2016-08-30 02:09:57 +00:00
|
|
|
package consul
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
2017-09-25 22:27:04 +00:00
|
|
|
"time"
|
2016-08-30 02:09:57 +00:00
|
|
|
|
2021-08-06 22:00:58 +00:00
|
|
|
msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc"
|
|
|
|
"github.com/hashicorp/raft"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
2017-08-23 14:52:48 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2017-07-06 10:34:00 +00:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2019-03-27 12:54:56 +00:00
|
|
|
"github.com/hashicorp/consul/sdk/freeport"
|
2017-04-19 23:00:11 +00:00
|
|
|
"github.com/hashicorp/consul/testrpc"
|
2016-08-30 02:09:57 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestOperator_RaftGetConfiguration(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2016-08-30 02:09:57 +00:00
|
|
|
dir1, s1 := testServer(t)
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2018-12-12 20:09:42 +00:00
|
|
|
testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
|
2016-08-30 02:09:57 +00:00
|
|
|
|
|
|
|
arg := structs.DCSpecificRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
}
|
|
|
|
var reply structs.RaftConfigurationResponse
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "Operator.RaftGetConfiguration", &arg, &reply); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-08-30 18:30:56 +00:00
|
|
|
if len(future.Configuration().Servers) != 1 {
|
|
|
|
t.Fatalf("bad: %v", future.Configuration().Servers)
|
|
|
|
}
|
|
|
|
me := future.Configuration().Servers[0]
|
2016-08-30 02:09:57 +00:00
|
|
|
expected := structs.RaftConfigurationResponse{
|
2016-08-30 18:30:56 +00:00
|
|
|
Servers: []*structs.RaftServer{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2017-09-26 14:34:12 +00:00
|
|
|
ID: me.ID,
|
|
|
|
Node: s1.config.NodeName,
|
|
|
|
Address: me.Address,
|
|
|
|
Leader: true,
|
|
|
|
Voter: true,
|
|
|
|
ProtocolVersion: "3",
|
2016-08-30 18:30:56 +00:00
|
|
|
},
|
2016-08-30 02:09:57 +00:00
|
|
|
},
|
2016-08-30 18:30:56 +00:00
|
|
|
Index: future.Index(),
|
2016-08-30 02:09:57 +00:00
|
|
|
}
|
2020-06-02 16:41:25 +00:00
|
|
|
require.Equal(t, expected, reply)
|
2016-08-30 02:09:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestOperator_RaftGetConfiguration_ACLDeny(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2016-08-30 02:09:57 +00:00
|
|
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
2021-08-06 22:00:58 +00:00
|
|
|
c.PrimaryDatacenter = "dc1"
|
2018-10-19 16:04:07 +00:00
|
|
|
c.ACLsEnabled = true
|
2016-08-30 02:09:57 +00:00
|
|
|
c.ACLMasterToken = "root"
|
2021-08-06 22:39:39 +00:00
|
|
|
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
2016-08-30 02:09:57 +00:00
|
|
|
})
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2020-05-29 21:16:03 +00:00
|
|
|
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
|
2016-08-30 02:09:57 +00:00
|
|
|
|
|
|
|
// Make a request with no token to make sure it gets denied.
|
|
|
|
arg := structs.DCSpecificRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
}
|
|
|
|
var reply structs.RaftConfigurationResponse
|
|
|
|
err := msgpackrpc.CallWithCodec(codec, "Operator.RaftGetConfiguration", &arg, &reply)
|
2017-08-23 14:52:48 +00:00
|
|
|
if !acl.IsErrPermissionDenied(err) {
|
2016-08-30 02:09:57 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create an ACL with operator read permissions.
|
|
|
|
var token string
|
|
|
|
{
|
|
|
|
var rules = `
|
|
|
|
operator = "read"
|
|
|
|
`
|
|
|
|
|
|
|
|
req := structs.ACLRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Op: structs.ACLSet,
|
|
|
|
ACL: structs.ACL{
|
|
|
|
Name: "User token",
|
2018-10-19 16:04:07 +00:00
|
|
|
Type: structs.ACLTokenTypeClient,
|
2016-08-30 02:09:57 +00:00
|
|
|
Rules: rules,
|
|
|
|
},
|
|
|
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
|
|
|
}
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now it should go through.
