agent: testing keyring ACLs

command/agent/keyring_test.go

@@ -5,7 +5,10 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
+
+	"github.com/hashicorp/consul/testutil"
 )
 
 func TestAgent_LoadKeyrings(t *testing.T) {
@@ -113,3 +116,66 @@ func TestAgent_InitKeyring(t *testing.T) {
 		t.Fatalf("bad: %s", content)
 	}
 }
+
+func TestAgentKeyring_ACL(t *testing.T) {
+	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
+	key2 := "4leC33rgtXKIVUr9Nr0snQ=="
+
+	conf := nextConfig()
+	conf.ACLDatacenter = "dc1"
+	conf.ACLMasterToken = "root"
+	conf.ACLDefaultPolicy = "deny"
+	dir, agent := makeAgentKeyring(t, conf, key1)
+	defer os.RemoveAll(dir)
+	defer agent.Shutdown()
+
+	testutil.WaitForLeader(t, agent.RPC, "dc1")
+
+	// List keys without access fails
+	_, err := agent.ListKeys("")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// List keys with access works
+	_, err = agent.ListKeys("root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Install without access fails
+	_, err = agent.InstallKey(key2, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Install with access works
+	_, err = agent.InstallKey(key2, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Use without access fails
+	_, err = agent.UseKey(key2, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Use with access works
+	_, err = agent.UseKey(key2, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	// Remove without access fails
+	_, err = agent.RemoveKey(key1, "")
+	if err == nil || !strings.Contains(err.Error(), "denied") {
+		t.Fatalf("expected denied error, got: %#v", err)
+	}
+
+	// Remove with access works
+	_, err = agent.RemoveKey(key1, "root")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+}

command/agent/rpc_client_test.go

@@ -361,7 +361,7 @@ func TestRPCClientInstallKey(t *testing.T) {
 	})
 
 	// install key2
-	r, err := p1.client.InstallKey(key2)
+	r, err := p1.client.InstallKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -391,7 +391,7 @@ func TestRPCClientUseKey(t *testing.T) {
 	defer p1.Close()
 
 	// add a second key to the ring
-	r, err := p1.client.InstallKey(key2)
+	r, err := p1.client.InstallKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -412,21 +412,21 @@ func TestRPCClientUseKey(t *testing.T) {
 	})
 
 	// can't remove key1 yet
-	r, err = p1.client.RemoveKey(key1)
+	r, err = p1.client.RemoveKey(key1, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	keyringError(t, r)
 
 	// change primary key
-	r, err = p1.client.UseKey(key2)
+	r, err = p1.client.UseKey(key2, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	keyringSuccess(t, r)
 
 	// can remove key1 now
-	r, err = p1.client.RemoveKey(key1)
+	r, err = p1.client.RemoveKey(key1, "")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -437,7 +437,7 @@ func TestRPCClientKeyOperation_encryptionDisabled(t *testing.T) {
 	p1 := testRPCClient(t)
 	defer p1.Close()
 
-	r, err := p1.client.ListKeys()
+	r, err := p1.client.ListKeys("")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@@ -445,7 +445,7 @@ func TestRPCClientKeyOperation_encryptionDisabled(t *testing.T) {
 }
 
 func listKeys(t *testing.T, c *RPCClient) map[string]map[string]int {
-	resp, err := c.ListKeys()
+	resp, err := c.ListKeys("")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}