luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/acl/authorizer_test.go

472 lines
8.6 KiB
Go
Raw Normal View History

Add copyright headers for acl, api and bench folders (#16706) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files * copyright headers for agent folder * fix merge conflicts * copyright headers for agent folder * Ignore test data files * fix proto files * ignore agent/uiserver folder for now * copyright headers for agent folder * Add copyright headers for acl, api and bench folders
2023-03-28 20:12:41 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
package acl
import (
"fmt"
"testing"
"github.com/stretchr/testify/require"
)
func TestACL_Enforce(t *testing.T) {
type testCase struct {
method string
resource Resource
segment string
access string
ret EnforcementDecision
err string
}
testName := func(t testCase) string {
if t.segment != "" {
return fmt.Sprintf("%s/%s/%s/%s", t.resource, t.segment, t.access, t.ret.String())
}
return fmt.Sprintf("%s/%s/%s", t.resource, t.access, t.ret.String())
}
cases := []testCase{
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ACLRead",
resource: ResourceACL,
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ACLRead",
resource: ResourceACL,
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ACLWrite",
resource: ResourceACL,
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ACLWrite",
resource: ResourceACL,
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceACL,
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "OperatorRead",
resource: ResourceOperator,
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "OperatorRead",
resource: ResourceOperator,
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "OperatorWrite",
resource: ResourceOperator,
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "OperatorWrite",
resource: ResourceOperator,
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceOperator,
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyringRead",
resource: ResourceKeyring,
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyringRead",
resource: ResourceKeyring,
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyringWrite",
resource: ResourceKeyring,
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyringWrite",
resource: ResourceKeyring,
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceKeyring,
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "AgentRead",
resource: ResourceAgent,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "AgentRead",
resource: ResourceAgent,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "AgentWrite",
resource: ResourceAgent,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "AgentWrite",
resource: ResourceAgent,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceAgent,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "EventRead",
resource: ResourceEvent,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "EventRead",
resource: ResourceEvent,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "EventWrite",
resource: ResourceEvent,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "EventWrite",
resource: ResourceEvent,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceEvent,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "IntentionRead",
resource: ResourceIntention,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "IntentionRead",
resource: ResourceIntention,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "IntentionWrite",
resource: ResourceIntention,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "IntentionWrite",
resource: ResourceIntention,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceIntention,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "NodeRead",
resource: ResourceNode,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "NodeRead",
resource: ResourceNode,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "NodeWrite",
resource: ResourceNode,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "NodeWrite",
resource: ResourceNode,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceNode,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646) Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 20:38:17 +00:00
{
[OSS] Add new peering ACL rule (#13848) This commit adds a new ACL rule named "peering" to authorize actions taken against peering-related endpoints. The "peering" rule has several key properties: - It is scoped to a partition, and MUST be defined in the default namespace. - Its access level must be "read', "write", or "deny". - Granting an access level will apply to all peerings. This ACL rule cannot be used to selective grant access to some peerings but not others. - If the peering rule is not specified, we fall back to the "operator" rule and then the default ACL rule.
2022-07-22 20:42:23 +00:00
method: "PeeringRead",
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646) Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 20:38:17 +00:00
resource: ResourcePeering,
access: "read",
ret: Allow,
},
{
[OSS] Add new peering ACL rule (#13848) This commit adds a new ACL rule named "peering" to authorize actions taken against peering-related endpoints. The "peering" rule has several key properties: - It is scoped to a partition, and MUST be defined in the default namespace. - Its access level must be "read', "write", or "deny". - Granting an access level will apply to all peerings. This ACL rule cannot be used to selective grant access to some peerings but not others. - If the peering rule is not specified, we fall back to the "operator" rule and then the default ACL rule.
2022-07-22 20:42:23 +00:00
method: "PeeringRead",
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646) Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 20:38:17 +00:00
resource: ResourcePeering,
access: "read",
ret: Deny,
},
{
[OSS] Add new peering ACL rule (#13848) This commit adds a new ACL rule named "peering" to authorize actions taken against peering-related endpoints. The "peering" rule has several key properties: - It is scoped to a partition, and MUST be defined in the default namespace. - Its access level must be "read', "write", or "deny". - Granting an access level will apply to all peerings. This ACL rule cannot be used to selective grant access to some peerings but not others. - If the peering rule is not specified, we fall back to the "operator" rule and then the default ACL rule.
