luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/agent/consul/intention_endpoint_test.go

1539 lines
41 KiB
Go
Raw Normal View History

agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
package consul
import (
"os"
"testing"
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
"time"
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
"github.com/hashicorp/consul/acl"
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/testrpc"
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc"
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
"github.com/stretchr/testify/assert"
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
"github.com/stretchr/testify/require"
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
// Test basic creation
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
func TestIntentionApply_new(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
agent,agent/consul: set default namespaces
2018-03-03 16:51:40 +00:00
SourceNS: structs.IntentionDefaultNamespace,
SourceName: "test",
DestinationNS: structs.IntentionDefaultNamespace,
DestinationName: "test",
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
Action: structs.IntentionActionAllow,
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
SourceType: structs.IntentionSourceConsul,
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
Meta: map[string]string{},
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
},
}
var reply string
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
// Record now to check created at time
now := time.Now()
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
// Create
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
assert.NotEmpty(reply)
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
agent/consul: Intention.Get endpoint
2018-02-28 18:44:49 +00:00
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: Intention.Get endpoint
2018-02-28 18:44:49 +00:00
actual := resp.Intentions[0]
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(resp.Index, actual.ModifyIndex)
assert.WithinDuration(now, actual.CreatedAt, 5*time.Second)
assert.WithinDuration(now, actual.UpdatedAt, 5*time.Second)
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
agent/consul: Intention.Get endpoint
2018-02-28 18:44:49 +00:00
actual.CreateIndex, actual.ModifyIndex = 0, 0
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
actual.CreatedAt = ixn.Intention.CreatedAt
actual.UpdatedAt = ixn.Intention.UpdatedAt
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
actual.Hash = ixn.Intention.Hash
agent/consul: set precedence value on struct itself
2018-06-07 04:11:37 +00:00
ixn.Intention.UpdatePrecedence()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(ixn.Intention, actual)
agent/consul: Intention.Get endpoint
2018-02-28 18:44:49 +00:00
}
agent/consul: Intention.Apply, FSM methods, very little validation
2018-02-28 18:28:07 +00:00
}
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
// Test the source type defaults
func TestIntentionApply_defaultSourceType(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
SourceNS: structs.IntentionDefaultNamespace,
SourceName: "test",
DestinationNS: structs.IntentionDefaultNamespace,
DestinationName: "test",
Action: structs.IntentionActionAllow,
},
}
var reply string
// Create
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
assert.NotEmpty(reply)
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
actual := resp.Intentions[0]
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(structs.IntentionSourceConsul, actual.SourceType)
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
}
}
agent/consul: creating intention must not have ID set
2018-03-01 05:16:45 +00:00
// Shouldn't be able to create with an ID set
func TestIntentionApply_createWithID(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: creating intention must not have ID set
2018-03-01 05:16:45 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
ID: generateUUID(),
SourceName: "test",
},
}
var reply string
// Create
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.NotNil(err)
assert.Contains(err, "ID must be empty")
agent/consul: creating intention must not have ID set
2018-03-01 05:16:45 +00:00
}
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
// Test basic updating
func TestIntentionApply_updateGood(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
agent,agent/consul: set default namespaces
2018-03-03 16:51:40 +00:00
SourceNS: structs.IntentionDefaultNamespace,
SourceName: "test",
DestinationNS: structs.IntentionDefaultNamespace,
DestinationName: "test",
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
Action: structs.IntentionActionAllow,
agent/consul: set default intention SourceType, validate it
