dns token (#17936)

* dns token

fix whitespace for docs and comments

fix test cases

fix test cases

remove tabs in help text

Add changelog

Peering dns test

Peering dns test

Partial implementation of Peered DNS test

Swap to new topology lib

expose dns port for integration tests on client

remove partial test implementation

remove extra port exposure

remove changelog from the ent pr

Add dns token to set-agent-token switch

Add enterprise golden file

Use builtin/dns template in tests

Update ent dns policy

Update ent dns template test

remove local gen certs

fix templated policy specs

* add changelog

* go mod tidy

.changelog/17936.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+acl: Add new `acl.tokens.dns` config field which specifies the token used implicitly during dns checks.
+```

agent/agent_endpoint.go

@@ -1531,6 +1531,9 @@ func (s *HTTPHandlers) AgentToken(resp http.ResponseWriter, req *http.Request) (
 		case "config_file_service_registration":
 			s.agent.tokens.UpdateConfigFileRegistrationToken(args.Token, token_store.TokenSourceAPI)
 
+		case "dns_token", "dns":
+			s.agent.tokens.UpdateDNSToken(args.Token, token_store.TokenSourceAPI)
+
 		default:
 			return HTTPError{StatusCode: http.StatusNotFound, Reason: fmt.Sprintf("Token %q is unknown", target)}
 		}

agent/config/builder.go

@@ -882,6 +882,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 			ACLAgentRecoveryToken:          stringVal(c.ACL.Tokens.AgentRecovery),
 			ACLReplicationToken:            stringVal(c.ACL.Tokens.Replication),
 			ACLConfigFileRegistrationToken: stringVal(c.ACL.Tokens.ConfigFileRegistration),
+			ACLDNSToken:                    stringVal(c.ACL.Tokens.DNS),
 		},
 
 		// Autopilot

agent/config/config.go

@@ -778,6 +778,7 @@ type Tokens struct {
 	Default                *string `mapstructure:"default"`
 	Agent                  *string `mapstructure:"agent"`
 	ConfigFileRegistration *string `mapstructure:"config_file_service_registration"`
+	DNS                    *string `mapstructure:"dns"`
 
 	// Enterprise Only
 	ManagedServiceProvider []ServiceProviderToken `mapstructure:"managed_service_provider"`

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -17,6 +17,7 @@
         "ACLAgentRecoveryToken": "hidden",
         "ACLAgentToken": "hidden",
         "ACLConfigFileRegistrationToken": "hidden",
+        "ACLDNSToken": "hidden",
         "ACLDefaultToken": "hidden",
         "ACLReplicationToken": "hidden",
         "DataDir": "",

agent/dns.go

@@ -416,7 +416,7 @@ func (d *DNSServer) handlePtr(resp dns.ResponseWriter, req *dns.Msg) {
 	args := structs.DCSpecificRequest{
 		Datacenter: datacenter,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 		},
 	}
@@ -452,7 +452,7 @@ func (d *DNSServer) handlePtr(resp dns.ResponseWriter, req *dns.Msg) {
 		sargs := structs.ServiceSpecificRequest{
 			Datacenter: datacenter,
 			QueryOptions: structs.QueryOptions{
-				Token:      d.agent.tokens.UserToken(),
+				Token:      d.coalesceDNSToken(),
 				AllowStale: cfg.AllowStale,
 			},
 			ServiceAddress: serviceAddress,
@@ -513,7 +513,7 @@ func (d *DNSServer) handleQuery(resp dns.ResponseWriter, req *dns.Msg) {
 
 	cfg := d.config.Load().(*dnsConfig)
 
-	// Setup the message response
+	// Set up the message response
 	m := new(dns.Msg)
 	m.SetReply(req)
 	m.Compress = !cfg.DisableCompression
@@ -875,7 +875,7 @@ func (d *DNSServer) dispatch(remoteAddr net.Addr, req, resp *dns.Msg, maxRecursi
 			ServiceName:    queryParts[len(queryParts)-1],
 			EnterpriseMeta: locality.EnterpriseMeta,
 			QueryOptions: structs.QueryOptions{
-				Token: d.agent.tokens.UserToken(),
+				Token: d.coalesceDNSToken(),
 			},
 		}
 		if args.PeerName == "" {
@@ -1093,7 +1093,7 @@ func (d *DNSServer) nodeLookup(cfg *dnsConfig, lookup nodeLookup, req, resp *dns
 		PeerName:   lookup.PeerName,
 		Node:       lookup.Node,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 		},
 		EnterpriseMeta: lookup.EnterpriseMeta,
@@ -1425,7 +1425,7 @@ func (d *DNSServer) lookupServiceNodes(cfg *dnsConfig, lookup serviceLookup) (st
 		ServiceTags: serviceTags,
 		TagFilter:   lookup.Tag != "",
 		QueryOptions: structs.QueryOptions{
-			Token:            d.agent.tokens.UserToken(),
+			Token:            d.coalesceDNSToken(),
 			AllowStale:       cfg.AllowStale,
 			MaxAge:           cfg.CacheMaxAge,
 			UseCache:         cfg.UseCache,
@@ -1503,7 +1503,7 @@ func (d *DNSServer) preparedQueryLookup(cfg *dnsConfig, datacenter, query string
 		Datacenter:    datacenter,
 		QueryIDOrName: query,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 			MaxAge:     cfg.CacheMaxAge,
 		},
@@ -2172,3 +2172,11 @@ func (d *DNSServer) resolveCNAME(cfg *dnsConfig, name string, maxRecursionLevel
 	d.logger.Error("all resolvers failed for name", "name", name)
 	return nil
 }
+
+func (d *DNSServer) coalesceDNSToken() string {
+	if d.agent.tokens.DNSToken() != "" {
+		return d.agent.tokens.DNSToken()
+	} else {
+		return d.agent.tokens.UserToken()
+	}
+}

agent/dns_ce_test.go

@@ -10,11 +10,12 @@ import (
 	"context"
 	"testing"
 
