hashicorp · johnlanda · Sep 20, 2023 · Jun 28, 2023 · Sep 20, 2023 · Sep 20, 2023
@@ -0,0 +1,3 @@
+```release-note:feature
+acl: Add new `acl.tokens.dns` config field which specifies the token used implicitly during dns checks.
+```
@@ -1531,6 +1531,9 @@ func (s *HTTPHandlers) AgentToken(resp http.ResponseWriter, req *http.Request) (
 		case "config_file_service_registration":
 			s.agent.tokens.UpdateConfigFileRegistrationToken(args.Token, token_store.TokenSourceAPI)
 
+		case "dns_token", "dns":
+			s.agent.tokens.UpdateDNSToken(args.Token, token_store.TokenSourceAPI)
+
 		default:
 			return HTTPError{StatusCode: http.StatusNotFound, Reason: fmt.Sprintf("Token %q is unknown", target)}
 		}

@@ -882,6 +882,7 @@ func (b *builder) build() (rt RuntimeConfig, err error) {
 			ACLAgentRecoveryToken:          stringVal(c.ACL.Tokens.AgentRecovery),
 			ACLReplicationToken:            stringVal(c.ACL.Tokens.Replication),
 			ACLConfigFileRegistrationToken: stringVal(c.ACL.Tokens.ConfigFileRegistration),
+			ACLDNSToken:                    stringVal(c.ACL.Tokens.DNS),
 		},
 
 		// Autopilot

@@ -778,6 +778,7 @@ type Tokens struct {
 	Default                *string `mapstructure:"default"`
 	Agent                  *string `mapstructure:"agent"`
 	ConfigFileRegistration *string `mapstructure:"config_file_service_registration"`
+	DNS                    *string `mapstructure:"dns"`
 
 	// Enterprise Only
 	ManagedServiceProvider []ServiceProviderToken `mapstructure:"managed_service_provider"`

@@ -17,6 +17,7 @@
         "ACLAgentRecoveryToken": "hidden",
         "ACLAgentToken": "hidden",
         "ACLConfigFileRegistrationToken": "hidden",
+        "ACLDNSToken": "hidden",
         "ACLDefaultToken": "hidden",
         "ACLReplicationToken": "hidden",
         "DataDir": "",

@@ -416,7 +416,7 @@ func (d *DNSServer) handlePtr(resp dns.ResponseWriter, req *dns.Msg) {
 	args := structs.DCSpecificRequest{
 		Datacenter: datacenter,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 		},
 	}
@@ -452,7 +452,7 @@ func (d *DNSServer) handlePtr(resp dns.ResponseWriter, req *dns.Msg) {
 		sargs := structs.ServiceSpecificRequest{
 			Datacenter: datacenter,
 			QueryOptions: structs.QueryOptions{
-				Token:      d.agent.tokens.UserToken(),
+				Token:      d.coalesceDNSToken(),
 				AllowStale: cfg.AllowStale,
 			},
 			ServiceAddress: serviceAddress,
@@ -513,7 +513,7 @@ func (d *DNSServer) handleQuery(resp dns.ResponseWriter, req *dns.Msg) {
 
 	cfg := d.config.Load().(*dnsConfig)
 
-	// Setup the message response
+	// Set up the message response
 	m := new(dns.Msg)
 	m.SetReply(req)
 	m.Compress = !cfg.DisableCompression
@@ -875,7 +875,7 @@ func (d *DNSServer) dispatch(remoteAddr net.Addr, req, resp *dns.Msg, maxRecursi
 			ServiceName:    queryParts[len(queryParts)-1],
 			EnterpriseMeta: locality.EnterpriseMeta,
 			QueryOptions: structs.QueryOptions{
-				Token: d.agent.tokens.UserToken(),
+				Token: d.coalesceDNSToken(),
 			},
 		}
 		if args.PeerName == "" {
@@ -1093,7 +1093,7 @@ func (d *DNSServer) nodeLookup(cfg *dnsConfig, lookup nodeLookup, req, resp *dns
 		PeerName:   lookup.PeerName,
 		Node:       lookup.Node,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 		},
 		EnterpriseMeta: lookup.EnterpriseMeta,
@@ -1425,7 +1425,7 @@ func (d *DNSServer) lookupServiceNodes(cfg *dnsConfig, lookup serviceLookup) (st
 		ServiceTags: serviceTags,
 		TagFilter:   lookup.Tag != "",
 		QueryOptions: structs.QueryOptions{
-			Token:            d.agent.tokens.UserToken(),
+			Token:            d.coalesceDNSToken(),
 			AllowStale:       cfg.AllowStale,
 			MaxAge:           cfg.CacheMaxAge,
 			UseCache:         cfg.UseCache,
@@ -1503,7 +1503,7 @@ func (d *DNSServer) preparedQueryLookup(cfg *dnsConfig, datacenter, query string
 		Datacenter:    datacenter,
 		QueryIDOrName: query,
 		QueryOptions: structs.QueryOptions{
-			Token:      d.agent.tokens.UserToken(),
+			Token:      d.coalesceDNSToken(),
 			AllowStale: cfg.AllowStale,
 			MaxAge:     cfg.CacheMaxAge,
 		},
@@ -2172,3 +2172,11 @@ func (d *DNSServer) resolveCNAME(cfg *dnsConfig, name string, maxRecursionLevel
 	d.logger.Error("all resolvers failed for name", "name", name)
 	return nil
 }
+
+func (d *DNSServer) coalesceDNSToken() string {
+	if d.agent.tokens.DNSToken() != "" {
+		return d.agent.tokens.DNSToken()
+	} else {
+		return d.agent.tokens.UserToken()
+	}
+}
@@ -10,11 +10,12 @@ import (
 	"context"
 	"testing"
 
