From 04ad7165e797d1d02751be6e53cec30421d0a288 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Thu, 5 Sep 2024 13:52:32 -0400
Subject: [PATCH] services: reject node secret for Read/List RPC (#23910)

As of Nomad 1.6.0, Nomad clients never make RPC requests to the ServiceRegistrationList/Read RPC without using a specific Workload Identity rather than the node secret. Tighten the ACL permissions on these RPCs so that node secrets are no longer valid tokens.

Ref: https://hashicorp.atlassian.net/browse/NET-10009
Ref: https://developer.hashicorp.com/nomad/docs/release-notes/nomad/upcoming#nomad-1-9-0
---
 .changelog/23910.txt                        |  3 +++
 acl/acl.go                                  |  4 ----
 nomad/service_registration_endpoint_test.go | 24 ++-------------------
 3 files changed, 5 insertions(+), 26 deletions(-)
 create mode 100644 .changelog/23910.txt

diff --git a/.changelog/23910.txt b/.changelog/23910.txt
new file mode 100644
index 000000000..871fc3ce1
--- /dev/null
+++ b/.changelog/23910.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+services: Clients older than 1.5.0 will fail to read Nomad native services via template blocks
+```
diff --git a/acl/acl.go b/acl/acl.go
index 32393b417..59d03aa58 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -906,10 +906,6 @@ func (a *ACL) AllowServiceRegistrationReadList(ns string, isWorkload bool) bool
 	switch {
 	case a == nil:
 		return false
-	case a.client == PolicyRead,
-		a.client == PolicyWrite:
-		// COMPAT: older clients won't send WI tokens for these requests
-		return true
 	case a.aclsDisabled, a.management:
 		return true
 	}
diff --git a/nomad/service_registration_endpoint_test.go b/nomad/service_registration_endpoint_test.go
index 0dff59f03..07d8ef17d 100644
--- a/nomad/service_registration_endpoint_test.go
+++ b/nomad/service_registration_endpoint_test.go
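Review bot: With the `a.client` case gone, a node-secret token no longer short-circuits to `true` and instead falls through to whatever follows the switch, which is outside this hunk; the deny depends on that remaining code treating an ACL that carries only a client policy as having no namespace capability, and the diffstat shows no test in the `acl` package pinning that. A table case in the `acl` package for `AllowServiceRegistrationReadList` with a client-policy ACL (both `PolicyRead` and `PolicyWrite`, with `isWorkload` true and false) would make the guarantee independent of the endpoint tests. The rationale that left with the removed COMPAT comment is worth keeping next to the switch, e.g. `// Node secret tokens (a.client) are intentionally not accepted here: since Nomad 1.6.0 clients present a workload identity for these RPCs.` The function's signature and the rest of its body lie outside the hunk.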
@@ -848,17 +848,7 @@ func TestServiceRegistration_List(t *testing.T) {
 				var serviceRegResp structs.ServiceRegistrationListResponse
 				err = msgpackrpc.CallWithCodec(
 					codec, structs.ServiceRegistrationListRPCMethod, serviceRegReq, &serviceRegResp)
-				require.NoError(t, err)
-				require.ElementsMatch(t, []*structs.ServiceRegistrationListStub{
-					{
-						Namespace: "platform",
-						Services: []*structs.ServiceRegistrationStub{
-							{
-								ServiceName: "countdash-api",
-								Tags:        []string{"bar"},
-							},
-						}},
-				}, serviceRegResp.Services)
+				must.EqError(t, err, structs.ErrPermissionDenied.Error())
 			},
 			name: "ACLs enabled with node secret token",
 		},
@@ -1139,17 +1129,7 @@ func TestServiceRegistration_GetService(t *testing.T) {
 				var serviceRegResp structs.ServiceRegistrationListResponse
 				err = msgpackrpc.CallWithCodec(
 					codec, structs.ServiceRegistrationListRPCMethod, serviceRegReq, &serviceRegResp)
-				require.NoError(t, err)
-				require.ElementsMatch(t, []*structs.ServiceRegistrationListStub{
-					{
-						Namespace: "platform",
-						Services: []*structs.ServiceRegistrationStub{
-							{
-								ServiceName: "countdash-api",
-								Tags:        []string{"bar"},
-							},
-						}},
-				}, serviceRegResp.Services)
+				must.EqError(t, err, "Permission denied")
 			},
 			name: "ACLs enabled using node secret",
 		},
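Review bot: The case name `"ACLs enabled with node secret token"` no longer says what the case expects now that the assertion flipped from a populated list to a permission error; a reader scanning failures cannot tell whether a denial here is the intended outcome. Renaming it to `name: "ACLs enabled with node secret token is denied",` keeps the table self-describing. The enclosing test function and the setup of `serviceRegReq` start outside the hunk.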
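Review bot: The node-secret case inside `TestServiceRegistration_GetService` calls `structs.ServiceRegistrationListRPCMethod` with a `ServiceRegistrationListResponse`, so it exercises the List RPC rather than the Read RPC this commit also tightens; as written, the Read path's rejection of node secrets is not covered by this hunk (the request construction is outside the hunk, so this is inferred from the visible method and response type). It should call the Read RPC method and response type instead, or a separate node-secret case should be added for Read. Separately, the assertion uses the literal `"Permission denied"` while the List test uses `structs.ErrPermissionDenied.Error()`; `must.EqError(t, err, structs.ErrPermissionDenied.Error())` keeps both tests tied to the sentinel.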