2023-03-28 20:12:41 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 20:12:41 +00:00
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
package acl
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
|
|
|
type testAuthorizer EnforcementDecision
|
|
|
|
|
2020-11-04 18:50:03 +00:00
|
|
|
var _ Authorizer = testAuthorizer(Allow)
|
|
|
|
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) ACLRead(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) ACLWrite(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) AgentRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) AgentWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) EventRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) EventWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2023-09-12 21:22:51 +00:00
|
|
|
func (authz testAuthorizer) IdentityRead(string, *AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
func (authz testAuthorizer) IdentityReadAll(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
func (authz testAuthorizer) IdentityWrite(string, *AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
func (authz testAuthorizer) IdentityWriteAny(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) IntentionDefaultAllow(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) IntentionRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) IntentionWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyList(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyWritePrefix(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyringRead(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) KeyringWrite(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) NodeRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2020-11-04 18:50:03 +00:00
|
|
|
func (authz testAuthorizer) NodeReadAll(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) NodeWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2021-08-20 22:11:01 +00:00
|
|
|
func (authz testAuthorizer) MeshRead(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
func (authz testAuthorizer) MeshWrite(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2022-07-22 20:42:23 +00:00
|
|
|
func (authz testAuthorizer) PeeringRead(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
func (authz testAuthorizer) PeeringWrite(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) OperatorRead(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) OperatorWrite(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) PreparedQueryRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) PreparedQueryWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) ServiceRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
2020-11-04 18:50:03 +00:00
|
|
|
}
|
|
|
|
func (authz testAuthorizer) ServiceReadAll(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
2019-10-15 20:58:50 +00:00
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) ServiceWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2022-03-24 11:25:05 +00:00
|
|
|
func (authz testAuthorizer) ServiceWriteAny(*AuthorizerContext) EnforcementDecision {
|
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) SessionRead(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) SessionWrite(string, *AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
2019-12-18 18:43:24 +00:00
|
|
|
func (authz testAuthorizer) Snapshot(*AuthorizerContext) EnforcementDecision {
|
2019-10-15 20:58:50 +00:00
|
|
|
return EnforcementDecision(authz)
|
|
|
|
}
|
|
|
|
|
2022-03-11 02:48:27 +00:00
|
|
|
func (authz testAuthorizer) ToAllowAuthorizer() AllowAuthorizer {
|
|
|
|
return AllowAuthorizer{Authorizer: &authz}
|
|
|
|
}
|
|
|
|
|
2019-10-15 20:58:50 +00:00
|
|
|
func TestChainedAuthorizer(t *testing.T) {
|
|
|
|
t.Run("No Authorizers", func(t *testing.T) {
|
|
|
|
authz := NewChainedAuthorizer([]Authorizer{})
|
|
|
|
checkDenyACLRead(t, authz, "foo", nil)
|
|
|
|
checkDenyACLWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentRead(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyEventRead(t, authz, "foo", nil)
|
|
|
|
checkDenyEventWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionDefaultAllow(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionRead(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyList(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWritePrefix(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeRead(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeWrite(t, authz, "foo", nil)
|
2021-08-20 22:11:01 +00:00
|
|
|
checkDenyMeshRead(t, authz, "foo", nil)
|
|
|
|
checkDenyMeshWrite(t, authz, "foo", nil)
|
2022-07-22 20:42:23 +00:00
|
|
|
checkDenyPeeringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPeeringWrite(t, authz, "foo", nil)
|
2019-10-15 20:58:50 +00:00
|
|
|
checkDenyOperatorRead(t, authz, "foo", nil)
|
|
|
|
checkDenyOperatorWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceRead(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySessionRead(t, authz, "foo", nil)
|
|
|
|
checkDenySessionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySnapshot(t, authz, "foo", nil)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Authorizer Defaults", func(t *testing.T) {
|
|
|
|
authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Default)})
|
|
|
|
checkDenyACLRead(t, authz, "foo", nil)
|
|
|
|
checkDenyACLWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentRead(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyEventRead(t, authz, "foo", nil)
|
|
|
|
checkDenyEventWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionDefaultAllow(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionRead(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyList(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWritePrefix(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeRead(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeWrite(t, authz, "foo", nil)
|
2021-08-20 22:11:01 +00:00
|
|
|
checkDenyMeshRead(t, authz, "foo", nil)
