Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix policy lookup to allow for slashes #18347

Merged
merged 4 commits into from
Aug 3, 2023
Merged

Fix policy lookup to allow for slashes #18347

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1a9cded
Fix policy lookup to allow for slashes
jjacobson93 Aug 1, 2023
cfec746
Fix suggestions
jjacobson93 Aug 3, 2023
8a9db4c
Fix other test
jjacobson93 Aug 3, 2023
ac13bf1
Revert some lines
jjacobson93 Aug 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions agent/acl_endpoint.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ package agent
import (
"fmt"
"net/http"
"net/url"
"strings"

"github.com/hashicorp/consul/acl"
Expand Down Expand Up @@ -145,6 +146,12 @@ func (s *HTTPHandlers) ACLPolicyCRUD(resp http.ResponseWriter, req *http.Request
}

func (s *HTTPHandlers) ACLPolicyRead(resp http.ResponseWriter, req *http.Request, policyID, policyName string) (interface{}, error) {
// policy name needs to be unescaped in case there were `/` characters
policyName, err := url.QueryUnescape(policyName)
if err != nil {
return nil, err
}

args := structs.ACLPolicyGetRequest{
Datacenter: s.agent.config.Datacenter,
PolicyID: policyID,
Expand Down
8 changes: 6 additions & 2 deletions command/acl/acl_helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,9 +45,13 @@ func GetTokenAccessorIDFromPartial(client *api.Client, partialAccessorID string)
}

func GetPolicyIDFromPartial(client *api.Client, partialID string) (string, error) {
if partialID == "global-management" {
return structs.ACLPolicyGlobalManagementID, nil
// try the builtin policies (by name) first
for _, policy := range structs.ACLBuiltinPolicies {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor / non-blocking: This could be a map lookup instead of looping

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The map is actually ID -> policy, not Name -> policy, which is what it was doing before. But I added an extra line to do a map lookup in case the partialID is actually an ID and we don't have to list them

if partialID == policy.Name {
return policy.ID, nil
}
}

// The full UUID string was given
if len(partialID) == 36 {
return partialID, nil
Expand Down
88 changes: 88 additions & 0 deletions command/acl/acl_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package acl

import (
"io"
"testing"

"github.com/hashicorp/consul/agent"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/testrpc"
"github.com/stretchr/testify/require"
)

func Test_GetPolicyIDByName_Builtins(t *testing.T) {
t.Parallel()

a := agent.StartTestAgent(t,
agent.TestAgent{
LogOutput: io.Discard,
HCL: `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
initial_management = "root"
}
}
`,
},
)

defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("root"))

client := a.Client()
client.AddHeader("X-Consul-Token", "root")

t.Run("global management policy", func(t *testing.T) {
id, err := GetPolicyIDByName(client, structs.ACLPolicyGlobalManagementName)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor: It would be good to create a list of the policy names to tests, and iterate over that list and test each one. Then, when new builtin policies are added these tests are slightly easier to update.

We could even just iterate over the values in structs.ACLBuiltinPolicies to grab the policy name from each one. What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great idea. I have changed it to a loop

require.NoError(t, err)
require.Equal(t, structs.ACLPolicyGlobalManagementID, id)
})

t.Run("global read-only policy", func(t *testing.T) {
id, err := GetPolicyIDByName(client, structs.ACLPolicyGlobalReadOnlyName)
require.NoError(t, err)
require.Equal(t, structs.ACLPolicyGlobalReadOnlyID, id)
})
}

func Test_GetPolicyIDFromPartial_Builtins(t *testing.T) {
t.Parallel()

a := agent.StartTestAgent(t,
agent.TestAgent{
LogOutput: io.Discard,
HCL: `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
initial_management = "root"
}
}
`,
},
)

defer a.Shutdown()
testrpc.WaitForTestAgent(t, a.RPC, "dc1", testrpc.WithToken("root"))

client := a.Client()
client.AddHeader("X-Consul-Token", "root")

t.Run("global management policy", func(t *testing.T) {
id, err := GetPolicyIDFromPartial(client, structs.ACLPolicyGlobalManagementName)
require.NoError(t, err)
require.Equal(t, structs.ACLPolicyGlobalManagementID, id)
})

t.Run("global read-only policy", func(t *testing.T) {
id, err := GetPolicyIDFromPartial(client, structs.ACLPolicyGlobalReadOnlyName)
require.NoError(t, err)
require.Equal(t, structs.ACLPolicyGlobalReadOnlyID, id)
})
}