diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index a21550acdb..0a03157230 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -1249,13 +1249,27 @@ func (a *ACL) PolicyResolve(args *structs.ACLPolicyBatchGetRequest, reply *struc
 		return err
 	}
 
+	entIdentity, entPolicies, err := a.srv.acls.resolveEnterpriseIdentityAndPolicies(identity)
+	if err != nil {
+		return err
+	}
+
 	idMap := make(map[string]*structs.ACLPolicy)
 	for _, policyID := range identity.PolicyIDs() {
 		idMap[policyID] = nil
 	}
+	if entIdentity != nil {
+		for _, policyID := range entIdentity.PolicyIDs() {
+			idMap[policyID] = nil
+		}
+	}
+
 	for _, policy := range policies {
 		idMap[policy.ID] = policy
 	}
+	for _, policy := range entPolicies {
+		idMap[policy.ID] = policy
+	}
 
 	for _, policyID := range args.PolicyIDs {
 		if policy, ok := idMap[policyID]; ok {
@@ -1679,13 +1693,27 @@ func (a *ACL) RoleResolve(args *structs.ACLRoleBatchGetRequest, reply *structs.A
 		return err
 	}
 
+	entIdentity, entRoles, err := a.srv.acls.resolveEnterpriseIdentityAndRoles(identity)
+	if err != nil {
+		return err
+	}
+
 	idMap := make(map[string]*structs.ACLRole)
 	for _, roleID := range identity.RoleIDs() {
 		idMap[roleID] = nil
 	}
+	if entIdentity != nil {
+		for _, roleID := range entIdentity.RoleIDs() {
+			idMap[roleID] = nil
+		}
+	}
+
 	for _, role := range roles {
 		idMap[role.ID] = role
 	}
+	for _, role := range entRoles {
+		idMap[role.ID] = role
+	}
 
 	for _, roleID := range args.RoleIDs {
 		if role, ok := idMap[roleID]; ok {
diff --git a/agent/consul/acl_oss.go b/agent/consul/acl_oss.go
index 3945a41d3e..591c596e11 100644
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
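Review bot: The `for _, policy := range entPolicies { idMap[policy.ID] = policy }` loop in PolicyResolve inserts every returned policy into idMap unconditionally, so the nil pre-seeding from identity.PolicyIDs() and entIdentity.PolicyIDs() does not act as an allow-list: whatever resolveEnterpriseIdentityAndPolicies returns becomes resolvable through args.PolicyIDs, and the endpoint's "only policies linked to this token" property now rests entirely on that resolver's contract, which lives outside this hunk. The existing `policies` loop has the same shape, but the enterprise path is new and harder to audit from OSS, so guarding the insert with `if _, linked := idMap[policy.ID]; linked { idMap[policy.ID] = policy }` would keep the linkage check in one place. RoleResolve in the second hunk has the identical pattern with entRoles and would take the same guard. Both PolicyResolve and RoleResolve start and end outside their hunks, so the handling of nil entries in idMap after the args loop is not visible here.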
@@ -24,3 +24,15 @@ func newACLConfig(hclog.Logger) *acl.Config {
 func (r *ACLResolver) resolveEnterpriseDefaultsForIdentity(identity structs.ACLIdentity) (acl.Authorizer, error) {
 	return nil, nil
 }
+
+// resolveEnterpriseIdentityAndRoles will resolve an enterprise identity to an additional set of roles
+func (_ *ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLRoles, error) {
+	// this function does nothing in OSS
+	return nil, nil, nil
+}
+
+// resolveEnterpriseIdentityAndPolicies will resolve an enterprise identity to an additional set of policies
+func (_ *ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLPolicies, error) {
+	// this function does nothing in OSS
+	return nil, nil, nil
+}
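Review bot: The doc comments on the two new OSS stubs describe what the enterprise build does, not what these functions return, which is the part a caller in OSS needs: that the returned identity is nil and must be nil-checked before its PolicyIDs()/RoleIDs() are used, and that the returned collection is nil and safe to range over. I would extend each comment along the lines of `// In OSS there is no enterprise identity, so this always returns (nil, nil, nil); callers must nil-check the identity.` As a point of style, the blank-identifier receiver and parameter (`func (_ *ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity)`) is unusual in Go — unused names are normally omitted, `func (*ACLResolver) resolveEnterpriseIdentityAndRoles(structs.ACLIdentity)` — and it is inconsistent with the adjacent resolveEnterpriseDefaultsForIdentity, which keeps `r` and `identity` even though it also ignores them.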