From 5480270d11e806f1101864178a9e0f4894ac9727 Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Thu, 23 Mar 2017 16:10:50 -0700
Subject: [PATCH] Gets rid of the Consul service exception under version 8. Fixes #2816.
---
 consul/acl.go | 7 ++++++-
 consul/acl_test.go | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/consul/acl.go b/consul/acl.go
index c51a9df799ae..316a010e487b 100644
--- a/consul/acl.go
+++ b/consul/acl.go
@@ -341,9 +341,14 @@ func (f *aclFilter) allowNode(node string) bool {
 
 // allowService is used to determine if a service is accessible for an ACL.
 func (f *aclFilter) allowService(service string) bool {
- if service == "" || service == ConsulServiceID {
+ if service == "" {
 return true
 }
+
+ if !f.enforceVersion8 && service == ConsulServiceID {
+ return true
+ }
+
 return f.acl.ServiceRead(service)
 }
 
diff --git a/consul/acl_test.go b/consul/acl_test.go
index 2657f12e01c2..8235976d5ef1 100644
--- a/consul/acl_test.go
+++ b/consul/acl_test.go
@@ -903,18 +903,29 @@ func TestACL_filterServices(t *testing.T) {
 services := structs.Services{
 "service1": []string{},
 "service2": []string{},
+ "consul": []string{},
 }
 
- // Try permissive filtering
+ // Try permissive filtering.
 filt := newAclFilter(acl.AllowAll(), nil, false)
 filt.filterServices(services)
- if len(services) != 2 {
+ if len(services) != 3 {
 t.Fatalf("bad: %#v", services)
 }
 
- // Try restrictive filtering
+ // Try restrictive filtering.
 filt = newAclFilter(acl.DenyAll(), nil, false)
 filt.filterServices(services)
+ if len(services) != 1 {
+ t.Fatalf("bad: %#v", services)
+ }
+ if _, ok := services["consul"]; !ok {
+ t.Fatalf("bad: %#v", services)
+ }
+
+ // Try restrictive filtering with version 8 enforcement.
+ filt = newAclFilter(acl.DenyAll(), nil, true)
+ filt.filterServices(services)
 if len(services) != 0 {
 t.Fatalf("bad: %#v", services)
 }
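Review bot: The doc comment on allowService in consul/acl.go still describes only the ACL lookup, while the new body has two paths that return true without consulting `f.acl`: the empty service name (always) and `ConsulServiceID` when `f.enforceVersion8` is false. These are the only places a service becomes visible without a `ServiceRead` grant, so I would spell them out, e.g. `// allowService reports whether the ACL allows reading the service. The empty name is always allowed; the Consul service is allowed without a policy check only while version 8 enforcement is off.` The hunk does not show why an empty name is safe to allow, so a short why-comment on that branch would let the next reader confirm the bypass is intentional.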
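Review bot: In TestACL_filterServices (consul/acl_test.go) the version 8 case runs on the map that the preceding DenyAll step has already reduced to the single "consul" entry, so it never shows service1 and service2 being filtered under enforcement and it depends on step order. Rebuilding the input before that step, `services = structs.Services{"service1": []string{}, "service2": []string{}, "consul": []string{}}`, keeps the three cases independent. A further case with enforcement on and a policy that does grant read on the Consul service would pin that the entry is kept when allowed rather than always dropped. The test function starts and ends outside the hunk.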