package agent
import (
	"bytes"
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"runtime"
	"strings"
	"testing"

	"github.com/hashicorp/consul/sdk/testutil"
	"github.com/hashicorp/memberlist"
	"github.com/stretchr/testify/require"
)
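// checkForKey reports an error unless the base64-encoded key is the
// keyring's current primary key. Only the primary key is compared;
// secondary keys are not inspected (see keyringIsMissingKey for a
// membership check).
//
// A nil keyring is rejected explicitly so that a caller which forgot the
// nil check gets a readable failure instead of a nil-pointer panic from
// GetPrimaryKey.
func checkForKey(key string, keyring *memberlist.Keyring) error {
	want, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		return err
	}
	if keyring == nil {
		return fmt.Errorf("keyring is nil, want primary key %q", key)
	}

	got := keyring.GetPrimaryKey()
	if !bytes.Equal(got, want) {
		// Render the primary key as base64 so the message is readable and
		// uses the same form as the configuration and keyring file.
		return fmt.Errorf("got %q want %q", base64.StdEncoding.EncodeToString(got), key)
	}
	return nil
}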
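// TestAgent_LoadKeyrings checks which gossip keyring files an agent loads
// from its data directory:
//   - with no key configured, neither the LAN nor the WAN keyring is loaded
//     and no keyring file path is set;
//   - a server loads both the LAN and WAN keyring files, each with the
//     configured key as its primary key;
//   - a client loads only the LAN keyring file and never a WAN one.
func TestAgent_LoadKeyrings(t *testing.T) {
	t.Parallel()
	key := "tbLJg26ZJyJ9pK3qhc9jig=="

	// expect asserts the state of one gossip pool's keyring. wantFile says
	// whether a keyring file path must be set; wantKey is the base64 key
	// expected as primary, or "" when no keyring should be loaded at all.
	// Failure messages name the pool, so a WAN failure is never reported
	// with LAN values.
	expect := func(t *testing.T, pool, file string, ring *memberlist.Keyring, wantFile bool, wantKey string) {
		t.Helper()
		if (file != "") != wantFile {
			t.Fatalf("%s: keyring file %q, want file present: %v", pool, file, wantFile)
		}
		if wantKey == "" {
			if ring != nil {
				t.Fatalf("%s: keyring should not be loaded", pool)
			}
			return
		}
		if ring == nil {
			t.Fatalf("%s: keyring should be loaded", pool)
		}
		if err := checkForKey(wantKey, ring); err != nil {
			t.Fatalf("%s: err: %v", pool, err)
		}
	}

	// Should be no configured keyring file by default
	t.Run("no keys", func(t *testing.T) {
		a1 := NewTestAgent(t, "")
		defer a1.Shutdown()

		c1 := a1.consulConfig()
		expect(t, "LAN", c1.SerfLANConfig.KeyringFile, c1.SerfLANConfig.MemberlistConfig.Keyring, false, "")
		expect(t, "WAN", c1.SerfWANConfig.KeyringFile, c1.SerfWANConfig.MemberlistConfig.Keyring, false, "")
	})

	// Server should auto-load LAN and WAN keyring files
	t.Run("server with keys", func(t *testing.T) {
		a2 := StartTestAgent(t, TestAgent{Key: key})
		defer a2.Shutdown()

		c2 := a2.consulConfig()
		expect(t, "LAN", c2.SerfLANConfig.KeyringFile, c2.SerfLANConfig.MemberlistConfig.Keyring, true, key)
		expect(t, "WAN", c2.SerfWANConfig.KeyringFile, c2.SerfWANConfig.MemberlistConfig.Keyring, true, key)
	})

	// Client should auto-load only the LAN keyring file
	t.Run("client with keys", func(t *testing.T) {
		a3 := StartTestAgent(t, TestAgent{HCL: `
			server = false
			bootstrap = false
		`, Key: key})
		defer a3.Shutdown()

		c3 := a3.consulConfig()
		expect(t, "LAN", c3.SerfLANConfig.KeyringFile, c3.SerfLANConfig.MemberlistConfig.Keyring, true, key)
		// A client has no WAN pool, so neither a file path nor a ring may exist.
		expect(t, "WAN", c3.SerfWANConfig.KeyringFile, c3.SerfWANConfig.MemberlistConfig.Keyring, false, "")
	})
}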
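// TestAgent_InmemKeyrings covers gossip keyrings when disable_keyring_file
// is set: keys come only from the `encrypt` setting, no keyring file path
// is ever configured, and keyring files already present in the data
// directory are ignored rather than loaded.
//   - with no key configured, neither pool has a keyring;
//   - a server holds the configured key in both the LAN and WAN rings;
//   - a client holds it only in the LAN ring;
//   - stale keyring files on disk contribute nothing to either ring.
func TestAgent_InmemKeyrings(t *testing.T) {
	t.Parallel()
	key := "tbLJg26ZJyJ9pK3qhc9jig=="

	// expect asserts the state of one gossip pool's keyring. With keyring
	// files disabled no file path may be set in any case; wantKey is the
	// base64 key expected as primary, or "" when no keyring should be
	// loaded at all. Failure messages name the pool, so a WAN failure is
	// never reported with LAN values.
	expect := func(t *testing.T, pool, file string, ring *memberlist.Keyring, wantKey string) {
		t.Helper()
		if file != "" {
			t.Fatalf("%s: should not have keyring file, got %q", pool, file)
		}
		if wantKey == "" {
			if ring != nil {
				t.Fatalf("%s: keyring should not be loaded", pool)
			}
			return
		}
		if ring == nil {
			t.Fatalf("%s: keyring should be loaded", pool)
		}
		if err := checkForKey(wantKey, ring); err != nil {
			t.Fatalf("%s: err: %v", pool, err)
		}
	}

	// Should be no configured keyring file by default
	t.Run("no keys", func(t *testing.T) {
		a1 := NewTestAgent(t, "")
		defer a1.Shutdown()

		c1 := a1.consulConfig()
		expect(t, "LAN", c1.SerfLANConfig.KeyringFile, c1.SerfLANConfig.MemberlistConfig.Keyring, "")
		expect(t, "WAN", c1.SerfWANConfig.KeyringFile, c1.SerfWANConfig.MemberlistConfig.Keyring, "")
	})

	// Server should auto-load LAN and WAN keyring
	t.Run("server with keys", func(t *testing.T) {
		a2 := NewTestAgent(t, `
			encrypt = "`+key+`"
			disable_keyring_file = true
		`)
		defer a2.Shutdown()

		c2 := a2.consulConfig()
		expect(t, "LAN", c2.SerfLANConfig.KeyringFile, c2.SerfLANConfig.MemberlistConfig.Keyring, key)
		expect(t, "WAN", c2.SerfWANConfig.KeyringFile, c2.SerfWANConfig.MemberlistConfig.Keyring, key)
	})

	// Client should auto-load only the LAN keyring
	t.Run("client with keys", func(t *testing.T) {
		a3 := NewTestAgent(t, `
			encrypt = "`+key+`"
			server = false
			bootstrap = false
			disable_keyring_file = true
		`)
		defer a3.Shutdown()

		c3 := a3.consulConfig()
		expect(t, "LAN", c3.SerfLANConfig.KeyringFile, c3.SerfLANConfig.MemberlistConfig.Keyring, key)
		expect(t, "WAN", c3.SerfWANConfig.KeyringFile, c3.SerfWANConfig.MemberlistConfig.Keyring, "")
	})

	// Any keyring files should be ignored
	t.Run("ignore files", func(t *testing.T) {
		dir := testutil.TempDir(t, "consul")
		defer os.RemoveAll(dir)

		// Plant keyring files holding a key that is NOT configured. If the
		// agent read them despite disable_keyring_file, badKey would end up
		// in the ring next to (or instead of) the configured key.
		badKey := "unUzC2X3JgMKVJlZna5KVg=="
		for _, name := range []string{SerfLANKeyring, SerfWANKeyring} {
			if err := initKeyring(filepath.Join(dir, name), badKey); err != nil {
				t.Fatalf("err: %v", err)
			}
		}

		a4 := NewTestAgent(t, `
			encrypt = "`+key+`"
			disable_keyring_file = true
			data_dir = "`+dir+`"
		`)
		defer a4.Shutdown()

		c4 := a4.consulConfig()
		lan := c4.SerfLANConfig.MemberlistConfig.Keyring
		wan := c4.SerfWANConfig.MemberlistConfig.Keyring
		expect(t, "LAN", c4.SerfLANConfig.KeyringFile, lan, key)
		expect(t, "WAN", c4.SerfWANConfig.KeyringFile, wan, key)

		// checkForKey only compares the primary key; also make sure the
		// planted key was not installed as a secondary key.
		if !keyringIsMissingKey(lan, badKey) {
			t.Fatalf("LAN keyring contains key from ignored keyring file")
		}
		if !keyringIsMissingKey(wan, badKey) {
			t.Fatalf("WAN keyring contains key from ignored keyring file")
		}
	})
}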
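// TestAgent_InitKeyring checks that initKeyring writes the keyring file
// with exactly the configured key, keeps the file readable by its owner
// only, and never overwrites an existing keyring when called again with a
// different key: a changed `encrypt` setting must not silently replace
// the keys a running cluster already agreed on.
func TestAgent_InitKeyring(t *testing.T) {
	t.Parallel()
	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
	key2 := "4leC33rgtXKIVUr9Nr0snQ=="
	expected := fmt.Sprintf(`["%s"]`, key1)

	dir := testutil.TempDir(t, "consul")
	defer os.RemoveAll(dir)

	file := filepath.Join(dir, "keyring")

	// readKeyring returns the current file contents, failing the test on
	// any read error so each call site stays a single line.
	readKeyring := func(t *testing.T) string {
		t.Helper()
		content, err := ioutil.ReadFile(file)
		if err != nil {
			t.Fatalf("err: %s", err)
		}
		return string(content)
	}

	// First initialize the keyring
	if err := initKeyring(file, key1); err != nil {
		t.Fatalf("err: %s", err)
	}
	if got := readKeyring(t); got != expected {
		t.Fatalf("bad: %s", got)
	}

	// The file holds the gossip encryption key, so it must not be readable
	// by group or other. Windows does not model POSIX permission bits, so
	// the check is skipped there.
	if runtime.GOOS != "windows" {
		info, err := os.Stat(file)
		if err != nil {
			t.Fatalf("err: %s", err)
		}
		if perm := info.Mode().Perm(); perm&0077 != 0 {
			t.Fatalf("keyring file mode %#o is accessible by group/other; want owner-only", perm)
		}
	}

	// Try initializing again with a different key
	if err := initKeyring(file, key2); err != nil {
		t.Fatalf("err: %s", err)
	}

	// Content should still be the same: an existing keyring is left
	// untouched rather than replaced by the newly configured key.
	if got := readKeyring(t); got != expected {
		t.Fatalf("bad: %s", got)
	}
}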
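// TestAgentKeyring_ACL verifies that every keyring management operation
// (list, install, use, remove) is refused without a token when the default
// ACL policy is deny, and succeeds with the master token. Failure messages
// name the operation so a regression in one of them is attributable.
func TestAgentKeyring_ACL(t *testing.T) {
	t.Parallel()
	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
	key2 := "4leC33rgtXKIVUr9Nr0snQ=="

	a := StartTestAgent(t, TestAgent{HCL: TestACLConfig() + `
		acl_datacenter = "dc1"
		acl_master_token = "root"
		acl_default_policy = "deny"
	`, Key: key1})
	defer a.Shutdown()

	// Each operation is tried twice, in order: first anonymously, which
	// must fail with a "denied" error, then with the master token, which
	// must succeed. The sequence matters: key2 is installed before it is
	// used, and key1 is removed only after key2 has become primary.
	ops := []struct {
		name string
		call func(token string) error
	}{
		{"list", func(token string) error {
			_, err := a.ListKeys(token, false, 0)
			return err
		}},
		{"install", func(token string) error {
			_, err := a.InstallKey(key2, token, 0)
			return err
		}},
		{"use", func(token string) error {
			_, err := a.UseKey(key2, token, 0)
			return err
		}},
		{"remove", func(token string) error {
			_, err := a.RemoveKey(key1, token, 0)
			return err
		}},
	}

	for _, op := range ops {
		// Without access fails
		if err := op.call(""); err == nil || !strings.Contains(err.Error(), "denied") {
			t.Fatalf("%s: expected denied error, got: %#v", op.name, err)
		}
		// With access works
		if err := op.call("root"); err != nil {
			t.Fatalf("%s: err: %s", op.name, err)
		}
	}
}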
// TestValidateLocalOnly pins the accepted and rejected flag combinations
// for ValidateLocalOnly: both false and both true are valid, while the
// first flag set without the second is an error. (The second argument
// presumably selects the list operation — confirm against
// ValidateLocalOnly; the false/true combination is not exercised here.)
func TestValidateLocalOnly(t *testing.T) {
	cases := []struct {
		first, second bool
		wantErr       bool
	}{
		{false, false, false},
		{true, true, false},
		{true, false, true},
	}
	for _, c := range cases {
		err := ValidateLocalOnly(c.first, c.second)
		if c.wantErr {
			require.Error(t, err)
		} else {
			require.NoError(t, err)
		}
	}
}
// TestAgent_KeyringIsMissingKey builds a keyring holding a single primary
// key and checks that keyringIsMissingKey reports a key that was never
// installed as missing, and the primary key as present.
func TestAgent_KeyringIsMissingKey(t *testing.T) {
	const (
		present = "tbLJg26ZJyJ9pK3qhc9jig=="
		absent  = "4leC33rgtXKIVUr9Nr0snQ=="
	)

	primary, err := decodeStringKey(present)
	require.NoError(t, err)

	// No secondary keys: the ring consists of the primary alone.
	ring, err := memberlist.NewKeyring(nil, primary)
	require.NoError(t, err)

	require.True(t, keyringIsMissingKey(ring, absent), "uninstalled key must be reported missing")
	require.False(t, keyringIsMissingKey(ring, present), "primary key must not be reported missing")
}