From 80d13d500bb553406c09c4317c3580c44e87a1de Mon Sep 17 00:00:00 2001
From: Matt Keeler
Date: Wed, 18 Dec 2019 13:44:32 -0500
Subject: [PATCH] Miscellaneous acl package cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
• Renamed EnterpriseACLConfig to just Config
• Removed chained_authorizer_oss.go as it was empty
• Renamed acl.go to errors.go to more closely describe its contents
---
acl/acl_oss.go | 6 ++--
acl/authorizer.go | 4 +--
acl/authorizer_oss.go | 6 ++--
acl/chained_authorizer_oss.go | 3 --
acl/{acl.go => errors.go} | 0
acl/policy.go | 8 ++---
acl/policy_authorizer.go | 4 +--
acl/policy_authorizer_oss.go | 6 ++--
acl/policy_oss.go | 6 ++--
acl/static_authorizer.go | 60 +++++++++++++++++------------------
agent/acl_test.go | 2 +-
agent/consul/acl.go | 4 +--
agent/consul/acl_oss.go | 2 +-
agent/consul/server.go | 2 +-
agent/structs/acl.go | 6 ++--
15 files changed, 58 insertions(+), 61 deletions(-)
delete mode 100644 acl/chained_authorizer_oss.go
rename acl/{acl.go => errors.go} (100%)
diff --git a/acl/acl_oss.go b/acl/acl_oss.go
index 3da5d7b29c..b9bc60ab64 100644
--- a/acl/acl_oss.go
+++ b/acl/acl_oss.go
@@ -2,7 +2,7 @@ package acl
-// EnterpriseACLConfig stub
-type EnterpriseACLConfig struct{}
+// Config stub
+type Config struct{}
-func (_ *EnterpriseACLConfig) Close() {}
+func (_ *Config) Close() {}
diff --git a/acl/authorizer.go b/acl/authorizer.go
index 9c25f09d25..fe5a1f68a8 100644
--- a/acl/authorizer.go
+++ b/acl/authorizer.go
@@ -145,7 +145,7 @@ type Authorizer interface { Snapshot(*AuthorizerContext) EnforcementDecision // Embedded Interface for Consul Enterprise specific ACL enforcement
- EnterpriseAuthorizer
+ enterpriseAuthorizer
} func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx *AuthorizerContext) (EnforcementDecision, error) {
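Review bot: The exported `Authorizer` interface now embeds the unexported `enterpriseAuthorizer`, and nothing in the hunk says whether the resulting sealing is intended. In the OSS stub touched by this same patch the embed is the empty `interface{}`, so every type still satisfies `Authorizer` there; but whenever that interface carries methods (presumably in the enterprise build, which is not visible here) no package outside `acl` can implement `Authorizer` at all. If that is the goal, state it next to the embed, e.g. `// enterpriseAuthorizer is unexported on purpose: Authorizer may only be implemented inside package acl.`; if it is not, the embed should remain exported. The `Enforce` function starting on the hunk's last line continues outside the hunk.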
@@ -234,7 +234,7 @@ func Enforce(authz Authorizer, rsc Resource, segment string, access string, ctx return authz.SessionWrite(segment, ctx), nil } default:
- if processed, decision, err := EnforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
+ if processed, decision, err := enforceEnterprise(authz, rsc, segment, lowerAccess, ctx); processed {
return decision, err } return Deny, fmt.Errorf("Invalid ACL resource requested: %q", rsc)
diff --git a/acl/authorizer_oss.go b/acl/authorizer_oss.go
index c2e9775300..cf33ea268f 100644
--- a/acl/authorizer_oss.go
+++ b/acl/authorizer_oss.go
@@ -5,9 +5,9 @@ package acl // AuthorizerContext stub type AuthorizerContext struct{}
-// EnterpriseAuthorizer stub interface
-type EnterpriseAuthorizer interface{}
+// enterpriseAuthorizer stub interface
+type enterpriseAuthorizer interface{}
-func EnforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
+func enforceEnterprise(_ Authorizer, _ Resource, _ string, _ string, _ *AuthorizerContext) (bool, EnforcementDecision, error) {
return false, Deny, nil }
diff --git a/acl/chained_authorizer_oss.go b/acl/chained_authorizer_oss.go
deleted file mode 100644
index fd5160ee6d..0000000000
--- a/acl/chained_authorizer_oss.go
+++ /dev/null
@@ -1,3 +0,0 @@
-// +build !consulent
-
-package acl
diff --git a/acl/acl.go b/acl/errors.go
similarity index 100%
rename from acl/acl.go
rename to acl/errors.go
diff --git a/acl/policy.go b/acl/policy.go
index 541f8bfd28..8181794f0d 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -161,7 +161,7 @@ func isPolicyValid(policy string, allowList bool) bool { return true }
-func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error {
+func (pr *PolicyRules) Validate(conf *Config) error {
// Validate the acl policy - this one is allowed to be empty if pr.ACL != "" && !isPolicyValid(pr.ACL, false) { return fmt.Errorf("Invalid acl policy: %#v", pr.ACL)
@@ -288,7 +288,7 @@ func (pr *PolicyRules) Validate(conf *EnterpriseACLConfig) error { return nil }
-func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
+func parseCurrent(rules string, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
p, err := decodeRules(rules, conf, meta) if err != nil { return nil, err
@@ -305,7 +305,7 @@ func parseCurrent(rules string, conf *EnterpriseACLConfig, meta *EnterprisePolic return p, nil }
-func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) {
+func parseLegacy(rules string, conf *Config) (*Policy, error) {
p := &Policy{} type LegacyPolicy struct {
@@ -422,7 +422,7 @@ func parseLegacy(rules string, conf *EnterpriseACLConfig) (*Policy, error) { // NewPolicyFromSource is used to parse the specified ACL rules into an // intermediary set of policies, before being compiled into // the ACL
-func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *EnterpriseACLConfig, meta *EnterprisePolicyMeta) (*Policy, error) {
+func NewPolicyFromSource(id string, revision uint64, rules string, syntax SyntaxVersion, conf *Config, meta *EnterprisePolicyMeta) (*Policy, error) {
if rules == "" { // Hot path for empty source return &Policy{ID: id, Revision: revision}, nil
diff --git a/acl/policy_authorizer.go b/acl/policy_authorizer.go
index 4aeec2c789..d446301f3e 100644
--- a/acl/policy_authorizer.go
+++ b/acl/policy_authorizer.go
@@ -313,13 +313,13 @@ func (p *policyAuthorizer) loadRules(policy *PolicyRules) error { return nil }
-func newPolicyAuthorizer(policies []*Policy, ent *EnterpriseACLConfig) (Authorizer, error) {
+func newPolicyAuthorizer(policies []*Policy, ent *Config) (Authorizer, error) {
policy := MergePolicies(policies) return newPolicyAuthorizerFromRules(&policy.PolicyRules, ent) }
-func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *EnterpriseACLConfig) (Authorizer, error) {
+func newPolicyAuthorizerFromRules(rules *PolicyRules, ent *Config) (Authorizer, error) {
p := &policyAuthorizer{ agentRules: radix.New(), intentionRules: radix.New(),
diff --git a/acl/policy_authorizer_oss.go b/acl/policy_authorizer_oss.go
index 44e36fc9d4..0e1c20f075 100644
--- a/acl/policy_authorizer_oss.go
+++ b/acl/policy_authorizer_oss.go
@@ -5,7 +5,7 @@ package acl // enterprisePolicyAuthorizer stub type enterprisePolicyAuthorizer struct{}
-func (authz *enterprisePolicyAuthorizer) init(*EnterpriseACLConfig) {
+func (authz *enterprisePolicyAuthorizer) init(*Config) {
// nothing to do }
@@ -14,13 +14,13 @@ func (authz *enterprisePolicyAuthorizer) enforce(_ *EnterpriseRule, _ *Authorize } // NewPolicyAuthorizer merges the policies and returns an Authorizer that will enforce them
-func NewPolicyAuthorizer(policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
+func NewPolicyAuthorizer(policies []*Policy, entConfig *Config) (Authorizer, error) {
return newPolicyAuthorizer(policies, entConfig) } // NewPolicyAuthorizerWithDefaults will actually created a ChainedAuthorizer with // the policies compiled into one Authorizer and the backup policy of the defaultAuthz
-func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *EnterpriseACLConfig) (Authorizer, error) {
+func NewPolicyAuthorizerWithDefaults(defaultAuthz Authorizer, policies []*Policy, entConfig *Config) (Authorizer, error) {
authz, err := newPolicyAuthorizer(policies, entConfig) if err != nil { return nil, err
diff --git a/acl/policy_oss.go b/acl/policy_oss.go
index 950867ccf2..4a4fc84db3 100644
--- a/acl/policy_oss.go
+++ b/acl/policy_oss.go
@@ -14,7 +14,7 @@ type EnterprisePolicyMeta struct{} // EnterpriseRule stub type EnterpriseRule struct{}
-func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error {
+func (r *EnterpriseRule) Validate(string, *Config) error {
// nothing to validate return nil }
@@ -22,12 +22,12 @@ func (r *EnterpriseRule) Validate(string, *EnterpriseACLConfig) error { // EnterprisePolicyRules stub type EnterprisePolicyRules struct{}
-func (r *EnterprisePolicyRules) Validate(*EnterpriseACLConfig) error {
+func (r *EnterprisePolicyRules) Validate(*Config) error {
// nothing to validate return nil }
-func decodeRules(rules string, _ *EnterpriseACLConfig, _ *EnterprisePolicyMeta) (*Policy, error) {
+func decodeRules(rules string, _ *Config, _ *EnterprisePolicyMeta) (*Policy, error) {
p := &Policy{} if err := hcl.Decode(p, rules); err != nil {
diff --git a/acl/static_authorizer.go b/acl/static_authorizer.go
index 0befd7c8ea..7691033173 100644
--- a/acl/static_authorizer.go
+++ b/acl/static_authorizer.go
@@ -3,13 +3,13 @@ package acl var ( // allowAll is a singleton policy which allows all // non-management actions
- allowAll Authorizer = &StaticAuthorizer{
+ allowAll Authorizer = &staticAuthorizer{
allowManage: false, defaultAllow: true, } // denyAll is a singleton policy which denies all actions
- denyAll Authorizer = &StaticAuthorizer{
+ denyAll Authorizer = &staticAuthorizer{
allowManage: false, defaultAllow: false, }
@@ -18,7 +18,7 @@ var ( // actions, including management // TODO (acls) - Do we need to keep this around? Our config parsing doesn't allow // specifying a default "manage" policy so I believe nothing will every use this.
- manageAll Authorizer = &StaticAuthorizer{
+ manageAll Authorizer = &staticAuthorizer{
allowManage: true, defaultAllow: true, }
@@ -27,187 +27,187 @@ var ( // StaticAuthorizer is used to implement a base ACL policy. It either // allows or denies all requests. This can be used as a parent // ACL to act in a blacklist or whitelist mode.
-type StaticAuthorizer struct {
+type staticAuthorizer struct {
allowManage bool defaultAllow bool }
-func (s *StaticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
if s.allowManage { return Allow } return Deny }
-func (s *StaticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
if s.allowManage { return Allow } return Deny }
-func (s *StaticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) IntentionRead(string, 
*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) 
NodeWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
if s.defaultAllow { return Allow } return Deny }
-func (s *StaticAuthorizer) Snapshot(_ 
*AuthorizerContext) EnforcementDecision {
+func (s *staticAuthorizer) Snapshot(_ *AuthorizerContext) EnforcementDecision {
if s.allowManage { return Allow }
diff --git a/agent/acl_test.go b/agent/acl_test.go
index aae317f0b1..d7c10c2c35 100644
--- a/agent/acl_test.go
+++ b/agent/acl_test.go
@@ -223,7 +223,7 @@ func TestACL_RootAuthorizersDenied(t *testing.T) { require.True(t, acl.IsErrRootDenied(err)) }
-func authzFromPolicy(policy *acl.Policy, cfg *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
+func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, cfg) }
diff --git a/agent/consul/acl.go b/agent/consul/acl.go
index f1fdf46f42..43ce8be434 100644
--- a/agent/consul/acl.go
+++ b/agent/consul/acl.go
@@ -130,7 +130,7 @@ type ACLResolverConfig struct { AutoDisable bool // EnterpriseACLConfig contains Consul Enterprise specific ACL configuration
- EnterpriseConfig *acl.EnterpriseACLConfig
+ EnterpriseConfig *acl.Config
} // ACLResolver is the type to handle all your token and policy resolution needs.
@@ -163,7 +163,7 @@ type ACLResolver struct { logger *log.Logger delegate ACLResolverDelegate
- entConf *acl.EnterpriseACLConfig
+ entConf *acl.Config
cache *structs.ACLCaches identityGroup singleflight.Group
diff --git a/agent/consul/acl_oss.go b/agent/consul/acl_oss.go
index eb87d8e0ba..4b2451d1e1 100644
--- a/agent/consul/acl_oss.go
+++ b/agent/consul/acl_oss.go
@@ -16,7 +16,7 @@ func (s *Server) replicationEnterpriseMeta() *structs.EnterpriseMeta { return structs.ReplicationEnterpriseMeta() }
-func newEnterpriseACLConfig(*log.Logger) *acl.EnterpriseACLConfig {
+func newEnterpriseACLConfig(*log.Logger) *acl.Config {
return nil }
diff --git a/agent/consul/server.go b/agent/consul/server.go
index 659fe9117c..2c2c9a7207 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
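Review bot: The doc comment at the top of the hunk still reads `// StaticAuthorizer is used to implement a base ACL policy.` while the type it describes is now `staticAuthorizer`, so the comment no longer attaches to the name and linters will flag it; change it to `// staticAuthorizer is used to implement a base ACL policy.`. While there, the two flags deserve a line each, because the hunk shows that `ACLRead`, `ACLWrite` and `Snapshot` answer from `allowManage` while every other method answers from `defaultAllow`, which is exactly why `allowAll` grants all resource access yet still denies ACL and snapshot operations: `allowManage bool // gates ACL read/write and Snapshot (management operations)` and `defaultAllow bool // gates every other resource`. The body of `Snapshot` continues past the end of the hunk.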
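Review bot: In the `ACLResolverConfig` hunk the comment above the renamed field still says `// EnterpriseACLConfig contains Consul Enterprise specific ACL configuration`, a name that matches neither the field `EnterpriseConfig` nor its new type `acl.Config`, so godoc and linters will treat it as a stray comment. Replace it with `// EnterpriseConfig contains the Consul Enterprise specific ACL configuration; nil when no enterprise configuration is provided.`, the nil wording being justified by the OSS `newEnterpriseACLConfig` in this same patch, which returns nil. The `ACLResolverConfig` struct starts and ends outside the hunk.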
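Review bot: `newEnterpriseACLConfig` returns a nil `*acl.Config` with no comment saying that nil is the expected OSS value, so every consumer of the resolver's `entConf` and the server's `enterpriseACLConfig` must tolerate a nil pointer; the OSS `Close` in this patch ignores its receiver and is therefore nil-safe, but any method added to `Config` later would have to be written with that in mind. Add `// newEnterpriseACLConfig returns nil in OSS builds; a nil *acl.Config is the expected value and all callers must accept it.` above the function. The name also keeps the old `EnterpriseACLConfig` wording after the type was renamed to `Config`, which is worth aligning in a follow-up if the enterprise counterpart is renamed too.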
@@ -110,7 +110,7 @@ var ( type Server struct { // enterpriseACLConfig is the Consul Enterprise specific items // necessary for ACLs
- enterpriseACLConfig *acl.EnterpriseACLConfig
+ enterpriseACLConfig *acl.Config
// acls is used to resolve tokens to effective policies acls *ACLResolver
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 7dfae67538..8e2cff4586 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
@@ -696,7 +696,7 @@ func (policies ACLPolicyListStubs) Sort() { }) }
-func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) ([]*acl.Policy, error) {
+func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Config) ([]*acl.Policy, error) {
// Parse the policies parsed := make([]*acl.Policy, 0, len(policies)) for _, policy := range policies {
@@ -721,7 +721,7 @@ func (policies ACLPolicies) resolveWithCache(cache *ACLCaches, entConf *acl.Ente return parsed, nil }
-func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (acl.Authorizer, error) {
+func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.Config) (acl.Authorizer, error) {
// Determine the cache key cacheKey := policies.HashKey() entry := cache.GetAuthorizer(cacheKey)
@@ -746,7 +746,7 @@ func (policies ACLPolicies) Compile(cache *ACLCaches, entConf *acl.EnterpriseACL return authorizer, nil }
-func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.EnterpriseACLConfig) (*acl.Policy, error) {
+func (policies ACLPolicies) Merge(cache *ACLCaches, entConf *acl.Config) (*acl.Policy, error) {
parsed, err := policies.resolveWithCache(cache, entConf) if err != nil { return nil, err