From a7b34d50fc5581d54948f9d2bcd67cb0403219bc Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Mon, 9 Jan 2023 13:28:53 -0500 Subject: [PATCH] Output user-friendly name for anonymous token (#15884) --- .changelog/15884.txt | 3 + acl/acl.go | 16 ++ acl/errors.go | 6 + acl/testing.go | 3 +- agent/acl.go | 2 +- agent/agent.go | 7 +- agent/consul/acl.go | 4 +- agent/consul/acl_endpoint.go | 2 +- agent/consul/acl_endpoint_test.go | 336 +++++++++++++-------------- agent/consul/acl_token_exp_test.go | 7 +- agent/consul/intention_endpoint.go | 34 +-- agent/consul/internal_endpoint.go | 2 +- agent/consul/leader.go | 4 +- agent/consul/leader_test.go | 3 +- agent/consul/rpc_test.go | 4 +- agent/consul/state/acl.go | 6 +- agent/consul/state/acl_test.go | 8 +- agent/grpc-external/testutils/acl.go | 2 +- agent/grpc-external/utils.go | 3 +- agent/local/state.go | 20 +- agent/structs/acl.go | 4 - command/acl/acl_helpers.go | 3 +- 22 files changed, 256 insertions(+), 223 deletions(-) create mode 100644 .changelog/15884.txt diff --git a/.changelog/15884.txt b/.changelog/15884.txt new file mode 100644 index 0000000000..aaa4f35c99 --- /dev/null +++ b/.changelog/15884.txt @@ -0,0 +1,3 @@ +```release-note:feature +acl: anonymous token is logged as 'anonymous token' instead of its accessor ID +``` \ No newline at end of file diff --git a/acl/acl.go b/acl/acl.go index 5c0ee9e897..20b0426661 100644 --- a/acl/acl.go +++ b/acl/acl.go @@ -2,6 +2,12 @@ package acl const ( WildcardName = "*" + + // AnonymousTokenID is the AccessorID of the anonymous token. + // When logging or displaying to users, use acl.AliasIfAnonymousToken + // to convert this to AnonymousTokenAlias. + AnonymousTokenID = "00000000-0000-0000-0000-000000000002" + AnonymousTokenAlias = "anonymous token" ) // Config encapsulates all of the generic configuration parameters used for @@ -43,3 +49,13 @@ func (c *Config) Close() { c.EnterpriseConfig.Close() } } + +// AliasIfAnonymousToken returns the string "anonymous token" if +// accessorID is acl.AnonymousTokenID. Used for better +// UX when logging the accessorID. +func AliasIfAnonymousToken(accessorID string) string { + if accessorID == AnonymousTokenID { + return AnonymousTokenAlias + } + return accessorID +} diff --git a/acl/errors.go b/acl/errors.go index 6e6b483daa..585bd12a06 100644 --- a/acl/errors.go +++ b/acl/errors.go @@ -98,6 +98,8 @@ func (e PermissionDeniedError) Error() string { if e.Accessor == "" { message.WriteString(": provided token") + } else if e.Accessor == AnonymousTokenID { + message.WriteString(": anonymous token") } else { fmt.Fprintf(&message, ": token with AccessorID '%s'", e.Accessor) } @@ -107,6 +109,10 @@ func (e PermissionDeniedError) Error() string { if e.ResourceID.Name != "" { fmt.Fprintf(&message, " on %s", e.ResourceID.ToString()) } + + if e.Accessor == AnonymousTokenID { + message.WriteString(". The anonymous token is used implicitly when a request does not specify a token.") + } return message.String() } diff --git a/acl/testing.go b/acl/testing.go index 303bd1de66..283446d00c 100644 --- a/acl/testing.go +++ b/acl/testing.go @@ -2,9 +2,10 @@ package acl import ( "fmt" - "github.com/stretchr/testify/require" "regexp" "testing" + + "github.com/stretchr/testify/require" ) func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) { diff --git a/agent/acl.go b/agent/acl.go index 50e913a4d9..f3ba50cf4b 100644 --- a/agent/acl.go +++ b/agent/acl.go @@ -169,7 +169,7 @@ func (a *Agent) filterMembers(token string, members *[]serf.Member) error { continue } accessorID := authz.AccessorID() - a.logger.Debug("dropping node from result due to ACLs", "node", node, "accessorID", accessorID) + a.logger.Debug("dropping node from result due to ACLs", "node", node, "accessorID", acl.AliasIfAnonymousToken(accessorID)) m = append(m[:i], m[i+1:]...) i-- } diff --git a/agent/agent.go b/agent/agent.go index a19da5c70a..adda75326a 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -17,8 +17,6 @@ import ( "sync" "time" - "github.com/hashicorp/consul/proto/pboperator" - "github.com/armon/go-metrics" "github.com/armon/go-metrics/prometheus" "github.com/hashicorp/go-connlimit" @@ -66,6 +64,7 @@ import ( "github.com/hashicorp/consul/lib/mutex" "github.com/hashicorp/consul/lib/routine" "github.com/hashicorp/consul/logging" + "github.com/hashicorp/consul/proto/pboperator" "github.com/hashicorp/consul/proto/pbpeering" "github.com/hashicorp/consul/tlsutil" "github.com/hashicorp/consul/types" @@ -1956,12 +1955,10 @@ OUTER: WriteRequest: structs.WriteRequest{Token: agentToken}, } var reply struct{} - // todo(kit) port all of these logger calls to hclog w/ loglevel configuration - // todo(kit) handle acl.ErrNotFound cases here in the future if err := a.RPC(context.Background(), "Coordinate.Update", &req, &reply); err != nil { if acl.IsErrPermissionDenied(err) { accessorID := a.aclAccessorID(agentToken) - a.logger.Warn("Coordinate update blocked by ACLs", "accessorID", accessorID) + a.logger.Warn("Coordinate update blocked by ACLs", "accessorID", acl.AliasIfAnonymousToken(accessorID)) } else { a.logger.Error("Coordinate update error", "error", err) } diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 3dbb19a618..03a5750cbf 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -718,7 +718,7 @@ func (r *ACLResolver) collectPoliciesForIdentity(identity structs.ACLIdentity, p } else { r.logger.Warn("policy not found for identity", "policy", policyID, - "accessorID", accessorID, + "accessorID", acl.AliasIfAnonymousToken(accessorID), ) } @@ -819,7 +819,7 @@ func (r *ACLResolver) collectRolesForIdentity(identity structs.ACLIdentity, role } r.logger.Warn("role not found for identity", "role", roleID, - "accessorID", accessorID, + "accessorID", acl.AliasIfAnonymousToken(accessorID), ) } diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index b009b8f914..e149ca4202 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -574,7 +574,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er return fmt.Errorf("Accessor ID is missing or an invalid UUID") } - if args.TokenID == structs.ACLTokenAnonymousID { + if args.TokenID == acl.AnonymousTokenID { return fmt.Errorf("Delete operation not permitted on the anonymous token") } diff --git a/agent/consul/acl_endpoint_test.go b/agent/consul/acl_endpoint_test.go index 06781e7cbf..84930df55e 100644 --- a/agent/consul/acl_endpoint_test.go +++ b/agent/consul/acl_endpoint_test.go @@ -8,7 +8,7 @@ import ( "testing" "time" - uuid "github.com/hashicorp/go-uuid" + "github.com/hashicorp/go-uuid" "github.com/stretchr/testify/require" "gopkg.in/square/go-jose.v2/jwt" @@ -161,7 +161,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} t.Run("exists and matches what we created", func(t *testing.T) { token, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) @@ -176,7 +176,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { resp := structs.ACLTokenResponse{} - err = acl.TokenRead(&req, &resp) + err = aclEp.TokenRead(&req, &resp) require.NoError(t, err) require.Equal(t, token, resp.Token) @@ -199,7 +199,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { resp := structs.ACLTokenResponse{} - require.NoError(t, acl.TokenRead(&req, &resp)) + require.NoError(t, aclEp.TokenRead(&req, &resp)) require.Equal(t, token, resp.Token) }) @@ -214,7 +214,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { resp := structs.ACLTokenResponse{} retry.Run(t, func(r *retry.R) { - require.NoError(r, acl.TokenRead(&req, &resp)) + require.NoError(r, aclEp.TokenRead(&req, &resp)) require.Nil(r, resp.Token) }) }) @@ -233,7 +233,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { resp := structs.ACLTokenResponse{} - err = acl.TokenRead(&req, &resp) + err = aclEp.TokenRead(&req, &resp) require.Nil(t, resp.Token) require.NoError(t, err) }) @@ -248,7 +248,7 @@ func TestACLEndpoint_TokenRead(t *testing.T) { resp := structs.ACLTokenResponse{} - err := acl.TokenRead(&req, &resp) + err := aclEp.TokenRead(&req, &resp) require.Nil(t, resp.Token) require.EqualError(t, err, "failed acl token lookup: index error: UUID must be 36 characters") }) @@ -703,7 +703,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { }) t.Run("Update auth method linked token and try to change auth method", func(t *testing.T) { - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID) @@ -717,7 +717,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { // create a token in one method methodToken := structs.ACLToken{} - require.NoError(t, acl.Login(&structs.ACLLoginRequest{ + require.NoError(t, aclEp.Login(&structs.ACLLoginRequest{ Auth: &structs.ACLLoginParams{ AuthMethod: method1.Name, BearerToken: "fake-token", @@ -743,12 +743,12 @@ func TestACLEndpoint_TokenSet(t *testing.T) { resp := structs.ACLToken{} - err = acl.TokenSet(&req, &resp) + err = aclEp.TokenSet(&req, &resp) testutil.RequireErrorContains(t, err, "Cannot change AuthMethod") }) t.Run("Update auth method linked token and let the SecretID and AuthMethod be defaulted", func(t *testing.T) { - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID) @@ -761,7 +761,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { require.NoError(t, err) methodToken := structs.ACLToken{} - require.NoError(t, acl.Login(&structs.ACLLoginRequest{ + require.NoError(t, aclEp.Login(&structs.ACLLoginRequest{ Auth: &structs.ACLLoginParams{ AuthMethod: method.Name, BearerToken: "fake-token", @@ -783,7 +783,7 @@ func TestACLEndpoint_TokenSet(t *testing.T) { resp := structs.ACLToken{} - require.NoError(t, acl.TokenSet(&req, &resp)) + require.NoError(t, aclEp.TokenSet(&req, &resp)) // Get the token directly to validate that it exists tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", resp.AccessorID) @@ -1291,7 +1291,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // No Create Arg t.Run("no create arg", func(t *testing.T) { @@ -1309,7 +1309,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1330,7 +1330,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.NoError(t, err) // Get the token directly to validate that it exists @@ -1360,7 +1360,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1380,7 +1380,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1400,7 +1400,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1420,7 +1420,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1440,7 +1440,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1460,7 +1460,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1480,7 +1480,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1501,7 +1501,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1521,7 +1521,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) @@ -1542,7 +1542,7 @@ func TestACLEndpoint_TokenSet_CustomID(t *testing.T) { resp := structs.ACLToken{} - err := acl.TokenSet(&req, &resp) + err := aclEp.TokenSet(&req, &resp) require.Error(t, err) }) } @@ -1560,13 +1560,13 @@ func TestACLEndpoint_TokenSet_anon(t *testing.T) { policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // Assign the policies to a token tokenUpsertReq := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, Policies: []structs.ACLTokenPolicyLink{ { ID: policy.ID, @@ -1576,11 +1576,11 @@ func TestACLEndpoint_TokenSet_anon(t *testing.T) { WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } token := structs.ACLToken{} - err = acl.TokenSet(&tokenUpsertReq, &token) + err = aclEp.TokenSet(&tokenUpsertReq, &token) require.NoError(t, err) require.NotEmpty(t, token.SecretID) - tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLTokenAnonymousID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", acl.AnonymousTokenID) require.NoError(t, err) require.Equal(t, len(tokenResp.Token.Policies), 1) require.Equal(t, tokenResp.Token.Policies[0].ID, policy.ID) @@ -1616,7 +1616,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { // Ensure s2 is authoritative. waitForNewACLReplication(t, s2, structs.ACLReplicateTokens, 1, 1, 0) - acl := ACL{srv: s1} + acl1 := ACL{srv: s1} acl2 := ACL{srv: s2} existingToken, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) @@ -1643,7 +1643,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { var resp string - err = acl.TokenDelete(&req, &resp) + err = acl1.TokenDelete(&req, &resp) require.NoError(t, err) // Make sure the token is gone @@ -1675,7 +1675,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { var resp string - err = acl.TokenDelete(&req, &resp) + err = acl1.TokenDelete(&req, &resp) require.NoError(t, err) // Make sure the token is still gone (this time it's actually gone) @@ -1693,7 +1693,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { var resp string - err = acl.TokenDelete(&req, &resp) + err = acl1.TokenDelete(&req, &resp) require.NoError(t, err) // Make sure the token is gone @@ -1712,7 +1712,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { var out structs.ACLTokenResponse - err := acl.TokenRead(&readReq, &out) + err := acl1.TokenRead(&readReq, &out) require.NoError(t, err) @@ -1723,7 +1723,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { } var resp string - err = acl.TokenDelete(&req, &resp) + err = acl1.TokenDelete(&req, &resp) require.EqualError(t, err, "Deletion of the request's authorization token is not permitted") }) @@ -1739,7 +1739,7 @@ func TestACLEndpoint_TokenDelete(t *testing.T) { var resp string - err = acl.TokenDelete(&req, &resp) + err = acl1.TokenDelete(&req, &resp) require.NoError(t, err) // token should be nil @@ -1780,21 +1780,21 @@ func TestACLEndpoint_TokenDelete_anon(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLTokenDeleteRequest{ Datacenter: "dc1", - TokenID: structs.ACLTokenAnonymousID, + TokenID: acl.AnonymousTokenID, WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var resp string - err := acl.TokenDelete(&req, &resp) + err := aclEp.TokenDelete(&req, &resp) require.EqualError(t, err, "Delete operation not permitted on the anonymous token") // Make sure the token is still there - tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", structs.ACLTokenAnonymousID) + tokenResp, err := retrieveTestToken(codec, TestDefaultInitialManagementToken, "dc1", acl.AnonymousTokenID) require.NoError(t, err) require.NotNil(t, tokenResp.Token) } @@ -1812,7 +1812,7 @@ func TestACLEndpoint_TokenList(t *testing.T) { }, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) @@ -1840,12 +1840,12 @@ func TestACLEndpoint_TokenList(t *testing.T) { resp := structs.ACLTokenListResponse{} - err = acl.TokenList(&req, &resp) + err = aclEp.TokenList(&req, &resp) require.NoError(t, err) tokens := []string{ initialManagementTokenAccessorID, - structs.ACLTokenAnonymousID, + acl.AnonymousTokenID, t1.AccessorID, t2.AccessorID, t3.AccessorID, @@ -1863,12 +1863,12 @@ func TestACLEndpoint_TokenList(t *testing.T) { resp := structs.ACLTokenListResponse{} - err = acl.TokenList(&req, &resp) + err = aclEp.TokenList(&req, &resp) require.NoError(t, err) tokens := []string{ initialManagementTokenAccessorID, - structs.ACLTokenAnonymousID, + acl.AnonymousTokenID, t1.AccessorID, t2.AccessorID, } @@ -1889,12 +1889,12 @@ func TestACLEndpoint_TokenList(t *testing.T) { resp := structs.ACLTokenListResponse{} - err = acl.TokenList(&req, &resp) + err = aclEp.TokenList(&req, &resp) require.NoError(t, err) tokens := []string{ initialManagementTokenAccessorID, - structs.ACLTokenAnonymousID, + acl.AnonymousTokenID, readOnlyToken.AccessorID, t1.AccessorID, t2.AccessorID, @@ -1919,7 +1919,7 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { }, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} t1, err := upsertTestToken(codec, TestDefaultInitialManagementToken, "dc1", nil) require.NoError(t, err) @@ -1943,7 +1943,7 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { resp := structs.ACLTokenBatchResponse{} - err = acl.TokenBatchRead(&req, &resp) + err = aclEp.TokenBatchRead(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Tokens), tokens) }) @@ -1961,7 +1961,7 @@ func TestACLEndpoint_TokenBatchRead(t *testing.T) { resp := structs.ACLTokenBatchResponse{} - err = acl.TokenBatchRead(&req, &resp) + err = aclEp.TokenBatchRead(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Tokens), tokens) }) @@ -1979,7 +1979,7 @@ func TestACLEndpoint_PolicyRead(t *testing.T) { policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLPolicyGetRequest{ Datacenter: "dc1", @@ -1989,7 +1989,7 @@ func TestACLEndpoint_PolicyRead(t *testing.T) { resp := structs.ACLPolicyResponse{} - err = acl.PolicyRead(&req, &resp) + err = aclEp.PolicyRead(&req, &resp) require.NoError(t, err) require.Equal(t, policy, resp.Policy) } @@ -2006,7 +2006,7 @@ func TestACLEndpoint_PolicyReadByName(t *testing.T) { policy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLPolicyGetRequest{ Datacenter: "dc1", @@ -2016,7 +2016,7 @@ func TestACLEndpoint_PolicyReadByName(t *testing.T) { resp := structs.ACLPolicyResponse{} - err = acl.PolicyRead(&req, &resp) + err = aclEp.PolicyRead(&req, &resp) require.NoError(t, err) require.Equal(t, policy, resp.Policy) } @@ -2037,7 +2037,7 @@ func TestACLEndpoint_PolicyBatchRead(t *testing.T) { p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} policies := []string{p1.ID, p2.ID} req := structs.ACLPolicyBatchGetRequest{ @@ -2048,7 +2048,7 @@ func TestACLEndpoint_PolicyBatchRead(t *testing.T) { resp := structs.ACLPolicyBatchResponse{} - err = acl.PolicyBatchRead(&req, &resp) + err = aclEp.PolicyBatchRead(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Policies), []string{p1.ID, p2.ID}) } @@ -2062,7 +2062,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} var policyID string @@ -2078,7 +2078,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -2107,7 +2107,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.Error(t, err) }) @@ -2124,7 +2124,7 @@ func TestACLEndpoint_PolicySet(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -2150,7 +2150,7 @@ func TestACLEndpoint_PolicySet_CustomID(t *testing.T) { _, srv, _ := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // Attempt to create policy with ID req := structs.ACLPolicySetRequest{ @@ -2165,7 +2165,7 @@ func TestACLEndpoint_PolicySet_CustomID(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.Error(t, err) } @@ -2179,7 +2179,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // Can't change the rules { @@ -2194,7 +2194,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.EqualError(t, err, "Changing the Rules for the builtin global-management policy is not permitted") } @@ -2211,7 +2211,7 @@ func TestACLEndpoint_PolicySet_globalManagement(t *testing.T) { } resp := structs.ACLPolicy{} - err := acl.PolicySet(&req, &resp) + err := aclEp.PolicySet(&req, &resp) require.NoError(t, err) // Get the policy again @@ -2238,7 +2238,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) { existingPolicy, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLPolicyDeleteRequest{ Datacenter: "dc1", @@ -2248,7 +2248,7 @@ func TestACLEndpoint_PolicyDelete(t *testing.T) { var resp string - err = acl.PolicyDelete(&req, &resp) + err = aclEp.PolicyDelete(&req, &resp) require.NoError(t, err) // Make sure the policy is gone @@ -2266,7 +2266,7 @@ func TestACLEndpoint_PolicyDelete_globalManagement(t *testing.T) { _, srv, _ := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLPolicyDeleteRequest{ Datacenter: "dc1", @@ -2275,7 +2275,7 @@ func TestACLEndpoint_PolicyDelete_globalManagement(t *testing.T) { } var resp string - err := acl.PolicyDelete(&req, &resp) + err := aclEp.PolicyDelete(&req, &resp) require.EqualError(t, err, "Delete operation not permitted on the builtin global-management policy") } @@ -2296,7 +2296,7 @@ func TestACLEndpoint_PolicyList(t *testing.T) { p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLPolicyListRequest{ Datacenter: "dc1", @@ -2305,7 +2305,7 @@ func TestACLEndpoint_PolicyList(t *testing.T) { resp := structs.ACLPolicyListResponse{} - err = acl.PolicyList(&req, &resp) + err = aclEp.PolicyList(&req, &resp) require.NoError(t, err) policies := []string{ @@ -2332,7 +2332,7 @@ func TestACLEndpoint_PolicyResolve(t *testing.T) { p2, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} policies := []string{p1.ID, p2.ID} @@ -2352,7 +2352,7 @@ func TestACLEndpoint_PolicyResolve(t *testing.T) { WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } token := structs.ACLToken{} - err = acl.TokenSet(&tokenUpsertReq, &token) + err = aclEp.TokenSet(&tokenUpsertReq, &token) require.NoError(t, err) require.NotEmpty(t, token.SecretID) @@ -2362,7 +2362,7 @@ func TestACLEndpoint_PolicyResolve(t *testing.T) { PolicyIDs: []string{p1.ID, p2.ID}, QueryOptions: structs.QueryOptions{Token: token.SecretID}, } - err = acl.PolicyResolve(&req, &resp) + err = aclEp.PolicyResolve(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Policies), policies) } @@ -2379,7 +2379,7 @@ func TestACLEndpoint_RoleRead(t *testing.T) { role, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLRoleGetRequest{ Datacenter: "dc1", @@ -2389,7 +2389,7 @@ func TestACLEndpoint_RoleRead(t *testing.T) { resp := structs.ACLRoleResponse{} - err = acl.RoleRead(&req, &resp) + err = aclEp.RoleRead(&req, &resp) require.NoError(t, err) require.Equal(t, role, resp.Role) } @@ -2410,7 +2410,7 @@ func TestACLEndpoint_RoleBatchRead(t *testing.T) { r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} roles := []string{r1.ID, r2.ID} req := structs.ACLRoleBatchGetRequest{ @@ -2421,7 +2421,7 @@ func TestACLEndpoint_RoleBatchRead(t *testing.T) { resp := structs.ACLRoleBatchResponse{} - err = acl.RoleBatchRead(&req, &resp) + err = aclEp.RoleBatchRead(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Roles), roles) } @@ -2798,7 +2798,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testPolicy1, err := upsertTestPolicy(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) @@ -2855,7 +2855,7 @@ func TestACLEndpoint_RoleSet_names(t *testing.T) { } resp := structs.ACLRole{} - err := acl.RoleSet(&req, &resp) + err := aclEp.RoleSet(&req, &resp) if test.ok { require.NoError(t, err) @@ -2883,7 +2883,7 @@ func TestACLEndpoint_RoleDelete(t *testing.T) { require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLRoleDeleteRequest{ Datacenter: "dc1", @@ -2893,7 +2893,7 @@ func TestACLEndpoint_RoleDelete(t *testing.T) { var resp string - err = acl.RoleDelete(&req, &resp) + err = aclEp.RoleDelete(&req, &resp) require.NoError(t, err) // Make sure the role is gone @@ -2918,7 +2918,7 @@ func TestACLEndpoint_RoleList(t *testing.T) { r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLRoleListRequest{ Datacenter: "dc1", @@ -2927,7 +2927,7 @@ func TestACLEndpoint_RoleList(t *testing.T) { resp := structs.ACLRoleListResponse{} - err = acl.RoleList(&req, &resp) + err = aclEp.RoleList(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Roles), []string{r1.ID, r2.ID}) } @@ -2949,7 +2949,7 @@ func TestACLEndpoint_RoleResolve(t *testing.T) { r2, err := upsertTestRole(codec, TestDefaultInitialManagementToken, "dc1") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // Assign the roles to a token tokenUpsertReq := structs.ACLTokenSetRequest{ @@ -2967,7 +2967,7 @@ func TestACLEndpoint_RoleResolve(t *testing.T) { WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } token := structs.ACLToken{} - err = acl.TokenSet(&tokenUpsertReq, &token) + err = aclEp.TokenSet(&tokenUpsertReq, &token) require.NoError(t, err) require.NotEmpty(t, token.SecretID) @@ -2977,7 +2977,7 @@ func TestACLEndpoint_RoleResolve(t *testing.T) { RoleIDs: []string{r1.ID, r2.ID}, QueryOptions: structs.QueryOptions{Token: token.SecretID}, } - err = acl.RoleResolve(&req, &resp) + err = aclEp.RoleResolve(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.Roles), []string{r1.ID, r2.ID}) }) @@ -2997,7 +2997,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} newAuthMethod := func(name string) structs.ACLAuthMethod { return structs.ACLAuthMethod{ @@ -3017,7 +3017,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.NoError(t, err) // Get the method directly to validate that it exists @@ -3041,7 +3041,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.Error(t, err) }) @@ -3058,7 +3058,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.NoError(t, err) // Get the method directly to validate that it exists @@ -3084,7 +3084,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.NoError(t, err) // Get the method directly to validate that it exists @@ -3106,7 +3106,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.Error(t, err) }) @@ -3122,7 +3122,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.Error(t, err) }) @@ -3162,7 +3162,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) if test.ok { require.NoError(t, err) @@ -3191,7 +3191,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.NoError(t, err) // Get the method directly to validate that it exists @@ -3218,7 +3218,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) require.NoError(t, err) // Get the method directly to validate that it exists @@ -3244,7 +3244,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than") }) @@ -3259,7 +3259,7 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) { } resp := structs.ACLAuthMethod{} - err := acl.AuthMethodSet(&req, &resp) + err := aclEp.AuthMethodSet(&req, &resp) testutil.RequireErrorContains(t, err, "MaxTokenTTL 25h0m0s cannot be more than") }) } @@ -3280,7 +3280,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) { existingMethod, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", testSessionID) require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} t.Run("normal", func(t *testing.T) { req := structs.ACLAuthMethodDeleteRequest{ @@ -3290,7 +3290,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) { } var ignored bool - err = acl.AuthMethodDelete(&req, &ignored) + err = aclEp.AuthMethodDelete(&req, &ignored) require.NoError(t, err) // Make sure the method is gone @@ -3307,7 +3307,7 @@ func TestACLEndpoint_AuthMethodDelete(t *testing.T) { } var ignored bool - err = acl.AuthMethodDelete(&req, &ignored) + err = aclEp.AuthMethodDelete(&req, &ignored) require.NoError(t, err) }) } @@ -3332,11 +3332,11 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) { testauth.InstallSessionToken(testSessionID2, "fake-token2", "default", "abc", "abc123") createToken := func(methodName, bearerToken string) *structs.ACLToken { - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} resp := structs.ACLToken{} - require.NoError(t, acl.Login(&structs.ACLLoginRequest{ + require.NoError(t, aclEp.Login(&structs.ACLLoginRequest{ Auth: &structs.ACLLoginParams{ AuthMethod: methodName, BearerToken: bearerToken, @@ -3389,7 +3389,7 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) { i2_t1 := createToken(method2.Name, "fake-token2") i2_t2 := createToken(method2.Name, "fake-token2") - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLAuthMethodDeleteRequest{ Datacenter: "dc1", @@ -3398,7 +3398,7 @@ func TestACLEndpoint_AuthMethodDelete_RuleAndTokenCascade(t *testing.T) { } var ignored bool - err = acl.AuthMethodDelete(&req, &ignored) + err = aclEp.AuthMethodDelete(&req, &ignored) require.NoError(t, err) // Make sure the method is gone. @@ -3447,7 +3447,7 @@ func TestACLEndpoint_AuthMethodList(t *testing.T) { i2, err := upsertTestAuthMethod(codec, TestDefaultInitialManagementToken, "dc1", "") require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLAuthMethodListRequest{ Datacenter: "dc1", @@ -3456,7 +3456,7 @@ func TestACLEndpoint_AuthMethodList(t *testing.T) { resp := structs.ACLAuthMethodListResponse{} - err = acl.AuthMethodList(&req, &resp) + err = aclEp.AuthMethodList(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.AuthMethods), []string{i1.Name, i2.Name}) } @@ -3470,7 +3470,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} var ruleID string @@ -3498,7 +3498,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } resp := structs.ACLBindingRule{} - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.Error(t, err) } @@ -3510,7 +3510,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } resp := structs.ACLBindingRule{} - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.NoError(t, err) require.NotEmpty(t, resp.ID) return &resp @@ -3526,7 +3526,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } resp := structs.ACLBindingRule{} - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -3559,7 +3559,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } var resp structs.ACLBindingRule - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -3599,7 +3599,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } resp := structs.ACLBindingRule{} - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -3631,7 +3631,7 @@ func TestACLEndpoint_BindingRuleSet(t *testing.T) { } resp := structs.ACLBindingRule{} - err := acl.BindingRuleSet(&req, &resp) + err := aclEp.BindingRuleSet(&req, &resp) require.NoError(t, err) require.NotNil(t, resp.ID) @@ -3744,7 +3744,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) { ) require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} t.Run("normal", func(t *testing.T) { req := structs.ACLBindingRuleDeleteRequest{ @@ -3754,7 +3754,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) { } var ignored bool - err = acl.BindingRuleDelete(&req, &ignored) + err = aclEp.BindingRuleDelete(&req, &ignored) require.NoError(t, err) // Make sure the rule is gone @@ -3774,7 +3774,7 @@ func TestACLEndpoint_BindingRuleDelete(t *testing.T) { } var ignored bool - err = acl.BindingRuleDelete(&req, &ignored) + err = aclEp.BindingRuleDelete(&req, &ignored) require.NoError(t, err) }) } @@ -3810,7 +3810,7 @@ func TestACLEndpoint_BindingRuleList(t *testing.T) { ) require.NoError(t, err) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} req := structs.ACLBindingRuleListRequest{ Datacenter: "dc1", @@ -3819,7 +3819,7 @@ func TestACLEndpoint_BindingRuleList(t *testing.T) { resp := structs.ACLBindingRuleListResponse{} - err = acl.BindingRuleList(&req, &resp) + err = aclEp.BindingRuleList(&req, &resp) require.NoError(t, err) require.ElementsMatch(t, gatherIDs(t, resp.BindingRules), []string{r1.ID, r2.ID}) } @@ -3953,7 +3953,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { // Ensure s2 is authoritative. waitForNewACLReplication(t, s2, structs.ACLReplicateTokens, 1, 1, 0) - acl := ACL{srv: s1} + aclEp := ACL{srv: s1} acl2 := ACL{srv: s2} // @@ -4051,7 +4051,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLAuthMethodResponse{} - require.NoError(t, acl.AuthMethodRead(&req, &resp)) + require.NoError(t, aclEp.AuthMethodRead(&req, &resp)) require.Nil(t, resp.AuthMethod) }) @@ -4071,7 +4071,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLAuthMethodListResponse{} - require.NoError(t, acl.AuthMethodList(&req, &resp)) + require.NoError(t, aclEp.AuthMethodList(&req, &resp)) require.Len(t, resp.AuthMethods, 0) }) @@ -4152,7 +4152,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLBindingRuleResponse{} - require.NoError(t, acl.BindingRuleRead(&req, &resp)) + require.NoError(t, aclEp.BindingRuleRead(&req, &resp)) require.Nil(t, resp.BindingRule) }) @@ -4172,7 +4172,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { QueryOptions: structs.QueryOptions{Token: TestDefaultInitialManagementToken}, } resp = structs.ACLBindingRuleListResponse{} - require.NoError(t, acl.BindingRuleList(&req, &resp)) + require.NoError(t, aclEp.BindingRuleList(&req, &resp)) require.Len(t, resp.BindingRules, 0) }) @@ -4219,7 +4219,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } respAM := structs.ACLAuthMethod{} - require.NoError(t, acl.AuthMethodSet(&reqAM, &respAM)) + require.NoError(t, aclEp.AuthMethodSet(&reqAM, &respAM)) reqBR := structs.ACLBindingRuleSetRequest{ Datacenter: "dc1", @@ -4232,7 +4232,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { } respBR := structs.ACLBindingRule{} - require.NoError(t, acl.BindingRuleSet(&reqBR, &respBR)) + require.NoError(t, aclEp.BindingRuleSet(&reqBR, &respBR)) }) var primaryToken *structs.ACLToken @@ -4246,7 +4246,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) primaryToken = &resp // present in dc1 @@ -4271,7 +4271,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { } var ignored bool - require.NoError(t, acl.Logout(&req, &ignored)) + require.NoError(t, aclEp.Logout(&req, &ignored)) // absent in dc2 resp2, err := retrieveTestToken(codec2, TestDefaultInitialManagementToken, "dc2", remoteToken.AccessorID) @@ -4290,7 +4290,7 @@ func TestACLEndpoint_SecureIntroEndpoints_OnlyCreateLocalData(t *testing.T) { } var ignored bool - testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "ACL not found") + testutil.RequireErrorContains(t, aclEp.Logout(&req, &ignored), "ACL not found") // present in dc1 resp2, err := retrieveTestToken(codec1, TestDefaultInitialManagementToken, "dc1", primaryToken.AccessorID) @@ -4358,7 +4358,7 @@ func TestACLEndpoint_Login(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID) @@ -4447,7 +4447,7 @@ func TestACLEndpoint_Login(t *testing.T) { req.Token = "nope" resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "do not provide a token") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "do not provide a token") }) t.Run("unknown method", func(t *testing.T) { @@ -4461,7 +4461,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), fmt.Sprintf("auth method %q not found", method.Name+"-notexist")) + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), fmt.Sprintf("auth method %q not found", method.Name+"-notexist")) }) t.Run("invalid method token", func(t *testing.T) { @@ -4475,7 +4475,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.Error(t, acl.Login(&req, &resp)) + require.Error(t, aclEp.Login(&req, &resp)) }) t.Run("valid method token no bindings", func(t *testing.T) { @@ -4489,7 +4489,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "Permission denied") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "Permission denied") }) t.Run("valid method token 1 role binding and role does not exist", func(t *testing.T) { @@ -4503,7 +4503,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "Permission denied") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "Permission denied") }) // create the role so that the bindtype=role login works @@ -4518,7 +4518,7 @@ func TestACLEndpoint_Login(t *testing.T) { } var out structs.ACLRole - require.NoError(t, acl.RoleSet(&arg, &out)) + require.NoError(t, aclEp.RoleSet(&arg, &out)) vaultRoleID = out.ID } @@ -4534,7 +4534,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -4557,7 +4557,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -4581,7 +4581,7 @@ func TestACLEndpoint_Login(t *testing.T) { } var out structs.ACLRole - require.NoError(t, acl.RoleSet(&arg, &out)) + require.NoError(t, aclEp.RoleSet(&arg, &out)) monolithRoleID = out.ID } @@ -4597,7 +4597,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -4623,7 +4623,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -4646,7 +4646,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"node":"true"}`, resp.Description) @@ -4672,7 +4672,7 @@ func TestACLEndpoint_Login(t *testing.T) { } var out structs.ACLBindingRule - require.NoError(t, acl.BindingRuleSet(&req, &out)) + require.NoError(t, aclEp.BindingRuleSet(&req, &out)) } t.Run("valid bearer token 1 binding (no selectors this time)", func(t *testing.T) { @@ -4686,7 +4686,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -4716,7 +4716,7 @@ func TestACLEndpoint_Login(t *testing.T) { } var ignored structs.ACLAuthMethod - require.NoError(t, acl.AuthMethodSet(&req, &ignored)) + require.NoError(t, aclEp.AuthMethodSet(&req, &ignored)) } t.Run("updating the method invalidates the cache", func(t *testing.T) { @@ -4732,7 +4732,7 @@ func TestACLEndpoint_Login(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "ACL not found") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "ACL not found") }) } @@ -4746,7 +4746,7 @@ func TestACLEndpoint_Login_with_MaxTokenTTL(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID) @@ -4784,7 +4784,7 @@ func TestACLEndpoint_Login_with_MaxTokenTTL(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) got := &resp got.CreateIndex = 0 @@ -4837,7 +4837,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { // Ensure s2 is authoritative. waitForNewACLReplication(t, s2, structs.ACLReplicateTokens, 1, 1, 0) - acl := ACL{srv: s1} + acl1 := ACL{srv: s1} acl2 := ACL{srv: s2} testSessionID := testauth.StartSession() @@ -4890,7 +4890,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, acl1.Login(&req, &resp)) secretID := resp.SecretID @@ -4937,7 +4937,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) { logoutACL = acl2 logoutDC = "dc2" } else { - logoutACL = acl + logoutACL = acl1 logoutDC = "dc1" } @@ -4962,7 +4962,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // spin up a fake api server testSrv := kubeauth.StartTestAPIServer(t) @@ -4996,7 +4996,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { } resp := structs.ACLToken{} - require.Error(t, acl.Login(&req, &resp)) + require.Error(t, aclEp.Login(&req, &resp)) }) t.Run("valid bearer token no bindings", func(t *testing.T) { @@ -5010,7 +5010,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "Permission denied") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "Permission denied") }) _, err = upsertTestBindingRule( @@ -5032,7 +5032,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -5064,7 +5064,7 @@ func TestACLEndpoint_Login_k8s(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login: {"pod":"pod1"}`, resp.Description) @@ -5087,7 +5087,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} // spin up a fake oidc server oidcServer := oidcauthtest.Start(t) @@ -5151,7 +5151,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { } resp := structs.ACLToken{} - require.Error(t, acl.Login(&req, &resp)) + require.Error(t, aclEp.Login(&req, &resp)) }) cl := jwt.Claims{ @@ -5189,7 +5189,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { } resp := structs.ACLToken{} - testutil.RequireErrorContains(t, acl.Login(&req, &resp), "Permission denied") + testutil.RequireErrorContains(t, aclEp.Login(&req, &resp), "Permission denied") }) _, err = upsertTestBindingRule( @@ -5210,7 +5210,7 @@ func TestACLEndpoint_Login_jwt(t *testing.T) { } resp := structs.ACLToken{} - require.NoError(t, acl.Login(&req, &resp)) + require.NoError(t, aclEp.Login(&req, &resp)) require.Equal(t, method.Name, resp.AuthMethod) require.Equal(t, `token created via login`, resp.Description) @@ -5235,7 +5235,7 @@ func TestACLEndpoint_Logout(t *testing.T) { _, srv, codec := testACLServerWithConfig(t, nil, false) waitForLeaderEstablishment(t, srv) - acl := ACL{srv: srv} + aclEp := ACL{srv: srv} testSessionID := testauth.StartSession() defer testauth.ResetSession(testSessionID) @@ -5264,7 +5264,7 @@ func TestACLEndpoint_Logout(t *testing.T) { req.Token = "" var ignored bool - testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "ACL not found") + testutil.RequireErrorContains(t, aclEp.Logout(&req, &ignored), "ACL not found") }) t.Run("logout from deleted token", func(t *testing.T) { @@ -5273,7 +5273,7 @@ func TestACLEndpoint_Logout(t *testing.T) { WriteRequest: structs.WriteRequest{Token: "not-found"}, } var ignored bool - testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "ACL not found") + testutil.RequireErrorContains(t, aclEp.Logout(&req, &ignored), "ACL not found") }) t.Run("logout from non-auth method-linked token should fail", func(t *testing.T) { @@ -5282,7 +5282,7 @@ func TestACLEndpoint_Logout(t *testing.T) { WriteRequest: structs.WriteRequest{Token: TestDefaultInitialManagementToken}, } var ignored bool - testutil.RequireErrorContains(t, acl.Logout(&req, &ignored), "Permission denied") + testutil.RequireErrorContains(t, aclEp.Logout(&req, &ignored), "Permission denied") }) t.Run("login then logout", func(t *testing.T) { @@ -5296,7 +5296,7 @@ func TestACLEndpoint_Logout(t *testing.T) { } loginToken := structs.ACLToken{} - require.NoError(t, acl.Login(&loginReq, &loginToken)) + require.NoError(t, aclEp.Login(&loginReq, &loginToken)) require.NotEmpty(t, loginToken.SecretID) // Now turn around and nuke it. @@ -5306,7 +5306,7 @@ func TestACLEndpoint_Logout(t *testing.T) { } var ignored bool - require.NoError(t, acl.Logout(&req, &ignored)) + require.NoError(t, aclEp.Logout(&req, &ignored)) }) } diff --git a/agent/consul/acl_token_exp_test.go b/agent/consul/acl_token_exp_test.go index 672cb332c0..c4f0c768d0 100644 --- a/agent/consul/acl_token_exp_test.go +++ b/agent/consul/acl_token_exp_test.go @@ -7,6 +7,7 @@ import ( "github.com/stretchr/testify/require" + "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/testrpc" ) @@ -56,7 +57,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) { codec := rpcClient(t, s1) defer codec.Close() - acl := ACL{srv: s1} + aclEp := ACL{srv: s1} initialManagementTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root") require.NoError(t, err) @@ -68,7 +69,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) { } var res structs.ACLTokenListResponse - err = acl.TokenList(&req, &res) + err = aclEp.TokenList(&req, &res) if err != nil { return nil, nil, err } @@ -91,7 +92,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) { // The initial management token and the anonymous token are always // going to be present and global. expectGlobal = append(expectGlobal, initialManagementTokenAccessorID) - expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID) + expectGlobal = append(expectGlobal, acl.AnonymousTokenID) if local { expectLocal = append(expectLocal, expect...) diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go index 3c938f22d4..6ad053f7f6 100644 --- a/agent/consul/intention_endpoint.go +++ b/agent/consul/intention_endpoint.go @@ -176,11 +176,10 @@ func (s *Intention) computeApplyChangesLegacyCreate( if !args.Intention.CanWrite(authz) { sn := args.Intention.SourceServiceName() dn := args.Intention.DestinationServiceName() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it s.logger.Warn("Intention creation denied due to ACLs", "source", sn.String(), "destination", dn.String(), - "accessorID", accessorID) + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return nil, acl.ErrPermissionDenied } @@ -250,8 +249,9 @@ func (s *Intention) computeApplyChangesLegacyUpdate( } if !ixn.CanWrite(authz) { - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it - s.logger.Warn("Update operation on intention denied due to ACLs", "intention", args.Intention.ID, "accessorID", accessorID) + s.logger.Warn("Update operation on intention denied due to ACLs", + "intention", args.Intention.ID, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return nil, acl.ErrPermissionDenied } @@ -311,11 +311,10 @@ func (s *Intention) computeApplyChangesUpsert( if !args.Intention.CanWrite(authz) { sn := args.Intention.SourceServiceName() dn := args.Intention.DestinationServiceName() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it s.logger.Warn("Intention upsert denied due to ACLs", "source", sn.String(), "destination", dn.String(), - "accessorID", accessorID) + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return nil, acl.ErrPermissionDenied } @@ -371,8 +370,9 @@ func (s *Intention) computeApplyChangesLegacyDelete( } if !ixn.CanWrite(authz) { - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it - s.logger.Warn("Deletion operation on intention denied due to ACLs", "intention", args.Intention.ID, "accessorID", accessorID) + s.logger.Warn("Deletion operation on intention denied due to ACLs", + "intention", args.Intention.ID, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return nil, acl.ErrPermissionDenied } @@ -392,11 +392,10 @@ func (s *Intention) computeApplyChangesDelete( if !args.Intention.CanWrite(authz) { sn := args.Intention.SourceServiceName() dn := args.Intention.DestinationServiceName() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it s.logger.Warn("Intention delete denied due to ACLs", "source", sn.String(), "destination", dn.String(), - "accessorID", accessorID) + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return nil, acl.ErrPermissionDenied } @@ -483,8 +482,9 @@ func (s *Intention) Get(args *structs.IntentionQueryRequest, reply *structs.Inde // If ACLs prevented any responses, error if len(reply.Intentions) == 0 { accessorID := authz.AccessorID() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it - s.logger.Warn("Request to get intention denied due to ACLs", "intention", args.IntentionID, "accessorID", accessorID) + s.logger.Warn("Request to get intention denied due to ACLs", + "intention", args.IntentionID, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return acl.ErrPermissionDenied } @@ -617,8 +617,9 @@ func (s *Intention) Match(args *structs.IntentionQueryRequest, reply *structs.In if prefix := entry.Name; prefix != "" { if err := authz.ToAllowAuthorizer().IntentionReadAllowed(prefix, &authzContext); err != nil { accessorID := authz.AccessorID() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it - s.logger.Warn("Operation on intention prefix denied due to ACLs", "prefix", prefix, "accessorID", accessorID) + s.logger.Warn("Operation on intention prefix denied due to ACLs", + "prefix", prefix, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return err } } @@ -741,8 +742,9 @@ func (s *Intention) Check(args *structs.IntentionQueryRequest, reply *structs.In query.FillAuthzContext(&authzContext) if err := authz.ToAllowAuthorizer().ServiceReadAllowed(prefix, &authzContext); err != nil { accessorID := authz.AccessorID() - // todo(kit) Migrate intention access denial logging over to audit logging when we implement it - s.logger.Warn("test on intention denied due to ACLs", "prefix", prefix, "accessorID", accessorID) + s.logger.Warn("test on intention denied due to ACLs", + "prefix", prefix, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) return err } } diff --git a/agent/consul/internal_endpoint.go b/agent/consul/internal_endpoint.go index a740e575da..2b5e8a1942 100644 --- a/agent/consul/internal_endpoint.go +++ b/agent/consul/internal_endpoint.go @@ -755,7 +755,7 @@ func (m *Internal) EventFire(args *structs.EventFireRequest, if err := authz.ToAllowAuthorizer().EventWriteAllowed(args.Name, nil); err != nil { accessorID := authz.AccessorID() - m.logger.Warn("user event blocked by ACLs", "event", args.Name, "accessorID", accessorID) + m.logger.Warn("user event blocked by ACLs", "event", args.Name, "accessorID", acl.AliasIfAnonymousToken(accessorID)) return err } diff --git a/agent/consul/leader.go b/agent/consul/leader.go index 94aeeb3bb4..fde95684da 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -510,7 +510,7 @@ func (s *Server) initializeACLs(ctx context.Context) error { // Ignoring expiration times to avoid an insertion collision. if token == nil { token = &structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, SecretID: anonymousToken, Description: "Anonymous Token", CreateTime: time.Now(), @@ -595,7 +595,7 @@ func (s *Server) legacyACLTokenUpgrade(ctx context.Context) error { newToken := *token if token.SecretID == anonymousToken { - newToken.AccessorID = structs.ACLTokenAnonymousID + newToken.AccessorID = acl.AnonymousTokenID } else { accessor, err := lib.GenerateUUID(s.checkTokenUUID) if err != nil { diff --git a/agent/consul/leader_test.go b/agent/consul/leader_test.go index 0eaa33946d..3bbe08bc63 100644 --- a/agent/consul/leader_test.go +++ b/agent/consul/leader_test.go @@ -20,6 +20,7 @@ import ( msgpackrpc "github.com/hashicorp/consul-net-rpc/net-rpc-msgpackrpc" + "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" tokenStore "github.com/hashicorp/consul/agent/token" "github.com/hashicorp/consul/api" @@ -2409,7 +2410,7 @@ func TestLeader_ACL_Initialization_AnonymousToken(t *testing.T) { reqToken := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, SecretID: anonymousToken, Description: "Anonymous Token", CreateTime: time.Now(), diff --git a/agent/consul/rpc_test.go b/agent/consul/rpc_test.go index b08dd995b7..92821362da 100644 --- a/agent/consul/rpc_test.go +++ b/agent/consul/rpc_test.go @@ -1047,7 +1047,7 @@ func TestRPC_LocalTokenStrippedOnForward(t *testing.T) { tokenUpsertReq := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, Policies: []structs.ACLTokenPolicyLink{ { ID: kvPolicy.ID, @@ -1225,7 +1225,7 @@ func TestRPC_LocalTokenStrippedOnForward_GRPC(t *testing.T) { tokenUpsertReq := structs.ACLTokenSetRequest{ Datacenter: "dc1", ACLToken: structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, Policies: []structs.ACLTokenPolicyLink{ {ID: policy.ID}, }, diff --git a/agent/consul/state/acl.go b/agent/consul/state/acl.go index 61fa3337fb..3e604625c0 100644 --- a/agent/consul/state/acl.go +++ b/agent/consul/state/acl.go @@ -4,11 +4,11 @@ import ( "fmt" "time" - memdb "github.com/hashicorp/go-memdb" + "github.com/hashicorp/go-memdb" "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" - pbacl "github.com/hashicorp/consul/proto/pbacl" + "github.com/hashicorp/consul/proto/pbacl" ) // ACLTokens is used when saving a snapshot @@ -839,7 +839,7 @@ func aclTokenDeleteTxn(tx WriteTxn, idx uint64, value, index string, entMeta *ac return nil } - if token.