Add Namespace support to the API module and the CLI commands (#6874)

Also update the Docs and fixup the HTTP API to return proper errors when someone attempts to use Namespaces with an OSS agent.

Add Namespace HTTP API docs

Make all API endpoints disallow unknown fields

agent/acl_endpoint.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/lib"
 )
 
 // aclCreateResponse is used to wrap the ACL ID
@@ -186,7 +187,9 @@ func (s *HTTPServer) ACLPolicyList(resp http.ResponseWriter, req *http.Request)
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -244,7 +247,9 @@ func (s *HTTPServer) ACLPolicyRead(resp http.ResponseWriter, req *http.Request,
 		return nil, nil
 	}
 
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -281,9 +286,11 @@ func (s *HTTPServer) aclPolicyWriteInternal(resp http.ResponseWriter, req *http.
 		Datacenter: s.agent.config.Datacenter,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.Policy.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.Policy.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.Policy); err != nil {
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.Policy)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("Policy decoding failed: %v", err)}
 	}
 
@@ -315,7 +322,9 @@ func (s *HTTPServer) ACLPolicyDelete(resp http.ResponseWriter, req *http.Request
 		PolicyID:   policyID,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	var ignored string
 	if err := s.agent.RPC("ACL.PolicyDelete", args, &ignored); err != nil {
@@ -338,7 +347,9 @@ func (s *HTTPServer) ACLTokenList(resp http.ResponseWriter, req *http.Request) (
 		return nil, nil
 	}
 
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -442,7 +453,9 @@ func (s *HTTPServer) ACLTokenGet(resp http.ResponseWriter, req *http.Request, to
 		return nil, nil
 	}
 
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -471,9 +484,11 @@ func (s *HTTPServer) aclTokenSetInternal(resp http.ResponseWriter, req *http.Req
 		Create:     create,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.ACLToken); err != nil {
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.ACLToken)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("Token decoding failed: %v", err)}
 	}
 
@@ -499,7 +514,9 @@ func (s *HTTPServer) ACLTokenDelete(resp http.ResponseWriter, req *http.Request,
 		TokenID:    tokenID,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	var ignored string
 	if err := s.agent.RPC("ACL.TokenDelete", args, &ignored); err != nil {
@@ -518,8 +535,10 @@ func (s *HTTPServer) ACLTokenClone(resp http.ResponseWriter, req *http.Request,
 		Create:     true,
 	}
 
-	s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta)
-	if err := decodeBody(req.Body, &args.ACLToken); err != nil {
+	if err := s.parseEntMeta(req, &args.ACLToken.EnterpriseMeta); err != nil {
+		return nil, err
+	}
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.ACLToken)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("Token decoding failed: %v", err)}
 	}
 	s.parseToken(req, &args.Token)
@@ -544,7 +563,9 @@ func (s *HTTPServer) ACLRoleList(resp http.ResponseWriter, req *http.Request) (i
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -621,7 +642,9 @@ func (s *HTTPServer) ACLRoleRead(resp http.ResponseWriter, req *http.Request, ro
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -654,9 +677,11 @@ func (s *HTTPServer) ACLRoleWrite(resp http.ResponseWriter, req *http.Request, r
 		Datacenter: s.agent.config.Datacenter,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.Role.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.Role.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.Role); err != nil {
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.Role)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("Role decoding failed: %v", err)}
 	}
 
@@ -680,7 +705,9 @@ func (s *HTTPServer) ACLRoleDelete(resp http.ResponseWriter, req *http.Request,
 		RoleID:     roleID,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	var ignored string
 	if err := s.agent.RPC("ACL.RoleDelete", args, &ignored); err != nil {
@@ -700,7 +727,9 @@ func (s *HTTPServer) ACLBindingRuleList(resp http.ResponseWriter, req *http.Requ
 		return nil, nil
 	}
 
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -760,7 +789,9 @@ func (s *HTTPServer) ACLBindingRuleRead(resp http.ResponseWriter, req *http.Requ
 		return nil, nil
 	}
 
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -793,9 +824,11 @@ func (s *HTTPServer) ACLBindingRuleWrite(resp http.ResponseWriter, req *http.Req
 		Datacenter: s.agent.config.Datacenter,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.BindingRule.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.BindingRule.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.BindingRule); err != nil {
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.BindingRule)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("BindingRule decoding failed: %v", err)}
 	}
 
@@ -819,7 +852,9 @@ func (s *HTTPServer) ACLBindingRuleDelete(resp http.ResponseWriter, req *http.Re
 		BindingRuleID: bindingRuleID,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	var ignored bool
 	if err := s.agent.RPC("ACL.BindingRuleDelete", args, &ignored); err != nil {
@@ -838,7 +873,9 @@ func (s *HTTPServer) ACLAuthMethodList(resp http.ResponseWriter, req *http.Reque
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -895,7 +932,9 @@ func (s *HTTPServer) ACLAuthMethodRead(resp http.ResponseWriter, req *http.Reque
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	if args.Datacenter == "" {
 		args.Datacenter = s.agent.config.Datacenter
@@ -929,9 +968,11 @@ func (s *HTTPServer) ACLAuthMethodWrite(resp http.ResponseWriter, req *http.Requ
 		Datacenter: s.agent.config.Datacenter,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.AuthMethod.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.AuthMethod.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.AuthMethod); err != nil {
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.AuthMethod)); err != nil {
 		return nil, BadRequestError{Reason: fmt.Sprintf("AuthMethod decoding failed: %v", err)}
 	}
 
