2016-12-13 23:21:14 -08:00
|
|
|
package agent
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2017-09-25 20:40:42 +02:00
|
|
|
"os"
|
2016-12-13 23:21:14 -08:00
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
rawacl "github.com/hashicorp/consul/acl"
|
2017-09-25 20:40:42 +02:00
|
|
|
"github.com/hashicorp/consul/agent/config"
|
2017-07-06 12:34:00 +02:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2017-05-12 15:41:13 +02:00
|
|
|
"github.com/hashicorp/consul/testutil"
|
2016-12-14 19:28:09 -08:00
|
|
|
"github.com/hashicorp/consul/types"
|
|
|
|
"github.com/hashicorp/serf/serf"
|
2016-12-13 23:21:14 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestACL_Bad_Config(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
|
|
|
|
dataDir := testutil.TempDir(t, "agent")
|
|
|
|
defer os.Remove(dataDir)
|
|
|
|
|
|
|
|
cfg := TestConfig(config.Source{
|
|
|
|
Name: "acl",
|
|
|
|
Format: "hcl",
|
|
|
|
Data: `
|
|
|
|
acl_down_policy = "nope"
|
|
|
|
data_dir = "` + dataDir + `"
|
|
|
|
`,
|
|
|
|
})
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-05-31 10:56:19 +02:00
|
|
|
// do not use TestAgent here since we want
|
|
|
|
// the agent to fail during startup.
|
pkg refactor
command/agent/* -> agent/*
command/consul/* -> agent/consul/*
command/agent/command{,_test}.go -> command/agent{,_test}.go
command/base/command.go -> command/base.go
command/base/* -> command/*
commands.go -> command/commands.go
The script which did the refactor is:
(
cd $GOPATH/src/github.com/hashicorp/consul
git mv command/agent/command.go command/agent.go
git mv command/agent/command_test.go command/agent_test.go
git mv command/agent/flag_slice_value{,_test}.go command/
git mv command/agent .
git mv command/base/command.go command/base.go
git mv command/base/config_util{,_test}.go command/
git mv commands.go command/
git mv consul agent
rmdir command/base/
gsed -i -e 's|package agent|package command|' command/agent{,_test}.go
gsed -i -e 's|package agent|package command|' command/flag_slice_value{,_test}.go
gsed -i -e 's|package base|package command|' command/base.go command/config_util{,_test}.go
gsed -i -e 's|package main|package command|' command/commands.go
gsed -i -e 's|base.Command|BaseCommand|' command/commands.go
gsed -i -e 's|agent.Command|AgentCommand|' command/commands.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/commands.go
gsed -i -e 's|base\.||' command/commands.go
gsed -i -e 's|command\.||' command/commands.go
gsed -i -e 's|command|c|' main.go
gsed -i -e 's|range Commands|range command.Commands|' main.go
gsed -i -e 's|Commands: Commands|Commands: command.Commands|' main.go
gsed -i -e 's|base\.BoolValue|BoolValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.DurationValue|DurationValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.StringValue|StringValue|' command/operator_autopilot_set.go
gsed -i -e 's|base\.UintValue|UintValue|' command/operator_autopilot_set.go
gsed -i -e 's|\bCommand\b|BaseCommand|' command/base.go
gsed -i -e 's|BaseCommand Options|Command Options|' command/base.go
gsed -i -e 's|base.Command|BaseCommand|' command/*.go
gsed -i -e 's|c\.Command|c.BaseCommand|g' command/*.go
gsed -i -e 's|\tCommand:|\tBaseCommand:|' command/*_test.go
gsed -i -e 's|base\.||' command/*_test.go
gsed -i -e 's|\bCommand\b|AgentCommand|' command/agent{,_test}.go
gsed -i -e 's|cmd.AgentCommand|cmd.BaseCommand|' command/agent.go
gsed -i -e 's|cli.AgentCommand = new(Command)|cli.Command = new(AgentCommand)|' command/agent_test.go
gsed -i -e 's|exec.AgentCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|exec.BaseCommand|exec.Command|' command/agent_test.go
gsed -i -e 's|NewTestAgent|agent.NewTestAgent|' command/agent_test.go
gsed -i -e 's|= TestConfig|= agent.TestConfig|' command/agent_test.go
gsed -i -e 's|: RetryJoin|: agent.RetryJoin|' command/agent_test.go
gsed -i -e 's|\.\./\.\./|../|' command/config_util_test.go
