use allow/deny instead of the colored alternatives (hashicorp#9019)

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

client/allocrunner/taskrunner/task_dir_hook.go

@@ -92,7 +92,12 @@ func setEnvvars(envBuilder *taskenv.Builder, fsi drivers.FSIsolation, taskDir *a
 
 	// Set the host environment variables for non-image based drivers
 	if fsi != drivers.FSIsolationImage {
-		filter := strings.Split(conf.ReadDefault("env.blacklist", cconfig.DefaultEnvBlacklist), ",")
+		// COMPAT(0.13) using inclusive language, blacklist is kept for backward compatibility.
+		denylist := conf.ReadAlternativeDefault(
+			[]string{"env.denylist", "env.blacklist"},
+			cconfig.DefaultEnvDenylist,
+		)
+		filter := strings.Split(denylist, ",")
 		envBuilder.SetHostEnvvars(filter)
 	}
 }

client/allocrunner/taskrunner/validate_hook.go

@@ -43,7 +43,11 @@ func validateTask(task *structs.Task, taskEnv *taskenv.TaskEnv, conf *config.Con
 	var mErr multierror.Error
 
 	// Validate the user
-	unallowedUsers := conf.ReadStringListToMapDefault("user.blacklist", config.DefaultUserBlacklist)
+	// COMPAT(0.13) uses inclusive language. blacklist is kept for backward compatilibity.
+	unallowedUsers := conf.ReadStringListAlternativeToMapDefault(
+		[]string{"user.denylist", "user.blacklist"},
+		config.DefaultUserDenylist,
+	)
 	checkDrivers := conf.ReadStringListToMapDefault("user.checked_drivers", config.DefaultUserCheckedDrivers)
 	if _, driverMatch := checkDrivers[task.Driver]; driverMatch {
 		if _, unallowed := unallowedUsers[task.User]; unallowed {

client/client.go

@@ -409,9 +409,10 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
 		return nil, fmt.Errorf("fingerprinting failed: %v", err)
 	}
 
-	// Build the white/blacklists of drivers.
-	allowlistDrivers := cfg.ReadStringListToMap("driver.whitelist")
-	blocklistDrivers := cfg.ReadStringListToMap("driver.blacklist")
+	// Build the allow/denylists of drivers.
+	// COMPAT(0.13) uses inclusive language. white/blacklist are there for backward compatible reasons only.
+	allowlistDrivers := cfg.ReadStringListToMap("driver.allowlist", "driver.whitelist")
+	blocklistDrivers := cfg.ReadStringListToMap("driver.denylist", "driver.blacklist")
 
 	// Setup the csi manager
 	csiConfig := &csimanager.Config{

client/client_test.go

@@ -1211,7 +1211,7 @@ func TestClient_UpdateNodeFromFingerprintKeepsConfig(t *testing.T) {
 	client, cleanup = TestClient(t, func(c *config.Config) {
 		c.NetworkInterface = dev
 		c.Node.Name = name
-		c.Options["fingerprint.blacklist"] = "network"
+		c.Options["fingerprint.denylist"] = "network"
 		// Node is already a mock.Node, with a device
 		c.Node.NodeResources.Networks[0].Device = dev
 	})
@@ -1265,7 +1265,7 @@ func Test_UpdateNodeFromFingerprintMultiIP(t *testing.T) {
 	// Client without network configured updates to match fingerprint
 	client, cleanup := TestClient(t, func(c *config.Config) {
 		c.NetworkInterface = dev
-		c.Options["fingerprint.blacklist"] = "network,cni,bridge"
+		c.Options["fingerprint.denylist"] = "network,cni,bridge"
 		c.Node.Resources.Networks = c.Node.NodeResources.Networks
 	})
 	defer cleanup()

client/config/config.go

@@ -19,26 +19,26 @@ import (
 )
 
 var (
-	// DefaultEnvBlacklist is the default set of environment variables that are
+	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
 	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvBlacklist = strings.Join([]string{
+	DefaultEnvDenylist = strings.Join([]string{
 		"CONSUL_TOKEN",
 		"CONSUL_HTTP_TOKEN",
 		"VAULT_TOKEN",
 		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
 		"GOOGLE_APPLICATION_CREDENTIALS",
 	}, ",")
 
