Fix some minor issues.

hashicorp · Jul 31, 2023 · 209e57a · 209e57a
1 parent 75552a9
commit 209e57a
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 70 deletions.
diff --git a/acl/validation.go b/acl/validation.go
@@ -17,7 +17,7 @@ const (
 var (
 	validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
 	validNodeIdentityName    = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
-	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$`)
+	validPolicyName          = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
 	validRoleName            = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
 	validAuthMethodName      = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
 )

diff --git a/agent/consul/state/acl.go b/agent/consul/state/acl.go
@@ -886,7 +886,7 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 	if existing != nil {
 		if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 			// Only the name and description are modifiable
-			// Here we specifically check that the rules on the global management policy
+			// Here we specifically check that the rules on the builtin policy
 			// are identical to the correct policy rules within the binary. This is opposed
 			// to checking against the current rules to allow us to update the rules during
 			// upgrades.

diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go
@@ -35,6 +35,12 @@ func setupGlobalManagement(t *testing.T, s *Store) {
 	require.NoError(t, s.ACLPolicySet(1, &policy))
 }
 
+func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
+	policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
+	policy.SetHash(true)
+	require.NoError(t, s.ACLPolicySet(2, &policy))
+}
+
 func setupAnonymous(t *testing.T, s *Store) {
 	token := structs.ACLToken{
 		AccessorID:  acl.AnonymousTokenID,
@@ -48,6 +54,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)
 	setupAnonymous(t, s)
 	return s
 }
@@ -179,6 +186,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {
 
 	s := testStateStore(t)
 	setupGlobalManagement(t, s)
+	setupBuiltinGlobalReadOnly(t, s)
 
 	canBootstrap, index, err := s.CanBootstrapACLToken()
 	require.NoError(t, err)

diff --git a/agent/structs/acl.go b/agent/structs/acl.go
@@ -45,87 +45,65 @@ const (
 
 	// This policy gives unlimited access to everything. Users
 	// may rename if desired but cannot delete or modify the rules.
-	ACLPolicyGlobalManagementID    = "00000000-0000-0000-0000-000000000001"
-	ACLPolicyGlobalManagementName  = "global-management"
-	ACLPolicyGlobalManagementDesc  = "Builtin Policy that grants unlimited access"
-	ACLPolicyGlobalManagementRules = `
-acl = "write"
-agent_prefix "" {
-	policy = "write"
-}
-event_prefix "" {
-	policy = "write"
-}
-key_prefix "" {
-	policy = "write"
-}
-keyring = "write"
-node_prefix "" {
-	policy = "write"
-}
-operator = "write"
-mesh = "write"
-peering = "write"
-query_prefix "" {
-	policy = "write"
-}
-service_prefix "" {
-	policy = "write"
-	intentions = "write"
-}
-session_prefix "" {
-	policy = "write"
-}` + EnterpriseACLPolicyGlobalManagement
-
-	ACLPolicyGlobalReadOnlyID    = "00000000-0000-0000-0000-000000000002"
-	ACLPolicyGlobalReadOnlyName  = "builtin/global-read-only"
-	ACLPolicyGlobalReadOnlyDesc  = "Builtin Policy that grants unlimited read-only access to all components"
-	ACLPolicyGlobalReadOnlyRules = `
-acl = "read"
+	ACLPolicyGlobalManagementID   = "00000000-0000-0000-0000-000000000001"
+	ACLPolicyGlobalManagementName = "global-management"
+	ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
+
+	ACLPolicyGlobalReadOnlyID   = "00000000-0000-0000-0000-000000000002"
+	ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
+	ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
+
+	ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+
+	aclPolicyGlobalRulesTemplate = `
+acl = "###"
 agent_prefix "" {
-	policy = "read"
+	policy = "###"
 }
 event_prefix "" {
-	policy = "read"
+	policy = "###"
 }
 key_prefix "" {
-	policy = "read"
+	policy = "###"
 }
-keyring = "read"
+keyring = "###"
 node_prefix "" {
-	policy = "read"
+	policy = "###"
 }
-operator = "read"
-mesh = "read"
-peering = "read"
+operator = "###"
+mesh = "###"
+peering = "###"
 query_prefix "" {
-	policy = "read"
+	policy = "###"
 }
 service_prefix "" {
-	policy = "read"
-	intentions = "read"
+	policy = "###"
+	intentions = "###"
 }
 session_prefix "" {
-	policy = "read"
-}` + EnterpriseACLPolicyGlobalReadOnly
-
-	ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+	policy = "###"
+}`
 )
 
-var ACLBuiltinPolicies = map[string]ACLPolicy{
-	ACLPolicyGlobalManagementID: {
-		ID:          ACLPolicyGlobalManagementID,
-		Name:        ACLPolicyGlobalManagementName,
-		Description: ACLPolicyGlobalManagementDesc,
-		Rules:       ACLPolicyGlobalManagementRules,
-	},
-	ACLPolicyGlobalReadOnlyID: {
-		ID:          ACLPolicyGlobalReadOnlyID,
-		Name:        ACLPolicyGlobalReadOnlyName,
-		Description: ACLPolicyGlobalReadOnlyDesc,
-		Rules:       ACLPolicyGlobalReadOnlyRules,
-	},
-}
+var (
+	ACLPolicyGlobalReadOnlyRules   = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "read") + EnterpriseACLPolicyGlobalReadOnly
+	ACLPolicyGlobalManagementRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "write") + EnterpriseACLPolicyGlobalManagement
+
+	ACLBuiltinPolicies = map[string]ACLPolicy{
+		ACLPolicyGlobalManagementID: {
+			ID:          ACLPolicyGlobalManagementID,
+			Name:        ACLPolicyGlobalManagementName,
+			Description: ACLPolicyGlobalManagementDesc,
+			Rules:       ACLPolicyGlobalManagementRules,
+		},
+		ACLPolicyGlobalReadOnlyID: {
+			ID:          ACLPolicyGlobalReadOnlyID,
+			Name:        ACLPolicyGlobalReadOnlyName,
+			Description: ACLPolicyGlobalReadOnlyDesc,
+			Rules:       ACLPolicyGlobalReadOnlyRules,
+		},
+	}
+)
 
 func ACLIDReserved(id string) bool {
 	return strings.HasPrefix(id, ACLReservedIDPrefix)

diff --git a/website/content/docs/security/acl/acl-policies.mdx b/website/content/docs/security/acl/acl-policies.mdx
@@ -391,11 +391,11 @@ New installations of Consul ship with the following built-in policies.
 
 ### Global Management
 
-The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 
 ### Global Read-Only
 
-The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 
 ### Namespace Management <EnterpriseAlert inline />