diff --git a/agent/config/default.go b/agent/config/default.go index b916b6a93e..bb8ad905c8 100644 --- a/agent/config/default.go +++ b/agent/config/default.go @@ -18,11 +18,6 @@ func DefaultSource() Source { serfLAN := cfg.SerfLANConfig.MemberlistConfig serfWAN := cfg.SerfWANConfig.MemberlistConfig - // DEPRECATED (ACL-Legacy-Compat) - when legacy ACL support is removed these defaults - // the acl_* config entries here should be transitioned to their counterparts in the - // acl stanza for now we need to be able to detect the new entries not being set (not - // just set to the defaults here) so that we can use the old entries. So the true - // default still needs to reside in the original config values return FileSource{ Name: "default", Format: "hcl", diff --git a/agent/consul/acl.go b/agent/consul/acl.go index a5c4010f12..659fe3d23e 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -100,10 +100,6 @@ func (id *missingIdentity) RoleIDs() []string { return nil } -func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy { - return nil -} - func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity { return nil } @@ -124,13 +120,6 @@ func (id *missingIdentity) EnterpriseMetadata() *structs.EnterpriseMeta { return structs.DefaultEnterpriseMetaInDefaultPartition() } -func minTTL(a time.Duration, b time.Duration) time.Duration { - if a < b { - return a - } - return b -} - type ACLRemoteError struct { Err error } @@ -149,7 +138,7 @@ func tokenSecretCacheID(token string) string { } type ACLResolverDelegate interface { - ACLDatacenter(legacy bool) string + ACLDatacenter() string ResolveIdentityFromToken(token string) (bool, structs.ACLIdentity, error) ResolvePolicyFromID(policyID string) (bool, *structs.ACLPolicy, error) ResolveRoleFromID(roleID string) (bool, *structs.ACLRole, error) @@ -365,7 +354,7 @@ func (r *ACLResolver) fetchAndCacheIdentityFromToken(token string, cached *struc cacheID := tokenSecretCacheID(token) req := structs.ACLTokenGetRequest{ - Datacenter: r.delegate.ACLDatacenter(false), + Datacenter: r.delegate.ACLDatacenter(), TokenID: token, TokenIDType: structs.ACLTokenSecret, QueryOptions: structs.QueryOptions{ @@ -453,7 +442,7 @@ func (r *ACLResolver) resolveIdentityFromToken(token string) (structs.ACLIdentit func (r *ACLResolver) fetchAndCachePoliciesForIdentity(identity structs.ACLIdentity, policyIDs []string, cached map[string]*structs.PolicyCacheEntry) (map[string]*structs.ACLPolicy, error) { req := structs.ACLPolicyBatchGetRequest{ - Datacenter: r.delegate.ACLDatacenter(false), + Datacenter: r.delegate.ACLDatacenter(), PolicyIDs: policyIDs, QueryOptions: structs.QueryOptions{ Token: identity.SecretToken(), @@ -508,7 +497,7 @@ func (r *ACLResolver) fetchAndCachePoliciesForIdentity(identity structs.ACLIdent func (r *ACLResolver) fetchAndCacheRolesForIdentity(identity structs.ACLIdentity, roleIDs []string, cached map[string]*structs.RoleCacheEntry) (map[string]*structs.ACLRole, error) { req := structs.ACLRoleBatchGetRequest{ - Datacenter: r.delegate.ACLDatacenter(false), + Datacenter: r.delegate.ACLDatacenter(), RoleIDs: roleIDs, QueryOptions: structs.QueryOptions{ Token: identity.SecretToken(), @@ -616,11 +605,6 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) ( ) if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 { - policy := identity.EmbeddedPolicy() - if policy != nil { - return []*structs.ACLPolicy{policy}, nil - } - // In this case the default policy will be all that is in effect. return nil, nil } diff --git a/agent/consul/acl_client.go b/agent/consul/acl_client.go index c5666cb483..5ace9ce616 100644 --- a/agent/consul/acl_client.go +++ b/agent/consul/acl_client.go @@ -23,17 +23,9 @@ var clientACLCacheConfig *structs.ACLCachesConfig = &structs.ACLCachesConfig{ Roles: 128, } -func (c *Client) ACLDatacenter(legacy bool) string { - // For resolution running on clients, when not in - // legacy mode the servers within the current datacenter - // must be queried first to pick up local tokens. When - // in legacy mode the clients should directly query the - // ACL Datacenter. When no ACL datacenter has been set - // then we assume that the local DC is the ACL DC - if legacy && c.config.PrimaryDatacenter != "" { - return c.config.PrimaryDatacenter - } - +func (c *Client) ACLDatacenter() string { + // For resolution running on clients, servers within the current datacenter + // must be queried first to pick up local tokens. return c.config.Datacenter } diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index c9bbeaabc5..3579e245b8 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -235,10 +235,8 @@ func (a *ACL) BootstrapTokens(args *structs.DCSpecificRequest, reply *structs.AC ID: structs.ACLPolicyGlobalManagementID, }, }, - CreateTime: time.Now(), - Local: false, - // DEPRECATED (ACL-Legacy-Compat) - This is used so that the bootstrap token is still visible via the v1 acl APIs - Type: structs.ACLTokenTypeManagement, + CreateTime: time.Now(), + Local: false, EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), }, ResetIndex: specifiedIndex, diff --git a/agent/consul/acl_endpoint_test.go b/agent/consul/acl_endpoint_test.go index a7e24dc21a..bfe8a02200 100644 --- a/agent/consul/acl_endpoint_test.go +++ b/agent/consul/acl_endpoint_test.go @@ -48,7 +48,6 @@ func TestACLEndpoint_BootstrapTokens(t *testing.T) { require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.BootstrapTokens", &arg, &out)) require.Equal(t, 36, len(out.AccessorID)) require.True(t, strings.HasPrefix(out.Description, "Bootstrap Token")) - require.Equal(t, out.Type, structs.ACLTokenTypeManagement) require.True(t, out.CreateIndex > 0) require.Equal(t, out.CreateIndex, out.ModifyIndex) @@ -69,7 +68,6 @@ func TestACLEndpoint_BootstrapTokens(t *testing.T) { require.Equal(t, 36, len(out.AccessorID)) require.NotEqual(t, oldID, out.AccessorID) require.True(t, strings.HasPrefix(out.Description, "Bootstrap Token")) - require.Equal(t, out.Type, structs.ACLTokenTypeManagement) require.True(t, out.CreateIndex > 0) require.Equal(t, out.CreateIndex, out.ModifyIndex) } diff --git a/agent/consul/acl_server.go b/agent/consul/acl_server.go index ecb6019aa2..33372bae8f 100644 --- a/agent/consul/acl_server.go +++ b/agent/consul/acl_server.go @@ -100,7 +100,7 @@ func (s *Server) LocalTokensEnabled() bool { return true } -func (s *Server) ACLDatacenter(legacy bool) string { +func (s *Server) ACLDatacenter() string { // For resolution running on servers the only option // is to contact the configured ACL Datacenter if s.config.PrimaryDatacenter != "" { diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index c1f4816b47..9ebf93bc27 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go @@ -613,7 +613,7 @@ func (d *ACLResolverTestDelegate) plainRoleResolveFn(args *structs.ACLRoleBatchG return nil } -func (d *ACLResolverTestDelegate) ACLDatacenter(legacy bool) string { +func (d *ACLResolverTestDelegate) ACLDatacenter() string { return d.datacenter } @@ -2112,38 +2112,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega require.Equal(t, acl.Allow, authz.NodeWrite("foo", nil)) }) - runTwiceAndReset("legacy-management", func(t *testing.T) { - delegate.UseTestLocalData([]interface{}{ - &structs.ACLToken{ - AccessorID: "d109a033-99d1-47e2-a711-d6593373a973", - SecretID: "legacy-management", - Type: structs.ACLTokenTypeManagement, - }, - }) - authz, err := r.ResolveToken("legacy-management") - require.NotNil(t, authz) - require.NoError(t, err) - require.Equal(t, acl.Allow, authz.ACLWrite(nil)) - require.Equal(t, acl.Allow, authz.KeyRead("foo", nil)) - }) - - runTwiceAndReset("legacy-client", func(t *testing.T) { - delegate.UseTestLocalData([]interface{}{ - &structs.ACLToken{ - AccessorID: "b7375838-b104-4a25-b457-329d939bf257", - SecretID: "legacy-client", - Type: structs.ACLTokenTypeClient, - Rules: `service "" { policy = "read" }`, - }, - }) - authz, err := r.ResolveToken("legacy-client") - require.NoError(t, err) - require.NotNil(t, authz) - require.Equal(t, acl.Deny, authz.MeshRead(nil)) - require.Equal(t, acl.Deny, authz.OperatorRead(nil)) - require.Equal(t, acl.Allow, authz.ServiceRead("foo", nil)) - }) - runTwiceAndReset("service and intention wildcard write", func(t *testing.T) { delegate.UseTestLocalData([]interface{}{ &structs.ACLToken{ diff --git a/agent/consul/fsm/snapshot_oss_test.go b/agent/consul/fsm/snapshot_oss_test.go index c4a7b3faa8..996cf2fd23 100644 --- a/agent/consul/fsm/snapshot_oss_test.go +++ b/agent/consul/fsm/snapshot_oss_test.go @@ -111,8 +111,7 @@ func TestFSM_SnapshotRestore_OSS(t *testing.T) { }, CreateTime: time.Now(), Local: false, - // DEPRECATED (ACL-Legacy-Compat) - This is used so that the bootstrap token is still visible via the v1 acl APIs - Type: structs.ACLTokenTypeManagement, + Type: "management", } require.NoError(t, fsm.state.ACLBootstrap(10, 0, token)) diff --git a/agent/consul/leader.go b/agent/consul/leader.go index e548414674..3c1633290b 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -452,11 +452,8 @@ func (s *Server) initializeACLs(ctx context.Context) error { ID: structs.ACLPolicyGlobalManagementID, }, }, - CreateTime: time.Now(), - Local: false, - - // DEPRECATED (ACL-Legacy-Compat) - only needed for compatibility - Type: structs.ACLTokenTypeManagement, + CreateTime: time.Now(), + Local: false, EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), } @@ -501,35 +498,24 @@ func (s *Server) initializeACLs(ctx context.Context) error { } // Ignoring expiration times to avoid an insertion collision. if token == nil { - // DEPRECATED (ACL-Legacy-Compat) - Don't need to query for previous "anonymous" token - // check for legacy token that needs an upgrade - _, legacyToken, err := state.ACLTokenGetBySecret(nil, anonymousToken, nil) + token = &structs.ACLToken{ + AccessorID: structs.ACLTokenAnonymousID, + SecretID: anonymousToken, + Description: "Anonymous Token", + CreateTime: time.Now(), + EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), + } + token.SetHash(true) + + req := structs.ACLTokenBatchSetRequest{ + Tokens: structs.ACLTokens{token}, + CAS: false, + } + _, err := s.raftApply(structs.ACLTokenSetRequestType, &req) if err != nil { - return fmt.Errorf("failed to get anonymous token: %v", err) - } - // Ignoring expiration times to avoid an insertion collision. - - // the token upgrade routine will take care of upgrading the token if a legacy version exists - if legacyToken == nil { - token = &structs.ACLToken{ - AccessorID: structs.ACLTokenAnonymousID, - SecretID: anonymousToken, - Description: "Anonymous Token", - CreateTime: time.Now(), - EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), - } - token.SetHash(true) - - req := structs.ACLTokenBatchSetRequest{ - Tokens: structs.ACLTokens{token}, - CAS: false, - } - _, err := s.raftApply(structs.ACLTokenSetRequestType, &req) - if err != nil { - return fmt.Errorf("failed to create anonymous token: %v", err) - } - s.logger.Info("Created ACL anonymous token from configuration") + return fmt.Errorf("failed to create anonymous token: %v", err) } + s.logger.Info("Created ACL anonymous token from configuration") } // launch the upgrade go routine to generate accessors for everything s.startACLUpgrade(ctx) @@ -599,7 +585,7 @@ func (s *Server) legacyACLTokenUpgrade(ctx context.Context) error { len(newToken.ServiceIdentities) == 0 && len(newToken.NodeIdentities) == 0 && len(newToken.Roles) == 0 && - newToken.Type == structs.ACLTokenTypeManagement { + newToken.Type == "management" { newToken.Policies = append(newToken.Policies, structs.ACLTokenPolicyLink{ID: structs.ACLPolicyGlobalManagementID}) } diff --git a/agent/consul/state/acl.go b/agent/consul/state/acl.go index 7fe8c089f9..9b84c6c16d 100644 --- a/agent/consul/state/acl.go +++ b/agent/consul/state/acl.go @@ -411,18 +411,10 @@ func fixupRolePolicyLinks(tx ReadTxn, original *structs.ACLRole) (*structs.ACLRo return role, nil } -// ACLTokenSet is used to insert an ACL rule into the state store. -// Deprecated (ACL-Legacy-Compat) -func (s *Store) ACLTokenSet(idx uint64, token *structs.ACLToken, legacy bool) error { - tx := s.db.WriteTxn(idx) - defer tx.Abort() - - // Call set on the ACL - if err := aclTokenSetTxn(tx, idx, token, ACLTokenSetOptions{Legacy: legacy}); err != nil { - return err - } - - return tx.Commit() +// ACLTokenSet is used in many tests to set a single ACL token. It is now a shim +// for calling ACLTokenBatchSet with default options. +func (s *Store) ACLTokenSet(idx uint64, token *structs.ACLToken) error { + return s.ACLTokenBatchSet(idx, structs.ACLTokens{token}, ACLTokenSetOptions{}) } type ACLTokenSetOptions struct { @@ -506,11 +498,7 @@ func aclTokenSetTxn(tx WriteTxn, idx uint64, token *structs.ACLToken, opts ACLTo } if opts.Legacy && original != nil { - if original.UsesNonLegacyFields() { - return fmt.Errorf("failed inserting acl token: cannot use legacy endpoint to modify a non-legacy token") - } - - token.AccessorID = original.AccessorID + return fmt.Errorf("legacy tokens can not be modified") } if err := aclTokenUpsertValidateEnterprise(tx, token, original); err != nil { diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go index a58da3e6c2..c86527cd1d 100644 --- a/agent/consul/state/acl_test.go +++ b/agent/consul/state/acl_test.go @@ -46,7 +46,7 @@ func setupAnonymous(t *testing.T, s *Store) { Description: "Anonymous Token", } token.SetHash(true) - require.NoError(t, s.ACLTokenSet(1, &token, false)) + require.NoError(t, s.ACLTokenSet(1, &token)) } func testACLStateStore(t *testing.T) *Store { @@ -171,8 +171,6 @@ func TestStateStore_ACLBootstrap(t *testing.T) { }, CreateTime: time.Now(), Local: false, - // DEPRECATED (ACL-Legacy-Compat) - This is used so that the bootstrap token is still visible via the v1 acl APIs - Type: structs.ACLTokenTypeManagement, } token2 := &structs.ACLToken{ @@ -186,8 +184,6 @@ func TestStateStore_ACLBootstrap(t *testing.T) { }, CreateTime: time.Now(), Local: false, - // DEPRECATED (ACL-Legacy-Compat) - This is used so that the bootstrap token is still visible via the v1 acl APIs - Type: structs.ACLTokenTypeManagement, } s := testStateStore(t) @@ -238,103 +234,6 @@ func TestStateStore_ACLBootstrap(t *testing.T) { require.Len(t, tokens, 2) } -func TestStateStore_ACLToken_SetGet_Legacy(t *testing.T) { - t.Parallel() - t.Run("Legacy - Existing With Policies", func(t *testing.T) { - t.Parallel() - s := testACLTokensStateStore(t) - - token := &structs.ACLToken{ - AccessorID: "c8d0378c-566a-4535-8fc9-c883a8cc9849", - SecretID: "6d48ce91-2558-4098-bdab-8737e4e57d5f", - Policies: []structs.ACLTokenPolicyLink{ - { - ID: testPolicyID_A, - }, - }, - } - - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) - - // legacy flag is set so it should disallow setting this token - err := s.ACLTokenSet(3, token.Clone(), true) - require.Error(t, err) - }) - - t.Run("Legacy - Empty Type", func(t *testing.T) { - t.Parallel() - s := testACLTokensStateStore(t) - token := &structs.ACLToken{ - AccessorID: "271cd056-0038-4fd3-90e5-f97f50fb3ac8", - SecretID: "c0056225-5785-43b3-9b77-3954f06d6aee", - } - - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) - - // legacy flag is set so it should disallow setting this token - err := s.ACLTokenSet(3, token.Clone(), true) - require.Error(t, err) - }) - - t.Run("Legacy - New", func(t *testing.T) { - t.Parallel() - s := testACLTokensStateStore(t) - token := &structs.ACLToken{ - SecretID: "2989e271-6169-4f34-8fec-4618d70008fb", - Type: structs.ACLTokenTypeClient, - Rules: `service "" { policy = "read" }`, - } - - require.NoError(t, s.ACLTokenSet(2, token.Clone(), true)) - - idx, rtoken, err := s.ACLTokenGetBySecret(nil, token.SecretID, nil) - require.NoError(t, err) - require.Equal(t, uint64(2), idx) - require.NotNil(t, rtoken) - require.Equal(t, "", rtoken.AccessorID) - require.Equal(t, "2989e271-6169-4f34-8fec-4618d70008fb", rtoken.SecretID) - require.Equal(t, "", rtoken.Description) - require.Len(t, rtoken.Policies, 0) - require.Equal(t, structs.ACLTokenTypeClient, rtoken.Type) - require.Equal(t, uint64(2), rtoken.CreateIndex) - require.Equal(t, uint64(2), rtoken.ModifyIndex) - }) - - t.Run("Legacy - Update", func(t *testing.T) { - t.Parallel() - s := testACLTokensStateStore(t) - original := &structs.ACLToken{ - SecretID: "2989e271-6169-4f34-8fec-4618d70008fb", - Type: structs.ACLTokenTypeClient, - Rules: `service "" { policy = "read" }`, - } - - require.NoError(t, s.ACLTokenSet(2, original.Clone(), true)) - - updatedRules := `service "" { policy = "read" } service "foo" { policy = "deny"}` - update := &structs.ACLToken{ - SecretID: "2989e271-6169-4f34-8fec-4618d70008fb", - Type: structs.ACLTokenTypeClient, - Rules: updatedRules, - } - - require.NoError(t, s.ACLTokenSet(3, update.Clone(), true)) - - idx, rtoken, err := s.ACLTokenGetBySecret(nil, original.SecretID, nil) - require.NoError(t, err) - require.Equal(t, uint64(3), idx) - require.NotNil(t, rtoken) - require.Equal(t, "", rtoken.AccessorID) - require.Equal(t, "2989e271-6169-4f34-8fec-4618d70008fb", rtoken.SecretID) - require.Equal(t, "", rtoken.Description) - require.Len(t, rtoken.Policies, 0) - require.Equal(t, structs.ACLTokenTypeClient, rtoken.Type) - require.Equal(t, updatedRules, rtoken.Rules) - require.Equal(t, uint64(2), rtoken.CreateIndex) - require.Equal(t, uint64(3), rtoken.ModifyIndex) - }) -} - func TestStateStore_ACLToken_SetGet(t *testing.T) { t.Parallel() t.Run("Missing Secret", func(t *testing.T) { @@ -344,7 +243,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { AccessorID: "39171632-6f34-4411-827f-9416403687f4", } - err := s.ACLTokenSet(2, token.Clone(), false) + err := s.ACLTokenSet(2, token.Clone()) require.Error(t, err) require.Equal(t, ErrMissingACLTokenSecret, err) }) @@ -356,7 +255,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { SecretID: "39171632-6f34-4411-827f-9416403687f4", } - err := s.ACLTokenSet(2, token.Clone(), false) + err := s.ACLTokenSet(2, token.Clone()) require.Error(t, err) require.Equal(t, ErrMissingACLTokenAccessor, err) }) @@ -372,7 +271,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token, false) + err := s.ACLTokenSet(2, token) require.Error(t, err) }) @@ -389,7 +288,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token, false) + err := s.ACLTokenSet(2, token) require.Error(t, err) }) @@ -406,7 +305,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token.Clone(), false) + err := s.ACLTokenSet(2, token.Clone()) require.Error(t, err) }) @@ -423,7 +322,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token, false) + err := s.ACLTokenSet(2, token) require.Error(t, err) }) @@ -440,7 +339,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token.Clone(), false) + err := s.ACLTokenSet(2, token.Clone()) require.Error(t, err) }) @@ -457,7 +356,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - err := s.ACLTokenSet(2, token, false) + err := s.ACLTokenSet(2, token) require.Error(t, err) }) @@ -470,7 +369,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { AuthMethod: "test", } - err := s.ACLTokenSet(2, token, false) + err := s.ACLTokenSet(2, token) require.Error(t, err) }) @@ -497,7 +396,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) + require.NoError(t, s.ACLTokenSet(2, token.Clone())) idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil) require.NoError(t, err) @@ -532,7 +431,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) + require.NoError(t, s.ACLTokenSet(2, token.Clone())) updated := &structs.ACLToken{ AccessorID: "daf37c07-d04d-4fd5-9678-a8206a57d61a", @@ -554,7 +453,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(3, updated.Clone(), false)) + require.NoError(t, s.ACLTokenSet(3, updated.Clone())) idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil) require.NoError(t, err) @@ -588,7 +487,7 @@ func TestStateStore_ACLToken_SetGet(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) + require.NoError(t, s.ACLTokenSet(2, token.Clone())) idx, rtoken, err := s.ACLTokenGetByAccessor(nil, "daf37c07-d04d-4fd5-9678-a8206a57d61a", nil) require.NoError(t, err) @@ -873,30 +772,44 @@ func TestStateStore_ACLTokens_ListUpgradeable(t *testing.T) { t.Parallel() s := testACLTokensStateStore(t) - require.NoError(t, s.ACLTokenSet(2, &structs.ACLToken{ + aclTokenSetLegacy := func(idx uint64, token *structs.ACLToken) error { + tx := s.db.WriteTxn(idx) + defer tx.Abort() + + opts := ACLTokenSetOptions{Legacy: true} + if err := aclTokenSetTxn(tx, idx, token, opts); err != nil { + return err + } + + return tx.Commit() + } + + const ACLTokenTypeManagement = "management" + + require.NoError(t, aclTokenSetLegacy(2, &structs.ACLToken{ SecretID: "34ec8eb3-095d-417a-a937-b439af7a8e8b", - Type: structs.ACLTokenTypeManagement, - }, true)) + Type: ACLTokenTypeManagement, + })) - require.NoError(t, s.ACLTokenSet(3, &structs.ACLToken{ + require.NoError(t, aclTokenSetLegacy(3, &structs.ACLToken{ SecretID: "8de2dd39-134d-4cb1-950b-b7ab96ea20ba", - Type: structs.ACLTokenTypeManagement, - }, true)) + Type: ACLTokenTypeManagement, + })) - require.NoError(t, s.ACLTokenSet(4, &structs.ACLToken{ + require.NoError(t, aclTokenSetLegacy(4, &structs.ACLToken{ SecretID: "548bdb8e-c0d6-477b-bcc4-67fb836e9e61", - Type: structs.ACLTokenTypeManagement, - }, true)) + Type: ACLTokenTypeManagement, + })) - require.NoError(t, s.ACLTokenSet(5, &structs.ACLToken{ + require.NoError(t, aclTokenSetLegacy(5, &structs.ACLToken{ SecretID: "3ee33676-d9b8-4144-bf0b-92618cff438b", - Type: structs.ACLTokenTypeManagement, - }, true)) + Type: ACLTokenTypeManagement, + })) - require.NoError(t, s.ACLTokenSet(6, &structs.ACLToken{ + require.NoError(t, aclTokenSetLegacy(6, &structs.ACLToken{ SecretID: "fa9d658a-6e26-42ab-a5f0-1ea05c893dee", - Type: structs.ACLTokenTypeManagement, - }, true)) + Type: ACLTokenTypeManagement, + })) tokens, _, err := s.ACLTokenListUpgradeable(3) require.NoError(t, err) @@ -1246,7 +1159,7 @@ func TestStateStore_ACLToken_FixupPolicyLinks(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(2, token, false)) + require.NoError(t, s.ACLTokenSet(2, token)) _, retrieved, err := s.ACLTokenGetByAccessor(nil, token.AccessorID, nil) require.NoError(t, err) @@ -1372,7 +1285,7 @@ func TestStateStore_ACLToken_FixupRoleLinks(t *testing.T) { }, } - require.NoError(t, s.ACLTokenSet(2, token, false)) + require.NoError(t, s.ACLTokenSet(2, token)) _, retrieved, err := s.ACLTokenGetByAccessor(nil, token.AccessorID, nil) require.NoError(t, err) @@ -1498,7 +1411,7 @@ func TestStateStore_ACLToken_Delete(t *testing.T) { Local: true, } - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) + require.NoError(t, s.ACLTokenSet(2, token.Clone())) _, rtoken, err := s.ACLTokenGetByAccessor(nil, "f1093997-b6c7-496d-bfb8-6b1b1895641b", nil) require.NoError(t, err) diff --git a/agent/consul/state/store_integration_test.go b/agent/consul/state/store_integration_test.go index dc6cee8690..60574cb16d 100644 --- a/agent/consul/state/store_integration_test.go +++ b/agent/consul/state/store_integration_test.go @@ -52,7 +52,7 @@ func TestStore_IntegrationWithEventPublisher_ACLTokenUpdate(t *testing.T) { SecretID: "72e81982-7a0f-491f-a60e-c9c802ac1402", } token2.SetHash(false) - require.NoError(s.ACLTokenSet(3, token2.Clone(), false)) + require.NoError(s.ACLTokenSet(3, token2.Clone())) // Ensure there's no reset event. assertNoEvent(t, eventCh) @@ -64,7 +64,7 @@ func TestStore_IntegrationWithEventPublisher_ACLTokenUpdate(t *testing.T) { Description: "something else", } token3.SetHash(false) - require.NoError(s.ACLTokenSet(4, token3.Clone(), false)) + require.NoError(s.ACLTokenSet(4, token3.Clone())) // Ensure the reset event was sent. err = assertErr(t, eventCh) @@ -484,7 +484,7 @@ func createTokenAndWaitForACLEventPublish(t *testing.T, s *Store) *structs.ACLTo eventCh := testRunSub(sub) // Create the ACL token to be used in the subscription. - require.NoError(t, s.ACLTokenSet(2, token.Clone(), false)) + require.NoError(t, s.ACLTokenSet(2, token.Clone())) // Wait for the pre-subscription to be reset assertReset(t, eventCh, true) diff --git a/agent/rpc/subscribe/subscribe_test.go b/agent/rpc/subscribe/subscribe_test.go index d367a3ddbe..531d8ec820 100644 --- a/agent/rpc/subscribe/subscribe_test.go +++ b/agent/rpc/subscribe/subscribe_test.go @@ -857,7 +857,7 @@ node "node1" { SecretID: token, Rules: "", } - require.NoError(t, backend.store.ACLTokenSet(ids.Next("update"), aclToken, false)) + require.NoError(t, backend.store.ACLTokenSet(ids.Next("update"), aclToken)) select { case item := <-chEvents: diff --git a/agent/structs/acl.go b/agent/structs/acl.go index f4b944dafa..8f5e23c028 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go @@ -95,7 +95,6 @@ type ACLIdentity interface { SecretToken() string PolicyIDs() []string RoleIDs() []string - EmbeddedPolicy() *ACLPolicy ServiceIdentityList() []*ACLServiceIdentity NodeIdentityList() []*ACLNodeIdentity IsExpired(asOf time.Time) bool @@ -413,48 +412,6 @@ func (t *ACLToken) HasExpirationTime() bool { return t.ExpirationTime != nil && !t.ExpirationTime.IsZero() } -// TODO(ACL-Legacy-Compat): remove -func (t *ACLToken) UsesNonLegacyFields() bool { - return len(t.Policies) > 0 || - len(t.ServiceIdentities) > 0 || - len(t.NodeIdentities) > 0 || - len(t.Roles) > 0 || - t.Type == "" || - t.HasExpirationTime() || - t.ExpirationTTL != 0 || - t.AuthMethod != "" -} - -func (t *ACLToken) EmbeddedPolicy() *ACLPolicy { - // DEPRECATED (ACL-Legacy-Compat) - // - // For legacy tokens with embedded rules this provides a way to map those - // rules to an ACLPolicy. This function can just return nil once legacy - // acl compatibility is no longer needed. - // - // Additionally for management tokens we must embed the policy rules - // as well - policy := &ACLPolicy{} - if t.Type == ACLTokenTypeManagement { - hasher := fnv.New128a() - policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement))) - policy.Name = "legacy-management" - policy.Rules = ACLPolicyGlobalManagement - policy.Syntax = acl.SyntaxCurrent - } else if t.Rules != "" || t.Type == ACLTokenTypeClient { - hasher := fnv.New128a() - policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules))) - policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID) - policy.Rules = t.Rules - policy.Syntax = acl.SyntaxLegacy - } else { - return nil - } - - policy.SetHash(true) - return policy -} - func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta { return &t.EnterpriseMeta } @@ -1799,10 +1756,6 @@ func (id *AgentMasterTokenIdentity) RoleIDs() []string { return nil } -func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy { - return nil -} - func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { return nil } diff --git a/agent/structs/acl_legacy.go b/agent/structs/acl_legacy.go deleted file mode 100644 index bc3e4bc1d8..0000000000 --- a/agent/structs/acl_legacy.go +++ /dev/null @@ -1,16 +0,0 @@ -// DEPRECATED (ACL-Legacy-Compat) -// -// Everything within this file is deprecated and related to the original ACL -// implementation. Once support for v1 ACLs are removed this whole file can -// be deleted. - -package structs - -const ( - // ACLTokenTypeClient tokens have rules applied - ACLTokenTypeClient = "client" - - // ACLTokenTypeManagement tokens have an always allow policy, so they can - // make other tokens and can access all resources. - ACLTokenTypeManagement = "management" -) diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go index 64f59661e6..39fb5aefc0 100644 --- a/agent/structs/acl_test.go +++ b/agent/structs/acl_test.go @@ -44,56 +44,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) { }) } -func TestStructs_ACLToken_EmbeddedPolicy(t *testing.T) { - - t.Run("No Rules", func(t *testing.T) { - - token := &ACLToken{} - require.Nil(t, token.EmbeddedPolicy()) - }) - - t.Run("Legacy Client", func(t *testing.T) { - - // None of the other fields should be considered - token := &ACLToken{ - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - policy := token.EmbeddedPolicy() - require.NotNil(t, policy) - require.NotEqual(t, "", policy.ID) - require.True(t, strings.HasPrefix(policy.Name, "legacy-policy-")) - require.Equal(t, token.Rules, policy.Rules) - require.Equal(t, policy.Syntax, acl.SyntaxLegacy) - require.NotNil(t, policy.Hash) - require.NotEqual(t, []byte{}, policy.Hash) - }) - - t.Run("Same Policy for Tokens with same Rules", func(t *testing.T) { - - token1 := &ACLToken{ - AccessorID: "f55b260c-5e05-418e-ab19-d421d1ab4b52", - SecretID: "b2165bac-7006-459b-8a72-7f549f0f06d6", - Description: "token 1", - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - token2 := &ACLToken{ - AccessorID: "09d1c059-961a-46bd-a2e4-76adebe35fa5", - SecretID: "65e98e67-9b29-470c-8ffa-7c5a23cc67c8", - Description: "token 2", - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - policy1 := token1.EmbeddedPolicy() - policy2 := token2.EmbeddedPolicy() - require.Equal(t, policy1, policy2) - }) -} - func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) { cases := []struct { @@ -205,7 +155,6 @@ func TestStructs_ACLToken_EstimateSize(t *testing.T) { } func TestStructs_ACLToken_Stub(t *testing.T) { - t.Run("Basic", func(t *testing.T) { token := ACLToken{ @@ -238,28 +187,6 @@ func TestStructs_ACLToken_Stub(t *testing.T) { require.Equal(t, token.ModifyIndex, stub.ModifyIndex) require.False(t, stub.Legacy) }) - - t.Run("Legacy", func(t *testing.T) { - token := ACLToken{ - AccessorID: "09d1c059-961a-46bd-a2e4-76adebe35fa5", - SecretID: "65e98e67-9b29-470c-8ffa-7c5a23cc67c8", - Description: "test", - Type: ACLTokenTypeClient, - Rules: `key "" { policy = "read" }`, - } - - stub := token.Stub() - require.Equal(t, token.AccessorID, stub.AccessorID) - require.Equal(t, token.SecretID, stub.SecretID) - require.Equal(t, token.Description, stub.Description) - require.Equal(t, token.Policies, stub.Policies) - require.Equal(t, token.Local, stub.Local) - require.Equal(t, token.CreateTime, stub.CreateTime) - require.Equal(t, token.Hash, stub.Hash) - require.Equal(t, token.CreateIndex, stub.CreateIndex) - require.Equal(t, token.ModifyIndex, stub.ModifyIndex) - require.True(t, stub.Legacy) - }) } func TestStructs_ACLTokens_Sort(t *testing.T) {