From e635b24215030fd85e35bb7e58639adc8e7b92e2 Mon Sep 17 00:00:00 2001
From: Freddy
Date: Tue, 14 Jan 2020 15:40:34 -0700
Subject: [PATCH] Update force-leave ACL requirement to operator:write (#7033)
---
 agent/agent_endpoint.go | 2 +-
 agent/agent_endpoint_test.go | 15 ++++++++++++++-
 website/source/api/agent.html.md | 2 +-
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index a55f90254f..d7405d4da4 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -475,7 +475,7 @@ func (s *HTTPServer) AgentForceLeave(resp http.ResponseWriter, req *http.Request
 if err != nil {
 return nil, err
 }
- if rule != nil && rule.AgentWrite(s.agent.config.NodeName, nil) != acl.Allow {
+ if rule != nil && rule.OperatorWrite(nil) != acl.Allow {
 return nil, acl.ErrPermissionDenied
 }
diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index 3c8e5063f9..a6a1776de5 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -1646,7 +1646,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
 t.Run("agent master token", func(t *testing.T) {
 req, _ := http.NewRequest("PUT", uri+"?token=towel", nil)
- if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
+ if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
 t.Fatalf("err: %v", err)
 }
 })
@@ -1658,6 +1658,19 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
 t.Fatalf("err: %v", err)
 }
 })
+
+ t.Run("operator write token", func(t *testing.T) {
+ // Create an ACL with operator read permissions.
+ var rules = `
+ operator = "write"
+ `
+ opToken := testCreateToken(t, a, rules)
+
+ req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", opToken), nil)
+ if _, err := a.srv.AgentForceLeave(nil, req); err != nil {
+ t.Fatalf("err: %v", err)
+ }
+ })
 }
 func TestAgent_ForceLeavePrune(t *testing.T) {
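Review bot: In agent/agent_endpoint.go the new `rule.OperatorWrite(nil)` check has no comment explaining why force-leave now needs a cluster-level privilege, and tokens that hold only `agent:write` on the local node will start receiving `acl.ErrPermissionDenied`. I would add a comment above the check, e.g. `// force-leave acts on other cluster members, so require operator:write rather than agent:write on this node`. The diffstat lists only the handler, its test and the API page, so an upgrade or changelog note for this behaviour change appears to be missing from the commit. The check is still skipped when `rule` is nil; how `rule` is resolved lies outside the hunk, so it is worth confirming that nil only occurs with ACLs disabled.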
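Review bot: In the `agent master token` subtest of agent/agent_endpoint_test.go the failure message no longer fits the assertion: if the call unexpectedly succeeds, `t.Fatalf("err: %v", err)` prints `err: <nil>` and gives no hint that a denial was expected. Change it to `t.Fatalf("expected permission denied, got: %v", err)`. A one-line comment such as `// the agent master token is expected to be denied: it lacks operator:write` would also keep the inverted expectation from being read as a mistake. TestAgent_ForceLeave_ACLDeny starts outside the hunk.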
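Review bot: The added `operator write token` subtest shows that `operator = "write"` is accepted, but no visible subtest pins that `operator = "read"` is rejected, so a check weakened to read access could go unnoticed; a sibling subtest for that case is sketched below. The comment `// Create an ACL with operator read permissions.` contradicts the rules it precedes and should read `// Create an ACL with operator write permissions.`. Building the format string as `fmt.Sprintf(uri+"?token=%s", opToken)` is fragile if `uri` ever contains a `%`; `uri+"?token="+opToken` avoids that. TestAgent_ForceLeave_ACLDeny starts outside the hunk, so earlier subtests may already cover part of this.

```go
// … unchanged: "operator write token" subtest …

t.Run("operator read token", func(t *testing.T) {
	// operator:read must not be sufficient to force-leave a node.
	var rules = `
	operator = "read"
	`
	opToken := testCreateToken(t, a, rules)

	req, _ := http.NewRequest("PUT", uri+"?token="+opToken, nil)
	if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
		t.Fatalf("expected permission denied, got: %v", err)
	}
})
```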
diff --git a/website/source/api/agent.html.md b/website/source/api/agent.html.md
index aed49e7e2b..62a70605a9 100644
--- a/website/source/api/agent.html.md
+++ b/website/source/api/agent.html.md
@@ -506,7 +506,7 @@ The table below shows this endpoint's support for
 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
 | ---------------- | ----------------- | ------------- | ------------- |
-| `NO` | `none` | `none` | `agent:write` |
+| `NO` | `none` | `none` | `operator:write` |
 ### Parameters