hashicorp · sreeram77 · Aug 28, 2025 · Aug 28, 2025
@@ -103,7 +103,6 @@ linters:
       - third_party$
       - builtin$
       - examples$
-      - agent/consul
 formatters:
   enable:
     - gofmt

@@ -34,19 +34,19 @@ func (r *ACLResolver) resolveEnterpriseDefaultsForIdentity(identity structs.ACLI
 }
 
 // resolveEnterpriseIdentityAndRoles will resolve an enterprise identity to an additional set of roles
-func (_ *ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLRoles, error) {
+func (*ACLResolver) resolveEnterpriseIdentityAndRoles(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLRoles, error) {
 	// this function does nothing in CE
 	return nil, nil, nil
 }
 
 // resolveEnterpriseIdentityAndPolicies will resolve an enterprise identity to an additional set of policies
-func (_ *ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLPolicies, error) {
+func (*ACLResolver) resolveEnterpriseIdentityAndPolicies(_ structs.ACLIdentity) (structs.ACLIdentity, structs.ACLPolicies, error) {
 	// this function does nothing in CE
 	return nil, nil, nil
 }
 
 // resolveLocallyManagedEnterpriseToken will resolve a managed service provider token to an identity and authorizer
-func (_ *ACLResolver) resolveLocallyManagedEnterpriseToken(_ string) (structs.ACLIdentity, acl.Authorizer, bool) {
+func (*ACLResolver) resolveLocallyManagedEnterpriseToken(_ string) (structs.ACLIdentity, acl.Authorizer, bool) {
 	return nil, nil, false
 }
 

@@ -326,7 +326,7 @@ func (a *ACL) TokenRead(args *structs.ACLTokenGetRequest, reply *structs.ACLToke
 				return fmt.Errorf("token has expired: %w", acl.ErrNotFound)
 			} else if token == nil {
 				// token does not exist
-				if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+				if ns := args.NamespaceOrEmpty(); ns != "" {
 					return fmt.Errorf("token not found in namespace %s: %w", ns, acl.ErrNotFound)
 				}
 				return fmt.Errorf("token does not exist: %w", acl.ErrNotFound)
@@ -486,7 +486,7 @@ func (a *ACL) TokenClone(args *structs.ACLTokenSetRequest, reply *structs.ACLTok
 	if err != nil {
 		return err
 	} else if token == nil {
-		if ns := args.ACLToken.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.ACLToken.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("token not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("token does not exist: %w", acl.ErrNotFound)
@@ -631,7 +631,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 		return a.srv.forwardDC("ACL.TokenDelete", a.srv.config.PrimaryDatacenter, args, reply)
 	} else {
 		// in Primary Datacenter but the token does not exist - return early indicating it wasn't found.
-		if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("token not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("token does not exist: %w", acl.ErrNotFound)
@@ -647,7 +647,7 @@ func (a *ACL) TokenDelete(args *structs.ACLTokenDeleteRequest, reply *string) er
 	}
 
 	// Purge the identity from the cache to prevent using the previous definition of the identity
-	a.srv.ACLResolver.cache.RemoveIdentityWithSecretToken(token.SecretID)
+	a.srv.cache.RemoveIdentityWithSecretToken(token.SecretID)
 
 	if reply != nil {
 		*reply = token.AccessorID
@@ -685,15 +685,15 @@ func (a *ACL) TokenList(args *structs.ACLTokenListRequest, reply *structs.ACLTok
 		return err
 	}
 	// merge the token default meta into the requests meta
-	args.EnterpriseMeta.Merge(&requestMeta)
-	args.EnterpriseMeta.FillAuthzContext(&authzContext)
+	args.Merge(&requestMeta)
+	args.FillAuthzContext(&authzContext)
 	if err := authz.ToAllowAuthorizer().ACLReadAllowed(&authzContext); err != nil {
 		return err
 	}
 
 	var methodMeta *acl.EnterpriseMeta
 	if args.AuthMethod != "" {
-		methodMeta = args.ACLAuthMethodEnterpriseMeta.ToEnterpriseMeta()
+		methodMeta = args.ToEnterpriseMeta()
 		// attempt to merge in the overall meta, wildcards will not be merged
 		methodMeta.MergeNoWildcard(&args.EnterpriseMeta)
 		// in the event that the meta above didn't merge due to being a wildcard
@@ -982,7 +982,7 @@ func (a *ACL) PolicySet(args *structs.ACLPolicySetRequest, reply *structs.ACLPol
 	}
 
