open-consul/agent/consul/acl_token_exp_test.go

package consul

import (
	"os"
	"testing"
	"time"

	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/testrpc"
	"github.com/stretchr/testify/require"
)

func TestACLTokenReap_Primary(t *testing.T) {
	if testing.Short() {
		t.Skip("too slow for testing.Short")
	}

	t.Parallel()

	t.Run("global", func(t *testing.T) {
		t.Parallel()
		testACLTokenReap_Primary(t, false, true)
	})
	t.Run("local", func(t *testing.T) {
		t.Parallel()
		testACLTokenReap_Primary(t, true, false)
	})
}

func testACLTokenReap_Primary(t *testing.T, local, global bool) {
	// -------------------------------------------
	// A word of caution when testing reapExpiredACLTokens():
	//
	// The underlying memdb index used for reaping has a minimum granularity of
	// 1 second as it delegates to `time.Unix()`. This test will have to be
	// deliberately slow to allow for necessary sleeps.  If you try to make it
	// operate faster (using expiration ttls of milliseconds) it will be flaky.
	// -------------------------------------------

	t.Helper()
	require.NotEqual(t, local, global)

	dir1, s1 := testServerWithConfig(t, func(c *Config) {
		c.ACLDatacenter = "dc1"
		c.ACLsEnabled = true
		c.ACLMasterToken = "root"
		c.ACLTokenMinExpirationTTL = 10 * time.Millisecond
		c.ACLTokenMaxExpirationTTL = 8 * time.Second
	})
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()

	testrpc.WaitForLeader(t, s1.RPC, "dc1")

	codec := rpcClient(t, s1)
	defer codec.Close()

	acl := ACL{srv: s1}

	masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")
	require.NoError(t, err)

	listTokens := func() (localTokens, globalTokens []string, err error) {
		req := structs.ACLTokenListRequest{
			Datacenter:   "dc1",
			QueryOptions: structs.QueryOptions{Token: "root"},
		}

		var res structs.ACLTokenListResponse
		err = acl.TokenList(&req, &res)
		if err != nil {
			return nil, nil, err
		}

		for _, tok := range res.Tokens {
			if tok.Local {
				localTokens = append(localTokens, tok.AccessorID)
			} else {
				globalTokens = append(globalTokens, tok.AccessorID)
			}
		}

		return localTokens, globalTokens, nil
	}

	requireTokenMatch := func(t *testing.T, expect []string) {
		t.Helper()

		var expectLocal, expectGlobal []string
		// The master token and the anonymous token are always going to be
		// present and global.
		expectGlobal = append(expectGlobal, masterTokenAccessorID)
		expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)

		if local {
			expectLocal = append(expectLocal, expect...)
		} else {
			expectGlobal = append(expectGlobal, expect...)
		}

		localTokens, globalTokens, err := listTokens()
		require.NoError(t, err)
		require.ElementsMatch(t, expectLocal, localTokens)
		require.ElementsMatch(t, expectGlobal, globalTokens)
	}

	// initial sanity check
	requireTokenMatch(t, []string{})

	t.Run("no tokens", func(t *testing.T) {
		n, err := s1.reapExpiredACLTokens(local, global)
		require.NoError(t, err)
		require.Equal(t, 0, n)

		requireTokenMatch(t, []string{})
	})

	// 2 normal
	token1, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.Local = local
	})
	require.NoError(t, err)
	token2, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.Local = local
	})
	require.NoError(t, err)

	requireTokenMatch(t, []string{
		token1.AccessorID,
		token2.AccessorID,
	})

	t.Run("only normal tokens", func(t *testing.T) {
		n, err := s1.reapExpiredACLTokens(local, global)
		require.NoError(t, err)
		require.Equal(t, 0, n)

		requireTokenMatch(t, []string{
			token1.AccessorID,
			token2.AccessorID,
		})
	})

	// 2 expiring
	token3, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.ExpirationTTL = 1 * time.Second
		token.Local = local
	})
	require.NoError(t, err)
	token4, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.ExpirationTTL = 5 * time.Second
		token.Local = local
	})
	require.NoError(t, err)

