2023-09-08 12:45:24 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
|
|
|
//go:build !consulent
|
|
|
|
|
|
|
|
package structs
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2023-10-05 19:45:41 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/consul/api"
|
2023-09-08 12:45:24 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestStructs_ACLTemplatedPolicy_SyntheticPolicy(t *testing.T) {
|
|
|
|
type testCase struct {
|
|
|
|
templatedPolicy *ACLTemplatedPolicy
|
|
|
|
expectedPolicy *ACLPolicy
|
|
|
|
}
|
|
|
|
|
|
|
|
testCases := map[string]testCase{
|
|
|
|
"service-identity-template": {
|
|
|
|
templatedPolicy: &ACLTemplatedPolicy{
|
|
|
|
TemplateID: ACLTemplatedPolicyServiceID,
|
|
|
|
TemplateName: api.ACLTemplatedPolicyServiceName,
|
|
|
|
TemplateVariables: &ACLTemplatedPolicyVariables{
|
|
|
|
Name: "api",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
expectedPolicy: &ACLPolicy{
|
|
|
|
Description: "synthetic policy generated from templated policy: builtin/service",
|
|
|
|
Rules: `
|
|
|
|
service "api" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service "api-sidecar-proxy" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"node-identity-template": {
|
|
|
|
templatedPolicy: &ACLTemplatedPolicy{
|
|
|
|
TemplateID: ACLTemplatedPolicyNodeID,
|
|
|
|
TemplateName: api.ACLTemplatedPolicyNodeName,
|
|
|
|
TemplateVariables: &ACLTemplatedPolicyVariables{
|
|
|
|
Name: "web",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
expectedPolicy: &ACLPolicy{
|
|
|
|
Description: "synthetic policy generated from templated policy: builtin/node",
|
|
|
|
Rules: `
|
|
|
|
node "web" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"dns-template": {
|
|
|
|
templatedPolicy: &ACLTemplatedPolicy{
|
|
|
|
TemplateID: ACLTemplatedPolicyDNSID,
|
|
|
|
TemplateName: api.ACLTemplatedPolicyDNSName,
|
|
|
|
},
|
|
|
|
expectedPolicy: &ACLPolicy{
|
|
|
|
Description: "synthetic policy generated from templated policy: builtin/dns",
|
|
|
|
Rules: `
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
query_prefix "" {
|
|
|
|
policy = "read"
|
2023-10-05 19:45:41 +00:00
|
|
|
}`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"workload-identity-template": {
|
|
|
|
templatedPolicy: &ACLTemplatedPolicy{
|
|
|
|
TemplateID: ACLTemplatedPolicyWorkloadIdentityID,
|
|
|
|
TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
|
|
|
|
TemplateVariables: &ACLTemplatedPolicyVariables{
|
|
|
|
Name: "api",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
expectedPolicy: &ACLPolicy{
|
|
|
|
Description: "synthetic policy generated from templated policy: builtin/workload-identity",
|
|
|
|
Rules: `identity "api" {
|
|
|
|
policy = "write"
|
2023-11-24 17:55:05 +00:00
|
|
|
}`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"api-gateway-template": {
|
|
|
|
templatedPolicy: &ACLTemplatedPolicy{
|
|
|
|
TemplateID: ACLTemplatedPolicyAPIGatewayID,
|
|
|
|
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
|
|
|
|
TemplateVariables: &ACLTemplatedPolicyVariables{
|
|
|
|
Name: "api-gateway",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
expectedPolicy: &ACLPolicy{
|
|
|
|
Description: "synthetic policy generated from templated policy: builtin/api-gateway",
|
|
|
|
Rules: `mesh = "read"
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
service "api-gateway" {
|
|
|
|
policy = "write"
|
2023-09-08 12:45:24 +00:00
|
|
|
}`,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, tcase := range testCases {
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
policy, err := tcase.templatedPolicy.SyntheticPolicy(nil)
|
|
|
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, tcase.expectedPolicy.Description, policy.Description)
|
|
|
|
require.Equal(t, tcase.expectedPolicy.Rules, policy.Rules)
|
|
|
|
require.Contains(t, policy.Name, "synthetic-policy-")
|
|
|
|
require.NotEmpty(t, policy.Hash)
|
|
|
|
require.NotEmpty(t, policy.ID)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|