|
|
|
|
arg.Token = token
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "Operator.RaftGetConfiguration", &arg, &reply); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-08-30 18:30:56 +00:00
|
|
|
if len(future.Configuration().Servers) != 1 {
|
|
|
|
t.Fatalf("bad: %v", future.Configuration().Servers)
|
|
|
|
}
|
|
|
|
me := future.Configuration().Servers[0]
|
2016-08-30 02:09:57 +00:00
|
|
|
expected := structs.RaftConfigurationResponse{
|
2016-08-30 18:30:56 +00:00
|
|
|
Servers: []*structs.RaftServer{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2017-09-26 14:34:12 +00:00
|
|
|
ID: me.ID,
|
|
|
|
Node: s1.config.NodeName,
|
|
|
|
Address: me.Address,
|
|
|
|
Leader: true,
|
|
|
|
Voter: true,
|
|
|
|
ProtocolVersion: "3",
|
2016-08-30 18:30:56 +00:00
|
|
|
},
|
2016-08-30 02:09:57 +00:00
|
|
|
},
|
2016-08-30 18:30:56 +00:00
|
|
|
Index: future.Index(),
|
2016-08-30 02:09:57 +00:00
|
|
|
}
|
2020-06-02 16:41:25 +00:00
|
|
|
require.Equal(t, expected, reply)
|
2016-08-30 02:09:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestOperator_RaftRemovePeerByAddress(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2016-08-30 02:09:57 +00:00
|
|
|
dir1, s1 := testServer(t)
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
2016-08-30 02:09:57 +00:00
|
|
|
|
2019-08-27 21:16:41 +00:00
|
|
|
ports := freeport.MustTake(1)
|
|
|
|
defer freeport.Return(ports)
|
|
|
|
|
2016-08-30 02:09:57 +00:00
|
|
|
// Try to remove a peer that's not there.
|
2017-03-30 01:09:41 +00:00
|
|
|
arg := structs.RaftRemovePeerRequest{
|
2016-08-30 02:09:57 +00:00
|
|
|
Datacenter: "dc1",
|
2019-08-27 21:16:41 +00:00
|
|
|
Address: raft.ServerAddress(fmt.Sprintf("127.0.0.1:%d", ports[0])),
|
2016-08-30 02:09:57 +00:00
|
|
|
}
|
|
|
|
var reply struct{}
|
|
|
|
err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply)
|
|
|
|
if err == nil || !strings.Contains(err.Error(), "not found in the Raft configuration") {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add it manually to Raft.
|
|
|
|
{
|
2017-09-25 22:27:04 +00:00
|
|
|
id := raft.ServerID("fake-node-id")
|
|
|
|
future := s1.raft.AddVoter(id, arg.Address, 0, time.Second)
|
2016-08-30 02:09:57 +00:00
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure it's there.
|
|
|
|
{
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
configuration := future.Configuration()
|
|
|
|
if len(configuration.Servers) != 2 {
|
|
|
|
t.Fatalf("bad: %v", configuration)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove it, now it should go through.
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure it's not there.
|
|
|
|
{
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
configuration := future.Configuration()
|
|
|
|
if len(configuration.Servers) != 1 {
|
|
|
|
t.Fatalf("bad: %v", configuration)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOperator_RaftRemovePeerByAddress_ACLDeny(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2016-08-30 02:09:57 +00:00
|
|
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
2021-08-06 22:00:58 +00:00
|
|
|
c.PrimaryDatacenter = "dc1"
|
2018-10-19 16:04:07 +00:00
|
|
|
c.ACLsEnabled = true
|
2016-08-30 02:09:57 +00:00
|
|
|
c.ACLMasterToken = "root"
|
2021-08-06 22:39:39 +00:00
|
|
|
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
2016-08-30 02:09:57 +00:00
|
|
|
})
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2020-05-29 21:16:03 +00:00
|
|
|
testrpc.WaitForTestAgent(t, s1.RPC, "dc1", testrpc.WithToken("root"))
|
2016-08-30 02:09:57 +00:00
|
|
|
|
|
|
|
// Make a request with no token to make sure it gets denied.
|
2017-03-30 01:09:41 +00:00
|
|
|
arg := structs.RaftRemovePeerRequest{
|
2016-08-30 02:09:57 +00:00
|
|
|
Datacenter: "dc1",
|
|
|
|
Address: raft.ServerAddress(s1.config.RPCAddr.String()),
|
|
|
|
}
|
|
|
|
var reply struct{}
|
|
|
|
err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply)
|
2017-08-23 14:52:48 +00:00
|
|
|
if !acl.IsErrPermissionDenied(err) {
|
2016-08-30 02:09:57 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create an ACL with operator write permissions.
|
|
|
|
var token string
|
|
|
|
{
|
|
|
|
var rules = `
|
|
|
|
operator = "write"
|
|
|
|
`
|
|
|
|
|
|
|
|
req := structs.ACLRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Op: structs.ACLSet,
|
|
|
|
ACL: structs.ACL{
|
|
|
|
Name: "User token",
|
2018-10-19 16:04:07 +00:00
|
|
|
Type: structs.ACLTokenTypeClient,
|
2016-08-30 02:09:57 +00:00
|
|
|
Rules: rules,
|
|
|
|
},
|
|
|
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
|
|
|
}
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now it should kick back for being an invalid config, which means it
|
|
|
|
// tried to do the operation.