-	// DefaultUserBlacklist is the default set of users that tasks are not
+	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
-	DefaultUserBlacklist = strings.Join([]string{
+	DefaultUserDenylist = strings.Join([]string{
 		"root",
 		"Administrator",
 	}, ",")
 
 	// DefaultUserCheckedDrivers is the set of drivers we apply the user
-	// blacklist onto. For virtualized drivers it often doesn't make sense to
+	// denylist onto. For virtualized drivers it often doesn't make sense to
 	// make this stipulation so by default they are ignored.
 	DefaultUserCheckedDrivers = strings.Join([]string{
 		"exec",
@@ -344,11 +344,20 @@ func (c *Config) Read(id string) string {
 // ReadDefault returns the specified configuration value, or the specified
 // default value if none is set.
 func (c *Config) ReadDefault(id string, defaultValue string) string {
-	val, ok := c.Options[id]
-	if !ok {
-		return defaultValue
+	return c.ReadAlternativeDefault([]string{id}, defaultValue)
+}
+
+// ReadAlternativeDefault returns the specified configuration value, or the
+// specified value if none is set.
+func (c *Config) ReadAlternativeDefault(ids []string, defaultValue string) string {
+	for _, id := range ids {
+		val, ok := c.Options[id]
+		if ok {
+			return val
+		}
 	}
-	return val
+
+	return defaultValue
 }
 
 // ReadBool parses the specified option as a boolean.
@@ -420,28 +429,30 @@ func (c *Config) ReadDurationDefault(id string, defaultValue time.Duration) time
 	return val
 }
 
-// ReadStringListToMap tries to parse the specified option as a comma separated list.
+// ReadStringListToMap tries to parse the specified option(s) as a comma separated list.
 // If there is an error in parsing, an empty list is returned.
-func (c *Config) ReadStringListToMap(key string) map[string]struct{} {
-	s := strings.TrimSpace(c.Read(key))
-	list := make(map[string]struct{})
-	if s != "" {
-		for _, e := range strings.Split(s, ",") {
-			trimmed := strings.TrimSpace(e)
-			list[trimmed] = struct{}{}
-		}
-	}
-	return list
+func (c *Config) ReadStringListToMap(keys ...string) map[string]struct{} {
+	val := c.ReadAlternativeDefault(keys, "")
+
+	return splitValue(val)
 }
 
 // ReadStringListToMap tries to parse the specified option as a comma separated list.
 // If there is an error in parsing, an empty list is returned.
 func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string]struct{} {
-	val, ok := c.Options[key]
-	if !ok {
-		val = defaultValue
-	}
+	return c.ReadStringListAlternativeToMapDefault([]string{key}, defaultValue)
+}
+
+// ReadStringListAlternativeToMapDefault tries to parse the specified options as a comma sparated list.
+// If there is an error in parsing, an empty list is returned.
+func (c *Config) ReadStringListAlternativeToMapDefault(keys []string, defaultValue string) map[string]struct{} {
+	val := c.ReadAlternativeDefault(keys, defaultValue)
+
+	return splitValue(val)
+}
 
+// splitValue parses the value as a comma separated list.
+func splitValue(val string) map[string]struct{} {
 	list := make(map[string]struct{})
 	if val != "" {
 		for _, e := range strings.Split(val, ",") {

