acl: remove Server.ResolveTokenIdentityAndDefaultMeta

This method had a name confusingly similar to a couple of other methods on Server, and had little
re-use (2 callers). By copying a few of the lines into one of the callers we can move the
implementation into the second caller.

Once moved, we can see that ResolveTokenAndDefaultMeta is identical in both Client and Server, and
likely should be further refactored, possibly into ACLResolver.

This change is being made to make ACL resolution easier to trace.
This commit is contained in:
Daniel Nephin 2021-07-30 18:05:33 -04:00
parent 6cf6e7c5fe
commit b837ba35a0
4 changed files with 15 additions and 14 deletions


@ -1244,6 +1244,10 @@ func (r *ACLResolver) ResolveTokenToIdentityAndAuthorizer(token string) (structs
return identity, acl.NewChainedAuthorizer(chain), nil return identity, acl.NewChainedAuthorizer(chain), nil
} }
// TODO: rename to AccessorIDFromToken. This method is only used to retrieve the
// ACLIdentity.ID, so we don't need to return a full ACLIdentity. We could
// return a much smaller type (instad of just a string) to allow for changes
// in the future.
func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) { func (r *ACLResolver) ResolveTokenToIdentity(token string) (structs.ACLIdentity, error) {
if !r.ACLsEnabled() { if !r.ACLsEnabled() {
return nil, nil return nil, nil
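Review bot: The TODO added above ResolveTokenToIdentity misspells "instead" as `instad`; the line should read `// return a much smaller type (instead of just a string) to allow for changes`. Since this comment is now the only documentation on an exported method, it would also help to open it with a sentence naming the method per Go doc convention, e.g. `// ResolveTokenToIdentity resolves a token to its ACLIdentity.`, and keep the TODO below it. The method body continues past the end of this hunk.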


@ -93,6 +93,7 @@ func (c *Client) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
return c.acls.ResolveTokenToIdentity(token) return c.acls.ResolveTokenToIdentity(token)
} }
// TODO: Server has an identical implementation, remove duplication
func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) { func (c *Client) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token) identity, authz, err := c.acls.ResolveTokenToIdentityAndAuthorizer(token)
if err != nil { if err != nil {


@ -235,12 +235,11 @@ func (s *Server) ResolveTokenToIdentity(token string) (structs.ACLIdentity, erro
return s.acls.ResolveTokenToIdentity(token) return s.acls.ResolveTokenToIdentity(token)
} }
// ResolveTokenIdentityAndDefaultMeta retrieves an identity and authorizer for the caller, // TODO: Client has an identical implementation, remove duplication
// and populates the EnterpriseMeta based on the AuthorizerContext. func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
func (s *Server) ResolveTokenIdentityAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (structs.ACLIdentity, acl.Authorizer, error) {
identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token) identity, authz, err := s.acls.ResolveTokenToIdentityAndAuthorizer(token)
if err != nil { if err != nil {
return nil, nil, err return nil, err
} }
// Default the EnterpriseMeta based on the Tokens meta or actual defaults // Default the EnterpriseMeta based on the Tokens meta or actual defaults
@ -254,12 +253,6 @@ func (s *Server) ResolveTokenIdentityAndDefaultMeta(token string, entMeta *struc
// Use the meta to fill in the ACL authorization context // Use the meta to fill in the ACL authorization context
entMeta.FillAuthzContext(authzContext) entMeta.FillAuthzContext(authzContext)
return identity, authz, err
}
// ResolveTokenAndDefaultMeta passes through to ResolveTokenIdentityAndDefaultMeta, eliding the identity from its response.
func (s *Server) ResolveTokenAndDefaultMeta(token string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
_, authz, err := s.ResolveTokenIdentityAndDefaultMeta(token, entMeta, authzContext)
return authz, err return authz, err
} }
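Review bot: The closing `return authz, err` in the inlined Server.ResolveTokenAndDefaultMeta returns an `err` that the check directly after ResolveTokenToIdentityAndAuthorizer has already proven nil, so `return authz, nil` states the actual outcome and stops a reader from hunting for a second error source between the two hunks. The move also dropped the doc comment that the removed ResolveTokenIdentityAndDefaultMeta carried; the surviving exported method should get one, e.g. `// ResolveTokenAndDefaultMeta resolves token to an authorizer and populates entMeta and authzContext from the token's identity or the defaults.`, placed above the TODO. The lines between the two hunks, where `identity` is consumed to default entMeta, are outside this view.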


@ -100,15 +100,18 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
} }
// Get the ACL token for the request for the checks below. // Get the ACL token for the request for the checks below.
var entMeta structs.EnterpriseMeta identity, authz, err := s.srv.acls.ResolveTokenToIdentityAndAuthorizer(args.Token)
ident, authz, err := s.srv.ResolveTokenIdentityAndDefaultMeta(args.Token, &entMeta, nil)
if err != nil { if err != nil {
return err return err
} }
var accessorID string var accessorID string
if ident != nil { var entMeta structs.EnterpriseMeta
accessorID = ident.ID() if identity != nil {
entMeta.Merge(identity.EnterpriseMetadata())
accessorID = identity.ID()
} else {
entMeta.Merge(structs.DefaultEnterpriseMetaInDefaultPartition())
} }
var ( var (