luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/proxycfg-glue/trust_bundle_test.go

404 lines
12 KiB
Go
Raw Normal View History

proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
package proxycfgglue
import (
"context"
"testing"
Implement/Utilize secrets for Peering Replication Stream (#13977)
2022-08-01 14:33:18 +00:00
"github.com/stretchr/testify/require"
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
"github.com/hashicorp/consul/acl"
Add ACL enforcement to peering endpoints
2022-07-12 23:18:05 +00:00
cachetype "github.com/hashicorp/consul/agent/cache-types"
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
"github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/proxycfg"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/lib"
"github.com/hashicorp/consul/proto/pbpeering"
"github.com/hashicorp/consul/sdk/testutil"
)
func TestServerTrustBundle(t *testing.T) {
const (
index uint64 = 123
peerName = "peer1"
)
store := state.NewStateStore(nil)
fix: persist peering CA updates to dialing clusters (#15243) fix: persist peering CA updates to dialing clusters
2022-11-04 16:53:20 +00:00
// Peering must exist for ptb write to succeed
require.NoError(t, store.PeeringWrite(index-1, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: peerName,
ID: "2ae8c79e-242e-4f4a-afd6-9aede8831c5f",
},
}))
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: peerName,
TrustDomain: "before.com",
}))
dataSource := ServerTrustBundle(ServerDataSourceDeps{
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(acl.ManageAll()),
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
})
eventCh := make(chan proxycfg.UpdateEvent)
Add ACL enforcement to peering endpoints
2022-07-12 23:18:05 +00:00
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleReadRequest{
Request: &pbpeering.TrustBundleReadRequest{
Name: peerName,
},
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
}, "", eventCh)
require.NoError(t, err)
testutil.RunStep(t, "initial state", func(t *testing.T) {
result := getEventResult[*pbpeering.TrustBundleReadResponse](t, eventCh)
require.Equal(t, "before.com", result.Bundle.TrustDomain)
})
testutil.RunStep(t, "update trust bundle", func(t *testing.T) {
require.NoError(t, store.PeeringTrustBundleWrite(index+1, &pbpeering.PeeringTrustBundle{
PeerName: peerName,
TrustDomain: "after.com",
}))
result := getEventResult[*pbpeering.TrustBundleReadResponse](t, eventCh)
require.Equal(t, "after.com", result.Bundle.TrustDomain)
})
}
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
func TestServerTrustBundle_ACLEnforcement(t *testing.T) {
const (
index uint64 = 123
peerName = "peer1"
)
store := state.NewStateStore(nil)
fix: persist peering CA updates to dialing clusters (#15243) fix: persist peering CA updates to dialing clusters
2022-11-04 16:53:20 +00:00
// Peering must exist for ptb write to succeed
require.NoError(t, store.PeeringWrite(index-1, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: peerName,
ID: "2ae8c79e-242e-4f4a-afd6-9aede8831c5f",
},
}))
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: peerName,
TrustDomain: "before.com",
}))
testutil.RunStep(t, "can read", func(t *testing.T) {
authz := policyAuthorizer(t, `
service "web" { policy = "write" }`)
dataSource := ServerTrustBundle(ServerDataSourceDeps{
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authz),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleReadRequest{
Request: &pbpeering.TrustBundleReadRequest{
Name: peerName,
},
}, "", eventCh)
require.NoError(t, err)
result := getEventResult[*pbpeering.TrustBundleReadResponse](t, eventCh)
require.Equal(t, "before.com", result.Bundle.TrustDomain)
})
testutil.RunStep(t, "can't read", func(t *testing.T) {
authz := policyAuthorizer(t, ``)
dataSource := ServerTrustBundle(ServerDataSourceDeps{
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authz),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleReadRequest{
Request: &pbpeering.TrustBundleReadRequest{
Name: peerName,
},
}, "", eventCh)
require.NoError(t, err)
err = getEventError(t, eventCh)
require.Contains(t, err.Error(), "provided token lacks permission 'service:write' on \"any service\"")
