From 67bbcc4a4fc6093fdb005ed9038a593de715d8f2 Mon Sep 17 00:00:00 2001
From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
Date: Thu, 30 Nov 2023 20:09:19 +0100
Subject: [PATCH] cli: setup consul proper ns handling (#19237)

In order to correctly handle Consul namespaces, auth methods and binding rules must always be created in the default namespace only.

---------

Co-authored-by: Luiz Aoqui
---
 .../consul-wi-default-auth-method-config.json | 9 +++-
 command/setup_consul.go | 52 +++++++++++++++----
 2 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/command/asset/consul-wi-default-auth-method-config.json b/command/asset/consul-wi-default-auth-method-config.json
index eeb469164..20fe590b0 100644
--- a/command/asset/consul-wi-default-auth-method-config.json
+++ b/command/asset/consul-wi-default-auth-method-config.json
@@ -1,8 +1,13 @@
 {
   "JWKSURL": "http://localhost:4646/.well-known/jwks.json",
-  "JWTSupportedAlgs": ["ES256"],
-  "BoundAudiences": ["consul.io"],
+  "JWTSupportedAlgs": [
+    "ES256"
+  ],
+  "BoundAudiences": [
+    "consul.io"
+  ],
   "ClaimMappings": {
+    "consul_namespace": "consul_namespace",
     "nomad_namespace": "nomad_namespace",
     "nomad_job_id": "nomad_job_id",
     "nomad_task": "nomad_task",
diff --git a/command/setup_consul.go b/command/setup_consul.go
index 335da07e1..b703d092c 100644
--- a/command/setup_consul.go
+++ b/command/setup_consul.go
@@ -407,7 +407,13 @@ consul {
 }
 
 func (s *SetupConsulCommand) authMethodExists(authMethodName string) bool {
-	existingMethods, _, _ := s.client.ACL().AuthMethodList(nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		// auth methods are created in the default ns
+		qo.Namespace = "default"
+	}
+
+	existingMethods, _, _ := s.client.ACL().AuthMethodList(qo)
 	return slices.ContainsFunc(
 		existingMethods,
 		func(m *api.ACLAuthMethodListEntry) bool { return m.Name == authMethodName })
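Review bot: The new `existingMethods, _, _ := s.client.ACL().AuthMethodList(qo)` line still discards the list error, so a failed query in the default namespace (a token without permission to read ACLs there, or Consul unreachable) reports the method as absent and the command proceeds to create it, surfacing the real problem only as a create failure. Capturing it, `existingMethods, _, err := s.client.ACL().AuthMethodList(qo)` and returning `(bool, error)` so the caller can stop on `err != nil`, would make the pre-existence check trustworthy; the caller is outside this hunk. The same discarded error appears in the bindingRuleExists hunk (`BindingRuleList("", qo)`). The literal "default" is also repeated with the same `if s.consulEnt` guard in every hunk of setup_consul.go; a single package constant such as `const consulDefaultNS = "default"` with a comment that auth methods and binding rules are always created and looked up in Consul's default namespace would keep the rule in one place.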
@@ -432,10 +438,10 @@ func (s *SetupConsulCommand) renderAuthMethod(name string, desc string) (*api.AC
 		TokenLocality: "local",
 		Config:        authConfig,
 	}
-	if s.consulEnt && (s.clientCfg.Namespace == "" || s.clientCfg.Namespace == "default") {
+	if s.consulEnt {
 		method.NamespaceRules = []*api.ACLAuthMethodNamespaceRule{{
 			Selector:      "",
 			BindNamespace: "${value.consul_namespace}",
 		}}
 	}
 
@@ -443,7 +449,13 @@ func (s *SetupConsulCommand) renderAuthMethod(name string, desc string) (*api.AC
 }
 
 func (s *SetupConsulCommand) createAuthMethod(authMethod *api.ACLAuthMethod) error {
-	_, _, err := s.client.ACL().AuthMethodCreate(authMethod, nil)
+	wo := &api.WriteOptions{}
+	if s.consulEnt {
+		// auth methods are created in the default ns
+		wo.Namespace = "default"
+	}
+
+	_, _, err := s.client.ACL().AuthMethodCreate(authMethod, wo)
 	if err != nil {
 		if strings.Contains(err.Error(), "error checking JWKSURL") {
 			s.Ui.Error(fmt.Sprintf(
@@ -485,7 +497,12 @@ func (s *SetupConsulCommand) createNamespace(ns string) error {
 }
 
 func (s *SetupConsulCommand) bindingRuleExists(rule *api.ACLBindingRule) bool {
-	existingRules, _, _ := s.client.ACL().BindingRuleList("", nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		// binding rules are created in the default ns
+		qo.Namespace = "default"
+	}
+	existingRules, _, _ := s.client.ACL().BindingRuleList("", qo)
 	return slices.ContainsFunc(
 		existingRules,
 		func(r *api.ACLBindingRule) bool {
@@ -497,7 +514,12 @@ func (s *SetupConsulCommand) bindingRuleExists(rule *api.ACLBindingRule) bool {
 }
 
 func (s *SetupConsulCommand) createBindingRules(rule *api.ACLBindingRule) error {
-	_, _, err := s.client.ACL().BindingRuleCreate(rule, nil)
+	wo := &api.WriteOptions{}
+	if s.consulEnt {
+		// binding rules are created in the default ns
+		wo.Namespace = "default"
+	}
+	_, _, err := s.client.ACL().BindingRuleCreate(rule, wo)
 	if err != nil {
 		return fmt.Errorf("[✘] Could not create Consul binding rule: %w", err)
 	}
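Review bot: With the `s.clientCfg.Namespace` condition dropped, the namespace rule is now attached whenever `s.consulEnt` is true, and its empty `Selector` together with `BindNamespace: "${value.consul_namespace}"` means every login through this method is placed in whatever namespace the token's `consul_namespace` claim names. The only thing bounding that is the JWKS trust anchor (the `JWKSURL` in the asset file, i.e. only Nomad-signed identities carry the claim), which is worth stating at the rule: `// Selector "" matches every login; the target namespace comes from the Nomad-issued consul_namespace claim, so the JWKS trust anchor is what bounds it.` The asset JSON in this patch adds the `consul_namespace` claim mapping this interpolation depends on, but the page does not show how Consul treats a login token that lacks the claim, so it is worth confirming such a login is rejected rather than bound to an empty namespace. renderAuthMethod starts and ends outside this hunk.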
@@ -601,7 +623,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 		componentsToRemove["Auth method"] = []string{consulAuthMethodName}
 	}
 
-	authMethodRules, _, err := s.client.ACL().BindingRuleList(consulAuthMethodName, nil)
+	qo := &api.QueryOptions{}
+	if s.consulEnt {
+		qo.Namespace = "default"
+	}
+	authMethodRules, _, err := s.client.ACL().BindingRuleList(consulAuthMethodName, qo)
 	if err != nil {
 		s.Ui.Error(fmt.Sprintf("[✘] Failed to fetch binding rules for method: %q", consulAuthMethodName))
 		exitCode = 1
@@ -682,7 +708,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 	}
 
 	for _, b := range authMethodRules {
-		_, err := s.client.ACL().BindingRuleDelete(b.ID, nil)
+		wo := &api.WriteOptions{}
+		if s.consulEnt {
+			wo.Namespace = "default"
+		}
+		_, err := s.client.ACL().BindingRuleDelete(b.ID, wo)
 		if err != nil {
 			s.Ui.Error(fmt.Sprintf("[✘] Failed to delete binding rule %q: %v", b.ID, err.Error()))
 			exitCode = 1
@@ -692,7 +722,11 @@ func (s *SetupConsulCommand) removeConfiguredComponents() int {
 	}
 
 	for _, authMethod := range componentsToRemove["Auth method"] {
-		_, err := s.client.ACL().AuthMethodDelete(authMethod, nil)
+		wo := &api.WriteOptions{}
+		if s.consulEnt {
+			wo.Namespace = "default"
+		}
+		_, err := s.client.ACL().AuthMethodDelete(authMethod, wo)
 		if err != nil {
 			s.Ui.Error(fmt.Sprintf("[✘] Failed to delete auth method %q: %v", authMethod, err.Error()))
 			exitCode = 1
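Review bot: The `wo := &api.WriteOptions{}` block is rebuilt on every iteration of both delete loops (`for _, b := range authMethodRules` and `for _, authMethod := range componentsToRemove["Auth method"]`), and it repeats the namespace decision already made for `qo` in the first hunk of this function. Building it once before the loops, `wo := &api.WriteOptions{Namespace: qo.Namespace}` if `qo` is still in scope there, keeps the list and the two deletes guaranteed to target the same namespace, so a rule listed in the default namespace cannot be deleted against a different one. The first hunk's `if s.consulEnt { qo.Namespace = "default" }` is also the only one in this patch without the `// binding rules are created in the default ns` comment the other hunks carry. removeConfiguredComponents starts and ends outside these hunks.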