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/testrpc"
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/require"
 )
 
 func TestDNS_CE_PeeredServices(t *testing.T) {

agent/dns_test.go

@@ -6310,6 +6310,22 @@ func TestDNS_ServiceLookup_SRV_RFC_TCP_Default(t *testing.T) {
 
 }
 
+func initDNSToken(t *testing.T, rpc RPC) {
+	t.Helper()
+
+	reqToken := structs.ACLTokenSetRequest{
+		Datacenter: "dc1",
+		ACLToken: structs.ACLToken{
+			SecretID:          "279d4735-f8ca-4d48-b5cc-c00a9713bbf8",
+			Policies:          nil,
+			TemplatedPolicies: []*structs.ACLTemplatedPolicy{{TemplateName: "builtin/dns"}},
+		},
+		WriteRequest: structs.WriteRequest{Token: "root"},
+	}
+	err := rpc.RPC(context.Background(), "ACL.TokenSet", &reqToken, &structs.ACLToken{})
+	require.NoError(t, err)
+}
+
 func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
@@ -6322,10 +6338,11 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 	}{
 		{"root", 1},
 		{"anonymous", 0},
+		{"dns", 1},
 	}
 	for _, tt := range tests {
 		t.Run("ACLToken == "+tt.token, func(t *testing.T) {
-			a := NewTestAgent(t, `
+			hcl := `
 				primary_datacenter = "dc1"
 
 				acl {
@@ -6335,13 +6352,34 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 
 					tokens {
 						initial_management = "root"
-						default = "`+tt.token+`"
+`
+			if tt.token == "dns" {
+				// Create a UUID for dns token since it doesn't have an alias
+				dnsToken := "279d4735-f8ca-4d48-b5cc-c00a9713bbf8"
+
+				hcl = hcl + `
+						default = "anonymous"
+						dns = "` + dnsToken + `"
+`
+			} else {
+				hcl = hcl + `
+						default = "` + tt.token + `"
+`
+			}
+
+			hcl = hcl + `
 					}
 				}
-			`)
+			`
+
+			a := NewTestAgent(t, hcl)
 			defer a.Shutdown()
 			testrpc.WaitForLeader(t, a.RPC, "dc1")
 
+			if tt.token == "dns" {
+				initDNSToken(t, a)
+			}
+
 			// Register a service
 			args := &structs.RegisterRequest{
 				Datacenter: "dc1",
@@ -6373,6 +6411,7 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 		})
 	}
 }
+
 func TestDNS_ServiceLookup_MetaTXT(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")

agent/testagent.go

@@ -529,6 +529,7 @@ type TestACLConfigParams struct {
 	DefaultToken           string
 	AgentRecoveryToken     string
 	ReplicationToken       string
+	DNSToken               string
 	EnableTokenReplication bool
 }
 
@@ -547,7 +548,8 @@ func (p *TestACLConfigParams) HasConfiguredTokens() bool {
 		p.AgentToken != "" ||
 		p.DefaultToken != "" ||
 		p.AgentRecoveryToken != "" ||
-		p.ReplicationToken != ""
+		p.ReplicationToken != "" ||
+		p.DNSToken != ""
 }
 
 func TestACLConfigNew() string {
@@ -557,6 +559,7 @@ func TestACLConfigNew() string {
 		InitialManagementToken: "root",
 		AgentToken:             "root",
 		AgentRecoveryToken:     "towel",
+		DNSToken:               "dns",
 	})
 }
 

agent/token/persistence.go

@@ -26,6 +26,7 @@ type Config struct {
 	ACLAgentRecoveryToken          string
 	ACLReplicationToken            string
 	ACLConfigFileRegistrationToken string
+	ACLDNSToken                    string
 
 	EnterpriseConfig
 }
@@ -77,6 +78,7 @@ type persistedTokens struct {
 	Default                string `json:"default,omitempty"`
 	Agent                  string `json:"agent,omitempty"`
 	ConfigFileRegistration string `json:"config_file_service_registration,omitempty"`
+	DNS                    string `json:"dns,omitempty"`
 }
 
 type fileStore struct {
@@ -144,6 +146,16 @@ func loadTokens(s *Store, cfg Config, tokens persistedTokens, logger Logger) {
 		s.UpdateConfigFileRegistrationToken(cfg.ACLConfigFileRegistrationToken, TokenSourceConfig)
 	}
 
+	if tokens.DNS != "" {
+		s.UpdateDNSToken(tokens.DNS, TokenSourceAPI)
+
+		if cfg.ACLDNSToken != "" {
+			logger.Warn("\"dns\" token present in both the configuration and persisted token store, using the persisted token")
+		}
+	} else {
+		s.UpdateDNSToken(cfg.ACLDNSToken, TokenSourceConfig)
+	}
+
 	loadEnterpriseTokens(s, cfg)
 }
 
@@ -206,6 +218,10 @@ func (p *fileStore) saveToFile(s *Store) error {
 		tokens.ConfigFileRegistration = tok
 	}
 
+	if tok, source := s.DNSTokenAndSource(); tok != "" && source == TokenSourceAPI {
+		tokens.DNS = tok
+	}
+
 	data, err := json.Marshal(tokens)
 	if err != nil {
 		p.logger.Warn("failed to persist tokens", "error", err)