gsed -i -e 's|\bverifyUniqueListeners|VerifyUniqueListeners|' agent/config{,_test}.go command/agent.go
gsed -i -e 's|\bserfLANKeyring\b|SerfLANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bserfWANKeyring\b|SerfWANKeyring|g' agent/{agent,keyring,testagent}.go command/agent.go
gsed -i -e 's|\bNewAgent\b|agent.New|g' command/agent{,_test}.go
gsed -i -e 's|\bNewAgent|New|' agent/{acl_test,agent,testagent}.go
gsed -i -e 's|\bAgent\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bBool\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDefaultConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bDevConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bMergeConfig\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bReadConfigPaths\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bParseMetaPair\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfLANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|\bSerfWANKeyring\b|agent.&|g' command/agent{,_test}.go
gsed -i -e 's|circonus\.agent|circonus|g' command/agent{,_test}.go
gsed -i -e 's|logger\.agent|logger|g' command/agent{,_test}.go
gsed -i -e 's|metrics\.agent|metrics|g' command/agent{,_test}.go
gsed -i -e 's|// agent.Agent|// agent|' command/agent{,_test}.go
gsed -i -e 's|a\.agent\.Config|a.Config|' command/agent{,_test}.go
gsed -i -e 's|agent\.AppendSliceValue|AppendSliceValue|' command/{configtest,validate}.go
gsed -i -e 's|consul/consul|agent/consul|' GNUmakefile
gsed -i -e 's|\.\./test|../../test|' agent/consul/server_test.go
# fix imports
f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/command/agent|github.com/hashicorp/consul/agent|' $f
goimports -w $f
f=$(grep -rl 'github.com/hashicorp/consul/consul' * | grep '\.go')
gsed -i -e 's|github.com/hashicorp/consul/consul|github.com/hashicorp/consul/agent/consul|' $f
goimports -w $f
goimports -w command/*.go main.go
)
2017-06-10 00:28:28 +02:00
|
|
|
_, err := New(cfg)
|
2016-12-13 23:21:14 -08:00
|
|
|
if err == nil || !strings.Contains(err.Error(), "invalid ACL down policy") {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
type MockServer struct {
|
|
|
|
getPolicyFn func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *MockServer) GetPolicy(args *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
if m.getPolicyFn != nil {
|
|
|
|
return m.getPolicyFn(args, reply)
|
|
|
|
}
|
2017-04-20 18:59:42 -07:00
|
|
|
return fmt.Errorf("should not have called GetPolicy")
|
2016-12-13 23:21:14 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Version8(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-09-25 20:40:42 +02:00
|
|
|
t.Run("version 8 disabled", func(t *testing.T) {
|
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = false
|
|
|
|
`)
|
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-09-25 20:40:42 +02:00
|
|
|
m := MockServer{
|
|
|
|
getPolicyFn: func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
t.Fatalf("should not have called to server")
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if token, err := a.resolveToken("nope"); token != nil || err != nil {
|
|
|
|
t.Fatalf("bad: %v err: %v", token, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("version 8 enabled", func(t *testing.T) {
|
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
|
|
|
defer a.Shutdown()
|
|
|
|
|
|
|
|
var called bool
|
|
|
|
m := MockServer{
|
|
|
|
getPolicyFn: func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
called = true
|
|
|
|
return fmt.Errorf("token not found")
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := a.resolveToken("nope"); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !called {
|
|
|
|
t.Fatalf("bad")
|
|
|
|
}
|
|
|
|
})
|
2016-12-13 23:21:14 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Disabled(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_disabled_ttl = "10ms"
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// Fetch a token without ACLs enabled and make sure the manager sees it.