 	// Remove from the cache to prevent stale cache usage
-	a.srv.ACLResolver.cache.RemovePolicy(policy.ID)
+	a.srv.cache.RemovePolicy(policy.ID)
 
 	if _, policy, err := a.srv.fsm.State().ACLPolicyGetByID(nil, policy.ID, &policy.EnterpriseMeta); err == nil && policy != nil {
 		*reply = *policy
@@ -1025,7 +1025,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 	}
 
 	if policy == nil {
-		if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("policy not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("policy does not exist: %w", acl.ErrNotFound)
@@ -1044,7 +1044,7 @@ func (a *ACL) PolicyDelete(args *structs.ACLPolicyDeleteRequest, reply *string)
 		return fmt.Errorf("Failed to apply policy delete request: %v", err)
 	}
 
-	a.srv.ACLResolver.cache.RemovePolicy(policy.ID)
+	a.srv.cache.RemovePolicy(policy.ID)
 
 	*reply = policy.Name
 
@@ -1105,12 +1105,12 @@ func (a *ACL) PolicyResolve(args *structs.ACLPolicyBatchGetRequest, reply *struc
 	}
 
 	// get full list of policies for this token
-	identity, policies, err := a.srv.ACLResolver.resolveTokenToIdentityAndPolicies(args.Token)
+	identity, policies, err := a.srv.resolveTokenToIdentityAndPolicies(args.Token)
 	if err != nil {
 		return err
 	}
 
-	entIdentity, entPolicies, err := a.srv.ACLResolver.resolveEnterpriseIdentityAndPolicies(identity)
+	entIdentity, entPolicies, err := a.srv.resolveEnterpriseIdentityAndPolicies(identity)
 	if err != nil {
 		return err
 	}
@@ -1420,7 +1420,7 @@ func (a *ACL) RoleSet(args *structs.ACLRoleSetRequest, reply *structs.ACLRole) e
 	}
 
 	// Remove from the cache to prevent stale cache usage
-	a.srv.ACLResolver.cache.RemoveRole(role.ID)
+	a.srv.cache.RemoveRole(role.ID)
 
 	if _, role, err := a.srv.fsm.State().ACLRoleGetByID(nil, role.ID, &role.EnterpriseMeta); err == nil && role != nil {
 		*reply = *role
@@ -1463,7 +1463,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
 	}
 
 	if role == nil {
-		if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("role not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("role does not exist: %w", acl.ErrNotFound)
@@ -1478,7 +1478,7 @@ func (a *ACL) RoleDelete(args *structs.ACLRoleDeleteRequest, reply *string) erro
 		return fmt.Errorf("Failed to apply role delete request: %v", err)
 	}
 
-	a.srv.ACLResolver.cache.RemoveRole(role.ID)
+	a.srv.cache.RemoveRole(role.ID)
 
 	*reply = role.Name
 
@@ -1533,12 +1533,12 @@ func (a *ACL) RoleResolve(args *structs.ACLRoleBatchGetRequest, reply *structs.A
 	}
 
 	// get full list of roles for this token
-	identity, roles, err := a.srv.ACLResolver.resolveTokenToIdentityAndRoles(args.Token)
+	identity, roles, err := a.srv.resolveTokenToIdentityAndRoles(args.Token)
 	if err != nil {
 		return err
 	}
 
-	entIdentity, entRoles, err := a.srv.ACLResolver.resolveEnterpriseIdentityAndRoles(identity)
+	entIdentity, entRoles, err := a.srv.resolveEnterpriseIdentityAndRoles(identity)
 	if err != nil {
 		return err
 	}
@@ -1778,7 +1778,7 @@ func (a *ACL) BindingRuleDelete(args *structs.ACLBindingRuleDeleteRequest, reply
 	}
 
 	if rule == nil {
-		if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("binding rule not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("binding rule does not exist: %w", acl.ErrNotFound)
@@ -2026,7 +2026,7 @@ func (a *ACL) AuthMethodDelete(args *structs.ACLAuthMethodDeleteRequest, reply *
 	}
 
 	if method == nil {
-		if ns := args.EnterpriseMeta.NamespaceOrEmpty(); ns != "" {
+		if ns := args.NamespaceOrEmpty(); ns != "" {
 			return fmt.Errorf("auth method not found in namespace %s: %w", ns, acl.ErrNotFound)
 		}
 		return fmt.Errorf("auth method does not exist: %w", acl.ErrNotFound)