	// 2 more normal
	token5, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.Local = local
	})
	require.NoError(t, err)
	token6, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {
		token.Local = local
	})
	require.NoError(t, err)

	requireTokenMatch(t, []string{
		token1.AccessorID,
		token2.AccessorID,
		token3.AccessorID,
		token4.AccessorID,
		token5.AccessorID,
		token6.AccessorID,
	})

	t.Run("mixed but nothing expired yet", func(t *testing.T) {
		n, err := s1.reapExpiredACLTokens(local, global)
		require.NoError(t, err)
		require.Equal(t, 0, n)

		requireTokenMatch(t, []string{
			token1.AccessorID,
			token2.AccessorID,
			token3.AccessorID,
			token4.AccessorID,
			token5.AccessorID,
			token6.AccessorID,
		})
	})

	time.Sleep(token3.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)

	t.Run("one should be reaped", func(t *testing.T) {
		n, err := s1.reapExpiredACLTokens(local, global)
		require.NoError(t, err)
		require.Equal(t, 1, n)

		requireTokenMatch(t, []string{
			token1.AccessorID,
			token2.AccessorID,
			// token3.AccessorID,
			token4.AccessorID,
			token5.AccessorID,
			token6.AccessorID,
		})
	})

	time.Sleep(token4.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)

	t.Run("two should be reaped", func(t *testing.T) {
		n, err := s1.reapExpiredACLTokens(local, global)
		require.NoError(t, err)
		require.Equal(t, 1, n)

		requireTokenMatch(t, []string{
			token1.AccessorID,
			token2.AccessorID,
			// token3.AccessorID,
			// token4.AccessorID,
			token5.AccessorID,
			token6.AccessorID,
		})
	})
}
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`package consul`

			`import (`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/testrpc"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestACLTokenReap_Primary(t *testing.T) {`
testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ``` 2020-12-07 18:42:55 +00:00			`if testing.Short() {`
			`t.Skip("too slow for testing.Short")`
			`}`

acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00			`t.Parallel()`

			`t.Run("global", func(t *testing.T) {`
			`t.Parallel()`
			`testACLTokenReap_Primary(t, false, true)`
			`})`
			`t.Run("local", func(t *testing.T) {`
			`t.Parallel()`
			`testACLTokenReap_Primary(t, true, false)`
			`})`
			`}`

			`func testACLTokenReap_Primary(t *testing.T, local, global bool) {`
			`// -------------------------------------------`
			`// A word of caution when testing reapExpiredACLTokens():`
			`//`
			`// The underlying memdb index used for reaping has a minimum granularity of`
			// 1 second as it delegates to `time.Unix()`. This test will have to be
			`// deliberately slow to allow for necessary sleeps. If you try to make it`
			`// operate faster (using expiration ttls of milliseconds) it will be flaky.`
			`// -------------------------------------------`

			`t.Helper()`
			`require.NotEqual(t, local, global)`

			`dir1, s1 := testServerWithConfig(t, func(c *Config) {`
			`c.ACLDatacenter = "dc1"`
			`c.ACLsEnabled = true`
			`c.ACLMasterToken = "root"`
			`c.ACLTokenMinExpirationTTL = 10 * time.Millisecond`
			`c.ACLTokenMaxExpirationTTL = 8 * time.Second`
			`})`
			`defer os.RemoveAll(dir1)`
			`defer s1.Shutdown()`

			`testrpc.WaitForLeader(t, s1.RPC, "dc1")`

			`codec := rpcClient(t, s1)`
			`defer codec.Close()`

acl: adding support for kubernetes auth provider login (#5600) * auth providers * binding rules * auth provider for kubernetes * login/logout 2019-04-26 17:49:28 +00:00			`acl := ACL{srv: s1}`
acl: tokens can be created with an optional expiration time (#5353) 2019-04-08 17:05:51 +00:00
			`masterTokenAccessorID, err := retrieveTestTokenAccessorForSecret(codec, "root", "dc1", "root")`
			`require.NoError(t, err)`

