acl: replace legacy Get and List RPCs with an error impl

These endpoints are being removed as part of the legacy ACL system.
3 years ago · abd9cd0e15
2 changed files with 4 additions and 193 deletions
--- a/agent/consul/acl_endpoint_legacy.go
+++ b/agent/consul/acl_endpoint_legacy.go
@ -6,10 +6,8 @@ import (

 	"github.com/armon/go-metrics"
 	"github.com/armon/go-metrics/prometheus"
-	"github.com/hashicorp/go-memdb"

 	"github.com/hashicorp/consul/acl"
-	"github.com/hashicorp/consul/agent/consul/state"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/lib"
 )
@ -141,94 +139,10 @@ func (a *ACL) Apply(args *structs.ACLRequest, reply *string) error {
 	return nil
 }

-// Get is used to retrieve a single ACL
-func (a *ACL) Get(args *structs.ACLSpecificRequest,
-	reply *structs.IndexedACLs) error {
-	if done, err := a.srv.ForwardRPC("ACL.Get", args, reply); done {
-		return err
-	}
-
-	// NOTE: This has no ACL check because legacy ACLs were managed with
-	// the secrets and therefore the argument to the Get request is
-	// authorization in and of itself.
-
-	// Verify we are allowed to serve this request
-	if !a.srv.config.ACLsEnabled {
-		return acl.ErrDisabled
-	}
-
-	return a.srv.blockingQuery(&args.QueryOptions,
-		&reply.QueryMeta,
-		func(ws memdb.WatchSet, state *state.Store) error {
-			index, token, err := state.ACLTokenGetBySecret(ws, args.ACL, nil)
-			if err != nil {
-				return err
-			}
-
-			// Converting an ACLToken to an ACL will return nil and an error
-			// (which we ignore) when it is unconvertible.
-			//
-			// This also means we won't have to check expiration times since
-			// any legacy tokens never had expiration times and no non-legacy
-			// tokens can be converted.
-
-			var acl *structs.ACL
-			if token != nil {
-				acl, _ = token.Convert()
-			}
-
-			reply.Index = index
-			if acl != nil {
-				reply.ACLs = structs.ACLs{acl}
-			} else {
-				reply.ACLs = nil
-			}
-			return nil
-		})
+func (a *ACL) Get(*structs.ACLSpecificRequest, *structs.IndexedACLs) error {
+	return fmt.Errorf("ACL.Get: the legacy ACL system has been removed")
 }

-// List is used to list all the ACLs
-func (a *ACL) List(args *structs.DCSpecificRequest,
-	reply *structs.IndexedACLs) error {
-	if done, err := a.srv.ForwardRPC("ACL.List", args, reply); done {
-		return err
-	}
-
-	// Verify we are allowed to serve this request
-	if !a.srv.config.ACLsEnabled {
-		return acl.ErrDisabled
-	}
-
-	// Verify token is permitted to list ACLs
-	// NOTES: Previously with legacy ACL there was no read-only ACL permissions
-	// and this check for ACLWrite is basically what it did before.
-	if authz, err := a.srv.ResolveToken(args.Token); err != nil {
-		return err
-	} else if authz.ACLWrite(nil) != acl.Allow {
-		return acl.ErrPermissionDenied
-	}
-
-	return a.srv.blockingQuery(&args.QueryOptions,
-		&reply.QueryMeta,
-		func(ws memdb.WatchSet, state *state.Store) error {
-			index, tokens, err := state.ACLTokenList(ws, false, true, "", "", "", nil, nil)
-			if err != nil {
-				return err
-			}
-
-			now := time.Now()
-
-			var acls structs.ACLs
-			for _, token := range tokens {
-				if token.IsExpired(now) {
-					continue
-				}
-				if acl, err := token.Convert(); err == nil && acl != nil {
-					acls = append(acls, acl)
-				}
-			}
-
-			reply.Index, reply.ACLs = index, acls
-			return nil
-		})
+func (a *ACL) List(*structs.DCSpecificRequest, *structs.IndexedACLs) error {
+	return fmt.Errorf("ACL.List: the legacy ACL system has been removed")
 }
--- a/agent/consul/acl_endpoint_test.go
+++ b/agent/consul/acl_endpoint_test.go
@ -275,40 +275,6 @@ func TestACLEndpoint_Apply_RootChange(t *testing.T) {
 	testutil.RequireErrorContains(t, err, "root ACL")
 }