2022-07-22 20:42:23 +00:00
method: "PeeringWrite",
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646) Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 20:38:17 +00:00
resource: ResourcePeering,
access: "write",
ret: Allow,
},
{
[OSS] Add new peering ACL rule (#13848) This commit adds a new ACL rule named "peering" to authorize actions taken against peering-related endpoints. The "peering" rule has several key properties: - It is scoped to a partition, and MUST be defined in the default namespace. - Its access level must be "read', "write", or "deny". - Granting an access level will apply to all peerings. This ACL rule cannot be used to selective grant access to some peerings but not others. - If the peering rule is not specified, we fall back to the "operator" rule and then the default ACL rule.
2022-07-22 20:42:23 +00:00
method: "PeeringWrite",
Allow the /v1/internal/acl/authorize endpoint to authorize the “peering” resource (#13646) Currently this just checks for operator read. In the near future it will check for peering specific rules once those are implemented.
2022-06-29 20:38:17 +00:00
resource: ResourcePeering,
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "PreparedQueryRead",
resource: ResourceQuery,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "PreparedQueryRead",
resource: ResourceQuery,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "PreparedQueryWrite",
resource: ResourceQuery,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "PreparedQueryWrite",
resource: ResourceQuery,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceQuery,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ServiceRead",
resource: ResourceService,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ServiceRead",
resource: ResourceService,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ServiceWrite",
resource: ResourceService,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "ServiceWrite",
resource: ResourceService,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceSession,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "SessionRead",
resource: ResourceSession,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "SessionRead",
resource: ResourceSession,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "SessionWrite",
resource: ResourceSession,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "SessionWrite",
resource: ResourceSession,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceSession,
segment: "foo",
access: "list",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyRead",
resource: ResourceKey,
segment: "foo",
access: "read",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyRead",
resource: ResourceKey,
segment: "foo",
access: "read",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyWrite",
resource: ResourceKey,
segment: "foo",
access: "write",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyWrite",
resource: ResourceKey,
segment: "foo",
access: "write",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyList",
resource: ResourceKey,
segment: "foo",
access: "list",
ret: Deny,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
method: "KeyList",
resource: ResourceKey,
segment: "foo",
access: "list",
ret: Allow,
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: ResourceKey,
segment: "foo",
access: "deny",
ret: Deny,
err: "Invalid access level",
},
Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'
2020-06-16 17:19:31 +00:00
{
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
resource: "not-a-real-resource",
access: "read",
ret: Deny,
err: "Invalid ACL resource requested:",
},
}
for _, tcase := range cases {
t.Run(testName(tcase), func(t *testing.T) {
Leadership transfer cmd (#14132) * add leadership transfer command * add RPC call test (flaky) * add missing import * add changelog * add command registration * Apply suggestions from code review Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * add the possibility of providing an id to raft leadership transfer. Add few tests. * delete old file from cherry pick * rename changelog filename to PR # * rename changelog and fix import * fix failing test * check for OperatorWrite Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * rename from leader-transfer to transfer-leader * remove version check and add test for operator read * move struct to operator.go * first pass * add code for leader transfer in the grpc backend and tests * wire the http endpoint to the new grpc endpoint * remove the RPC endpoint * remove non needed struct * fix naming * add mog glue to API * fix comment * remove dead code * fix linter error * change package name for proto file * remove error wrapping * fix failing test * add command registration * add grpc service mock tests * fix receiver to be pointer * use defined values Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> * reuse MockAclAuthorizer * add documentation * remove usage of external.TokenFromContext * fix failing tests * fix proto generation * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Apply suggestions from code review * add more context in doc for the reason * Apply suggestions from docs code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * regenerate proto * fix linter errors Co-authored-by: github-team-consul-core <github-team-consul-core@hashicorp.com> Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
2022-11-14 20:35:12 +00:00
m := &MockAuthorizer{}
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
if tcase.err == "" {
Rename EnterpriseAuthorizerContext -> AuthorizerContext
2019-12-18 18:43:24 +00:00
var nilCtx *AuthorizerContext
[Feature] API: Add a internal endpoint to query for ACL authori… (#6888) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.
2019-12-06 14:25:26 +00:00
if tcase.segment != "" {
m.On(tcase.method, tcase.segment, nilCtx).Return(tcase.ret)
} else {
m.On(tcase.method, nilCtx).Return(tcase.ret)
}
}
ret, err := Enforce(m, tcase.resource, tcase.segment, tcase.access, nil)
if tcase.err == "" {
require.NoError(t, err)
} else {
require.Error(t, err)
require.Contains(t, err.Error(), tcase.err)
}
require.Equal(t, tcase.ret, ret)
m.AssertExpectations(t)
})
}
}