2023-03-28 19:12:30 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 19:12:30 +00:00
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
package tokenupdate
|
|
|
|
|
|
|
|
import (
|
2020-02-15 15:06:05 +00:00
|
|
|
"encoding/json"
|
2018-10-19 16:04:07 +00:00
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/mitchellh/cli"
|
|
|
|
"github.com/stretchr/testify/assert"
|
2020-06-16 16:54:27 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2021-07-20 22:38:23 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent"
|
|
|
|
"github.com/hashicorp/consul/api"
|
|
|
|
"github.com/hashicorp/consul/testrpc"
|
2018-10-19 16:04:07 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestTokenUpdateCommand_noTabs(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
|
|
|
|
t.Fatal("help has tabs")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
func create_token(t *testing.T, client *api.Client, aclToken *api.ACLToken, writeOptions *api.WriteOptions) *api.ACLToken {
|
|
|
|
token, _, err := client.ACL().TokenCreate(aclToken, writeOptions)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
return token
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
func TestTokenUpdateCommand(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2018-10-19 16:04:07 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
2020-03-31 19:59:56 +00:00
|
|
|
a := agent.NewTestAgent(t, `
|
2018-10-19 16:04:07 +00:00
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
2021-12-07 12:48:50 +00:00
|
|
|
initial_management = "root"
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
// Create a policy
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
policy, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
2020-06-16 16:54:27 +00:00
|
|
|
require.NoError(t, err)
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
run := func(t *testing.T, args []string) *api.ACLToken {
|
|
|
|
ui := cli.NewMockUi()
|
2018-11-05 14:32:09 +00:00
|
|
|
cmd := New(ui)
|
2020-06-16 16:54:27 +00:00
|
|
|
|
|
|
|
code := cmd.Run(append(args, "-format=json"))
|
|
|
|
require.Equal(t, 0, code)
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
var token api.ACLToken
|
|
|
|
require.NoError(t, json.Unmarshal(ui.OutputWriter.Bytes(), &token))
|
|
|
|
return &token
|
|
|
|
}
|
|
|
|
|
|
|
|
// update with node identity
|
|
|
|
t.Run("node-identity", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2018-10-19 16:04:07 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2018-10-19 16:04:07 +00:00
|
|
|
"-token=root",
|
2020-06-16 16:54:27 +00:00
|
|
|
"-node-identity=foo:bar",
|
2018-10-19 16:04:07 +00:00
|
|
|
"-description=test token",
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.NodeIdentities, 1)
|
|
|
|
require.Equal(t, "foo", responseToken.NodeIdentities[0].NodeName)
|
|
|
|
require.Equal(t, "bar", responseToken.NodeIdentities[0].Datacenter)
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("node-identity-merge", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t,
|
|
|
|
client,
|
|
|
|
&api.ACLToken{Description: "test", NodeIdentities: []*api.ACLNodeIdentity{{NodeName: "foo", Datacenter: "bar"}}},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2020-06-16 16:54:27 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2020-06-16 16:54:27 +00:00
|
|
|
"-token=root",
|
|
|
|
"-node-identity=bar:baz",
|
|
|
|
"-description=test token",
|
|
|
|
"-merge-node-identities",
|
|
|
|
})
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.NodeIdentities, 2)
|
2020-06-16 16:54:27 +00:00
|
|
|
expected := []*api.ACLNodeIdentity{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2020-06-16 16:54:27 +00:00
|
|
|
NodeName: "foo",
|
|
|
|
Datacenter: "bar",
|
|
|
|
},
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2020-06-16 16:54:27 +00:00
|
|
|
NodeName: "bar",
|
|
|
|
Datacenter: "baz",
|
|
|
|
},
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2023-03-06 23:14:06 +00:00
|
|
|
require.ElementsMatch(t, expected, responseToken.NodeIdentities)
|
2023-03-06 15:00:39 +00:00
|
|
|
})
|
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
// update with policy by name
|
|
|
|
t.Run("policy-name", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2020-06-16 16:54:27 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2020-06-16 16:54:27 +00:00
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy.Name,
|
|
|
|
"-description=test token",
|
|
|
|
})
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.Policies, 1)
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2018-10-19 16:04:07 +00:00
|
|
|
|
|
|
|
// update with policy by id
|
2020-06-16 16:54:27 +00:00
|
|
|
t.Run("policy-id", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2018-10-19 16:04:07 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2018-10-19 16:04:07 +00:00
|
|
|
"-token=root",
|
|
|
|
"-policy-id=" + policy.ID,
|
|
|
|
"-description=test token",
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2018-10-19 16:04:07 +00:00
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.Policies, 1)
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2018-11-05 14:32:09 +00:00
|
|
|
|
2023-03-06 15:00:39 +00:00
|
|
|
// update with service-identity
|
|
|
|
t.Run("service-identity", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2023-03-06 15:00:39 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-accessor-id=" + token.AccessorID,
|
|
|
|
"-token=root",
|
|
|
|
"-service-identity=service:datapalace",
|
|
|
|
"-description=test token",
|
|
|
|
})
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.ServiceIdentities, 1)
|
|
|
|
require.Equal(t, "service", responseToken.ServiceIdentities[0].ServiceName)
|
2023-03-06 15:00:39 +00:00
|
|
|
})
|
|
|
|
|
2018-11-05 14:32:09 +00:00
|
|
|
// update with no description shouldn't delete the current description
|
2020-06-16 16:54:27 +00:00
|
|
|
t.Run("merge-description", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test token"}, &api.WriteOptions{Token: "root"})
