status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-09 13:26:07 +00:00
Code Issues Projects Releases Wiki Activity

Convert tests to the new ACL system

Browse Source 
In preparation for removing ACL.Apply
This commit is contained in:
Daniel Nephin 2021-09-03 16:13:11 -04:00
parent 5779af1f62
commit fa4b33ab8f
11 changed files with 87 additions and 595 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
agent/consul/catalog_endpoint_test.go
View File

@ -263,11 +263,16 @@ node "foo" {
func createToken(t *testing.T, cc rpc.ClientCodec, policyRules string) string {
t.Helper()
return createTokenWithPolicyName(t, "the-policy", cc, policyRules)
}
func createTokenWithPolicyName(t *testing.T, policyName string, cc rpc.ClientCodec, policyRules string) string {
t.Helper()
reqPolicy := structs.ACLPolicySetRequest{
Datacenter: "dc1",
Policy: structs.ACLPolicy{
Name: "the-policy",
Name: policyName,
Rules: policyRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
@ -282,7 +287,7 @@ func createToken(t *testing.T, cc rpc.ClientCodec, policyRules string) string {
Datacenter: "dc1",
ACLToken: structs.ACLToken{
SecretID: token,
Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}},
Policies: []structs.ACLTokenPolicyLink{{Name: policyName}},
},
WriteRequest: structs.WriteRequest{Token: "root"},
}

20
agent/consul/connect_ca_endpoint_test.go
View File

@ -1118,25 +1118,7 @@ func TestConnectCASignValidation(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL token with service:write for web*
var webToken string
{
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
service "web" {
policy = "write"
}`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &webToken))
}
webToken := createToken(t, codec, `service "web" { policy = "write" }`)
testWebID := connect.TestSpiffeIDService(t, "web")
tests := []struct {

62
agent/consul/coordinate_endpoint_test.go
View File

@ -220,25 +220,7 @@ func TestCoordinate_Update_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL that can write to the node.
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
node "node1" {
policy = "write"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var id string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil {
t.Fatalf("err: %v", err)
}
id := createToken(t, codec, `node "node1" { policy = "write" }`)
// With the token, it should now go through.
req.Token = id
@ -460,27 +442,7 @@ func TestCoordinate_ListNodes_ACLFilter(t *testing.T) {
t.Fatalf("bad: %#v", resp.Coordinates)
}
// Create an ACL that can read one of the nodes.
var id string
{
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
node "foo" {
policy = "read"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &id); err != nil {
t.Fatalf("err: %v", err)
}
}
id := createToken(t, codec, ` node "foo" { policy = "read" } `)
// With the token, it should now go through.
arg.Token = id
@ -598,25 +560,7 @@ func TestCoordinate_Node_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL that can read from the node.
aclReq := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
node "node1" {
policy = "read"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var id string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &aclReq, &id); err != nil {
t.Fatalf("err: %v", err)
}
id := createToken(t, codec, `node "node1" { policy = "read" } `)
// With the token, it should now go through.
arg.Token = id

21
agent/consul/health_endpoint_test.go
View File

@ -993,26 +993,15 @@ func TestHealth_ServiceNodes_ConnectProxy_ACL(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create the ACL.
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
service "foo" {
rules := `
service_prefix "foo" {
policy = "write"
}
node "foo" {
node_prefix "foo" {
policy = "write"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var token string
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", arg, &token))
`
token := createToken(t, codec, rules)
{
var out struct{}

105
agent/consul/intention_endpoint_test.go
View File

@ -877,27 +877,12 @@ func TestIntentionApply_aclDeny(t *testing.T) {
waitForLeaderEstablishment(t, s1)
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
rules := `
service_prefix "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
token := createToken(t, codec, rules)
// Setup a basic record to create
ixn := structs.IntentionRequest{
@ -1282,27 +1267,12 @@ func TestIntentionApply_aclDelete(t *testing.T) {
waitForLeaderEstablishment(t, s1)
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
rules := `
service_prefix "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
token := createToken(t, codec, rules)
// Setup a basic record to create
ixn := structs.IntentionRequest{
@ -1363,27 +1333,12 @@ func TestIntentionApply_aclUpdate(t *testing.T) {
waitForLeaderEstablishment(t, s1)
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
rules := `
service_prefix "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
token := createToken(t, codec, rules)
// Setup a basic record to create
ixn := structs.IntentionRequest{
@ -1477,27 +1432,12 @@ func TestIntentionApply_aclUpdateChange(t *testing.T) {
waitForLeaderEstablishment(t, s1)
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
rules := `
service_prefix "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
token := createToken(t, codec, rules)
// Setup a basic record to create
ixn := structs.IntentionRequest{
@ -2018,26 +1958,11 @@ func TestIntentionCheck_aclDeny(t *testing.T) {
waitForLeaderEstablishment(t, s1)
// Create an ACL with service read permissions. This will grant permission.
var token string
{
var rules = `
service "bar" {
rules := `
service_prefix "bar" {
policy = "read"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
token := createToken(t, codec, rules)
// Check
req := &structs.IntentionQueryRequest{