2018-03-03 17:55:27 +00:00
SourceType: structs.IntentionSourceConsul,
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
Meta: map[string]string{},
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
},
}
var reply string
// Create
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
assert.NotEmpty(reply)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
// Read CreatedAt
var createdAt time.Time
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
actual := resp.Intentions[0]
createdAt = actual.CreatedAt
}
// Sleep a bit so that the updated at will definitely be different, not much
time.Sleep(1 * time.Millisecond)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
// Update
ixn.Op = structs.IntentionOpUpdate
ixn.Intention.ID = reply
agent/consul: set precedence value on struct itself
2018-06-07 04:11:37 +00:00
ixn.Intention.SourceName = "*"
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
actual := resp.Intentions[0]
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(createdAt, actual.CreatedAt)
assert.WithinDuration(time.Now(), actual.UpdatedAt, 5*time.Second)
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
actual.CreateIndex, actual.ModifyIndex = 0, 0
agent/consul: set CreatedAt, UpdatedAt on intentions
2018-03-03 16:43:19 +00:00
actual.CreatedAt = ixn.Intention.CreatedAt
actual.UpdatedAt = ixn.Intention.UpdatedAt
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
actual.Hash = ixn.Intention.Hash
agent/consul: set precedence value on struct itself
2018-06-07 04:11:37 +00:00
ixn.Intention.UpdatePrecedence()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(ixn.Intention, actual)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
}
}
// Shouldn't be able to update a non-existent intention
func TestIntentionApply_updateNonExist(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpUpdate,
Intention: &structs.Intention{
ID: generateUUID(),
SourceName: "test",
},
}
var reply string
// Create
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.NotNil(err)
assert.Contains(err, "Cannot modify non-existent intention")
agent/consul: support updating intentions
2018-03-01 05:11:35 +00:00
}
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
// Test basic deleting
func TestIntentionApply_deleteGood(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
SourceNS: "test",
SourceName: "test",
DestinationNS: "test",
DestinationName: "test",
Action: structs.IntentionActionAllow,
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
},
}
var reply string
// Create
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
assert.NotEmpty(reply)
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
// Delete
ixn.Op = structs.IntentionOpDelete
ixn.Intention.ID = reply
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.NotNil(err)
assert.Contains(err, ErrIntentionNotFound.Error())
agent/consul: test that Apply works to delete an intention
2018-03-01 23:48:48 +00:00
}
}
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
// Test apply with a deny ACL
func TestIntentionApply_aclDeny(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
}
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "foobar"
// Create without a token should error since default deny
var reply string
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.True(acl.IsErrPermissionDenied(err))
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
// Now add the token and try again.
ixn.WriteRequest.Token = token
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
QueryOptions: structs.QueryOptions{Token: "root"},
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
}
var resp structs.IndexedIntentions
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
actual := resp.Intentions[0]
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Equal(resp.Index, actual.ModifyIndex)
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
actual.CreateIndex, actual.ModifyIndex = 0, 0
actual.CreatedAt = ixn.Intention.CreatedAt
actual.UpdatedAt = ixn.Intention.UpdatedAt
Implement Mesh Gateways This includes both ingress and egress functionality.
2019-06-18 00:52:01 +00:00
actual.Hash = ixn.Intention.Hash
agent/consul: set precedence value on struct itself
2018-06-07 04:11:37 +00:00
ixn.Intention.UpdatePrecedence()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Equal(ixn.Intention, actual)
agent/consul: Basic ACL on Intention.Apply
2018-03-04 08:39:56 +00:00
}
}
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
func TestIntention_WildcardACLEnforcement(t *testing.T) {
t.Parallel()
dir, srv := testACLServerWithConfig(t, nil, false)
defer os.RemoveAll(dir)
defer srv.Shutdown()
codec := rpcClient(t, srv)
defer codec.Close()
testrpc.WaitForLeader(t, srv.RPC, "dc1")
// create some test policies.
writeToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
readToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "read" }`)
require.NoError(t, err)
exactToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
wildcardPrefixToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "*" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
fooToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "foo" { policy = "deny" intentions = "write" }`)
require.NoError(t, err)
denyToken, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "" { policy = "deny" intentions = "deny" }`)
require.NoError(t, err)
doIntentionCreate := func(t *testing.T, token string, deny bool) string {
t.Helper()
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "*",
Action: structs.IntentionActionAllow,
SourceType: structs.IntentionSourceConsul,
},
WriteRequest: structs.WriteRequest{Token: token},
}
var reply string
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if deny {
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
return ""
} else {
require.NoError(t, err)
require.NotEmpty(t, reply)
return reply
}
}
t.Run("deny-write-for-read-token", func(t *testing.T) {
// This tests ensures that tokens with only read access to all intentions
// cannot create a wildcard intention
doIntentionCreate(t, readToken.SecretID, true)
})
t.Run("deny-write-for-exact-wildcard-rule", func(t *testing.T) {
// This test ensures that having a rules like:
// service "*" {
// intentions = "write"
// }
// will not actually allow creating an intention with a wildcard service name
doIntentionCreate(t, exactToken.SecretID, true)
})
t.Run("deny-write-for-prefix-wildcard-rule", func(t *testing.T) {
// This test ensures that having a rules like:
// service_prefix "*" {
// intentions = "write"
// }
// will not actually allow creating an intention with a wildcard service name
doIntentionCreate(t, wildcardPrefixToken.SecretID, true)
})
var intentionID string
allowWriteOk := t.Run("allow-write", func(t *testing.T) {
// tests that a token with all the required privileges can create
// intentions with a wildcard destination
intentionID = doIntentionCreate(t, writeToken.SecretID, false)
})
requireAllowWrite := func(t *testing.T) {
t.Helper()
if !allowWriteOk {
t.Skip("Skipping because the allow-write subtest failed")
}
}
doIntentionRead := func(t *testing.T, token string, deny bool) {
t.Helper()
requireAllowWrite(t)
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: intentionID,
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
if deny {
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
} else {
require.NoError(t, err)
require.Len(t, resp.Intentions, 1)
require.Equal(t, "*", resp.Intentions[0].DestinationName)
}
}
t.Run("allow-read-for-write-token", func(t *testing.T) {
doIntentionRead(t, writeToken.SecretID, false)
})
t.Run("allow-read-for-read-token", func(t *testing.T) {
doIntentionRead(t, readToken.SecretID, false)
})
t.Run("allow-read-for-exact-wildcard-token", func(t *testing.T) {
// this is allowed because, the effect of the policy is to grant
// intention:write on the service named "*". When reading the
// intention we will validate that the token has read permissions
// for any intention that would match the wildcard.
doIntentionRead(t, exactToken.SecretID, false)
})
t.Run("allow-read-for-prefix-wildcard-token", func(t *testing.T) {
// this is allowed for the same reasons as for the
// exact-wildcard-token case
doIntentionRead(t, wildcardPrefixToken.SecretID, false)
})
t.Run("deny-read-for-deny-token", func(t *testing.T) {
doIntentionRead(t, denyToken.SecretID, true)
})
doIntentionList := func(t *testing.T, token string, deny bool) {
t.Helper()
requireAllowWrite(t)
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp)
// even with permission denied this should return success but with an empty list
require.NoError(t, err)
if deny {
require.Empty(t, resp.Intentions)
} else {
require.Len(t, resp.Intentions, 1)
require.Equal(t, "*", resp.Intentions[0].DestinationName)
}
}
t.Run("allow-list-for-write-token", func(t *testing.T) {
doIntentionList(t, writeToken.SecretID, false)
})
t.Run("allow-list-for-read-token", func(t *testing.T) {
doIntentionList(t, readToken.SecretID, false)
})
t.Run("allow-list-for-exact-wildcard-token", func(t *testing.T) {
doIntentionList(t, exactToken.SecretID, false)
})
t.Run("allow-list-for-prefix-wildcard-token", func(t *testing.T) {
doIntentionList(t, wildcardPrefixToken.SecretID, false)
})
t.Run("deny-list-for-deny-token", func(t *testing.T) {
doIntentionList(t, denyToken.SecretID, true)
})
doIntentionMatch := func(t *testing.T, token string, deny bool) {
t.Helper()
requireAllowWrite(t)
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
Match: &structs.IntentionQueryMatch{
Type: structs.IntentionMatchDestination,
Entries: []structs.IntentionMatchEntry{
structs.IntentionMatchEntry{
Namespace: "default",
Name: "*",
},
},
},
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentionMatches
err := msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp)
if deny {
require.Error(t, err)
require.Empty(t, resp.Matches)
} else {
require.NoError(t, err)
require.Len(t, resp.Matches, 1)
require.Len(t, resp.Matches[0], 1)
require.Equal(t, "*", resp.Matches[0][0].DestinationName)
}
}
t.Run("allow-match-for-write-token", func(t *testing.T) {
doIntentionMatch(t, writeToken.SecretID, false)
})
t.Run("allow-match-for-read-token", func(t *testing.T) {
doIntentionMatch(t, readToken.SecretID, false)
})
t.Run("allow-match-for-exact-wildcard-token", func(t *testing.T) {
doIntentionMatch(t, exactToken.SecretID, false)
})
t.Run("allow-match-for-prefix-wildcard-token", func(t *testing.T) {
doIntentionMatch(t, wildcardPrefixToken.SecretID, false)
})
t.Run("deny-match-for-deny-token", func(t *testing.T) {
doIntentionMatch(t, denyToken.SecretID, true)
})
doIntentionUpdate := func(t *testing.T, token string, dest string, deny bool) {
t.Helper()
requireAllowWrite(t)
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpUpdate,
Intention: &structs.Intention{
ID: intentionID,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: dest,
Action: structs.IntentionActionAllow,
SourceType: structs.IntentionSourceConsul,
},
WriteRequest: structs.WriteRequest{Token: token},
}
var reply string
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if deny {
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
} else {
require.NoError(t, err)
}
}
t.Run("deny-update-for-foo-token", func(t *testing.T) {
doIntentionUpdate(t, fooToken.SecretID, "foo", true)
})
t.Run("allow-update-for-prefix-token", func(t *testing.T) {
// this tests that regardless of going from a wildcard intention
// to a non-wildcard or the opposite direction that the permissions
// are checked correctly. This also happens to leave the intention
// in a state ready for verifying similar things with deletion
doIntentionUpdate(t, writeToken.SecretID, "foo", false)
doIntentionUpdate(t, writeToken.SecretID, "*", false)
})
doIntentionDelete := func(t *testing.T, token string, deny bool) {
t.Helper()
requireAllowWrite(t)
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpDelete,
Intention: &structs.Intention{
ID: intentionID,
},
WriteRequest: structs.WriteRequest{Token: token},
}
var reply string
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if deny {
require.Error(t, err)
require.True(t, acl.IsErrPermissionDenied(err))
} else {
require.NoError(t, err)
}
}
t.Run("deny-delete-for-read-token", func(t *testing.T) {
doIntentionDelete(t, readToken.SecretID, true)
})
t.Run("deny-delete-for-exact-wildcard-rule", func(t *testing.T) {
// This test ensures that having a rules like:
// service "*" {
// intentions = "write"
// }
// will not actually allow deleting an intention with a wildcard service name
doIntentionDelete(t, exactToken.SecretID, true)
})
t.Run("deny-delete-for-prefix-wildcard-rule", func(t *testing.T) {
// This test ensures that having a rules like:
// service_prefix "*" {
// intentions = "write"
// }
// will not actually allow creating an intention with a wildcard service name
doIntentionDelete(t, wildcardPrefixToken.SecretID, true)
})
t.Run("allow-delete", func(t *testing.T) {
// tests that a token with all the required privileges can delete
// intentions with a wildcard destination
doIntentionDelete(t, writeToken.SecretID, false)
})
}
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Test apply with delete and a default deny ACL
func TestIntentionApply_aclDelete(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
}
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "foobar"
ixn.WriteRequest.Token = token
// Create
var reply string
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Try to do a delete with no token; this should get rejected.
ixn.Op = structs.IntentionOpDelete
ixn.Intention.ID = reply
ixn.WriteRequest.Token = ""
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.True(acl.IsErrPermissionDenied(err))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Try again with the original token. This should go through.
ixn.WriteRequest.Token = token
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Verify it is gone
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.NotNil(err)
assert.Contains(err.Error(), ErrIntentionNotFound.Error())
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
}
}
// Test apply with update and a default deny ACL
func TestIntentionApply_aclUpdate(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
}
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "foobar"
ixn.WriteRequest.Token = token
// Create
var reply string
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Try to do an update without a token; this should get rejected.
ixn.Op = structs.IntentionOpUpdate
ixn.Intention.ID = reply
ixn.WriteRequest.Token = ""
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.True(acl.IsErrPermissionDenied(err))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
// Try again with the original token; this should go through.