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/require"
+
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/testrpc"
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/require"
 )
 
 func TestDNS_CE_PeeredServices(t *testing.T) {

@@ -6310,6 +6310,22 @@ func TestDNS_ServiceLookup_SRV_RFC_TCP_Default(t *testing.T) {
 
 }
 
+func initDNSToken(t *testing.T, rpc RPC) {
+	t.Helper()
+
+	reqToken := structs.ACLTokenSetRequest{
+		Datacenter: "dc1",
+		ACLToken: structs.ACLToken{
+			SecretID:          "279d4735-f8ca-4d48-b5cc-c00a9713bbf8",
+			Policies:          nil,
+			TemplatedPolicies: []*structs.ACLTemplatedPolicy{{TemplateName: "builtin/dns"}},
+		},
+		WriteRequest: structs.WriteRequest{Token: "root"},
+	}
+	err := rpc.RPC(context.Background(), "ACL.TokenSet", &reqToken, &structs.ACLToken{})
+	require.NoError(t, err)
+}
+
 func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
@@ -6322,10 +6338,11 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 	}{
 		{"root", 1},
 		{"anonymous", 0},
+		{"dns", 1},
 	}
 	for _, tt := range tests {
 		t.Run("ACLToken == "+tt.token, func(t *testing.T) {
-			a := NewTestAgent(t, `
+			hcl := `
 				primary_datacenter = "dc1"
 
 				acl {
@@ -6335,13 +6352,34 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 
 					tokens {
 						initial_management = "root"
-						default = "`+tt.token+`"
+`
+			if tt.token == "dns" {
+				// Create a UUID for dns token since it doesn't have an alias
+				dnsToken := "279d4735-f8ca-4d48-b5cc-c00a9713bbf8"
+
+				hcl = hcl + `
+						default = "anonymous"
+						dns = "` + dnsToken + `"
+`
+			} else {
+				hcl = hcl + `
+						default = "` + tt.token + `"
+`
+			}
+
+			hcl = hcl + `
 					}
 				}
-			`)
+			`
+
+			a := NewTestAgent(t, hcl)
 			defer a.Shutdown()
 			testrpc.WaitForLeader(t, a.RPC, "dc1")
 
+			if tt.token == "dns" {
+				initDNSToken(t, a)
+			}
+
 			// Register a service
 			args := &structs.RegisterRequest{
 				Datacenter: "dc1",
@@ -6373,6 +6411,7 @@ func TestDNS_ServiceLookup_FilterACL(t *testing.T) {
 		})
 	}
 }
+
 func TestDNS_ServiceLookup_MetaTXT(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")

@@ -529,6 +529,7 @@ type TestACLConfigParams struct {
 	DefaultToken           string
 	AgentRecoveryToken     string
 	ReplicationToken       string
+	DNSToken               string
 	EnableTokenReplication bool
 }
 
@@ -547,7 +548,8 @@ func (p *TestACLConfigParams) HasConfiguredTokens() bool {
 		p.AgentToken != "" ||
 		p.DefaultToken != "" ||
 		p.AgentRecoveryToken != "" ||
-		p.ReplicationToken != ""
+		p.ReplicationToken != "" ||
+		p.DNSToken != ""
 }
 
 func TestACLConfigNew() string {
@@ -557,6 +559,7 @@ func TestACLConfigNew() string {
 		InitialManagementToken: "root",
 		AgentToken:             "root",
 		AgentRecoveryToken:     "towel",
+		DNSToken:               "dns",
 	})
 }
 

@@ -26,6 +26,7 @@ type Config struct {
 	ACLAgentRecoveryToken          string
 	ACLReplicationToken            string
 	ACLConfigFileRegistrationToken string
+	ACLDNSToken                    string
 
 	EnterpriseConfig
 }
@@ -77,6 +78,7 @@ type persistedTokens struct {
 	Default                string `json:"default,omitempty"`
 	Agent                  string `json:"agent,omitempty"`
 	ConfigFileRegistration string `json:"config_file_service_registration,omitempty"`
+	DNS                    string `json:"dns,omitempty"`
 }
 
 type fileStore struct {
@@ -144,6 +146,16 @@ func loadTokens(s *Store, cfg Config, tokens persistedTokens, logger Logger) {
 		s.UpdateConfigFileRegistrationToken(cfg.ACLConfigFileRegistrationToken, TokenSourceConfig)
 	}
 
+	if tokens.DNS != "" {
+		s.UpdateDNSToken(tokens.DNS, TokenSourceAPI)
+
+		if cfg.ACLDNSToken != "" {
+			logger.Warn("\"dns\" token present in both the configuration and persisted token store, using the persisted token")
+		}
+	} else {
+		s.UpdateDNSToken(cfg.ACLDNSToken, TokenSourceConfig)
+	}
+
 	loadEnterpriseTokens(s, cfg)
 }
 
@@ -206,6 +218,10 @@ func (p *fileStore) saveToFile(s *Store) error {
 		tokens.ConfigFileRegistration = tok
 	}
 
+	if tok, source := s.DNSTokenAndSource(); tok != "" && source == TokenSourceAPI {
+		tokens.DNS = tok
+	}
+
 	data, err := json.Marshal(tokens)
 	if err != nil {
 		p.logger.Warn("failed to persist tokens", "error", err)