71
agent/consul/kvs_endpoint_test.go
View File

@ -94,22 +94,7 @@ func TestKVS_Apply_ACLDeny(t *testing.T) {
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create the ACL
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testListRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var out string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil {
t.Fatalf("err: %v", err)
}
id := out
id := createToken(t, codec, testListRules)
// Try a write
argR := structs.KVSRequest{
@ -459,21 +444,7 @@ func TestKVSEndpoint_List_ACLDeny(t *testing.T) {
}
}
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testListRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var out string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil {
t.Fatalf("err: %v", err)
}
id := out
id := createToken(t, codec, testListRules)
getR := structs.KeyRequest{
Datacenter: "dc1",
@ -551,32 +522,18 @@ func TestKVSEndpoint_List_ACLEnableKeyListPolicy(t *testing.T) {
//write acl policy that denies recursive reads on ""
var testListRules1 = `
key "" {
key_prefix "" {
policy = "deny"
}
key "bar" {
key_prefix "bar" {
policy = "list"
}
key "zip" {
key_prefix "zip" {
policy = "read"
}
`
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testListRules1,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var out string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil {
t.Fatalf("err: %v", err)
}
id := out
id := createToken(t, codec, testListRules1)
//recursive read on empty prefix should fail
getReq := structs.KeyRequest{
@ -752,21 +709,7 @@ func TestKVSEndpoint_ListKeys_ACLDeny(t *testing.T) {
}
}
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testListRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var out string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &out); err != nil {
t.Fatalf("err: %v", err)
}
id := out
id := createToken(t, codec, testListRules)
getR := structs.KeyListRequest{
Datacenter: "dc1",

44
agent/consul/operator_autopilot_endpoint_test.go
View File

@ -75,27 +75,7 @@ func TestOperator_Autopilot_GetConfiguration_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL with operator read permissions.
var token string
{
var rules = `
operator = "read"
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, `operator = "read"`)
// Now we can read and verify the config
arg.Token = token
@ -182,27 +162,7 @@ func TestOperator_Autopilot_SetConfiguration_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL with operator write permissions.
var token string
{
var rules = `
operator = "write"
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, `operator = "write"`)
// Now we can update the config
arg.Token = token

66
agent/consul/operator_raft_endpoint_test.go
View File

@ -93,26 +93,8 @@ func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) {
}
// Create an ACL with operator read permissions.
var token string
{
var rules = `
operator = "read"
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
rules := `operator = "read"`
token := createToken(t, codec, rules)
// Now it should go through.
arg.Token = token
@ -241,27 +223,7 @@ func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL with operator write permissions.
var token string
{
var rules = `
operator = "write"
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, `operator = "write" `)
// Now it should kick back for being an invalid config, which means it
// tried to do the operation.
@ -371,27 +333,7 @@ func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Create an ACL with operator write permissions.
var token string
{
var rules = `
operator = "write"
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, `operator = "write"`)
// Now it should kick back for being an invalid config, which means it
// tried to do the operation.

