consul/acl/acl_test.go

400 lines
7.6 KiB
Go
Raw Normal View History

2014-08-06 15:08:17 -07:00
package acl
import (
"testing"
)
func TestRootACL(t *testing.T) {
if RootACL("allow") != AllowAll() {
t.Fatalf("Bad root")
}
if RootACL("deny") != DenyAll() {
t.Fatalf("Bad root")
}
if RootACL("manage") != ManageAll() {
t.Fatalf("Bad root")
}
if RootACL("foo") != nil {
t.Fatalf("bad root")
}
}
2014-08-06 15:08:17 -07:00
func TestStaticACL(t *testing.T) {
all := AllowAll()
if _, ok := all.(*StaticACL); !ok {
t.Fatalf("expected static")
}
none := DenyAll()
if _, ok := none.(*StaticACL); !ok {
t.Fatalf("expected static")
}
manage := ManageAll()
if _, ok := none.(*StaticACL); !ok {
t.Fatalf("expected static")
}
2014-08-06 15:08:17 -07:00
if !all.KeyRead("foobar") {
t.Fatalf("should allow")
}
if !all.KeyWrite("foobar") {
t.Fatalf("should allow")
}
2014-11-30 20:33:46 -07:00
if !all.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !all.ServiceWrite("foobar") {
t.Fatalf("should allow")
}
if !all.EventRead("foobar") {
t.Fatalf("should allow")
}
if !all.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !all.KeyringRead() {
t.Fatalf("should allow")
}
if !all.KeyringWrite() {
t.Fatalf("should allow")
}
if all.ACLList() {
t.Fatalf("should not allow")
}
if all.ACLModify() {
t.Fatalf("should not allow")
}
2014-08-06 15:08:17 -07:00
if none.KeyRead("foobar") {
t.Fatalf("should not allow")
}
if none.KeyWrite("foobar") {
t.Fatalf("should not allow")
}
2014-11-30 20:33:46 -07:00
if none.ServiceRead("foobar") {
t.Fatalf("should not allow")
}
if none.ServiceWrite("foobar") {
t.Fatalf("should not allow")
}
2015-06-17 18:56:29 -07:00
if none.EventRead("foobar") {
t.Fatalf("should not allow")
}
if none.EventRead("") {
t.Fatalf("should not allow")
}
if none.EventWrite("foobar") {
t.Fatalf("should not allow")
}
if none.EventWrite("") {
t.Fatalf("should not allow")
}
if none.KeyringRead() {
t.Fatalf("should now allow")
}
if none.KeyringWrite() {
t.Fatalf("should not allow")
}
if none.ACLList() {
2015-06-19 10:20:38 -07:00
t.Fatalf("should not allow")
}
if none.ACLModify() {
2015-06-19 10:20:38 -07:00
t.Fatalf("should not allow")
}
if !manage.KeyRead("foobar") {
t.Fatalf("should allow")
}
if !manage.KeyWrite("foobar") {
t.Fatalf("should allow")
}
2014-11-30 20:33:46 -07:00
if !manage.ServiceRead("foobar") {
t.Fatalf("should allow")
}
if !manage.ServiceWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.EventRead("foobar") {
t.Fatalf("should allow")
}
if !manage.EventWrite("foobar") {
t.Fatalf("should allow")
}
if !manage.KeyringRead() {
t.Fatalf("should allow")
}
if !manage.KeyringWrite() {
t.Fatalf("should allow")
}
if !manage.ACLList() {
t.Fatalf("should allow")
}
if !manage.ACLModify() {
t.Fatalf("should allow")
}
2014-08-06 15:08:17 -07:00
}
func TestPolicyACL(t *testing.T) {
all := AllowAll()
policy := &Policy{
Keys: []*KeyPolicy{
&KeyPolicy{
Prefix: "foo/",
Policy: KeyPolicyWrite,
},
&KeyPolicy{
Prefix: "foo/priv/",
Policy: KeyPolicyDeny,
},
&KeyPolicy{
Prefix: "bar/",
Policy: KeyPolicyDeny,
},
&KeyPolicy{
Prefix: "zip/",
Policy: KeyPolicyRead,
},
},
2014-11-30 20:33:46 -07:00
Services: []*ServicePolicy{
&ServicePolicy{
Name: "",
Policy: ServicePolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: ServicePolicyRead,
},
&ServicePolicy{
Name: "bar",
Policy: ServicePolicyDeny,
},
2015-05-05 08:25:19 +02:00
&ServicePolicy{
Name: "barfoo",
Policy: ServicePolicyWrite,
},
2014-11-30 20:33:46 -07:00
},
2015-06-17 18:56:29 -07:00
Events: []*EventPolicy{
&EventPolicy{
Event: "",
Policy: EventPolicyRead,
},
&EventPolicy{
Event: "foo",
Policy: EventPolicyWrite,
},
&EventPolicy{
Event: "bar",
Policy: EventPolicyDeny,
},
},
2014-08-06 15:08:17 -07:00
}
acl, err := New(all, policy)
if err != nil {
t.Fatalf("err: %v", err)
}
2014-11-30 20:33:46 -07:00
type keycase struct {
inp string
read bool
write bool
writePrefix bool
2014-08-06 15:08:17 -07:00
}
2014-11-30 20:33:46 -07:00
cases := []keycase{
{"other", true, true, true},
{"foo/test", true, true, true},