|
|
|
|
getPolicyFn: func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
2017-08-23 16:52:48 +02:00
|
|
|
return rawacl.ErrDisabled
|
2017-07-05 12:38:11 +02:00
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-05-21 09:11:09 +02:00
|
|
|
if a.acls.isDisabled() {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be disabled yet")
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if token, err := a.resolveToken("nope"); token != nil || err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("bad: %v err: %v", token, err)
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if !a.acls.isDisabled() {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should be disabled")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now turn on ACLs and check right away, it should still think ACLs are
|
|
|
|
// disabled since we don't check again right away.
|
|
|
|
m.getPolicyFn = func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
2017-08-23 16:52:48 +02:00
|
|
|
return rawacl.ErrNotFound
|
2016-12-13 23:21:14 -08:00
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if token, err := a.resolveToken("nope"); token != nil || err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("bad: %v err: %v", token, err)
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if !a.acls.isDisabled() {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should be disabled")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait the waiting period and make sure it checks again. Do a few tries
|
|
|
|
// to make sure we don't think it's disabled.
|
2017-09-25 20:40:42 +02:00
|
|
|
time.Sleep(2 * 10 * time.Millisecond)
|
2016-12-13 23:21:14 -08:00
|
|
|
for i := 0; i < 10; i++ {
|
2017-05-21 09:11:09 +02:00
|
|
|
_, err := a.resolveToken("nope")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrNotFound(err) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if a.acls.isDisabled() {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be disabled")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Special_IDs(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
acl_agent_master_token = "towel"
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// An empty ID should get mapped to the anonymous token.
|
|
|
|
getPolicyFn: func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
if req.ACL != "anonymous" {
|
|
|
|
t.Fatalf("bad: %#v", *req)
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
return rawacl.ErrNotFound
|
2017-07-05 12:38:11 +02:00
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
_, err := a.resolveToken("")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrNotFound(err) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// A root ACL request should get rejected and not call the server.
|
|
|
|
m.getPolicyFn = func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
t.Fatalf("should not have called to server")
|
|
|
|
return nil
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
_, err = a.resolveToken("deny")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrRootDenied(err) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// The ACL master token should also not call the server, but should give
|
2017-05-31 01:05:21 +02:00
|
|
|
// us a working agent token.
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err := a.resolveToken("towel")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should be able to read agent")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !acl.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should be able to write agent")
|
|
|
|
}
|
2017-07-16 20:08:26 -07:00
|
|
|
if !acl.NodeRead("hello") {
|
|
|
|
t.Fatalf("should be able to read any node")
|
|
|
|
}
|
2017-09-14 14:31:01 -05:00
|
|
|
if acl.NodeWrite("hello", nil) {
|
2017-07-16 20:08:26 -07:00
|
|
|
t.Fatalf("should not be able to write any node")
|
|
|
|
}
|
2016-12-13 23:21:14 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Down_Deny(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_down_policy = "deny"
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// Resolve with ACLs down.
|
|
|
|
getPolicyFn: func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
return fmt.Errorf("ACLs are broken")
|
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err := a.resolveToken("nope")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Down_Allow(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_down_policy = "allow"
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// Resolve with ACLs down.
|
|
|
|
getPolicyFn: func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
return fmt.Errorf("ACLs are broken")
|
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err := a.resolveToken("nope")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Down_Extend(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_down_policy = "extend-cache"
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// Populate the cache for one of the tokens.
|
|
|
|
getPolicyFn: func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
*reply = structs.ACLPolicy{
|
|
|
|
Parent: "allow",
|
|
|
|
Policy: &rawacl.Policy{
|
|
|
|
Agents: []*rawacl.AgentPolicy{
|
|
|
|
&rawacl.AgentPolicy{
|
2017-09-25 20:40:42 +02:00
|
|
|
Node: a.config.NodeName,
|
2017-07-05 12:38:11 +02:00
|
|
|
Policy: "read",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err := a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if acl.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now take down ACLs and make sure a new token fails to resolve.