@@ -5018,7 +5018,7 @@ func TestACLEndpoint_Login_with_MaxTokenTTL(t *testing.T) {
 		},
 		EnterpriseMeta: *defaultEntMeta,
 	}
-	expect.ACLAuthMethodEnterpriseMeta.FillWithEnterpriseMeta(defaultEntMeta)
+	expect.FillWithEnterpriseMeta(defaultEntMeta)
 	require.Equal(t, got, expect)
 }
 
@@ -5125,7 +5125,7 @@ func TestACLEndpoint_Login_with_TokenLocality(t *testing.T) {
 				},
 				EnterpriseMeta: *defaultEntMeta,
 			}
-			expect.ACLAuthMethodEnterpriseMeta.FillWithEnterpriseMeta(defaultEntMeta)
+			expect.FillWithEnterpriseMeta(defaultEntMeta)
 			require.Equal(t, got, expect)
 
 			// Now turn around and nuke it.

@@ -32,7 +32,7 @@ func (r *aclTokenReplicator) FetchRemote(srv *Server, lastRemoteIndex uint64) (i
 	}
 
 	r.remote = remote.Tokens
-	return len(remote.Tokens), remote.QueryMeta.Index, nil
+	return len(remote.Tokens), remote.Index, nil
 }
 
 func (r *aclTokenReplicator) FetchLocal(srv *Server) (int, uint64, error) {
@@ -142,7 +142,7 @@ func (r *aclPolicyReplicator) FetchRemote(srv *Server, lastRemoteIndex uint64) (
 	}
 
 	r.remote = remote.Policies
-	return len(remote.Policies), remote.QueryMeta.Index, nil
+	return len(remote.Policies), remote.Index, nil
 }
 
 func (r *aclPolicyReplicator) FetchLocal(srv *Server) (int, uint64, error) {
@@ -239,7 +239,7 @@ func (r *aclRoleReplicator) FetchRemote(srv *Server, lastRemoteIndex uint64) (in
 	}
 
 	r.remote = remote.Roles
-	return len(remote.Roles), remote.QueryMeta.Index, nil
+	return len(remote.Roles), remote.Index, nil
 }
 
 func (r *aclRoleReplicator) FetchLocal(srv *Server) (int, uint64, error) {

@@ -217,7 +217,7 @@ func (s *Server) aclBinder() *auth.Binder {
 func (s *Server) aclTokenWriter() *auth.TokenWriter {
 	return auth.NewTokenWriter(auth.TokenWriterConfig{
 		RaftApply:           s.raftApply,
-		ACLCache:            s.ACLResolver.cache,
+		ACLCache:            s.cache,
 		Store:               s.fsm.State(),
 		CheckUUID:           s.checkTokenUUID,
 		MaxExpirationTTL:    s.config.ACLTokenMaxExpirationTTL,

@@ -1534,9 +1534,8 @@ func TestACLResolver_Client(t *testing.T) {
 					return acl.ErrNotFound
 				}
 
-				select {
-				case <-readyCh:
-				}
+				<-readyCh
+
 				time.Sleep(100 * time.Millisecond)
 				return nil
 			},
@@ -2326,7 +2325,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
 	require.NoError(t, err)
 
 	testutil.RunStep(t, "first resolve", func(t *testing.T) {
-		authz, err := srv.ACLResolver.ResolveToken(token)
+		authz, err := srv.ResolveToken(token)
 		require.NoError(t, err)
 		require.NotNil(t, authz)
 		require.Equal(t, acl.Allow, authz.KeyRead("foo", nil))
@@ -2345,7 +2344,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
 		err := msgpackrpc.CallWithCodec(codec, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{})
 		require.NoError(t, err)
 
-		authz, err := srv.ACLResolver.ResolveToken(token)
+		authz, err := srv.ResolveToken(token)
 		require.NoError(t, err)
 		require.NotNil(t, authz)
 		require.Equal(t, acl.Deny, authz.KeyRead("foo", nil))
@@ -2361,7 +2360,7 @@ func TestACLResolver_ResolveToken_UpdatesPurgeTheCache(t *testing.T) {
 		err := msgpackrpc.CallWithCodec(codec, "ACL.TokenDelete", &req, &resp)
 		require.NoError(t, err)
 
-		_, err = srv.ACLResolver.ResolveToken(token)
+		_, err = srv.ResolveToken(token)
 		require.True(t, acl.IsErrNotFound(err), "Error %v is not acl.ErrNotFound", err)
 	})
 }
@@ -111,7 +111,7 @@ func (s *Server) reapExpiredACLTokens(local, global bool) (int, error) {
 
