consul/agent/auto-config/config_translate_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package autoconf

import (
	"testing"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/agent/config"
	"github.com/hashicorp/consul/agent/structs"
	pbconfig "github.com/hashicorp/consul/proto/private/pbconfig"
	"github.com/hashicorp/consul/proto/private/pbconnect"
)

func stringPointer(s string) *string {
	return &s
}

func boolPointer(b bool) *bool {
	return &b
}

func mustTranslateCARootToProtobuf(t *testing.T, in *structs.CARoot) *pbconnect.CARoot {
	out, err := pbconnect.NewCARootFromStructs(in)
	require.NoError(t, err)
	return out
}

func mustTranslateCARootsToStructs(t *testing.T, in *pbconnect.CARoots) *structs.IndexedCARoots {
	out, err := pbconnect.CARootsToStructs(in)
	require.NoError(t, err)
	return out
}

func mustTranslateCARootsToProtobuf(t *testing.T, in *structs.IndexedCARoots) *pbconnect.CARoots {
	out, err := pbconnect.NewCARootsFromStructs(in)
	require.NoError(t, err)
	return out
}

func mustTranslateIssuedCertToProtobuf(t *testing.T, in *structs.IssuedCert) *pbconnect.IssuedCert {
	var out, err = pbconnect.NewIssuedCertFromStructs(in)
	require.NoError(t, err)
	return out
}

func TestTranslateConfig(t *testing.T) {
	original := pbconfig.Config{
		Datacenter:        "abc",
		PrimaryDatacenter: "def",
		NodeName:          "ghi",
		SegmentName:       "jkl",
		ACL: &pbconfig.ACL{
			Enabled:                true,
			PolicyTTL:              "1s",
			RoleTTL:                "2s",
			TokenTTL:               "3s",
			DownPolicy:             "deny",
			DefaultPolicy:          "deny",
			EnableKeyListPolicy:    true,
			EnableTokenPersistence: true,
			MSPDisableBootstrap:    false,
			Tokens: &pbconfig.ACLTokens{
				InitialManagement: "99e7e490-6baf-43fc-9010-78b6aa9a6813",
				Replication:       "51308d40-465c-4ac6-a636-7c0747edec89",
				AgentRecovery:     "e012e1ea-78a2-41cc-bc8b-231a44196f39",
				Default:           "8781a3f5-de46-4b45-83e1-c92f4cfd0332",
				Agent:             "ddb8f1b0-8a99-4032-b601-87926bce244e",
				ManagedServiceProvider: []*pbconfig.ACLServiceProviderToken{
					{
						AccessorID: "23f37987-7b9e-4e5b-acae-dbc9bc137bae",
						SecretID:   "e28b820a-438e-4e2b-ad24-fe59e6a4914f",
					},
				},
			},
		},
		AutoEncrypt: &pbconfig.AutoEncrypt{
			TLS:      true,
			DNSSAN:   []string{"dns"},
			IPSAN:    []string{"198.18.0.1"},
			AllowTLS: false,
		},
		Gossip: &pbconfig.Gossip{
			RetryJoinLAN: []string{"10.0.0.1"},
			Encryption: &pbconfig.GossipEncryption{
				Key:            "blarg",
				VerifyOutgoing: true,
				VerifyIncoming: true,
			},
		},
		TLS: &pbconfig.TLS{
			VerifyOutgoing:       true,
			VerifyServerHostname: true,
			CipherSuites:         "stuff",
			MinVersion:           "tls13",
		},
	}

	expected := config.Config{
		Datacenter:            stringPointer("abc"),
		PrimaryDatacenter:     stringPointer("def"),
		NodeName:              stringPointer("ghi"),
		SegmentName:           stringPointer("jkl"),
		RetryJoinLAN:          []string{"10.0.0.1"},
		EncryptKey:            stringPointer("blarg"),
		EncryptVerifyIncoming: boolPointer(true),
		EncryptVerifyOutgoing: boolPointer(true),
		TLS: config.TLS{
			Defaults: config.TLSProtocolConfig{
				VerifyOutgoing:  boolPointer(true),
				TLSCipherSuites: stringPointer("stuff"),
				TLSMinVersion:   stringPointer("TLSv1_3"),
			},
			InternalRPC: config.TLSProtocolConfig{
				VerifyServerHostname: boolPointer(true),
			},
		},
		ACL: config.ACL{
			Enabled:                boolPointer(true),
			PolicyTTL:              stringPointer("1s"),
			RoleTTL:                stringPointer("2s"),
			TokenTTL:               stringPointer("3s"),
			DownPolicy:             stringPointer("deny"),
			DefaultPolicy:          stringPointer("deny"),
			EnableKeyListPolicy:    boolPointer(true),
			EnableTokenPersistence: boolPointer(true),
			Tokens: config.Tokens{
				InitialManagement: stringPointer("99e7e490-6baf-43fc-9010-78b6aa9a6813"),
				AgentRecovery:     stringPointer("e012e1ea-78a2-41cc-bc8b-231a44196f39"),
				Replication:       stringPointer("51308d40-465c-4ac6-a636-7c0747edec89"),
				Default:           stringPointer("8781a3f5-de46-4b45-83e1-c92f4cfd0332"),
				Agent:             stringPointer("ddb8f1b0-8a99-4032-b601-87926bce244e"),
				ManagedServiceProvider: []config.ServiceProviderToken{
					{
						AccessorID: stringPointer("23f37987-7b9e-4e5b-acae-dbc9bc137bae"),
						SecretID:   stringPointer("e28b820a-438e-4e2b-ad24-fe59e6a4914f"),
					},
				},
			},
		},
		AutoEncrypt: config.AutoEncrypt{
			TLS:      boolPointer(true),
			DNSSAN:   []string{"dns"},
			IPSAN:    []string{"198.18.0.1"},
			AllowTLS: boolPointer(false),
		},
	}

	translated := translateConfig(&original)
	require.Equal(t, expected, translated)
}

func TestCArootsTranslation(t *testing.T) {
	_, indexedRoots, _ := testCerts(t, "autoconf", "dc1")
	protoRoots := mustTranslateCARootsToProtobuf(t, indexedRoots)
	require.Equal(t, indexedRoots, mustTranslateCARootsToStructs(t, protoRoots))
}

func caRootRoundtrip(t *testing.T, s *structs.CARoot) *structs.CARoot {
	pbRoot, err := pbconnect.NewCARootFromStructs(s)
	require.NoError(t, err)
	root, err := pbconnect.CARootToStructs(pbRoot)
	require.NoError(t, err)
	return root
}
func caRootsRoundtrip(t *testing.T, s *structs.IndexedCARoots) *structs.IndexedCARoots {
	pbRoot, err := pbconnect.NewCARootsFromStructs(s)
	require.NoError(t, err)
	root, err := pbconnect.CARootsToStructs(pbRoot)
	require.NoError(t, err)
	return root
}

func issuedCertRoundtrip(t *testing.T, s *structs.IssuedCert) *structs.IssuedCert {
	pbCert, err := pbconnect.NewIssuedCertFromStructs(s)
	require.NoError(t, err)
	cert, err := pbconnect.IssuedCertToStructs(pbCert)
	require.NoError(t, err)
	return cert
}