|
|
|
|
m.getPolicyFn = func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
return fmt.Errorf("ACLs are broken")
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err = a.resolveToken("nope")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if acl.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read the token from the cache while ACLs are broken, which should
|
|
|
|
// extend.
|
2017-05-21 09:11:09 +02:00
|
|
|
acl, err = a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if acl == nil {
|
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !acl.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if acl.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_Cache(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-13 23:21:14 -08:00
|
|
|
|
2017-07-05 12:38:11 +02:00
|
|
|
m := MockServer{
|
|
|
|
// Populate the cache for one of the tokens.
|
|
|
|
getPolicyFn: func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
*reply = structs.ACLPolicy{
|
|
|
|
ETag: "hash1",
|
|
|
|
Parent: "deny",
|
|
|
|
Policy: &rawacl.Policy{
|
|
|
|
Agents: []*rawacl.AgentPolicy{
|
|
|
|
&rawacl.AgentPolicy{
|
2017-09-25 20:40:42 +02:00
|
|
|
Node: a.config.NodeName,
|
2017-07-05 12:38:11 +02:00
|
|
|
Policy: "read",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
TTL: 10 * time.Millisecond,
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-08-23 16:52:48 +02:00
|
|
|
rule, err := a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule == nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if rule.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule.NodeRead("nope") {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetch right away and make sure it uses the cache.
|
|
|
|
m.getPolicyFn = func(*structs.ACLPolicyRequest, *structs.ACLPolicy) error {
|
|
|
|
t.Fatalf("should not have called to server")
|
|
|
|
return nil
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
rule, err = a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule == nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if rule.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule.NodeRead("nope") {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait for the TTL to expire and try again. This time the token will be
|
|
|
|
// gone.
|
|
|
|
time.Sleep(20 * time.Millisecond)
|
|
|
|
m.getPolicyFn = func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
2017-08-23 16:52:48 +02:00
|
|
|
return rawacl.ErrNotFound
|
2016-12-13 23:21:14 -08:00
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
_, err = a.resolveToken("yep")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrNotFound(err) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Page it back in with a new tag and different policy
|
|
|
|
m.getPolicyFn = func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
*reply = structs.ACLPolicy{
|
|
|
|
ETag: "hash2",
|
|
|
|
Parent: "deny",
|
|
|
|
Policy: &rawacl.Policy{
|
|
|
|
Agents: []*rawacl.AgentPolicy{
|
|
|
|
&rawacl.AgentPolicy{
|
2017-09-25 20:40:42 +02:00
|
|
|
Node: a.config.NodeName,
|
2016-12-13 23:21:14 -08:00
|
|
|
Policy: "write",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
TTL: 10 * time.Millisecond,
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
rule, err = a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule == nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule.NodeRead("nope") {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait for the TTL to expire and try again. This will match the tag
|
|
|
|
// and not send the policy back, but we should have the old token
|
|
|
|
// behavior.
|
|
|
|
time.Sleep(20 * time.Millisecond)
|
|
|
|
var didRefresh bool
|
|
|
|
m.getPolicyFn = func(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
*reply = structs.ACLPolicy{
|
|
|
|
ETag: "hash2",
|
|
|
|
TTL: 10 * time.Millisecond,
|
|
|
|
}
|
|
|
|
didRefresh = true
|
|
|
|
return nil
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
rule, err = a.resolveToken("yep")
|
2016-12-13 23:21:14 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule == nil {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should not be nil")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentRead(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-09-25 20:40:42 +02:00
|
|
|
if !rule.AgentWrite(a.config.NodeName) {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should allow")
|
|
|
|
}
|
2017-08-23 16:52:48 +02:00
|
|
|
if rule.NodeRead("nope") {
|
2016-12-13 23:21:14 -08:00
|
|
|
t.Fatalf("should deny")
|
|
|
|
}
|
|
|
|
if !didRefresh {
|
|
|
|
t.Fatalf("should refresh")
|
|
|
|
}
|
|
|
|
}
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
// catalogPolicy supplies some standard policies to help with testing the
|
|
|
|
// catalog-related vet and filter functions.
