open-consul/agent/grpc-external/testutils/acl.go

package testutils

import (
	"testing"

	"github.com/stretchr/testify/require"

	"github.com/hashicorp/go-uuid"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/acl/resolver"
	"github.com/hashicorp/consul/agent/structs"
)

func ACLAnonymous(t *testing.T) resolver.Result {
	t.Helper()

	return resolver.Result{
		Authorizer: acl.DenyAll(),
		ACLIdentity: &structs.ACLToken{
			AccessorID: acl.AnonymousTokenID,
		},
	}
}

func ACLsDisabled(t *testing.T) resolver.Result {
	t.Helper()

	return resolver.Result{
		Authorizer: acl.ManageAll(),
	}
}

func ACLNoPermissions(t *testing.T) resolver.Result {
	t.Helper()

	return resolver.Result{
		Authorizer:  acl.DenyAll(),
		ACLIdentity: randomACLIdentity(t),
	}
}

func ACLServiceWriteAny(t *testing.T) resolver.Result {
	t.Helper()

	policy, err := acl.NewPolicyFromSource(`
		service "foo" {
			policy = "write"
		}
	`, nil, nil)
	require.NoError(t, err)

	authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)
	require.NoError(t, err)

	return resolver.Result{
		Authorizer:  authz,
		ACLIdentity: randomACLIdentity(t),
	}
}

func ACLServiceRead(t *testing.T, serviceName string) resolver.Result {
	t.Helper()

	aclRule := &acl.Policy{
		PolicyRules: acl.PolicyRules{
			Services: []*acl.ServiceRule{
				{
					Name:   serviceName,
					Policy: acl.PolicyRead,
				},
			},
		},
	}
	authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{aclRule}, nil)
	require.NoError(t, err)

	return resolver.Result{
		Authorizer:  authz,
		ACLIdentity: randomACLIdentity(t),
	}
}

func randomACLIdentity(t *testing.T) structs.ACLIdentity {
	id, err := uuid.GenerateUUID()
	require.NoError(t, err)

	return &structs.ACLToken{AccessorID: id}
}
[OSS] Supported dataplane features gRPC endpoint Adds a new gRPC service and endpoint to return the list of supported consul dataplane features. The Consul Dataplane will use this API to customize its interaction with that particular server. 2022-03-27 10:59:30 +00:00			`package testutils`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00
			`import (`
			`"testing"`

[OSS] Supported dataplane features gRPC endpoint Adds a new gRPC service and endpoint to return the list of supported consul dataplane features. The Consul Dataplane will use this API to customize its interaction with that particular server. 2022-03-27 10:59:30 +00:00			`"github.com/stretchr/testify/require"`
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`"github.com/hashicorp/go-uuid"`

Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`"github.com/hashicorp/consul/acl"`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`"github.com/hashicorp/consul/acl/resolver"`
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`"github.com/hashicorp/consul/agent/structs"`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`)`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`func ACLAnonymous(t *testing.T) resolver.Result {`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`t.Helper()`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`return resolver.Result{`
			`Authorizer: acl.DenyAll(),`
			`ACLIdentity: &structs.ACLToken{`
Output user-friendly name for anonymous token (#15884) 2023-01-09 18:28:53 +00:00			`AccessorID: acl.AnonymousTokenID,`
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`},`
			`}`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`}`

grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`func ACLsDisabled(t *testing.T) resolver.Result {`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`t.Helper()`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`return resolver.Result{`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Authorizer: acl.ManageAll(),`
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`}`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`}`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`func ACLNoPermissions(t *testing.T) resolver.Result {`
			`t.Helper()`

			`return resolver.Result{`
			`Authorizer: acl.DenyAll(),`
			`ACLIdentity: randomACLIdentity(t),`
			`}`
			`}`

			`func ACLServiceWriteAny(t *testing.T) resolver.Result {`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`t.Helper()`

			policy, err := acl.NewPolicyFromSource(`
			`service "foo" {`
			`policy = "write"`
			`}`
Remove legacy acl policies (#15922) * remove legacy tokens * remove legacy acl policies * flatten test policies to _prefix address oss feedback re: phrasing and tests 2023-02-06 15:35:52 +00:00			`, nil, nil)
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`require.NoError(t, err)`

			`authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{policy}, nil)`
			`require.NoError(t, err)`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`return resolver.Result{`
			`Authorizer: authz,`
			`ACLIdentity: randomACLIdentity(t),`
			`}`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`}`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`func ACLServiceRead(t *testing.T, serviceName string) resolver.Result {`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00			`t.Helper()`

			`aclRule := &acl.Policy{`
			`PolicyRules: acl.PolicyRules{`
			`Services: []*acl.ServiceRule{`
			`{`
			`Name: serviceName,`
			`Policy: acl.PolicyRead,`
			`},`
			`},`
			`},`
			`}`
			`authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{aclRule}, nil)`
			`require.NoError(t, err)`

grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`return resolver.Result{`
			`Authorizer: authz,`
			`ACLIdentity: randomACLIdentity(t),`
			`}`
			`}`

			`func randomACLIdentity(t *testing.T) structs.ACLIdentity {`
			`id, err := uuid.GenerateUUID()`
			`require.NoError(t, err)`

			`return &structs.ACLToken{AccessorID: id}`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00			`}`