[NET-5329] use acl templated policy under the hood for node/service i…

…dentities (#18813)
hashicorp · Sep 14, 2023 · 8021226 · 8021226
1 parent e5808d8
commit 8021226
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 42 deletions.
diff --git a/.changelog/18813.txt b/.changelog/18813.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: Use templated policy to generate synthetic policies for tokens/roles with node and/or service identities
+```
diff --git a/agent/structs/acl.go b/agent/structs/acl.go
@@ -9,11 +9,11 @@ import (
 	"errors"
 	"fmt"
 	"hash"
-	"hash/fnv"
 	"sort"
 	"strings"
 	"time"
 
+	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/lib/stringslice"
 
 	"golang.org/x/crypto/blake2b"
@@ -182,22 +182,20 @@ func (s *ACLServiceIdentity) EstimateSize() int {
 }
 
 func (s *ACLServiceIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
+	// use templated policy to generate synthetic policy
+	templatedPolicy := ACLTemplatedPolicy{
+		TemplateID:   ACLTemplatedPolicyServiceID,
+		TemplateName: api.ACLTemplatedPolicyServiceName,
+		Datacenters:  s.Datacenters,
+		TemplateVariables: &ACLTemplatedPolicyVariables{
+			Name: s.ServiceName,
+		},
+	}
+
 	// Given that we validate this string name before persisting, we do not
-	// have to escape it before doing the following interpolation.
-	rules := aclServiceIdentityRules(s.ServiceName, entMeta)
-
-	hasher := fnv.New128a()
-	hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
-
-	policy := &ACLPolicy{}
-	policy.ID = hashID
-	policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
-	sn := NewServiceName(s.ServiceName, entMeta)
-	policy.Description = fmt.Sprintf("synthetic policy for service identity %q", sn.String())
-	policy.Rules = rules
-	policy.Datacenters = s.Datacenters
-	policy.EnterpriseMeta.Merge(entMeta)
-	policy.SetHash(true)
+	// expect any errors from generating the synthetic policy
+	policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
+
 	return policy
 }
 
@@ -254,21 +252,20 @@ func (s *ACLNodeIdentity) EstimateSize() int {
 }
 
 func (s *ACLNodeIdentity) SyntheticPolicy(entMeta *acl.EnterpriseMeta) *ACLPolicy {
+	// use templated policy to generate synthetic policy
+	templatedPolicy := ACLTemplatedPolicy{
+		TemplateID:   ACLTemplatedPolicyNodeID,
+		TemplateName: api.ACLTemplatedPolicyNodeName,
+		Datacenters:  []string{s.Datacenter},
+		TemplateVariables: &ACLTemplatedPolicyVariables{
+			Name: s.NodeName,
+		},
+	}
+
 	// Given that we validate this string name before persisting, we do not
-	// have to escape it before doing the following interpolation.
-	rules := aclNodeIdentityRules(s.NodeName, entMeta)
-
-	hasher := fnv.New128a()
-	hashID := fmt.Sprintf("%x", hasher.Sum([]byte(rules)))
-
-	policy := &ACLPolicy{}
-	policy.ID = hashID
-	policy.Name = fmt.Sprintf("synthetic-policy-%s", hashID)
-	policy.Description = fmt.Sprintf("synthetic policy for node identity %q", s.NodeName)
-	policy.Rules = rules
-	policy.Datacenters = []string{s.Datacenter}
-	policy.EnterpriseMeta.Merge(entMeta)
-	policy.SetHash(true)
+	// expect any errors from generating the synthetic policy
+	policy, _ := templatedPolicy.SyntheticPolicy(entMeta)
+
 	return policy
 }
 

diff --git a/command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty-meta.golden b/command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty-meta.golden
@@ -26,7 +26,7 @@ Policies:
 
 Service Identities:
 	Name: gardener (Datacenters: middleearth-northwest)
-		Description: synthetic policy for service identity "gardener"
+		Description: synthetic policy generated from templated policy: builtin/service
 		Rules:
 			service "gardener" {
 				policy = "write"
@@ -43,7 +43,7 @@ Service Identities:
 
 Node Identities:
 	Name: bagend (Datacenter: middleearth-northwest)
-		Description: synthetic policy for node identity "bagend"
+		Description: synthetic policy generated from templated policy: builtin/node
 		Rules:
 			node "bagend" {
 				policy = "write"
@@ -96,7 +96,7 @@ Roles:
 
 		Service Identities:
 			Name: foo (Datacenters: middleearth-southwest)
-				Description: synthetic policy for service identity "foo"
+				Description: synthetic policy generated from templated policy: builtin/service
 				Rules:
 					service "foo" {
 						policy = "write"
@@ -125,7 +125,7 @@ Roles:
 
 		Node Identities:
 			Name: bar (Datacenter: middleearth-southwest)
-				Description: synthetic policy for node identity "bar"
+				Description: synthetic policy generated from templated policy: builtin/node
 				Rules:
 					node "bar" {
 						policy = "write"
@@ -158,7 +158,7 @@ Namespace Role Defaults:
 
 		Service Identities:
 			Name: web (Datacenters: middleearth-northeast)
-				Description: synthetic policy for service identity "web"
+				Description: synthetic policy generated from templated policy: builtin/service
 				Rules:
 					service "web" {
 						policy = "write"
@@ -175,7 +175,7 @@ Namespace Role Defaults:
 
 		Node Identities:
 			Name: db (Datacenter: middleearth-northwest)
-				Description: synthetic policy for node identity "db"
+				Description: synthetic policy generated from templated policy: builtin/node
 				Rules:
 					node "db" {
 						policy = "write"

diff --git a/command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty.golden b/command/acl/token/testdata/FormatTokenExpanded/ce/complex.pretty.golden
@@ -23,7 +23,7 @@ Policies:
 
 Service Identities:
 	Name: gardener (Datacenters: middleearth-northwest)
-		Description: synthetic policy for service identity "gardener"
+		Description: synthetic policy generated from templated policy: builtin/service
 		Rules:
 			service "gardener" {
 				policy = "write"
@@ -40,7 +40,7 @@ Service Identities:
 
 Node Identities:
 	Name: bagend (Datacenter: middleearth-northwest)
-		Description: synthetic policy for node identity "bagend"
+		Description: synthetic policy generated from templated policy: builtin/node
 		Rules:
 			node "bagend" {
 				policy = "write"
@@ -93,7 +93,7 @@ Roles:
 
 		Service Identities:
 			Name: foo (Datacenters: middleearth-southwest)
-				Description: synthetic policy for service identity "foo"
+				Description: synthetic policy generated from templated policy: builtin/service
 				Rules:
 					service "foo" {
 						policy = "write"
@@ -122,7 +122,7 @@ Roles:
 
 		Node Identities:
 			Name: bar (Datacenter: middleearth-southwest)
-				Description: synthetic policy for node identity "bar"
+				Description: synthetic policy generated from templated policy: builtin/node
 				Rules:
 					node "bar" {
 						policy = "write"
@@ -155,7 +155,7 @@ Namespace Role Defaults:
 
 		Service Identities:
 			Name: web (Datacenters: middleearth-northeast)
-				Description: synthetic policy for service identity "web"
+				Description: synthetic policy generated from templated policy: builtin/service
 				Rules:
 					service "web" {
 						policy = "write"
@@ -172,7 +172,7 @@ Namespace Role Defaults:
 
 		Node Identities:
 			Name: db (Datacenter: middleearth-northwest)
-				Description: synthetic policy for node identity "db"
+				Description: synthetic policy generated from templated policy: builtin/node
 				Rules:
 					node "db" {
 						policy = "write"