|
|
|
|
checkDenyMeshWrite(t, authz, "foo", nil)
|
2022-07-22 20:42:23 +00:00
|
|
|
checkDenyPeeringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPeeringWrite(t, authz, "foo", nil)
|
2019-10-15 20:58:50 +00:00
|
|
|
checkDenyOperatorRead(t, authz, "foo", nil)
|
|
|
|
checkDenyOperatorWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceRead(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySessionRead(t, authz, "foo", nil)
|
|
|
|
checkDenySessionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySnapshot(t, authz, "foo", nil)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Authorizer No Defaults", func(t *testing.T) {
|
|
|
|
authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Allow)})
|
|
|
|
checkAllowACLRead(t, authz, "foo", nil)
|
|
|
|
checkAllowACLWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowAgentRead(t, authz, "foo", nil)
|
|
|
|
checkAllowAgentWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowEventRead(t, authz, "foo", nil)
|
|
|
|
checkAllowEventWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionDefaultAllow(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionRead(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyRead(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyList(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyringRead(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyringWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyWritePrefix(t, authz, "foo", nil)
|
|
|
|
checkAllowNodeRead(t, authz, "foo", nil)
|
|
|
|
checkAllowNodeWrite(t, authz, "foo", nil)
|
2021-08-20 22:11:01 +00:00
|
|
|
checkAllowMeshRead(t, authz, "foo", nil)
|
|
|
|
checkAllowMeshWrite(t, authz, "foo", nil)
|
2022-07-22 20:42:23 +00:00
|
|
|
checkAllowPeeringRead(t, authz, "foo", nil)
|
|
|
|
checkAllowPeeringWrite(t, authz, "foo", nil)
|
2019-10-15 20:58:50 +00:00
|
|
|
checkAllowOperatorRead(t, authz, "foo", nil)
|
|
|
|
checkAllowOperatorWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowPreparedQueryRead(t, authz, "foo", nil)
|
|
|
|
checkAllowPreparedQueryWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowServiceRead(t, authz, "foo", nil)
|
|
|
|
checkAllowServiceWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowSessionRead(t, authz, "foo", nil)
|
|
|
|
checkAllowSessionWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowSnapshot(t, authz, "foo", nil)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("First Found", func(t *testing.T) {
|
|
|
|
authz := NewChainedAuthorizer([]Authorizer{testAuthorizer(Deny), testAuthorizer(Allow)})
|
|
|
|
checkDenyACLRead(t, authz, "foo", nil)
|
|
|
|
checkDenyACLWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentRead(t, authz, "foo", nil)
|
|
|
|
checkDenyAgentWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyEventRead(t, authz, "foo", nil)
|
|
|
|
checkDenyEventWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionDefaultAllow(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionRead(t, authz, "foo", nil)
|
|
|
|
checkDenyIntentionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyList(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyringWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyKeyWritePrefix(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeRead(t, authz, "foo", nil)
|
|
|
|
checkDenyNodeWrite(t, authz, "foo", nil)
|
2021-08-20 22:11:01 +00:00
|
|
|
checkDenyMeshRead(t, authz, "foo", nil)
|
|
|
|
checkDenyMeshWrite(t, authz, "foo", nil)
|
2022-07-22 20:42:23 +00:00
|
|
|
checkDenyPeeringRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPeeringWrite(t, authz, "foo", nil)
|
2019-10-15 20:58:50 +00:00
|
|
|
checkDenyOperatorRead(t, authz, "foo", nil)
|
|
|
|
checkDenyOperatorWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryRead(t, authz, "foo", nil)
|
|
|
|
checkDenyPreparedQueryWrite(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceRead(t, authz, "foo", nil)
|
|
|
|
checkDenyServiceWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySessionRead(t, authz, "foo", nil)
|
|
|
|
checkDenySessionWrite(t, authz, "foo", nil)
|
|
|
|
checkDenySnapshot(t, authz, "foo", nil)
|
|
|
|
|
|
|
|
authz = NewChainedAuthorizer([]Authorizer{testAuthorizer(Default), testAuthorizer(Allow)})
|
|
|
|
checkAllowACLRead(t, authz, "foo", nil)
|
|
|
|
checkAllowACLWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowAgentRead(t, authz, "foo", nil)
|
|
|
|
checkAllowAgentWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowEventRead(t, authz, "foo", nil)
|
|
|
|
checkAllowEventWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionDefaultAllow(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionRead(t, authz, "foo", nil)
|
|
|
|
checkAllowIntentionWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyRead(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyList(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyringRead(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyringWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowKeyWritePrefix(t, authz, "foo", nil)
|
|
|
|
checkAllowNodeRead(t, authz, "foo", nil)
|
|
|
|
checkAllowNodeWrite(t, authz, "foo", nil)
|
2021-08-20 22:11:01 +00:00
|
|
|
checkAllowMeshRead(t, authz, "foo", nil)
|
|
|
|
checkAllowMeshWrite(t, authz, "foo", nil)
|
2022-07-22 20:42:23 +00:00
|
|
|
checkAllowPeeringRead(t, authz, "foo", nil)
|
|
|
|
checkAllowPeeringWrite(t, authz, "foo", nil)
|
2019-10-15 20:58:50 +00:00
|
|
|
checkAllowOperatorRead(t, authz, "foo", nil)
|
|
|
|
checkAllowOperatorWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowPreparedQueryRead(t, authz, "foo", nil)
|
|
|
|
checkAllowPreparedQueryWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowServiceRead(t, authz, "foo", nil)
|
|
|
|
checkAllowServiceWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowSessionRead(t, authz, "foo", nil)
|
|
|
|
checkAllowSessionWrite(t, authz, "foo", nil)
|
|
|
|
checkAllowSnapshot(t, authz, "foo", nil)
|
|
|
|
})
|
|
|
|
|
|
|
|
}
|