From 615378e2c98b5f209d2d16822fcd57cc507acc3f Mon Sep 17 00:00:00 2001
From: skpratt
Date: Wed, 14 Dec 2022 13:13:56 -0600
Subject: [PATCH] remove legacy acl policies

---
 .changelog/15922.txt | 3 +
 acl/acl_test.go | 483 ++++++++++++++--
 acl/authorizer.go | 5 +-
 acl/policy.go | 130 +----
 acl/policy_test.go | 546 +-----------------
 agent/acl_endpoint.go | 9 +-
 agent/acl_test.go | 2 +-
 agent/agent_endpoint_test.go | 58 +-
 agent/consul/acl.go | 2 +-
 agent/consul/acl_endpoint.go | 2 +-
 agent/consul/acl_endpoint_legacy.go | 31 -
 agent/consul/acl_replication_test.go | 5 -
 agent/consul/acl_test.go | 18 -
 .../ready_servers_events_test.go | 2 +-
 agent/consul/catalog_endpoint_test.go | 9 +-
 agent/consul/filter_test.go | 16 +-
 agent/consul/leader.go | 1 -
 agent/consul/state/acl_test.go | 16 -
 agent/consul/state/connect_ca_events_test.go | 2 +-
 agent/consul/state/store_integration_test.go | 3 -
 agent/grpc-external/testutils/acl.go | 2 +-
 .../services/subscribe/subscribe_test.go | 4 +-
 .../proxycfg-glue/intention_upstreams_test.go | 2 +-
 agent/rpc/peering/service_test.go | 28 +-
 agent/structs/acl.go | 7 +-
 agent/structs/acl_test.go | 9 -
 agent/structs/aclfilter/filter_test.go | 122 ++--
 .../config_entry_discoverychain_test.go | 4 +-
 agent/structs/config_entry_test.go | 2 +-
 agent/structs/intention_test.go | 2 +-
 agent/xds/delta_test.go | 6 +-
 api/agent.go | 8 +-
 api/agent_test.go | 4 +-
 api/api_test.go | 3 +-
 api/operator_license.go | 3 -
 35 files changed, 590 insertions(+), 959 deletions(-)
 create mode 100644 .changelog/15922.txt
 delete mode 100644 agent/consul/acl_endpoint_legacy.go

diff --git a/.changelog/15922.txt b/.changelog/15922.txt
new file mode 100644
index 0000000000000..53cf6c802e339
--- /dev/null
+++ b/.changelog/15922.txt
@@ -0,0 +1,3 @@
+```release-note:deprecation
+acl: remove all functionality and references for legacy acl policies.
+```
\ No newline at end of file
diff --git a/acl/acl_test.go b/acl/acl_test.go
index fae37e5a64f25..78f93207290c8 100644
--- a/acl/acl_test.go +++ b/acl/acl_test.go @@ -7,31 +7,6 @@ import ( "github.com/stretchr/testify/require" ) -func legacyPolicy(policy *Policy) *Policy { - return &Policy{ - PolicyRules: PolicyRules{ - Agents: policy.Agents, - AgentPrefixes: policy.Agents, - Nodes: policy.Nodes, - NodePrefixes: policy.Nodes, - Keys: policy.Keys, - KeyPrefixes: policy.Keys, - Services: policy.Services, - ServicePrefixes: policy.Services, - Sessions: policy.Sessions, - SessionPrefixes: policy.Sessions, - Events: policy.Events, - EventPrefixes: policy.Events, - PreparedQueries: policy.PreparedQueries, - PreparedQueryPrefixes: policy.PreparedQueries, - Keyring: policy.Keyring, - Operator: policy.Operator, - Mesh: policy.Mesh, - Peering: policy.Peering, - }, - } -} - // // The following 1 line functions are created to all conform to what // can be stored in the aclCheck type to make defining ACL tests @@ -561,7 +536,7 @@ func TestACL(t *testing.T) { name: "AgentBasicDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -577,8 +552,22 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root", + Policy: PolicyRead, + }, + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "ro", check: checkDenyAgentRead}, @@ -601,7 +590,7 @@ func TestACL(t *testing.T) { name: "AgentBasicDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { 
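Review bot: Removing legacyPolicy leaves every policyStack literal in TestACL that used it carrying the same rule list twice, once in the exact field and once in the matching `*Prefixes` field (hunks -561, -601, -641, -665, -745, -1679, -1760, -1841, -1921, -2001 and -2113), so each case now has two hand-maintained copies that can drift apart without any check noticing. If only the "legacy" naming was the problem, a neutrally named test helper that fills both fields from one slice would keep each case single-sourced; failing that, a comment on the first such case, e.g. `// exact and prefix rules are kept identical so every check exercises both lookup paths`, would tell the next reader the duplication is deliberate. TestACL itself starts and ends well outside these hunks.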
@@ -617,8 +606,22 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root", + Policy: PolicyRead, + }, + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "ro", check: checkAllowAgentRead}, @@ -641,7 +644,7 @@ func TestACL(t *testing.T) { name: "PreparedQueryDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ PreparedQueries: []*PreparedQueryRule{ { @@ -649,8 +652,14 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "other", + Policy: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ // in version 1.2.1 and below this would have failed @@ -665,7 +674,7 @@ func TestACL(t *testing.T) { name: "AgentNestedDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -685,9 +694,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -707,8 +734,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "nope", check: checkDenyAgentRead}, 
@@ -745,7 +790,7 @@ func TestACL(t *testing.T) { name: "AgentNestedDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -765,9 +810,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Agents: []*AgentRule{ { @@ -787,8 +850,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + AgentPrefixes: []*AgentRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadAllowed", prefix: "nope", check: checkAllowAgentRead}, @@ -1679,7 +1760,7 @@ func TestACL(t *testing.T) { name: "NodeDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1699,9 +1780,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "root-nope", + Policy: PolicyDeny, + }, + { + Name: "root-ro", + Policy: PolicyRead, + }, + { + Name: "root-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { 
@@ -1721,8 +1820,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "child-nope", + Policy: PolicyDeny, + }, + { + Name: "child-ro", + Policy: PolicyRead, + }, + { + Name: "child-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll}, @@ -1760,7 +1877,7 @@ func TestACL(t *testing.T) { name: "NodeDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1780,9 +1897,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "root-nope", + Policy: PolicyDeny, + }, + { + Name: "root-ro", + Policy: PolicyRead, + }, + { + Name: "root-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Nodes: []*NodeRule{ { @@ -1802,8 +1937,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + NodePrefixes: []*NodeRule{ + { + Name: "child-nope", + Policy: PolicyDeny, + }, + { + Name: "child-ro", + Policy: PolicyRead, + }, + { + Name: "child-rw", + Policy: PolicyWrite, + }, + { + Name: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ReadAllDenied", prefix: "", check: checkDenyNodeReadAll}, @@ -1841,7 +1994,7 @@ func TestACL(t *testing.T) { name: "SessionDefaultDeny", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { 
@@ -1861,9 +2014,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1883,8 +2054,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadDenied", prefix: "nope", check: checkDenySessionRead}, @@ -1921,7 +2110,7 @@ func TestACL(t *testing.T) { name: "SessionDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1941,9 +2130,27 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "root-nope", + Policy: PolicyDeny, + }, + { + Node: "root-ro", + Policy: PolicyRead, + }, + { + Node: "root-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyDeny, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Sessions: []*SessionRule{ { @@ -1963,8 +2170,26 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + SessionPrefixes: []*SessionRule{ + { + Node: "child-nope", + Policy: PolicyDeny, + }, + { + Node: "child-ro", + Policy: PolicyRead, + }, + { + Node: "child-rw", + Policy: PolicyWrite, + }, + { + Node: "override", + Policy: PolicyWrite, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "DefaultReadAllowed", prefix: "nope", check: checkAllowSessionRead}, 
@@ -2001,7 +2226,7 @@ func TestACL(t *testing.T) { name: "Parent", defaultPolicy: DenyAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Keys: []*KeyRule{ { @@ -2013,6 +2238,16 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/", + Policy: PolicyWrite, + }, + { + Prefix: "bar/", + Policy: PolicyRead, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "other", @@ -2023,6 +2258,16 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "other", + Policy: PolicyWrite, + }, + { + Prefix: "foo", + Policy: PolicyRead, + }, + }, Services: []*ServiceRule{ { Name: "other", @@ -2033,9 +2278,19 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "other", + Policy: PolicyWrite, + }, + { + Name: "foo", + Policy: PolicyRead, + }, + }, }, - }), - legacyPolicy(&Policy{ + }, + { PolicyRules: PolicyRules{ Keys: []*KeyRule{ { @@ -2051,20 +2306,46 @@ func TestACL(t *testing.T) { Policy: PolicyRead, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/priv/", + Policy: PolicyRead, + }, + { + Prefix: "bar/", + Policy: PolicyDeny, + }, + { + Prefix: "zip/", + Policy: PolicyRead, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "bar", Policy: PolicyDeny, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "bar", + Policy: PolicyDeny, + }, + }, Services: []*ServiceRule{ { Name: "bar", Policy: PolicyDeny, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "bar", + Policy: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll}, @@ -2113,7 +2394,7 @@ func TestACL(t *testing.T) { name: "ComplexDefaultAllow", defaultPolicy: AllowAll(), policyStack: []*Policy{ - legacyPolicy(&Policy{ + { PolicyRules: PolicyRules{ Events: []*EventRule{ { 
@@ -2129,6 +2410,20 @@ func TestACL(t *testing.T) { Policy: PolicyDeny, }, }, + EventPrefixes: []*EventRule{ + { + Event: "", + Policy: PolicyRead, + }, + { + Event: "foo", + Policy: PolicyWrite, + }, + { + Event: "bar", + Policy: PolicyDeny, + }, + }, Keys: []*KeyRule{ { Prefix: "foo/", @@ -2151,6 +2446,28 @@ func TestACL(t *testing.T) { Policy: PolicyList, }, }, + KeyPrefixes: []*KeyRule{ + { + Prefix: "foo/", + Policy: PolicyWrite, + }, + { + Prefix: "foo/priv/", + Policy: PolicyDeny, + }, + { + Prefix: "bar/", + Policy: PolicyDeny, + }, + { + Prefix: "zip/", + Policy: PolicyRead, + }, + { + Prefix: "zap/", + Policy: PolicyList, + }, + }, PreparedQueries: []*PreparedQueryRule{ { Prefix: "", @@ -2169,6 +2486,24 @@ func TestACL(t *testing.T) { Policy: PolicyWrite, }, }, + PreparedQueryPrefixes: []*PreparedQueryRule{ + { + Prefix: "", + Policy: PolicyRead, + }, + { + Prefix: "foo", + Policy: PolicyWrite, + }, + { + Prefix: "bar", + Policy: PolicyDeny, + }, + { + Prefix: "zoo", + Policy: PolicyWrite, + }, + }, Services: []*ServiceRule{ { Name: "", @@ -2193,8 +2528,32 @@ func TestACL(t *testing.T) { Intentions: PolicyDeny, }, }, + ServicePrefixes: []*ServiceRule{ + { + Name: "", + Policy: PolicyWrite, + }, + { + Name: "foo", + Policy: PolicyRead, + }, + { + Name: "bar", + Policy: PolicyDeny, + }, + { + Name: "barfoo", + Policy: PolicyWrite, + Intentions: PolicyWrite, + }, + { + Name: "intbaz", + Policy: PolicyWrite, + Intentions: PolicyDeny, + }, + }, }, - }), + }, }, checks: []aclCheck{ {name: "ServiceReadAllDenied", prefix: "", check: checkDenyServiceReadAll}, 
@@ -2905,7 +3264,7 @@ func TestACL_ReadAll(t *testing.T) {
 body := func(t *testing.T, rules string, defaultPolicy Authorizer, check func(t *testing.T, authz Authorizer, prefix string, entCtx *AuthorizerContext)) {
 t.Helper()
- policy, err := NewPolicyFromSource(rules, SyntaxCurrent, nil, nil)
+ policy, err := NewPolicyFromSource(rules, nil, nil)
 require.NoError(t, err)
 acl, err := NewPolicyAuthorizerWithDefaults(defaultPolicy, []*Policy{policy}, nil)
diff --git a/acl/authorizer.go b/acl/authorizer.go
index 6842283b182a4..1ecf9f2afe353 100644
--- a/acl/authorizer.go
+++ b/acl/authorizer.go
@@ -586,9 +586,8 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx
 // NewAuthorizerFromRules is a convenience function to invoke NewPolicyFromSource followed by NewPolicyAuthorizer with
 // the parse policy.
-// TODO(ACL-Legacy-Compat): remove syntax arg after removing SyntaxLegacy
-func NewAuthorizerFromRules(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) {
- policy, err := NewPolicyFromSource(rules, syntax, conf, meta)
+func NewAuthorizerFromRules(rules string, conf *Config, meta *EnterprisePolicyMeta) (Authorizer, error) {
+ policy, err := NewPolicyFromSource(rules, conf, meta)
 if err != nil {
 return nil, err
 }
diff --git a/acl/policy.go b/acl/policy.go
index db39dc3c31b75..e68eb9530d2b2 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -3,8 +3,6 @@ package acl
 import (
 "fmt"
 "strings"
-
- "github.com/hashicorp/hcl"
 )
 type SyntaxVersion int
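Review bot: The doc comment kept above the new NewAuthorizerFromRules signature still says "with the parse policy" and, now that the syntax parameter is gone, no longer tells callers which rule syntax the function accepts. Since NewPolicyFromSource only calls parseCurrent after this change, the second comment line could read `// the parsed policy. Only the current (non-legacy) rule syntax is accepted.`. The rest of NewAuthorizerFromRules lies outside the hunk.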
@@ -309,126 +307,10 @@ func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Poli
 return p, nil
 }
-// TODO(ACL-Legacy-Compat): remove in phase 2
-func parseLegacy(rules string, conf *Config) (*Policy, error) {
- p := &Policy{}
-
- type LegacyPolicy struct {
- Agents []*AgentRule `hcl:"agent,expand"`
- Keys []*KeyRule `hcl:"key,expand"`
- Nodes []*NodeRule `hcl:"node,expand"`
- Services []*ServiceRule `hcl:"service,expand"`
- Sessions []*SessionRule `hcl:"session,expand"`
- Events []*EventRule `hcl:"event,expand"`
- PreparedQueries []*PreparedQueryRule `hcl:"query,expand"`
- Keyring string `hcl:"keyring"`
- Operator string `hcl:"operator"`
- // NOTE: mesh resources not supported here
- }
-
- lp := &LegacyPolicy{}
-
- if err := hcl.Decode(lp, rules); err != nil {
- return nil, fmt.Errorf("Failed to parse ACL rules: %v", err)
- }
-
- // Validate the agent policy
- for _, ap := range lp.Agents {
- if !isPolicyValid(ap.Policy, false) {
- return nil, fmt.Errorf("Invalid agent policy: %#v", ap)
- }
-
- p.AgentPrefixes = append(p.AgentPrefixes, ap)
- }
-
- // Validate the key policy
- for _, kp := range lp.Keys {
- if !isPolicyValid(kp.Policy, true) {
- return nil, fmt.Errorf("Invalid key policy: %#v", kp)
- }
-
- if err := kp.EnterpriseRule.Validate(kp.Policy, conf); err != nil {
- return nil, fmt.Errorf("Invalid key enterprise policy: %#v, got error: %v", kp, err)
- }
-
- p.KeyPrefixes = append(p.KeyPrefixes, kp)
- }
-
- // Validate the node policies
- for _, np := range lp.Nodes {
- if !isPolicyValid(np.Policy, false) {
- return nil, fmt.Errorf("Invalid node policy: %#v", np)
- }
- if err := np.EnterpriseRule.Validate(np.Policy, conf); err != nil {
- return nil, fmt.Errorf("Invalid node enterprise policy: %#v, got error: %v", np, err)
- }
-
- p.NodePrefixes = append(p.NodePrefixes, np)
- }
-
- // Validate the service policies
- for _, sp := range lp.Services {
- if !isPolicyValid(sp.Policy, false) {
- return nil, fmt.Errorf("Invalid service policy: %#v", sp)
- }
- if sp.Intentions != "" && !isPolicyValid(sp.Intentions, false) {
- return nil, fmt.Errorf("Invalid service intentions policy: %#v", sp)
- }
- if err := sp.EnterpriseRule.Validate(sp.Policy, conf); err != nil {
- return nil, fmt.Errorf("Invalid service enterprise policy: %#v, got error: %v", sp, err)
- }
-
- p.ServicePrefixes = append(p.ServicePrefixes, sp)
- }
-
- // Validate the session policies
- for _, sp := range lp.Sessions {
- if !isPolicyValid(sp.Policy, false) {
- return nil, fmt.Errorf("Invalid session policy: %#v", sp)
- }
-
- p.SessionPrefixes = append(p.SessionPrefixes, sp)
- }
-
- // Validate the user event policies
- for _, ep := range lp.Events {
- if !isPolicyValid(ep.Policy, false) {
- return nil, fmt.Errorf("Invalid event policy: %#v", ep)
- }
-
- p.EventPrefixes = append(p.EventPrefixes, ep)
- }
-
- // Validate the prepared query policies
- for _, pq := range lp.PreparedQueries {
- if !isPolicyValid(pq.Policy, false) {
- return nil, fmt.Errorf("Invalid query policy: %#v", pq)
- }
-
- p.PreparedQueryPrefixes = append(p.PreparedQueryPrefixes, pq)
- }
-
- // Validate the keyring policy - this one is allowed to be empty
- if lp.Keyring != "" && !isPolicyValid(lp.Keyring, false) {
- return nil, fmt.Errorf("Invalid keyring policy: %#v", lp.Keyring)
- } else {
- p.Keyring = lp.Keyring
- }
-
- // Validate the operator policy - this one is allowed to be empty
- if lp.Operator != "" && !isPolicyValid(lp.Operator, false) {
- return nil, fmt.Errorf("Invalid operator policy: %#v", lp.Operator)
- } else {
- p.Operator = lp.Operator
- }
-
- return p, nil
-}
-
 // NewPolicyFromSource is used to parse the specified ACL rules into an
 // intermediary set of policies, before being compiled into
 // the ACL
-func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
+func NewPolicyFromSource(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
 if rules == "" {
 // Hot path for empty source
 return &Policy{}, nil
@@ -436,15 +318,7 @@ func NewPolicyFromSource(rules string, syntax SyntaxVersion, conf *Config, meta
 var policy *Policy
 var err error
- switch syntax {
- // TODO(ACL-Legacy-Compat): remove and remove as argument from function
- case SyntaxLegacy:
- policy, err = parseLegacy(rules, conf)
- case SyntaxCurrent:
- policy, err = parseCurrent(rules, conf, meta)
- default:
- return nil, fmt.Errorf("Invalid rules version: %d", syntax)
- }
+ policy, err = parseCurrent(rules, conf, meta)
 return policy, err
 }
diff --git a/acl/policy_test.go b/acl/policy_test.go
index 362451e98c0db..7095df286b3a6 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -16,15 +16,13 @@ func errStartsWith(t *testing.T, actual error, expected string) {
 func TestPolicySourceParse(t *testing.T) {
 cases := []struct {
 Name string
- Syntax SyntaxVersion
 Rules string
 RulesJSON string
 Expected *Policy
 Err string
 }{
 {
- Name: "Basic",
- Syntax: SyntaxCurrent,
+ Name: "Basic",
 Rules: `
 agent_prefix "bar" {
 policy = "write"
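Review bot: Rules written in the legacy syntax that still reach NewPolicyFromSource are no longer rejected by this hunk but handed to parseCurrent, where `key "foo/"` or `agent "bar"` populate Keys/Agents rather than the KeyPrefixes/AgentPrefixes the removed parseLegacy filled, so an unmigrated legacy policy changes meaning silently instead of failing — a legacy `key "priv/" { policy = "deny" }` would no longer cover `priv/secret`, for instance. If stored policies are guaranteed to have been migrated before this path is reachable, a sentence recording that on the NewPolicyFromSource doc comment (in the -309 hunk) would capture the invariant, because the parser itself cannot tell the two syntaxes apart. Separately, with the switch gone the `var policy *Policy` / `var err error` declarations exist only to be assigned once, so the tail of the function can be just `return parseCurrent(rules, conf, meta)`. The -3 hunk also keeps `type SyntaxVersion int` even though this function no longer takes one; if SyntaxLegacy and SyntaxCurrent are unreferenced after this change they could be dropped in the same commit.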
@@ -302,291 +300,8 @@ func TestPolicySourceParse(t *testing.T) { }, }}, }, - { - Name: "Legacy Basic", - Syntax: SyntaxLegacy, - Rules: ` - agent "foo" { - policy = "read" - } - agent "bar" { - policy = "write" - } - event "" { - policy = "read" - } - event "foo" { - policy = "write" - } - event "bar" { - policy = "deny" - } - key "" { - policy = "read" - } - key "foo/" { - policy = "write" - } - key "foo/bar/" { - policy = "read" - } - key "foo/bar/baz" { - policy = "deny" - } - keyring = "deny" - node "" { - policy = "read" - } - node "foo" { - policy = "write" - } - node "bar" { - policy = "deny" - } - operator = "deny" - service "" { - policy = "write" - } - service "foo" { - policy = "read" - } - session "foo" { - policy = "write" - } - session "bar" { - policy = "deny" - } - session "baz" { - policy = "deny" - } - query "" { - policy = "read" - } - query "foo" { - policy = "write" - } - query "bar" { - policy = "deny" - } - `, - RulesJSON: ` - { - "agent": { - "foo": { - "policy": "read" - }, - "bar": { - "policy": "write" - } - }, - "event": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - }, - "key": { - "": { - "policy": "read" - }, - "foo/": { - "policy": "write" - }, - "foo/bar/": { - "policy": "read" - }, - "foo/bar/baz": { - "policy": "deny" - } - }, - "keyring": "deny", - "node": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - }, - "operator": "deny", - "service": { - "": { - "policy": "write" - }, - "foo": { - "policy": "read" - } - }, - "session": { - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - }, - "baz": { - "policy": "deny" - } - }, - "query": { - "": { - "policy": "read" - }, - "foo": { - "policy": "write" - }, - "bar": { - "policy": "deny" - } - } - } - `, - Expected: &Policy{PolicyRules: PolicyRules{ - AgentPrefixes: []*AgentRule{ - { - Node: "foo", - Policy: PolicyRead, - }, - { - Node: "bar", - Policy: 
PolicyWrite, - }, - }, - EventPrefixes: []*EventRule{ - { - Event: "", - Policy: PolicyRead, - }, - { - Event: "foo", - Policy: PolicyWrite, - }, - { - Event: "bar", - Policy: PolicyDeny, - }, - }, - Keyring: PolicyDeny, - KeyPrefixes: []*KeyRule{ - { - Prefix: "", - Policy: PolicyRead, - }, - { - Prefix: "foo/", - Policy: PolicyWrite, - }, - { - Prefix: "foo/bar/", - Policy: PolicyRead, - }, - { - Prefix: "foo/bar/baz", - Policy: PolicyDeny, - }, - }, - NodePrefixes: []*NodeRule{ - { - Name: "", - Policy: PolicyRead, - }, - { - Name: "foo", - Policy: PolicyWrite, - }, - { - Name: "bar", - Policy: PolicyDeny, - }, - }, - Operator: PolicyDeny, - PreparedQueryPrefixes: []*PreparedQueryRule{ - { - Prefix: "", - Policy: PolicyRead, - }, - { - Prefix: "foo", - Policy: PolicyWrite, - }, - { - Prefix: "bar", - Policy: PolicyDeny, - }, - }, - ServicePrefixes: []*ServiceRule{ - { - Name: "", - Policy: PolicyWrite, - }, - { - Name: "foo", - Policy: PolicyRead, - }, - }, - SessionPrefixes: []*SessionRule{ - { - Node: "foo", - Policy: PolicyWrite, - }, - { - Node: "bar", - Policy: PolicyDeny, - }, - { - Node: "baz", - Policy: PolicyDeny, - }, - }, - }}, - }, - { - Name: "Service No Intentions (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`, - Expected: &Policy{PolicyRules: PolicyRules{ - ServicePrefixes: []*ServiceRule{ - { - Name: "foo", - Policy: "write", - }, - }, - }}, - }, - { - Name: "Service Intentions (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" intentions = "read" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`, - Expected: &Policy{PolicyRules: PolicyRules{ - ServicePrefixes: []*ServiceRule{ - { - Name: "foo", - Policy: "write", - Intentions: "read", - }, - }, - }}, - }, - { - Name: "Service Intention: invalid value (Legacy)", - Syntax: SyntaxLegacy, - Rules: `service "foo" { policy = "write" intentions 
= "foo" }`, - RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`, - Err: "Invalid service intentions policy", - }, { Name: "Service No Intentions", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" }`, RulesJSON: `{ "service": { "foo": { "policy": "write" }}}`, Expected: &Policy{PolicyRules: PolicyRules{ @@ -600,7 +315,6 @@ func TestPolicySourceParse(t *testing.T) { }, { Name: "Service Intentions", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" intentions = "read" }`, RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "read" }}}`, Expected: &Policy{PolicyRules: PolicyRules{ 
@@ -615,168 +329,144 @@ func TestPolicySourceParse(t *testing.T) { }, { Name: "Service Intention: invalid value", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "write" intentions = "foo" }`, RulesJSON: `{ "service": { "foo": { "policy": "write", "intentions": "foo" }}}`, Err: "Invalid service intentions policy", }, { Name: "Bad Policy - ACL", - Syntax: SyntaxCurrent, Rules: `acl = "list"`, // there is no list policy but this helps to exercise another check in isPolicyValid RulesJSON: `{ "acl": "list" }`, // there is no list policy but this helps to exercise another check in isPolicyValid Err: "Invalid acl policy", }, { Name: "Bad Policy - Agent", - Syntax: SyntaxCurrent, Rules: `agent "foo" { policy = "nope" }`, RulesJSON: `{ "agent": { "foo": { "policy": "nope" }}}`, Err: "Invalid agent policy", }, { Name: "Bad Policy - Agent Prefix", - Syntax: SyntaxCurrent, Rules: `agent_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "agent_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid agent_prefix policy", }, { Name: "Bad Policy - Key", - Syntax: SyntaxCurrent, Rules: `key "foo" { policy = "nope" }`, RulesJSON: `{ "key": { "foo": { "policy": "nope" }}}`, Err: "Invalid key policy", }, { Name: "Bad Policy - Key Prefix", - Syntax: SyntaxCurrent, Rules: `key_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "key_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid key_prefix policy", }, { Name: "Bad Policy - Node", - Syntax: SyntaxCurrent, Rules: `node "foo" { policy = "nope" }`, RulesJSON: `{ "node": { "foo": { "policy": "nope" }}}`, Err: "Invalid node policy", }, { Name: "Bad Policy - Node Prefix", - Syntax: SyntaxCurrent, Rules: `node_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "node_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid node_prefix policy", }, { Name: "Bad Policy - Service", - Syntax: SyntaxCurrent, Rules: `service "foo" { policy = "nope" }`, RulesJSON: `{ "service": { "foo": { "policy": "nope" }}}`, Err: "Invalid service 
policy", }, { Name: "Bad Policy - Service Prefix", - Syntax: SyntaxCurrent, Rules: `service_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "service_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid service_prefix policy", }, { Name: "Bad Policy - Session", - Syntax: SyntaxCurrent, Rules: `session "foo" { policy = "nope" }`, RulesJSON: `{ "session": { "foo": { "policy": "nope" }}}`, Err: "Invalid session policy", }, { Name: "Bad Policy - Session Prefix", - Syntax: SyntaxCurrent, Rules: `session_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "session_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid session_prefix policy", }, { Name: "Bad Policy - Event", - Syntax: SyntaxCurrent, Rules: `event "foo" { policy = "nope" }`, RulesJSON: `{ "event": { "foo": { "policy": "nope" }}}`, Err: "Invalid event policy", }, { Name: "Bad Policy - Event Prefix", - Syntax: SyntaxCurrent, Rules: `event_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "event_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid event_prefix policy", }, { Name: "Bad Policy - Prepared Query", - Syntax: SyntaxCurrent, Rules: `query "foo" { policy = "nope" }`, RulesJSON: `{ "query": { "foo": { "policy": "nope" }}}`, Err: "Invalid query policy", }, { Name: "Bad Policy - Prepared Query Prefix", - Syntax: SyntaxCurrent, Rules: `query_prefix "foo" { policy = "nope" }`, RulesJSON: `{ "query_prefix": { "foo": { "policy": "nope" }}}`, Err: "Invalid query_prefix policy", }, { Name: "Bad Policy - Keyring", - Syntax: SyntaxCurrent, Rules: `keyring = "nope"`, RulesJSON: `{ "keyring": "nope" }`, Err: "Invalid keyring policy", }, { Name: "Bad Policy - Operator", - Syntax: SyntaxCurrent, Rules: `operator = "nope"`, RulesJSON: `{ "operator": "nope" }`, Err: "Invalid operator policy", }, { Name: "Bad Policy - Mesh", - Syntax: SyntaxCurrent, Rules: `mesh = "nope"`, RulesJSON: `{ "mesh": "nope" }`, Err: "Invalid mesh policy", }, { Name: "Bad Policy - Peering", - Syntax: SyntaxCurrent, Rules: `peering = 
"nope"`, RulesJSON: `{ "peering": "nope" }`, Err: "Invalid peering policy", }, { Name: "Keyring Empty", - Syntax: SyntaxCurrent, Rules: `keyring = ""`, RulesJSON: `{ "keyring": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Keyring: ""}}, }, { Name: "Operator Empty", - Syntax: SyntaxCurrent, Rules: `operator = ""`, RulesJSON: `{ "operator": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Operator: ""}}, }, { Name: "Mesh Empty", - Syntax: SyntaxCurrent, Rules: `mesh = ""`, RulesJSON: `{ "mesh": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Mesh: ""}}, }, { Name: "Peering Empty", - Syntax: SyntaxCurrent, Rules: `peering = ""`, RulesJSON: `{ "peering": "" }`, Expected: &Policy{PolicyRules: PolicyRules{Peering: ""}}, @@ -788,7 +478,7 @@ func TestPolicySourceParse(t *testing.T) { require.True(t, tc.Rules != "" || tc.RulesJSON != "") if tc.Rules != "" { t.Run("hcl", func(t *testing.T) { - actual, err := NewPolicyFromSource(tc.Rules, tc.Syntax, nil, nil) + actual, err := NewPolicyFromSource(tc.Rules, nil, nil) if tc.Err != "" { errStartsWith(t, err, tc.Err) } else { @@ -798,7 +488,7 @@ func TestPolicySourceParse(t *testing.T) { } if tc.RulesJSON != "" { t.Run("json", func(t *testing.T) { - actual, err := NewPolicyFromSource(tc.RulesJSON, tc.Syntax, nil, nil) + actual, err := NewPolicyFromSource(tc.RulesJSON, nil, nil) if tc.Err != "" { errStartsWith(t, err, tc.Err) } else { 
@@ -1585,236 +1275,6 @@ func TestMergePolicies(t *testing.T) { } -func TestRulesTranslate(t *testing.T) { - input := ` -# top level comment - -# block comment -agent "" { - # policy comment - policy = "write" -} - -# block comment -key "" { - # policy comment - policy = "write" -} - -# block comment -node "" { - # policy comment - policy = "write" -} - -# block comment -event "" { - # policy comment - policy = "write" -} - -# block comment -service "" { - # policy comment - policy = "write" -} - -# block comment -session "" { - # policy comment - policy = "write" -} - -# block comment -query "" { - # policy comment - policy = "write" -} - -# comment -keyring = "write" - -# comment -operator = "write" - -# comment -mesh = "write" - -# comment -peering = "write" -` - - expected := ` -# top level comment - -# block comment -agent_prefix "" { - # policy comment - policy = "write" -} - -# block comment -key_prefix "" { - # policy comment - policy = "write" -} - -# block comment -node_prefix "" { - # policy comment - policy = "write" -} - -# block comment -event_prefix "" { - # policy comment - policy = "write" -} - -# block comment -service_prefix "" { - # policy comment - policy = "write" -} - -# block comment -session_prefix "" { - # policy comment - policy = "write" -} - -# block comment -query_prefix "" { - # policy comment - policy = "write" -} - -# comment -keyring = "write" - -# comment -operator = "write" - -# comment -mesh = "write" - -# comment -peering = "write" -` - - output, err := TranslateLegacyRules([]byte(input)) - require.NoError(t, err) - require.Equal(t, strings.Trim(expected, "\n"), string(output)) -} - -func TestRulesTranslate_GH5493(t *testing.T) { - input := ` -{ - "key": { - "": { - "policy": "read" - }, - "key": { - "policy": "read" - }, - "policy": { - "policy": "read" - }, - "privatething1/": { - "policy": "deny" - }, - "anapplication/private/": { - "policy": "deny" - }, - "privatething2/": { - "policy": "deny" - } - }, - "session": { - "": { 
- "policy": "write" - } - }, - "node": { - "": { - "policy": "read" - } - }, - "agent": { - "": { - "policy": "read" - } - }, - "service": { - "": { - "policy": "read" - } - }, - "event": { - "": { - "policy": "read" - } - }, - "query": { - "": { - "policy": "read" - } - } -}` - expected := ` -key_prefix "" { - policy = "read" -} - -key_prefix "key" { - policy = "read" -} - -key_prefix "policy" { - policy = "read" -} - -key_prefix "privatething1/" { - policy = "deny" -} - -key_prefix "anapplication/private/" { - policy = "deny" -} - -key_prefix "privatething2/" { - policy = "deny" -} - -session_prefix "" { - policy = "write" -} - -node_prefix "" { - policy = "read" -} - -agent_prefix "" { - policy = "read" -} - -service_prefix "" { - policy = "read" -} - -event_prefix "" { - policy = "read" -} - -query_prefix "" { - policy = "read" -} -` - output, err := TranslateLegacyRules([]byte(input)) - require.NoError(t, err) - require.Equal(t, strings.Trim(expected, "\n"), string(output)) -} - func TestPrecedence(t *testing.T) { type testCase struct { name string diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go index 54f4b5c12b0c9..53a0d851906d3 100644 --- a/agent/acl_endpoint.go +++ b/agent/acl_endpoint.go @@ -215,8 +215,6 @@ func (s *HTTPHandlers) aclPolicyWriteInternal(_resp http.ResponseWriter, req *ht return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Policy decoding failed: %v", err)} } - args.Policy.Syntax = acl.SyntaxCurrent - if create { if args.Policy.ID != "" { return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify the ID when creating a new policy"} 
@@ -1009,10 +1007,9 @@ func (s *HTTPHandlers) ACLAuthorize(resp http.ResponseWriter, req *http.Request) // There are a number of reason why this is okay. // // 1. The authorizations performed here are the same as what would be done if other HTTP APIs - // were used. This is just a way to see if it would be allowed. In the future when we have - // audit logging, these authorization checks will be logged along with those from the real - // endpoints. In that respect, you can figure out if you have access just as easily by - // attempting to perform the requested operation. + // were used. This is just a way to see if it would be allowed. These authorization checks + // will be logged along with those from the real endpoints. In that respect, you can figure + // out if you have access just as easily by attempting to perform the requested operation. // 2. In order to use this API you must have a valid ACL token secret. // 3. Along with #2 you can use the ACL.GetPolicy RPC endpoint which will return a rolled up // set of policy rules showing your tokens effective policy. This RPC endpoint exposes diff --git a/agent/acl_test.go b/agent/acl_test.go index bc53e6c8a3bb3..8e2040a7aac20 100644 --- a/agent/acl_test.go +++ b/agent/acl_test.go @@ -237,7 +237,7 @@ func catalogPolicy(token string) (structs.ACLIdentity, acl.Authorizer, error) { return nil, nil, acl.ErrNotFound } - policy, err := acl.NewPolicyFromSource(tok.rules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tok.rules, nil, nil) if err != nil { return nil, nil, err } diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go index e0f72fc37616f..50b5c3514af2b 100644 --- a/agent/agent_endpoint_test.go +++ b/agent/agent_endpoint_test.go @@ -531,7 +531,7 @@ func TestAgent_Service(t *testing.T) { tests := []struct { name string - tokenRules string + policies string url string updateFunc func() wantWait time.Duration 
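Review bot: The reworded comment in ACLAuthorize now states unconditionally that these authorization checks `will be logged along with those from the real endpoints`, where the old text scoped that to audit logging; as far as I know audit logging is an optional (enterprise) feature that is off by default, so the sentence should be hedged, e.g. `When audit logging is enabled, these checks are logged alongside those from the real endpoints.` Item 3 of the same comment still directs readers to the ACL.GetPolicy RPC, yet the only GetPolicy in this patch is the legacy stub deleted from agent/consul/acl_endpoint_legacy.go, so that reference looks stale and should name the endpoint that actually returns a token's effective policy today. The rest of ACLAuthorize lies outside the hunk.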
@@ -665,7 +665,7 @@ func TestAgent_Service(t *testing.T) { name: "err: bad ACL for service", url: "/v1/agent/service/web-sidecar-proxy", // Limited token doesn't grant read to the service - tokenRules: ` + policies: ` key "" { policy = "read" } @@ -679,7 +679,7 @@ func TestAgent_Service(t *testing.T) { name: "good ACL for service", url: "/v1/agent/service/web-sidecar-proxy", // Limited token doesn't grant read to the service - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "read" } @@ -704,9 +704,9 @@ func TestAgent_Service(t *testing.T) { // Inject the root token for tests that don't care about ACL token := "root" - if tt.tokenRules != "" { + if tt.policies != "" { // Create new token and use that. - token = testCreateToken(t, a, tt.tokenRules) + token = testCreateToken(t, a, tt.policies) } req.Header.Set("X-Consul-Token", token) resp := httptest.NewRecorder() @@ -4303,7 +4303,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s // directly. json string enableACL bool - tokenRules string + policies string wantNS *structs.NodeService wantErr string wantSidecarIDLeftAfterDereg bool @@ -4346,7 +4346,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4367,10 +4367,10 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } } `, - enableACL: true, - tokenRules: ``, // No token rules means no valid token - wantNS: nil, - wantErr: "Permission denied", + enableACL: true, + policies: ``, // No token rules means no valid token + wantNS: nil, + wantErr: "Permission denied", }, { name: "ACL OK for service but not for sidecar", 
@@ -4385,7 +4385,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s `, enableACL: true, // This will become more common/reasonable when ACLs support exact match. - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "deny" } @@ -4411,7 +4411,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4435,7 +4435,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4464,7 +4464,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4689,8 +4689,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar(t *testing.T, extraHCL s // Create an ACL token with require policy var token string - if tt.enableACL && tt.tokenRules != "" { - token = testCreateToken(t, a, tt.tokenRules) + if tt.enableACL && tt.policies != "" { + token = testCreateToken(t, a, tt.policies) } br := bytes.NewBufferString(tt.json) @@ -4798,7 +4798,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH // directly. json string enableACL bool - tokenRules string + policies string wantNS *structs.NodeService wantErr string wantSidecarIDLeftAfterDereg bool @@ -4841,7 +4841,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } 
@@ -4862,10 +4862,10 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } } `, - enableACL: true, - tokenRules: ``, // No token rules means no valid token - wantNS: nil, - wantErr: "Permission denied", + enableACL: true, + policies: ``, // No token rules means no valid token + wantNS: nil, + wantErr: "Permission denied", }, { name: "ACL OK for service but not for sidecar", @@ -4880,7 +4880,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH `, enableACL: true, // This will become more common/reasonable when ACLs support exact match. - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "deny" } @@ -4906,7 +4906,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4930,7 +4930,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -4959,7 +4959,7 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH } `, enableACL: true, - tokenRules: ` + policies: ` service "web-sidecar-proxy" { policy = "write" } @@ -5184,8 +5184,8 @@ func testAgent_RegisterServiceDeregisterService_Sidecar_UDP(t *testing.T, extraH // Create an ACL token with require policy var token string - if tt.enableACL && tt.tokenRules != "" { - token = testCreateToken(t, a, tt.tokenRules) + if tt.enableACL && tt.policies != "" { + token = testCreateToken(t, a, tt.policies) } br := bytes.NewBufferString(tt.json) diff --git a/agent/consul/acl.go b/agent/consul/acl.go index 03a5750cbfdf6..0c65ed9fd1ef0 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go 
@@ -284,7 +284,7 @@ func agentRecoveryAuthorizer(nodeName string, entMeta *acl.EnterpriseMeta, aclCo node_prefix "" { policy = "read" } - `, nodeName), acl.SyntaxCurrent, &conf, entMeta.ToEnterprisePolicyMeta()) + `, nodeName), &conf, entMeta.ToEnterprisePolicyMeta()) if err != nil { return nil, err } diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go index 4994baeb9c1f8..1cbea7779b222 100644 --- a/agent/consul/acl_endpoint.go +++ b/agent/consul/acl_endpoint.go @@ -913,7 +913,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol } // validate the rules - _, err = acl.NewPolicyFromSource(policy.Rules, policy.Syntax, a.srv.aclConfig, policy.EnterprisePolicyMeta()) + _, err = acl.NewPolicyFromSource(policy.Rules, a.srv.aclConfig, policy.EnterprisePolicyMeta()) if err != nil { return err } diff --git a/agent/consul/acl_endpoint_legacy.go b/agent/consul/acl_endpoint_legacy.go deleted file mode 100644 index efee32cb5ebac..0000000000000 --- a/agent/consul/acl_endpoint_legacy.go +++ /dev/null @@ -1,31 +0,0 @@ -package consul - -import ( - "fmt" - - "github.com/hashicorp/consul/agent/structs" -) - -type LegacyACLGetPolicy struct{} - -func (a *ACL) GetPolicy(*LegacyACLGetPolicy, *LegacyACLGetPolicy) error { - return fmt.Errorf("ACL.GetPolicy: the legacy ACL system has been removed") -} - -func (a *ACL) Bootstrap(*structs.DCSpecificRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.Bootstrap: the legacy ACL system has been removed") -} - -type LegacyACLRequest struct{} - -func (a *ACL) Apply(*LegacyACLRequest, *string) error { - return fmt.Errorf("ACL.Apply: the legacy ACL system has been removed") -} - -func (a *ACL) Get(*LegacyACLRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.Get: the legacy ACL system has been removed") -} - -func (a *ACL) List(*structs.DCSpecificRequest, *LegacyACLRequest) error { - return fmt.Errorf("ACL.List: the legacy ACL system has been removed") -} 
diff --git a/agent/consul/acl_replication_test.go b/agent/consul/acl_replication_test.go index 25bd3929ff3ee..a0c2576cf8fc9 100644 --- a/agent/consul/acl_replication_test.go +++ b/agent/consul/acl_replication_test.go @@ -10,7 +10,6 @@ import ( "github.com/stretchr/testify/require" - "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/consul/authmethod/testauth" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs/aclfilter" @@ -31,7 +30,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy1", Description: "policy1 - already in sync", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, @@ -41,7 +39,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy2", Description: "policy2 - updated but not changed", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, @@ -51,7 +48,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy3", Description: "policy3 - updated and changed", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, @@ -61,7 +57,6 @@ func TestACLReplication_diffACLPolicies(t *testing.T) { Name: "policy4", Description: "policy4 - needs deleting", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, Datacenters: nil, Hash: []byte{1, 2, 3, 4}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 25}, diff --git a/agent/consul/acl_test.go b/agent/consul/acl_test.go index c6601289d508a..2a5964fed8e80 100644 --- a/agent/consul/acl_test.go +++ b/agent/consul/acl_test.go 
@@ -213,7 +213,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -224,7 +223,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "acl-wr", Description: "acl-wr", Rules: `acl = "write"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -235,7 +233,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "service-ro", Description: "service-ro", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -246,7 +243,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "service-wr", Description: "service-wr", Rules: `service_prefix "" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } p.SetHash(false) @@ -257,7 +253,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } @@ -269,7 +264,6 @@ func testPolicyForID(policyID string) (bool, *structs.ACLPolicy, error) { Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, } 
@@ -1699,7 +1693,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1733,7 +1726,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1768,7 +1760,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "acl-ro", Description: "acl-ro", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -1793,7 +1784,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1802,7 +1792,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1836,7 +1825,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, 
@@ -1845,7 +1833,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1874,7 +1861,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1883,7 +1869,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "dc2-key-wr", Description: "dc2-key-wr", Rules: `key_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc2"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -1901,7 +1886,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "service-ro", Description: "service-ro", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) @@ -2072,7 +2056,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "node-wr", Description: "node-wr", Rules: `node_prefix "" { policy = "write"}`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, @@ -2098,7 +2081,6 @@ func testACLResolver_variousTokens(t *testing.T, delegate *ACLResolverTestDelega Name: "ixn-write", Description: "ixn-write", Rules: `service_prefix "" { policy = "write" intentions = "write" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: structs.RaftIndex{CreateIndex: 1, ModifyIndex: 2}, }, }) 
diff --git a/agent/consul/autopilotevents/ready_servers_events_test.go b/agent/consul/autopilotevents/ready_servers_events_test.go index 0f686fbc5f117..aedf25c4d9928 100644 --- a/agent/consul/autopilotevents/ready_servers_events_test.go +++ b/agent/consul/autopilotevents/ready_servers_events_test.go @@ -101,7 +101,7 @@ func TestEventPayloadReadyServers_HasReadPermission(t *testing.T) { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index c1d1dbe983cd9..390c0d5f11cd3 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -3588,7 +3588,7 @@ service "gateway" { func TestVetRegisterWithACL(t *testing.T) { appendAuthz := func(t *testing.T, defaultAuthz acl.Authorizer, rules string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(defaultAuthz, []*acl.Policy{policy}, nil) @@ -3878,8 +3878,11 @@ func TestVetDeregisterWithACL(t *testing.T) { policy, err := acl.NewPolicyFromSource(` node "node" { policy = "write" +}, +node_prefix "node" { + policy = "write" } -`, acl.SyntaxLegacy, nil, nil) +`, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -3892,7 +3895,7 @@ node "node" { service "my-service" { policy = "write" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) if err != nil { t.Fatalf("err %v", err) } diff --git a/agent/consul/filter_test.go b/agent/consul/filter_test.go index 415ac762ab869..22f605da8166f 100644 --- a/agent/consul/filter_test.go +++ b/agent/consul/filter_test.go 
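Review bot: In TestVetDeregisterWithACL the rewritten node policy at `@@ -3878` carries a stray comma, `+},`, between the `node` and `node_prefix` blocks; as far as I can tell it parses only because the HCL1 object-list parser skips a comma between items, so drop it and write `}` so the fixture reads like the other rule strings in this file. The same test's service policy at `@@ -3892` lost `acl.SyntaxLegacy` without getting the `service_prefix "my-service" { policy = "write" }` companion that the node policy received, so it has silently moved from prefix to exact matching; that is fine if the cases only use the exact name `my-service`, otherwise the prefix rule is needed to keep the test asserting what it did before. The enclosing function continues beyond both hunks.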
@@ -10,7 +10,7 @@ import ( func TestFilter_DirEnt(t *testing.T) { t.Parallel() - policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil) + policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil) aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) type tcase struct { @@ -52,7 +52,7 @@ func TestFilter_DirEnt(t *testing.T) { func TestFilter_TxnResults(t *testing.T) { t.Parallel() - policy, _ := acl.NewPolicyFromSource(testFilterRules, acl.SyntaxLegacy, nil, nil) + policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil) aclR, _ := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) type tcase struct { @@ -104,13 +104,25 @@ var testFilterRules = ` key "" { policy = "deny" } +key_prefix "" { + policy = "deny" +} key "foo/" { policy = "read" } +key_prefix "foo/" { + policy = "read" +} key "foo/priv/" { policy = "deny" } +key_prefix "foo/priv/" { + policy = "deny" +} key "zip/" { policy = "read" } +key_prefix "zip/" { + policy = "read" +} ` diff --git a/agent/consul/leader.go b/agent/consul/leader.go index 3333a2f7e8265..973c74c272e9b 100644 --- a/agent/consul/leader.go +++ b/agent/consul/leader.go @@ -415,7 +415,6 @@ func (s *Server) initializeACLs(ctx context.Context) error { Name: "global-management", Description: "Builtin Policy that grants unlimited access", Rules: structs.ACLPolicyGlobalManagement, - Syntax: acl.SyntaxCurrent, EnterpriseMeta: *structs.DefaultEnterpriseMetaInDefaultPartition(), } if policy != nil { diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go index 15491e437dc2d..5e01514730fef 100644 --- a/agent/consul/state/acl_test.go +++ b/agent/consul/state/acl_test.go 
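Review bot: The new call in TestFilter_DirEnt, `policy, _ := acl.NewPolicyFromSource(testFilterRules, nil, nil)`, still discards the parse error, and the same applies to TestFilter_TxnResults at `@@ -52`; since this commit also rewrites testFilterRules (the `key_prefix` additions at `@@ -104`), a syntax slip there would leave `policy` nil and the test would panic or fail deep inside the authorizer rather than at the parse. Capture and check it, `policy, err := acl.NewPolicyFromSource(testFilterRules, nil, nil)` followed by `require.NoError(t, err)` (or `t.Fatal(err)` if this file does not import require). The `aclR, _ :=` on the following context line deserves the same treatment while you are there.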
@@ -33,7 +33,6 @@ func setupGlobalManagement(t *testing.T, s *Store) { Name: "global-management", Description: "Builtin Policy that grants unlimited access", Rules: structs.ACLPolicyGlobalManagement, - Syntax: acl.SyntaxCurrent, } policy.SetHash(true) require.NoError(t, s.ACLPolicySet(1, &policy)) @@ -74,35 +73,30 @@ func setupExtraPolicies(t *testing.T, s *Store) { Name: "node-read", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_B, Name: "agent-read", Description: "Allows reading all node information", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_C, Name: "acl-read", Description: "Allows acl read", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_D, Name: "acl-write", Description: "Allows acl write", Rules: `acl = "write"`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: testPolicyID_E, Name: "kv-read", Description: "Allows kv read", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, } @@ -1068,7 +1062,6 @@ func TestStateStore_ACLToken_FixupPolicyLinks(t *testing.T) { Name: "node-read-renamed", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, } renamed.SetHash(true) require.NoError(t, s.ACLPolicySet(3, renamed)) @@ -1475,7 +1468,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { Name: "node-read", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } 
@@ -1488,7 +1480,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { require.Equal(t, "node-read", rpolicy.Name) require.Equal(t, "Allows reading all node information", rpolicy.Description) require.Equal(t, `node_prefix "" { policy = "read" }`, rpolicy.Rules) - require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax) require.Len(t, rpolicy.Datacenters, 1) require.Equal(t, "dc1", rpolicy.Datacenters[0]) require.Equal(t, uint64(3), rpolicy.CreateIndex) @@ -1502,7 +1493,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { require.Equal(t, "global-management", rpolicy.Name) require.Equal(t, "Builtin Policy that grants unlimited access", rpolicy.Description) require.Equal(t, structs.ACLPolicyGlobalManagement, rpolicy.Rules) - require.Equal(t, acl.SyntaxCurrent, rpolicy.Syntax) require.Len(t, rpolicy.Datacenters, 0) require.Equal(t, uint64(1), rpolicy.CreateIndex) require.Equal(t, uint64(1), rpolicy.ModifyIndex) @@ -1518,7 +1508,6 @@ func TestStateStore_ACLPolicy_SetGet(t *testing.T) { Name: "node-read-modified", Description: "Modified", Rules: `node_prefix "" { policy = "read" } node "secret" { policy = "deny" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1", "dc2"}, } @@ -2307,7 +2296,6 @@ func TestStateStore_ACLRole_FixupPolicyLinks(t *testing.T) { Name: "node-read-renamed", Description: "Allows reading all node information", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, } renamed.SetHash(true) require.NoError(t, s.ACLPolicySet(3, renamed)) @@ -3368,14 +3356,12 @@ func TestStateStore_ACLTokens_Snapshot_Restore(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e", Name: "policy2", Description: "policy2", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, } 
@@ -3769,14 +3755,12 @@ func TestStateStore_ACLRoles_Snapshot_Restore(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, }, &structs.ACLPolicy{ ID: "7b70fa0f-58cd-412d-93c3-a0f17bb19a3e", Name: "policy2", Description: "policy2", Rules: `acl = "read"`, - Syntax: acl.SyntaxCurrent, }, } diff --git a/agent/consul/state/connect_ca_events_test.go b/agent/consul/state/connect_ca_events_test.go index b5062340a1226..ebd52b333201b 100644 --- a/agent/consul/state/connect_ca_events_test.go +++ b/agent/consul/state/connect_ca_events_test.go @@ -105,7 +105,7 @@ func TestEventPayloadCARoots_HasReadPermission(t *testing.T) { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/consul/state/store_integration_test.go b/agent/consul/state/store_integration_test.go index b787ad94f8487..0d28880aa381c 100644 --- a/agent/consul/state/store_integration_test.go +++ b/agent/consul/state/store_integration_test.go @@ -140,7 +140,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_C, Name: "foo-read", Rules: `node "foo" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy2.SetHash(false) @@ -154,7 +153,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_A, Name: "node-read", Rules: `node_prefix "" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy3.SetHash(false) @@ -213,7 +211,6 @@ func TestStore_IntegrationWithEventPublisher_ACLPolicyUpdate(t *testing.T) { ID: testPolicyID_B, Name: "node-read", Rules: `node_prefix "foo" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, Datacenters: []string{"dc1"}, } policy4.SetHash(false) 
diff --git a/agent/grpc-external/testutils/acl.go b/agent/grpc-external/testutils/acl.go index 8def60fff7374..a443a38ca2386 100644 --- a/agent/grpc-external/testutils/acl.go +++ b/agent/grpc-external/testutils/acl.go @@ -47,7 +47,7 @@ func ACLServiceWriteAny(t *testing.T) resolver.Result { service "foo" { policy = "write" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/grpc-internal/services/subscribe/subscribe_test.go b/agent/grpc-internal/services/subscribe/subscribe_test.go index c04d60a260a43..f31169eb94ef4 100644 --- a/agent/grpc-internal/services/subscribe/subscribe_test.go +++ b/agent/grpc-internal/services/subscribe/subscribe_test.go @@ -692,7 +692,7 @@ node "node1" { } ` cfg := &acl.Config{WildcardName: structs.WildcardSpecifier} - authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, cfg, nil) + authorizer, err := acl.NewAuthorizerFromRules(rules, cfg, nil) require.NoError(t, err) authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()}) require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil)) @@ -896,7 +896,7 @@ node "node1" { policy = "write" } ` - authorizer, err := acl.NewAuthorizerFromRules(rules, acl.SyntaxCurrent, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil) + authorizer, err := acl.NewAuthorizerFromRules(rules, &acl.Config{WildcardName: structs.WildcardSpecifier}, nil) require.NoError(t, err) authorizer = acl.NewChainedAuthorizer([]acl.Authorizer{authorizer, acl.DenyAll()}) require.Equal(t, acl.Deny, authorizer.NodeRead("denied", nil)) diff --git a/agent/proxycfg-glue/intention_upstreams_test.go b/agent/proxycfg-glue/intention_upstreams_test.go index 22846f24d206c..1a69b1de70525 100644 --- a/agent/proxycfg-glue/intention_upstreams_test.go +++ b/agent/proxycfg-glue/intention_upstreams_test.go 
@@ -91,7 +91,7 @@ func disableLegacyIntentions(t *testing.T, store *state.Store) { } func policyAuthorizer(t *testing.T, policyHCL string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(policyHCL, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(policyHCL, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/rpc/peering/service_test.go b/agent/rpc/peering/service_test.go index 833614559d763..b8fa04ef869bf 100644 --- a/agent/rpc/peering/service_test.go +++ b/agent/rpc/peering/service_test.go @@ -1729,28 +1729,24 @@ func upsertTestACLs(t *testing.T, store *state.Store) { ) policies := structs.ACLPolicies{ { - ID: testPolicyPeeringReadID, - Name: "peering-read", - Rules: `peering = "read"`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyPeeringReadID, + Name: "peering-read", + Rules: `peering = "read"`, }, { - ID: testPolicyPeeringWriteID, - Name: "peering-write", - Rules: `peering = "write"`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyPeeringWriteID, + Name: "peering-write", + Rules: `peering = "write"`, }, { - ID: testPolicyServiceReadID, - Name: "service-read", - Rules: `service "api" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyServiceReadID, + Name: "service-read", + Rules: `service "api" { policy = "read" }`, }, { - ID: testPolicyServiceWriteID, - Name: "service-write", - Rules: `service "api" { policy = "write" }`, - Syntax: acl.SyntaxCurrent, + ID: testPolicyServiceWriteID, + Name: "service-write", + Rules: `service "api" { policy = "write" }`, }, } require.NoError(t, store.ACLPolicyBatchSet(100, policies)) diff --git a/agent/structs/acl.go b/agent/structs/acl.go index e2533d516778a..fa89986a337ae 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go 
@@ -160,7 +160,6 @@ func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPo sn := NewServiceName(s.ServiceName, entMeta) policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String()) policy.Rules = rules - policy.Syntax = acl.SyntaxCurrent policy.Datacenters = s.Datacenters policy.EnterpriseMeta.Merge(entMeta) policy.SetHash(true) @@ -232,7 +231,6 @@ func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolic policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID) policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName) policy.Rules = rules - policy.Syntax = acl.SyntaxCurrent policy.Datacenters = []string{s.Datacenter} policy.EnterpriseMeta.Merge(entMeta) policy.SetHash(true) @@ -596,9 +594,6 @@ type ACLPolicy struct { // The rule set (using the updated rule syntax) Rules string - // DEPRECATED (ACL-Legacy-Compat) - This is only needed while we support the legacy ACLs - Syntax acl.SyntaxVersion `json:"-"` - // Datacenters that the policy is valid within. // - No wildcards allowed // - If empty then the policy is valid within all datacenters @@ -759,7 +754,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Conf continue } - p, err := acl.NewPolicyFromSource(policy.Rules, policy.Syntax, entConf, policy.EnterprisePolicyMeta()) + p, err := acl.NewPolicyFromSource(policy.Rules, entConf, policy.EnterprisePolicyMeta()) if err != nil { return nil, fmt.Errorf("failed to parse %q: %v", policy.Name, err) } diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go index 36ccc7ec339d9..d5b083ec5e615 100644 --- a/agent/structs/acl_test.go +++ b/agent/structs/acl_test.go @@ -67,7 +67,6 @@ func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) { } expect := &ACLPolicy{ - Syntax: acl.SyntaxCurrent, Datacenters: test.datacenters, Rules: test.expectRules, } 
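Review bot: Removing `Syntax` from `ACLPolicy` and always calling `acl.NewPolicyFromSource(policy.Rules, entConf, ...)` in `resolveWithCache` means any policy still stored with legacy-syntax rules is now compiled with current (exact-match) semantics instead of the legacy exact-plus-prefix semantics that the prefix stanzas added to `filter_test.go` in this commit reproduce — a silent narrowing of grants rather than a parse error. In a mixed-version cluster the field is also absent from policies replicated to older servers, which will decode the zero value of `SyntaxVersion`; if that zero value is `SyntaxLegacy` (not visible here), those servers would widen the same rules to prefix matches, so the upgrade ordering matters. I would state the contract on the field, e.g. `// Rules is always interpreted with the current rule syntax; legacy syntax is no longer supported.`, and confirm in an upgrade note whether legacy-syntax rules can still exist in the state store after the earlier migration. `resolveWithCache` continues outside the hunk.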
@@ -402,7 +401,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 1, ModifyIndex: 2, @@ -413,7 +411,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy2", Description: "policy2", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 3, ModifyIndex: 4, @@ -424,7 +421,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy3", Description: "policy3", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 5, ModifyIndex: 6, @@ -435,7 +431,6 @@ func TestStructs_ACLPolicies_resolveWithCache(t *testing.T) { Name: "policy4", Description: "policy4", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 7, ModifyIndex: 8, @@ -492,7 +487,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy1", Description: "policy1", Rules: `node_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 1, ModifyIndex: 2, @@ -503,7 +497,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy2", Description: "policy2", Rules: `agent_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 3, ModifyIndex: 4, @@ -514,7 +507,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy3", Description: "policy3", Rules: `key_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 5, ModifyIndex: 6, @@ -525,7 +517,6 @@ func TestStructs_ACLPolicies_Compile(t *testing.T) { Name: "policy4", Description: "policy4", Rules: `service_prefix "" { policy = "read" }`, - Syntax: acl.SyntaxCurrent, RaftIndex: RaftIndex{ CreateIndex: 7, ModifyIndex: 8, 
diff --git a/agent/structs/aclfilter/filter_test.go b/agent/structs/aclfilter/filter_test.go index 4afb00bb5d34f..9ce57e8f03692 100644 --- a/agent/structs/aclfilter/filter_test.go +++ b/agent/structs/aclfilter/filter_test.go @@ -28,7 +28,7 @@ func TestACL_filterImported_IndexedHealthChecks(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -99,7 +99,7 @@ func TestACL_filterImported_IndexedNodes(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -172,7 +172,7 @@ func TestACL_filterImported_IndexedNodeServices(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -253,7 +253,7 @@ func TestACL_filterImported_IndexedNodeServiceList(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
@@ -333,7 +333,7 @@ func TestACL_filterImported_IndexedServiceNodes(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -402,7 +402,7 @@ func TestACL_filterImported_CheckServiceNode(t *testing.T) { } run := func(t *testing.T, tc testCase) { - policy, err := acl.NewPolicyFromSource(tc.policyRules, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(tc.policyRules, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -505,10 +505,16 @@ func TestACL_filterHealthChecks(t *testing.T) { service "foo" { policy = "read" } + service_prefix "foo" { + policy = "read" + } node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + node_prefix "node1" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -527,7 +533,10 @@ func TestACL_filterHealthChecks(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + service_prefix "foo" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -546,7 +555,10 @@ func TestACL_filterHealthChecks(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + node_prefix "node1" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
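Review bot: The converted `TestACL_filterHealthChecks` policies now pair each exact rule with a prefix rule (`service "foo"` plus `service_prefix "foo"`, `node "node1"` plus `node_prefix "node1"`), which reproduces the legacy parse where an exact rule doubled as a prefix rule, while the sibling conversions later in this file (`filterServiceNodes`, `filterNodeServices`) keep only the exact rule for the same names, so the two conversions are inconsistent. Unless the fixture contains other entries sharing those prefixes, the prefix stanzas exercise nothing and blur whether the filter is being tested against exact-name or prefix authorization. I would either drop them to match the sibling tests or keep them with a one-line comment above the policy, e.g. `// prefix grants retained to preserve the legacy policy's semantics for this fixture`. The fixture setup and assertions are outside the hunk.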
@@ -604,7 +616,10 @@ func TestACL_filterIntentions(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + service_prefix "foo" { + policy = "read" + } + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -675,7 +690,7 @@ func TestACL_filterServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -694,7 +709,7 @@ func TestACL_filterServiceNodes(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -758,7 +773,7 @@ func TestACL_filterNodeServices(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -777,7 +792,7 @@ func TestACL_filterNodeServices(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -796,7 +811,7 @@ func TestACL_filterNodeServices(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -855,7 +870,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
@@ -874,7 +889,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -893,7 +908,7 @@ func TestACL_filterNodeServiceList(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -936,7 +951,7 @@ func TestACL_filterGatewayServices(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -996,7 +1011,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1015,7 +1030,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1034,7 +1049,7 @@ func TestACL_filterCheckServiceNodes(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1094,7 +1109,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
@@ -1113,7 +1128,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1132,7 +1147,7 @@ func TestACL_filterPreparedQueryExecuteResponse(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1231,7 +1246,7 @@ node "node1" { service "foo" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1259,7 +1274,7 @@ node "node2" { service "bar" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1293,7 +1308,7 @@ node "node2" { service "bar" { policy = "read" }` - policy, err := acl.NewPolicyFromSource(rules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(rules, nil, nil) if err != nil { t.Fatalf("err %v", err) } @@ -1344,7 +1359,7 @@ func TestACL_filterCoordinates(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1396,7 +1411,7 @@ func TestACL_filterSessions(t *testing.T) { session "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
@@ -1500,7 +1515,7 @@ func TestACL_filterNodeDump(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1520,7 +1535,7 @@ func TestACL_filterNodeDump(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1549,7 +1564,7 @@ func TestACL_filterNodeDump(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1587,7 +1602,7 @@ func TestACL_filterNodeDump(t *testing.T) { service "" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1607,8 +1622,11 @@ func TestACL_filterNodeDump(t *testing.T) { policy, err := acl.NewPolicyFromSource(` node "" { policy = "read" + }, + node_prefix "" { + policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1640,11 +1658,17 @@ func TestACL_filterNodeDump(t *testing.T) { policy, err := acl.NewPolicyFromSource(` service "" { policy = "read" + }, + service_prefix "" { + policy = "read" } node "" { policy = "read" + }, + node_prefix "" { + policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
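Review bot: In the `@@ -1587` hunk, `service "" { policy = "read" }` was effectively a read-all-services grant under the legacy parse (an exact rule doubled as a prefix rule, as the prefix stanzas added elsewhere in this file indicate) but is now an exact match on the empty service name, so that `TestACL_filterNodeDump` case no longer grants what its policy text suggests; the next two hunks handle the identical situation for `node ""` by adding `node_prefix ""`, and for consistency this one should add `service_prefix "" { policy = "read" }` as well, unless the intent is a token with no service access, in which case the stanza should be removed and the case renamed. Separately, the added `},` after the `node ""` and `service ""` blocks in the last two hunks are stray commas; HCL tolerates them, but no other policy in this file uses them, so I would write `}` on its own line like the surrounding stanzas. The per-case assertions are outside the hunk.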
@@ -1813,7 +1837,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1877,7 +1901,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { service "bar" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1903,7 +1927,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { service "bar" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -1928,7 +1952,7 @@ func TestACL_filterIndexedNodesWithGateways(t *testing.T) { node "node1" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2022,7 +2046,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service_prefix "bar" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2044,7 +2068,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service_prefix "bar" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2067,7 +2091,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service "foo-gateway" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) 
@@ -2089,7 +2113,7 @@ func TestACL_filterIndexedServiceDump(t *testing.T) { service "foo" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2164,7 +2188,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { service_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2184,7 +2208,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { service_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2203,7 +2227,7 @@ func TestACL_filterDatacenterCheckServiceNodes(t *testing.T) { node_prefix "" { policy = "read" } - `, acl.SyntaxCurrent, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2360,7 +2384,7 @@ func TestACL_filterPreparedQueries(t *testing.T) { query "query-with-a-token" { policy = "read" } - `, acl.SyntaxLegacy, nil, nil) + `, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) @@ -2432,7 +2456,7 @@ func TestACL_unhandledFilterType(t *testing.T) { func policy(t *testing.T, hcl string) acl.Authorizer { t.Helper() - policy, err := acl.NewPolicyFromSource(hcl, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(hcl, nil, nil) require.NoError(t, err) authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil) diff --git a/agent/structs/config_entry_discoverychain_test.go b/agent/structs/config_entry_discoverychain_test.go index df1a5c5df126d..b16f48f63b4d4 100644 
--- a/agent/structs/config_entry_discoverychain_test.go
+++ b/agent/structs/config_entry_discoverychain_test.go
@@ -17,7 +17,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) { // This test tests both of these because they are related functions. newAuthz := func(t *testing.T, src string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(src, nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
@@ -34,7 +34,7 @@ func TestConfigEntries_ListRelatedServices_AndACLs(t *testing.T) { buf.WriteString(fmt.Sprintf("service %q { policy = %q }\n", s, "write")) } - policy, err := acl.NewPolicyFromSource(buf.String(), acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(buf.String(), nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
diff --git a/agent/structs/config_entry_test.go b/agent/structs/config_entry_test.go
index 64ad4361efc67..67d9cd1add504 100644
--- a/agent/structs/config_entry_test.go
+++ b/agent/structs/config_entry_test.go
@@ -25,7 +25,7 @@ func TestConfigEntries_ACLs(t *testing.T) { type testcase = configEntryACLTestCase newAuthz := func(t *testing.T, src string) acl.Authorizer { - policy, err := acl.NewPolicyFromSource(src, acl.SyntaxCurrent, nil, nil) + policy, err := acl.NewPolicyFromSource(src, nil, nil) require.NoError(t, err) authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
diff --git a/agent/structs/intention_test.go b/agent/structs/intention_test.go
index f5aac91ca7806..ef6e4c00d25dd 100644
--- a/agent/structs/intention_test.go
+++ b/agent/structs/intention_test.go
@@ -117,7 +117,7 @@ func TestIntention_ACLs(t *testing.T) { for name, tcase := range cases { t.Run(name, func(t *testing.T) { - authz, err := acl.NewAuthorizerFromRules(tcase.rules, acl.SyntaxCurrent, &config, nil) + authz, err := acl.NewAuthorizerFromRules(tcase.rules, &config, nil) require.NoError(t, err) require.Equal(t, tcase.read, tcase.intention.CanRead(authz)) diff --git a/agent/xds/delta_test.go b/agent/xds/delta_test.go index 50ba84af904bc..40e4f3b33e6bd 100644 --- a/agent/xds/delta_test.go +++ b/agent/xds/delta_test.go @@ -1050,7 +1050,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLEnforcement(t *testing.T) { // Ensure the correct token was passed require.Equal(t, tt.token, id) // Parse the ACL and enforce it - policy, err := acl.NewPolicyFromSource(tt.acl, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(tt.acl, nil, nil) require.NoError(t, err) return acl.NewPolicyAuthorizerWithDefaults(acl.RootAuthorizer("deny"), []*acl.Policy{policy}, nil) } @@ -1139,7 +1139,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedDuri aclRules := `service "web" { policy = "write" }` token := "service-write-on-web" - policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(aclRules, nil, nil) require.NoError(t, err) var validToken atomic.Value @@ -1237,7 +1237,7 @@ func TestServer_DeltaAggregatedResources_v3_ACLTokenDeleted_StreamTerminatedInBa aclRules := `service "web" { policy = "write" }` token := "service-write-on-web" - policy, err := acl.NewPolicyFromSource(aclRules, acl.SyntaxLegacy, nil, nil) + policy, err := acl.NewPolicyFromSource(aclRules, nil, nil) require.NoError(t, err) var validToken atomic.Value diff --git a/api/agent.go b/api/agent.go index 8db4d36cc25d7..6e2883a411c28 100644 --- a/api/agent.go +++ b/api/agent.go 
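Review bot: In `TestServer_DeltaAggregatedResources_v3_ACLEnforcement`, `tt.acl` was parsed with `acl.SyntaxLegacy` and is now parsed with the current syntax, so any table entry that relied on legacy exact-as-prefix matching (for example a `service ""` or `service "web"` rule expected to cover `web-sidecar-proxy`) now grants strictly less than before; the table is outside the hunk, so I could not confirm whether an entry depends on that. If one does, it should be rewritten with `service_prefix`, mirroring the `service_prefix` stanzas added to `filter_test.go` in this commit. Either way, a comment such as `// rules use the current syntax: exact names unless a *_prefix rule is given` above the parse call would make the expectation explicit for the next reader.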
@@ -201,11 +201,11 @@ const ( // ACLModeEnabled indicates that ACLs are enabled and operating in new ACL // mode (v1.4.0+ ACLs) ACLModeEnabled MemberACLMode = "1" - // ACLModeLegacy indicates that ACLs are enabled and operating in legacy mode. - ACLModeLegacy MemberACLMode = "2" + // ACLModeLegacy has been deprecated, and will be treated as ACLModeUnknown. + ACLModeLegacy MemberACLMode = "2" // DEPRECATED // ACLModeUnkown is used to indicate that the AgentMember.Tags didn't advertise // an ACL mode at all. This is the case for Consul versions before v1.4.0 and - // should be treated similarly to ACLModeLegacy. + // should be treated the same as ACLModeLegacy. ACLModeUnknown MemberACLMode = "3" ) @@ -244,8 +244,6 @@ func (m *AgentMember) ACLMode() MemberACLMode { return ACLModeDisabled case ACLModeEnabled: return ACLModeEnabled - case ACLModeLegacy: - return ACLModeLegacy default: return ACLModeUnknown } diff --git a/api/agent_test.go b/api/agent_test.go index 60d93600466b8..da97985d7e7d7 100644 --- a/api/agent_test.go +++ b/api/agent_test.go @@ -14,8 +14,6 @@ import ( "testing" "time" - "github.com/stretchr/testify/assert" - "github.com/hashicorp/serf/serf" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -2018,7 +2016,7 @@ func TestMemberACLMode(t *testing.T) { }, "legacy": { tagValue: "2", - expectedMode: ACLModeLegacy, + expectedMode: ACLModeUnknown, }, "unknown-3": { tagValue: "3", diff --git a/api/api_test.go b/api/api_test.go index 268105fc784eb..182627ee066ec 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -913,9 +913,8 @@ func TestAPI_Headers(t *testing.T) { policy = "read" } `)) - // ACL support is disabled + // Legacy ACL support is deprecated. require.Error(t, err) - require.Equal(t, "application/octet-stream", request.Header.Get("Content-Type")) _, _, err = c.Event().Fire(&UserEvent{ Name: "test", diff --git a/api/operator_license.go b/api/operator_license.go index 74eed3baa4d67..14c548b1a3549 100644 
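Review bot: The retained `ACLModeLegacy` constant is marked with a trailing `// DEPRECATED`, which neither `staticcheck` nor editors recognise; Go's convention is a `// Deprecated:` paragraph in the doc comment, and the `ACLModeUnknown` comment now reads circularly ("treated the same as ACLModeLegacy") once `ACLMode()` maps legacy itself to unknown. I would write `// ACLModeLegacy was advertised by members running the pre-1.4 legacy ACL mode.` followed by a blank `//` line and `// Deprecated: legacy ACLs are no longer supported; ACLMode() reports such members as ACLModeUnknown.`, and change the unknown constant's comment to `// should be treated as having no usable ACL mode.` Separately, the `TestAPI_Headers` hunk in api_test.go now only asserts that the legacy policy call errors and no longer checks the Content-Type header, so that part of the test no longer exercises header handling; issuing the request through a non-legacy endpoint would keep the original assertion meaningful.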
--- a/api/operator_license.go
+++ b/api/operator_license.go
@@ -30,9 +30,6 @@ type License struct { // no longer be used in any capacity TerminationTime time.Time `json:"termination_time"` - // Whether the license will ignore termination IgnoreTermination bool `json:"ignore_termination"` - // The product the license is valid for Product string `json:"product"`