consul: correctly check consul acl token namespace when using consul oss

[shoenig]

This PR fixes the Nomad Object Namespace <-> Consul ACL Token relationship
check when using Consul OSS (or Consul ENT without namespace support).

Nomad v1.1.0 introduced a regression where Nomad would fail the validation
when submitting Connect jobs and allow_unauthenticated set to true, with
Consul OSS - because it would do the namespace check against the Consul ACL
token assuming the "default" namespace, which does not work because Consul OSS
does not have namespaces.

Instead of making the bad assumption, expand the namespace check to handle
each special case explicitly.

Fixes #10718

[notnoop]

Few questions; approach seems reasonable.

[notnoop]

I find it a bit easier if the common cases are grouped together, and special cases are together. I'd suggest moving this case to be the second.

[notnoop]

I found it a tad harder to reason through conditions, maybe because of ordering. I would probably find it easier if the conditions were order the following way:

1. namespace == token.Namespace: either ACL not enabled, or it's enabled and they match
2. token.Namespace == "default": special case
3. token.Namespace != "default" && namespace == "" <- token.Namespace != "default" is redundant here but included for explicitness
4. default: the mismatch case

[shoenig]

Thanks for this suggestion, this is easier to read 🙂

[notnoop]

I'm not familiar with namespace_prefix. Is it only applicable if token's namespace is default? Why doesn't it apply in the default or token.Namespace != "default" cases? Is a special case for handling legacy apps only? Might be useful to add more context.

[shoenig]

Yep, Consul token ACL policies can supply namespace or namespace_prefix blocks which give the token permission beyond the "default" namespace. Those blocks are only allowable in tokens in the "default" namespace.

https://www.consul.io/docs/security/acl/acl-rules#namespace-rules

Expanded on the comment to clarify.

[shoenig]

@notnoop I applied your recommendations, thanks for the suggestion.

I also fixed the failing tests, which then made me realize we need to split the tests between oss and ent - they were originally written around the same bad assumption that caused this bug in the first place. So now we also have new files

nomad/consul_oss_test.go
nomad/consul_policy_oss_test.go
nomad/job_endpoint_oss_test.go

which are oriented around the fact that Nomad OSS does not consider the group.consul.namespace field. I'm working on a followup PR for ENT which expands on the same tests but with all combinations of possible input for group.consul.namespace and the Consul token Namespace.

[notnoop]

Looks great. Awesome tests. LGTM.

[notnoop]

I don't know how I personally feel about this style of nested t.Run: When the assertions are simply delegation to try, it feels a simple table tests might read better and is more concise.

[shoenig]

Yeah, for tests like these it's hard to find the right balance between readability of the code and readability of the description of the test. By composing t.Run we get a free way of composing the description, making it obvious what the difference is between one particular test from the tests surrounding it. OTOH it's a lot of lines of code that aren't actually doing anything. I'll take a look at refactoring these tests some more after the bugfix release.

[shoenig]

Spot checking (oss Nomad + oss Consul)

$ nomad job run api.nomad
Error submitting job: Unexpected response code: 500 (job-submitter consul token denied: missing consul token)
$ nomad job run -consul-token $(uuid-tool) api.nomad
Error submitting job: Unexpected response code: 500 (job-submitter consul token denied: unable to read consul token: Unexpected response code: 403 (ACL not found))
$ nomad job run -consul-token 76221243-1631-e241-9b34-ffbcb6c36025 api.nomad
==> Monitoring evaluation "3d2dcf7f"
    Evaluation triggered by job "api"
    Evaluation within deployment: "8afe1793"
    Evaluation status changed: "pending" -> "complete"
==> Evaluation "3d2dcf7f" finished with status "complete"

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.