From a89ffba2d4ce50a469e14eba6d1c0c06f23c9416 Mon Sep 17 00:00:00 2001
From: Mark Anderson
Date: Fri, 3 Dec 2021 10:20:25 -0800
Subject: [PATCH] Cross port of ent #1383 (#11726)

Cross port of ent #1383 "Reject non-default datacenter when making partitioned ACLs" On the OSS side this is a minor refactor to add some more checks that are only applicable to enterprise code.
Signed-off-by: Mark Anderson
---
 agent/consul/acl_endpoint.go | 14 ++++++--------
 agent/consul/acl_endpoint_oss.go | 15 +++++++++++++++
 agent/structs/acl_oss.go | 4 ++++
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/agent/consul/acl_endpoint.go b/agent/consul/acl_endpoint.go
index 0b58c23970..376278c835 100644
--- a/agent/consul/acl_endpoint.go
+++ b/agent/consul/acl_endpoint.go
@@ -700,9 +700,8 @@ func (a *ACL) tokenSetInternal(args *structs.ACLTokenSetRequest, reply *structs.
 
 token.SetHash(true)
 
- // validate the enterprise meta
- err = state.ACLTokenUpsertValidateEnterprise(token, accessorMatch)
- if err != nil {
+ // validate the enterprise specific fields
+ if err = a.tokenUpsertValidateEnterprise(token, accessorMatch); err != nil {
 return err
 }
 
@@ -1181,9 +1180,8 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 return err
 }
 
- // validate the enterprise meta
- err = state.ACLPolicyUpsertValidateEnterprise(policy, idMatch)
- if err != nil {
+ // validate the enterprise specific fields
+ if err = a.policyUpsertValidateEnterprise(policy, idMatch); err != nil {
 return err
 }
 
@@ -1543,8 +1541,8 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
 }
 }
 
- // validate the enterprise meta
- if err := state.ACLRoleUpsertValidateEnterprise(role, existing); err != nil {
+ // validate the enterprise specific fields
+ if err := a.roleUpsertValidateEnterprise(role, existing); err != nil {
 return err
 }
 
diff --git a/agent/consul/acl_endpoint_oss.go b/agent/consul/acl_endpoint_oss.go
index 6aac4629d3..80cb54c80d 100644
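Review bot: The validation call in the tokenSetInternal hunk no longer goes through the `state` handle that the removed line used, and the OSS wrapper added in acl_endpoint_oss.go fetches `a.srv.fsm.State()` again, so the check may run against a different store than the one `accessorMatch` was presumably read from, should the FSM's state be replaced in between. The same applies to the PolicySet hunk (`idMatch`) and the RoleSet hunk (`existing`). Consider threading the handle through, for example `if err = a.tokenUpsertValidateEnterprise(state, token, accessorMatch); err != nil {`, so that lookup and validation share one view. All three enclosing functions start and end outside their hunks, so where `state` is obtained is not visible here.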
--- a/agent/consul/acl_endpoint_oss.go
+++ b/agent/consul/acl_endpoint_oss.go
@@ -8,6 +8,21 @@ import (
 "github.com/hashicorp/consul/agent/structs"
 )
 
+func (a *ACL) tokenUpsertValidateEnterprise(token *structs.ACLToken, existing *structs.ACLToken) error {
+ state := a.srv.fsm.State()
+ return state.ACLTokenUpsertValidateEnterprise(token, existing)
+}
+
+func (a *ACL) policyUpsertValidateEnterprise(policy *structs.ACLPolicy, existing *structs.ACLPolicy) error {
+ state := a.srv.fsm.State()
+ return state.ACLPolicyUpsertValidateEnterprise(policy, existing)
+}
+
+func (a *ACL) roleUpsertValidateEnterprise(role *structs.ACLRole, existing *structs.ACLRole) error {
+ state := a.srv.fsm.State()
+ return state.ACLRoleUpsertValidateEnterprise(role, existing)
+}
+
 func (a *ACL) enterpriseAuthMethodTypeValidation(authMethodType string) error {
 return nil
 }
diff --git a/agent/structs/acl_oss.go b/agent/structs/acl_oss.go
index 353c682568..3a1457aad8 100644
--- a/agent/structs/acl_oss.go
+++ b/agent/structs/acl_oss.go
@@ -94,3 +94,7 @@ func (r *ACLRole) NodeIdentityList() []*ACLNodeIdentity {
 }
 return out
 }
+
+func IsValidPartitionAndDatacenter(meta EnterpriseMeta, datacenters []string, primaryDatacenter string) bool {
+ return true
+}
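Review bot: The three new methods on ACL carry no doc comments, and nothing in this `_oss` file tells a reader that they are the OSS half of an enterprise-specific check. A line on each such as `// tokenUpsertValidateEnterprise is the OSS implementation; it only delegates to the state store's ACLTokenUpsertValidateEnterprise.` (with the policy and role names substituted) would make it clear that this build adds no check of its own. That matters to anyone auditing which ACL writes are rejected in which build.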
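Review bot: IsValidPartitionAndDatacenter is exported, ignores all three parameters and returns true unconditionally, yet has no comment saying so. Shared code that calls it gets no enforcement in the OSS build, and a reader can only learn that by opening this file. Add a doc comment such as `// IsValidPartitionAndDatacenter is the OSS stub for an enterprise-only check and always returns true.` No caller or test for it appears in this patch, so it is worth confirming in the shared code that a true result is never treated as proof that the datacenter was actually checked.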