ixn.WriteRequest.Token = token
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: tests for ACLs on Intention.Apply update/delete
2018-03-04 08:55:23 +00:00
}
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
// Test apply with a management token
func TestIntentionApply_aclManagement(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "foobar"
ixn.WriteRequest.Token = "root"
// Create
var reply string
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
ixn.Intention.ID = reply
// Update
ixn.Op = structs.IntentionOpUpdate
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
// Delete
ixn.Op = structs.IntentionOpDelete
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
}
// Test update changing the name where an ACL won't allow it
func TestIntentionApply_aclUpdateChange(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with write permissions
var token string
{
var rules = `
service "foo" {
policy = "deny"
intentions = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
}
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "bar"
ixn.WriteRequest.Token = "root"
// Create
var reply string
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
// Try to do an update without a token; this should get rejected.
ixn.Op = structs.IntentionOpUpdate
ixn.Intention.ID = reply
ixn.Intention.DestinationName = "foo"
ixn.WriteRequest.Token = token
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.True(acl.IsErrPermissionDenied(err))
agent/consul: Intention.Apply ACL on rename
2018-03-04 19:35:39 +00:00
}
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
// Test reading with ACLs
func TestIntentionGet_acl(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert := assert.New(t)
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with service write permissions. This will grant
// intentions read.
var token string
{
var rules = `
service "foo" {
policy = "write"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
}
// Setup a basic record to create
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
ixn.Intention.DestinationName = "foobar"
ixn.WriteRequest.Token = "root"
// Create
var reply string
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
ixn.Intention.ID = reply
// Read without token should be error
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.True(acl.IsErrPermissionDenied(err))
assert.Len(resp.Intentions, 0)
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
}
// Read with token should work
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentions
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
agent/consul: Intention.Get ACLs
2018-03-04 19:53:52 +00:00
}
}
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
func TestIntentionList(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Test with no intentions inserted yet
{
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
}
var resp structs.IndexedIntentions
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
assert.NotNil(resp.Intentions)
assert.Len(resp.Intentions, 0)
agent/consul: start Intention RPC endpoints, starting with List
2018-02-28 18:04:27 +00:00
}
}
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Test listing with ACLs
func TestIntentionList_acl(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
dir1, s1 := testServerWithConfig(t, testServerACLConfig(nil))
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
waitForNewACLs(t, s1)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service_prefix "foo" { policy = "write" }`)
require.NoError(t, err)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Create a few records
for _, name := range []string{"foobar", "bar", "baz"} {
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
ixn.Intention.SourceNS = "default"
ixn.Intention.DestinationNS = "default"
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
ixn.Intention.DestinationName = name
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
ixn.WriteRequest.Token = TestDefaultMasterToken
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Create
var reply string
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
// Test with no token
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
t.Run("no-token", func(t *testing.T) {
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
}
var resp structs.IndexedIntentions
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
require.Len(t, resp.Intentions, 0)
})
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Test with management token
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
t.Run("master-token", func(t *testing.T) {
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
QueryOptions: structs.QueryOptions{Token: TestDefaultMasterToken},
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
var resp structs.IndexedIntentions
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
require.Len(t, resp.Intentions, 3)
})
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Test with user token
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
t.Run("user-token", func(t *testing.T) {
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
QueryOptions: structs.QueryOptions{Token: token.SecretID},
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
var resp structs.IndexedIntentions
Enable filtering language support for the v1/connect/intentions… (#7593) * Enable filtering language support for the v1/connect/intentions listing API * Update website for filtering of Intentions * Update website/source/api/connect/intentions.html.md
2020-04-07 15:48:44 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
require.Len(t, resp.Intentions, 1)
})
t.Run("filtered", func(t *testing.T) {
req := &structs.DCSpecificRequest{
Datacenter: "dc1",
QueryOptions: structs.QueryOptions{
Token: TestDefaultMasterToken,
Filter: "DestinationName == foobar",
},
}
var resp structs.IndexedIntentions
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
require.Len(t, resp.Intentions, 1)
})
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
// Test basic matching. We don't need to exhaustively test inputs since this
// is tested in the agent/consul/state package.
