - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - }, - "baz": { - "policy": "deny" - } - }, - "query": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - } - } - `, - Expected: &Policy{PolicyRules: PolicyRules{ - AgentPrefixes: []*AgentRule{ - { - Node: "foo", - Policy: PolicyRead, - }, - { - Node: "bar", - Policy: PolicyWrite, - }, - }, - EventPrefixes: []*EventRule{ - { - Event: "", - Policy: PolicyRead, - }, - { - Event: "foo", - Policy: PolicyWrite, - }, - { - Event: "bar", - Policy: PolicyDeny, - }, - }, - Keyring: PolicyDeny, - KeyPrefixes: []*KeyRule{ - { - Prefix: "", - Policy: PolicyRead, - }, - { - Prefix: "foo/", - Policy: PolicyWrite, - }, - { - Prefix: "foo/bar/", - Policy: PolicyRead, - }, - { - Prefix: "foo/bar/baz", - Policy: PolicyDeny, - }, - }, - NodePrefixes: []*NodeRule{ - { - Name: "", - Policy: PolicyRead, - }, - { - Name: "foo", - Policy: PolicyWrite, - }, - { - Name: "bar", - Policy: PolicyDeny, - }, - }, - Operator: PolicyDeny, - PreparedQueryPrefixes: []*PreparedQueryRule{ - { - Prefix: "", - Policy: PolicyRead, - }, - { - Prefix: "foo", - Policy: PolicyWrite, - }, - { - Prefix: "bar", - Policy: PolicyDeny, - }, - }, - ServicePrefixes: []*ServiceRule{ - { - Name: "", - Policy: PolicyWrite, - }, - { - Name: "foo", - Policy: PolicyRead, - }, - }, - SessionPrefixes: []*SessionRule{ - { - Node: "foo", - Policy: PolicyWrite, - }, - { - Node: "bar", - Policy: PolicyDeny, - }, - { - Node: "baz", - Policy: PolicyDeny, - }, - }, - }}, - }, - { - Name: "Service No Intentions (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`, - Expected: &Policy{PolicyRules: PolicyRules{ - ServicePrefixes: []*ServiceRule{ - { - Name: "foo", - Policy: "write", - }, - }, - }}, - }, - { - Name: "Service Intentions (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" intentions = "read" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`, - Expected: &Policy{PolicyRules: PolicyRules{ - ServicePrefixes: []*ServiceRule{ - { - Name: "foo", - Policy: "write", - Intentions: "read", - }, - }, - }}, - }, - { - Name: "Service Intention: invalid value (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" intentions = "foo" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`, - Err: "Invalid service intentions policy", - }, { Name: "Service No Intentions", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" }`, RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`, Expected: &Policy{PolicyRules: PolicyRules{ @@ -600,7 +315,6 @@ func TestPolicySourceParse(t *testing.T) { }, { Name: "Service Intentions", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" intentions = "read" }`, RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`, Expected: &Policy{PolicyRules: PolicyRules{ @@ -615,168 +329,144 @@ func TestPolicySourceParse(t *testing.T) { }, { Name: "Service Intention: invalid value", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" intentions = "foo" }`, RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`, Err: "Invalid service intentions policy", }, { Name: "Bad Policy - ACL", - Syntax: SyntaxCurrent, Rules: `acl = "list"`, // there is no list policy but this helps to exercise another check in isPolicyValid RulesJSON: `{ "acl": "list" }`, // there is no list policy but this helps to exercise another check in isPolicyValid Err: "Invalid acl policy", }, { Name: "Bad Policy - Agent", - Syntax: SyntaxCurrent, Rules: `agent "foo" { policy = "nope" }`, RulesJSON: `{ "agent": { "foo": { "policy": "nope" }}}`, Err: "Invalid agent policy", }, { Name: "Bad Policy - Agent Prefix", - Syntax: SyntaxCurrent, Rules: `agent_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "agent_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid agent_prefix policy", }, { Name: "Bad Policy - Key", - Syntax: SyntaxCurrent, Rules: `key "foo" { policy = "nope" }`, RulesJSON: `{ "key": { "foo": { "policy": "nope" }}}`, Err: "Invalid key policy", }, { Name: "Bad Policy - Key Prefix", - Syntax: SyntaxCurrent, Rules: `key_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "key_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid key_prefix policy", }, { Name: "Bad Policy - Node", - Syntax: SyntaxCurrent, Rules: `node "foo" { policy = "nope" }`, RulesJSON: `{ "node": { "foo": { "policy": "nope" }}}`, Err: "Invalid node policy", }, { Name: "Bad Policy - Node Prefix", - Syntax: SyntaxCurrent, Rules: `node_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "node_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid node_prefix policy", }, { Name: "Bad Policy - Service", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "nope" }`, RulesJSON: `{ "service": { "foo": { "policy": "nope" }}}`, Err: "Invalid service policy", }, { Name: "Bad Policy - Service Prefix", - Syntax: SyntaxCurrent, Rules: `service_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "service_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid service_prefix policy", }, { Name: "Bad Policy - Session", - Syntax: SyntaxCurrent, Rules: `session "foo" { policy = "nope" }`, RulesJSON: `{ "session": { "foo": { "policy": "nope" }}}`, Err: "Invalid session policy", }, { Name: "Bad Policy - Session Prefix", - Syntax: SyntaxCurrent, Rules: `session_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "session_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid session_prefix policy", }, { Name: "Bad Policy - Event", - Syntax: SyntaxCurrent, Rules: `event "foo" { policy = "nope" }`, RulesJSON: `{ "event": { "foo": { "policy": "nope" }}}`, Err: "Invalid event policy", }, { Name: "Bad Policy - Event Prefix", - Syntax: SyntaxCurrent, Rules: `event_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "event_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid event_prefix policy", }, { Name: "Bad Policy - Prepared Query", - Syntax: SyntaxCurrent, Rules: `query "foo" { policy = "nope" }`, RulesJSON: `{ "query": { "foo": { "policy": "nope" }}}`, Err: "Invalid query policy", }, { Name: "Bad Policy - Prepared Query Prefix", - Syntax: SyntaxCurrent, Rules: `query_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "query_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid query_prefix policy", }, { Name: "Bad Policy - Keyring", - Syntax: SyntaxCurrent, Rules: `keyring = "nope"`, RulesJSON: `{ "keyring": "nope" }`, Err: "Invalid keyring policy", }, { Name: "Bad Policy - Operator", - Syntax: SyntaxCurrent, Rules: `operator = "nope"`, RulesJSON: `{ "operator": "nope" }`, Err: "Invalid operator policy", }, { Name: "Bad Policy - Mesh", - Syntax: SyntaxCurrent, Rules: `mesh = "nope"`, RulesJSON: `{ "mesh": "nope" }`, Err: "Invalid mesh policy", }, { Name: "Bad Policy - Peering", - Syntax: SyntaxCurrent, Rules: `peering = "nope"`, RulesJSON: `{ "peering": "nope" }`, Err: "Invalid peering policy", }, { Name: "Keyring Empty", - Syntax: SyntaxCurrent, Rules: `keyring = ""`, RulesJSON: `{ "keyring": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Keyring: ""}}, }, { Name: "Operator Empty", - Syntax: SyntaxCurrent, Rules: `operator = ""`, RulesJSON: `{ "operator": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Operator: ""}}, }, { Name: "Mesh Empty", - Syntax: SyntaxCurrent, Rules: `mesh = ""`, RulesJSON: `{ "mesh": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Mesh: ""}}, }, { Name: "Peering Empty", - Syntax: SyntaxCurrent, Rules: `peering = ""`, RulesJSON: `{ "peering": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Peering: ""}}, @@ -788,7 +478,7 @@ func TestPolicySourceParse(t *testing.T) { require.True(t, tc.Rules != "" || tc.RulesJSON != "") if tc.Rules != "" { t.Run("hcl", func(t *testing.T) { - actual, err := NewPolicyFromSource(tc.Rules, tc.Syntax, nil, nil) + actual, err := NewPolicyFromSource(tc.Rules, nil, nil) if tc.Err != "" { errStartsWith(t, err, tc.Err) } else { @@ -798,7 +488,7 @@ func TestPolicySourceParse(t *testing.T) { } if tc.RulesJSON != "" { t.Run("json", func(t *testing.T) { - actual, err := NewPolicyFromSource(tc.RulesJSON, tc.Syntax, nil, nil) + actual, err := NewPolicyFromSource(tc.RulesJSON, nil, nil) if tc.Err != "" { errStartsWith(t, err, tc.Err) } else { @@ -1585,236 +1275,6 @@ func TestMergePolicies(t *testing.T) { } -func TestRulesTranslate(t *testing.T) { - input := ` -# top level comment - -# block comment -agent "" { - # policy comment - policy = "write" -} - -# block comment -key "" { - # policy comment - policy = "write" -} - -# block comment -node "" { - # policy comment - policy = "write" -} - -# block comment -event "" { - # policy comment - policy = "write" -} - -# block comment -service "" { - # policy comment - policy = "write" -} - -# block comment -session "" { - # policy comment - policy = "write" -} - -# block comment -query "" { - # policy comment - policy = "write" -} - -# comment -keyring = "write" - -# comment -operator = "write" - -# comment -mesh = "write" - -# comment -peering = "write" -` - - expected := ` -# top level comment - -# block comment -agent_prefix "" { - # policy comment - policy = "write" -} - -# block comment -key_prefix "" { - # policy comment - policy = "write" -} - -# block comment -node_prefix "" { - # policy comment - policy = "write" -} - -# block comment -event_prefix "" { - # policy comment - policy = "write" -} - -# block comment -service_prefix "" { - # policy comment - policy = "write" -} - -# block comment -session_prefix "" { - # policy comment - policy = "write" -} - -# block comment -query_prefix "" { - # policy comment - policy = "write" -} - -# comment -keyring = "write" - -# comment -operator = "write" - -# comment -mesh = "write" - -# comment -peering = "write" -` - - output, err := TranslateLegacyRules([]byte(input)) - require.NoError(t, err) - require.Equal(t, strings.Trim(expected, "\n"), string(output)) -} - -func TestRulesTranslate_GH5493(t *testing.T) { - input := ` -{ - "key": { - "": { - "policy": "read" - }, - "key": { - "policy": "read" - }, - "policy": { - "policy": "read" - }, - "privatething1/": { - "policy": "deny" - }, - "anapplication/private/": { - "policy": "deny" - }, - "privatething2/": { - "policy": "deny" - } - }, - "session": { - "": { - "policy": "write" - } - }, - "node": { - "": { - "policy": "read" - } - }, - "agent": { - "": { - "policy": "read" - } - }, - "service": { - "": { - "policy": "read" - } - }, - "event": { - "": { - "policy": "read" - } - }, - "query": { - "": { - "policy": "read" - } - } -}` - expected := ` -key_prefix "" { - policy = "read" -} - -key_prefix "key" { - policy = "read" -} - -key_prefix "policy" { - policy = "read" -} - -key_prefix "privatething1/" { - policy = "deny" -} - -key_prefix "anapplication/private/" { - policy = "deny" -} - -key_prefix "privatething2/" { - policy = "deny" -} - -session_prefix "" { - policy = "write" -} - -node_prefix "" { - policy = "read" -} - -agent_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "read" -} - -event_prefix "" { - policy = "read" -} - -query_prefix "" { - policy = "read" -} -` - output, err := TranslateLegacyRules([]byte(input)) - require.NoError(t, err) - require.Equal(t, strings.Trim(expected, "\n"), string(output)) -} - func TestPrecedence(t *testing.T) { type testCase struct { name string diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go index 54f4b5c12b..53a0d85190 100644 --- a/agent/acl_endpoint.go +++ b/agent/acl_endpoint.go @@ -215,8 +215,6 @@ func (s *HTTPHandlers) aclPolicyWriteInternal(_resp http.ResponseWriter, req *ht return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Policy decoding failed: %v", err)} } - args.Policy.Syntax = acl.SyntaxCurrent - if create { if args.Policy.ID != "" { return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify the ID when creating a new policy"} @@ -1009,10 +1007,9 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request) // There are a number of reason why this is okay. // // 1. The authorizations performed here are the same as what would be done if other HTTP APIs - // were used. This is just a way to see if it would be allowed. In the future when we have - // audit logging, these authorization checks will be logged along with those from the real - // endpoints. In that respect, you can figure out if you have access just as easily by - // attempting to perform the requested operation. + // were used. This is just a way to see if it would be allowed. These authorization checks + // will be logged along with those from the real endpoints. In that respect, you can figure + // out if you have access just as easily by attempting to perform the requested operation. // 2. In order to use this API you must have a valid ACL token secret. // 3. Along with #2 you can use the ACL.GetPolicy RPC endpoint which will return a rolled up // set of policy rules showing your tokens effective policy. This RPC endpoint exposes diff --git a/agent/acl_test.go b/agent/acl_test.go index 7066f69f5a..cc2249c675 100644 --- a/agent/acl_test.go +++ b/agent/acl_test.go @@ -238,7 +238,7 @@ func catalogPolicy(testACL string) (structs.ACLIdentity, acl.Authorizer, error) return nil, nil, acl.ErrNotFound } - policy, err := acl.NewPolicyFromSource(tok.rules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tok.rules, nil, nil) if err != nil { return nil, nil, err } diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index 543371afea..c16e815e14 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -535,7 +535,7 @@ func TestAgent_Service(t *testing.T) { tests := []struct { name string - tokenRules string + policies string url string updateFunc func() wantWait time.Duration @@ -671,7 +671,7 @@ func TestAgent_Service(t *testing.T) { name: "err: bad ACL for service", url: "/v1/agent/service/web-sidecar-proxy", // Limited token doesn't grant read to the service - tokenRules: ` + policies: ` key "" { policy = "read" } @@ -685,7 +685,7 @@ func TestAgent_Service(t *testing.T) { name: "good ACL for service", url: "/v1/agent/service/web-sidecar-proxy", // Limited token doesn't grant read to the service - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "read" } @@ -711,9 +711,9 @@ func TestAgent_Service(t *testing.T) { // Inject the root token for tests that don't care about ACL token := "root" - if tt.tokenRules != "" { + if tt.policies != "" { // Create new token and use that. - token = testCreateToken(t, a, tt.tokenRules) + token = testCreateToken(t, a, tt.policies) } req.Header.Set("X-Consul-Token", token) resp := httptest.NewRecorder() @@ -4353,7 +4353,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s // directly. json string enableACL bool - tokenRules string + policies string wantNS *structs.NodeService wantErr string wantSidecarIDLeftAfterDereg bool @@ -4396,7 +4396,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4417,10 +4417,10 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } } `, - enableACL: true, - tokenRules: ``, // No token rules means no valid token - wantNS: nil, - wantErr: "Permission denied", + enableACL: true, + policies: ``, // No token rules means no valid token + wantNS: nil, + wantErr: "Permission denied", }, { name: "ACL OK for service but not for sidecar", @@ -4435,7 +4435,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s `, enableACL: true, // This will become more common/reasonable when ACLs support exact match. - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "deny" } @@ -4461,7 +4461,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4485,7 +4485,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4514,7 +4514,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4739,8 +4739,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s // Create an ACL token with require policy var token string - if tt.enableACL && tt.tokenRules != "" { - token = testCreateToken(t, a, tt.tokenRules) + if tt.enableACL && tt.policies != "" { + token = testCreateToken(t, a, tt.policies) } br := bytes.NewBufferString(tt.json) @@ -4850,7 +4850,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH // directly. json string enableACL bool - tokenRules string + policies string wantNS *structs.NodeService wantErr string wantSidecarIDLeftAfterDereg bool @@ -4893,7 +4893,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4914,10 +4914,10 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } } `, - enableACL: true, - tokenRules: ``, // No token rules means no valid token - wantNS: nil, - wantErr: "Permission denied", + enableACL: true, + policies: ``, // No policies means no valid token + wantNS: nil, + wantErr: "Permission denied", }, { name: "ACL OK for service but not for sidecar", @@ -4932,7 +4932,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH `, enableACL: true, // This will become more common/reasonable when ACLs support exact match. - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "deny" } @@ -4958,7 +4958,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4982,7 +4982,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -5011,7 +5011,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -5236,8 +5236,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH // Create an ACL token with require policy var token string - if tt.enableACL && tt.tokenRules != "" { - token = testCreateToken(t, a, tt.tokenRules) + if tt.enableACL && tt.policies != "" { + token = testCreateToken(t, a, tt.policies) } br := bytes.NewBufferString(tt.json) diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 03a5750cbf..0c65ed9fd1 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -284,7 +284,7 @@ func agentRecoveryAuthorizer(nodeName string, entMeta *acl.EnterpriseMeta, aclCo node_prefix "" { policy = "read" } - `, nodeName), acl.SyntaxCurrent, &conf, entMeta.ToEnterprisePolicyMeta()) + `, nodeName), &conf, entMeta.ToEnterprisePolicyMeta()) if err != nil { return nil, err } diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index 4994baeb9c..1cbea7779b 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -913,7 +913,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol } // validate the rules - _, err = acl.NewPolicyFromSource(policy.Rules, policy.Syntax, a.srv.aclConfig, policy.EnterprisePolicyMeta()) + _, err = acl.NewPolicyFromSource(policy.Rules, a.srv.aclConfig, policy.EnterprisePolicyMeta()) if err != nil { return err } diff --git a/agent/consul/acl_endpoint_legacy.go b/agent/consul/acl_endpoint_legacy.go deleted file mode 100644 index efee32cb5e..0000000000 --- a/agent/consul/acl_endpoint_legacy.go +++ /dev/null @@ -1,31 +0,0 @@ -package consul - -import ( - "fmt" - - "github.com/hashicorp/consul/agent/structs" -) - -type LegacyACLGetPolicy struct{} - -func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error { - return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed") -} - -func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed") -} - -type LegacyACLRequest struct{} - -func (a *ACL) Apply(*LegacyACLRequest, *string) error { - return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed") -} - -func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.Get: the legacy ACL system has been removed") -} - -func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.List: the legacy ACL system has been removed") -} diff --git a/agent/consul/acl_replication_test.go b/agent/consul/acl_replication_test.go index 25bd3929ff..a0c2576cf8 100644 --- a/agent/consul/acl_replication_test.go +++ b/agent/consul/acl_replication_test.go @@ -10,7 +10,6 @@ import ( "github.com/stretchr/testify/require" - "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/consul/authmethod/testauth" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs/aclfilter" @@ -31,7 +30,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy1", Description: "policy1 - already in sync", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, @@ -41,7 +39,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy2", Description: "policy2 - updated but not changed", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, @@ -51,7 +48,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy3", Description: "policy3 - updated and changed", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, @@ -61,7 +57,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy4", Description: "policy4 - needs deleting", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index c6601289d5..2a5964fed8 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -213,7 +213,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -224,7 +223,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "acl-wr", Description: "acl-wr", Rules: `acl = "write"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -235,7 +233,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "service-ro", Description: "service-ro", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -246,7 +243,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "service-wr", Description: "service-wr", Rules: `service_prefix "" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -257,7 +253,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } @@ -269,7 +264,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } @@ -1699,7 +1693,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1733,7 +1726,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1768,7 +1760,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1793,7 +1784,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1802,7 +1792,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1836,7 +1825,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1845,7 +1833,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1874,7 +1861,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1883,7 +1869,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1901,7 +1886,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "service-ro", Description: "service-ro", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -2072,7 +2056,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -2098,7 +2081,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "ixn-write", Description: "ixn-write", Rules: `service_prefix "" { policy = "write" intentions = "write" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) diff --git a/agent/consul/auth/token_writer.go b/agent/consul/auth/token_writer.go index f6d7976605..957d34fada 100644 --- a/agent/consul/auth/token_writer.go +++ b/agent/consul/auth/token_writer.go @@ -306,10 +306,6 @@ func (w *TokenWriter) write(token, existing *structs.ACLToken, fromLogin bool) ( } token.NodeIdentities = nodeIdentities - if token.Type != "" { - return nil, errors.New("Type cannot be specified for this token") - } - if err := w.enterpriseValidation(token, existing); err != nil { return nil, err } diff --git a/agent/consul/auth/token_writer_test.go b/agent/consul/auth/token_writer_test.go index b2fef1c116..499c10ab57 100644 --- a/agent/consul/auth/token_writer_test.go +++ b/agent/consul/auth/token_writer_test.go @@ -98,10 +98,6 @@ func TestTokenWriter_Create_Validation(t *testing.T) { fromLogin: false, errorContains: "AuthMethod field is disallowed outside of login", }, - "Type set": { - token: structs.ACLToken{Type: "some-type"}, - errorContains: "Type cannot be specified for this token", - }, } for desc, tc := range testCases { t.Run(desc, func(t *testing.T) { @@ -494,10 +490,6 @@ func TestTokenWriter_Update_Validation(t *testing.T) { token: structs.ACLToken{AccessorID: token.AccessorID, ExpirationTime: timePointer(token.ExpirationTime.Add(1 * time.Minute))}, errorContains: "Cannot change expiration time", }, - "Type set": { - token: structs.ACLToken{AccessorID: token.AccessorID, Type: "some-type"}, - errorContains: "Type cannot be specified for this token", - }, } for desc, tc := range testCases { t.Run(desc, func(t *testing.T) { diff --git a/agent/consul/autopilotevents/ready_servers_events_test.go b/agent/consul/autopilotevents/ready_servers_events_test.go index 0f686fbc5f..aedf25c4d9 100644 --- a/agent/consul/autopilotevents/ready_servers_events_test.go +++ b/agent/consul/autopilotevents/ready_servers_events_test.go @@ -101,7 +101,7 @@ func TestEventPayloadReadyServers_HasReadPermission(t *testing.T) { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index c1d1dbe983..e4c6cd7dee 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -3588,7 +3588,7 @@ service "gateway" { func TestVetRegisterWithACL(t *testing.T) { appendAuthz := func(t *testing.T, defaultAuthz acl.Authorizer, rules string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(defaultAuthz, []*acl.Policy{policy}, nil) @@ -3876,10 +3876,10 @@ func TestVetDeregisterWithACL(t *testing.T) { // Create a basic node policy. policy, err := acl.NewPolicyFromSource(` -node "node" { - policy = "write" -} -`, acl.SyntaxLegacy, nil, nil) + node_prefix "node" { + policy = "write" + } + `, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -3892,7 +3892,7 @@ node "node" { service "my-service" { policy = "write" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) if err != nil { t.Fatalf("err %v", err) } diff --git a/agent/consul/filter_test.go b/agent/consul/filter_test.go index 415ac762ab..b5f81c28fe 100644 --- a/agent/consul/filter_test.go +++ b/agent/consul/filter_test.go @@ -10,7 +10,7 @@ import ( func TestFilter_DirEnt(t *testing.T) { t.Parallel() - policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil) + policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil) aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) type tcase struct { @@ -52,7 +52,7 @@ func TestFilter_DirEnt(t *testing.T) { func TestFilter_TxnResults(t *testing.T) { t.Parallel() - policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil) + policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil) aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) type tcase struct { @@ -101,16 +101,16 @@ func TestFilter_TxnResults(t *testing.T) { } var testFilterRules = ` -key "" { +key_prefix "" { policy = "deny" } -key "foo/" { +key_prefix "foo/" { policy = "read" } -key "foo/priv/" { +key_prefix "foo/priv/" { policy = "deny" } -key "zip/" { +key_prefix "zip/" { policy = "read" } ` diff --git a/agent/consul/fsm/snapshot_test.go b/agent/consul/fsm/snapshot_test.go index 75f159e07c..97fa87e434 100644 --- a/agent/consul/fsm/snapshot_test.go +++ b/agent/consul/fsm/snapshot_test.go @@ -113,7 +113,6 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) { }, CreateTime: time.Now(), Local: false, - Type: "management", } require.NoError(t, fsm.state.ACLBootstrap(10, 0, token)) diff --git a/agent/consul/leader.go b/agent/consul/leader.go index efd26ba507..469616b08c 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -413,7 +413,6 @@ func (s *Server) initializeACLs(ctx context.Context) error { Name: "global-management", Description: "Builtin Policy that grants unlimited access", Rules: structs.ACLPolicyGlobalManagement, - Syntax: acl.SyntaxCurrent, EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), } if policy != nil { diff --git a/agent/consul/state/acl.go b/agent/consul/state/acl.go index 03eedff7bc..a1308f8fe9 100644 --- a/agent/consul/state/acl.go +++ b/agent/consul/state/acl.go @@ -450,13 +450,13 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo if token.AccessorID == "" { return ErrMissingACLTokenAccessor } + if opts.FromReplication && token.Local { return fmt.Errorf("Cannot replicate local tokens") } // Check for an existing ACL - // DEPRECATED (ACL-Legacy-Compat) - transition to using accessor index instead of secret once v1 compat is removed - _, existing, err := aclTokenGetFromIndex(tx, token.SecretID, "id", nil) + _, existing, err := aclTokenGetFromIndex(tx, token.AccessorID, indexAccessor, nil) if err != nil { return fmt.Errorf("failed token lookup: %s", err) } @@ -553,7 +553,7 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo // ACLTokenGetBySecret is used to look up an existing ACL token by its SecretID. func (s *Store) ACLTokenGetBySecret(ws memdb.WatchSet, secret string, entMeta *acl.EnterpriseMeta) (uint64, *structs.ACLToken, error) { - return s.aclTokenGet(ws, secret, "id", entMeta) + return s.aclTokenGet(ws, secret, indexID, entMeta) } // ACLTokenGetByAccessor is used to look up an existing ACL token by its AccessorID. diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go index 15491e437d..5e01514730 100644 --- a/agent/consul/state/acl_test.go +++ b/agent/consul/state/acl_test.go @@ -33,7 +33,6 @@ func setupGlobalManagement(t *testing.T, s *Store) { Name: "global-management", Description: "Builtin Policy that grants unlimited access", Rules: structs.ACLPolicyGlobalManagement, - Syntax: acl.SyntaxCurrent, } policy.SetHash(true) require.NoError(t, s.ACLPolicySet(1, &policy)) @@ -74,35 +73,30 @@ func setupExtraPolicies(t *testing.T, s *Store) { Name: "node-read", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_B, Name: "agent-read", Description: "Allows reading all node information", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_C, Name: "acl-read", Description: "Allows acl read", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_D, Name: "acl-write", Description: "Allows acl write", Rules: `acl = "write"`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_E, Name: "kv-read", Description: "Allows kv read", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, } @@ -1068,7 +1062,6 @@ func TestStateStore_ACLToken_FixupPolicyLinks(t *testing.T) { Name: "node-read-renamed", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, } renamed.SetHash(true) require.NoError(t, s.ACLPolicySet(3, renamed)) @@ -1475,7 +1468,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { Name: "node-read", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } @@ -1488,7 +1480,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { require.Equal(t, "node-read", rpolicy.Name) require.Equal(t, "Allows reading all node information", rpolicy.Description) require.Equal(t, `node_prefix "" { policy = "read" }`, rpolicy.Rules) - require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax) require.Len(t, rpolicy.Datacenters, 1) require.Equal(t, "dc1", rpolicy.Datacenters[0]) require.Equal(t, uint64(3), rpolicy.CreateIndex) @@ -1502,7 +1493,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { require.Equal(t, "global-management", rpolicy.Name) require.Equal(t, "Builtin Policy that grants unlimited access", rpolicy.Description) require.Equal(t, structs.ACLPolicyGlobalManagement, rpolicy.Rules) - require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax) require.Len(t, rpolicy.Datacenters, 0) require.Equal(t, uint64(1), rpolicy.CreateIndex) require.Equal(t, uint64(1), rpolicy.ModifyIndex) @@ -1518,7 +1508,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { Name: "node-read-modified", Description: "Modified", Rules: `node_prefix "" { policy = "read" } node "secret" { policy = "deny" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1", "dc2"}, } @@ -2307,7 +2296,6 @@ func TestStateStore_ACLRole_FixupPolicyLinks(t *testing.T) { Name: "node-read-renamed", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, } renamed.SetHash(true) require.NoError(t, s.ACLPolicySet(3, renamed)) @@ -3368,14 +3356,12 @@ func TestStateStore_ACLTokens_Snapshot_Restore(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e", Name: "policy2", Description: "policy2", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, } @@ -3769,14 +3755,12 @@ func TestStateStore_ACLRoles_Snapshot_Restore(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e", Name: "policy2", Description: "policy2", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, } diff --git a/agent/consul/state/connect_ca_events_test.go b/agent/consul/state/connect_ca_events_test.go index b5062340a1..ebd52b3332 100644 --- a/agent/consul/state/connect_ca_events_test.go +++ b/agent/consul/state/connect_ca_events_test.go @@ -105,7 +105,7 @@ func TestEventPayloadCARoots_HasReadPermission(t *testing.T) { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/consul/state/store_integration_test.go b/agent/consul/state/store_integration_test.go index b787ad94f8..0d28880aa3 100644 --- a/agent/consul/state/store_integration_test.go +++ b/agent/consul/state/store_integration_test.go @@ -140,7 +140,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_C, Name: "foo-read", Rules: `node "foo" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy2.SetHash(false) @@ -154,7 +153,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_A, Name: "node-read", Rules: `node_prefix "" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy3.SetHash(false) @@ -213,7 +211,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_B, Name: "node-read", Rules: `node_prefix "foo" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy4.SetHash(false) diff --git a/agent/grpc-external/testutils/acl.go b/agent/grpc-external/testutils/acl.go index 8def60fff7..a443a38ca2 100644 --- a/agent/grpc-external/testutils/acl.go +++ b/agent/grpc-external/testutils/acl.go @@ -47,7 +47,7 @@ func ACLServiceWriteAny(t *testing.T) resolver.Result { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/grpc-internal/services/subscribe/subscribe_test.go b/agent/grpc-internal/services/subscribe/subscribe_test.go index c04d60a260..f31169eb94 100644 --- a/agent/grpc-internal/services/subscribe/subscribe_test.go +++ b/agent/grpc-internal/services/subscribe/subscribe_test.go @@ -692,7 +692,7 @@ node "node1" { } ` cfg := &acl.Config{WildcardName: structs.WildcardSpecifier} - authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, cfg, nil) + authorizer, err := acl.NewAuthorizerFromRules(rules, cfg, nil) require.NoError(t, err) authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()}) require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil)) @@ -896,7 +896,7 @@ node "node1" { policy = "write" } ` - authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil) + authorizer, err := acl.NewAuthorizerFromRules(rules, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil) require.NoError(t, err) authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()}) require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil)) diff --git a/agent/proxycfg-glue/intention_upstreams_test.go b/agent/proxycfg-glue/intention_upstreams_test.go index 22846f24d2..1a69b1de70 100644 --- a/agent/proxycfg-glue/intention_upstreams_test.go +++ b/agent/proxycfg-glue/intention_upstreams_test.go @@ -91,7 +91,7 @@ func disableLegacyIntentions(t *testing.T, store *state.Store) { } func policyAuthorizer(t *testing.T, policyHCL string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(policyHCL, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(policyHCL, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/rpc/peering/service_test.go b/agent/rpc/peering/service_test.go index 833614559d..b8fa04ef86 100644 --- a/agent/rpc/peering/service_test.go +++ b/agent/rpc/peering/service_test.go @@ -1729,28 +1729,24 @@ func upsertTestACLs(t *testing.T, store *state.Store) { ) policies := structs.ACLPolicies{ { - ID: testPolicyPeeringReadID, - Name: "peering-read", - Rules: `peering = "read"`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyPeeringReadID, + Name: "peering-read", + Rules: `peering = "read"`, }, { - ID: testPolicyPeeringWriteID, - Name: "peering-write", - Rules: `peering = "write"`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyPeeringWriteID, + Name: "peering-write", + Rules: `peering = "write"`, }, { - ID: testPolicyServiceReadID, - Name: "service-read", - Rules: `service "api" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyServiceReadID, + Name: "service-read", + Rules: `service "api" { policy = "read" }`, }, { - ID: testPolicyServiceWriteID, - Name: "service-write", - Rules: `service "api" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyServiceWriteID, + Name: "service-write", + Rules: `service "api" { policy = "write" }`, }, } require.NoError(t, store.ACLPolicyBatchSet(100, policies)) diff --git a/agent/structs/acl.go b/agent/structs/acl.go index 3cb5167786..fa89986a33 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go @@ -160,7 +160,6 @@ func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPo sn := NewServiceName(s.ServiceName, entMeta) policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String()) policy.Rules = rules - policy.Syntax = acl.SyntaxCurrent policy.Datacenters = s.Datacenters policy.EnterpriseMeta.Merge(entMeta) policy.SetHash(true) @@ -232,7 +231,6 @@ func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolic policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID) policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName) policy.Rules = rules - policy.Syntax = acl.SyntaxCurrent policy.Datacenters = []string{s.Datacenter} policy.EnterpriseMeta.Merge(entMeta) policy.SetHash(true) @@ -286,13 +284,6 @@ type ACLToken struct { // The node identities that this token should be allowed to manage. NodeIdentities ACLNodeIdentities `json:",omitempty"` - // Type is the V1 Token Type - // DEPRECATED (ACL-Legacy-Compat) - remove once we no longer support v1 ACL compat - // Even though we are going to auto upgrade management tokens we still - // want to be able to have the old APIs operate on the upgraded management tokens - // so this field is being kept to identify legacy tokens even after an auto-upgrade - Type string `json:"-"` - // Whether this token is DC local. This means that it will not be synced // to the ACL datacenter and replicated to others. Local bool @@ -479,7 +470,6 @@ func (t *ACLToken) SetHash(force bool) []byte { // Write all the user set fields hash.Write([]byte(t.Description)) - hash.Write([]byte(t.Type)) if t.Local { hash.Write([]byte("local")) @@ -516,7 +506,7 @@ func (t *ACLToken) SetHash(force bool) []byte { func (t *ACLToken) EstimateSize() int { // 41 = 16 (RaftIndex) + 8 (Hash) + 8 (ExpirationTime) + 8 (CreateTime) + 1 (Local) - size := 41 + len(t.AccessorID) + len(t.SecretID) + len(t.Description) + len(t.Type) + len(t.AuthMethod) + size := 41 + len(t.AccessorID) + len(t.SecretID) + len(t.Description) + len(t.AuthMethod) for _, link := range t.Policies { size += len(link.ID) + len(link.Name) } @@ -604,9 +594,6 @@ type ACLPolicy struct { // The rule set (using the updated rule syntax) Rules string - // DEPRECATED (ACL-Legacy-Compat) - This is only needed while we support the legacy ACLs - Syntax acl.SyntaxVersion `json:"-"` - // Datacenters that the policy is valid within. // - No wildcards allowed // - If empty then the policy is valid within all datacenters @@ -767,7 +754,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Conf continue } - p, err := acl.NewPolicyFromSource(policy.Rules, policy.Syntax, entConf, policy.EnterprisePolicyMeta()) + p, err := acl.NewPolicyFromSource(policy.Rules, entConf, policy.EnterprisePolicyMeta()) if err != nil { return nil, fmt.Errorf("failed to parse %q: %v", policy.Name, err) } diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go index 36ccc7ec33..d5b083ec5e 100644 --- a/agent/structs/acl_test.go +++ b/agent/structs/acl_test.go @@ -67,7 +67,6 @@ func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) { } expect := &ACLPolicy{ - Syntax: acl.SyntaxCurrent, Datacenters: test.datacenters, Rules: test.expectRules, } @@ -402,7 +401,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 1, ModifyIndex: 2, @@ -413,7 +411,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy2", Description: "policy2", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 3, ModifyIndex: 4, @@ -424,7 +421,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy3", Description: "policy3", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 5, ModifyIndex: 6, @@ -435,7 +431,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy4", Description: "policy4", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 7, ModifyIndex: 8, @@ -492,7 +487,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 1, ModifyIndex: 2, @@ -503,7 +497,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy2", Description: "policy2", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 3, ModifyIndex: 4, @@ -514,7 +507,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy3", Description: "policy3", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 5, ModifyIndex: 6, @@ -525,7 +517,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy4", Description: "policy4", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 7, ModifyIndex: 8, diff --git a/agent/structs/aclfilter/filter_test.go b/agent/structs/aclfilter/filter_test.go index 4afb00bb5d..4666b52a33 100644 --- a/agent/structs/aclfilter/filter_test.go +++ b/agent/structs/aclfilter/filter_test.go @@ -28,7 +28,7 @@ func TestACL_filterImported_IndexedHealthChecks(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -99,7 +99,7 @@ func TestACL_filterImported_IndexedNodes(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -172,7 +172,7 @@ func TestACL_filterImported_IndexedNodeServices(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -253,7 +253,7 @@ func TestACL_filterImported_IndexedNodeServiceList(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -333,7 +333,7 @@ func TestACL_filterImported_IndexedServiceNodes(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -402,7 +402,7 @@ func TestACL_filterImported_CheckServiceNode(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -505,10 +505,16 @@ func TestACL_filterHealthChecks(t *testing.T) { service "foo" { policy = "read" } + service_prefix "foo" { + policy = "read" + } node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + node_prefix "node1" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -527,7 +533,10 @@ func TestACL_filterHealthChecks(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + service_prefix "foo" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -546,7 +555,10 @@ func TestACL_filterHealthChecks(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + node_prefix "node1" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -604,7 +616,10 @@ func TestACL_filterIntentions(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + service_prefix "foo" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -675,7 +690,7 @@ func TestACL_filterServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -694,7 +709,7 @@ func TestACL_filterServiceNodes(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -758,7 +773,7 @@ func TestACL_filterNodeServices(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -777,7 +792,7 @@ func TestACL_filterNodeServices(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -796,7 +811,7 @@ func TestACL_filterNodeServices(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -855,7 +870,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -874,7 +889,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -893,7 +908,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -936,7 +951,7 @@ func TestACL_filterGatewayServices(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -996,7 +1011,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1015,7 +1030,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1034,7 +1049,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1094,7 +1109,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1113,7 +1128,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1132,7 +1147,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1231,7 +1246,7 @@ node "node1" { service "foo" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1259,7 +1274,7 @@ node "node2" { service "bar" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1293,7 +1308,7 @@ node "node2" { service "bar" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1344,7 +1359,7 @@ func TestACL_filterCoordinates(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1396,7 +1411,7 @@ func TestACL_filterSessions(t *testing.T) { session "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1500,7 +1515,7 @@ func TestACL_filterNodeDump(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1520,7 +1535,7 @@ func TestACL_filterNodeDump(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1549,7 +1564,7 @@ func TestACL_filterNodeDump(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1587,7 +1602,7 @@ func TestACL_filterNodeDump(t *testing.T) { service "" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1607,8 +1622,11 @@ func TestACL_filterNodeDump(t *testing.T) { policy, err := acl.NewPolicyFromSource(` node "" { policy = "read" + }, + node_prefix "" { + policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1640,11 +1658,17 @@ func TestACL_filterNodeDump(t *testing.T) { policy, err := acl.NewPolicyFromSource(` service "" { policy = "read" + }, + service_prefix "" { + policy = "read" } node "" { policy = "read" + }, + node_prefix "" { + policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1813,7 +1837,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1877,7 +1901,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { service "bar" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1903,7 +1927,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { service "bar" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1928,7 +1952,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2022,7 +2046,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service_prefix "bar" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2044,7 +2068,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service_prefix "bar" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2067,7 +2091,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service "foo-gateway" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2089,7 +2113,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2164,7 +2188,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { service_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2184,7 +2208,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { service_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2203,7 +2227,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { node_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2360,7 +2384,7 @@ func TestACL_filterPreparedQueries(t *testing.T) { query "query-with-a-token" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2432,7 +2456,7 @@ func TestACL_unhandledFilterType(t *testing.T) { func policy(t *testing.T, hcl string) acl.Authorizer { t.Helper() - policy, err := acl.NewPolicyFromSource(hcl, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(hcl, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/structs/config_entry_discoverychain_test.go b/agent/structs/config_entry_discoverychain_test.go index df1a5c5df1..b16f48f63b 100644 --- a/agent/structs/config_entry_discoverychain_test.go +++ b/agent/structs/config_entry_discoverychain_test.go @@ -17,7 +17,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) { // This test tests both of these because they are related functions. newAuthz := func(t *testing.T, src string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(src, nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -34,7 +34,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) { buf.WriteString(fmt.Sprintf("service %q { policy = %q }\n", s, "write")) } - policy, err := acl.NewPolicyFromSource(buf.String(), acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(buf.String(), nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/structs/config_entry_test.go b/agent/structs/config_entry_test.go index 4debc7ac9d..4cff6e9e56 100644 --- a/agent/structs/config_entry_test.go +++ b/agent/structs/config_entry_test.go @@ -26,7 +26,7 @@ func TestConfigEntries_ACLs(t *testing.T) { type testcase = configEntryACLTestCase newAuthz := func(t *testing.T, src string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(src, nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/structs/intention_test.go b/agent/structs/intention_test.go index f5aac91ca7..ef6e4c00d2 100644 --- a/agent/structs/intention_test.go +++ b/agent/structs/intention_test.go @@ -117,7 +117,7 @@ func TestIntention_ACLs(t *testing.T) { for name, tcase := range cases { t.Run(name, func(t *testing.T) { - authz, err := acl.NewAuthorizerFromRules(tcase.rules, acl.SyntaxCurrent, &config, nil) + authz, err := acl.NewAuthorizerFromRules(tcase.rules, &config, nil) require.NoError(t, err) require.Equal(t, tcase.read, tcase.intention.CanRead(authz)) diff --git a/agent/xds/delta_test.go b/agent/xds/delta_test.go index 0b7359da52..d9b0969d1d 100644 --- a/agent/xds/delta_test.go +++ b/agent/xds/delta_test.go @@ -1069,7 +1069,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLEnforcement(t *testing.T) { // Ensure the correct token was passed require.Equal(t, tt.token, id) // Parse the ACL and enforce it - policy, err := acl.NewPolicyFromSource(tt.acl, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(tt.acl, nil, nil) require.NoError(t, err) return acl.NewPolicyAuthorizerWithDefaults(acl.RootAuthorizer("deny"), []*acl.Policy{policy}, nil) } @@ -1158,7 +1158,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedDuri aclRules := `service "web" { policy = "write" }` token := "service-write-on-web" - policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(aclRules, nil, nil) require.NoError(t, err) var validToken atomic.Value @@ -1256,7 +1256,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedInBa aclRules := `service "web" { policy = "write" }` token := "service-write-on-web" - policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(aclRules, nil, nil) require.NoError(t, err) var validToken atomic.Value diff --git a/api/agent.go b/api/agent.go index 8db4d36cc2..6e2883a411 100644 --- a/api/agent.go +++ b/api/agent.go @@ -201,11 +201,11 @@ const ( // ACLModeEnabled indicates that ACLs are enabled and operating in new ACL // mode (v1.4.0+ ACLs) ACLModeEnabled MemberACLMode = "1" - // ACLModeLegacy indicates that ACLs are enabled and operating in legacy mode. - ACLModeLegacy MemberACLMode = "2" + // ACLModeLegacy has been deprecated, and will be treated as ACLModeUnknown. + ACLModeLegacy MemberACLMode = "2" // DEPRECATED // ACLModeUnkown is used to indicate that the AgentMember.Tags didn't advertise // an ACL mode at all. This is the case for Consul versions before v1.4.0 and - // should be treated similarly to ACLModeLegacy. + // should be treated the same as ACLModeLegacy. ACLModeUnknown MemberACLMode = "3" ) @@ -244,8 +244,6 @@ func (m *AgentMember) ACLMode() MemberACLMode { return