Gets rid of the Consul service exception under version 8.

Fixes #2816.
hashicorp · Mar 24, 2017 · 5480270 · 5480270
1 parent fae78dc
commit 5480270
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/consul/acl.go b/consul/acl.go
@@ -341,9 +341,14 @@ func (f *aclFilter) allowNode(node string) bool {
 
 // allowService is used to determine if a service is accessible for an ACL.
 func (f *aclFilter) allowService(service string) bool {
-	if service == "" || service == ConsulServiceID {
+	if service == "" {
 		return true
 	}
+
+	if !f.enforceVersion8 && service == ConsulServiceID {
+		return true
+	}
+
 	return f.acl.ServiceRead(service)
 }
 

diff --git a/consul/acl_test.go b/consul/acl_test.go
@@ -903,18 +903,29 @@ func TestACL_filterServices(t *testing.T) {
 	services := structs.Services{
 		"service1": []string{},
 		"service2": []string{},
+		"consul":   []string{},
 	}
 
-	// Try permissive filtering
+	// Try permissive filtering.
 	filt := newAclFilter(acl.AllowAll(), nil, false)
 	filt.filterServices(services)
-	if len(services) != 2 {
+	if len(services) != 3 {
 		t.Fatalf("bad: %#v", services)
 	}
 
-	// Try restrictive filtering
+	// Try restrictive filtering.
 	filt = newAclFilter(acl.DenyAll(), nil, false)
 	filt.filterServices(services)
+	if len(services) != 1 {
+		t.Fatalf("bad: %#v", services)
+	}
+	if _, ok := services["consul"]; !ok {
+		t.Fatalf("bad: %#v", services)
+	}
+
+	// Try restrictive filtering with version 8 enforcement.
+	filt = newAclFilter(acl.DenyAll(), nil, true)
+	filt.filterServices(services)
 	if len(services) != 0 {
 		t.Fatalf("bad: %#v", services)
 	}