Add fields to the /acl/auth-methods endpoint. (#9741)

* A GET of the /acl/auth-method/:name endpoint returns the fields
MaxTokenTTL and TokenLocality, while a LIST (/acl/auth-methods) does
not.

The list command returns a filtered subset of the full set. This is
somewhat deliberate, so that secrets aren't shown, but the TTL and
Locality fields aren't (IMO) security critical, and it is useful for
the front end to be able to show them.

For consistency these changes mirror the 'omit empty' and string
representation choices made for the GET call.

This includes changes to the gRPC and API code in the client.

The new output looks similar to this
curl 'http://localhost:8500/v1/acl/auth-methods' | jq '.'

  {
    "MaxTokenTTL": "8m20s",
    "Name": "minikube-ttl-local2",
    "Type": "kubernetes",
    "Description": "minikube auth method",
    "TokenLocality": "local",
    "CreateIndex": 530,
    "ModifyIndex": 530,
    "Namespace": "default"
  }
]

Signed-off-by: Mark Anderson <[email protected]>

* Add changelog

Signed-off-by: Mark Anderson <[email protected]>

.changelog/9741.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: extend the auth-methods list endpoint to include MaxTokenTTL and TokenLocality fields.
+```

agent/acl_endpoint_test.go

@@ -1201,6 +1201,8 @@ func TestACL_LoginProcedure_HTTP(t *testing.T) {
 				Config: map[string]interface{}{
 					"SessionID": testSessionID,
 				},
+				TokenLocality: "global",
+				MaxTokenTTL:   500_000_000_000,
 			}
 
 			req, _ := http.NewRequest("PUT", "/v1/acl/auth-method?token=root", jsonBody(methodInput))
@@ -1284,6 +1286,7 @@ func TestACL_LoginProcedure_HTTP(t *testing.T) {
 			resp := httptest.NewRecorder()
 			raw, err := a.srv.ACLAuthMethodList(resp, req)
 			require.NoError(t, err)
+
 			methods, ok := raw.(structs.ACLAuthMethodListStubs)
 			require.True(t, ok)
 
@@ -1297,6 +1300,8 @@ func TestACL_LoginProcedure_HTTP(t *testing.T) {
 						require.Equal(t, expected.Name, actual.Name)
 						require.Equal(t, expected.Type, actual.Type)
 						require.Equal(t, expected.Description, actual.Description)
+						require.Equal(t, expected.MaxTokenTTL, actual.MaxTokenTTL)
+						require.Equal(t, expected.TokenLocality, actual.TokenLocality)
 						require.Equal(t, expected.CreateIndex, actual.CreateIndex)
 						require.Equal(t, expected.ModifyIndex, actual.ModifyIndex)
 						found = true

agent/structs/acl.go

@@ -1090,13 +1090,16 @@ func (rules ACLBindingRules) Sort() {
 	})
 }
 
+// Note: this is a subset of ACLAuthMethod's fields
 type ACLAuthMethodListStub struct {
-	Name        string
-	Type        string
-	DisplayName string `json:",omitempty"`
-	Description string `json:",omitempty"`
-	CreateIndex uint64
-	ModifyIndex uint64
+	Name          string
+	Type          string
+	DisplayName   string        `json:",omitempty"`
+	Description   string        `json:",omitempty"`
+	MaxTokenTTL   time.Duration `json:",omitempty"`
+	TokenLocality string        `json:",omitempty"`
+	CreateIndex   uint64
+	ModifyIndex   uint64
 	EnterpriseMeta
 }
 
@@ -1106,12 +1109,34 @@ func (p *ACLAuthMethod) Stub() *ACLAuthMethodListStub {
 		Type:           p.Type,
 		DisplayName:    p.DisplayName,
 		Description:    p.Description,
+		MaxTokenTTL:    p.MaxTokenTTL,
+		TokenLocality:  p.TokenLocality,
 		CreateIndex:    p.CreateIndex,
 		ModifyIndex:    p.ModifyIndex,
 		EnterpriseMeta: p.EnterpriseMeta,
 	}
 }
 