func TestIntentionMatch_good(t *testing.T) {
t.Parallel()
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert := assert.New(t)
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create some records
{
insert := [][]string{
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works. Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-04-05 11:53:42 +00:00
{"foo", "*", "foo", "*"},
{"foo", "*", "foo", "bar"},
{"foo", "*", "foo", "baz"}, // shouldn't match
{"foo", "*", "bar", "bar"}, // shouldn't match
{"foo", "*", "bar", "*"}, // shouldn't match
{"foo", "*", "*", "*"},
{"bar", "*", "foo", "bar"}, // duplicate destination different source
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
}
for _, v := range insert {
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works. Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-04-05 11:53:42 +00:00
SourceNS: v[0],
SourceName: v[1],
DestinationNS: v[2],
DestinationName: v[3],
agent/structs: Intention validation
2018-03-03 17:43:37 +00:00
Action: structs.IntentionActionAllow,
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
},
}
// Create
var reply string
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
}
}
// Match
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
Match: &structs.IntentionQueryMatch{
Type: structs.IntentionMatchDestination,
Entries: []structs.IntentionMatchEntry{
{
Namespace: "foo",
Name: "bar",
},
},
},
}
var resp structs.IndexedIntentionMatches
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp))
assert.Len(resp.Matches, 1)
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works. Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-04-05 11:53:42 +00:00
expected := [][]string{
{"bar", "*", "foo", "bar"},
{"foo", "*", "foo", "bar"},
{"foo", "*", "foo", "*"},
{"foo", "*", "*", "*"},
}
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
var actual [][]string
for _, ixn := range resp.Matches[0] {
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works. Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-04-05 11:53:42 +00:00
actual = append(actual, []string{
ixn.SourceNS,
ixn.SourceName,
ixn.DestinationNS,
ixn.DestinationName,
})
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
}
agent: convert all intention tests to testify/assert
2018-03-06 18:35:20 +00:00
assert.Equal(expected, actual)
agent/consul: RPC endpoint for Intention.Match
2018-03-02 21:40:03 +00:00
}
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Test matching with ACLs
func TestIntentionMatch_acl(t *testing.T) {
t.Parallel()
agent/consul: convert intention ACLs to testify/assert
2018-03-06 18:51:26 +00:00
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
dir1, s1 := testACLServerWithConfig(t, nil, false)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "bar" { policy = "write" }`)
require.NoError(t, err)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Create some records
{
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
insert := []string{
"*",
"bar",
"baz",
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
for _, v := range insert {
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: structs.TestIntention(t),
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
ixn.Intention.DestinationName = v
ixn.WriteRequest.Token = TestDefaultMasterToken
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
// Create
var reply string
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
require.Nil(t, msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
}
// Test with no token
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
Match: &structs.IntentionQueryMatch{
Type: structs.IntentionMatchDestination,
Entries: []structs.IntentionMatchEntry{
{
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
Namespace: "default",
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
Name: "bar",
},
},
},
}
var resp structs.IndexedIntentionMatches
err := msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp)
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
require.True(t, acl.IsErrPermissionDenied(err))
require.Len(t, resp.Matches, 0)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
// Test with proper token
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
Match: &structs.IntentionQueryMatch{
Type: structs.IntentionMatchDestination,
Entries: []structs.IntentionMatchEntry{
{
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
Namespace: "default",
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
Name: "bar",
},
},
},
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
QueryOptions: structs.QueryOptions{Token: token.SecretID},
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
var resp structs.IndexedIntentionMatches
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp))
require.Len(t, resp.Matches, 1)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
expected := []string{"bar", "*"}
var actual []string
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
for _, ixn := range resp.Matches[0] {
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
actual = append(actual, ixn.DestinationName)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
Updates to Config Entries and Connect for Namespaces (#7116)
2020-01-24 15:04:58 +00:00
require.ElementsMatch(t, expected, actual)
agent/consul: Intention.Match ACLs
2018-03-05 02:32:28 +00:00
}
}
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Test the Check method defaults to allow with no ACL set.
func TestIntentionCheck_defaultNoACL(t *testing.T) {
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
t.Parallel()
require := require.New(t)
dir1, s1 := testServer(t)
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Test
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceNS: "foo",
SourceName: "bar",
DestinationNS: "foo",
DestinationName: "qux",
SourceType: structs.IntentionSourceConsul,
},
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
require.True(resp.Allowed)
}
Replace whitelist/blacklist terminology with allowlist/denylist (#7971) * Replace whitelist/blacklist terminology with allowlist/denylist
2020-05-29 18:19:16 +00:00
// Test the Check method defaults to deny with allowlist ACLs.