166
agent/consul/prepared_query_endpoint_test.go
View File

@ -210,29 +210,12 @@ func TestPreparedQuery_Apply_ACLDeny(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create an ACL with write permissions for redis queries.
var token string
{
var rules = `
query "redis" {
rules := `
query_prefix "redis" {
policy = "write"
}
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, rules)
// Set up a bare bones query.
query := structs.PreparedQueryRequest{
@ -656,29 +639,12 @@ func TestPreparedQuery_ACLDeny_Catchall_Template(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create an ACL with write permissions for any prefix.
var token string
{
var rules = `
rules := `
query "" {
policy = "write"
}
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, rules)
// Set up a catch-all template.
query := structs.PreparedQueryRequest{
@ -875,29 +841,12 @@ func TestPreparedQuery_Get(t *testing.T) {
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create an ACL with write permissions for redis queries.
var token string
{
var rules = `
query "redis" {
rules := `
query_prefix "redis" {
policy = "write"
}
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, rules)
// Set up a bare bones query.
query := structs.PreparedQueryRequest{
@ -1133,29 +1082,12 @@ func TestPreparedQuery_List(t *testing.T) {
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create an ACL with write permissions for redis queries.
var token string
{
var rules = `
query "redis" {
rules := `
query_prefix "redis" {
policy = "write"
}
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, rules)
// Query with a legit token but no queries.
{
@ -1346,29 +1278,12 @@ func TestPreparedQuery_Explain(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create an ACL with write permissions for prod- queries.
var token string
{
var rules = `
query "prod-" {
rules := `
query_prefix "prod-" {
policy = "write"
}
`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
}
token := createToken(t, codec, rules)
// Set up a template.
query := structs.PreparedQueryRequest{
@ -1515,52 +1430,13 @@ func TestPreparedQuery_Execute(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
testrpc.WaitForLeader(t, s1.RPC, "dc2", testrpc.WithToken("root"))
// Create ACL tokens with read permission to the service and to the service
// and all nodes.
var execNoNodesToken string
{
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `service "foo" { policy = "read" }`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &execNoNodesToken))
}
var execToken string
{
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `service "foo" { policy = "read" }
node "" { policy = "read" }`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &execToken))
}
// Make a new exec token that can't read the service.
var denyToken string
{
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `service "foo" { policy = "deny" }`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.NoError(t, msgpackrpc.CallWithCodec(codec1, "ACL.Apply", &req, &denyToken))
}
execNoNodesToken := createTokenWithPolicyName(t, "no-nodes", codec1, `service_prefix "foo" { policy = "read" }`)
rules := `
service_prefix "foo" { policy = "read" }
node_prefix "" { policy = "read" }
`
execToken := createTokenWithPolicyName(t, "with-read", codec1, rules)
denyToken := createTokenWithPolicyName(t, "with-deny", codec1, `service_prefix "foo" { policy = "deny" }`)
newSessionDC1 := func(t *testing.T) string {
t.Helper()

60
agent/consul/session_endpoint_test.go
View File

@ -167,26 +167,12 @@ func TestSession_Apply_ACLDeny(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create the ACL.
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
rules := `
session "foo" {
policy = "write"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var token string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
`
token := createToken(t, codec, rules)
// Just add a node.
s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"})
@ -405,26 +391,12 @@ func TestSession_Get_List_NodeSessions_ACLFilter(t *testing.T) {
testrpc.WaitForLeader(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create the ACL.
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
rules := `
session "foo" {
policy = "read"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var token string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
`
token := createToken(t, codec, rules)
// Create a node and a session.
s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"})
@ -764,26 +736,12 @@ func TestSession_Renew_ACLDeny(t *testing.T) {
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
// Create the ACL.
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: `
rules := `
session "foo" {
policy = "write"
}
`,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
var token string
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
`
token := createToken(t, codec, rules)
// Just add a node.
s1.fsm.State().EnsureNode(1, &structs.Node{Node: "foo", Address: "127.0.0.1"})

36
agent/consul/txn_endpoint_test.go
View File

@ -348,23 +348,7 @@ func TestTxn_Apply_ACLDeny(t *testing.T) {
check := structs.HealthCheck{Node: "nope", CheckID: types.CheckID("nope")}
state.EnsureCheck(4, &check)
// Create the ACL.
var id string
{
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testTxnRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := s1.RPC("ACL.Apply", &arg, &id); err != nil {
t.Fatalf("err: %v", err)
}
}
id := createToken(t, rpcClient(t, s1), testTxnRules)
// Set up a transaction where every operation should get blocked due to
// ACLs.
@ -888,23 +872,7 @@ func TestTxn_Read_ACLDeny(t *testing.T) {
check := structs.HealthCheck{Node: "nope", CheckID: types.CheckID("nope")}
state.EnsureCheck(4, &check)
// Create the ACL.
var id string
{
arg := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
Type: structs.ACLTokenTypeClient,
Rules: testTxnRules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil {
t.Fatalf("err: %v", err)
}
}
id := createToken(t, codec, testTxnRules)
// Set up a transaction where every operation should get blocked due to
// ACLs.