 	// Purge the identities from the cache
 	for _, secretID := range secretIDs {
-		s.ACLResolver.cache.RemoveIdentityWithSecretToken(secretID)
+		s.cache.RemoveIdentityWithSecretToken(secretID)
 	}
 
 	return len(req.TokenIDs), nil

@@ -192,7 +192,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
 		})
 	})
 
-	time.Sleep(token3.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)
+	time.Sleep(time.Until(*token3.ExpirationTime) + 10*time.Millisecond)
 
 	t.Run("one should be reaped", func(t *testing.T) {
 		n, err := s1.reapExpiredACLTokens(local, global)
@@ -209,7 +209,7 @@ func testACLTokenReap_Primary(t *testing.T, local, global bool) {
 		})
 	})
 
-	time.Sleep(token4.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)
+	time.Sleep(time.Until(*token4.ExpirationTime) + 10*time.Millisecond)
 
 	t.Run("two should be reaped", func(t *testing.T) {
 		n, err := s1.reapExpiredACLTokens(local, global)

@@ -51,7 +51,7 @@ func (l *Login) TokenForVerifiedIdentity(identity *authmethod.Identity, authMeth
 		Policies:          bindings.Policies,
 		EnterpriseMeta:    bindings.EnterpriseMeta,
 	}
-	token.ACLAuthMethodEnterpriseMeta.FillWithEnterpriseMeta(&authMethod.EnterpriseMeta)
+	token.FillWithEnterpriseMeta(&authMethod.EnterpriseMeta)
 
 	updated, err := l.writer.Create(token, true)
 	switch {

@@ -437,7 +437,7 @@ func TestTokenWriter_Create_Expiration(t *testing.T) {
 
 		updated, err := writer.Create(token, false)
 		require.NoError(t, err)
-		require.InEpsilon(t, 10*time.Minute, updated.ExpirationTime.Sub(time.Now()), 0.1)
+		require.InEpsilon(t, 10*time.Minute, time.Until(*updated.ExpirationTime), 0.1)
 		require.Zero(t, updated.ExpirationTTL)
 	})
 

@@ -511,7 +511,7 @@ func createReadServiceAccountFound(namespace, name, uid, overrideAnnotation stri
 		},
 	}
 	if overrideAnnotation != "" {
-		sa.ObjectMeta.Annotations = map[string]string{
+		sa.Annotations = map[string]string{
 			"consul.hashicorp.com/service-name": overrideAnnotation,
 		}
 	}

@@ -46,7 +46,7 @@ type AutoConfigAuthorizer interface {
 
 type disabledAuthorizer struct{}
 
-func (_ *disabledAuthorizer) Authorize(_ *pbautoconf.AutoConfigRequest) (AutoConfigOptions, error) {
+func (*disabledAuthorizer) Authorize(_ *pbautoconf.AutoConfigRequest) (AutoConfigOptions, error) {
 	return AutoConfigOptions{}, fmt.Errorf("Auto Config is disabled")
 }
 

@@ -195,5 +195,4 @@ func TestAutoEncryptSign_MismatchedDC(t *testing.T) {
 	err = msgpackrpc.CallWithCodec(codec, "AutoEncrypt.Sign", args, &reply)
 	codec.Close()
 	require.EqualError(t, err, "mismatched datacenter (client_dc='different' server_dc='dc1'); check client has same datacenter set as servers")
-	return
 }
@@ -14,6 +14,6 @@ func (s *Server) autopilotPromoter() autopilot.Promoter {
 	return autopilot.DefaultPromoter()
 }
 
-func (_ *Server) autopilotServerExt(_ *metadata.Server) interface{} {
+func (*Server) autopilotServerExt(_ *metadata.Server) interface{} {
 	return nil
 }
@@ -532,7 +532,7 @@ func (c *Catalog) ListNodes(args *structs.DCSpecificRequest, reply *structs.Inde
 				return err
 			}
 			if isUnmodified(args.QueryOptions, reply.Index) {
-				reply.QueryMeta.NotModified = true
+				reply.NotModified = true
 				reply.Nodes = nil
 				return nil
 			}
@@ -612,7 +612,7 @@ func (c *Catalog) ListServices(args *structs.DCSpecificRequest, reply *structs.I
 			}
 			if isUnmodified(args.QueryOptions, reply.Index) {
 				reply.Services = nil
-				reply.QueryMeta.NotModified = true
+				reply.NotModified = true
 				return nil
 			}