client/fingerprint_manager.go

@@ -65,28 +65,30 @@ func (fm *FingerprintManager) getNode() *structs.Node {
 }
 
 // Run starts the process of fingerprinting the node. It does an initial pass,
-// identifying whitelisted and blacklisted fingerprints/drivers. Then, for
+// identifying allowlisted and denylisted fingerprints/drivers. Then, for
 // those which require periotic checking, it starts a periodic process for
 // each.
 func (fp *FingerprintManager) Run() error {
 	// First, set up all fingerprints
 	cfg := fp.getConfig()
-	whitelistFingerprints := cfg.ReadStringListToMap("fingerprint.whitelist")
-	whitelistFingerprintsEnabled := len(whitelistFingerprints) > 0
-	blacklistFingerprints := cfg.ReadStringListToMap("fingerprint.blacklist")
+	// COMPAT(0.13) using inclusive language, whitelist is kept for backward compatibility.
+	allowlistFingerprints := cfg.ReadStringListToMap("fingerprint.allowlist", "fingerprint.whitelist")
+	allowlistFingerprintsEnabled := len(allowlistFingerprints) > 0
+	// COMPAT(0.13) using inclusive language, blacklist is kept for backward compatibility.
+	denylistFingerprints := cfg.ReadStringListToMap("fingerprint.denylist", "fingerprint.blacklist")
 
 	fp.logger.Debug("built-in fingerprints", "fingerprinters", fingerprint.BuiltinFingerprints())
 
 	var availableFingerprints []string
 	var skippedFingerprints []string
 	for _, name := range fingerprint.BuiltinFingerprints() {
-		// Skip modules that are not in the whitelist if it is enabled.
-		if _, ok := whitelistFingerprints[name]; whitelistFingerprintsEnabled && !ok {
+		// Skip modules that are not in the allowlist if it is enabled.
+		if _, ok := allowlistFingerprints[name]; allowlistFingerprintsEnabled && !ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
-		// Skip modules that are in the blacklist
-		if _, ok := blacklistFingerprints[name]; ok {
+		// Skip modules that are in the denylist
+		if _, ok := denylistFingerprints[name]; ok {
 			skippedFingerprints = append(skippedFingerprints, name)
 			continue
 		}
@@ -99,7 +101,7 @@ func (fp *FingerprintManager) Run() error {
 	}
 
 	if len(skippedFingerprints) != 0 {
-		fp.logger.Debug("fingerprint modules skipped due to white/blacklist",
+		fp.logger.Debug("fingerprint modules skipped due to allow/denylist",
 			"skipped_fingerprinters", skippedFingerprints)
 	}
 

client/fingerprint_manager_test.go

@@ -61,13 +61,13 @@ func TestFimgerprintManager_Run_InWhitelist(t *testing.T) {
 	require.NotEqual(node.Attributes["cpu.frequency"], "")
 }
 
-func TestFingerprintManager_Run_InBlacklist(t *testing.T) {
+func TestFingerprintManager_Run_InDenylist(t *testing.T) {
 	t.Parallel()
 	require := require.New(t)
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
-			"fingerprint.whitelist": "  arch,memory,foo,bar	",
-			"fingerprint.blacklist": "  cpu	",
+			"fingerprint.allowlist": "  arch,memory,foo,bar	",
+			"fingerprint.denylist": "  cpu	",
 		}
 	})
 	defer cleanup()
@@ -94,6 +94,38 @@ func TestFingerprintManager_Run_Combination(t *testing.T) {
 	t.Parallel()
 	require := require.New(t)
 
+	testClient, cleanup := TestClient(t, func(c *config.Config) {
+		c.Options = map[string]string{
+			"fingerprint.allowlist": "  arch,cpu,memory,foo,bar	",
+			"fingerprint.denylist": "  memory,host	",
+		}
+	})
+	defer cleanup()
+
+	fm := NewFingerprintManager(
+		testClient.config.PluginSingletonLoader,
+		testClient.GetConfig,
+		testClient.config.Node,
+		testClient.shutdownCh,
+		testClient.updateNodeFromFingerprint,
+		testClient.logger,
+	)
+
+	err := fm.Run()
+	require.Nil(err)
+
+	node := testClient.config.Node
+
+	require.NotEqual(node.Attributes["cpu.frequency"], "")
+	require.NotEqual(node.Attributes["cpu.arch"], "")
+	require.NotContains(node.Attributes, "memory.totalbytes")
+	require.NotContains(node.Attributes, "os.name")
+}
+
+func TestFingerprintManager_Run_CombinationLegacyNames(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+
 	testClient, cleanup := TestClient(t, func(c *config.Config) {
 		c.Options = map[string]string{
 			"fingerprint.whitelist": "  arch,cpu,memory,foo,bar	",

command/acl_policy.go

@@ -16,7 +16,7 @@ Usage: nomad acl policy <subcommand> [options] [args]
 
