Fix some minor issues.

2023-07-31 12:11:25 -07:00 · 2023-07-31 12:11:25 -07:00 · 209e57afb6
parent 75552a98c3
commit 209e57afb6
5 changed files with 66 additions and 80 deletions
--- a/acl/validation.go
+++ b/acl/validation.go
@ -17,7 +17,7 @@ const (
 var (
 	validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
 	validNodeIdentityName    = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
-	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$`)
+	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
 	validRoleName            = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
 	validAuthMethodName      = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
 )
--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@ -886,7 +886,7 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 	if existing != nil {
 		if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 			// Only the name and description are modifiable
-			// Here we specifically check that the rules on the global management policy
+			// Here we specifically check that the rules on the builtin policy
 			// are identical to the correct policy rules within the binary. This is opposed
 			// to checking against the current rules to allow us to update the rules during
 			// upgrades.
--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
@ -35,6 +35,12 @@ func setupGlobalManagement(t *testing.T, s *Store) {
 	require.NoError(t, s.ACLPolicySet(1, &policy))
 }
 func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
 	policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
 	policy.SetHash(true)
 	require.NoError(t, s.ACLPolicySet(2, &policy))
 }
 func setupAnonymous(t *testing.T, s *Store) {
 	token := structs.ACLToken{
 		AccessorID:  acl.AnonymousTokenID,
@ -48,6 +54,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
 	setupBuiltinGlobalReadOnly(t, s)
 	setupAnonymous(t, s)
 	return s
 }
@ -179,6 +186,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
 	setupBuiltinGlobalReadOnly(t, s)
 	canBootstrap, index, err := s.CanBootstrapACLToken()
 	require.NoError(t, err)
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@ -45,87 +45,65 @@ const (
 	// This policy gives unlimited access to everything. Users
 	// may rename if desired but cannot delete or modify the rules.
-	ACLPolicyGlobalManagementID    = "00000000-0000-0000-0000-000000000001"
+	ACLPolicyGlobalManagementID   = "00000000-0000-0000-0000-000000000001"
-	ACLPolicyGlobalManagementName  = "global-management"
+	ACLPolicyGlobalManagementName = "global-management"
-	ACLPolicyGlobalManagementDesc  = "Builtin Policy that grants unlimited access"
+	ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
 	ACLPolicyGlobalManagementRules = `
 acl = "write"
 agent_prefix "" {
 	policy = "write"
 }
 event_prefix "" {
 	policy = "write"
 }
 key_prefix "" {
 	policy = "write"
 }
 keyring = "write"
 node_prefix "" {
 	policy = "write"
 }
 operator = "write"
 mesh = "write"
 peering = "write"
 query_prefix "" {
 	policy = "write"
 }
 service_prefix "" {
 	policy = "write"
 	intentions = "write"
 }
 session_prefix "" {
 	policy = "write"
 }` + EnterpriseACLPolicyGlobalManagement
-	ACLPolicyGlobalReadOnlyID    = "00000000-0000-0000-0000-000000000002"
+	ACLPolicyGlobalReadOnlyID   = "00000000-0000-0000-0000-000000000002"
-	ACLPolicyGlobalReadOnlyName  = "builtin/global-read-only"
+	ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
-	ACLPolicyGlobalReadOnlyDesc  = "Builtin Policy that grants unlimited read-only access to all components"
+	ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
 	ACLPolicyGlobalReadOnlyRules = `
 acl = "read"
 agent_prefix "" {
 	policy = "read"
 }
 event_prefix "" {
 	policy = "read"
 }
 key_prefix "" {
 	policy = "read"
 }
 keyring = "read"
 node_prefix "" {
 	policy = "read"
 }
 operator = "read"
 mesh = "read"
 peering = "read"
 query_prefix "" {
 	policy = "read"
 }
 service_prefix "" {
 	policy = "read"
 	intentions = "read"
 }
 session_prefix "" {
 	policy = "read"
 }` + EnterpriseACLPolicyGlobalReadOnly
 	ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
 	aclPolicyGlobalRulesTemplate = `
 acl = "###"
 agent_prefix "" {
 	policy = "###"
 }
 event_prefix "" {
 	policy = "###"
 }
 key_prefix "" {
 	policy = "###"
 }
 keyring = "###"
 node_prefix "" {
 	policy = "###"
 }
 operator = "###"
 mesh = "###"
 peering = "###"
 query_prefix "" {
 	policy = "###"
 }
 service_prefix "" {
 	policy = "###"
 	intentions = "###"
 }
 session_prefix "" {
 	policy = "###"
 }`
 )
-var ACLBuiltinPolicies = map[string]ACLPolicy{
+var (
-	ACLPolicyGlobalManagementID: {
+	ACLPolicyGlobalReadOnlyRules   = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "read") + EnterpriseACLPolicyGlobalReadOnly
-		ID:          ACLPolicyGlobalManagementID,
+	ACLPolicyGlobalManagementRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "write") + EnterpriseACLPolicyGlobalManagement
-		Name:        ACLPolicyGlobalManagementName,
+
-		Description: ACLPolicyGlobalManagementDesc,
+	ACLBuiltinPolicies = map[string]ACLPolicy{
-		Rules:       ACLPolicyGlobalManagementRules,
+		ACLPolicyGlobalManagementID: {
-	},
+			ID:          ACLPolicyGlobalManagementID,
-	ACLPolicyGlobalReadOnlyID: {
+			Name:        ACLPolicyGlobalManagementName,
-		ID:          ACLPolicyGlobalReadOnlyID,
+			Description: ACLPolicyGlobalManagementDesc,
-		Name:        ACLPolicyGlobalReadOnlyName,
+			Rules:       ACLPolicyGlobalManagementRules,
-		Description: ACLPolicyGlobalReadOnlyDesc,
+		},
-		Rules:       ACLPolicyGlobalReadOnlyRules,
+		ACLPolicyGlobalReadOnlyID: {
-	},
+			ID:          ACLPolicyGlobalReadOnlyID,
-}
+			Name:        ACLPolicyGlobalReadOnlyName,
 			Description: ACLPolicyGlobalReadOnlyDesc,
 			Rules:       ACLPolicyGlobalReadOnlyRules,
 		},
 	}
 )
 func ACLIDReserved(id string) bool {
 	return strings.HasPrefix(id, ACLReservedIDPrefix)
--- a/website/content/docs/security/acl/acl-policies.mdx
+++ b/website/content/docs/security/acl/acl-policies.mdx
@ -391,11 +391,11 @@ New installations of Consul ship with the following built-in policies.
 ### Global Management
-The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 ### Global Read-Only
-The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 ### Namespace Management <EnterpriseAlert inline />