From d5a3ba6cda11598138a1aae2ae0e581169169073 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Wed, 23 Jan 2019 15:48:38 -0500
Subject: [PATCH] Disregard rules when set on a management token (#5261)

* Disregard rules when set on a management token
* Add unit test for legacy mgmt token with rules
---
 agent/structs/acl.go | 14 +++++++-------
 agent/structs/acl_test.go | 20 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 76f0e69154..05d536eac5 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -190,18 +190,18 @@ func (t *ACLToken) EmbeddedPolicy() *ACLPolicy {
 // Additionally for management tokens we must embed the policy rules
 // as well
 policy := &ACLPolicy{}
- if t.Rules != "" || t.Type == ACLTokenTypeClient {
- hasher := fnv.New128a()
- policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules)))
- policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID)
- policy.Rules = t.Rules
- policy.Syntax = acl.SyntaxLegacy
- } else if t.Type == ACLTokenTypeManagement {
+ if t.Type == ACLTokenTypeManagement {
 hasher := fnv.New128a()
 policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement)))
 policy.Name = "legacy-management"
 policy.Rules = ACLPolicyGlobalManagement
 policy.Syntax = acl.SyntaxCurrent
+ } else if t.Rules != "" || t.Type == ACLTokenTypeClient {
+ hasher := fnv.New128a()
+ policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules)))
+ policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID)
+ policy.Rules = t.Rules
+ policy.Syntax = acl.SyntaxLegacy
 } else {
 return nil
 }
diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go
index 6a5db4b051..fba38545bf 100644
--- a/agent/structs/acl_test.go
+++ b/agent/structs/acl_test.go
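Review bot: In both branches of the reordered `if`, `hasher.Sum([]byte(t.Rules))` and `hasher.Sum([]byte(ACLPolicyGlobalManagement))` never write anything into the FNV hasher: hash.Hash.Sum appends the digest of the data written so far (here, nothing) to its argument, so policy.ID becomes the hex encoding of the rule text itself followed by a constant digest rather than a fingerprint of the rules. That makes the ID grow with the rule body and reproduces the rule text wherever the ID is logged or returned; if a digest is intended, the pair should read `hasher.Write([]byte(t.Rules))` followed by `policy.ID = fmt.Sprintf("%x", hasher.Sum(nil))` (and the same for the management constant), although this hunk does not show whether these IDs are persisted or compared elsewhere, so any change needs a compatibility check first. The retained comment "for management tokens we must embed the policy rules as well" no longer describes the new precedence, where a management token ignores its own Rules; I would reword it to `// A management token always embeds the global management policy; any Rules set on it are disregarded.` EmbeddedPolicy begins before this hunk and continues past it.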
@@ -56,6 +56,26 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
 require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
 })
 
+ t.Run("Legacy Management With Rules", func(t *testing.T) {
+ t.Parallel()
+
+ a := &ACL{
+ ID: "root",
+ Type: ACLTokenTypeManagement,
+ Name: "management",
+ Rules: "operator = \"write\"",
+ }
+
+ token := a.Convert()
+
+ policyIDs := token.PolicyIDs()
+ require.Len(t, policyIDs, 0)
+
+ embedded := token.EmbeddedPolicy()
+ require.NotNil(t, embedded)
+ require.Equal(t, ACLPolicyGlobalManagement, embedded.Rules)
+ })
+
 t.Run("No Policies", func(t *testing.T) {
 t.Parallel()