mirror of
https://github.com/status-im/consul.git
synced 2025-01-23 20:19:29 +00:00
706c844423
This adds an aws-iam auth method type which supports authenticating to Consul using AWS IAM identities. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
151 lines
4.8 KiB
Go
151 lines
4.8 KiB
Go
package iamauth
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestConfigValidate(t *testing.T) {
|
|
principalArn := "arn:aws:iam::000000000000:role/my-role"
|
|
|
|
cases := map[string]struct {
|
|
expError string
|
|
configs []Config
|
|
|
|
includeHeaderNames bool
|
|
}{
|
|
"bound iam principals are required": {
|
|
expError: "BoundIAMPrincipalARNs is required and must have at least 1 entry",
|
|
configs: []Config{
|
|
{BoundIAMPrincipalARNs: nil},
|
|
{BoundIAMPrincipalARNs: []string{}},
|
|
},
|
|
},
|
|
"entity tags require entity details": {
|
|
expError: "Must set EnableIAMEntityDetails=true to use IAMUserTags",
|
|
configs: []Config{
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: false,
|
|
IAMEntityTags: []string{"some-tag"},
|
|
},
|
|
},
|
|
},
|
|
"entity details require all entity header names": {
|
|
expError: "Must set all of GetEntityMethodHeader, GetEntityURLHeader, " +
|
|
"GetEntityHeadersHeader, and GetEntityBodyHeader when EnableIAMEntityDetails=true",
|
|
configs: []Config{
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: true,
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: true,
|
|
GetEntityBodyHeader: "X-Test-Header",
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: true,
|
|
GetEntityHeadersHeader: "X-Test-Header",
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: true,
|
|
GetEntityURLHeader: "X-Test-Header",
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
EnableIAMEntityDetails: true,
|
|
GetEntityMethodHeader: "X-Test-Header",
|
|
},
|
|
},
|
|
},
|
|
"wildcard principals require entity details": {
|
|
expError: "Must set EnableIAMEntityDetails=true to use wildcards in BoundIAMPrincipalARNs",
|
|
configs: []Config{
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*"}},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/path/*"}},
|
|
},
|
|
},
|
|
"only one wildcard suffix is allowed": {
|
|
expError: "Only one wildcard is allowed at the end of the bound IAM principal ARN",
|
|
configs: []Config{
|
|
{
|
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/**"},
|
|
EnableIAMEntityDetails: true,
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/*"},
|
|
EnableIAMEntityDetails: true,
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/path"},
|
|
EnableIAMEntityDetails: true,
|
|
},
|
|
{
|
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/path/*"},
|
|
EnableIAMEntityDetails: true,
|
|
},
|
|
},
|
|
},
|
|
"invalid principal arns are disallowed": {
|
|
expError: fmt.Sprintf("Invalid principal ARN"),
|
|
configs: []Config{
|
|
{BoundIAMPrincipalARNs: []string{""}},
|
|
{BoundIAMPrincipalARNs: []string{" "}},
|
|
{BoundIAMPrincipalARNs: []string{"*"}, EnableIAMEntityDetails: true},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam:role/my-role"}},
|
|
},
|
|
},
|
|
"valid principal arns are allowed": {
|
|
includeHeaderNames: true,
|
|
configs: []Config{
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:sts::000000000000:assumed-role/my-role/some-session-name"}},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/my-user"}},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/my-role"}},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:*"}, EnableIAMEntityDetails: true},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*"}, EnableIAMEntityDetails: true},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/path/*"}, EnableIAMEntityDetails: true},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/*"}, EnableIAMEntityDetails: true},
|
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/path/*"}, EnableIAMEntityDetails: true},
|
|
},
|
|
},
|
|
"server id header value requires service id header name": {
|
|
expError: "Must set ServerIDHeaderName to use a server ID value",
|
|
configs: []Config{
|
|
{
|
|
BoundIAMPrincipalARNs: []string{principalArn},
|
|
ServerIDHeaderValue: "consul.test.example.com",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
for name, c := range cases {
|
|
t.Run(name, func(t *testing.T) {
|
|
for _, conf := range c.configs {
|
|
if c.includeHeaderNames {
|
|
setTestHeaderNames(&conf)
|
|
}
|
|
err := conf.Validate()
|
|
if c.expError != "" {
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), c.expError)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func setTestHeaderNames(conf *Config) {
|
|
conf.GetEntityMethodHeader = "X-Test-Method"
|
|
conf.GetEntityURLHeader = "X-Test-URL"
|
|
conf.GetEntityHeadersHeader = "X-Test-Headers"
|
|
conf.GetEntityBodyHeader = "X-Test-Body"
|
|
}
|