consul/internal/mesh/proxy-tracker/proxy_state_exports_test.go
John Murret d67e5c6e35
NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params (#19049)
* NET-5590 - authorization: check for identity:write in CA certs, xds server, and getting envoy bootstrap params

* gofmt file
2023-10-03 22:02:23 +00:00

79 lines
2.2 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package proxytracker
import (
"github.com/hashicorp/consul/acl"
pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
"github.com/hashicorp/consul/proto-public/pbresource"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"strings"
"testing"
)
func TestProxyState_Authorize(t *testing.T) {
testIdentity := &pbresource.Reference{
Type: &pbresource.Type{
Group: "mesh",
GroupVersion: "v1alpha1",
Kind: "Identity",
},
Tenancy: &pbresource.Tenancy{
Partition: "default",
Namespace: "default",
PeerName: "local",
},
Name: "test-identity",
}
type testCase struct {
description string
proxyState *ProxyState
configureAuthorizer func(authorizer *acl.MockAuthorizer)
expectedErrorMessage string
}
testsCases := []testCase{
{
description: "ProxyState - if identity write is allowed for the workload then allow.",
proxyState: &ProxyState{
ProxyState: &pbmesh.ProxyState{
Identity: testIdentity,
},
},
expectedErrorMessage: "",
configureAuthorizer: func(authz *acl.MockAuthorizer) {
authz.On("IdentityWrite", testIdentity.Name, mock.Anything).Return(acl.Allow)
},
},
{
description: "ProxyState - if identity write is not allowed for the workload then deny.",
proxyState: &ProxyState{
ProxyState: &pbmesh.ProxyState{
Identity: testIdentity,
},
},
expectedErrorMessage: "Permission denied: token with AccessorID '' lacks permission 'identity:write' on \"test-identity\"",
configureAuthorizer: func(authz *acl.MockAuthorizer) {
authz.On("IdentityWrite", testIdentity.Name, mock.Anything).Return(acl.Deny)
},
},
}
for _, tc := range testsCases {
t.Run(tc.description, func(t *testing.T) {
authz := &acl.MockAuthorizer{}
authz.On("ToAllow").Return(acl.AllowAuthorizer{Authorizer: authz})
tc.configureAuthorizer(authz)
err := tc.proxyState.Authorize(authz)
errMsg := ""
if err != nil {
errMsg = err.Error()
}
// using contains because Enterprise tests append the parition and namespace
// information to the message.
require.True(t, strings.Contains(errMsg, tc.expectedErrorMessage))
})
}
}