open-consul/command/agent/keyring_test.go

package agent

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"
	"testing"

	"github.com/hashicorp/consul/testutil"
)

func TestAgent_LoadKeyrings(t *testing.T) {
	key := "tbLJg26ZJyJ9pK3qhc9jig=="

	// Should be no configured keyring file by default
	a1 := NewTestAgent(t.Name(), nil)
	defer a1.Shutdown()

	c1 := a1.Config.ConsulConfig
	if c1.SerfLANConfig.KeyringFile != "" {
		t.Fatalf("bad: %#v", c1.SerfLANConfig.KeyringFile)
	}
	if c1.SerfLANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}
	if c1.SerfWANConfig.KeyringFile != "" {
		t.Fatalf("bad: %#v", c1.SerfLANConfig.KeyringFile)
	}
	if c1.SerfWANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}

	// Server should auto-load LAN and WAN keyring files
	a2 := &TestAgent{Name: t.Name(), Key: key}
	a2.Start()
	defer a2.Shutdown()

	c2 := a2.Config.ConsulConfig
	if c2.SerfLANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c2.SerfLANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}
	if c2.SerfWANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c2.SerfWANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}

	// Client should auto-load only the LAN keyring file
	conf3 := TestConfig()
	conf3.Server = false
	a3 := &TestAgent{Name: t.Name(), Config: conf3, Key: key}
	a3.Start()
	defer a3.Shutdown()

	c3 := a3.Config.ConsulConfig
	if c3.SerfLANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c3.SerfLANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}
	if c3.SerfWANConfig.KeyringFile != "" {
		t.Fatalf("bad: %#v", c3.SerfWANConfig.KeyringFile)
	}
	if c3.SerfWANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}
}

func TestAgent_InitKeyring(t *testing.T) {
	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
	key2 := "4leC33rgtXKIVUr9Nr0snQ=="
	expected := fmt.Sprintf(`["%s"]`, key1)

	dir := testutil.TempDir(t, "consul")
	defer os.RemoveAll(dir)

	file := filepath.Join(dir, "keyring")

	// First initialize the keyring
	if err := initKeyring(file, key1); err != nil {
		t.Fatalf("err: %s", err)
	}

	content, err := ioutil.ReadFile(file)
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if string(content) != expected {
		t.Fatalf("bad: %s", content)
	}

	// Try initializing again with a different key
	if err := initKeyring(file, key2); err != nil {
		t.Fatalf("err: %s", err)
	}

	// Content should still be the same
	content, err = ioutil.ReadFile(file)
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if string(content) != expected {
		t.Fatalf("bad: %s", content)
	}
}

func TestAgentKeyring_ACL(t *testing.T) {
	key1 := "tbLJg26ZJyJ9pK3qhc9jig=="
	key2 := "4leC33rgtXKIVUr9Nr0snQ=="

	conf := TestACLConfig()
	conf.ACLDatacenter = "dc1"
	conf.ACLMasterToken = "root"
	conf.ACLDefaultPolicy = "deny"
	a := &TestAgent{Name: t.Name(), Config: conf, Key: key1}
	a.Start()
	defer a.Shutdown()

	// List keys without access fails
	_, err := a.ListKeys("", 0)
	if err == nil || !strings.Contains(err.Error(), "denied") {
		t.Fatalf("expected denied error, got: %#v", err)
	}

	// List keys with access works
	_, err = a.ListKeys("root", 0)
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	// Install without access fails
	_, err = a.InstallKey(key2, "", 0)
	if err == nil || !strings.Contains(err.Error(), "denied") {
		t.Fatalf("expected denied error, got: %#v", err)
	}

	// Install with access works
	_, err = a.InstallKey(key2, "root", 0)
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	// Use without access fails
	_, err = a.UseKey(key2, "", 0)
	if err == nil || !strings.Contains(err.Error(), "denied") {
		t.Fatalf("expected denied error, got: %#v", err)
	}

	// Use with access works
	_, err = a.UseKey(key2, "root", 0)
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	// Remove without access fails
	_, err = a.RemoveKey(key1, "", 0)
	if err == nil || !strings.Contains(err.Error(), "denied") {
		t.Fatalf("expected denied error, got: %#v", err)
	}

	// Remove with access works
	_, err = a.RemoveKey(key1, "root", 0)
	if err != nil {
		t.Fatalf("err: %s", err)
	}
}
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`package agent`

			`import (`
agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`"fmt"`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`"io/ioutil"`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`"os"`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`"path/filepath"`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`"strings"`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`"testing"`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00
test: add helper for ioutil.TempDir/TempFile This creates a simplified helper for temporary directories and files. All path names are prefixed with the name of the current test. All files and directories are stored either in /tmp/consul-test or /tmp if the former could not be created. Using the system temp dir breaks some tests on macOS where the unix socket path becomes too long. 2017-05-12 13:41:13 +00:00			`"github.com/hashicorp/consul/testutil"`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`)`

			`func TestAgent_LoadKeyrings(t *testing.T) {`
			`key := "tbLJg26ZJyJ9pK3qhc9jig=="`

			`// Should be no configured keyring file by default`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`a1 := NewTestAgent(t.Name(), nil)`
			`defer a1.Shutdown()`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`c1 := a1.Config.ConsulConfig`
			`if c1.SerfLANConfig.KeyringFile != "" {`
			`t.Fatalf("bad: %#v", c1.SerfLANConfig.KeyringFile)`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c1.SerfLANConfig.MemberlistConfig.Keyring != nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should not be loaded")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c1.SerfWANConfig.KeyringFile != "" {`
			`t.Fatalf("bad: %#v", c1.SerfLANConfig.KeyringFile)`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c1.SerfWANConfig.MemberlistConfig.Keyring != nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should not be loaded")`
			`}`

