consul-template: revert function_denylist logic (#12071)

* consul-template: replace config rather than append
Co-authored-by: Seth Hoenig <seth.a.hoenig@gmail.com>

command/agent/config.go

@@ -1705,11 +1705,8 @@ func (a *ClientConfig) Merge(b *ClientConfig) *ClientConfig {
 		result.DisableRemoteExec = b.DisableRemoteExec
 	}
 
-	if result.TemplateConfig == nil && b.TemplateConfig != nil {
-		templateConfig := *b.TemplateConfig
-		result.TemplateConfig = &templateConfig
-	} else if b.TemplateConfig != nil {
-		result.TemplateConfig = result.TemplateConfig.Merge(b.TemplateConfig)
+	if b.TemplateConfig != nil {
+		result.TemplateConfig = b.TemplateConfig
 	}
 
 	// Add the servers

command/agent/config_test.go

@@ -1454,43 +1454,79 @@ func TestConfig_LoadConsulTemplateConfig(t *testing.T) {
 	require.Equal(t, 20*time.Second, *templateConfig.VaultRetry.MaxBackoff)
 }
 
-func TestConfig_LoadConsulTemplateBasic(t *testing.T) {
-	ci.Parallel(t)
+func TestConfig_LoadConsulTemplate_FunctionDenylist(t *testing.T) {
+	cases := []struct {
+		File     string
+		Expected *client.ClientTemplateConfig
+	}{
+		{
+			"test-resources/minimal_client.hcl",
+			nil,
+		},
+		{
+			"test-resources/client_with_basic_template.json",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   true,
+				FunctionDenylist: []string{},
+			},
+		},
+		{
+			"test-resources/client_with_basic_template.hcl",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   true,
+				FunctionDenylist: []string{},
+			},
+		},
+		{
+			"test-resources/client_with_function_denylist.hcl",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   false,
+				FunctionDenylist: []string{"foo"},
+			},
+		},
+		{
+			"test-resources/client_with_function_denylist_empty.hcl",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   false,
+				FunctionDenylist: []string{},
+			},
+		},
+		{
+			"test-resources/client_with_function_denylist_empty_string.hcl",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   true,
+				FunctionDenylist: []string{""},
+			},
+		},
+		{
+			"test-resources/client_with_function_denylist_empty_string.json",
+			&client.ClientTemplateConfig{
+				DisableSandbox:   true,
+				FunctionDenylist: []string{""},
+			},
+		},
+		{
+			"test-resources/client_with_function_denylist_nil.hcl",
+			&client.ClientTemplateConfig{
+				DisableSandbox: true,
+			},
+		},
+		{
+			"test-resources/client_with_empty_template.hcl",
+			nil,
+		},
+	}
 
-	defaultConfig := DefaultConfig()
+	for _, tc := range cases {
+		t.Run(tc.File, func(t *testing.T) {
+			agentConfig, err := LoadConfig(tc.File)
 
-	// hcl
-	agentConfig, err := LoadConfig("test-resources/client_with_basic_template.hcl")
-	require.NoError(t, err)
-	require.NotNil(t, agentConfig.Client.TemplateConfig)
+			require.NoError(t, err)
 
-	agentConfig = defaultConfig.Merge(agentConfig)
-	require.Len(t, agentConfig.Client.TemplateConfig.FunctionDenylist, 0)
-	require.NotNil(t, agentConfig.Client.TemplateConfig.FunctionDenylist)
-
-	clientAgent := Agent{config: agentConfig}
-	clientConfig, err := clientAgent.clientConfig()
-	require.NoError(t, err)
-
-	templateConfig := clientConfig.TemplateConfig
-	require.NotNil(t, templateConfig)
-	require.True(t, templateConfig.DisableSandbox)
-	require.Len(t, templateConfig.FunctionDenylist, 0)
-
-	// json
-	agentConfig, err = LoadConfig("test-resources/client_with_basic_template.json")
-	require.NoError(t, err)
-
-	agentConfig = defaultConfig.Merge(agentConfig)
-
-	clientAgent = Agent{config: agentConfig}
-	clientConfig, err = clientAgent.clientConfig()
-	require.NoError(t, err)
-
-	templateConfig = clientConfig.TemplateConfig
-	require.NotNil(t, templateConfig)
-	require.True(t, templateConfig.DisableSandbox)
-	require.Len(t, templateConfig.FunctionDenylist, 0)
+			templateConfig := agentConfig.Client.TemplateConfig
+			require.Equal(t, tc.Expected, templateConfig)
+		})
+	}
 }
 
 func TestParseMultipleIPTemplates(t *testing.T) {

command/agent/test-resources/client_with_empty_template.hcl

@@ -0,0 +1,6 @@
+client {
+  enabled = true
+
+  template {
+  }
+}

command/agent/test-resources/client_with_function_denylist.hcl

@@ -0,0 +1,7 @@
+client {
+  enabled = true
+
+  template {
+    function_denylist = ["foo"]
+  }
+}

command/agent/test-resources/client_with_function_denylist_empty.hcl

@@ -0,0 +1,7 @@
+client {
+  enabled = true
+
+  template {
+    function_denylist = []
+  }
+}

command/agent/test-resources/client_with_function_denylist_empty_string.hcl

@@ -0,0 +1,8 @@
+client {
+  enabled = true
+
+  template {
+    disable_file_sandbox = true
+    function_denylist    = [""]
+  }
+}

command/agent/test-resources/client_with_function_denylist_empty_string.json

@@ -0,0 +1,11 @@
+{
+  "client": {
+    "enabled": true,
+    "template": {
+      "disable_file_sandbox": true,
+      "function_denylist": [
+        ""
+      ]
+    }
+  }
+}

command/agent/test-resources/client_with_function_denylist_nil.hcl

@@ -0,0 +1,7 @@
+client {
+  enabled = true
+
+  template {
+    disable_file_sandbox = true
+  }
+}