From c77e5747b1d0c2da050630931311050d2865a29c Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Wed, 29 Sep 2021 17:54:54 -0400 Subject: [PATCH] acl: remove EmbeddedPolicy This method is no longer. It only existed for legacy tokens, which are no longer supported. --- agent/consul/acl.go | 9 ------- agent/structs/acl.go | 35 --------------------------- agent/structs/acl_test.go | 50 --------------------------------------- 3 files changed, 94 deletions(-) diff --git a/agent/consul/acl.go b/agent/consul/acl.go index a5c4010f12..cc2c4375ab 100644 --- a/agent/consul/acl.go +++ b/agent/consul/acl.go @@ -100,10 +100,6 @@ func (id *missingIdentity) RoleIDs() []string { return nil } -func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy { - return nil -} - func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity { return nil } @@ -616,11 +612,6 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) ( ) if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 { - policy := identity.EmbeddedPolicy() - if policy != nil { - return []*structs.ACLPolicy{policy}, nil - } - // In this case the default policy will be all that is in effect. return nil, nil } diff --git a/agent/structs/acl.go b/agent/structs/acl.go index f4b944dafa..15edc47f26 100644 --- a/agent/structs/acl.go +++ b/agent/structs/acl.go @@ -95,7 +95,6 @@ type ACLIdentity interface { SecretToken() string PolicyIDs() []string RoleIDs() []string - EmbeddedPolicy() *ACLPolicy ServiceIdentityList() []*ACLServiceIdentity NodeIdentityList() []*ACLNodeIdentity IsExpired(asOf time.Time) bool @@ -425,36 +424,6 @@ func (t *ACLToken) UsesNonLegacyFields() bool { t.AuthMethod != "" } -func (t *ACLToken) EmbeddedPolicy() *ACLPolicy { - // DEPRECATED (ACL-Legacy-Compat) - // - // For legacy tokens with embedded rules this provides a way to map those - // rules to an ACLPolicy. This function can just return nil once legacy - // acl compatibility is no longer needed. - // - // Additionally for management tokens we must embed the policy rules - // as well - policy := &ACLPolicy{} - if t.Type == ACLTokenTypeManagement { - hasher := fnv.New128a() - policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement))) - policy.Name = "legacy-management" - policy.Rules = ACLPolicyGlobalManagement - policy.Syntax = acl.SyntaxCurrent - } else if t.Rules != "" || t.Type == ACLTokenTypeClient { - hasher := fnv.New128a() - policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules))) - policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID) - policy.Rules = t.Rules - policy.Syntax = acl.SyntaxLegacy - } else { - return nil - } - - policy.SetHash(true) - return policy -} - func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta { return &t.EnterpriseMeta } @@ -1799,10 +1768,6 @@ func (id *AgentMasterTokenIdentity) RoleIDs() []string { return nil } -func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy { - return nil -} - func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { return nil } diff --git a/agent/structs/acl_test.go b/agent/structs/acl_test.go index 64f59661e6..ec52edce0b 100644 --- a/agent/structs/acl_test.go +++ b/agent/structs/acl_test.go @@ -44,56 +44,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) { }) } -func TestStructs_ACLToken_EmbeddedPolicy(t *testing.T) { - - t.Run("No Rules", func(t *testing.T) { - - token := &ACLToken{} - require.Nil(t, token.EmbeddedPolicy()) - }) - - t.Run("Legacy Client", func(t *testing.T) { - - // None of the other fields should be considered - token := &ACLToken{ - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - policy := token.EmbeddedPolicy() - require.NotNil(t, policy) - require.NotEqual(t, "", policy.ID) - require.True(t, strings.HasPrefix(policy.Name, "legacy-policy-")) - require.Equal(t, token.Rules, policy.Rules) - require.Equal(t, policy.Syntax, acl.SyntaxLegacy) - require.NotNil(t, policy.Hash) - require.NotEqual(t, []byte{}, policy.Hash) - }) - - t.Run("Same Policy for Tokens with same Rules", func(t *testing.T) { - - token1 := &ACLToken{ - AccessorID: "f55b260c-5e05-418e-ab19-d421d1ab4b52", - SecretID: "b2165bac-7006-459b-8a72-7f549f0f06d6", - Description: "token 1", - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - token2 := &ACLToken{ - AccessorID: "09d1c059-961a-46bd-a2e4-76adebe35fa5", - SecretID: "65e98e67-9b29-470c-8ffa-7c5a23cc67c8", - Description: "token 2", - Type: ACLTokenTypeClient, - Rules: `acl = "read"`, - } - - policy1 := token1.EmbeddedPolicy() - policy2 := token2.EmbeddedPolicy() - require.Equal(t, policy1, policy2) - }) -} - func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) { cases := []struct {