-func TestACLEndpoint_Get(t *testing.T) {
-	if testing.Short() {
-		t.Skip("too slow for testing.Short")
-	}
-
-	t.Parallel()
-	_, srv, codec := testACLServerWithConfig(t, nil, false)
-	waitForLeaderEstablishment(t, srv)
-
-	arg := structs.ACLRequest{
-		Datacenter: "dc1",
-		Op:         structs.ACLSet,
-		ACL: structs.ACL{
-			Name: "User token",
-			Type: structs.ACLTokenTypeClient,
-		},
-		WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
-	}
-	var out string
-	err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out)
-	require.NoError(t, err)
-
-	getR := structs.ACLSpecificRequest{
-		Datacenter: "dc1",
-		ACL:        out,
-	}
-	var acls structs.IndexedACLs
-	err = msgpackrpc.CallWithCodec(codec, "ACL.Get", &getR, &acls)
-	require.NoError(t, err)
-	require.NotEqual(t, uint64(0), acls.Index)
-	require.Len(t, acls.ACLs, 1)
-	require.Equal(t, out, acls.ACLs[0].ID)
-}
-
 func TestACLEndpoint_GetPolicy(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
@ -378,75 +344,6 @@ func TestACLEndpoint_GetPolicy_Management(t *testing.T) {
 	require.Equal(t, "manage", resp.Parent)
 }

-func TestACLEndpoint_List(t *testing.T) {
-	if testing.Short() {
-		t.Skip("too slow for testing.Short")
-	}
-
-	t.Parallel()
-	_, srv, codec := testACLServerWithConfig(t, nil, false)
-	waitForLeaderEstablishment(t, srv)
-	var expectedIDs []string
-
-	for i := 0; i < 5; i++ {
-		arg := structs.ACLRequest{
-			Datacenter: "dc1",
-			Op:         structs.ACLSet,
-			ACL: structs.ACL{
-				Name: "User token",
-				Type: structs.ACLTokenTypeClient,
-			},
-			WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
-		}
-		var out string
-		err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out)
-		require.NoError(t, err)
-		expectedIDs = append(expectedIDs, out)
-	}
-
-	getR := structs.DCSpecificRequest{
-		Datacenter:   "dc1",
-		QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
-	}
-	var acls structs.IndexedACLs
-	err := msgpackrpc.CallWithCodec(codec, "ACL.List", &getR, &acls)
-	require.NoError(t, err)
-	require.NotEqual(t, uint64(0), acls.Index)
-
-	// 5  + master
-	require.Len(t, acls.ACLs, 6)
-	var actualIDs []string
-	for i := 0; i < len(acls.ACLs); i++ {
-		s := acls.ACLs[i]
-		if s.ID == anonymousToken || s.ID == TestDefaultMasterToken {
-			continue
-		}
-
-		require.Equal(t, "User token", s.Name)
-
-		actualIDs = append(actualIDs, s.ID)
-	}
-
-	require.ElementsMatch(t, expectedIDs, actualIDs)
-}
-
-func TestACLEndpoint_List_Denied(t *testing.T) {
-	if testing.Short() {
-		t.Skip("too slow for testing.Short")
-	}
-
-	t.Parallel()
-	_, srv, codec := testACLServerWithConfig(t, nil, false)
-	waitForLeaderEstablishment(t, srv)
-
-	getR := structs.DCSpecificRequest{
-		Datacenter: "dc1",
-	}
-	var acls structs.IndexedACLs
-	err := msgpackrpc.CallWithCodec(codec, "ACL.List", &getR, &acls)
-	require.True(t, acl.IsErrPermissionDenied(err), "Err %v is not an acl.ErrPermissionDenied", err)
-}
-
 func TestACLEndpoint_ReplicationStatus(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")