   This command groups subcommands for interacting with ACL policies. Nomad's ACL
   system can be used to control access to data and APIs. ACL policies allow a
-  set of capabilities or actions to be granted or whitelisted. For a full guide
+  set of capabilities or actions to be granted or allowlisted. For a full guide
   see: https://www.nomadproject.io/guides/acl.html
 
   Create an ACL policy:

command/agent/config.go

@@ -311,7 +311,7 @@ type ClientTemplateConfig struct {
 	// are unsafe because they expose information from the client host.
 	FunctionDenylist []string `hcl:"function_denylist"`
 
-	// COMPAT(0.13) consul-template uses inclusive language from v0.25.0 - function_blacklist is kept for compatibility
+	// Deprecated: COMPAT(0.13) consul-template uses inclusive language from v0.25.0 - function_blacklist is kept for compatibility
 	FunctionBlacklist []string `hcl:"function_blacklist"`
 
 	// DisableSandbox allows templates to access arbitrary files on the

command/agent/testdata/obj-len-one.hcl

@@ -1,5 +1,5 @@
 client {
   options {
-    driver.whitelist = "docker"
+    driver.allowlist = "docker"
   }
 }

command/agent/testdata/obj-len-one.json

@@ -1,7 +1,7 @@
 {
 	"client": {
 		"options": {
-			"driver.whitelist": "docker"
+			"driver.allowlist": "docker"
 		}
 	},
 	"server": {}

drivers/docker/config.go

@@ -96,7 +96,10 @@ func PluginLoader(opts map[string]string) (map[string]interface{}, error) {
 	conf["volumes"] = volConf
 
 	// capabilities
-	if v, ok := opts["docker.caps.whitelist"]; ok {
+	// COMPAT(0.13) uses inclusive language. whitelist is used for backward compatibility.
+	if v, ok := opts["docker.caps.allowlist"]; ok {
+		conf["allow_caps"] = strings.Split(v, ",")
+	} else if v, ok := opts["docker.caps.whitelist"]; ok {
 		conf["allow_caps"] = strings.Split(v, ",")
 	}
 
@@ -497,7 +500,7 @@ type DockerMount struct {
 
 func (m DockerMount) toDockerHostMount() (docker.HostMount, error) {
 	if m.Type == "" {
-		// for backward compatbility, as type is optional
+		// for backward compatibility, as type is optional
 		m.Type = "volume"
 	}
 

drivers/docker/driver.go

@@ -909,7 +909,7 @@ func (d *Driver) createContainerConfig(task *drivers.TaskConfig, driverConfig *T
 			}
 		}
 		if len(missingCaps) > 0 {
-			return c, fmt.Errorf("Docker driver doesn't have the following caps whitelisted on this Nomad agent: %s", missingCaps)
+			return c, fmt.Errorf("Docker driver doesn't have the following caps allowlisted on this Nomad agent: %s", missingCaps)
 		}
 	}
 

drivers/docker/driver_darwin_test.go

@@ -11,7 +11,7 @@ import (
 // be mounted into Docker containers on macOS without needing dev performing
 // special setup.
 //
-// macOS sets tempdir as `/var`, which Docker does not whitelist as a path that
+// macOS sets tempdir as `/var`, which Docker does not allowlist as a path that
 // can be bind-mounted.
 func TestMain(m *testing.M) {
 	tmpdir := fmt.Sprintf("/tmp/nomad-docker-tests-%d", time.Now().Unix())