diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index 7fb5720ddf..6d8fa10703 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -263,11 +263,16 @@ node "foo" { func createToken(t *testing.T, cc rpc.ClientCodec, policyRules string) string { t.Helper() + return createTokenWithPolicyName(t, "the-policy", cc, policyRules) +} + +func createTokenWithPolicyName(t *testing.T, policyName string, cc rpc.ClientCodec, policyRules string) string { + t.Helper() reqPolicy := structs.ACLPolicySetRequest{ Datacenter: "dc1", Policy: structs.ACLPolicy{ - Name: "the-policy", + Name: policyName, Rules: policyRules, }, WriteRequest: structs.WriteRequest{Token: "root"}, @@ -282,7 +287,7 @@ func createToken(t *testing.T, cc rpc.ClientCodec, policyRules string) string { Datacenter: "dc1", ACLToken: structs.ACLToken{ SecretID: token, - Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}}, + Policies: []structs.ACLTokenPolicyLink{{Name: policyName}}, }, WriteRequest: structs.WriteRequest{Token: "root"}, } diff --git a/agent/consul/connect_ca_endpoint_test.go b/agent/consul/connect_ca_endpoint_test.go index 45341fd55f..c257c9fc63 100644 --- a/agent/consul/connect_ca_endpoint_test.go +++ b/agent/consul/connect_ca_endpoint_test.go @@ -1118,25 +1118,7 @@ func TestConnectCASignValidation(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1") - // Create an ACL token with service:write for web* - var webToken string - { - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` - service "web" { - policy = "write" - }`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &webToken)) - } - + webToken := createToken(t, codec, `service "web" { policy = "write" }`) testWebID := connect.TestSpiffeIDService(t, "web") tests := []struct { diff --git a/agent/consul/coordinate_endpoint_test.go b/agent/consul/coordinate_endpoint_test.go index 646c85b19e..f40ee102dd 100644 --- a/agent/consul/coordinate_endpoint_test.go +++ b/agent/consul/coordinate_endpoint_test.go @@ -220,25 +220,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL that can write to the node. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -node "node1" { - policy = "write" -} -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } + id := createToken(t, codec, `node "node1" { policy = "write" }`) // With the token, it should now go through. req.Token = id @@ -460,27 +442,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) { t.Fatalf("bad: %#v", resp.Coordinates) } - // Create an ACL that can read one of the nodes. - var id string - { - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -node "foo" { - policy = "read" -} -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &id); err != nil { - t.Fatalf("err: %v", err) - } - } + id := createToken(t, codec, ` node "foo" { policy = "read" } `) // With the token, it should now go through. arg.Token = id @@ -598,25 +560,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL that can read from the node. - aclReq := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -node "node1" { - policy = "read" -} -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &aclReq, &id); err != nil { - t.Fatalf("err: %v", err) - } + id := createToken(t, codec, `node "node1" { policy = "read" } `) // With the token, it should now go through. arg.Token = id diff --git a/agent/consul/health_endpoint_test.go b/agent/consul/health_endpoint_test.go index bc34c2c6de..9ad65401f0 100644 --- a/agent/consul/health_endpoint_test.go +++ b/agent/consul/health_endpoint_test.go @@ -993,26 +993,15 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create the ACL. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "write" } -node "foo" { +node_prefix "foo" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var token string - assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", arg, &token)) +` + token := createToken(t, codec, rules) { var out struct{} diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go index 7ddf7d9d6c..441746b3fc 100644 --- a/agent/consul/intention_endpoint_test.go +++ b/agent/consul/intention_endpoint_test.go @@ -877,27 +877,12 @@ func TestIntentionApply_aclDeny(t *testing.T) { waitForLeaderEstablishment(t, s1) - // Create an ACL with write permissions - var token string - { - var rules = ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "deny" intentions = "write" }` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token)) - } + token := createToken(t, codec, rules) // Setup a basic record to create ixn := structs.IntentionRequest{ @@ -1282,27 +1267,12 @@ func TestIntentionApply_aclDelete(t *testing.T) { waitForLeaderEstablishment(t, s1) - // Create an ACL with write permissions - var token string - { - var rules = ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "deny" intentions = "write" }` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token)) - } + token := createToken(t, codec, rules) // Setup a basic record to create ixn := structs.IntentionRequest{ @@ -1363,27 +1333,12 @@ func TestIntentionApply_aclUpdate(t *testing.T) { waitForLeaderEstablishment(t, s1) - // Create an ACL with write permissions - var token string - { - var rules = ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "deny" intentions = "write" }` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token)) - } + token := createToken(t, codec, rules) // Setup a basic record to create ixn := structs.IntentionRequest{ @@ -1477,27 +1432,12 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) { waitForLeaderEstablishment(t, s1) - // Create an ACL with write permissions - var token string - { - var rules = ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "deny" intentions = "write" }` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token)) - } + token := createToken(t, codec, rules) // Setup a basic record to create ixn := structs.IntentionRequest{ @@ -2018,26 +1958,11 @@ func TestIntentionCheck_aclDeny(t *testing.T) { waitForLeaderEstablishment(t, s1) - // Create an ACL with service read permissions. This will grant permission. - var token string - { - var rules = ` -service "bar" { + rules := ` +service_prefix "bar" { policy = "read" }` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token)) - } + token := createToken(t, codec, rules) // Check req := &structs.IntentionQueryRequest{ diff --git a/agent/consul/kvs_endpoint_test.go b/agent/consul/kvs_endpoint_test.go index 398e9e305f..9fa6e37fea 100644 --- a/agent/consul/kvs_endpoint_test.go +++ b/agent/consul/kvs_endpoint_test.go @@ -94,22 +94,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) { testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create the ACL - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testListRules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var out string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil { - t.Fatalf("err: %v", err) - } - id := out + id := createToken(t, codec, testListRules) // Try a write argR := structs.KVSRequest{ @@ -459,21 +444,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) { } } - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testListRules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var out string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil { - t.Fatalf("err: %v", err) - } - id := out + id := createToken(t, codec, testListRules) getR := structs.KeyRequest{ Datacenter: "dc1", @@ -551,32 +522,18 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) { //write acl policy that denies recursive reads on "" var testListRules1 = ` -key "" { +key_prefix "" { policy = "deny" } -key "bar" { +key_prefix "bar" { policy = "list" } -key "zip" { +key_prefix "zip" { policy = "read" } ` - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testListRules1, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var out string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil { - t.Fatalf("err: %v", err) - } - id := out + id := createToken(t, codec, testListRules1) //recursive read on empty prefix should fail getReq := structs.KeyRequest{ @@ -752,21 +709,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) { } } - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testListRules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var out string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil { - t.Fatalf("err: %v", err) - } - id := out + id := createToken(t, codec, testListRules) getR := structs.KeyListRequest{ Datacenter: "dc1", diff --git a/agent/consul/operator_autopilot_endpoint_test.go b/agent/consul/operator_autopilot_endpoint_test.go index 5b8b7b2cd6..d1a9e96b6d 100644 --- a/agent/consul/operator_autopilot_endpoint_test.go +++ b/agent/consul/operator_autopilot_endpoint_test.go @@ -75,27 +75,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL with operator read permissions. - var token string - { - var rules = ` - operator = "read" - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + token := createToken(t, codec, `operator = "read"`) // Now we can read and verify the config arg.Token = token @@ -182,27 +162,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL with operator write permissions. - var token string - { - var rules = ` - operator = "write" - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + token := createToken(t, codec, `operator = "write"`) // Now we can update the config arg.Token = token diff --git a/agent/consul/operator_raft_endpoint_test.go b/agent/consul/operator_raft_endpoint_test.go index 252bd14ba5..da5bcc1214 100644 --- a/agent/consul/operator_raft_endpoint_test.go +++ b/agent/consul/operator_raft_endpoint_test.go @@ -93,26 +93,8 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) { } // Create an ACL with operator read permissions. - var token string - { - var rules = ` - operator = "read" - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + rules := `operator = "read"` + token := createToken(t, codec, rules) // Now it should go through. arg.Token = token @@ -241,27 +223,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL with operator write permissions. - var token string - { - var rules = ` - operator = "write" - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + token := createToken(t, codec, `operator = "write" `) // Now it should kick back for being an invalid config, which means it // tried to do the operation. @@ -371,27 +333,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) { t.Fatalf("err: %v", err) } - // Create an ACL with operator write permissions. - var token string - { - var rules = ` - operator = "write" - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + token := createToken(t, codec, `operator = "write"`) // Now it should kick back for being an invalid config, which means it // tried to do the operation. diff --git a/agent/consul/prepared_query_endpoint_test.go b/agent/consul/prepared_query_endpoint_test.go index 64ee6a2276..33858726cb 100644 --- a/agent/consul/prepared_query_endpoint_test.go +++ b/agent/consul/prepared_query_endpoint_test.go @@ -210,29 +210,12 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create an ACL with write permissions for redis queries. - var token string - { - var rules = ` - query "redis" { - policy = "write" - } - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, + rules := ` + query_prefix "redis" { + policy = "write" } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + ` + token := createToken(t, codec, rules) // Set up a bare bones query. query := structs.PreparedQueryRequest{ @@ -656,29 +639,12 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create an ACL with write permissions for any prefix. - var token string - { - var rules = ` - query "" { - policy = "write" - } - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, + rules := ` + query "" { + policy = "write" } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + ` + token := createToken(t, codec, rules) // Set