consul/internal/resource/resourcetest/acls.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resourcetest

import (
	"testing"

	"github.com/stretchr/testify/require"
	"google.golang.org/protobuf/reflect/protoreflect"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/internal/resource"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

const (
	DENY    = "deny"
	ALLOW   = "allow"
	DEFAULT = "default"
)

var checkF = func(t *testing.T, expect string, got error) {
	switch expect {
	case ALLOW:
		if acl.IsErrPermissionDenied(got) {
			t.Fatal("should be allowed")
		}
	case DENY:
		if !acl.IsErrPermissionDenied(got) {
			t.Fatal("should be denied")
		}
	case DEFAULT:
		require.Nil(t, got, "expected fallthrough decision")
	default:
		t.Fatalf("unexpected expectation: %q", expect)
	}
}

type ACLTestCase struct {
	Rules   string
	Data    protoreflect.ProtoMessage
	Owner   *pbresource.ID
	Typ     *pbresource.Type
	ReadOK  string
	WriteOK string
	ListOK  string
}

func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {
	reg, ok := registry.Resolve(tc.Typ)
	require.True(t, ok)

	resolvedType, ok := registry.Resolve(tc.Typ)
	require.True(t, ok)

	res := Resource(tc.Typ, "test").
		WithTenancy(DefaultTenancyForType(t, resolvedType)).
		WithOwner(tc.Owner).
		WithData(t, tc.Data).
		Build()

	ValidateAndNormalize(t, registry, res)

	config := acl.Config{
		WildcardName: structs.WildcardSpecifier,
	}
	authz, err := acl.NewAuthorizerFromRules(tc.Rules, &config, nil)
	require.NoError(t, err)
	authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})

	t.Run("read", func(t *testing.T) {
		err := reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, res)
		checkF(t, tc.ReadOK, err)
	})
	t.Run("write", func(t *testing.T) {
		err := reg.ACLs.Write(authz, &acl.AuthorizerContext{}, res)
		checkF(t, tc.WriteOK, err)
	})
	t.Run("list", func(t *testing.T) {
		err := reg.ACLs.List(authz, &acl.AuthorizerContext{})
		checkF(t, tc.ListOK, err)
	})
}
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: BUSL-1.1`

			`package resourcetest`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`"google.golang.org/protobuf/reflect/protoreflect"`

			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/internal/resource"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`const (`
			`DENY = "deny"`
			`ALLOW = "allow"`
			`DEFAULT = "default"`
			`)`

			`var checkF = func(t *testing.T, expect string, got error) {`
			`switch expect {`
			`case ALLOW:`
			`if acl.IsErrPermissionDenied(got) {`
			`t.Fatal("should be allowed")`
			`}`
			`case DENY:`
			`if !acl.IsErrPermissionDenied(got) {`
			`t.Fatal("should be denied")`
			`}`
			`case DEFAULT:`
			`require.Nil(t, got, "expected fallthrough decision")`
			`default:`
			`t.Fatalf("unexpected expectation: %q", expect)`
			`}`
			`}`

			`type ACLTestCase struct {`
			`Rules string`
			`Data protoreflect.ProtoMessage`
			`Owner *pbresource.ID`
			`Typ *pbresource.Type`
			`ReadOK string`
			`WriteOK string`
			`ListOK string`
			`}`

			`func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {`
			`reg, ok := registry.Resolve(tc.Typ)`
			`require.True(t, ok)`

			`resolvedType, ok := registry.Resolve(tc.Typ)`
			`require.True(t, ok)`

			`res := Resource(tc.Typ, "test").`
			`WithTenancy(DefaultTenancyForType(t, resolvedType)).`
			`WithOwner(tc.Owner).`
			`WithData(t, tc.Data).`
			`Build()`

			`ValidateAndNormalize(t, registry, res)`

			`config := acl.Config{`
			`WildcardName: structs.WildcardSpecifier,`
			`}`
			`authz, err := acl.NewAuthorizerFromRules(tc.Rules, &config, nil)`
			`require.NoError(t, err)`
			`authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})`

			`t.Run("read", func(t *testing.T) {`
			`err := reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, res)`
			`checkF(t, tc.ReadOK, err)`
			`})`
			`t.Run("write", func(t *testing.T) {`
			`err := reg.ACLs.Write(authz, &acl.AuthorizerContext{}, res)`
			`checkF(t, tc.WriteOK, err)`
			`})`
			`t.Run("list", func(t *testing.T) {`
			`err := reg.ACLs.List(authz, &acl.AuthorizerContext{})`
			`checkF(t, tc.ListOK, err)`
			`})`
			`}`