acl: remove EmbeddedPolicy

This method is no longer. It only existed for legacy tokens, which are no longer supported.
pull/11184/head
Daniel Nephin 3 years ago
parent 121431bf17
commit c77e5747b1

@ -100,10 +100,6 @@ func (id *missingIdentity) RoleIDs() []string {
return nil return nil
} }
func (id *missingIdentity) EmbeddedPolicy() *structs.ACLPolicy {
return nil
}
func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity { func (id *missingIdentity) ServiceIdentityList() []*structs.ACLServiceIdentity {
return nil return nil
} }
@ -616,11 +612,6 @@ func (r *ACLResolver) resolvePoliciesForIdentity(identity structs.ACLIdentity) (
) )
if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 { if len(policyIDs) == 0 && len(serviceIdentities) == 0 && len(roleIDs) == 0 && len(nodeIdentities) == 0 {
policy := identity.EmbeddedPolicy()
if policy != nil {
return []*structs.ACLPolicy{policy}, nil
}
// In this case the default policy will be all that is in effect. // In this case the default policy will be all that is in effect.
return nil, nil return nil, nil
} }

@ -95,7 +95,6 @@ type ACLIdentity interface {
SecretToken() string SecretToken() string
PolicyIDs() []string PolicyIDs() []string
RoleIDs() []string RoleIDs() []string
EmbeddedPolicy() *ACLPolicy
ServiceIdentityList() []*ACLServiceIdentity ServiceIdentityList() []*ACLServiceIdentity
NodeIdentityList() []*ACLNodeIdentity NodeIdentityList() []*ACLNodeIdentity
IsExpired(asOf time.Time) bool IsExpired(asOf time.Time) bool
@ -425,36 +424,6 @@ func (t *ACLToken) UsesNonLegacyFields() bool {
t.AuthMethod != "" t.AuthMethod != ""
} }
func (t *ACLToken) EmbeddedPolicy() *ACLPolicy {
// DEPRECATED (ACL-Legacy-Compat)
//
// For legacy tokens with embedded rules this provides a way to map those
// rules to an ACLPolicy. This function can just return nil once legacy
// acl compatibility is no longer needed.
//
// Additionally for management tokens we must embed the policy rules
// as well
policy := &ACLPolicy{}
if t.Type == ACLTokenTypeManagement {
hasher := fnv.New128a()
policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(ACLPolicyGlobalManagement)))
policy.Name = "legacy-management"
policy.Rules = ACLPolicyGlobalManagement
policy.Syntax = acl.SyntaxCurrent
} else if t.Rules != "" || t.Type == ACLTokenTypeClient {
hasher := fnv.New128a()
policy.ID = fmt.Sprintf("%x", hasher.Sum([]byte(t.Rules)))
policy.Name = fmt.Sprintf("legacy-policy-%s", policy.ID)
policy.Rules = t.Rules
policy.Syntax = acl.SyntaxLegacy
} else {
return nil
}
policy.SetHash(true)
return policy
}
func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta { func (t *ACLToken) EnterpriseMetadata() *EnterpriseMeta {
return &t.EnterpriseMeta return &t.EnterpriseMeta
} }
@ -1799,10 +1768,6 @@ func (id *AgentMasterTokenIdentity) RoleIDs() []string {
return nil return nil
} }
func (id *AgentMasterTokenIdentity) EmbeddedPolicy() *ACLPolicy {
return nil
}
func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity { func (id *AgentMasterTokenIdentity) ServiceIdentityList() []*ACLServiceIdentity {
return nil return nil
} }

@ -44,56 +44,6 @@ func TestStructs_ACLToken_PolicyIDs(t *testing.T) {
}) })
} }
func TestStructs_ACLToken_EmbeddedPolicy(t *testing.T) {
t.Run("No Rules", func(t *testing.T) {
token := &ACLToken{}
require.Nil(t, token.EmbeddedPolicy())
})
t.Run("Legacy Client", func(t *testing.T) {
// None of the other fields should be considered
token := &ACLToken{
Type: ACLTokenTypeClient,
Rules: `acl = "read"`,
}
policy := token.EmbeddedPolicy()
require.NotNil(t, policy)
require.NotEqual(t, "", policy.ID)
require.True(t, strings.HasPrefix(policy.Name, "legacy-policy-"))
require.Equal(t, token.Rules, policy.Rules)
require.Equal(t, policy.Syntax, acl.SyntaxLegacy)
require.NotNil(t, policy.Hash)
require.NotEqual(t, []byte{}, policy.Hash)
})
t.Run("Same Policy for Tokens with same Rules", func(t *testing.T) {
token1 := &ACLToken{
AccessorID: "f55b260c-5e05-418e-ab19-d421d1ab4b52",
SecretID: "b2165bac-7006-459b-8a72-7f549f0f06d6",
Description: "token 1",
Type: ACLTokenTypeClient,
Rules: `acl = "read"`,
}
token2 := &ACLToken{
AccessorID: "09d1c059-961a-46bd-a2e4-76adebe35fa5",
SecretID: "65e98e67-9b29-470c-8ffa-7c5a23cc67c8",
Description: "token 2",
Type: ACLTokenTypeClient,
Rules: `acl = "read"`,
}
policy1 := token1.EmbeddedPolicy()
policy2 := token2.EmbeddedPolicy()
require.Equal(t, policy1, policy2)
})
}
func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) { func TestStructs_ACLServiceIdentity_SyntheticPolicy(t *testing.T) {
cases := []struct { cases := []struct {

Loading…
Cancel
Save