package agent
import (
"bytes"
"encoding/json"
"io"
"net/http"
"net/http/httptest"
"testing"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/testrpc"
"github.com/stretchr/testify/require"
)
// NOTE: The tests contained herein are designed to test the HTTP API
// They are not intended to thoroughly test the backing RPC
// functionality as that will be done with other tests.
// TestACL_Disabled_Response checks that every ACL HTTP endpoint refuses to
// serve while ACLs are disabled on the agent: the handler returns no object
// and no error, writes 401 Unauthorized and an "ACL support disabled" message.
func TestACL_Disabled_Response(t *testing.T) {
	t.Parallel()
	// No extra config: ACLs stay disabled on this agent.
	a := NewTestAgent(t, t.Name(), "")
	defer a.Shutdown()

	type endpoint func(resp http.ResponseWriter, req *http.Request) (interface{}, error)

	cases := []struct {
		name string
		fn   endpoint
	}{
		{"ACLBootstrap", a.srv.ACLBootstrap},
		{"ACLReplicationStatus", a.srv.ACLReplicationStatus},
		{"AgentToken", a.srv.AgentToken}, // See TestAgent_Token
		{"ACLRulesTranslate", a.srv.ACLRulesTranslate},
		{"ACLRulesTranslateLegacyToken", a.srv.ACLRulesTranslateLegacyToken},
		{"ACLPolicyList", a.srv.ACLPolicyList},
		{"ACLPolicyCRUD", a.srv.ACLPolicyCRUD},
		{"ACLPolicyCreate", a.srv.ACLPolicyCreate},
		{"ACLTokenList", a.srv.ACLTokenList},
		{"ACLTokenCreate", a.srv.ACLTokenCreate},
		{"ACLTokenSelf", a.srv.ACLTokenSelf},
		{"ACLTokenCRUD", a.srv.ACLTokenCRUD},
	}

	testrpc.WaitForLeader(t, a.RPC, "dc1")
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Method and path are placeholders: the same "disabled" response
			// is expected from every endpoint regardless of what is requested.
			req, _ := http.NewRequest("PUT", "/should/not/care", nil)
			rec := httptest.NewRecorder()

			obj, err := tc.fn(rec, req)
			require.NoError(t, err)
			require.Nil(t, obj)
			require.Equal(t, http.StatusUnauthorized, rec.Code)
			require.Contains(t, rec.Body.String(), "ACL support disabled")
		})
	}
}
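// jsonBody JSON-encodes v and returns the encoded bytes as a request body.
//
// An encoding failure is a bug in the test that supplied v, so it panics
// rather than silently handing the endpoint under test an empty body (which
// would fail later with a misleading "bad request" instead of at the source).
func jsonBody(v interface{}) io.Reader {
	var body bytes.Buffer
	if err := json.NewEncoder(&body).Encode(v); err != nil {
		panic("jsonBody: " + err.Error())
	}
	return &body
}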
// TestACL_Bootstrap exercises the one-shot ACL bootstrap endpoint: with no
// master token configured the first PUT succeeds and returns a freshly minted
// token, and a second PUT is refused with 403 Forbidden and no body.
func TestACL_Bootstrap(t *testing.T) {
	t.Parallel()
	// Clear the master token from the stock ACL config so the cluster starts
	// without a pre-seeded management token and bootstrap is permitted.
	a := NewTestAgent(t, t.Name(), TestACLConfig()+`
acl_master_token = ""
`)
	defer a.Shutdown()

	// Order matters: the second step relies on the first having already
	// bootstrapped the ACL system.
	steps := []struct {
		name      string
		method    string
		code      int
		wantToken bool
	}{
		{"bootstrap", "PUT", http.StatusOK, true},
		{"not again", "PUT", http.StatusForbidden, false},
	}

	testrpc.WaitForLeader(t, a.RPC, "dc1")
	for _, step := range steps {
		t.Run(step.name, func(t *testing.T) {
			rec := httptest.NewRecorder()
			req, _ := http.NewRequest(step.method, "/v1/acl/bootstrap", nil)

			out, err := a.srv.ACLBootstrap(rec, req)
			// Only the successful bootstrap is required to be error-free; the
			// refused attempt is judged by its status code and empty result.
			if step.wantToken && err != nil {
				t.Fatalf("err: %v", err)
			}
			if got, want := rec.Code, step.code; got != want {
				t.Fatalf("got %d want %d", got, want)
			}

			if !step.wantToken {
				if out != nil {
					t.Fatalf("bad: %T", out)
				}
				return
			}

			wrap, ok := out.(*aclBootstrapResponse)
			if !ok {
				t.Fatalf("bad: %T", out)
			}
			// The minted ID must be UUID-sized, and the response is expected
			// to carry the same value in both ID and SecretID.
			if len(wrap.ID) != len("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") {
				t.Fatalf("bad: %v", wrap)
			}
			if wrap.ID != wrap.SecretID {
				t.Fatalf("bad: %v", wrap)
			}
		})
	}
}
// TestACL_HTTP drives the ACL policy and token HTTP endpoints end to end
// against a single ACL-enabled test agent. The subtests share
// idMap/policyMap/tokenMap and run in declaration order, so later subtests
// depend on state created by earlier ones; do not reorder or parallelize them.
func TestACL_HTTP(t *testing.T) {
	t.Parallel()
	a := NewTestAgent(t, t.Name(), TestACLConfig())
	defer a.Shutdown()

	testrpc.WaitForLeader(t, a.RPC, "dc1")

	// idMap maps a human-readable key ("policy-test", "token-local", ...) to
	// the server-assigned ID; policyMap/tokenMap hold the last object the API
	// returned for that ID so later reads and lists can be compared against it.
	idMap := make(map[string]string)
	policyMap := make(map[string]*structs.ACLPolicy)
	tokenMap := make(map[string]*structs.ACLToken)

	// NOTE(review): every request below authenticates through the "token"
	// query parameter, so the secret is part of the request URL; that is the
	// form these tests exercise — confirm other auth forms are covered elsewhere.

	// This is all done as a subtest for a couple reasons
	// 1. It uses only 1 test agent and these are
	// somewhat expensive to bring up and tear down often
	// 2. Instead of having to bring up a new agent and prime
	// the ACL system with some data before running the test
	// we can intelligently order these tests so we can still
	// test everything with less actual operations and do
	// so in a manner that is less prone to being flaky
	// 3. While this test will be large it should
	// stay navigable because every operation is its own named subtest
	t.Run("Policy", func(t *testing.T) {
		t.Run("Create", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				Name:        "test",
				Description: "test",
				Rules:       `acl = "read"`,
				Datacenters: []string{"dc1"},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLPolicyCreate(resp, req)
			require.NoError(t, err)

			policy, ok := obj.(*structs.ACLPolicy)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, policy.ID, 36)
			require.Equal(t, policyInput.Name, policy.Name)
			require.Equal(t, policyInput.Description, policy.Description)
			require.Equal(t, policyInput.Rules, policy.Rules)
			require.Equal(t, policyInput.Datacenters, policy.Datacenters)
			// A freshly created object has equal create/modify indexes.
			require.True(t, policy.CreateIndex > 0)
			require.Equal(t, policy.CreateIndex, policy.ModifyIndex)
			require.NotNil(t, policy.Hash)
			require.NotEqual(t, policy.Hash, []byte{})

			idMap["policy-test"] = policy.ID
			policyMap[policy.ID] = policy
		})

		// Only Name and Rules are supplied; the optional fields are expected
		// to round-trip as their zero values.
		t.Run("Minimal", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				Name:  "minimal",
				Rules: `key_prefix "" { policy = "read" }`,
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLPolicyCreate(resp, req)
			require.NoError(t, err)

			policy, ok := obj.(*structs.ACLPolicy)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, policy.ID, 36)
			require.Equal(t, policyInput.Name, policy.Name)
			require.Equal(t, policyInput.Description, policy.Description)
			require.Equal(t, policyInput.Rules, policy.Rules)
			require.Equal(t, policyInput.Datacenters, policy.Datacenters)
			require.True(t, policy.CreateIndex > 0)
			require.Equal(t, policy.CreateIndex, policy.ModifyIndex)
			require.NotNil(t, policy.Hash)
			require.NotEqual(t, policy.Hash, []byte{})

			idMap["policy-minimal"] = policy.ID
			policyMap[policy.ID] = policy
		})

		// Dashes, underscores and digits are all accepted in a policy name.
		t.Run("Name Chars", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				Name:  "read-all_nodes-012",
				Rules: `node_prefix "" { policy = "read" }`,
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLPolicyCreate(resp, req)
			require.NoError(t, err)

			policy, ok := obj.(*structs.ACLPolicy)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, policy.ID, 36)
			require.Equal(t, policyInput.Name, policy.Name)
			require.Equal(t, policyInput.Description, policy.Description)
			require.Equal(t, policyInput.Rules, policy.Rules)
			require.Equal(t, policyInput.Datacenters, policy.Datacenters)
			require.True(t, policy.CreateIndex > 0)
			require.Equal(t, policy.CreateIndex, policy.ModifyIndex)
			require.NotNil(t, policy.Hash)
			require.NotEqual(t, policy.Hash, []byte{})

			idMap["policy-read-all-nodes"] = policy.ID
			policyMap[policy.ID] = policy
		})

		// The ID in the body differs from the ID in the URL; the update must
		// be rejected as a bad request rather than applied to either policy.
		t.Run("Update Name ID Mistmatch", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				ID:          "ac7560be-7f11-4d6d-bfcf-15633c2090fd",
				Name:        "read-all-nodes",
				Description: "Can read all node information",
				Rules:       `node_prefix "" { policy = "read" }`,
				Datacenters: []string{"dc1"},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy/"+idMap["policy-read-all-nodes"]+"?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLPolicyCRUD(resp, req)
			require.Error(t, err)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		// A trailing slash with no ID must be a bad request, not a lookup of
		// the empty ID.
		t.Run("Policy CRUD Missing ID in URL", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/policy/?token=root", nil)
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLPolicyCRUD(resp, req)
			require.Error(t, err)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		// Same payload as the mismatch case but without a body ID, so the URL
		// ID is authoritative and the update goes through.
		t.Run("Update", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				Name:        "read-all-nodes",
				Description: "Can read all node information",
				Rules:       `node_prefix "" { policy = "read" }`,
				Datacenters: []string{"dc1"},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy/"+idMap["policy-read-all-nodes"]+"?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLPolicyCRUD(resp, req)
			require.NoError(t, err)

			policy, ok := obj.(*structs.ACLPolicy)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, policy.ID, 36)
			require.Equal(t, policyInput.Name, policy.Name)
			require.Equal(t, policyInput.Description, policy.Description)
			require.Equal(t, policyInput.Rules, policy.Rules)
			require.Equal(t, policyInput.Datacenters, policy.Datacenters)
			require.True(t, policy.CreateIndex > 0)
			// An update must advance ModifyIndex past the original CreateIndex.
			require.True(t, policy.CreateIndex < policy.ModifyIndex)
			require.NotNil(t, policy.Hash)
			require.NotEqual(t, policy.Hash, []byte{})

			idMap["policy-read-all-nodes"] = policy.ID
			policyMap[policy.ID] = policy
		})

		// Clients may not choose their own policy ID on create.
		t.Run("ID Supplied", func(t *testing.T) {
			policyInput := &structs.ACLPolicy{
				ID:          "12123d01-37f1-47e6-b55b-32328652bd38",
				Name:        "with-id",
				Description: "test",
				Rules:       `acl = "read"`,
				Datacenters: []string{"dc1"},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonBody(policyInput))
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLPolicyCreate(resp, req)
			require.Error(t, err)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		// Non-JSON bytes must surface as a BadRequestError, not as a server
		// error or a silently created empty policy.
		t.Run("Invalid payload", func(t *testing.T) {
			body := bytes.NewBuffer(nil)
			body.Write([]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9})

			req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", body)
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLPolicyCreate(resp, req)
			require.Error(t, err)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		t.Run("Delete", func(t *testing.T) {
			req, _ := http.NewRequest("DELETE", "/v1/acl/policy/"+idMap["policy-minimal"]+"?token=root", nil)
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLPolicyCRUD(resp, req)
			require.NoError(t, err)
			// Keep the bookkeeping maps in sync so the List count below is right.
			delete(policyMap, idMap["policy-minimal"])
			delete(idMap, "policy-minimal")
		})

		t.Run("List", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/policies?token=root", nil)
			resp := httptest.NewRecorder()
			raw, err := a.srv.ACLPolicyList(resp, req)
			require.NoError(t, err)
			policies, ok := raw.(structs.ACLPolicyListStubs)
			require.True(t, ok)

			// 2 we just created + global management
			// (3 were created above, 1 was deleted)
			require.Len(t, policies, 3)

			// Every policy we still track must appear in the listing with the
			// same metadata the create/update responses reported.
			for policyID, expected := range policyMap {
				found := false
				for _, actual := range policies {
					if actual.ID == policyID {
						require.Equal(t, expected.Name, actual.Name)
						require.Equal(t, expected.Datacenters, actual.Datacenters)
						require.Equal(t, expected.Hash, actual.Hash)
						require.Equal(t, expected.CreateIndex, actual.CreateIndex)
						require.Equal(t, expected.ModifyIndex, actual.ModifyIndex)
						found = true
						break
					}
				}

				require.True(t, found)
			}
		})

		t.Run("Read", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/policy/"+idMap["policy-read-all-nodes"]+"?token=root", nil)
			resp := httptest.NewRecorder()
			raw, err := a.srv.ACLPolicyCRUD(resp, req)
			require.NoError(t, err)
			policy, ok := raw.(*structs.ACLPolicy)
			require.True(t, ok)
			// A read must return exactly what the last update returned.
			require.Equal(t, policyMap[idMap["policy-read-all-nodes"]], policy)
		})
	})

	t.Run("Token", func(t *testing.T) {
		t.Run("Create", func(t *testing.T) {
			// No IDs are supplied: both AccessorID and SecretID are expected
			// to be generated server-side.
			tokenInput := &structs.ACLToken{
				Description: "test",
				Policies: []structs.ACLTokenPolicyLink{
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-test"],
						Name: policyMap[idMap["policy-test"]].Name,
					},
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-read-all-nodes"],
						Name: policyMap[idMap["policy-read-all-nodes"]].Name,
					},
				},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/token?token=root", jsonBody(tokenInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCreate(resp, req)
			require.NoError(t, err)

			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, token.AccessorID, 36)
			require.Len(t, token.SecretID, 36)
			require.Equal(t, tokenInput.Description, token.Description)
			require.Equal(t, tokenInput.Policies, token.Policies)
			require.True(t, token.CreateIndex > 0)
			require.Equal(t, token.CreateIndex, token.ModifyIndex)
			require.NotNil(t, token.Hash)
			require.NotEqual(t, token.Hash, []byte{})

			idMap["token-test"] = token.AccessorID
			tokenMap[token.AccessorID] = token
		})

		// Same as Create but with Local set, so a local token is present for
		// the List comparison of the Local field below.
		t.Run("Create Local", func(t *testing.T) {
			tokenInput := &structs.ACLToken{
				Description: "local",
				Policies: []structs.ACLTokenPolicyLink{
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-test"],
						Name: policyMap[idMap["policy-test"]].Name,
					},
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-read-all-nodes"],
						Name: policyMap[idMap["policy-read-all-nodes"]].Name,
					},
				},
				Local: true,
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/token?token=root", jsonBody(tokenInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCreate(resp, req)
			require.NoError(t, err)

			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)

			// 36 = length of the string form of uuids
			require.Len(t, token.AccessorID, 36)
			require.Len(t, token.SecretID, 36)
			require.Equal(t, tokenInput.Description, token.Description)
			require.Equal(t, tokenInput.Policies, token.Policies)
			require.True(t, token.CreateIndex > 0)
			require.Equal(t, token.CreateIndex, token.ModifyIndex)
			require.NotNil(t, token.Hash)
			require.NotEqual(t, token.Hash, []byte{})

			idMap["token-local"] = token.AccessorID
			tokenMap[token.AccessorID] = token
		})

		t.Run("Read", func(t *testing.T) {
			expected := tokenMap[idMap["token-test"]]
			req, _ := http.NewRequest("GET", "/v1/acl/token/"+expected.AccessorID+"?token=root", nil)
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCRUD(resp, req)
			require.NoError(t, err)
			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)
			require.Equal(t, expected, token)
		})

		// Authenticates with the token's own SecretID (not root) and expects
		// that token's own record back.
		t.Run("Self", func(t *testing.T) {
			expected := tokenMap[idMap["token-test"]]
			req, _ := http.NewRequest("GET", "/v1/acl/token/self?token="+expected.SecretID, nil)
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenSelf(resp, req)
			require.NoError(t, err)
			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)
			require.Equal(t, expected, token)
		})

		// A clone gets fresh AccessorID/SecretID values and the description
		// from the request body, but inherits the base token's policy links.
		t.Run("Clone", func(t *testing.T) {
			tokenInput := &structs.ACLToken{
				Description: "cloned token",
			}

			baseToken := tokenMap[idMap["token-test"]]

			req, _ := http.NewRequest("PUT", "/v1/acl/token/"+baseToken.AccessorID+"/clone?token=root", jsonBody(tokenInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCRUD(resp, req)
			require.NoError(t, err)
			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)

			require.NotEqual(t, baseToken.AccessorID, token.AccessorID)
			require.NotEqual(t, baseToken.SecretID, token.SecretID)
			require.Equal(t, tokenInput.Description, token.Description)
			require.Equal(t, baseToken.Policies, token.Policies)
			require.True(t, token.CreateIndex > 0)
			require.Equal(t, token.CreateIndex, token.ModifyIndex)
			require.NotNil(t, token.Hash)
			require.NotEqual(t, token.Hash, []byte{})

			idMap["token-cloned"] = token.AccessorID
			tokenMap[token.AccessorID] = token
		})

		t.Run("Update", func(t *testing.T) {
			originalToken := tokenMap[idMap["token-cloned"]]

			// Accessor and Secret will be filled in
			// (from the URL / the stored token; the update must not rotate them)
			tokenInput := &structs.ACLToken{
				Description: "Better description for this cloned token",
				Policies: []structs.ACLTokenPolicyLink{
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-read-all-nodes"],
						Name: policyMap[idMap["policy-read-all-nodes"]].Name,
					},
				},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/token/"+originalToken.AccessorID+"?token=root", jsonBody(tokenInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCRUD(resp, req)
			require.NoError(t, err)
			token, ok := obj.(*structs.ACLToken)
			require.True(t, ok)

			require.Equal(t, originalToken.AccessorID, token.AccessorID)
			require.Equal(t, originalToken.SecretID, token.SecretID)
			require.Equal(t, tokenInput.Description, token.Description)
			require.Equal(t, tokenInput.Policies, token.Policies)
			require.True(t, token.CreateIndex > 0)
			require.True(t, token.CreateIndex < token.ModifyIndex)
			require.NotNil(t, token.Hash)
			require.NotEqual(t, token.Hash, []byte{})
			// Changing description/policies must change the content hash.
			require.NotEqual(t, token.Hash, originalToken.Hash)

			tokenMap[token.AccessorID] = token
		})

		t.Run("CRUD Missing Token Accessor ID", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/token/?token=root", nil)
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCRUD(resp, req)
			require.Error(t, err)
			require.Nil(t, obj)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		// The body names an AccessorID that differs from the one in the URL;
		// the update must be rejected as a bad request.
		t.Run("Update Accessor Mismatch", func(t *testing.T) {
			originalToken := tokenMap[idMap["token-cloned"]]

			// Unlike the Update case above, AccessorID is deliberately set here.
			tokenInput := &structs.ACLToken{
				AccessorID:  "e8aeb69a-0ace-42b9-b95f-d1d9eafe1561",
				Description: "Better description for this cloned token",
				Policies: []structs.ACLTokenPolicyLink{
					structs.ACLTokenPolicyLink{
						ID:   idMap["policy-read-all-nodes"],
						Name: policyMap[idMap["policy-read-all-nodes"]].Name,
					},
				},
			}

			req, _ := http.NewRequest("PUT", "/v1/acl/token/"+originalToken.AccessorID+"?token=root", jsonBody(tokenInput))
			resp := httptest.NewRecorder()
			obj, err := a.srv.ACLTokenCRUD(resp, req)
			require.Error(t, err)
			require.Nil(t, obj)
			_, ok := err.(BadRequestError)
			require.True(t, ok)
		})

		t.Run("Delete", func(t *testing.T) {
			req, _ := http.NewRequest("DELETE", "/v1/acl/token/"+idMap["token-cloned"]+"?token=root", nil)
			resp := httptest.NewRecorder()
			_, err := a.srv.ACLTokenCRUD(resp, req)
			require.NoError(t, err)
			// Keep the bookkeeping maps in sync so the List count below is right.
			delete(tokenMap, idMap["token-cloned"])
			delete(idMap, "token-cloned")
		})

		t.Run("List", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/tokens?token=root", nil)
			resp := httptest.NewRecorder()
			raw, err := a.srv.ACLTokenList(resp, req)
			require.NoError(t, err)
			tokens, ok := raw.(structs.ACLTokenListStubs)
			require.True(t, ok)

			// 3 tokens created but 1 was deleted + master token + anon token
			require.Len(t, tokens, 4)

			// this loop doesn't verify anything about the master token
			// NOTE(review): SecretID is not among the compared fields —
			// presumably the list stubs do not carry secrets; confirm.
			for tokenID, expected := range tokenMap {
				found := false
				for _, actual := range tokens {
					if actual.AccessorID == tokenID {
						require.Equal(t, expected.Description, actual.Description)
						require.Equal(t, expected.Policies, actual.Policies)
						require.Equal(t, expected.Local, actual.Local)
						require.Equal(t, expected.CreateTime, actual.CreateTime)
						require.Equal(t, expected.Hash, actual.Hash)
						require.Equal(t, expected.CreateIndex, actual.CreateIndex)
						require.Equal(t, expected.ModifyIndex, actual.ModifyIndex)
						found = true
						break
					}
				}
				require.True(t, found)
			}
		})

		// Filtering by the global-management policy must return only the
		// master token, since none of the tokens created above link to it.
		t.Run("List by Policy", func(t *testing.T) {
			req, _ := http.NewRequest("GET", "/v1/acl/tokens?token=root&policy="+structs.ACLPolicyGlobalManagementID, nil)
			resp := httptest.NewRecorder()
			raw, err := a.srv.ACLTokenList(resp, req)
			require.NoError(t, err)
			tokens, ok := raw.(structs.ACLTokenListStubs)
			require.True(t, ok)
			require.Len(t, tokens, 1)
			token := tokens[0]
			require.Equal(t, "Master Token", token.Description)
			require.Len(t, token.Policies, 1)
			require.Equal(t, structs.ACLPolicyGlobalManagementID, token.Policies[0].ID)
		})
	})
}