diff --git a/command/agent/keyring_test.go b/command/agent/keyring_test.go
index 558c71f5dc..f364b6fa86 100644
--- a/command/agent/keyring_test.go
+++ b/command/agent/keyring_test.go
@@ -5,7 +5,10 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
+
+	"github.com/hashicorp/consul/testutil"
 )
 
 func TestAgent_LoadKeyrings(t *testing.T) {
@@ -113,3 +116,66 @@ func TestAgent_InitKeyring(t *testing.T) {
 		t.Fatalf("bad: %s", content)
 	}
 }
+
+func TestAgentKeyring_ACL(t *testing.T) {
+	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
+	key2 := "4leC33rgtXKIVUr9Nr0snQ=="
+
+	conf := nextConfig()
+	conf.ACLDatacenter = "dc1"
+	conf.ACLMasterToken = "root"
+	conf.ACLDefaultPolicy = "deny"
+	dir, agent := makeAgentKeyring(t, conf, key1)
+	defer os.RemoveAll(dir)
+	defer agent.Shutdown()
+
+	testutil.WaitForLeader(t, agent.RPC, "dc1")
+
+	// List keys without access fails
+	_, err := agent.ListKeys("")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// List keys with access works
+	_, err = agent.ListKeys("root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Install without access fails
+	_, err = agent.InstallKey(key2, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Install with access works
+	_, err = agent.InstallKey(key2, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Use without access fails
+	_, err = agent.UseKey(key2, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Use with access works
+	_, err = agent.UseKey(key2, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Remove without access fails
+	_, err = agent.RemoveKey(key1, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Remove with access works
+	_, err = agent.RemoveKey(key1, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}
diff --git a/command/agent/rpc_client_test.go b/command/agent/rpc_client_test.go
index 48d8335649..31ad1ee03b 100644
--- a/command/agent/rpc_client_test.go
+++ b/command/agent/rpc_client_test.go
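Review bot: The denied cases at `agent.InstallKey(key2, "")` and `agent.RemoveKey(key1, "")` only assert that an error containing "denied" comes back; they never confirm the keyring was left unchanged, so a handler that applied the mutation and then returned the ACL error would still pass. After each denied mutation, list the keys with the `"root"` token and assert that key2 is still absent (respectively that key1 is still present); the return type of `agent.ListKeys` is not visible in this hunk, so the exact assertion depends on that response shape. The denied checks also exercise only the anonymous token (`""`), which is governed by `ACLDefaultPolicy = "deny"`; if a non-empty unknown token takes a different code path, one extra case such as `agent.ListKeys("nope")` expecting the same denied error would cover it. A doc comment above the function, e.g. `// TestAgentKeyring_ACL verifies that keyring operations are refused under a deny default policy unless a token with access is supplied.`, would state the intent for readers.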
@@ -361,7 +361,7 @@ func TestRPCClientInstallKey(t *testing.T) {
 	})
 
 	// install key2
-	r, err := p1.client.InstallKey(key2)
+	r, err := p1.client.InstallKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -391,7 +391,7 @@ func TestRPCClientUseKey(t *testing.T) {
 	defer p1.Close()
 
 	// add a second key to the ring
-	r, err := p1.client.InstallKey(key2)
+	r, err := p1.client.InstallKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -412,21 +412,21 @@ func TestRPCClientUseKey(t *testing.T) {
 	})
 
 	// can't remove key1 yet
-	r, err = p1.client.RemoveKey(key1)
+	r, err = p1.client.RemoveKey(key1, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	keyringError(t, r)
 
 	// change primary key
-	r, err = p1.client.UseKey(key2)
+	r, err = p1.client.UseKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	keyringSuccess(t, r)
 
 	// can remove key1 now
-	r, err = p1.client.RemoveKey(key1)
+	r, err = p1.client.RemoveKey(key1, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -437,7 +437,7 @@ func TestRPCClientKeyOperation_encryptionDisabled(t *testing.T) {
 	p1 := testRPCClient(t)
 	defer p1.Close()
 
-	r, err := p1.client.ListKeys()
+	r, err := p1.client.ListKeys("")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -445,7 +445,7 @@ func TestRPCClientKeyOperation_encryptionDisabled(t *testing.T) {
 }
 
 func listKeys(t *testing.T, c *RPCClient) map[string]map[string]int {
-	resp, err := c.ListKeys("")
+	resp, err := c.ListKeys("")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
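Review bot: Every updated call site in this file passes the empty token (`r, err := p1.client.InstallKey(key2, "")` here, and likewise the `InstallKey`, `UseKey`, `RemoveKey` and `ListKeys` calls in the hunks at -391, -412, -437 and -445), so nothing in this file checks that a non-empty token handed to the RPC client is actually forwarded to the agent; ACL enforcement is exercised only at the agent layer in keyring_test.go. One case that calls, say, `p1.client.ListKeys("root")` against a client whose agent runs with ACLs enabled would close that gap, assuming `testRPCClient` can be configured that way — its setup is not visible in these hunks. The bare `""` argument is also unexplained at each site; a one-line comment on the first call in each test, such as `// "" = anonymous token`, would tell a reader what the new parameter means. The enclosing test functions begin outside the hunks.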