agent: rename test to check
2018-05-11 16:19:22 +00:00
func TestIntentionCheck_defaultACLDeny(t *testing.T) {
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
t.Parallel()
require := require.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Check
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceNS: "foo",
SourceName: "bar",
DestinationNS: "foo",
DestinationName: "qux",
SourceType: structs.IntentionSourceConsul,
},
}
req.Token = "root"
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
require.False(resp.Allowed)
}
Replace whitelist/blacklist terminology with allowlist/denylist (#7971) * Replace whitelist/blacklist terminology with allowlist/denylist
2020-05-29 18:19:16 +00:00
// Test the Check method defaults to deny with denylist ACLs.
agent: rename test to check
2018-05-11 16:19:22 +00:00
func TestIntentionCheck_defaultACLAllow(t *testing.T) {
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
t.Parallel()
require := require.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "allow"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Check
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceNS: "foo",
SourceName: "bar",
DestinationNS: "foo",
DestinationName: "qux",
SourceType: structs.IntentionSourceConsul,
},
}
req.Token = "root"
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
require.True(resp.Allowed)
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Test the Check method requires service:read permission.
func TestIntentionCheck_aclDeny(t *testing.T) {
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
t.Parallel()
require := require.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
c.ACLsEnabled = true
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
c.ACLMasterToken = "root"
c.ACLDefaultPolicy = "deny"
})
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
// Create an ACL with service read permissions. This will grant permission.
var token string
{
var rules = `
service "bar" {
policy = "read"
}`
req := structs.ACLRequest{
Datacenter: "dc1",
Op: structs.ACLSet,
ACL: structs.ACL{
Name: "User token",
New ACLs (#4791) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.
2018-10-19 16:04:07 +00:00
Type: structs.ACLTokenTypeClient,
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
Rules: rules,
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Check
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceNS: "foo",
SourceName: "qux",
DestinationNS: "foo",
DestinationName: "baz",
SourceType: structs.IntentionSourceConsul,
},
}
req.Token = token
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
err := msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp)
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
require.True(acl.IsErrPermissionDenied(err))
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Test the Check method returns allow/deny properly.
func TestIntentionCheck_match(t *testing.T) {
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
t.Parallel()
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
dir1, s1 := testACLServerWithConfig(t, nil, false)
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
defer os.RemoveAll(dir1)
defer s1.Shutdown()
codec := rpcClient(t, s1)
defer codec.Close()
testrpc.WaitForLeader(t, s1.RPC, "dc1")
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
token, err := upsertTestTokenWithPolicyRules(codec, TestDefaultMasterToken, "dc1", `service "api" { policy = "read" }`)
require.NoError(t, err)
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
// Create some intentions
{
insert := [][]string{
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
{"web", "db"},
{"api", "db"},
{"web", "api"},
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
for _, v := range insert {
ixn := structs.IntentionRequest{
Datacenter: "dc1",
Op: structs.IntentionOpCreate,
Intention: &structs.Intention{
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
SourceNS: "default",
SourceName: v[0],
DestinationNS: "default",
DestinationName: v[1],
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
Action: structs.IntentionActionAllow,
},
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
WriteRequest: structs.WriteRequest{Token: TestDefaultMasterToken},
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
// Create
var reply string
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
// Check
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
SourceNS: "default",
SourceName: "web",
DestinationNS: "default",
DestinationName: "api",
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceType: structs.IntentionSourceConsul,
},
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
QueryOptions: structs.QueryOptions{Token: token.SecretID},
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
require.True(t, resp.Allowed)
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
// Test no match for sanity
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
agent: rename test to check
2018-05-11 16:19:22 +00:00
Check: &structs.IntentionQueryCheck{
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
SourceNS: "default",
SourceName: "db",
DestinationNS: "default",
DestinationName: "api",
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
SourceType: structs.IntentionSourceConsul,
},
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
QueryOptions: structs.QueryOptions{Token: token.SecretID},
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
agent: rename test to check
2018-05-11 16:19:22 +00:00
var resp structs.IntentionQueryCheckResponse
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow.
2020-01-13 20:51:40 +00:00
require.NoError(t, msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
require.False(t, resp.Allowed)
agent/consul: implement Intention.Test endpoint
2018-05-11 05:35:47 +00:00
}
}