// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package testutils
import (
"github.com/stretchr/testify/require"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/acl/resolver"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/sdk/testutil"
)
// ACLAnonymous returns a resolver.Result for the anonymous token: a DenyAll
// authorizer paired with an ACLToken whose AccessorID is acl.AnonymousTokenID.
// Use it for tests that exercise the "unauthenticated caller" path.
func ACLAnonymous(t testutil.TestingTB) resolver.Result {
	t.Helper()

	anonymousToken := &structs.ACLToken{AccessorID: acl.AnonymousTokenID}

	result := resolver.Result{
		Authorizer:  acl.DenyAll(),
		ACLIdentity: anonymousToken,
	}
	return result
}
// ACLsDisabled returns a resolver.Result that behaves as if ACL enforcement
// were turned off: a ManageAll authorizer and no ACLIdentity. Tests that use
// it are not exercising any authorization decision.
func ACLsDisabled(t testutil.TestingTB) resolver.Result {
	t.Helper()

	var result resolver.Result
	result.Authorizer = acl.ManageAll()
	return result
}
// ACLNoPermissions returns a resolver.Result for an authenticated but
// unprivileged caller: a DenyAll authorizer together with a freshly generated
// token identity. Use it to check that a token alone grants nothing.
func ACLNoPermissions(t testutil.TestingTB) resolver.Result {
	t.Helper()

	identity := randomACLIdentity(t)

	return resolver.Result{
		ACLIdentity: identity,
		Authorizer:  acl.DenyAll(),
	}
}
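// ACLServiceWriteAny returns a resolver.Result whose authorizer grants
// service:write on the service named "foo" and nothing else, with a freshly
// generated token identity. Despite the "Any" in the name, the rule below is
// scoped to the literal service name "foo" — presumably callers only need
// *some* service:write grant to exist; confirm before relying on it for a
// different service name.
//
// Authorizer construction is delegated to ACLUseProvidedPolicy so that every
// policy-backed fixture in this file wraps its policy the same way (DenyAll as
// the default for anything the policy does not cover).
func ACLServiceWriteAny(t testutil.TestingTB) resolver.Result {
	t.Helper()

	policy, err := acl.NewPolicyFromSource(`
service "foo" {
	policy = "write"
}
`, nil, nil)
	require.NoError(t, err)

	return ACLUseProvidedPolicy(t, policy)
}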
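// ACLServiceRead returns a resolver.Result whose authorizer grants
// service:read on exactly serviceName and nothing else, with a freshly
// generated token identity.
//
// The policy is built as a struct rather than parsed from HCL, so serviceName
// is used verbatim and never interpreted as policy syntax. Authorizer
// construction is delegated to ACLUseProvidedPolicy so this fixture wraps its
// policy the same way as the other policy-backed fixtures (DenyAll as the
// default for anything the policy does not cover).
func ACLServiceRead(t testutil.TestingTB, serviceName string) resolver.Result {
	t.Helper()

	readOnly := &acl.Policy{
		PolicyRules: acl.PolicyRules{
			Services: []*acl.ServiceRule{
				{
					Name:   serviceName,
					Policy: acl.PolicyRead,
				},
			},
		},
	}

	return ACLUseProvidedPolicy(t, readOnly)
}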
// ACLUseProvidedPolicy returns a resolver.Result whose authorizer is built from
// the single policy aclPolicy, with a freshly generated token identity.
//
// The authorizer is created with acl.DenyAll() as its defaults authorizer, so
// the only grants the caller receives are the ones aclPolicy spells out;
// everything else is denied. Fails the test if the policy cannot be compiled
// into an authorizer.
func ACLUseProvidedPolicy(t testutil.TestingTB, aclPolicy *acl.Policy) resolver.Result {
	t.Helper()

	policies := []*acl.Policy{aclPolicy}
	authorizer, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), policies, nil)
	require.NoError(t, err)

	identity := randomACLIdentity(t)

	return resolver.Result{
		ACLIdentity: identity,
		Authorizer:  authorizer,
	}
}
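// ACLOperatorRead returns a resolver.Result whose authorizer grants
// operator:read and nothing else, with a freshly generated token identity.
//
// Authorizer construction is delegated to ACLUseProvidedPolicy so this fixture
// wraps its policy the same way as the other policy-backed fixtures (DenyAll
// as the default for anything the policy does not cover).
func ACLOperatorRead(t testutil.TestingTB) resolver.Result {
	t.Helper()

	operatorRead := &acl.Policy{
		PolicyRules: acl.PolicyRules{
			Operator: acl.PolicyRead,
		},
	}

	return ACLUseProvidedPolicy(t, operatorRead)
}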
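// ACLOperatorWrite returns a resolver.Result whose authorizer grants
// operator:write and nothing else, with a freshly generated token identity.
//
// Authorizer construction is delegated to ACLUseProvidedPolicy so this fixture
// wraps its policy the same way as the other policy-backed fixtures (DenyAll
// as the default for anything the policy does not cover).
func ACLOperatorWrite(t testutil.TestingTB) resolver.Result {
	t.Helper()

	operatorWrite := &acl.Policy{
		PolicyRules: acl.PolicyRules{
			Operator: acl.PolicyWrite,
		},
	}

	return ACLUseProvidedPolicy(t, operatorWrite)
}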
// randomACLIdentity returns an ACLToken whose AccessorID is a freshly
// generated UUID, so each fixture gets a distinct identity and tests cannot
// accidentally depend on a shared accessor ID. Fails the test if UUID
// generation errors.
func randomACLIdentity(t testutil.TestingTB) structs.ACLIdentity {
	accessorID, err := uuid.GenerateUUID()
	require.NoError(t, err)

	token := &structs.ACLToken{}
	token.AccessorID = accessorID
	return token
}