consul/command/acl/token/update/token_update_test.go

410 lines
11 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package tokenupdate
import (
"encoding/json"
"strings"
"testing"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/testrpc"
)
func TestTokenUpdateCommand_noTabs(t *testing.T) {
t.Parallel()
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
t.Fatal("help has tabs")
}
}
func create_token(t *testing.T, client *api.Client, aclToken *api.ACLToken, writeOptions *api.WriteOptions) *api.ACLToken {
token, _, err := client.ACL().TokenCreate(aclToken, writeOptions)
require.NoError(t, err)
return token
}
func TestTokenUpdateCommand(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := agent.NewTestAgent(t, `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
initial_management = "root"
}
}`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
// Create a policy
client := a.Client()
policy, _, err := client.ACL().PolicyCreate(
&api.ACLPolicy{Name: "test-policy"},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
run := func(t *testing.T, args []string) *api.ACLToken {
ui := cli.NewMockUi()
cmd := New(ui)
code := cmd.Run(append(args, "-format=json"))
require.Equal(t, 0, code)
require.Empty(t, ui.ErrorWriter.String())
var token api.ACLToken
require.NoError(t, json.Unmarshal(ui.OutputWriter.Bytes(), &token))
return &token
}
// update with node identity
t.Run("node-identity", func(t *testing.T) {
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-node-identity=foo:bar",
"-description=test token",
})
require.Len(t, responseToken.NodeIdentities, 1)
require.Equal(t, "foo", responseToken.NodeIdentities[0].NodeName)
require.Equal(t, "bar", responseToken.NodeIdentities[0].Datacenter)
})
t.Run("node-identity-merge", func(t *testing.T) {
token := create_token(t,
client,
&api.ACLToken{Description: "test", NodeIdentities: []*api.ACLNodeIdentity{{NodeName: "foo", Datacenter: "bar"}}},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-node-identity=bar:baz",
"-description=test token",
"-merge-node-identities",
})
require.Len(t, responseToken.NodeIdentities, 2)
expected := []*api.ACLNodeIdentity{
{
NodeName: "foo",
Datacenter: "bar",
},
{
NodeName: "bar",
Datacenter: "baz",
},
}
require.ElementsMatch(t, expected, responseToken.NodeIdentities)
})
t.Run("replace-templated-policy", func(t *testing.T) {
token := create_token(
t,
client, &api.ACLToken{Description: "test", TemplatedPolicies: []*api.ACLTemplatedPolicy{
{TemplateName: api.ACLTemplatedPolicyServiceName, TemplateVariables: &api.ACLTemplatedPolicyVariables{Name: "api"}},
}},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-replace-templated-policy=builtin/node",
"-description=test token",
"-var=name:web",
})
require.Len(t, responseToken.TemplatedPolicies, 1)
require.Equal(t, api.ACLTemplatedPolicyNodeName, responseToken.TemplatedPolicies[0].TemplateName)
require.Equal(t, "web", responseToken.TemplatedPolicies[0].TemplateVariables.Name)
})
t.Run("append-templated-policy", func(t *testing.T) {
templatedPolicy := &api.ACLTemplatedPolicy{TemplateName: api.ACLTemplatedPolicyServiceName, TemplateVariables: &api.ACLTemplatedPolicyVariables{Name: "api"}}
token := create_token(
t,
client, &api.ACLToken{Description: "test", TemplatedPolicies: []*api.ACLTemplatedPolicy{
templatedPolicy,
}},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-append-templated-policy=builtin/node",
"-description=test token",
"-var=name:web",
})
require.Len(t, responseToken.TemplatedPolicies, 2)
require.ElementsMatch(t, responseToken.TemplatedPolicies,
[]*api.ACLTemplatedPolicy{templatedPolicy, {TemplateName: api.ACLTemplatedPolicyNodeName, TemplateVariables: &api.ACLTemplatedPolicyVariables{Name: "web"}}})
})
// update with policy by name
t.Run("policy-name", func(t *testing.T) {
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
})
require.Len(t, responseToken.Policies, 1)
})
// update with policy by id
t.Run("policy-id", func(t *testing.T) {
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-policy-id=" + policy.ID,
"-description=test token",
})
require.Len(t, responseToken.Policies, 1)
})
// update with service-identity
t.Run("service-identity", func(t *testing.T) {
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-service-identity=service:datapalace",