})
}
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
func TestServerTrustBundleList(t *testing.T) {
const index uint64 = 123
t.Run("list by service", func(t *testing.T) {
const (
serviceName = "web"
us = "default"
them = "peer2"
)
store := state.NewStateStore(nil)
require.NoError(t, store.CASetConfig(index, &structs.CAConfiguration{ClusterID: "cluster-id"}))
testutil.RunStep(t, "export service to peer", func(t *testing.T) {
Implement/Utilize secrets for Peering Replication Stream (#13977)
2022-08-01 14:33:18 +00:00
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
ID: testUUID(t),
Name: them,
State: pbpeering.PeeringState_ACTIVE,
},
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
}))
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: them,
}))
require.NoError(t, store.EnsureConfigEntry(index, &structs.ExportedServicesConfigEntry{
Name: us,
Services: []structs.ExportedService{
{
Name: serviceName,
Consumers: []structs.ServiceConsumer{
Rename `PeerName` to `Peer` on prepared queries and exported services (#14854)
2022-10-04 18:46:15 +00:00
{Peer: them},
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
},
},
},
}))
})
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
Datacenter: "dc1",
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(acl.ManageAll()),
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
})
eventCh := make(chan proxycfg.UpdateEvent)
Add ACL enforcement to peering endpoints
2022-07-12 23:18:05 +00:00
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
ServiceName: serviceName,
Partition: us,
},
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
}, "", eventCh)
require.NoError(t, err)
testutil.RunStep(t, "initial state", func(t *testing.T) {
result := getEventResult[*pbpeering.TrustBundleListByServiceResponse](t, eventCh)
require.Len(t, result.Bundles, 1)
})
testutil.RunStep(t, "unexport the service", func(t *testing.T) {
require.NoError(t, store.EnsureConfigEntry(index+1, &structs.ExportedServicesConfigEntry{
Name: us,
Services: []structs.ExportedService{},
}))
result := getEventResult[*pbpeering.TrustBundleListByServiceResponse](t, eventCh)
require.Len(t, result.Bundles, 0)
})
})
t.Run("list for mesh gateway", func(t *testing.T) {
store := state.NewStateStore(nil)
require.NoError(t, store.CASetConfig(index, &structs.CAConfiguration{ClusterID: "cluster-id"}))
fix: persist peering CA updates to dialing clusters (#15243) fix: persist peering CA updates to dialing clusters
2022-11-04 16:53:20 +00:00
// Peering must exist for ptb write to succeed
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: "peer1",
ID: "2ae8c79e-242e-4f4a-afd6-9aede8831c5f",
},
}))
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: "peer2",
ID: "e69f14e3-f253-43bc-bdbe-888994ca4f81",
},
}))
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: "peer1",
}))
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: "peer2",
}))
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(acl.ManageAll()),
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
})
eventCh := make(chan proxycfg.UpdateEvent)
Add ACL enforcement to peering endpoints
2022-07-12 23:18:05 +00:00
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
Kind: string(structs.ServiceKindMeshGateway),
Partition: "default",
},
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
}, "", eventCh)
require.NoError(t, err)
result := getEventResult[*pbpeering.TrustBundleListByServiceResponse](t, eventCh)
require.Len(t, result.Bundles, 2)
})
}
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
func TestServerTrustBundleList_ACLEnforcement(t *testing.T) {
const index uint64 = 123
var (
authzWriteWeb = policyAuthorizer(t, `service "web" { policy = "write" }`)
authzWriteAll = policyAuthorizer(t, `service "" { policy = "write" }`)
authzNothing = policyAuthorizer(t, ``)
)
t.Run("ACL enforcement: list by service", func(t *testing.T) {
const (
serviceName = "web"
us = "default"
them = "peer2"
)
store := state.NewStateStore(nil)
require.NoError(t, store.CASetConfig(index, &structs.CAConfiguration{ClusterID: "cluster-id"}))
testutil.RunStep(t, "export service to peer", func(t *testing.T) {