+// This is nearly identical to the ACLAuthMethod MarshalJSON
+// Unmarshaling is not implemented because the API is read only
+func (m *ACLAuthMethodListStub) MarshalJSON() ([]byte, error) {
+	type Alias ACLAuthMethodListStub
+	exported := &struct {
+		MaxTokenTTL string `json:",omitempty"`
+		*Alias
+	}{
+		MaxTokenTTL: m.MaxTokenTTL.String(),
+		Alias:       (*Alias)(m),
+	}
+	if m.MaxTokenTTL == 0 {
+		exported.MaxTokenTTL = ""
+	}
+
+	data, err := json.Marshal(exported)
+
+	return data, err
+}
+
 type ACLAuthMethods []*ACLAuthMethod
 type ACLAuthMethodListStubs []*ACLAuthMethodListStub
 

api/acl.go

@@ -270,16 +270,61 @@ type ACLAuthMethodNamespaceRule struct {
 type ACLAuthMethodListEntry struct {
 	Name        string
 	Type        string
-	DisplayName string `json:",omitempty"`
-	Description string `json:",omitempty"`
-	CreateIndex uint64
-	ModifyIndex uint64
+	DisplayName string        `json:",omitempty"`
+	Description string        `json:",omitempty"`
+	MaxTokenTTL time.Duration `json:",omitempty"`
+
+	// TokenLocality defines the kind of token that this auth method produces.
+	// This can be either 'local' or 'global'. If empty 'local' is assumed.
+	TokenLocality string `json:",omitempty"`
+	CreateIndex   uint64
+	ModifyIndex   uint64
 
 	// Namespace is the namespace the ACLAuthMethodListEntry is associated with.
 	// Namespacing is a Consul Enterprise feature.
 	Namespace string `json:",omitempty"`
 }
 
+// This is nearly identical to the ACLAuthMethod MarshalJSON
+func (m *ACLAuthMethodListEntry) MarshalJSON() ([]byte, error) {
+	type Alias ACLAuthMethodListEntry
+	exported := &struct {
+		MaxTokenTTL string `json:",omitempty"`
+		*Alias
+	}{
+		MaxTokenTTL: m.MaxTokenTTL.String(),
+		Alias:       (*Alias)(m),
+	}
+	if m.MaxTokenTTL == 0 {
+		exported.MaxTokenTTL = ""
+	}
+
+	return json.Marshal(exported)
+}
+
+// This is nearly identical to the ACLAuthMethod UnmarshalJSON
+func (m *ACLAuthMethodListEntry) UnmarshalJSON(data []byte) error {
+	type Alias ACLAuthMethodListEntry
+	aux := &struct {
+		MaxTokenTTL string
+		*Alias
+	}{
+		Alias: (*Alias)(m),
+	}
+
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+	var err error
+	if aux.MaxTokenTTL != "" {
+		if m.MaxTokenTTL, err = time.ParseDuration(aux.MaxTokenTTL); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // ParseKubernetesAuthMethodConfig takes a raw config map and returns a parsed
 // KubernetesAuthMethodConfig.
 func ParseKubernetesAuthMethodConfig(raw map[string]interface{}) (*KubernetesAuthMethodConfig, error) {

api/acl_test.go

@@ -3,6 +3,7 @@ package api
 import (
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 
@@ -657,6 +658,101 @@ func TestAPI_ACLToken_Clone(t *testing.T) {
 	require.Equal(t, cloned, read)
 }
 
