From 037823e8641dcad06b7dcd60531a17be91f7c680 Mon Sep 17 00:00:00 2001
From: Michael Schurter
Date: Thu, 16 Feb 2023 10:32:21 -0800
Subject: [PATCH] Minor post-1.5-beta1 API, code, and docs cleanups (#16193)

* api: return error on parse failure
* docs: clarify anonymous policy with task api
---
 command/agent/variable_endpoint.go | 3 +--
 nomad/variables_endpoint.go | 10 +++++-----
 website/content/api-docs/task-api.mdx | 6 ++++--
 website/content/docs/concepts/workload-identity.mdx | 6 ------
 4 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/command/agent/variable_endpoint.go b/command/agent/variable_endpoint.go
index bbf8b03bc..98c581d54 100644
--- a/command/agent/variable_endpoint.go
+++ b/command/agent/variable_endpoint.go
@@ -16,7 +16,6 @@ func (s *HTTPServer) VariablesListRequest(resp http.ResponseWriter, req *http.Re
 
 	args := structs.VariablesListRequest{}
 	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
-		//TODO(schmichael) shouldn't we return something here?!
 		return nil, CodedError(http.StatusBadRequest, "failed to parse parameters")
 	}
 
@@ -56,7 +55,7 @@ func (s *HTTPServer) variableQuery(resp http.ResponseWriter, req *http.Request,
 		Path: path,
 	}
 	if s.parse(resp, req, &args.Region, &args.QueryOptions) {
-		return nil, nil
+		return nil, CodedError(http.StatusBadRequest, "failed to parse parameters")
 	}
 	var out structs.VariablesReadResponse
 	if err := s.agent.RPC(structs.VariablesReadRPCMethod, &args, &out); err != nil {
diff --git a/nomad/variables_endpoint.go b/nomad/variables_endpoint.go
index 94fdd5080..be43d0677 100644
--- a/nomad/variables_endpoint.go
+++ b/nomad/variables_endpoint.go
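Review bot: The new `return nil, CodedError(http.StatusBadRequest, "failed to parse parameters")` in variableQuery (and the identical line kept in VariablesListRequest once its TODO is dropped) may produce a double response: `s.parse` is handed `resp`, which suggests it already writes its own 400 before returning true, in which case the agent's error wrapper will attempt a second WriteHeader and body. That would explain why the original code returned `nil, nil` here, so this is worth confirming against `parse`/`parseWait` and the HTTP handler tests (look for a "superfluous response.WriteHeader call" log line) before relying on the CodedError path. If parse does not write to resp and the CodedError is kept, consider a single package-level `errParseParams` so both handlers stay in sync, and have the message name the offending parameter rather than the generic "failed to parse parameters" so operators can tell a bad `wait`/`index` from a bad namespace. variableQuery's body continues outside the hunk.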
@@ -496,7 +496,7 @@ func (sv *Variables) decrypt(v *structs.VariableEncrypted) (*structs.VariableDec
 
 // handleMixedAuthEndpoint is a helper to handle auth on RPC endpoints that can
 // either be called by external clients or by workload identity
-func (sv *Variables) handleMixedAuthEndpoint(args structs.QueryOptions, cap, pathOrPrefix string) (*acl.ACL, *structs.IdentityClaims, error) {
+func (sv *Variables) handleMixedAuthEndpoint(args structs.QueryOptions, policy, pathOrPrefix string) (*acl.ACL, *structs.IdentityClaims, error) {
 	var aclObj *acl.ACL
 	var err error
 
@@ -509,7 +509,7 @@ func (sv *Variables) handleMixedAuthEndpoint(args structs.QueryOptions, cap, pat
 	}
 
 	claims := args.GetIdentity().GetClaims()
-	err = sv.authorize(aclObj, claims, args.RequestNamespace(), cap, pathOrPrefix)
+	err = sv.authorize(aclObj, claims, args.RequestNamespace(), policy, pathOrPrefix)
 	if err != nil {
 		return aclObj, claims, err
 	}
@@ -517,7 +517,7 @@ func (sv *Variables) handleMixedAuthEndpoint(args structs.QueryOptions, cap, pat
 	return aclObj, claims, nil
 }
 
-func (sv *Variables) authorize(aclObj *acl.ACL, claims *structs.IdentityClaims, ns, cap, pathOrPrefix string) error {
+func (sv *Variables) authorize(aclObj *acl.ACL, claims *structs.IdentityClaims, ns, policy, pathOrPrefix string) error {
 	if aclObj == nil && claims == nil {
 		return nil // ACLs aren't enabled
@@ -526,7 +526,7 @@ func (sv *Variables) authorize(aclObj *acl.ACL, claims *structs.IdentityClaims,
 	// Perform normal ACL validation. If the ACL object is nil, that means we're
 	// working with an identity claim.
 	if aclObj != nil {
-		if !aclObj.AllowVariableOperation(ns, pathOrPrefix, cap) {
+		if !aclObj.AllowVariableOperation(ns, pathOrPrefix, policy) {
 			return structs.ErrPermissionDenied
 		}
 		return nil
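Review bot: The doc comment on handleMixedAuthEndpoint says nothing about the renamed `policy` parameter, and from the way it is forwarded unchanged into `aclObj.AllowVariableOperation(ns, pathOrPrefix, policy)` it appears to be the variable operation being authorized rather than an ACL policy document, so the new name is easy to misread next to the "anonymous policy" wording this same commit adds to the docs. Dropping the `cap` name is right (it shadowed the builtin), but I would extend the comment with `// policy is the variable operation the caller must be permitted to perform on pathOrPrefix, checked against either the caller's ACL token or its workload identity claims.`, confirming the exact set of values against the callers, or rename it to `op`/`capability` to match AllowVariableOperation. handleMixedAuthEndpoint's body continues outside the hunk.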
@@ -547,7 +547,7 @@ func (sv *Variables) authorize(aclObj *acl.ACL, claims *structs.IdentityClaims,
 		return err // this only returns an error when the state store has gone wrong
 	}
 	if aclObj != nil && aclObj.AllowVariableOperation(
-		ns, pathOrPrefix, cap) {
+		ns, pathOrPrefix, policy) {
 		return nil
 	}
 }
diff --git a/website/content/api-docs/task-api.mdx b/website/content/api-docs/task-api.mdx
index 8384c49ea..d7db63f99 100644
--- a/website/content/api-docs/task-api.mdx
+++ b/website/content/api-docs/task-api.mdx
@@ -31,10 +31,11 @@ to Nomad.
 
 Unlike the agent's HTTP API, the Task API *always requires authentication* even
 if [ACLs][acl] are disabled. This allows Nomad to always make the Task API
-available even if the workload is untrusted.
+available even if the workload is untrusted. If ACLs are enabled, the [anonymous
+policy][anon] is not available via the Task API.
 
 Both [ACL Tokens][acl-tokens] and [Workload Identities][workload-id] are
-accepted. Once the Task API has authneticated the credentials, the normal
+accepted. Once the Task API has authenticated the credentials, the normal
 endpoint-specific authorization is applied when ACLs are enabled. The Workload
 Identity should be used by tasks accessing the Task API.
 
@@ -94,6 +95,7 @@ $ nomad node status -filter 'Meta.example == "Hello World!"'
 [acl]: /nomad/docs/concepts/acl
 [acl-tokens]: /nomad/docs/concepts/acl#token
 [alloc-exec]: /nomad/docs/commands/alloc/exec
+[anon]: /nomad/tutorials/access-control/access-control#acl-policies
 [bind_addr]: /nomad/docs/configuration
 [mTLS]: /nomad/tutorials/transport-security/security-enable-tls
 [task-user]: /nomad/docs/job-specification/task#user
diff --git a/website/content/docs/concepts/workload-identity.mdx b/website/content/docs/concepts/workload-identity.mdx
index e85f7db87..4fcbb0c52 100644
--- a/website/content/docs/concepts/workload-identity.mdx
+++ b/website/content/docs/concepts/workload-identity.mdx
@@ -90,13 +90,7 @@ nomad acl policy apply \
   redis-policy ./policy.hcl
 ```
 
-## Using Workload Identity
-
-In Nomad 1.4.0 the workload identity is used only for `template`
-access to [Variables][] and not exposed outside of Nomad.
-
 [allocation]: /nomad/docs/concepts/architecture#allocation
 [identity-block]: /nomad/docs/job-specification/identity
 [plan applier]: /nomad/docs/concepts/scheduling/scheduling
-[Variables]: /nomad/docs/concepts/variables
 [JSON Web Token (JWT)]: https://datatracker.ietf.org/doc/html/rfc7519