open-consul/command/login/login_test.go

317 lines
7.5 KiB
Go
Raw Normal View History

package login
import (
"io/ioutil"
"os"
"path/filepath"
"strings"
"testing"
"github.com/hashicorp/consul/agent"
"github.com/hashicorp/consul/agent/consul/authmethod/kubeauth"
"github.com/hashicorp/consul/agent/consul/authmethod/testauth"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/acl"
"github.com/hashicorp/consul/sdk/testutil"
"github.com/hashicorp/consul/testrpc"
"github.com/mitchellh/cli"
"github.com/stretchr/testify/require"
)
func TestLoginCommand_noTabs(t *testing.T) {
t.Parallel()
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
t.Fatal("help has tabs")
}
}
func TestLoginCommand(t *testing.T) {
t.Parallel()
testDir := testutil.TempDir(t, "acl")
defer os.RemoveAll(testDir)
a := agent.NewTestAgent(t, `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
master = "root"
}
}`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
client := a.Client()
t.Run("method is required", func(t *testing.T) {
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
}
code := cmd.Run(args)
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-method' flag")
})
tokenSinkFile := filepath.Join(testDir, "test.token")
t.Run("token-sink-file is required", func(t *testing.T) {
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
}
code := cmd.Run(args)
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-token-sink-file' flag")
})
t.Run("bearer-token-file is required", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
"-token-sink-file", tokenSinkFile,
}
code := cmd.Run(args)
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-bearer-token-file' flag")
})
bearerTokenFile := filepath.Join(testDir, "bearer.token")
t.Run("bearer-token-file is empty", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
require.NoError(t, ioutil.WriteFile(bearerTokenFile, []byte(""), 0600))
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
"-token-sink-file", tokenSinkFile,
"-bearer-token-file", bearerTokenFile,
}
code := cmd.Run(args)
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "No bearer token found in")
})
require.NoError(t, ioutil.WriteFile(bearerTokenFile, []byte("demo-token"), 0600))
t.Run("try login with no method configured", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
"-token-sink-file", tokenSinkFile,
"-bearer-token-file", bearerTokenFile,
}
code := cmd.Run(args)
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "403 (ACL not found)")
})
testSessionID := testauth.StartSession()
defer testauth.ResetSession(testSessionID)
testauth.InstallSessionToken(
testSessionID,
"demo-token",
"default", "demo", "76091af4-4b56-11e9-ac4b-708b11801cbe",
)
{
_, _, err := client.ACL().AuthMethodCreate(
&api.ACLAuthMethod{
Name: "test",
Type: "testing",
Config: map[string]interface{}{
"SessionID": testSessionID,
},
},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
}
t.Run("try login with method configured but no binding rules", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
"-token-sink-file", tokenSinkFile,
"-bearer-token-file", bearerTokenFile,
}
code := cmd.Run(args)
require.Equal(t, 1, code, "err: %s", ui.ErrorWriter.String())
require.Contains(t, ui.ErrorWriter.String(), "403 (Permission denied)")
})
{
_, _, err := client.ACL().BindingRuleCreate(&api.ACLBindingRule{
AuthMethod: "test",
BindType: api.BindingRuleBindTypeService,
BindName: "${serviceaccount.name}",
Selector: "serviceaccount.namespace==default",
},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
}
t.Run("try login with method configured and binding rules", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=test",
"-token-sink-file", tokenSinkFile,
"-bearer-token-file", bearerTokenFile,
}
code := cmd.Run(args)
require.Equal(t, 0, code, "err: %s", ui.ErrorWriter.String())
require.Empty(t, ui.ErrorWriter.String())
require.Empty(t, ui.OutputWriter.String())
raw, err := ioutil.ReadFile(tokenSinkFile)
require.NoError(t, err)
token := strings.TrimSpace(string(raw))
require.Len(t, token, 36, "must be a valid uid: %s", token)
})
}
func TestLoginCommand_k8s(t *testing.T) {
t.Parallel()
testDir := testutil.TempDir(t, "acl")
defer os.RemoveAll(testDir)
a := agent.NewTestAgent(t, `
primary_datacenter = "dc1"
acl {
enabled = true
tokens {
master = "root"
}
}`)
defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1")
client := a.Client()
tokenSinkFile := filepath.Join(testDir, "test.token")
bearerTokenFile := filepath.Join(testDir, "bearer.token")
// the "B" jwt will be the one being reviewed
require.NoError(t, ioutil.WriteFile(bearerTokenFile, []byte(acl.TestKubernetesJWT_B), 0600))
// spin up a fake api server
testSrv := kubeauth.StartTestAPIServer(t)
defer testSrv.Stop()
testSrv.AuthorizeJWT(acl.TestKubernetesJWT_A)
testSrv.SetAllowedServiceAccount(
"default",
"demo",
"76091af4-4b56-11e9-ac4b-708b11801cbe",
"",
acl.TestKubernetesJWT_B,
)
{
_, _, err := client.ACL().AuthMethodCreate(
&api.ACLAuthMethod{
Name: "k8s",
Type: "kubernetes",
Config: map[string]interface{}{
"Host": testSrv.Addr(),
"CACert": testSrv.CACert(),
// the "A" jwt will be the one with token review privs
"ServiceAccountJWT": acl.TestKubernetesJWT_A,
},
},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
}
{
_, _, err := client.ACL().BindingRuleCreate(&api.ACLBindingRule{
AuthMethod: "k8s",
BindType: api.BindingRuleBindTypeService,
BindName: "${serviceaccount.name}",
Selector: "serviceaccount.namespace==default",
},
&api.WriteOptions{Token: "root"},
)
require.NoError(t, err)
}
t.Run("try login with method configured and binding rules", func(t *testing.T) {
defer os.Remove(tokenSinkFile)
ui := cli.NewMockUi()
cmd := New(ui)
args := []string{
"-http-addr=" + a.HTTPAddr(),
"-token=root",
"-method=k8s",
"-token-sink-file", tokenSinkFile,
"-bearer-token-file", bearerTokenFile,
}
code := cmd.Run(args)
require.Equal(t, 0, code, "err: %s", ui.ErrorWriter.String())
require.Empty(t, ui.ErrorWriter.String())
require.Empty(t, ui.OutputWriter.String())
raw, err := ioutil.ReadFile(tokenSinkFile)
require.NoError(t, err)
token := strings.TrimSpace(string(raw))
require.Len(t, token, 36, "must be a valid uid: %s", token)
})
}