github.com/outbrain/consul@v1.4.5/agent/structs/acl_legacy.go (about) 1 // DEPRECATED (ACL-Legacy-Compat) 2 // 3 // Everything within this file is deprecated and related to the original ACL 4 // implementation. Once support for v1 ACLs are removed this whole file can 5 // be deleted. 6 7 package structs 8 9 import ( 10 "errors" 11 "fmt" 12 "time" 13 14 "github.com/hashicorp/consul/acl" 15 ) 16 17 const ( 18 // ACLBootstrapInit is used to perform a scan for existing tokens which 19 // will decide whether bootstrapping is allowed for a cluster. This is 20 // initiated by the leader when it steps up, if necessary. 21 ACLBootstrapInit ACLOp = "bootstrap-init" 22 23 // ACLBootstrapNow is used to perform a one-time ACL bootstrap operation on 24 // a cluster to get the first management token. 25 ACLBootstrapNow ACLOp = "bootstrap-now" 26 27 // ACLForceSet is deprecated, but left for backwards compatibility. 28 ACLForceSet ACLOp = "force-set" 29 ) 30 31 // ACLBootstrapNotInitializedErr is returned when a bootstrap is attempted but 32 // we haven't yet initialized ACL bootstrap. It provides some guidance to 33 // operators on how to proceed. 34 var ACLBootstrapNotInitializedErr = errors.New("ACL bootstrap not initialized, need to force a leader election and ensure all Consul servers support this feature") 35 36 const ( 37 // ACLTokenTypeClient tokens have rules applied 38 ACLTokenTypeClient = "client" 39 40 // ACLTokenTypeManagement tokens have an always allow policy, so they can 41 // make other tokens and can access all resources. 42 ACLTokenTypeManagement = "management" 43 44 // ACLTokenTypeNone 45 ACLTokenTypeNone = "" 46 ) 47 48 // ACL is used to represent a token and its rules 49 type ACL struct { 50 ID string 51 Name string 52 Type string 53 Rules string 54 55 RaftIndex 56 } 57 58 // ACLs is a slice of ACLs. 59 type ACLs []*ACL 60 61 // Convert does a 1-1 mapping of the ACLCompat structure to its ACLToken 62 // equivalent. This will NOT fill in the other ACLToken fields or perform any other 63 // upgrade (other than correcting an older HCL syntax that is no longer 64 // supported). 65 func (a *ACL) Convert() *ACLToken { 66 // Ensure that we correct any old HCL in legacy tokens to prevent old 67 // syntax from leaking elsewhere into the system. 68 // 69 // DEPRECATED (ACL-Legacy-Compat) 70 correctedRules := SanitizeLegacyACLTokenRules(a.Rules) 71 if correctedRules != "" { 72 a.Rules = correctedRules 73 } 74 75 return &ACLToken{ 76 AccessorID: "", 77 SecretID: a.ID, 78 Description: a.Name, 79 Policies: nil, 80 Type: a.Type, 81 Rules: a.Rules, 82 Local: false, 83 RaftIndex: a.RaftIndex, 84 } 85 } 86 87 // Convert attempts to convert an ACLToken into an ACLCompat. 88 func (tok *ACLToken) Convert() (*ACL, error) { 89 if tok.Type == "" { 90 return nil, fmt.Errorf("Cannot convert ACLToken into compat token") 91 } 92 93 compat := &ACL{ 94 ID: tok.SecretID, 95 Name: tok.Description, 96 Type: tok.Type, 97 Rules: tok.Rules, 98 RaftIndex: tok.RaftIndex, 99 } 100 return compat, nil 101 } 102 103 // IsSame checks if one ACL is the same as another, without looking 104 // at the Raft information (that's why we didn't call it IsEqual). This is 105 // useful for seeing if an update would be idempotent for all the functional 106 // parts of the structure. 107 func (a *ACL) IsSame(other *ACL) bool { 108 if a.ID != other.ID || 109 a.Name != other.Name || 110 a.Type != other.Type || 111 a.Rules != other.Rules { 112 return false 113 } 114 115 return true 116 } 117 118 // ACLRequest is used to create, update or delete an ACL 119 type ACLRequest struct { 120 Datacenter string 121 Op ACLOp 122 ACL ACL 123 WriteRequest 124 } 125 126 func (r *ACLRequest) RequestDatacenter() string { 127 return r.Datacenter 128 } 129 130 // ACLRequests is a list of ACL change requests. 131 type ACLRequests []*ACLRequest 132 133 // ACLSpecificRequest is used to request an ACL by ID 134 type ACLSpecificRequest struct { 135 Datacenter string 136 ACL string 137 QueryOptions 138 } 139 140 // RequestDatacenter returns the DC this request is targeted to. 141 func (r *ACLSpecificRequest) RequestDatacenter() string { 142 return r.Datacenter 143 } 144 145 // IndexedACLs has tokens along with the Raft metadata about them. 146 type IndexedACLs struct { 147 ACLs ACLs 148 QueryMeta 149 } 150 151 // ACLBootstrap keeps track of whether bootstrapping ACLs is allowed for a 152 // cluster. 153 type ACLBootstrap struct { 154 // AllowBootstrap will only be true if no existing management tokens 155 // have been found. 156 AllowBootstrap bool 157 158 RaftIndex 159 } 160 161 // ACLPolicyResolveLegacyRequest is used to request an ACL by Token SecretID, conditionally 162 // filtering on an ID 163 type ACLPolicyResolveLegacyRequest struct { 164 Datacenter string // The Datacenter the RPC may be sent to 165 ACL string // The Tokens Secret ID 166 ETag string // Caching ETag to prevent resending the policy when not needed 167 QueryOptions 168 } 169 170 // RequestDatacenter returns the DC this request is targeted to. 171 func (r *ACLPolicyResolveLegacyRequest) RequestDatacenter() string { 172 return r.Datacenter 173 } 174 175 type ACLPolicyResolveLegacyResponse struct { 176 ETag string 177 Parent string 178 Policy *acl.Policy 179 TTL time.Duration 180 QueryMeta 181 }