@@ -958,7 +999,9 @@ func (s *HTTPServer) ACLAuthMethodDelete(resp http.ResponseWriter, req *http.Req
 		AuthMethodName: methodName,
 	}
 	s.parseToken(req, &args.Token)
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	var ignored bool
 	if err := s.agent.RPC("ACL.AuthMethodDelete", args, &ignored); err != nil {
@@ -978,10 +1021,12 @@ func (s *HTTPServer) ACLLogin(resp http.ResponseWriter, req *http.Request) (inte
 		Auth:       &structs.ACLLoginParams{},
 	}
 	s.parseDC(req, &args.Datacenter)
-	s.parseEntMeta(req, &args.Auth.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.Auth.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
-	if err := decodeBody(req.Body, &args.Auth); err != nil {
-		return nil, BadRequestError{Reason: fmt.Sprintf("Failed to decode request body: %v", err)}
+	if err := s.rewordUnknownEnterpriseFieldError(lib.DecodeJSON(req.Body, &args.Auth)); err != nil {
+		return nil, BadRequestError{Reason: fmt.Sprintf("Failed to decode request body:: %v", err)}
 	}
 
 	var out structs.ACLToken

agent/agent_endpoint_test.go

@@ -3055,7 +3055,7 @@ func testCreateToken(t *testing.T, a *TestAgent, rules string) string {
 	policyID := testCreatePolicy(t, a, policyName, rules)
 
 	args := map[string]interface{}{
-		"Name": "User Token",
+		"Description": "User Token",
 		"Policies": []map[string]interface{}{
 			map[string]interface{}{
 				"ID": policyID,

agent/discovery_chain_endpoint.go

@@ -1,7 +1,6 @@
 package agent
 
 import (
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
@@ -107,7 +106,7 @@ func (t *discoveryChainReadRequest) UnmarshalJSON(data []byte) (err error) {
 	}{
 		Alias: (*Alias)(t),
 	}
-	if err = json.Unmarshal(data, &aux); err != nil {
+	if err = lib.UnmarshalJSON(data, &aux); err != nil {
 		return err
 	}
 

agent/http.go

@@ -25,6 +25,7 @@ import (
 	"github.com/hashicorp/consul/agent/consul"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/api"
+	"github.com/hashicorp/consul/lib"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
@@ -573,11 +574,7 @@ func (s *HTTPServer) Index(resp http.ResponseWriter, req *http.Request) {
 }
 
 func decodeBody(body io.Reader, out interface{}) error {
-	if body == nil {
-		return io.EOF
-	}
-
-	return json.NewDecoder(body).Decode(&out)
+	return lib.DecodeJSON(body, out)
 }
 
 // decodeBodyDeprecated is deprecated, please ues decodeBody above.

agent/http_oss.go

@@ -3,10 +3,38 @@
 package agent
 
 import (
+	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/hashicorp/consul/agent/structs"
 )
 
-func (s *HTTPServer) parseEntMeta(req *http.Request, entMeta *structs.EnterpriseMeta) {
+func (s *HTTPServer) parseEntMeta(req *http.Request, entMeta *structs.EnterpriseMeta) error {
+	if headerNS := req.Header.Get("X-Consul-Namespace"); headerNS != "" {
+		return BadRequestError{Reason: "Invalid header: \"X-Consul-Namespace\" - Namespaces is a Consul Enterprise feature"}
+	}
+	if queryNS := req.URL.Query().Get("ns"); queryNS != "" {
+		return BadRequestError{Reason: "Invalid query parameter: \"ns\" - Namespaces is a Consul Enterprise feature"}
+	}
+	return nil
+}
+
+func (s *HTTPServer) rewordUnknownEnterpriseFieldError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	msg := err.Error()
+
+	if strings.Contains(msg, "json: unknown field ") {
+		quotedField := strings.TrimPrefix(msg, "json: unknown field ")
+
+		switch quotedField {
+		case `"Namespace"`:
+			return fmt.Errorf("%v - Namespaces is a Consul Enterprise feature", err)
+		}
+	}
+
+	return err
 }

agent/kvs_endpoint.go

@@ -18,7 +18,9 @@ func (s *HTTPServer) KVSEndpoint(resp http.ResponseWriter, req *http.Request) (i
 	if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 		return nil, nil
 	}
-	s.parseEntMeta(req, &args.EnterpriseMeta)
+	if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
+		return nil, err
+	}
 
 	// Pull out the key name, validation left to each sub-handler
 	args.Key = strings.TrimPrefix(req.URL.Path, "/v1/kv/")