From f7f7c4695e2d7e546dad6e6f8f621967913fca1a Mon Sep 17 00:00:00 2001 From: Ryan Uber Date: Fri, 12 Jun 2015 15:59:18 -0700 Subject: [PATCH] agent: testing dns when acls are in use --- command/agent/dns_test.go | 179 +++++++++++++++++++++++++++----------- 1 file changed, 129 insertions(+), 50 deletions(-) diff --git a/command/agent/dns_test.go b/command/agent/dns_test.go index ec584a1cd2..46e0dd40f2 100644 --- a/command/agent/dns_test.go +++ b/command/agent/dns_test.go @@ -13,22 +13,38 @@ import ( "github.com/miekg/dns" ) -func makeDNSServer(t *testing.T, config *DNSConfig, recursor *dns.Server) (string, *DNSServer) { - if config == nil { - config = &DNSConfig{} +func makeDNSServer(t *testing.T) (string, *DNSServer) { + return makeDNSServerConfig(t, nil, nil) +} + +func makeDNSServerConfig( + t *testing.T, + agentFn func(c *Config), + dnsFn func(*DNSConfig)) (string, *DNSServer) { + // Create the configs and apply the functions + agentConf := nextConfig() + if agentFn != nil { + agentFn(agentConf) } - recursors := []string{} - if recursor != nil { - recursors = append(recursors, recursor.Addr) + dnsConf := &DNSConfig{} + if dnsFn != nil { + dnsFn(dnsConf) } - conf := nextConfig() - addr, _ := conf.ClientListener(conf.Addresses.DNS, conf.Ports.DNS) - dir, agent := makeAgent(t, conf) - server, err := NewDNSServer(agent, config, agent.logOutput, - conf.Domain, addr.String(), recursors) + + // Add in the recursor if any + if r := agentConf.DNSRecursor; r != "" { + agentConf.DNSRecursors = append(agentConf.DNSRecursors, r) + } + + // Start the server + addr, _ := agentConf.ClientListener(agentConf.Addresses.DNS, agentConf.Ports.DNS) + dir, agent := makeAgent(t, agentConf) + server, err := NewDNSServer(agent, dnsConf, agent.logOutput, + agentConf.Domain, addr.String(), agentConf.DNSRecursors) if err != nil { t.Fatalf("err: %v", err) } + return dir, server } @@ -90,7 +106,7 @@ func TestRecursorAddr(t *testing.T) { } func TestDNS_NodeLookup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -160,7 +176,7 @@ func TestDNS_NodeLookup(t *testing.T) { } func TestDNS_CaseInsensitiveNodeLookup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -194,7 +210,7 @@ func TestDNS_CaseInsensitiveNodeLookup(t *testing.T) { } func TestDNS_NodeLookup_PeriodName(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -236,7 +252,7 @@ func TestDNS_NodeLookup_PeriodName(t *testing.T) { } func TestDNS_NodeLookup_AAAA(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -287,7 +303,9 @@ func TestDNS_NodeLookup_CNAME(t *testing.T) { }) defer recursor.Shutdown() - dir, srv := makeDNSServer(t, nil, recursor) + dir, srv := makeDNSServerConfig(t, func(c *Config) { + c.DNSRecursor = recursor.Addr + }, nil) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -333,7 +351,7 @@ func TestDNS_NodeLookup_CNAME(t *testing.T) { } func TestDNS_ReverseLookup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -375,7 +393,7 @@ func TestDNS_ReverseLookup(t *testing.T) { } func TestDNS_ReverseLookup_CustomDomain(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() srv.domain = dns.Fqdn("custom") @@ -418,7 +436,7 @@ func TestDNS_ReverseLookup_CustomDomain(t *testing.T) { } func TestDNS_ReverseLookup_IPV6(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -460,7 +478,7 @@ func TestDNS_ReverseLookup_IPV6(t *testing.T) { } func TestDNS_ServiceLookup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -527,7 +545,7 @@ func TestDNS_ServiceLookup(t *testing.T) { } func TestDNS_ServiceLookup_ServiceAddress(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -595,7 +613,7 @@ func TestDNS_ServiceLookup_ServiceAddress(t *testing.T) { } func TestDNS_CaseInsensitiveServiceLookup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -634,7 +652,7 @@ func TestDNS_CaseInsensitiveServiceLookup(t *testing.T) { } func TestDNS_ServiceLookup_TagPeriod(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -695,7 +713,7 @@ func TestDNS_ServiceLookup_TagPeriod(t *testing.T) { } func TestDNS_ServiceLookup_Dedup(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -772,7 +790,7 @@ func TestDNS_ServiceLookup_Dedup(t *testing.T) { } func TestDNS_ServiceLookup_Dedup_SRV(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -880,7 +898,9 @@ func TestDNS_Recurse(t *testing.T) { recursor := makeRecursor(t, []dns.RR{dnsA("apple.com", "1.2.3.4")}) defer recursor.Shutdown() - dir, srv := makeDNSServer(t, nil, recursor) + dir, srv := makeDNSServerConfig(t, func(c *Config) { + c.DNSRecursor = recursor.Addr + }, nil) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -903,7 +923,7 @@ func TestDNS_Recurse(t *testing.T) { } func TestDNS_ServiceLookup_FilterCritical(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1034,7 +1054,9 @@ func TestDNS_ServiceLookup_FilterCritical(t *testing.T) { } func TestDNS_ServiceLookup_OnlyPassing(t *testing.T) { - dir, srv := makeDNSServer(t, &DNSConfig{OnlyPassing: true}, nil) + dir, srv := makeDNSServerConfig(t, nil, func(c *DNSConfig) { + c.OnlyPassing = true + }) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1150,7 +1172,7 @@ func TestDNS_ServiceLookup_OnlyPassing(t *testing.T) { } func TestDNS_ServiceLookup_Randomize(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1218,10 +1240,9 @@ func TestDNS_ServiceLookup_Randomize(t *testing.T) { } func TestDNS_ServiceLookup_Truncate(t *testing.T) { - config := &DNSConfig{ - EnableTruncate: true, - } - dir, srv := makeDNSServer(t, config, nil) + dir, srv := makeDNSServerConfig(t, nil, func(c *DNSConfig) { + c.EnableTruncate = true + }) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1269,7 +1290,9 @@ func TestDNS_ServiceLookup_CNAME(t *testing.T) { }) defer recursor.Shutdown() - dir, srv := makeDNSServer(t, nil, recursor) + dir, srv := makeDNSServerConfig(t, func(c *Config) { + c.DNSRecursor = recursor.Addr + }, nil) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1337,13 +1360,13 @@ func TestDNS_NodeLookup_TTL(t *testing.T) { }) defer recursor.Shutdown() - config := &DNSConfig{ - NodeTTL: 10 * time.Second, - AllowStale: true, - MaxStale: time.Second, - } - - dir, srv := makeDNSServer(t, config, recursor) + dir, srv := makeDNSServerConfig(t, func(c *Config) { + c.DNSRecursor = recursor.Addr + }, func(c *DNSConfig) { + c.NodeTTL = 10 * time.Second + c.AllowStale = true + c.MaxStale = time.Second + }) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1456,16 +1479,16 @@ func TestDNS_NodeLookup_TTL(t *testing.T) { } func TestDNS_ServiceLookup_TTL(t *testing.T) { - config := &DNSConfig{ - ServiceTTL: map[string]time.Duration{ + confFn := func(c *DNSConfig) { + c.ServiceTTL = map[string]time.Duration{ "db": 10 * time.Second, "*": 5 * time.Second, - }, - AllowStale: true, - MaxStale: time.Second, - } + } + c.AllowStale = true + c.MaxStale = time.Second - dir, srv := makeDNSServer(t, config, nil) + } + dir, srv := makeDNSServerConfig(t, nil, confFn) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1560,7 +1583,7 @@ func TestDNS_ServiceLookup_TTL(t *testing.T) { } func TestDNS_ServiceLookup_SRV_RFC(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1627,7 +1650,7 @@ func TestDNS_ServiceLookup_SRV_RFC(t *testing.T) { } func TestDNS_ServiceLookup_SRV_RFC_TCP_Default(t *testing.T) { - dir, srv := makeDNSServer(t, nil, nil) + dir, srv := makeDNSServer(t) defer os.RemoveAll(dir) defer srv.agent.Shutdown() @@ -1692,3 +1715,59 @@ func TestDNS_ServiceLookup_SRV_RFC_TCP_Default(t *testing.T) { t.Fatalf("Bad: %#v", in.Extra[0]) } } + +func TestDNS_ServiceLookup_FilterACL(t *testing.T) { + confFn := func(c *Config) { + c.ACLMasterToken = "root" + c.ACLDatacenter = "dc1" + c.ACLDownPolicy = "deny" + c.ACLDefaultPolicy = "deny" + } + dir, srv := makeDNSServerConfig(t, confFn, nil) + defer os.RemoveAll(dir) + defer srv.agent.Shutdown() + + testutil.WaitForLeader(t, srv.agent.RPC, "dc1") + + // Register a service + args := &structs.RegisterRequest{ + Datacenter: "dc1", + Node: "foo", + Address: "127.0.0.1", + Service: &structs.NodeService{ + Service: "foo", + Port: 12345, + }, + WriteRequest: structs.WriteRequest{Token: "root"}, + } + var out struct{} + if err := srv.agent.RPC("Catalog.Register", args, &out); err != nil { + t.Fatalf("err: %v", err) + } + + // Set up the DNS query + c := new(dns.Client) + addr, _ := srv.agent.config.ClientListener("", srv.agent.config.Ports.DNS) + m := new(dns.Msg) + m.SetQuestion("foo.service.consul.", dns.TypeA) + + // Query with the root token. Should get results. + srv.agent.config.ACLToken = "root" + in, _, err := c.Exchange(m, addr.String()) + if err != nil { + t.Fatalf("err: %v", err) + } + if len(in.Answer) != 1 { + t.Fatalf("Bad: %#v", in) + } + + // Query with a non-root token without access. Should get nothing. + srv.agent.config.ACLToken = "anonymous" + in, _, err = c.Exchange(m, addr.String()) + if err != nil { + t.Fatalf("err: %v", err) + } + if len(in.Answer) != 0 { + t.Fatalf("Bad: %#v", in) + } +}