+//
+func TestAPI_AuthMethod_List(t *testing.T) {
+	t.Parallel()
+	c, s := makeACLClient(t)
+	defer s.Stop()
+
+	acl := c.ACL()
+	s.WaitForSerfCheck(t)
+
+	method1 := ACLAuthMethod{
+		Name:          "test_1",
+		Type:          "kubernetes",
+		Description:   "test 1",
+		MaxTokenTTL:   260 * time.Second,
+		TokenLocality: "global",
+		Config:        AuthMethodCreateKubernetesConfigHelper(),
+	}
+
+	created1, wm, err := acl.AuthMethodCreate(&method1, nil)
+
+	require.NoError(t, err)
+	require.NotNil(t, created1)
+	require.NotEqual(t, "", created1.Name)
+	require.NotEqual(t, 0, wm.RequestTime)
+
+	method2 := ACLAuthMethod{
+		Name:          "test_2",
+		Type:          "kubernetes",
+		Description:   "test 2",
+		MaxTokenTTL:   0,
+		TokenLocality: "local",
+		Config:        AuthMethodCreateKubernetesConfigHelper(),
+	}
+
+	_, _, err = acl.AuthMethodCreate(&method2, nil)
+	require.NoError(t, err)
+
+	entries, _, err := acl.AuthMethodList(nil)
+	require.NoError(t, err)
+	require.NotNil(t, entries)
+	require.Equal(t, 2, len(entries))
+
+	{
+		entry := entries[0]
+		require.Equal(t, "test_1", entry.Name)
+		require.Equal(t, 260*time.Second, entry.MaxTokenTTL)
+		require.Equal(t, "global", entry.TokenLocality)
+	}
+	{
+		entry := entries[1]
+		require.Equal(t, "test_2", entry.Name)
+		require.Equal(t, time.Duration(0), entry.MaxTokenTTL)
+		require.Equal(t, "local", entry.TokenLocality)
+	}
+}
+
+func AuthMethodCreateKubernetesConfigHelper() (result map[string]interface{}) {
+	var pemData = `
+-----BEGIN CERTIFICATE-----
+MIIE1DCCArwCCQC2kx7TchbxAzANBgkqhkiG9w0BAQsFADAsMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUwHhcNMjEwMTI3MDIzNDA1
+WhcNMjIwMTI3MDIzNDA1WjAsMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAO
+BgNVBAcMB1NlYXR0bGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt
+j3zRFLg2A2DcZFwoc1HvIsGzqcfvxjee/OQjKyIuXbdpbJGIahB2piNYtd49zU/5
+ofRAuqIQOco3V9LfL52I7NchNBvPQOrXjbpcM3qF2qQvunVlnnaPCIf8S5hsFMaq
+w2/+jnLjaUdXGJ9bold5E/bms87uRahvhUpY7MhkSDNsAen+YThpwucc9JFRmrz3
+EXGtTzcpyEn9b0s6ut9mum2UVqghAQyLeW8cNx1zeg6Bi5USjOKF6CQgF7o4kZ9X
+D0Nk5vB9eePs/q5N9LHkDFKVCmzAYgzcQeGZFEzNcgK7N5y+aB2xXKpH3tydpwRd
+uS+g05Jvk8M8P34wteUb8tq3jZuY7UYzlINMSrPuZdFhcGjmxPjC5hl1SZy4vF1s
+GAD9RsleTZ8yeC6Cfo4mba214C9CqYkC2NBw2HO53pzO/tYI844QPhjmVBJ7bb35
+S052HD7m+AzbfY6w9CDH4D4mzIM4u1yRB6OlXdXTH58BhgxHdEnugLYr13QlVWRW
+4nZgMFKiTY7cBscpPcVRsne/VR9VwSatp3adj+G8+WUtwQLJC2OcCFYvmHfdSOs0
+B15LH/tGeJcfKViKC9ifPq5abVZByr66jTQMAdBWet03OBnmLqJs9TI4wci0MkK/
+HlHYdy734rReD81LY9fCRCRFV4ZtMx2rfj7cqgKLlwIDAQABMA0GCSqGSIb3DQEB
+CwUAA4ICAQB6ji6wA9ROFx8ZhLPlEnDiielSUN8LR2K8cmAjxxffJo3GxRH/zZYl
+CM+DzU5VVzW6RGWuTNzcFNsxlaRx20sj5RyXLH90wFYLO2Rrs1XKWmqpfdN0Iiue
+W7rYdNPV7YPjIVQVoijEt8kwx24jE9mU5ILXe4+WKPWavG+dHA1r8lQdg7wmE/8R
+E/nSVtusuX0JRVdL96iy2HB37DYj+rJEE0C7fKAk51o0C4F6fOzUsWCaP/23pZNI
+rA6hCq2CJeT4ObVukCIrnylrckZs8ElcZ7PvJ9bCNvma+dAxbL0uEkv0q0feLeVh
+OTttNIVTUjYjr3KE6rtE1Rr35R/6HCK+zZDOkKf+TVEQsFuI4DRVEuntzjo9bgZf
+fAL6G+UXpzW440BJzmzADnSthawMZFdqVrrBzpzb+B2d9VLDEoyCCFzaJyj/Gyff
+kqxRFTHZJRKC/3iIRXOX64bIr1YmXHFHCBkcq7eyh1oeaTrGZ43HimaveWwcsPv/
+SxTJANJHqf4BiFtVjN7LZXi3HUIRAsceEbd0TfW5be9SQ0tbDyyGYt/bXtBLGTIh
+9kerr9eWDHlpHMTyP01+Ua3EacbfgrmvD9sa3s6gC4SnwlvLdubmyLwoorCs77eF
+15bSOU7NsVZfwLw+M+DyNWPxI1BR/XOP+YoyTgIEChIC9eYnmlWU2Q==
+-----END CERTIFICATE-----`
+
+	result = map[string]interface{}{
+		"Host":              "https://192.0.2.42:8443",
+		"CACert":            pemData,
+		"ServiceAccountJWT": `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImQxYTZiYzE5LWZiODItNDI5ZC05NmUxLTg1YTFjYjEyNGQ3MCIsImlhdCI6MTYxMTcxNTQ5NiwiZXhwIjoxNjExNzE5MDk2fQ.rrVS5h1Yw20eI41RsTl2YAqzKKikKNg3qMkDmspTPQs`,
+	}
+	return
+}
+
 func TestAPI_RulesTranslate_FromToken(t *testing.T) {
 	t.Parallel()
 	c, s := makeACLClient(t)