			`listTokens := func() (localTokens, globalTokens []string, err error) {`
			`req := structs.ACLTokenListRequest{`
			`Datacenter: "dc1",`
			`QueryOptions: structs.QueryOptions{Token: "root"},`
			`}`

			`var res structs.ACLTokenListResponse`
			`err = acl.TokenList(&req, &res)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`for _, tok := range res.Tokens {`
			`if tok.Local {`
			`localTokens = append(localTokens, tok.AccessorID)`
			`} else {`
			`globalTokens = append(globalTokens, tok.AccessorID)`
			`}`
			`}`

			`return localTokens, globalTokens, nil`
			`}`

			`requireTokenMatch := func(t *testing.T, expect []string) {`
			`t.Helper()`

			`var expectLocal, expectGlobal []string`
			`// The master token and the anonymous token are always going to be`
			`// present and global.`
			`expectGlobal = append(expectGlobal, masterTokenAccessorID)`
			`expectGlobal = append(expectGlobal, structs.ACLTokenAnonymousID)`

			`if local {`
			`expectLocal = append(expectLocal, expect...)`
			`} else {`
			`expectGlobal = append(expectGlobal, expect...)`
			`}`

			`localTokens, globalTokens, err := listTokens()`
			`require.NoError(t, err)`
			`require.ElementsMatch(t, expectLocal, localTokens)`
			`require.ElementsMatch(t, expectGlobal, globalTokens)`
			`}`

			`// initial sanity check`
			`requireTokenMatch(t, []string{})`

			`t.Run("no tokens", func(t *testing.T) {`
			`n, err := s1.reapExpiredACLTokens(local, global)`
			`require.NoError(t, err)`
			`require.Equal(t, 0, n)`

			`requireTokenMatch(t, []string{})`
			`})`

			`// 2 normal`
			`token1, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`
			`token2, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`})`

			`t.Run("only normal tokens", func(t *testing.T) {`
			`n, err := s1.reapExpiredACLTokens(local, global)`
			`require.NoError(t, err)`
			`require.Equal(t, 0, n)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`})`
			`})`

			`// 2 expiring`
			`token3, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.ExpirationTTL = 1 * time.Second`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`
			`token4, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.ExpirationTTL = 5 * time.Second`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`

			`// 2 more normal`
			`token5, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`
			`token6, err := upsertTestToken(codec, "root", "dc1", func(token *structs.ACLToken) {`
			`token.Local = local`
			`})`
			`require.NoError(t, err)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`token3.AccessorID,`
			`token4.AccessorID,`
			`token5.AccessorID,`
			`token6.AccessorID,`
			`})`

			`t.Run("mixed but nothing expired yet", func(t *testing.T) {`
			`n, err := s1.reapExpiredACLTokens(local, global)`
			`require.NoError(t, err)`
			`require.Equal(t, 0, n)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`token3.AccessorID,`
			`token4.AccessorID,`
			`token5.AccessorID,`
			`token6.AccessorID,`
			`})`
			`})`

			`time.Sleep(token3.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)`

			`t.Run("one should be reaped", func(t *testing.T) {`
			`n, err := s1.reapExpiredACLTokens(local, global)`
			`require.NoError(t, err)`
			`require.Equal(t, 1, n)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`// token3.AccessorID,`
			`token4.AccessorID,`
			`token5.AccessorID,`
			`token6.AccessorID,`
			`})`
			`})`

			`time.Sleep(token4.ExpirationTime.Sub(time.Now()) + 10*time.Millisecond)`

			`t.Run("two should be reaped", func(t *testing.T) {`
			`n, err := s1.reapExpiredACLTokens(local, global)`
			`require.NoError(t, err)`
			`require.Equal(t, 1, n)`

			`requireTokenMatch(t, []string{`
			`token1.AccessorID,`
			`token2.AccessorID,`
			`// token3.AccessorID,`
			`// token4.AccessorID,`
			`token5.AccessorID,`
			`token6.AccessorID,`
			`})`
			`})`
			`}`