|
|
|
|
func catalogPolicy(req *structs.ACLPolicyRequest, reply *structs.ACLPolicy) error {
|
|
|
|
reply.Policy = &rawacl.Policy{}
|
|
|
|
|
|
|
|
switch req.ACL {
|
|
|
|
|
|
|
|
case "node-ro":
|
|
|
|
reply.Policy.Nodes = append(reply.Policy.Nodes,
|
|
|
|
&rawacl.NodePolicy{Name: "Node", Policy: "read"})
|
|
|
|
|
|
|
|
case "node-rw":
|
|
|
|
reply.Policy.Nodes = append(reply.Policy.Nodes,
|
|
|
|
&rawacl.NodePolicy{Name: "Node", Policy: "write"})
|
|
|
|
|
|
|
|
case "service-ro":
|
|
|
|
reply.Policy.Services = append(reply.Policy.Services,
|
|
|
|
&rawacl.ServicePolicy{Name: "service", Policy: "read"})
|
|
|
|
|
|
|
|
case "service-rw":
|
|
|
|
reply.Policy.Services = append(reply.Policy.Services,
|
|
|
|
&rawacl.ServicePolicy{Name: "service", Policy: "write"})
|
|
|
|
|
|
|
|
case "other-rw":
|
|
|
|
reply.Policy.Services = append(reply.Policy.Services,
|
|
|
|
&rawacl.ServicePolicy{Name: "other", Policy: "write"})
|
|
|
|
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unknown token %q", req.ACL)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_vetServiceRegister(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new service, with permission.
|
2017-05-21 09:11:09 +02:00
|
|
|
err := a.vetServiceRegister("service-rw", &structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new service without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetServiceRegister("service-ro", &structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Try to register over a service without write privs to the existing
|
|
|
|
// service.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddService(&structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "other",
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetServiceRegister("service-rw", &structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_vetServiceUpdate(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update a service that doesn't exist.
|
2017-05-21 09:11:09 +02:00
|
|
|
err := a.vetServiceUpdate("service-rw", "my-service")
|
2016-12-14 19:28:09 -08:00
|
|
|
if err == nil || !strings.Contains(err.Error(), "Unknown service") {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update with write privs.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddService(&structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetServiceUpdate("service-rw", "my-service")
|
2016-12-14 19:28:09 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetServiceUpdate("service-ro", "my-service")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_vetCheckRegister(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new service check with write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err := a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "service",
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new service check without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckRegister("service-ro", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "service",
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new node check with write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckRegister("node-rw", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a new node check without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckRegister("node-ro", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Try to register over a service check without write privs to the
|
|
|
|
// existing service.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddService(&structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
}, "")
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddCheck(&structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "other",
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "service",
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Try to register over a node check without write privs to the node.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddCheck(&structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-node-check"),
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckRegister("service-rw", &structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-node-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "service",
|
|
|
|
})
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_vetCheckUpdate(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update a check that doesn't exist.
|
2017-05-21 09:11:09 +02:00
|
|
|
err := a.vetCheckUpdate("node-rw", "my-check")
|
2016-12-14 19:28:09 -08:00
|
|
|
if err == nil || !strings.Contains(err.Error(), "Unknown check") {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update service check with write privs.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddService(&structs.NodeService{
|
2016-12-14 19:28:09 -08:00
|
|
|
ID: "my-service",
|
|
|
|
Service: "service",
|
|
|
|
}, "")
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddCheck(&structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-service-check"),
|
|
|
|
ServiceID: "my-service",
|
|
|
|
ServiceName: "service",
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckUpdate("service-rw", "my-service-check")
|
2016-12-14 19:28:09 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update service check without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckUpdate("service-ro", "my-service-check")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update node check with write privs.