			`// Server should auto-load LAN and WAN keyring files`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`a2 := &TestAgent{Name: t.Name(), Key: key}`
			`a2.Start()`
			`defer a2.Shutdown()`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`c2 := a2.Config.ConsulConfig`
			`if c2.SerfLANConfig.KeyringFile == "" {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("should have keyring file")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c2.SerfLANConfig.MemberlistConfig.Keyring == nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should be loaded")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c2.SerfWANConfig.KeyringFile == "" {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("should have keyring file")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c2.SerfWANConfig.MemberlistConfig.Keyring == nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should be loaded")`
			`}`

			`// Client should auto-load only the LAN keyring file`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`conf3 := TestConfig()`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`conf3.Server = false`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`a3 := &TestAgent{Name: t.Name(), Config: conf3, Key: key}`
			`a3.Start()`
			`defer a3.Shutdown()`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`c3 := a3.Config.ConsulConfig`
			`if c3.SerfLANConfig.KeyringFile == "" {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("should have keyring file")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c3.SerfLANConfig.MemberlistConfig.Keyring == nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should be loaded")`
			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c3.SerfWANConfig.KeyringFile != "" {`
			`t.Fatalf("bad: %#v", c3.SerfWANConfig.KeyringFile)`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`}`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`if c3.SerfWANConfig.MemberlistConfig.Keyring != nil {`
agent: split keyring functionality out of agent.go 2014-09-21 18:21:54 +00:00			`t.Fatalf("keyring should not be loaded")`
			`}`
			`}`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00
			`func TestAgent_InitKeyring(t *testing.T) {`
			`key1 := "tbLJg26ZJyJ9pK3qhc9jig=="`
			`key2 := "4leC33rgtXKIVUr9Nr0snQ=="`
agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			expected := fmt.Sprintf(`["%s"]`, key1)
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00
test: add helper for ioutil.TempDir/TempFile This creates a simplified helper for temporary directories and files. All path names are prefixed with the name of the current test. All files and directories are stored either in /tmp/consul-test or /tmp if the former could not be created. Using the system temp dir breaks some tests on macOS where the unix socket path becomes too long. 2017-05-12 13:41:13 +00:00			`dir := testutil.TempDir(t, "consul")`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`defer os.RemoveAll(dir)`

			`file := filepath.Join(dir, "keyring")`

			`// First initialize the keyring`
agent: fix loading keyring on agent start 2014-10-10 18:13:30 +00:00			`if err := initKeyring(file, key1); err != nil {`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`t.Fatalf("err: %s", err)`
			`}`

agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`content, err := ioutil.ReadFile(file)`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`if string(content) != expected {`
			`t.Fatalf("bad: %s", content)`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`}`

agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`// Try initializing again with a different key`
agent: fix loading keyring on agent start 2014-10-10 18:13:30 +00:00			`if err := initKeyring(file, key2); err != nil {`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`t.Fatalf("err: %s", err)`
			`}`

agent: fix loading keyring on agent start 2014-10-10 18:13:30 +00:00			`// Content should still be the same`
agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`content, err = ioutil.ReadFile(file)`
			`if err != nil {`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`t.Fatalf("err: %s", err)`
			`}`
agent: ignore -encrypt if provided when keyring exists 2014-10-09 22:28:38 +00:00			`if string(content) != expected {`
			`t.Fatalf("bad: %s", content)`
agent: -encrypt appends to keyring if one exists 2014-10-04 20:43:10 +00:00			`}`
			`}`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00
			`func TestAgentKeyring_ACL(t *testing.T) {`
			`key1 := "tbLJg26ZJyJ9pK3qhc9jig=="`
			`key2 := "4leC33rgtXKIVUr9Nr0snQ=="`

agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`conf := TestACLConfig()`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`conf.ACLDatacenter = "dc1"`
			`conf.ACLMasterToken = "root"`
			`conf.ACLDefaultPolicy = "deny"`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`a := &TestAgent{Name: t.Name(), Config: conf, Key: key1}`
			`a.Start()`
			`defer a.Shutdown()`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00
			`// List keys without access fails`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err := a.ListKeys("", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err == nil \|\| !strings.Contains(err.Error(), "denied") {`
			`t.Fatalf("expected denied error, got: %#v", err)`
			`}`

			`// List keys with access works`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.ListKeys("root", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`// Install without access fails`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.InstallKey(key2, "", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err == nil \|\| !strings.Contains(err.Error(), "denied") {`
			`t.Fatalf("expected denied error, got: %#v", err)`
			`}`

			`// Install with access works`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.InstallKey(key2, "root", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`// Use without access fails`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.UseKey(key2, "", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err == nil \|\| !strings.Contains(err.Error(), "denied") {`
			`t.Fatalf("expected denied error, got: %#v", err)`
			`}`

			`// Use with access works`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.UseKey(key2, "root", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`// Remove without access fails`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.RemoveKey(key1, "", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err == nil \|\| !strings.Contains(err.Error(), "denied") {`
			`t.Fatalf("expected denied error, got: %#v", err)`
			`}`

			`// Remove with access works`
agent: refactor tests for TestAgent Refactored tests that use * makeAgentXXX * makeDNSServerXXX * makeHTTPServerXXX 2017-05-21 07:11:09 +00:00			`_, err = a.RemoveKey(key1, "root", 0)`
agent: testing keyring ACLs 2015-07-07 21:14:06 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`}`