consul/agent/structs/acl_templated_policy_ce_test.go


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent
package structs
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/api"
)
// TestStructs_ACLTemplatedPolicy_SyntheticPolicy pins the exact policy text
// that each builtin templated policy expands to in the community-edition
// build (this file is excluded under the consulent build tag).
//
// The rendered Rules and Description are compared verbatim, so any change to
// the privileges a template grants — e.g. widening a prefix rule from "read"
// to "write" — surfaces as a failure here instead of passing silently through
// a template edit. Name, Hash and ID are only checked for presence.
func TestStructs_ACLTemplatedPolicy_SyntheticPolicy(t *testing.T) {
	type testCase struct {
		input *ACLTemplatedPolicy
		want  *ACLPolicy
	}

	// checkPolicy renders tc.input with no enterprise metadata and compares
	// the result against tc.want.
	checkPolicy := func(t *testing.T, tc testCase) {
		got, err := tc.input.SyntheticPolicy(nil)
		require.NoError(t, err)

		// These two fields carry the actual authorization content and must
		// match byte-for-byte.
		require.Equal(t, tc.want.Description, got.Description)
		require.Equal(t, tc.want.Rules, got.Rules)

		// Identity fields are generated per call; only their shape is
		// asserted here.
		require.Contains(t, got.Name, "synthetic-policy-")
		require.NotEmpty(t, got.Hash)
		require.NotEmpty(t, got.ID)
	}

	cases := map[string]testCase{
		"service-identity-template": {
			input: &ACLTemplatedPolicy{
				TemplateID:   ACLTemplatedPolicyServiceID,
				TemplateName: api.ACLTemplatedPolicyServiceName,
				TemplateVariables: &ACLTemplatedPolicyVariables{
					Name: "api",
				},
			},
			want: &ACLPolicy{
				Description: "synthetic policy generated from templated policy: builtin/service",
				Rules: `
service "api" {
policy = "write"
}
service "api-sidecar-proxy" {
policy = "write"
}
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}`,
			},
		},
		"node-identity-template": {
			input: &ACLTemplatedPolicy{
				TemplateID:   ACLTemplatedPolicyNodeID,
				TemplateName: api.ACLTemplatedPolicyNodeName,
				TemplateVariables: &ACLTemplatedPolicyVariables{
					Name: "web",
				},
			},
			want: &ACLPolicy{
				Description: "synthetic policy generated from templated policy: builtin/node",
				Rules: `
node "web" {
policy = "write"
}
service_prefix "" {
policy = "read"
}`,
			},
		},
		"dns-template": {
			input: &ACLTemplatedPolicy{
				TemplateID:   ACLTemplatedPolicyDNSID,
				TemplateName: api.ACLTemplatedPolicyDNSName,
			},
			want: &ACLPolicy{
				Description: "synthetic policy generated from templated policy: builtin/dns",
				Rules: `
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
query_prefix "" {
policy = "read"
}`,
			},
		},
		"workload-identity-template": {
			input: &ACLTemplatedPolicy{
				TemplateID:   ACLTemplatedPolicyWorkloadIdentityID,
				TemplateName: api.ACLTemplatedPolicyWorkloadIdentityName,
				TemplateVariables: &ACLTemplatedPolicyVariables{
					Name: "api",
				},
			},
			want: &ACLPolicy{
				Description: "synthetic policy generated from templated policy: builtin/workload-identity",
				Rules: `identity "api" {
policy = "write"
}`,
			},
		},
		"api-gateway-template": {
			input: &ACLTemplatedPolicy{
				TemplateID:   ACLTemplatedPolicyAPIGatewayID,
				TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
				TemplateVariables: &ACLTemplatedPolicyVariables{
					Name: "api-gateway",
				},
			},
			want: &ACLPolicy{
				Description: "synthetic policy generated from templated policy: builtin/api-gateway",
				Rules: `mesh = "read"
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
service "api-gateway" {
policy = "write"
}`,
			},
		},
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			checkPolicy(t, tc)
		})
	}
}