{"foo/priv/test", false, false, false},
{"bar/any", false, false, false},
{"zip/test", true, false, false},
{"foo/", true, true, false},
{"", true, true, false},
2014-08-06 15:08:17 -07:00
}
for _, c := range cases {
if c.read != acl.KeyRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.KeyWrite(c.inp) {
t.Fatalf("Write fail: %#v", c)
}
if c.writePrefix != acl.KeyWritePrefix(c.inp) {
t.Fatalf("Write prefix fail: %#v", c)
}
2014-08-06 15:08:17 -07:00
}
2014-11-30 20:33:46 -07:00
// Test the services
type servicecase struct {
inp string
read bool
write bool
}
scases := []servicecase{
{"other", true, true},
{"foo", true, false},
{"bar", false, false},
2015-05-05 08:25:19 +02:00
{"foobar", true, false},
{"barfo", false, false},
{"barfoo", true, true},
{"barfoo2", true, true},
2014-11-30 20:33:46 -07:00
}
for _, c := range scases {
if c.read != acl.ServiceRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.ServiceWrite(c.inp) {
t.Fatalf("Write fail: %#v", c)
}
}
2015-06-17 18:56:29 -07:00
2015-07-07 11:21:27 -06:00
// Test the events
2015-06-17 18:56:29 -07:00
type eventcase struct {
inp string
read bool
write bool
}
eventcases := []eventcase{
{"foo", true, true},
{"foobar", true, true},
{"bar", false, false},
{"barbaz", false, false},
{"baz", true, false},
}
for _, c := range eventcases {
if c.read != acl.EventRead(c.inp) {
t.Fatalf("Event fail: %#v", c)
}
if c.write != acl.EventWrite(c.inp) {
t.Fatalf("Event fail: %#v", c)
}
}
2014-08-06 15:08:17 -07:00
}
func TestPolicyACL_Parent(t *testing.T) {
deny := DenyAll()
policyRoot := &Policy{
Keys: []*KeyPolicy{
&KeyPolicy{
Prefix: "foo/",
Policy: KeyPolicyWrite,
},
&KeyPolicy{
Prefix: "bar/",
Policy: KeyPolicyRead,
},
},
2014-11-30 20:33:46 -07:00
Services: []*ServicePolicy{
&ServicePolicy{
Name: "other",
Policy: ServicePolicyWrite,
},
&ServicePolicy{
Name: "foo",
Policy: ServicePolicyRead,
},
},
2014-08-06 15:08:17 -07:00
}
root, err := New(deny, policyRoot)
if err != nil {
t.Fatalf("err: %v", err)
}
policy := &Policy{
Keys: []*KeyPolicy{
&KeyPolicy{
Prefix: "foo/priv/",
Policy: KeyPolicyRead,
},
&KeyPolicy{
Prefix: "bar/",
Policy: KeyPolicyDeny,
},
&KeyPolicy{
Prefix: "zip/",
Policy: KeyPolicyRead,
},
},
2014-11-30 20:33:46 -07:00
Services: []*ServicePolicy{
&ServicePolicy{
Name: "bar",
Policy: ServicePolicyDeny,
},
},
2014-08-06 15:08:17 -07:00
}
acl, err := New(root, policy)
if err != nil {
t.Fatalf("err: %v", err)
}
2014-11-30 20:33:46 -07:00
type keycase struct {
inp string
read bool
write bool
writePrefix bool
2014-08-06 15:08:17 -07:00
}
2014-11-30 20:33:46 -07:00
cases := []keycase{
{"other", false, false, false},
{"foo/test", true, true, true},
{"foo/priv/test", true, false, false},
{"bar/any", false, false, false},
{"zip/test", true, false, false},
2014-08-06 15:08:17 -07:00
}
for _, c := range cases {
if c.read != acl.KeyRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.KeyWrite(c.inp) {
t.Fatalf("Write fail: %#v", c)
}
if c.writePrefix != acl.KeyWritePrefix(c.inp) {
t.Fatalf("Write prefix fail: %#v", c)
}
2014-08-06 15:08:17 -07:00
}
2014-11-30 20:33:46 -07:00
// Test the services
type servicecase struct {
inp string
read bool
write bool
}
scases := []servicecase{
{"fail", false, false},
{"other", true, true},
{"foo", true, false},
{"bar", false, false},
}
for _, c := range scases {
if c.read != acl.ServiceRead(c.inp) {
t.Fatalf("Read fail: %#v", c)
}
if c.write != acl.ServiceWrite(c.inp) {
t.Fatalf("Write fail: %#v", c)
}
}
2014-08-06 15:08:17 -07:00
}
2015-07-07 11:21:27 -06:00
func TestPolicyACL_Keyring(t *testing.T) {
// Test keyring ACLs
type keyringcase struct {
inp string
read bool
write bool
}
keyringcases := []keyringcase{
{"", false, false},
{KeyringPolicyRead, true, false},
{KeyringPolicyWrite, true, true},
{KeyringPolicyDeny, false, false},
}
for _, c := range keyringcases {
acl, err := New(DenyAll(), &Policy{Keyring: c.inp})
if err != nil {
t.Fatalf("bad: %s", err)
}
if acl.KeyringRead() != c.read {
t.Fatalf("bad: %#v", c)
}
if acl.KeyringWrite() != c.write {
t.Fatalf("bad: %#v", c)
}
}
}