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2018-11-05 14:32:09 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2018-11-05 14:32:09 +00:00
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy.Name,
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2018-11-05 14:32:09 +00:00
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Equal(t, "test token", responseToken.Description)
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2018-10-19 16:04:07 +00:00
|
|
|
}
|
2020-02-15 15:06:05 +00:00
|
|
|
|
2023-03-01 20:00:37 +00:00
|
|
|
func TestTokenUpdateCommandWithAppend(t *testing.T) {
|
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
a := agent.NewTestAgent(t, `
|
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
|
|
|
initial_management = "root"
|
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
// Create a policy
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
policy, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
//secondary policy
|
|
|
|
secondPolicy, _, policyErr := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "secondary-policy"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, policyErr)
|
|
|
|
|
|
|
|
run := func(t *testing.T, args []string) *api.ACLToken {
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
|
|
|
|
code := cmd.Run(append(args, "-format=json"))
|
|
|
|
require.Equal(t, 0, code)
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
var token api.ACLToken
|
|
|
|
require.NoError(t, json.Unmarshal(ui.OutputWriter.Bytes(), &token))
|
|
|
|
return &token
|
|
|
|
}
|
|
|
|
|
|
|
|
// update with append-policy-name
|
|
|
|
t.Run("append-policy-name", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client,
|
|
|
|
&api.ACLToken{Description: "test", Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}}},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2023-03-01 20:00:37 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-accessor-id=" + token.AccessorID,
|
|
|
|
"-token=root",
|
|
|
|
"-append-policy-name=" + secondPolicy.Name,
|
|
|
|
"-description=test token",
|
|
|
|
})
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.Policies, 2)
|
2023-03-01 20:00:37 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
// update with append-policy-id
|
|
|
|
t.Run("append-policy-id", func(t *testing.T) {
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client,
|
|
|
|
&api.ACLToken{Description: "test", Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}}},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
2023-03-01 20:00:37 +00:00
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-accessor-id=" + token.AccessorID,
|
|
|
|
"-token=root",
|
2023-03-06 23:14:06 +00:00
|
|
|
"-append-policy-id=" + secondPolicy.ID,
|
2023-03-01 20:00:37 +00:00
|
|
|
"-description=test token",
|
|
|
|
})
|
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
require.Len(t, responseToken.Policies, 2)
|
|
|
|
})
|
|
|
|
|
|
|
|
// update with append-node-identity
|
|
|
|
t.Run("append-node-identity", func(t *testing.T) {
|
|
|
|
token := create_token(t, client,
|
|
|
|
&api.ACLToken{
|
|
|
|
Description: "test",
|
|
|
|
Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}},
|
|
|
|
NodeIdentities: []*api.ACLNodeIdentity{{NodeName: "namenode", Datacenter: "somewhere"}},
|
|
|
|
},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-accessor-id=" + token.AccessorID,
|
|
|
|
"-token=root",
|
|
|
|
"-append-node-identity=third:node",
|
|
|
|
"-description=test token",
|
|
|
|
})
|
|
|
|
|
|
|
|
require.Len(t, responseToken.NodeIdentities, 2)
|
|
|
|
require.Equal(t, "third", responseToken.NodeIdentities[1].NodeName)
|
|
|
|
require.Equal(t, "node", responseToken.NodeIdentities[1].Datacenter)
|
|
|
|
})
|
|
|
|
|
|
|
|
// update with append-service-identity
|
|
|
|
t.Run("append-service-identity", func(t *testing.T) {
|
|
|
|
token := create_token(t, client,
|
|
|
|
&api.ACLToken{
|
|
|
|
Description: "test",
|
|
|
|
Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}},
|
|
|
|
ServiceIdentities: []*api.ACLServiceIdentity{{ServiceName: "service"}},
|
|
|
|
},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
|
|
|
|
responseToken := run(t, []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-accessor-id=" + token.AccessorID,
|
|
|
|
"-token=root",
|
|
|
|
"-append-service-identity=web",
|
|
|
|
"-description=test token",
|
|
|
|
})
|
|
|
|
|
|
|
|
require.Len(t, responseToken.ServiceIdentities, 2)
|
|
|
|
require.Equal(t, "web", responseToken.ServiceIdentities[1].ServiceName)
|
2023-03-01 20:00:37 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-02-15 15:06:05 +00:00
|
|
|
func TestTokenUpdateCommand_JSON(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2020-02-15 15:06:05 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
2020-03-31 19:59:56 +00:00
|
|
|
a := agent.NewTestAgent(t, `
|
2020-02-15 15:06:05 +00:00
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
2021-12-07 12:48:50 +00:00
|
|
|
initial_management = "root"
|
2020-02-15 15:06:05 +00:00
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
|
|
|
|
// Create a policy
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
policy, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
2022-01-20 16:45:56 +00:00
|
|
|
require.NoError(t, err)
|
2020-02-15 15:06:05 +00:00
|
|
|
|
2023-03-06 23:14:06 +00:00
|
|
|
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
|
2020-02-15 15:06:05 +00:00
|
|
|
|
|
|
|
t.Run("update with policy by name", func(t *testing.T) {
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
2023-02-07 18:26:30 +00:00
|
|
|
"-accessor-id=" + token.AccessorID,
|
2020-02-15 15:06:05 +00:00
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy.Name,
|
|
|
|
"-description=test token",
|
|
|
|
"-format=json",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
|
|
|
assert.Equal(t, code, 0)
|
|
|
|
assert.Empty(t, ui.ErrorWriter.String())
|
2020-02-15 15:06:05 +00:00
|
|
|
|
|
|
|
var jsonOutput json.RawMessage
|
|
|
|
err := json.Unmarshal([]byte(ui.OutputWriter.String()), &jsonOutput)
|
|
|
|
require.NoError(t, err, "token unmarshalling error")
|
|
|
|
})
|
|
|
|
}
|