up a catch-all template. query := structs.PreparedQueryRequest{ @@ -875,29 +841,12 @@ func TestPreparedQuery_Get(t *testing.T) { testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create an ACL with write permissions for redis queries. - var token string - { - var rules = ` - query "redis" { - policy = "write" - } - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, + rules := ` + query_prefix "redis" { + policy = "write" } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + ` + token := createToken(t, codec, rules) // Set up a bare bones query. query := structs.PreparedQueryRequest{ @@ -1133,29 +1082,12 @@ func TestPreparedQuery_List(t *testing.T) { testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create an ACL with write permissions for redis queries. - var token string - { - var rules = ` - query "redis" { - policy = "write" - } - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, + rules := ` + query_prefix "redis" { + policy = "write" } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + ` + token := createToken(t, codec, rules) // Query with a legit token but no queries. { @@ -1346,29 +1278,12 @@ func TestPreparedQuery_Explain(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create an ACL with write permissions for prod- queries. - var token string - { - var rules = ` - query "prod-" { - policy = "write" - } - ` - - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: rules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, + rules := ` + query_prefix "prod-" { + policy = "write" } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } - } + ` + token := createToken(t, codec, rules) // Set up a template. query := structs.PreparedQueryRequest{ @@ -1515,52 +1430,13 @@ func TestPreparedQuery_Execute(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) testrpc.WaitForLeader(t, s1.RPC, "dc2", testrpc.WithToken("root")) - // Create ACL tokens with read permission to the service and to the service - // and all nodes. - var execNoNodesToken string - { - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: `service "foo" { policy = "read" }`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &execNoNodesToken)) - } - var execToken string - { - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: `service "foo" { policy = "read" } - node "" { policy = "read" }`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &execToken)) - } - // Make a new exec token that can't read the service. - var denyToken string - { - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: `service "foo" { policy = "deny" }`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &denyToken)) - } + execNoNodesToken := createTokenWithPolicyName(t, "no-nodes", codec1, `service_prefix "foo" { policy = "read" }`) + rules := ` + service_prefix "foo" { policy = "read" } + node_prefix "" { policy = "read" } + ` + execToken := createTokenWithPolicyName(t, "with-read", codec1, rules) + denyToken := createTokenWithPolicyName(t, "with-deny", codec1, `service_prefix "foo" { policy = "deny" }`) newSessionDC1 := func(t *testing.T) string { t.Helper() diff --git a/agent/consul/session_endpoint_test.go b/agent/consul/session_endpoint_test.go index 8615f8715a..61551b7e83 100644 --- a/agent/consul/session_endpoint_test.go +++ b/agent/consul/session_endpoint_test.go @@ -167,26 +167,12 @@ func TestSession_Apply_ACLDeny(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create the ACL. - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` session "foo" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - - var token string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } +` + token := createToken(t, codec, rules) // Just add a node. s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"}) @@ -405,26 +391,12 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create the ACL. - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` session "foo" { policy = "read" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - - var token string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } +` + token := createToken(t, codec, rules) // Create a node and a session. s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"}) @@ -764,26 +736,12 @@ func TestSession_Renew_ACLDeny(t *testing.T) { testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root")) - // Create the ACL. - req := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` session "foo" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - - var token string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil { - t.Fatalf("err: %v", err) - } +` + token := createToken(t, codec, rules) // Just add a node. s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"}) diff --git a/agent/consul/txn_endpoint_test.go b/agent/consul/txn_endpoint_test.go index 4abb691402..d850e0b2bf 100644 --- a/agent/consul/txn_endpoint_test.go +++ b/agent/consul/txn_endpoint_test.go @@ -348,23 +348,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) { check := structs.HealthCheck{Node: "nope", CheckID: types.CheckID("nope")} state.EnsureCheck(4, &check) - // Create the ACL. - var id string - { - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testTxnRules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := s1.RPC("ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } - } + id := createToken(t, rpcClient(t, s1), testTxnRules) // Set up a transaction where every operation should get blocked due to // ACLs. @@ -888,23 +872,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) { check := structs.HealthCheck{Node: "nope", CheckID: types.CheckID("nope")} state.EnsureCheck(4, &check) - // Create the ACL. - var id string - { - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: testTxnRules, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } - } + id := createToken(t, codec, testTxnRules) // Set up a transaction where every operation should get blocked due to // ACLs.