acl: remove EmbeddedPolicy
This method is no longer needed. It only existed for legacy tokens, which are no longer supported.
parent
121431bf17
commit
c77e5747b1
@ -100,10 +100,6 @@ func (id *missingIdentity) RoleIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
|
||||
return nil
|
||||
}
|
||||
@ -616,11 +612,6 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (
|
||||
)
|
||||
|
||||
if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 {
|
||||
policy := identity.EmbeddedPolicy()
|
||||
if policy != nil {
|
||||
return []*structs.ACLPolicy{policy}, nil
|
||||
}
|
||||
|
||||
// In this case the default policy will be all that is in effect.
|
||||
return nil, nil
|
||||
}
|
||||
|
@ -95,7 +95,6 @@ type ACLIdentity interface {
|
||||
SecretToken() string
|
||||
PolicyIDs() []string
|
||||
RoleIDs() []string
|
||||
EmbeddedPolicy() *ACLPolicy
|
||||
ServiceIdentityList() []*ACLServiceIdentity
|
||||
NodeIdentityList() []*ACLNodeIdentity
|
||||
IsExpired(asOf time.Time) bool
|
||||
@ -425,36 +424,6 @@ func (t *ACLToken) UsesNonLegacyFields() bool {
|
||||
t.AuthMethod != ""
|
||||
}
|
||||
|
||||
func (t *ACLToken) EmbeddedPolicy() *ACLPolicy {
|
||||
// DEPRECATED (ACL-Legacy-Compat)
|
||||
//
|
||||
// For legacy tokens with embedded rules this provides a way to map those
|
||||
// rules to an ACLPolicy. This function can just return nil once legacy
|
||||
// acl compatibility is no longer needed.
|
||||
//
|
||||
// Additionally for management tokens we must embed the policy rules
|
||||
// as well
|
||||
policy := &ACLPolicy{}
|
||||
if t.Type == ACLTokenTypeManagement {
|
||||
hasher := fnv.New128a()
|
||||
policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement)))
|
||||
policy.Name = "legacy-management"
|
||||
policy.Rules = ACLPolicyGlobalManagement
|
||||
policy.Syntax = acl.SyntaxCurrent
|
||||
} else if t.Rules != "" || t.Type == ACLTokenTypeClient {
|
||||
hasher := fnv.New128a()
|
||||
policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules)))
|
||||
policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID)
|
||||
policy.Rules = t.Rules
|
||||
policy.Syntax = acl.SyntaxLegacy
|
||||
} else {
|
||||
return nil
|
||||
}
|
||||
|
||||
policy.SetHash(true)
|
||||
return policy
|
||||
}
|
||||
|
||||
func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta {
|
||||
return &t.EnterpriseMeta
|
||||
}
|
||||
@ -1799,10 +1768,6 @@ func (id *AgentMasterTokenIdentity) RoleIDs() []string {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
|
||||
return nil
|
||||
}
|
||||
|
@ -44,56 +44,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestStructs_ACLToken_EmbeddedPolicy(t *testing.T) {
|
||||
|
||||
t.Run("No Rules", func(t *testing.T) {
|
||||
|
||||
token := &ACLToken{}
|
||||
require.Nil(t, token.EmbeddedPolicy())
|
||||
})
|
||||
|
||||
t.Run("Legacy Client", func(t *testing.T) {
|
||||
|
||||
// None of the other fields should be considered
|
||||
token := &ACLToken{
|
||||
Type: ACLTokenTypeClient,
|
||||
Rules: `acl = "read"`,
|
||||
}
|
||||
|
||||
policy := token.EmbeddedPolicy()
|
||||
require.NotNil(t, policy)
|
||||
require.NotEqual(t, "", policy.ID)
|
||||
require.True(t, strings.HasPrefix(policy.Name, "legacy-policy-"))
|
||||
require.Equal(t, token.Rules, policy.Rules)
|
||||
require.Equal(t, policy.Syntax, acl.SyntaxLegacy)
|
||||
require.NotNil(t, policy.Hash)
|
||||
require.NotEqual(t, []byte{}, policy.Hash)
|
||||
})
|
||||
|
||||
t.Run("Same Policy for Tokens with same Rules", func(t *testing.T) {
|
||||
|
||||
token1 := &ACLToken{
|
||||
AccessorID: "f55b260c-5e05-418e-ab19-d421d1ab4b52",
|
||||
SecretID: "b2165bac-7006-459b-8a72-7f549f0f06d6",
|
||||
Description: "token 1",
|
||||
Type: ACLTokenTypeClient,
|
||||
Rules: `acl = "read"`,
|
||||
}
|
||||
|
||||
token2 := &ACLToken{
|
||||
AccessorID: "09d1c059-961a-46bd-a2e4-76adebe35fa5",
|
||||
SecretID: "65e98e67-9b29-470c-8ffa-7c5a23cc67c8",
|
||||
Description: "token 2",
|
||||
Type: ACLTokenTypeClient,
|
||||
Rules: `acl = "read"`,
|
||||
}
|
||||
|
||||
policy1 := token1.EmbeddedPolicy()
|
||||
policy2 := token2.EmbeddedPolicy()
|
||||
require.Equal(t, policy1, policy2)
|
||||
})
|
||||
}
|
||||
|
||||
func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) {
|
||||
|
||||
cases := []struct {
|
||||
|