Implement/Utilize secrets for Peering Replication Stream (#13977)
2022-08-01 14:33:18 +00:00
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
ID: testUUID(t),
Name: them,
State: pbpeering.PeeringState_ACTIVE,
},
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
}))
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: them,
}))
require.NoError(t, store.EnsureConfigEntry(index, &structs.ExportedServicesConfigEntry{
Name: us,
Services: []structs.ExportedService{
{
Name: serviceName,
Consumers: []structs.ServiceConsumer{
Rename `PeerName` to `Peer` on prepared queries and exported services (#14854)
2022-10-04 18:46:15 +00:00
{Peer: them},
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
},
},
},
}))
})
testutil.RunStep(t, "can read", func(t *testing.T) {
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
Datacenter: "dc1",
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authzWriteWeb),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
ServiceName: serviceName,
Partition: us,
},
}, "", eventCh)
require.NoError(t, err)
result := getEventResult[*pbpeering.TrustBundleListByServiceResponse](t, eventCh)
require.Len(t, result.Bundles, 1)
})
testutil.RunStep(t, "can't read", func(t *testing.T) {
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
Datacenter: "dc1",
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authzNothing),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
ServiceName: serviceName,
Partition: us,
},
}, "", eventCh)
require.NoError(t, err)
err = getEventError(t, eventCh)
require.Contains(t, err.Error(), "provided token lacks permission 'service:write' on \"web\"")
})
})
t.Run("ACL Enforcement: list for mesh gateway", func(t *testing.T) {
store := state.NewStateStore(nil)
require.NoError(t, store.CASetConfig(index, &structs.CAConfiguration{ClusterID: "cluster-id"}))
fix: persist peering CA updates to dialing clusters (#15243) fix: persist peering CA updates to dialing clusters
2022-11-04 16:53:20 +00:00
// Peering must exist for ptb write to succeed
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: "peer1",
ID: "2ae8c79e-242e-4f4a-afd6-9aede8831c5f",
},
}))
require.NoError(t, store.PeeringWrite(index, &pbpeering.PeeringWriteRequest{
Peering: &pbpeering.Peering{
Name: "peer2",
ID: "e69f14e3-f253-43bc-bdbe-888994ca4f81",
},
}))
sync more acl enforcement sync w ent at 32756f7 Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
2022-07-28 19:01:52 +00:00
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: "peer1",
}))
require.NoError(t, store.PeeringTrustBundleWrite(index, &pbpeering.PeeringTrustBundle{
PeerName: "peer2",
}))
testutil.RunStep(t, "can read", func(t *testing.T) {
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
Datacenter: "dc1",
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authzWriteAll),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
Kind: string(structs.ServiceKindMeshGateway),
Partition: "default",
},
}, "", eventCh)
require.NoError(t, err)
result := getEventResult[*pbpeering.TrustBundleListByServiceResponse](t, eventCh)
require.Len(t, result.Bundles, 2)
})
testutil.RunStep(t, "can't read", func(t *testing.T) {
dataSource := ServerTrustBundleList(ServerDataSourceDeps{
Datacenter: "dc1",
GetStore: func() Store { return store },
ACLResolver: newStaticResolver(authzNothing),
})
eventCh := make(chan proxycfg.UpdateEvent)
err := dataSource.Notify(context.Background(), &cachetype.TrustBundleListRequest{
Request: &pbpeering.TrustBundleListByServiceRequest{
Kind: string(structs.ServiceKindMeshGateway),
Partition: "default",
},
}, "", eventCh)
require.NoError(t, err)
err = getEventError(t, eventCh)
require.Contains(t, err.Error(), "provided token lacks permission 'service:write'")
})
})
}
proxycfg-glue: server-local implementation of `TrustBundle` and `TrustBundleList` This is the OSS portion of enterprise PR 2250. This PR provides server-local implementations of the proxycfg.TrustBundle and proxycfg.TrustBundleList interfaces, based on local blocking queries.
2022-07-12 10:39:27 +00:00
func testUUID(t *testing.T) string {
v, err := lib.GenerateUUID(nil)
require.NoError(t, err)
return v
}