|
|
|
|
arg.Token = token
|
|
|
|
err = msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByAddress", &arg, &reply)
|
|
|
|
if err == nil || !strings.Contains(err.Error(), "at least one voter") {
|
2017-03-30 01:09:41 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOperator_RaftRemovePeerByID(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2017-03-30 01:09:41 +00:00
|
|
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
|
|
|
c.RaftConfig.ProtocolVersion = 3
|
|
|
|
})
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
2017-03-30 01:09:41 +00:00
|
|
|
|
|
|
|
// Try to remove a peer that's not there.
|
|
|
|
arg := structs.RaftRemovePeerRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
ID: raft.ServerID("e35bde83-4e9c-434f-a6ef-453f44ee21ea"),
|
|
|
|
}
|
|
|
|
var reply struct{}
|
|
|
|
err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByID", &arg, &reply)
|
|
|
|
if err == nil || !strings.Contains(err.Error(), "not found in the Raft configuration") {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Add it manually to Raft.
|
|
|
|
{
|
2019-08-27 21:16:41 +00:00
|
|
|
ports := freeport.MustTake(1)
|
|
|
|
defer freeport.Return(ports)
|
|
|
|
|
|
|
|
future := s1.raft.AddVoter(arg.ID, raft.ServerAddress(fmt.Sprintf("127.0.0.1:%d", ports[0])), 0, 0)
|
2017-03-30 01:09:41 +00:00
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure it's there.
|
|
|
|
{
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
configuration := future.Configuration()
|
|
|
|
if len(configuration.Servers) != 2 {
|
|
|
|
t.Fatalf("bad: %v", configuration)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Remove it, now it should go through.
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByID", &arg, &reply); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure it's not there.
|
|
|
|
{
|
|
|
|
future := s1.raft.GetConfiguration()
|
|
|
|
if err := future.Error(); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
configuration := future.Configuration()
|
|
|
|
if len(configuration.Servers) != 1 {
|
|
|
|
t.Fatalf("bad: %v", configuration)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOperator_RaftRemovePeerByID_ACLDeny(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2017-06-27 13:22:18 +00:00
|
|
|
t.Parallel()
|
2017-03-30 01:09:41 +00:00
|
|
|
dir1, s1 := testServerWithConfig(t, func(c *Config) {
|
2021-08-06 22:00:58 +00:00
|
|
|
c.PrimaryDatacenter = "dc1"
|
2018-10-19 16:04:07 +00:00
|
|
|
c.ACLsEnabled = true
|
2017-03-30 01:09:41 +00:00
|
|
|
c.ACLMasterToken = "root"
|
2021-08-06 22:39:39 +00:00
|
|
|
c.ACLResolverSettings.ACLDefaultPolicy = "deny"
|
2017-03-30 01:09:41 +00:00
|
|
|
c.RaftConfig.ProtocolVersion = 3
|
|
|
|
})
|
|
|
|
defer os.RemoveAll(dir1)
|
|
|
|
defer s1.Shutdown()
|
|
|
|
codec := rpcClient(t, s1)
|
|
|
|
defer codec.Close()
|
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
testrpc.WaitForLeader(t, s1.RPC, "dc1")
|
2017-03-30 01:09:41 +00:00
|
|
|
|
|
|
|
// Make a request with no token to make sure it gets denied.
|
|
|
|
arg := structs.RaftRemovePeerRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
ID: raft.ServerID(s1.config.NodeID),
|
|
|
|
}
|
|
|
|
var reply struct{}
|
|
|
|
err := msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByID", &arg, &reply)
|
2017-08-23 14:52:48 +00:00
|
|
|
if !acl.IsErrPermissionDenied(err) {
|
2017-03-30 01:09:41 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create an ACL with operator write permissions.
|
|
|
|
var token string
|
|
|
|
{
|
|
|
|
var rules = `
|
|
|
|
operator = "write"
|
|
|
|
`
|
|
|
|
|
|
|
|
req := structs.ACLRequest{
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Op: structs.ACLSet,
|
|
|
|
ACL: structs.ACL{
|
|
|
|
Name: "User token",
|
2018-10-19 16:04:07 +00:00
|
|
|
Type: structs.ACLTokenTypeClient,
|
2017-03-30 01:09:41 +00:00
|
|
|
Rules: rules,
|
|
|
|
},
|
|
|
|
WriteRequest: structs.WriteRequest{Token: "root"},
|
|
|
|
}
|
|
|
|
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now it should kick back for being an invalid config, which means it
|
|
|
|
// tried to do the operation.
|
|
|
|
arg.Token = token
|
|
|
|
err = msgpackrpc.CallWithCodec(codec, "Operator.RaftRemovePeerByID", &arg, &reply)
|
|
|
|
if err == nil || !strings.Contains(err.Error(), "at least one voter") {
|
2016-08-30 02:09:57 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|