From e231d62bc9cdb9d181322ec95615642151961d68 Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Mon, 10 Feb 2020 19:26:01 -0500
Subject: [PATCH] Make the config entry and leaf cert cache types ns aware (#7256)
---
 agent/cache-types/connect_ca_leaf.go | 16 +++++++++++++++-
 agent/cache-types/connect_ca_leaf_test.go | 14 +++++++++++---
 agent/structs/acl.go | 1 +
 agent/structs/config_entry.go | 11 +++++++----
 4 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index fee5c3221e..e14d36a327 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -10,6 +10,7 @@ import (
 "time"
 "github.com/hashicorp/consul/lib"
+ "github.com/mitchellh/hashstructure"
 "github.com/hashicorp/consul/agent/cache"
 "github.com/hashicorp/consul/agent/connect"
@@ -654,7 +655,20 @@ func (r *ConnectCALeafRequest) Key() string {
 return fmt.Sprintf("agent:%s", r.Agent)
 }
- return fmt.Sprintf("service:%s", r.Service)
+ r.EnterpriseMeta.Normalize()
+
+ v, err := hashstructure.Hash([]interface{}{
+ r.Service,
+ r.EnterpriseMeta,
+ }, nil)
+ if err == nil {
+ return fmt.Sprintf("service:%d", v)
+ }
+
+ // If there is an error, we don't set the key. A blank key forces
+ // no cache for this request so the request is forwarded directly
+ // to the server.
+ return ""
 }
 func (r *ConnectCALeafRequest) CacheInfo() cache.RequestInfo {
diff --git a/agent/cache-types/connect_ca_leaf_test.go b/agent/cache-types/connect_ca_leaf_test.go
index 60eb4c89fc..e3669e27ad 100644
--- a/agent/cache-types/connect_ca_leaf_test.go
+++ b/agent/cache-types/connect_ca_leaf_test.go
@@ -2,6 +2,7 @@ package cachetype
 import (
 "fmt"
+ "strings"
 "sync/atomic"
 "testing"
 "time"
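Review bot: In `ConnectCALeafRequest.Key()` (agent/cache-types/connect_ca_leaf.go) the `service:` key is now only the integer returned by `hashstructure.Hash`, so the cache entry holding a service's leaf certificate is selected by a hash value rather than by the exact service name and namespace. If two distinct (service, enterprise meta) pairs ever hashed alike they would share one entry, which is presumably the cross-namespace mix-up this change is meant to prevent; keeping the name in the key narrows that to a single service, e.g. `return fmt.Sprintf("service:%s:%d", r.Service, v)`, assuming nothing parses the key. `r.EnterpriseMeta.Normalize()` also makes `Key()` mutate its receiver, which deserves a one-line comment. Whether every caller of `Key()` treats the `""` fallback as "do not cache" is not visible here, and the function begins above the hunk.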
@@ -1018,8 +1019,15 @@ func (r *testGatedRootsRPC) RPC(method string, args interface{}, reply interface
 }
 func TestConnectCALeaf_Key(t *testing.T) {
- r := ConnectCALeafRequest{Service: "web"}
- require.Equal(t, "service:web", r.Key())
- r = ConnectCALeafRequest{Agent: "abc"}
+ r1 := ConnectCALeafRequest{Service: "web"}
+ r2 := ConnectCALeafRequest{Service: "api"}
+
+ // hashstructure will hash the service name + ent meta to produce this key
+ r1Key := r1.Key()
+ r2Key := r2.Key()
+ require.True(t, strings.HasPrefix(r1Key, "service:"), "Key %s does not start with service:", r1Key)
+ require.True(t, strings.HasPrefix(r2Key, "service:"), "Key %s does not start with service:", r2Key)
+ require.NotEqual(t, r1Key, r2Key, "Cache keys for different services are not equal")
+ r := ConnectCALeafRequest{Agent: "abc"}
 require.Equal(t, "agent:abc", r.Key())
 }
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index f837dfba26..353ce59966 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -182,6 +182,7 @@ func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *EnterpriseMeta) *ACLPolicy
 policy.Rules = rules
 policy.Syntax = acl.SyntaxCurrent
 policy.Datacenters = s.Datacenters
+ policy.EnterpriseMeta.Merge(entMeta)
 policy.SetHash(true)
 return policy
 }
diff --git a/agent/structs/config_entry.go b/agent/structs/config_entry.go
index 4e9b7adfa9..08a88e4bd1 100644
--- a/agent/structs/config_entry.go
+++ b/agent/structs/config_entry.go
@@ -510,6 +510,7 @@ func (r *ConfigEntryQuery) CacheInfo() cache.RequestInfo {
 r.Kind,
 r.Name,
 r.Filter,
+ r.EnterpriseMeta,
 }, nil)
 if err == nil {
 // If there is an error, we don't set the key. A blank key forces
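Review bot: `TestConnectCALeaf_Key` only proves that two different service names produce different keys; it never checks the property the commit is about, that the same service under different `EnterpriseMeta` values gets different keys, nor that `Key()` is stable across calls. Adding `require.Equal(t, r1Key, r1.Key())` covers stability, and a namespaced case belongs wherever a non-default `EnterpriseMeta` can be constructed (not visible in this hunk). The failure message on `require.NotEqual` reads inverted, since it is printed when the keys are equal; `"Cache keys for different services should not be equal"` says what went wrong.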
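Review bot: `policy.EnterpriseMeta.Merge(entMeta)` in `SyntheticPolicy` (agent/structs/acl.go) passes the pointer parameter straight through, and nothing in the hunk shows that a nil `entMeta` is tolerated; confirm `Merge` accepts nil or guard the call. The placement before `policy.SetHash(true)` looks deliberate, so a comment such as `// merge namespace info before SetHash so a later reorder cannot drop it from the hash` would protect it, presuming `SetHash` covers that field. The function starts above the hunk.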
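Review bot: `ConfigEntryQuery.CacheInfo()` hashes `r.EnterpriseMeta` as-is, whereas `ConnectCALeafRequest.Key()` in this same commit calls `r.EnterpriseMeta.Normalize()` before hashing; the same applies to the `ServiceConfigRequest.CacheInfo()` hunk that follows. If normalization does not already happen earlier in these functions (both begin above their hunks), equivalent spellings of one namespace could hash to different cache keys, which keeps namespaces isolated but splits what should be one cache entry. Either add `r.EnterpriseMeta.Normalize()` ahead of the `hashstructure.Hash` call in both places or add a comment stating where the value is normalized.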
@@ -557,11 +558,13 @@ func (r *ServiceConfigRequest) CacheInfo() cache.RequestInfo {
 // the slice would affect cache keys if we ever persist between agent restarts
 // and change it.
 v, err := hashstructure.Hash(struct {
- Name string
- Upstreams []string `hash:"set"`
+ Name string
+ EnterpriseMeta EnterpriseMeta
+ Upstreams []string `hash:"set"`
 }{
- Name: r.Name,
- Upstreams: r.Upstreams,
+ Name: r.Name,
+ EnterpriseMeta: r.EnterpriseMeta,
+ Upstreams: r.Upstreams,
 }, nil)
 if err == nil {
 // If there is an error, we don't set the key. A blank key forces