package agent
import (
"fmt"
"io"
"testing"
"time"
"github.com/armon/go-metrics"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/config"
"github.com/hashicorp/consul/agent/consul"
"github.com/hashicorp/consul/agent/local"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/lib"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/types"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/serf/serf"
"github.com/stretchr/testify/require"
)
type TestACLAgent struct {
	// Name is an optional name of the agent. NewTestACLAgent also uses it
	// as the logger name and as the name of the HCL config source.
	Name string

	// HCL is the agent configuration in HCL form. NewTestACLAgent layers it
	// on top of TestConfig() as a config.Source named after Name.
	HCL string

	// Config is the agent configuration. If Config is nil then
	// TestConfig() is used. If Config.DataDir is set then it is
	// the callers responsibility to clean up the data directory.
	// Otherwise, a temporary data directory is created and removed
	// when Shutdown() is called.
	// NOTE(review): within this file NewTestACLAgent always populates
	// Config itself, and the Shutdown method below is a stub that only
	// returns an error, so the cleanup described above does not happen
	// for a TestACLAgent — confirm before relying on it.
	Config *config.RuntimeConfig

	// LogOutput is the sink for the logs. If nil, logs are written
	// to os.Stderr.
	// NOTE(review): NewTestACLAgent assigns the log sink to the embedded
	// Agent's LogOutput field, not to this one, which shadows it.
	LogOutput io.Writer

	// DataDir is the data directory which is used when Config.DataDir
	// is not set. It is created automatically and removed when
	// Shutdown() is called.
	// NOTE(review): nothing in this file reads or sets DataDir.
	DataDir string

	// resolveTokenFn is the test-supplied token resolver. It backs
	// ResolveToken, ResolveTokenToIdentityAndAuthorizer and
	// ResolveIdentityFromToken, which panic if it is nil; it is how each
	// test decides which identity and authorizer a secret maps to.
	resolveTokenFn func(string) (structs.ACLIdentity, acl.Authorizer, error)

	// The real agent built by NewTestACLAgent. Its ACL delegate is pointed
	// back at this TestACLAgent so token resolution stays under test control.
	*Agent
}
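// NewTestACLAgent does just enough so that all the code within agent/acl.go can work.
// Basically it needs a local state for some of the vet* functions, a logger and a delegate.
// The key is that we are the delegate so we can control the ResolveToken responses.
//
// name is used as the logger name and as the name of the HCL config source.
// hcl is the agent configuration layered on top of TestConfig().
// resolveFn backs every ResolveToken* method of the returned agent and must
// be non-nil before any of them is called (they panic otherwise).
// A failure to construct the underlying Agent ends the calling test via
// t.Fatalf instead of panicking, so the failure is attributed to the test
// that asked for the agent.
func NewTestACLAgent(t *testing.T, name string, hcl string, resolveFn func(string) (structs.ACLIdentity, acl.Authorizer, error)) *TestACLAgent {
	t.Helper()

	a := &TestACLAgent{Name: name, HCL: hcl, resolveTokenFn: resolveFn}

	// The data_dir is supplied as its own config source, after the caller's HCL.
	hclDataDir := `data_dir = "acl-agent"`

	// Agent logs go to the test's writer rather than stderr.
	logOutput := testutil.TestWriter(t)
	logger := hclog.NewInterceptLogger(&hclog.LoggerOptions{
		Name:   a.Name,
		Level:  hclog.Debug,
		Output: logOutput,
	})

	a.Config = TestConfig(logger,
		config.Source{Name: a.Name, Format: "hcl", Data: a.HCL},
		config.Source{Name: a.Name + ".data_dir", Format: "hcl", Data: hclDataDir},
	)

	agent, err := New(a.Config, logger)
	if err != nil {
		t.Fatalf("creating agent: %v", err)
	}
	a.Agent = agent

	agent.LogOutput = logOutput
	agent.logger = logger
	agent.MemSink = metrics.NewInmemSink(1*time.Second, time.Minute)

	// We are the delegate: every ACL resolution the agent performs comes
	// back through the ResolveToken* methods of TestACLAgent.
	a.Agent.delegate = a
	// The vet*/filter* helpers consult local state for existing services
	// and checks; the sync trigger is replaced with a no-op.
	a.Agent.State = local.NewState(LocalConfig(a.Config), a.Agent.logger, a.Agent.tokens)
	a.Agent.State.TriggerSyncChanges = func() {}
	return a
}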
// ACLsEnabled reports ACLs as always enabled: the whole point of this
// delegate is to exercise the ACL code paths.
func (a *TestACLAgent) ACLsEnabled() bool {
	const alwaysEnabled = true
	return alwaysEnabled
}
// UseLegacyACLs always answers false; the tests in this file target the
// non-legacy ACL resolution path.
func (a *TestACLAgent) UseLegacyACLs() bool {
	const legacy = false
	return legacy
}
// ResolveToken resolves secretID through the test-supplied resolver and
// returns only the authorizer half of the result. The error (and any
// authorizer returned alongside it) is passed through untouched.
// Panics if no resolver was provided.
func (a *TestACLAgent) ResolveToken(secretID string) (acl.Authorizer, error) {
	// Same nil-resolver check and panic as the identity-returning variant.
	_, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
	return authz, err
}
// ResolveTokenToIdentityAndAuthorizer hands secretID to the test-supplied
// resolver and returns its identity, authorizer and error as-is.
// Panics if no resolver was provided.
func (a *TestACLAgent) ResolveTokenToIdentityAndAuthorizer(secretID string) (structs.ACLIdentity, acl.Authorizer, error) {
	resolve := a.resolveTokenFn
	if resolve == nil {
		panic("This agent is useless without providing a token resolution function")
	}
	return resolve(secretID)
}
// ResolveTokenAndDefaultMeta resolves secretID, then fills in entMeta and
// authzContext from the resolved identity. On a resolution error no
// authorizer is returned and entMeta/authzContext are left untouched.
func (a *TestACLAgent) ResolveTokenAndDefaultMeta(secretID string, entMeta *structs.EnterpriseMeta, authzContext *acl.AuthorizerContext) (acl.Authorizer, error) {
	identity, authz, err := a.ResolveTokenToIdentityAndAuthorizer(secretID)
	if err != nil {
		return nil, err
	}

	// An unknown identity falls back to the default enterprise meta;
	// otherwise the token's own meta is merged in.
	switch {
	case identity != nil:
		entMeta.Merge(identity.EnterpriseMetadata())
	default:
		entMeta.Merge(structs.DefaultEnterpriseMeta())
	}

	// The merged meta populates the authorization context used by callers.
	entMeta.FillAuthzContext(authzContext)

	return authz, nil
}
// ResolveIdentityFromToken resolves secretID and returns only the identity.
// The leading bool is always true here; on error the identity is nil.
// Panics if no resolver was provided.
func (a *TestACLAgent) ResolveIdentityFromToken(secretID string) (bool, structs.ACLIdentity, error) {
	if a.resolveTokenFn == nil {
		panic("This agent is useless without providing a token resolution function")
	}

	identity, _, err := a.resolveTokenFn(secretID)
	if err != nil {
		// Never hand back a partially resolved identity with an error.
		identity = nil
	}
	return true, identity, err
}
// All of these are stubs to satisfy the interface

// GetLANCoordinate is not implemented for the ACL test agent.
func (a *TestACLAgent) GetLANCoordinate() (lib.CoordinateSet, error) {
	err := fmt.Errorf("Unimplemented")
	return nil, err
}
// Leave is not implemented for the ACL test agent.
func (a *TestACLAgent) Leave() error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// LANMembers reports no members; the ACL test agent has no gossip pool.
func (a *TestACLAgent) LANMembers() []serf.Member {
	var none []serf.Member
	return none
}
// LANMembersAllSegments is not implemented for the ACL test agent.
func (a *TestACLAgent) LANMembersAllSegments() ([]serf.Member, error) {
	err := fmt.Errorf("Unimplemented")
	return nil, err
}
// LANSegmentMembers is not implemented for the ACL test agent.
func (a *TestACLAgent) LANSegmentMembers(segment string) ([]serf.Member, error) {
	err := fmt.Errorf("Unimplemented")
	return nil, err
}
// LocalMember returns an empty member; the ACL test agent has no gossip identity.
func (a *TestACLAgent) LocalMember() serf.Member {
	var self serf.Member
	return self
}
// JoinLAN is not implemented for the ACL test agent; it joins nothing.
func (a *TestACLAgent) JoinLAN(addrs []string) (n int, err error) {
	err = fmt.Errorf("Unimplemented")
	return
}
// RemoveFailedNode is not implemented for the ACL test agent.
func (a *TestACLAgent) RemoveFailedNode(node string, prune bool) error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// RPC is not implemented for the ACL test agent; no request ever leaves the process.
func (a *TestACLAgent) RPC(method string, args interface{}, reply interface{}) error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// SnapshotRPC is not implemented for the ACL test agent.
func (a *TestACLAgent) SnapshotRPC(args *structs.SnapshotRequest, in io.Reader, out io.Writer, replyFn structs.SnapshotReplyFn) error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// Shutdown is not implemented for the ACL test agent; note that this means
// no data directory cleanup happens through this method.
func (a *TestACLAgent) Shutdown() error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// Stats reports no statistics for the ACL test agent.
func (a *TestACLAgent) Stats() map[string]map[string]string {
	var none map[string]map[string]string
	return none
}
// ReloadConfig is not implemented for the ACL test agent.
func (a *TestACLAgent) ReloadConfig(config *consul.Config) error {
	err := fmt.Errorf("Unimplemented")
	return err
}
// TestACL_Version8 pins how acl_enforce_version_8 changes agent-level token
// resolution: with it off the delegate is never consulted and no authorizer
// or error comes back; with it on the delegate is consulted and its error is
// surfaced to the caller.
func TestACL_Version8(t *testing.T) {
	t.Parallel()

	t.Run("version 8 disabled", func(t *testing.T) {
		// Any call into the resolver is itself a failure in this mode.
		neverCalled := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
			require.Fail(t, "should not have called delegate.ResolveToken")
			return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
		}

		a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
acl_enforce_version_8 = false
`, neverCalled)

		// Nil authorizer and nil error: the agent-level check is skipped entirely.
		authz, err := a.resolveToken("nope")
		require.Nil(t, authz)
		require.Nil(t, err)
	})

	t.Run("version 8 enabled", func(t *testing.T) {
		delegateCalled := false
		notFound := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
			delegateCalled = true
			return nil, nil, acl.ErrNotFound
		}
		a := NewTestACLAgent(t, t.Name(), TestACLConfig()+`
acl_enforce_version_8 = true
`, notFound)

		// The lookup reaches the delegate and its not-found error is surfaced.
		_, err := a.resolveToken("nope")
		require.Error(t, err)
		require.True(t, delegateCalled)
	})
}
// TestACL_AgentMasterToken checks that the agent master token ("towel" under
// TestACLConfig — see that helper) is resolved without consulting the
// delegate, and that the resulting authorizer is scoped to this agent's own
// endpoints plus node reads, with node writes denied.
func TestACL_AgentMasterToken(t *testing.T) {
	t.Parallel()

	neverCalled := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
		require.Fail(t, "should not have called delegate.ResolveToken")
		return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
	}

	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), neverCalled)
	a.loadTokens(a.config)
	authz, err := a.resolveToken("towel")
	require.NotNil(t, authz)
	require.Nil(t, err)

	node := a.config.NodeName
	require.Equal(t, acl.Allow, authz.AgentRead(node, nil))
	require.Equal(t, acl.Allow, authz.AgentWrite(node, nil))
	require.Equal(t, acl.Allow, authz.NodeRead("foobarbaz", nil))
	require.Equal(t, acl.Deny, authz.NodeWrite("foobarbaz", nil))
}
// TestACL_RootAuthorizersDenied verifies that the built-in root policy names
// are rejected outright at the agent (acl.IsErrRootDenied) before the
// delegate is ever asked to resolve them.
func TestACL_RootAuthorizersDenied(t *testing.T) {
	t.Parallel()

	neverCalled := func(string) (structs.ACLIdentity, acl.Authorizer, error) {
		require.Fail(t, "should not have called delegate.ResolveToken")
		return nil, nil, fmt.Errorf("should not have called delegate.ResolveToken")
	}

	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), neverCalled)

	// Same expectation for every root policy name, in the original order.
	for _, root := range []string{"deny", "allow", "manage"} {
		authz, err := a.resolveToken(root)
		require.Nil(t, authz)
		require.Error(t, err)
		require.True(t, acl.IsErrRootDenied(err))
	}
}
// authzFromPolicy builds an authorizer for a single policy on top of a
// deny-all default, so anything the policy does not grant is denied.
func authzFromPolicy(policy *acl.Policy, cfg *acl.Config) (acl.Authorizer, error) {
	policies := []*acl.Policy{policy}
	return acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), policies, cfg)
}
// testToken pairs a fixture ACL token with the policy rules that
// catalogPolicy compiles into its authorizer.
type testToken struct {
	// token is returned (by address) as the identity for the secret.
	token structs.ACLToken
	// yes the rules can exist on the token itself but that is legacy behavior
	// that I would prefer these tests not rely on
	rules string
}
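// Fixture secrets and the tokens they resolve to under catalogPolicy. Each
// entry's SecretID must equal its map key, since the identity handed back
// to the code under test is the token stored here.
var (
	nodeROSecret    = "7e80d017-bccc-492f-8dec-65f03aeaebf3"
	nodeRWSecret    = "e3586ee5-02a2-4bf4-9ec3-9c4be7606e8c"
	serviceROSecret = "3d2c8552-df3b-4da7-9890-36885cbf56ac"
	serviceRWSecret = "4a1017a2-f788-4be3-93f2-90566f1340bb"
	otherRWSecret   = "a38e8016-91b6-4876-b3e7-a307abbb2002"

	testTokens = map[string]testToken{
		nodeROSecret: {
			token: structs.ACLToken{
				AccessorID: "9df2d1a4-2d07-414e-8ead-6053f56ed2eb",
				SecretID:   nodeROSecret,
			},
			rules: `node_prefix "Node" { policy = "read" }`,
		},
		nodeRWSecret: {
			token: structs.ACLToken{
				AccessorID: "efb6b7d5-d343-47c1-b4cb-aa6b94d2f490",
				// Was nodeROSecret: the RW token carried the RO token's secret.
				SecretID: nodeRWSecret,
			},
			rules: `node_prefix "Node" { policy = "write" }`,
		},
		serviceROSecret: {
			token: structs.ACLToken{
				AccessorID: "0da53edb-36e5-4603-9c31-79965bad45f5",
				SecretID:   serviceROSecret,
			},
			rules: `service_prefix "service" { policy = "read" }`,
		},
		serviceRWSecret: {
			token: structs.ACLToken{
				AccessorID: "52504258-137a-41e6-9326-01f40e80872e",
				SecretID:   serviceRWSecret,
			},
			rules: `service_prefix "service" { policy = "write" }`,
		},
		otherRWSecret: {
			token: structs.ACLToken{
				AccessorID: "5e032c5b-c39e-4552-b5ad-8a9365b099c4",
				SecretID:   otherRWSecret,
			},
			rules: `service_prefix "other" { policy = "write" }`,
		},
	}
)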
// catalogPolicy is the token resolver used by the vet*/filter* tests. It
// maps a fixture secret to its token (as the identity) and to an authorizer
// compiled from the fixture's rules on a deny-all base. Unknown secrets are
// reported as acl.ErrNotFound rather than as some permissive default.
func catalogPolicy(token string) (structs.ACLIdentity, acl.Authorizer, error) {
	entry, known := testTokens[token]
	if !known {
		return nil, nil, acl.ErrNotFound
	}

	policy, err := acl.NewPolicyFromSource("", 0, entry.rules, acl.SyntaxCurrent, nil, nil)
	if err != nil {
		return nil, nil, err
	}

	// entry is a local copy, so the returned identity is a pointer to that
	// copy, not into the map.
	authz, err := authzFromPolicy(policy, nil)
	return &entry.token, authz, err
}
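// TestACL_vetServiceRegister checks the write-permission rules for registering
// a service: the token needs service:write on the new name, and when a
// service with the same ID already exists, also on the existing name.
// Errors from seeding local state are now checked so that a failed seed
// cannot silently turn the overwrite case into a plain-register case.
func TestACL_vetServiceRegister(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// Register a new service, with permission.
	err := a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
		ID:      "my-service",
		Service: "service",
	})
	require.NoError(t, err)

	// Register a new service without write privs.
	err = a.vetServiceRegister(serviceROSecret, &structs.NodeService{
		ID:      "my-service",
		Service: "service",
	})
	require.True(t, acl.IsErrPermissionDenied(err))

	// Try to register over a service without write privs to the existing
	// service. The existing service must actually be in local state for
	// this case to mean anything, so the seed is checked.
	require.NoError(t, a.State.AddService(&structs.NodeService{
		ID:      "my-service",
		Service: "other",
	}, ""))
	err = a.vetServiceRegister(serviceRWSecret, &structs.NodeService{
		ID:      "my-service",
		Service: "service",
	})
	require.True(t, acl.IsErrPermissionDenied(err))
}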
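// TestACL_vetServiceUpdate checks that updating a service requires it to
// exist in local state and requires service:write on it. The seed of local
// state is now error-checked so the "with write privs" case cannot pass or
// fail for the wrong reason.
func TestACL_vetServiceUpdate(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// Update a service that doesn't exist.
	err := a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
	require.Error(t, err)
	require.Contains(t, err.Error(), "Unknown service")

	// Update with write privs.
	require.NoError(t, a.State.AddService(&structs.NodeService{
		ID:      "my-service",
		Service: "service",
	}, ""))
	err = a.vetServiceUpdate(serviceRWSecret, structs.NewServiceID("my-service", nil))
	require.NoError(t, err)

	// Update without write privs.
	err = a.vetServiceUpdate(serviceROSecret, structs.NewServiceID("my-service", nil))
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))
}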
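// TestACL_vetCheckRegister covers the permission rules for registering a
// health check: a service check needs service:write on its service, a node
// check needs node:write, and registering over an existing check also needs
// write on whatever that existing check belongs to. Every seed of local
// state is now error-checked so the overwrite cases are known to exercise
// the "existing check" branch.
func TestACL_vetCheckRegister(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// Register a new service check with write privs.
	err := a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
		CheckID:     types.CheckID("my-check"),
		ServiceID:   "my-service",
		ServiceName: "service",
	})
	require.NoError(t, err)

	// Register a new service check without write privs.
	err = a.vetCheckRegister(serviceROSecret, &structs.HealthCheck{
		CheckID:     types.CheckID("my-check"),
		ServiceID:   "my-service",
		ServiceName: "service",
	})
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))

	// Register a new node check with write privs.
	err = a.vetCheckRegister(nodeRWSecret, &structs.HealthCheck{
		CheckID: types.CheckID("my-check"),
	})
	require.NoError(t, err)

	// Register a new node check without write privs.
	err = a.vetCheckRegister(nodeROSecret, &structs.HealthCheck{
		CheckID: types.CheckID("my-check"),
	})
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))

	// Try to register over a service check without write privs to the
	// existing service.
	require.NoError(t, a.State.AddService(&structs.NodeService{
		ID:      "my-service",
		Service: "service",
	}, ""))
	require.NoError(t, a.State.AddCheck(&structs.HealthCheck{
		CheckID:     types.CheckID("my-check"),
		ServiceID:   "my-service",
		ServiceName: "other",
	}, ""))
	err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
		CheckID:     types.CheckID("my-check"),
		ServiceID:   "my-service",
		ServiceName: "service",
	})
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))

	// Try to register over a node check without write privs to the node.
	require.NoError(t, a.State.AddCheck(&structs.HealthCheck{
		CheckID: types.CheckID("my-node-check"),
	}, ""))
	err = a.vetCheckRegister(serviceRWSecret, &structs.HealthCheck{
		CheckID:     types.CheckID("my-node-check"),
		ServiceID:   "my-service",
		ServiceName: "service",
	})
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))
}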
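// TestACL_vetCheckUpdate checks that updating a check requires it to exist
// in local state and requires write on its service (service check) or on
// the node (node check). Seeds of local state are now error-checked so each
// "with write privs" case is known to be updating a real check.
func TestACL_vetCheckUpdate(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// Update a check that doesn't exist.
	err := a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-check", nil))
	require.Error(t, err)
	require.Contains(t, err.Error(), "Unknown check")

	// Update service check with write privs.
	require.NoError(t, a.State.AddService(&structs.NodeService{
		ID:      "my-service",
		Service: "service",
	}, ""))
	require.NoError(t, a.State.AddCheck(&structs.HealthCheck{
		CheckID:     types.CheckID("my-service-check"),
		ServiceID:   "my-service",
		ServiceName: "service",
	}, ""))
	err = a.vetCheckUpdate(serviceRWSecret, structs.NewCheckID("my-service-check", nil))
	require.NoError(t, err)

	// Update service check without write privs.
	err = a.vetCheckUpdate(serviceROSecret, structs.NewCheckID("my-service-check", nil))
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err), "not permission denied: %s", err.Error())

	// Update node check with write privs.
	require.NoError(t, a.State.AddCheck(&structs.HealthCheck{
		CheckID: types.CheckID("my-node-check"),
	}, ""))
	err = a.vetCheckUpdate(nodeRWSecret, structs.NewCheckID("my-node-check", nil))
	require.NoError(t, err)

	// Update node check without write privs.
	err = a.vetCheckUpdate(nodeROSecret, structs.NewCheckID("my-node-check", nil))
	require.Error(t, err)
	require.True(t, acl.IsErrPermissionDenied(err))
}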
// TestACL_filterMembers verifies that filterMembers prunes, in place, every
// member whose name the token cannot read, keeping the survivors in their
// original order. The node-read fixture only covers names prefixed "Node".
func TestACL_filterMembers(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// Filtering a nil slice is a no-op.
	var members []serf.Member
	require.NoError(t, a.filterMembers(nodeROSecret, &members))
	require.Len(t, members, 0)

	members = []serf.Member{
		{Name: "Node 1"},
		{Name: "Nope"},
		{Name: "Node 2"},
	}
	require.NoError(t, a.filterMembers(nodeROSecret, &members))
	require.Len(t, members, 2)
	require.Equal(t, "Node 1", members[0].Name)
	require.Equal(t, "Node 2", members[1].Name)
}
// TestACL_filterServices verifies that filterServices removes, in place,
// every service the token lacks service:read on and keeps the rest.
func TestACL_filterServices(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	// An empty map filters cleanly.
	services := map[structs.ServiceID]*structs.NodeService{}
	require.NoError(t, a.filterServices(nodeROSecret, &services))

	mine := structs.NewServiceID("my-service", nil)
	theirs := structs.NewServiceID("my-other", nil)
	services[mine] = &structs.NodeService{ID: "my-service", Service: "service"}
	services[theirs] = &structs.NodeService{ID: "my-other", Service: "other"}

	// The service-read fixture only covers the "service" prefix.
	require.NoError(t, a.filterServices(serviceROSecret, &services))
	require.Contains(t, services, mine)
	require.NotContains(t, services, theirs)
}
// TestACL_filterChecks verifies that filterChecks prunes, in place, checks
// the token cannot read: a service-read token keeps only checks of services
// it can read (and drops node checks), while a node-read token keeps only
// node checks.
func TestACL_filterChecks(t *testing.T) {
	t.Parallel()
	a := NewTestACLAgent(t, t.Name(), TestACLConfig(), catalogPolicy)

	nodeCheck := structs.NewCheckID("my-node", nil)
	serviceCheck := structs.NewCheckID("my-service", nil)
	otherCheck := structs.NewCheckID("my-other", nil)

	// An empty map filters cleanly.
	checks := map[structs.CheckID]*structs.HealthCheck{}
	require.NoError(t, a.filterChecks(nodeROSecret, &checks))

	// The filter mutates the map, so the fixtures are re-seeded before each pass.
	seed := func() {
		checks[nodeCheck] = &structs.HealthCheck{}
		checks[serviceCheck] = &structs.HealthCheck{ServiceName: "service"}
		checks[otherCheck] = &structs.HealthCheck{ServiceName: "other"}
	}
	present := func(id structs.CheckID) bool {
		_, ok := checks[id]
		return ok
	}

	// Service-read token: only the readable service's check survives.
	seed()
	require.NoError(t, a.filterChecks(serviceROSecret, &checks))
	require.False(t, present(nodeCheck))
	require.True(t, present(serviceCheck))
	require.False(t, present(otherCheck))

	// Node-read token: only the node check survives.
	seed()
	require.NoError(t, a.filterChecks(nodeROSecret, &checks))
	require.True(t, present(nodeCheck))
	require.False(t, present(serviceCheck))
	require.False(t, present(otherCheck))
}