open-consul/acl/cache_test.go

package acl

import (
	"testing"
)

func TestCache_GetPolicy(t *testing.T) {
	c, err := NewCache(2, nil, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	p, err := c.GetPolicy("")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Should get the same policy
	p1, err := c.GetPolicy("")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p != p1 {
		t.Fatalf("should be cached")
	}

	// Work with some new policies to evict the original one
	_, err = c.GetPolicy(testSimplePolicy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetPolicy(testSimplePolicy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetPolicy(testSimplePolicy2)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetPolicy(testSimplePolicy2)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Test invalidation of p
	p3, err := c.GetPolicy("")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p == p3 {
		t.Fatalf("should be not cached")
	}
}

func TestCache_GetACL(t *testing.T) {
	policies := map[string]string{
		"foo": testSimplePolicy,
		"bar": testSimplePolicy2,
		"baz": testSimplePolicy3,
	}
	faultfn := func(id string) (string, string, error) {
		return "deny", policies[id], nil
	}

	c, err := NewCache(2, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl.KeyRead("bar/test") {
		t.Fatalf("should deny")
	}
	if !acl.KeyRead("foo/test") {
		t.Fatalf("should allow")
	}

	acl2, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl != acl2 {
		t.Fatalf("should be cached")
	}

	// Invalidate cache
	_, err = c.GetACL("bar")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetACL("bar")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetACL("baz")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	_, err = c.GetACL("baz")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl3, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl == acl3 {
		t.Fatalf("should not be cached")
	}
}

func TestCache_ClearACL(t *testing.T) {
	policies := map[string]string{
		"foo": testSimplePolicy,
		"bar": testSimplePolicy,
	}
	faultfn := func(id string) (string, string, error) {
		return "deny", policies[id], nil
	}

	c, err := NewCache(16, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Nuke the cache
	c.ClearACL("foo")

	// Clear the policy cache
	c.policyCache.Purge()

	acl2, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl == acl2 {
		t.Fatalf("should not be cached")
	}
}

func TestCache_Purge(t *testing.T) {
	policies := map[string]string{
		"foo": testSimplePolicy,
		"bar": testSimplePolicy,
	}
	faultfn := func(id string) (string, string, error) {
		return "deny", policies[id], nil
	}

	c, err := NewCache(16, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Nuke the cache
	c.Purge()
	c.policyCache.Purge()

	acl2, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl == acl2 {
		t.Fatalf("should not be cached")
	}
}

func TestCache_GetACLPolicy(t *testing.T) {
	policies := map[string]string{
		"foo": testSimplePolicy,
		"bar": testSimplePolicy,
	}
	faultfn := func(id string) (string, string, error) {
		return "deny", policies[id], nil
	}
	c, err := NewCache(16, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	p, err := c.GetPolicy(testSimplePolicy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	_, err = c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	parent, p2, err := c.GetACLPolicy("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if parent != "deny" {
		t.Fatalf("bad: %v", parent)
	}

	if p2 != p {
		t.Fatalf("expected cached policy")
	}

	parent, p3, err := c.GetACLPolicy("bar")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if parent != "deny" {
		t.Fatalf("bad: %v", parent)
	}

	if p3 != p {
		t.Fatalf("expected cached policy")
	}
}

func TestCache_GetACL_Parent(t *testing.T) {
	faultfn := func(id string) (string, string, error) {
		switch id {
		case "foo":
			// Foo inherits from bar
			return "bar", testSimplePolicy, nil
		case "bar":
			return "deny", testSimplePolicy2, nil
		}
		t.Fatalf("bad case")
		return "", "", nil
	}

	c, err := NewCache(16, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if !acl.KeyRead("bar/test") {
		t.Fatalf("should allow")
	}
	if !acl.KeyRead("foo/test") {
		t.Fatalf("should allow")
	}
}

func TestCache_GetACL_ParentCache(t *testing.T) {
	// Same rules, different parent
	faultfn := func(id string) (string, string, error) {
		switch id {
		case "foo":
			return "allow", testSimplePolicy, nil
		case "bar":
			return "deny", testSimplePolicy, nil
		}
		t.Fatalf("bad case")
		return "", "", nil
	}

	c, err := NewCache(16, faultfn, nil)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := c.GetACL("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if !acl.KeyRead("bar/test") {
		t.Fatalf("should allow")
	}
	if !acl.KeyRead("foo/test") {
		t.Fatalf("should allow")
	}

	acl2, err := c.GetACL("bar")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if acl == acl2 {
		t.Fatalf("should not match")
	}

	if acl2.KeyRead("bar/test") {
		t.Fatalf("should not allow")
	}
	if !acl2.KeyRead("foo/test") {
		t.Fatalf("should allow")
	}
}

var testSimplePolicy = `
key "foo/" {
	policy = "read"
}
`

var testSimplePolicy2 = `
key "bar/" {
	policy = "read"
}
`
var testSimplePolicy3 = `
key "baz/" {
	policy = "read"
}
`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`package acl`

			`import (`
			`"testing"`
			`)`

			`func TestCache_GetPolicy(t *testing.T) {`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(2, nil, nil)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`p, err := c.GetPolicy("")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Should get the same policy`
			`p1, err := c.GetPolicy("")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p != p1 {`
			`t.Fatalf("should be cached")`
			`}`

Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			`// Work with some new policies to evict the original one`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`_, err = c.GetPolicy(testSimplePolicy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			`_, err = c.GetPolicy(testSimplePolicy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`_, err = c.GetPolicy(testSimplePolicy2)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`_, err = c.GetPolicy(testSimplePolicy2)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00
			`// Test invalidation of p`
			`p3, err := c.GetPolicy("")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p == p3 {`
			`t.Fatalf("should be not cached")`
			`}`
			`}`

			`func TestCache_GetACL(t *testing.T) {`
			`policies := map[string]string{`
			`"foo": testSimplePolicy,`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`"bar": testSimplePolicy2,`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			`"baz": testSimplePolicy3,`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`faultfn := func(id string) (string, string, error) {`
			`return "deny", policies[id], nil`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(2, faultfn, nil)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl.KeyRead("bar/test") {`
			`t.Fatalf("should deny")`
			`}`
			`if !acl.KeyRead("foo/test") {`
			`t.Fatalf("should allow")`
			`}`

			`acl2, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl != acl2 {`
			`t.Fatalf("should be cached")`
			`}`

			`// Invalidate cache`
			`_, err = c.GetACL("bar")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			`_, err = c.GetACL("bar")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`_, err = c.GetACL("baz")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`_, err = c.GetACL("baz")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00
			`acl3, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl == acl3 {`
			`t.Fatalf("should not be cached")`
			`}`
			`}`

			`func TestCache_ClearACL(t *testing.T) {`
			`policies := map[string]string{`
			`"foo": testSimplePolicy,`
			`"bar": testSimplePolicy,`
			`}`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`faultfn := func(id string) (string, string, error) {`
			`return "deny", policies[id], nil`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(16, faultfn, nil)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Nuke the cache`
			`c.ClearACL("foo")`

acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`// Clear the policy cache`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`c.policyCache.Purge()`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`acl2, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl == acl2 {`
			`t.Fatalf("should not be cached")`
			`}`
			`}`

acl: Adding cache purging 2014-08-09 00:44:23 +00:00			`func TestCache_Purge(t *testing.T) {`
			`policies := map[string]string{`
			`"foo": testSimplePolicy,`
			`"bar": testSimplePolicy,`
			`}`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`faultfn := func(id string) (string, string, error) {`
			`return "deny", policies[id], nil`
acl: Adding cache purging 2014-08-09 00:44:23 +00:00			`}`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(16, faultfn, nil)`
acl: Adding cache purging 2014-08-09 00:44:23 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Nuke the cache`
			`c.Purge()`
			`c.policyCache.Purge()`

			`acl2, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl == acl2 {`
			`t.Fatalf("should not be cached")`
			`}`
			`}`

acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`func TestCache_GetACLPolicy(t *testing.T) {`
			`policies := map[string]string{`
			`"foo": testSimplePolicy,`
			`"bar": testSimplePolicy,`
			`}`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`faultfn := func(id string) (string, string, error) {`
			`return "deny", policies[id], nil`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`}`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(16, faultfn, nil)`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`p, err := c.GetPolicy(testSimplePolicy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`_, err = c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`parent, p2, err := c.GetACLPolicy("foo")`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`if parent != "deny" {`
			`t.Fatalf("bad: %v", parent)`
			`}`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00
			`if p2 != p {`
			`t.Fatalf("expected cached policy")`
			`}`

acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`parent, p3, err := c.GetACLPolicy("bar")`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`if parent != "deny" {`
			`t.Fatalf("bad: %v", parent)`
			`}`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00
			`if p3 != p {`
			`t.Fatalf("expected cached policy")`
			`}`
			`}`

acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`func TestCache_GetACL_Parent(t *testing.T) {`
			`faultfn := func(id string) (string, string, error) {`
			`switch id {`
			`case "foo":`
			`// Foo inherits from bar`
			`return "bar", testSimplePolicy, nil`
			`case "bar":`
			`return "deny", testSimplePolicy2, nil`
			`}`
			`t.Fatalf("bad case")`
			`return "", "", nil`
			`}`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(16, faultfn, nil)`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if !acl.KeyRead("bar/test") {`
			`t.Fatalf("should allow")`
			`}`
			`if !acl.KeyRead("foo/test") {`
			`t.Fatalf("should allow")`
			`}`
			`}`

acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`func TestCache_GetACL_ParentCache(t *testing.T) {`
			`// Same rules, different parent`
			`faultfn := func(id string) (string, string, error) {`
			`switch id {`
			`case "foo":`
			`return "allow", testSimplePolicy, nil`
			`case "bar":`
			`return "deny", testSimplePolicy, nil`
			`}`
			`t.Fatalf("bad case")`
			`return "", "", nil`
			`}`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`c, err := NewCache(16, faultfn, nil)`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := c.GetACL("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if !acl.KeyRead("bar/test") {`
			`t.Fatalf("should allow")`
			`}`
			`if !acl.KeyRead("foo/test") {`
			`t.Fatalf("should allow")`
			`}`

			`acl2, err := c.GetACL("bar")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if acl == acl2 {`
			`t.Fatalf("should not match")`
			`}`

			`if acl2.KeyRead("bar/test") {`
			`t.Fatalf("should not allow")`
			`}`
			`if !acl2.KeyRead("foo/test") {`
			`t.Fatalf("should allow")`
			`}`
			`}`

acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			var testSimplePolicy = `
			`key "foo/" {`
			`policy = "read"`
			`}`
			`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00
			var testSimplePolicy2 = `
			`key "bar/" {`
			`policy = "read"`
			`}`
			`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			var testSimplePolicy3 = `
			`key "baz/" {`
			`policy = "read"`
			`}`
			`