Fix some minor issues.

2023-07-31 12:11:25 -07:00 · 2023-07-31 12:11:25 -07:00 · 209e57afb6
parent 75552a98c3
commit 209e57afb6
5 changed files with 66 additions and 80 deletions
--- a/acl/validation.go
+++ b/acl/validation.go
@ -17,7 +17,7 @@ const (
 var (
 	validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
 	validNodeIdentityName    = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
-	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$`)
+	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
 	validRoleName            = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
 	validAuthMethodName      = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
 )
--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@ -886,7 +886,7 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 	if existing != nil {
 		if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 			// Only the name and description are modifiable
-			// Here we specifically check that the rules on the global management policy
+			// Here we specifically check that the rules on the builtin policy
 			// are identical to the correct policy rules within the binary. This is opposed
 			// to checking against the current rules to allow us to update the rules during
 			// upgrades.
--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
@ -35,6 +35,12 @@ func setupGlobalManagement(t *testing.T, s *Store) {
 	require.NoError(t, s.ACLPolicySet(1, &policy))
 }

+func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
+	policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
+	policy.SetHash(true)
+	require.NoError(t, s.ACLPolicySet(2, &policy))
+}
+
 func setupAnonymous(t *testing.T, s *Store) {
 	token := structs.ACLToken{
 		AccessorID:  acl.AnonymousTokenID,
@ -48,6 +54,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)
 	setupAnonymous(t, s)
 	return s
 }
@ -179,6 +186,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {

 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)

 	canBootstrap, index, err := s.CanBootstrapACLToken()
 	require.NoError(t, err)
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@ -45,87 +45,65 @@ const (

 	// This policy gives unlimited access to everything. Users
 	// may rename if desired but cannot delete or modify the rules.
-	ACLPolicyGlobalManagementID    = "00000000-0000-0000-0000-000000000001"
-	ACLPolicyGlobalManagementName  = "global-management"
-	ACLPolicyGlobalManagementDesc  = "Builtin Policy that grants unlimited access"
-	ACLPolicyGlobalManagementRules = `
-acl = "write"
-agent_prefix "" {
-	policy = "write"
-}
-event_prefix "" {
-	policy = "write"
-}
-key_prefix "" {
-	policy = "write"
-}
-keyring = "write"
-node_prefix "" {
-	policy = "write"
-}
-operator = "write"
-mesh = "write"
-peering = "write"
-query_prefix "" {
-	policy = "write"
-}
-service_prefix "" {
-	policy = "write"
-	intentions = "write"
-}
-session_prefix "" {
-	policy = "write"
-}` + EnterpriseACLPolicyGlobalManagement
+	ACLPolicyGlobalManagementID   = "00000000-0000-0000-0000-000000000001"
+	ACLPolicyGlobalManagementName = "global-management"
+	ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"

-	ACLPolicyGlobalReadOnlyID    = "00000000-0000-0000-0000-000000000002"
-	ACLPolicyGlobalReadOnlyName  = "builtin/global-read-only"
-	ACLPolicyGlobalReadOnlyDesc  = "Builtin Policy that grants unlimited read-only access to all components"
-	ACLPolicyGlobalReadOnlyRules = `
-acl = "read"
-agent_prefix "" {
-	policy = "read"
-}
-event_prefix "" {
-	policy = "read"
-}
-key_prefix "" {
-	policy = "read"
-}
-keyring = "read"
-node_prefix "" {
-	policy = "read"
-}
-operator = "read"
-mesh = "read"
-peering = "read"
-query_prefix "" {
-	policy = "read"
-}
-service_prefix "" {
-	policy = "read"
-	intentions = "read"
-}
-session_prefix "" {
-	policy = "read"
-}` + EnterpriseACLPolicyGlobalReadOnly
+	ACLPolicyGlobalReadOnlyID   = "00000000-0000-0000-0000-000000000002"
+	ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
+	ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"

 	ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+
+	aclPolicyGlobalRulesTemplate = `
+acl = "###"
+agent_prefix "" {
+	policy = "###"
+}
+event_prefix "" {
+	policy = "###"
+}
+key_prefix "" {
+	policy = "###"
+}
+keyring = "###"
+node_prefix "" {
+	policy = "###"
+}
+operator = "###"
+mesh = "###"
+peering = "###"
+query_prefix "" {
+	policy = "###"
+}
+service_prefix "" {
+	policy = "###"
+	intentions = "###"
+}
+session_prefix "" {
+	policy = "###"
+}`
 )

-var ACLBuiltinPolicies = map[string]ACLPolicy{
-	ACLPolicyGlobalManagementID: {
-		ID:          ACLPolicyGlobalManagementID,
-		Name:        ACLPolicyGlobalManagementName,
-		Description: ACLPolicyGlobalManagementDesc,
-		Rules:       ACLPolicyGlobalManagementRules,
-	},
-	ACLPolicyGlobalReadOnlyID: {
-		ID:          ACLPolicyGlobalReadOnlyID,
-		Name:        ACLPolicyGlobalReadOnlyName,
-		Description: ACLPolicyGlobalReadOnlyDesc,
-		Rules:       ACLPolicyGlobalReadOnlyRules,
-	},
-}
+var (
+	ACLPolicyGlobalReadOnlyRules   = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "read") + EnterpriseACLPolicyGlobalReadOnly
+	ACLPolicyGlobalManagementRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "write") + EnterpriseACLPolicyGlobalManagement
+
+	ACLBuiltinPolicies = map[string]ACLPolicy{
+		ACLPolicyGlobalManagementID: {
+			ID:          ACLPolicyGlobalManagementID,
+			Name:        ACLPolicyGlobalManagementName,
+			Description: ACLPolicyGlobalManagementDesc,
+			Rules:       ACLPolicyGlobalManagementRules,
+		},
+		ACLPolicyGlobalReadOnlyID: {
+			ID:          ACLPolicyGlobalReadOnlyID,
+			Name:        ACLPolicyGlobalReadOnlyName,
+			Description: ACLPolicyGlobalReadOnlyDesc,
+			Rules:       ACLPolicyGlobalReadOnlyRules,
+		},
+	}
+)

 func ACLIDReserved(id string) bool {
 	return strings.HasPrefix(id, ACLReservedIDPrefix)
--- a/website/content/docs/security/acl/acl-policies.mdx
+++ b/website/content/docs/security/acl/acl-policies.mdx
@ -391,11 +391,11 @@ New installations of Consul ship with the following built-in policies.

 ### Global Management

-The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.

 ### Global Read-Only

-The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.

 ### Namespace Management <EnterpriseAlert inline />