Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept *any* valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots`
package testutils
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/acl/resolver"
"github.com/hashicorp/consul/agent/structs"
)
// ACLAnonymous returns a resolver.Result for the anonymous token: the identity
// carries structs.ACLTokenAnonymousID and the authorizer is acl.DenyAll, so
// every permission check fails. Use it to exercise an endpoint's "no token
// presented" path, as opposed to ACLNoPermissions, which models a real but
// unprivileged token.
func ACLAnonymous(t *testing.T) resolver.Result {
	t.Helper()

	anonymous := &structs.ACLToken{AccessorID: structs.ACLTokenAnonymousID}
	return resolver.Result{
		Authorizer:  acl.DenyAll(),
		ACLIdentity: anonymous,
	}
}
// ACLAllowAll returns a resolver.Result for a fully privileged caller: the
// identity is a freshly generated, non-anonymous token and the authorizer is
// acl.AllowAll, so every permission check succeeds.
func ACLAllowAll(t *testing.T) resolver.Result {
	t.Helper()

	result := resolver.Result{Authorizer: acl.AllowAll()}
	result.ACLIdentity = randomACLIdentity(t)
	return result
}
// ACLNoPermissions returns a resolver.Result for a token that exists (a
// freshly generated, non-anonymous accessor ID) but is granted nothing: the
// authorizer is acl.DenyAll. This is the "any valid token" case for endpoints
// that only require the caller to present a token at all; it differs from
// ACLAnonymous only in the identity's accessor ID.
func ACLNoPermissions(t *testing.T) resolver.Result {
	t.Helper()

	result := resolver.Result{Authorizer: acl.DenyAll()}
	result.ACLIdentity = randomACLIdentity(t)
	return result
}
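// ACLServiceWriteAny returns a resolver.Result for a token that holds
// service:write on a single arbitrary service ("foo") and nothing else. It
// stands in for "write on any one service"; it does not grant write on all
// services, so checks scoped to a different service name are denied by the
// acl.DenyAll default.
//
// The rule is built as a struct literal, in the same form ACLServiceRead uses,
// rather than parsed from HCL source, so both helpers construct their policies
// identically.
func ACLServiceWriteAny(t *testing.T) resolver.Result {
	t.Helper()

	policy := &acl.Policy{
		PolicyRules: acl.PolicyRules{
			Services: []*acl.ServiceRule{
				{
					Name:   "foo",
					Policy: acl.PolicyWrite,
				},
			},
		},
	}

	// DenyAll is the fallback, so anything the single rule does not cover is refused.
	authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
	require.NoError(t, err)

	return resolver.Result{
		Authorizer:  authz,
		ACLIdentity: randomACLIdentity(t),
	}
}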
// ACLServiceRead returns a resolver.Result for a token granted service:read on
// exactly serviceName, with everything else refused by the acl.DenyAll
// default. The identity is a freshly generated, non-anonymous token.
func ACLServiceRead(t *testing.T, serviceName string) resolver.Result {
	t.Helper()

	readRule := &acl.ServiceRule{Name: serviceName, Policy: acl.PolicyRead}
	policy := &acl.Policy{
		PolicyRules: acl.PolicyRules{Services: []*acl.ServiceRule{readRule}},
	}

	authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
	require.NoError(t, err)

	return resolver.Result{
		Authorizer:  authz,
		ACLIdentity: randomACLIdentity(t),
	}
}
// randomACLIdentity returns an ACLToken identity with a fresh random
// AccessorID, so helpers that need "some non-anonymous token" get a value that
// is distinct from structs.ACLTokenAnonymousID and from each other. A UUID
// generation failure fails the test rather than yielding a token with an
// empty accessor ID.
func randomACLIdentity(t *testing.T) structs.ACLIdentity {
	accessorID, err := uuid.GenerateUUID()
	require.NoError(t, err)

	token := &structs.ACLToken{AccessorID: accessorID}
	return token
}