(*structs.ACLToken).AccessorID == structs.ACLTokenAnonymousID { + if token.(*structs.ACLToken).AccessorID == acl.AnonymousTokenID { return fmt.Errorf("Deletion of the builtin anonymous token is not permitted") } diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go index 9634bf52f1..5c9e097e98 100644 --- a/agent/consul/state/acl_test.go +++ b/agent/consul/state/acl_test.go @@ -41,7 +41,7 @@ func setupGlobalManagement(t *testing.T, s *Store) { func setupAnonymous(t *testing.T, s *Store) { token := structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, SecretID: "anonymous", Description: "Anonymous Token", } @@ -979,7 +979,7 @@ func TestStateStore_ACLToken_List(t *testing.T) { role: "", methodName: "", accessors: []string{ - structs.ACLTokenAnonymousID, + acl.AnonymousTokenID, "47eea4da-bda1-48a6-901c-3e36d2d9262f", // policy + global "54866514-3cf2-4fec-8a8a-710583831834", // mgmt + global "74277ae1-6a9b-4035-b444-2370fe6a2cb5", // authMethod + global @@ -1098,7 +1098,7 @@ func TestStateStore_ACLToken_List(t *testing.T) { role: "", methodName: "", accessors: []string{ - structs.ACLTokenAnonymousID, + acl.AnonymousTokenID, "211f0360-ef53-41d3-9d4d-db84396eb6c0", // authMethod + local "47eea4da-bda1-48a6-901c-3e36d2d9262f", // policy + global "4915fc9d-3726-4171-b588-6c271f45eecd", // policy + local @@ -1476,7 +1476,7 @@ func TestStateStore_ACLToken_Delete(t *testing.T) { t.Parallel() s := testACLTokensStateStore(t) - require.Error(t, s.ACLTokenDeleteByAccessor(3, structs.ACLTokenAnonymousID, nil)) + require.Error(t, s.ACLTokenDeleteByAccessor(3, acl.AnonymousTokenID, nil)) }) t.Run("Not Found", func(t *testing.T) { diff --git a/agent/grpc-external/testutils/acl.go b/agent/grpc-external/testutils/acl.go index ccb2e6a30e..8def60fff7 100644 --- a/agent/grpc-external/testutils/acl.go +++ b/agent/grpc-external/testutils/acl.go @@ -18,7 +18,7 @@ func ACLAnonymous(t *testing.T) resolver.Result { return resolver.Result{ Authorizer: acl.DenyAll(), ACLIdentity: &structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, + AccessorID: acl.AnonymousTokenID, }, } } diff --git a/agent/grpc-external/utils.go b/agent/grpc-external/utils.go index 4d6e918924..bb218ddf0e 100644 --- a/agent/grpc-external/utils.go +++ b/agent/grpc-external/utils.go @@ -7,7 +7,6 @@ import ( "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/acl/resolver" - "github.com/hashicorp/consul/agent/structs" ) // We tag logs with a unique identifier to ease debugging. In the future this @@ -36,7 +35,7 @@ func RequireAnyValidACLToken(resolver ACLResolver, token string) error { return status.Error(codes.Unauthenticated, err.Error()) } - if id := authz.ACLIdentity; id != nil && id.ID() == structs.ACLTokenAnonymousID { + if id := authz.ACLIdentity; id != nil && id.ID() == acl.AnonymousTokenID { return status.Error(codes.Unauthenticated, "An ACL token must be provided (via the `x-consul-token` metadata field) to call this endpoint") } diff --git a/agent/local/state.go b/agent/local/state.go index d2a634ebf0..559250a9d6 100644 --- a/agent/local/state.go +++ b/agent/local/state.go @@ -1301,7 +1301,9 @@ func (l *State) deleteService(key structs.ServiceID) error { // todo(fs): some backoff strategy might be a better solution l.services[key].InSync = true accessorID := l.aclAccessorID(st) - l.logger.Warn("Service deregistration blocked by ACLs", "service", key.String(), "accessorID", accessorID) + l.logger.Warn("Service deregistration blocked by ACLs", + "service", key.String(), + "accessorID", acl.AliasIfAnonymousToken(accessorID)) metrics.IncrCounter([]string{"acl", "blocked", "service", "deregistration"}, 1) return nil @@ -1341,7 +1343,9 @@ func (l *State) deleteCheck(key structs.CheckID) error { // todo(fs): some backoff strategy might be a better solution l.checks[key].InSync = true accessorID := l.aclAccessorID(ct) - l.logger.Warn("Check deregistration blocked by ACLs", "check", key.String(), "accessorID", accessorID) + l.logger.Warn("Check deregistration blocked by ACLs", + "check", key.String(), + "accessorID", acl.AliasIfAnonymousToken(accessorID)) metrics.IncrCounter([]string{"acl", "blocked", "check", "deregistration"}, 1) return nil @@ -1430,7 +1434,9 @@ func (l *State) syncService(key structs.ServiceID) error { l.checks[checkKey].InSync = true } accessorID := l.aclAccessorID(st) - l.logger.Warn("Service registration blocked by ACLs", "service", key.String(), "accessorID", accessorID) + l.logger.Warn("Service registration blocked by ACLs", + "service", key.String(), + "accessorID", acl.AliasIfAnonymousToken(accessorID)) metrics.IncrCounter([]string{"acl", "blocked", "service", "registration"}, 1) return nil @@ -1484,7 +1490,9 @@ func (l *State) syncCheck(key structs.CheckID) error { // todo(fs): some backoff strategy might be a better solution l.checks[key].InSync = true accessorID := l.aclAccessorID(ct) - l.logger.Warn("Check registration blocked by ACLs", "check", key.String(), "accessorID", accessorID) + l.logger.Warn("Check registration blocked by ACLs", + "check", key.String(), + "accessorID", acl.AliasIfAnonymousToken(accessorID)) metrics.IncrCounter([]string{"acl", "blocked", "check", "registration"}, 1) return nil @@ -1522,7 +1530,9 @@ func (l *State) syncNodeInfo() error { // todo(fs): some backoff strategy might be a better solution l.nodeInfoInSync = true accessorID := l.aclAccessorID(at) - l.logger.Warn("Node info update blocked by ACLs", "node", l.config.NodeID, "accessorID", accessorID) + l.logger.Warn("Node info update blocked by ACLs", + "node", l.config.NodeID, + "accessorID", acl.AliasIfAnonymousToken(accessorID)) metrics.IncrCounter([]string{"acl", "blocked", "node", "registration"}, 1) return nil diff --git a/agent/structs/acl.go b/agent/structs/acl.go index f1b3a7d673..46bc46acf8 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go @@ -72,10 +72,6 @@ session_prefix "" { policy = "write" }` + EnterpriseACLPolicyGlobalManagement - // This is the policy ID for anonymous access. This is configurable by the - // user. - ACLTokenAnonymousID = "00000000-0000-0000-0000-000000000002" - ACLReservedPrefix = "00000000-0000-0000-0000-0000000000" ) diff --git a/command/acl/acl_helpers.go b/command/acl/acl_helpers.go index 928290f1cd..e9e33d6c6a 100644 --- a/command/acl/acl_helpers.go +++ b/command/acl/acl_helpers.go @@ -4,13 +4,14 @@ import ( "fmt" "strings" + "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/api" ) func GetTokenIDFromPartial(client *api.Client, partialID string) (string, error) { if partialID == "anonymous" { - return structs.ACLTokenAnonymousID, nil + return acl.AnonymousTokenID, nil } // the full UUID string was given