ACLModeDisabled case ACLModeEnabled: return ACLModeEnabled - case ACLModeLegacy: - return ACLModeLegacy default: return ACLModeUnknown } diff --git a/api/agent_test.go b/api/agent_test.go index a36e35a94d..4f78d39ad0 100644 --- a/api/agent_test.go +++ b/api/agent_test.go @@ -2017,7 +2017,7 @@ func TestMemberACLMode(t *testing.T) { }, "legacy": { tagValue: "2", - expectedMode: ACLModeLegacy, + expectedMode: ACLModeUnknown, }, "unknown-3": { tagValue: "3", diff --git a/api/api_test.go b/api/api_test.go index 268105fc78..ea1578c496 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -908,15 +908,6 @@ func TestAPI_Headers(t *testing.T) { require.Error(t, err) require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type")) - _, err = c.ACL().RulesTranslate(strings.NewReader(` - agent "" { - policy = "read" - } - `)) - // ACL support is disabled - require.Error(t, err) - require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type")) - _, _, err = c.Event().Fire(&UserEvent{ Name: "test", Payload: []byte("foo"), @@ -925,6 +916,24 @@ func TestAPI_Headers(t *testing.T) { require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type")) } +func TestAPI_Deprecated(t *testing.T) { + t.Parallel() + c, s := makeClientWithConfig(t, func(c *Config) { + transport := http.DefaultTransport.(*http.Transport).Clone() + c.Transport = transport + }, nil) + defer s.Stop() + // Rules translation functionality was completely removed in Consul 1.15. + _, err := c.ACL().RulesTranslate(strings.NewReader(` + agent "" { + policy = "read" + } + `)) + require.Error(t, err) + _, err = c.ACL().RulesTranslateToken("") + require.Error(t, err) +} + func TestAPI_RequestToHTTP(t *testing.T) { t.Parallel() c, s := makeClient(t) diff --git a/api/operator_license.go b/api/operator_license.go index 74eed3baa4..14c548b1a3 100644 --- a/api/operator_license.go +++ b/api/operator_license.go @@ -30,9 +30,6 @@ type License struct { // no longer be used in any capacity TerminationTime time.Time `json:"termination_time"` - // Whether the license will ignore termination - IgnoreTermination bool `json:"ignore_termination"` - // The product the license is valid for Product string `json:"product"` diff --git a/ui/packages/consul-ui/app/abilities/token.js b/ui/packages/consul-ui/app/abilities/token.js index a47c392888..034dfb269a 100644 --- a/ui/packages/consul-ui/app/abilities/token.js +++ b/ui/packages/consul-ui/app/abilities/token.js @@ -1,7 +1,6 @@ import BaseAbility from './base'; import { inject as service } from '@ember/service'; -import { isLegacy } from 'consul-ui/helpers/token/is-legacy'; import { isAnonymous } from 'consul-ui/helpers/token/is-anonymous'; export default class TokenAbility extends BaseAbility { @@ -28,6 +27,6 @@ export default class TokenAbility extends BaseAbility { } get canDuplicate() { - return this.env.var('CONSUL_ACLS_ENABLED') && !isLegacy([this.item]) && super.canWrite; + return this.env.var('CONSUL_ACLS_ENABLED') && super.canWrite; } } diff --git a/ui/packages/consul-ui/app/models/token.js b/ui/packages/consul-ui/app/models/token.js index c2b31a339c..46875cc83d 100644 --- a/ui/packages/consul-ui/app/models/token.js +++ b/ui/packages/consul-ui/app/models/token.js @@ -15,7 +15,6 @@ export default class Token extends Model { @attr('string') IDPName; @attr('string') SecretID; - @attr('boolean') Legacy; @attr('boolean') Local; @attr('string', { defaultValue: () => '' }) Description; @attr() meta; // {} @@ -29,12 +28,6 @@ export default class Token extends Model { @attr('number') CreateIndex; @attr('number') ModifyIndex; - // Legacy - @attr('string') Type; - @attr('string', { defaultValue: () => '' }) Name; - @attr('string') Rules; - // End Legacy - @computed('Policies.[]') get isGlobalManagement() { return (this.Policies || []).find((item) => item.ID === MANAGEMENT_ID); diff --git a/ui/packages/consul-ui/tests/integration/helpers/token/is-legacy-test.js b/ui/packages/consul-ui/tests/integration/helpers/token/is-legacy-test.js deleted file mode 100644 index a8f47c8f76..0000000000 --- a/ui/packages/consul-ui/tests/integration/helpers/token/is-legacy-test.js +++ /dev/null @@ -1,17 +0,0 @@ -import { module, test } from 'qunit'; -import { setupRenderingTest } from 'ember-qunit'; -import { render } from '@ember/test-helpers'; -import hbs from 'htmlbars-inline-precompile'; - -module('Integration | Helper | token/is-legacy', function (hooks) { - setupRenderingTest(hooks); - - // Replace this with your real tests. - test('it renders', async function (assert) { - this.set('inputValue', {}); - - await render(hbs`{{token/is-legacy inputValue}}`); - - assert.equal(this.element.textContent.trim(), 'false'); - }); -}); diff --git a/ui/packages/consul-ui/tests/unit/helpers/token/is-legacy-test.js b/ui/packages/consul-ui/tests/unit/helpers/token/is-legacy-test.js deleted file mode 100644 index b998c6b55e..0000000000 --- a/ui/packages/consul-ui/tests/unit/helpers/token/is-legacy-test.js +++ /dev/null @@ -1,53 +0,0 @@ -import { isLegacy } from 'consul-ui/helpers/token/is-legacy'; -import { module, test } from 'qunit'; - -module('Unit | Helper | token/is-legacy', function () { - test('it returns true if the token has a Legacy=true', function (assert) { - const actual = isLegacy([{ Legacy: true }]); - assert.ok(actual); - }); - test('it returns false if the token has a Legacy=false', function (assert) { - const actual = isLegacy([{ Legacy: false }]); - assert.notOk(actual); - }); - test('it returns true if the token has Rules', function (assert) { - const actual = isLegacy([{ Rules: 'some rules' }]); - assert.ok(actual); - }); - test('it returns false if the token has Rules but those rules are empty', function (assert) { - const actual = isLegacy([{ Rules: '' }]); - assert.notOk(actual); - }); - test('it returns false if the token has Rules but those rules is null', function (assert) { - const actual = isLegacy([{ Rules: null }]); - assert.notOk(actual); - }); - // passing arrays - test("it returns false if things don't have Legacy or Rules", function (assert) { - const actual = isLegacy([[{}, {}]]); - assert.notOk(actual); - }); - test('it returns true if the token has a Legacy=true', function (assert) { - const actual = isLegacy([[{}, { Legacy: true }]]); - assert.ok(actual); - }); - test('it returns false if the token has a Legacy=false', function (assert) { - const actual = isLegacy([[{}, { Legacy: false }]]); - assert.notOk(actual); - }); - test('it returns true if one token has Rules', function (assert) { - const actual = isLegacy([[{}, { Rules: 'some rules' }]]); - assert.ok(actual); - }); - test('it returns false if tokens have no Rules, or has Rules but those rules are empty', function (assert) { - const actual = isLegacy([[{}, { Rules: '' }]]); - assert.notOk(actual); - }); - test('it returns false if a token is marked as legacy, has Rules but those rules are empty', function (assert) { - // this may seem strange, but empty Rules should override Legacy, this only happens - // when a legacy token that has already been loaded has its rules wiped out - // WITHOUT then the ui refreshing - const actual = isLegacy([{ Legacy: true, Rules: '' }]); - assert.notOk(actual); - }); -});