|
2017-10-23 10:08:34 +02:00
|
|
|
a.state.AddCheck(&structs.HealthCheck{
|
2016-12-14 19:28:09 -08:00
|
|
|
CheckID: types.CheckID("my-node-check"),
|
|
|
|
}, "")
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckUpdate("node-rw", "my-node-check")
|
2016-12-14 19:28:09 -08:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update without write privs.
|
2017-05-21 09:11:09 +02:00
|
|
|
err = a.vetCheckUpdate("node-ro", "my-node-check")
|
2017-08-23 16:52:48 +02:00
|
|
|
if !rawacl.IsErrPermissionDenied(err) {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_filterMembers(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var members []serf.Member
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterMembers("node-ro", &members); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if len(members) != 0 {
|
|
|
|
t.Fatalf("bad: %#v", members)
|
|
|
|
}
|
|
|
|
|
|
|
|
members = []serf.Member{
|
|
|
|
serf.Member{Name: "Node 1"},
|
|
|
|
serf.Member{Name: "Nope"},
|
|
|
|
serf.Member{Name: "Node 2"},
|
|
|
|
}
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterMembers("node-ro", &members); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if len(members) != 2 ||
|
|
|
|
members[0].Name != "Node 1" ||
|
|
|
|
members[1].Name != "Node 2" {
|
|
|
|
t.Fatalf("bad: %#v", members)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_filterServices(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
services := make(map[string]*structs.NodeService)
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterServices("node-ro", &services); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
services["my-service"] = &structs.NodeService{ID: "my-service", Service: "service"}
|
|
|
|
services["my-other"] = &structs.NodeService{ID: "my-other", Service: "other"}
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterServices("service-ro", &services); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if _, ok := services["my-service"]; !ok {
|
|
|
|
t.Fatalf("bad: %#v", services)
|
|
|
|
}
|
|
|
|
if _, ok := services["my-other"]; ok {
|
|
|
|
t.Fatalf("bad: %#v", services)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestACL_filterChecks(t *testing.T) {
|
2017-05-21 09:54:40 +02:00
|
|
|
t.Parallel()
|
2017-09-25 20:40:42 +02:00
|
|
|
a := NewTestAgent(t.Name(), TestACLConfig()+`
|
|
|
|
acl_enforce_version_8 = true
|
|
|
|
`)
|
2017-05-21 09:11:09 +02:00
|
|
|
defer a.Shutdown()
|
2016-12-14 19:28:09 -08:00
|
|
|
|
|
|
|
m := MockServer{catalogPolicy}
|
2017-06-19 16:36:09 +02:00
|
|
|
if err := a.registerEndpoint("ACL", &m); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
checks := make(map[types.CheckID]*structs.HealthCheck)
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterChecks("node-ro", &checks); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
checks["my-node"] = &structs.HealthCheck{}
|
|
|
|
checks["my-service"] = &structs.HealthCheck{ServiceName: "service"}
|
|
|
|
checks["my-other"] = &structs.HealthCheck{ServiceName: "other"}
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterChecks("service-ro", &checks); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-node"]; ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-service"]; !ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-other"]; ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
|
|
|
|
checks["my-node"] = &structs.HealthCheck{}
|
|
|
|
checks["my-service"] = &structs.HealthCheck{ServiceName: "service"}
|
|
|
|
checks["my-other"] = &structs.HealthCheck{ServiceName: "other"}
|
2017-05-21 09:11:09 +02:00
|
|
|
if err := a.filterChecks("node-ro", &checks); err != nil {
|
2016-12-14 19:28:09 -08:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-node"]; !ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-service"]; ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
if _, ok := checks["my-other"]; ok {
|
|
|
|
t.Fatalf("bad: %#v", checks)
|
|
|
|
}
|
|
|
|
}
|