From 209e57afb6950d34dd59965f29b6d6d11f187722 Mon Sep 17 00:00:00 2001
From: Jeremy Jacobson
Date: Mon, 31 Jul 2023 12:11:25 -0700
Subject: [PATCH] Fix some minor issues.

---
 acl/validation.go | 2 +-
 agent/consul/state/acl.go | 2 +-
 agent/consul/state/acl_test.go | 8 ++
 agent/structs/acl.go | 110 +++++++-----------
 .../docs/security/acl/acl-policies.mdx | 4 +-
 5 files changed, 56 insertions(+), 70 deletions(-)

diff --git a/acl/validation.go b/acl/validation.go
index 3ce307e910c7..17019ef8791f 100644
--- a/acl/validation.go
+++ b/acl/validation.go
@@ -17,7 +17,7 @@ const (
 var (
 validServiceIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
 validNodeIdentityName = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-_]*[a-z0-9])?$`)
- validPolicyName = regexp.MustCompile(`^[A-Za-z0-9\-_]+/?[A-Za-z0-9\-_]*$`)
+ validPolicyName = regexp.MustCompile(`^[A-Za-z0-9\-_]+\/?[A-Za-z0-9\-_]*$`)
 validRoleName = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,256}$`)
 validAuthMethodName = regexp.MustCompile(`^[A-Za-z0-9\-_]{1,128}$`)
 )
diff --git a/agent/consul/state/acl.go b/agent/consul/state/acl.go
index 6d117c2bb98b..22c8a6164e42 100644
--- a/agent/consul/state/acl.go
+++ b/agent/consul/state/acl.go
@@ -886,7 +886,7 @@ func aclPolicySetTxn(tx WriteTxn, idx uint64, policy *structs.ACLPolicy) error {
 if existing != nil {
 if builtinPolicy, ok := structs.ACLBuiltinPolicies[policy.ID]; ok {
 // Only the name and description are modifiable
- // Here we specifically check that the rules on the global management policy
+ // Here we specifically check that the rules on the builtin policy
 // are identical to the correct policy rules within the binary. This is opposed
 // to checking against the current rules to allow us to update the rules during
 // upgrades.
diff --git a/agent/consul/state/acl_test.go b/agent/consul/state/acl_test.go
index 878617540ee7..5a67551d9879 100644
--- a/agent/consul/state/acl_test.go
+++ b/agent/consul/state/acl_test.go
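Review bot: The `\/` added to `validPolicyName` is a no-op in Go's RE2 syntax — `/` is not a metacharacter, and a backslash before punctuation matches that character literally — so the set of accepted policy names is exactly what it was, and the unescaped `/?` in a raw string reads more clearly. If the intent was to tighten how the slash is handled, note that the pattern still accepts a trailing slash such as `foo/` because the segment after `/?` may be empty; a form like `^[A-Za-z0-9\-_]+(/[A-Za-z0-9\-_]+)?$` requires a non-empty second segment, though names already stored would need checking before narrowing. Unlike `validRoleName` and `validAuthMethodName` in the same block, the policy-name pattern also has no length bound, which may or may not be intentional.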
@@ -35,6 +35,12 @@ func setupGlobalManagement(t *testing.T, s *Store) {
 require.NoError(t, s.ACLPolicySet(1, &policy))
 }
 
+func setupBuiltinGlobalReadOnly(t *testing.T, s *Store) {
+ policy := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]
+ policy.SetHash(true)
+ require.NoError(t, s.ACLPolicySet(2, &policy))
+}
+
 func setupAnonymous(t *testing.T, s *Store) {
 token := structs.ACLToken{
 AccessorID: acl.AnonymousTokenID,
@@ -48,6 +54,7 @@ func setupAnonymous(t *testing.T, s *Store) {
 func testACLStateStore(t *testing.T) *Store {
 s := testStateStore(t)
 setupGlobalManagement(t, s)
+ setupBuiltinGlobalReadOnly(t, s)
 setupAnonymous(t, s)
 return s
 }
@@ -179,6 +186,7 @@ func TestStateStore_ACLBootstrap(t *testing.T) {
 
 s := testStateStore(t)
 setupGlobalManagement(t, s)
+ setupBuiltinGlobalReadOnly(t, s)
 
 canBootstrap, index, err := s.CanBootstrapACLToken()
 require.NoError(t, err)
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
index 66f6f3c07ffa..bfee52bd00ce 100644
--- a/agent/structs/acl.go
+++ b/agent/structs/acl.go
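Review bot: `setupBuiltinGlobalReadOnly` indexes `structs.ACLBuiltinPolicies` without the comma-ok form, so if the read-only entry were ever missing from the map the helper would store a zero-value `ACLPolicy` with an empty ID and the failure would surface later in an unrelated assertion; `policy, ok := structs.ACLBuiltinPolicies[structs.ACLPolicyGlobalReadOnlyID]` followed by `require.True(t, ok)` fails at the source instead. The helper is otherwise a copy of `setupGlobalManagement` with a different ID and index, so a single `setupBuiltinPolicy(t, s, id, idx)` would keep the two from drifting. The literal indexes `1` and `2` also deserve a one-line comment saying whether the store requires the read-only policy to be written at a later index than global-management, since nothing in the hunk says so. The same helper call is added in the two hunks that follow.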
@@ -45,87 +45,65 @@ const (
 
 // This policy gives unlimited access to everything. Users
 // may rename if desired but cannot delete or modify the rules.
- ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
- ACLPolicyGlobalManagementName = "global-management"
- ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
- ACLPolicyGlobalManagementRules = `
-acl = "write"
-agent_prefix "" {
- policy = "write"
-}
-event_prefix "" {
- policy = "write"
-}
-key_prefix "" {
- policy = "write"
-}
-keyring = "write"
-node_prefix "" {
- policy = "write"
-}
-operator = "write"
-mesh = "write"
-peering = "write"
-query_prefix "" {
- policy = "write"
-}
-service_prefix "" {
- policy = "write"
- intentions = "write"
-}
-session_prefix "" {
- policy = "write"
-}` + EnterpriseACLPolicyGlobalManagement
-
- ACLPolicyGlobalReadOnlyID = "00000000-0000-0000-0000-000000000002"
- ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
- ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
- ACLPolicyGlobalReadOnlyRules = `
-acl = "read"
+ ACLPolicyGlobalManagementID = "00000000-0000-0000-0000-000000000001"
+ ACLPolicyGlobalManagementName = "global-management"
+ ACLPolicyGlobalManagementDesc = "Builtin Policy that grants unlimited access"
+
+ ACLPolicyGlobalReadOnlyID = "00000000-0000-0000-0000-000000000002"
+ ACLPolicyGlobalReadOnlyName = "builtin/global-read-only"
+ ACLPolicyGlobalReadOnlyDesc = "Builtin Policy that grants unlimited read-only access to all components"
+
+ ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+
+ aclPolicyGlobalRulesTemplate = `
+acl = "###"
 agent_prefix "" {
- policy = "read"
+ policy = "###"
 }
 event_prefix "" {
- policy = "read"
+ policy = "###"
 }
 key_prefix "" {
- policy = "read"
+ policy = "###"
 }
-keyring = "read"
+keyring = "###"
 node_prefix "" {
- policy = "read"
+ policy = "###"
 }
-operator = "read"
-mesh = "read"
-peering = "read"
+operator = "###"
+mesh = "###"
+peering = "###"
 query_prefix "" {
- policy = "read"
+ policy = "###"
 }
 service_prefix "" {
- policy = "read"
- intentions = "read"
+ policy = "###"
+ intentions = "###"
 }
 session_prefix "" {
- policy = "read"
-}` + EnterpriseACLPolicyGlobalReadOnly
-
- ACLReservedIDPrefix = "00000000-0000-0000-0000-0000000000"
+ policy = "###"
+}`
 )
 
-var ACLBuiltinPolicies = map[string]ACLPolicy{
- ACLPolicyGlobalManagementID: {
- ID: ACLPolicyGlobalManagementID,
- Name: ACLPolicyGlobalManagementName,
- Description: ACLPolicyGlobalManagementDesc,
- Rules: ACLPolicyGlobalManagementRules,
- },
- ACLPolicyGlobalReadOnlyID: {
- ID: ACLPolicyGlobalReadOnlyID,
- Name: ACLPolicyGlobalReadOnlyName,
- Description: ACLPolicyGlobalReadOnlyDesc,
- Rules: ACLPolicyGlobalReadOnlyRules,
- },
-}
+var (
+ ACLPolicyGlobalReadOnlyRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "read") + EnterpriseACLPolicyGlobalReadOnly
+ ACLPolicyGlobalManagementRules = strings.ReplaceAll(aclPolicyGlobalRulesTemplate, "###", "write") + EnterpriseACLPolicyGlobalManagement
+
+ ACLBuiltinPolicies = map[string]ACLPolicy{
+ ACLPolicyGlobalManagementID: {
+ ID: ACLPolicyGlobalManagementID,
+ Name: ACLPolicyGlobalManagementName,
+ Description: ACLPolicyGlobalManagementDesc,
+ Rules: ACLPolicyGlobalManagementRules,
+ },
+ ACLPolicyGlobalReadOnlyID: {
+ ID: ACLPolicyGlobalReadOnlyID,
+ Name: ACLPolicyGlobalReadOnlyName,
+ Description: ACLPolicyGlobalReadOnlyDesc,
+ Rules: ACLPolicyGlobalReadOnlyRules,
+ },
+ }
+)
 
 func ACLIDReserved(id string) bool {
 return strings.HasPrefix(id, ACLReservedIDPrefix)
diff --git a/website/content/docs/security/acl/acl-policies.mdx b/website/content/docs/security/acl/acl-policies.mdx
index f23b0246d0d0..e1583f250a29 100644
--- a/website/content/docs/security/acl/acl-policies.mdx
+++ b/website/content/docs/security/acl/acl-policies.mdx
@@ -391,11 +391,11 @@ New installations of Consul ship with the following built-in policies.
 
 ### Global Management
 
-The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `global-management` policy grants unrestricted privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. You can rename the global management policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 
 ### Global Read-Only
 
-The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul will prevent you from modifying any other attributes, including the rule set and datacenter scope.
+The `builtin/global-read-only` policy grants unrestricted _read-only_ privileges to any token linked to it. The policy is assigned the reserved ID of `00000000-0000-0000-0000-000000000002`. You can rename the global read-only policy, but Consul prevents you from modifying any other attributes, including the rule set and datacenter scope.
 
 ### Namespace Management
 