"-description=test token",
})
require.Len(t, responseToken.ServiceIdentities, 1)
require.Equal(t, "service", responseToken.ServiceIdentities[0].ServiceName)
})
// update with no description shouldn't delete the current description
t.Run("merge-description", func(t *testing.T) {
token := create_token(t, client, &api.ACLToken{Description: "test token"}, &api.WriteOptions{Token: "root"})
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-policy-name=" + policy.Name,
})
require.Equal(t, "test token", responseToken.Description)
})
}
func TestTokenUpdateCommandWithAppend(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := agent.NewTestAgent(t, `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
initial_management = "root"
}
}`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
// Create a policy
client := a.Client()
policy, _, err := client.ACL().PolicyCreate(
&api.ACLPolicy{Name: "test-policy"},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
// secondary policy
secondPolicy, _, policyErr := client.ACL().PolicyCreate(
&api.ACLPolicy{Name: "secondary-policy"},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, policyErr)
run := func(t *testing.T, args []string) *api.ACLToken {
ui := cli.NewMockUi()
cmd := New(ui)
code := cmd.Run(append(args, "-format=json"))
require.Equal(t, 0, code)
require.Empty(t, ui.ErrorWriter.String())
var token api.ACLToken
require.NoError(t, json.Unmarshal(ui.OutputWriter.Bytes(), &token))
return &token
}
// update with append-policy-name
t.Run("append-policy-name", func(t *testing.T) {
token := create_token(t, client,
&api.ACLToken{Description: "test", Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}}},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-append-policy-name=" + secondPolicy.Name,
"-description=test token",
})
require.Len(t, responseToken.Policies, 2)
})
// update with append-policy-id
t.Run("append-policy-id", func(t *testing.T) {
token := create_token(t, client,
&api.ACLToken{Description: "test", Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}}},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-append-policy-id=" + secondPolicy.ID,
"-description=test token",
})
require.Len(t, responseToken.Policies, 2)
})
// update with append-node-identity
t.Run("append-node-identity", func(t *testing.T) {
token := create_token(t, client,
&api.ACLToken{
Description: "test",
Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}},
NodeIdentities: []*api.ACLNodeIdentity{{NodeName: "namenode", Datacenter: "somewhere"}},
},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-append-node-identity=third:node",
"-description=test token",
})
require.Len(t, responseToken.NodeIdentities, 2)
})
// update with append-service-identity
t.Run("append-service-identity", func(t *testing.T) {
token := create_token(t, client,
&api.ACLToken{
Description: "test",
Policies: []*api.ACLTokenPolicyLink{{Name: policy.Name}},
ServiceIdentities: []*api.ACLServiceIdentity{{ServiceName: "service"}},
},
&api.WriteOptions{Token: "root"},
)
responseToken := run(t, []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-append-service-identity=web",
"-description=test token",
})
require.Len(t, responseToken.ServiceIdentities, 2)
})
}
func TestTokenUpdateCommand_JSON(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := agent.NewTestAgent(t, `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
initial_management = "root"
}
}`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
ui := cli.NewMockUi()
// Create a policy
client := a.Client()
policy, _, err := client.ACL().PolicyCreate(
&api.ACLPolicy{Name: "test-policy"},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
token := create_token(t, client, &api.ACLToken{Description: "test"}, &api.WriteOptions{Token: "root"})
t.Run("update with policy by name", func(t *testing.T) {
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-accessor-id=" + token.AccessorID,
"-token=root",
"-policy-name=" + policy.Name,
"-description=test token",
"-format=json",
}
code := cmd.Run(args)
assert.Equal(t, code, 0)
assert.Empty(t, ui.ErrorWriter.String())
var jsonOutput json.RawMessage
err := json.Unmarshal([]byte(ui.OutputWriter.String()), &jsonOutput)
require.NoError(t, err, "token unmarshalling error")
})
}