luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

agent/consul: convert intention ACLs to testify/assert

This commit is contained in:
Mitchell Hashimoto 2018-03-06 10:51:26 -08:00
parent 6a8bba7d48
commit 23ee0888ec
No known key found for this signature in database
GPG Key ID: 744E147AA52F5B0A
3 changed files with 77 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
acl/policy_test.go
View File

@ -4,6 +4,8 @@ import (
"reflect"
"strings"
"testing"
"github.com/stretchr/testify/assert"
)
func TestParse_table(t *testing.T) {
@ -69,21 +71,14 @@ service "foo" {
for _, tc := range cases {
t.Run(tc.Name, func(t *testing.T) {
assert := assert.New(t)
actual, err := Parse(tc.Input, nil)
if (err != nil) != (tc.Err != "") {
t.Fatalf("err: %s", err)
}
assert.Equal(tc.Err != "", err != nil, err)
if err != nil {
if !strings.Contains(err.Error(), tc.Err) {
t.Fatalf("err: %s", err)
}
assert.Contains(err.Error(), tc.Err)
return
}
if !reflect.DeepEqual(actual, tc.Expected) {
t.Fatalf("bad: %#v", actual)
}
assert.Equal(tc.Expected, actual)
})
}
}

23
agent/consul/acl_test.go
View File

@ -11,6 +11,7 @@ import (
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/testrpc"
"github.com/hashicorp/consul/testutil/retry"
"github.com/stretchr/testify/assert"
)
var testACLPolicy = `
@ -849,6 +850,8 @@ node "node1" {
func TestACL_filterIntentions(t *testing.T) {
t.Parallel()
assert := assert.New(t)
fill := func() structs.Intentions {
return structs.Intentions{
&structs.Intention{
@ -867,9 +870,7 @@ func TestACL_filterIntentions(t *testing.T) {
ixns := fill()
filt := newACLFilter(acl.AllowAll(), nil, false)
filt.filterIntentions(&ixns)
if len(ixns) != 2 {
t.Fatalf("bad: %#v", ixns)
}
assert.Len(ixns, 2)
}
// Try restrictive filtering.
@ -877,9 +878,7 @@ func TestACL_filterIntentions(t *testing.T) {
ixns := fill()
filt := newACLFilter(acl.DenyAll(), nil, false)
filt.filterIntentions(&ixns)
if len(ixns) != 0 {
t.Fatalf("bad: %#v", ixns)
}
assert.Len(ixns, 0)
}
// Policy to see one
@ -888,22 +887,16 @@ service "foo" {
policy = "read"
}
`, nil)
if err != nil {
t.Fatalf("err %v", err)
}
assert.Nil(err)
perms, err := acl.New(acl.DenyAll(), policy, nil)
if err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(err)
// Filter
{
ixns := fill()
filt := newACLFilter(perms, nil, false)
filt.filterIntentions(&ixns)
if len(ixns) != 1 {
t.Fatalf("bad: %#v", ixns)
}
assert.Len(ixns, 1)
}
}

199
agent/consul/intention_endpoint_test.go
View File

@ -307,6 +307,8 @@ func TestIntentionApply_deleteGood(t *testing.T) {
// Test apply with a deny ACL
func TestIntentionApply_aclDeny(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -338,9 +340,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Setup a basic record to create
@ -354,47 +354,38 @@ service "foo" {
// Create without a token should error since default deny
var reply string
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("bad: %v", err)
}
assert.True(acl.IsErrPermissionDenied(err))
// Now add the token and try again.
ixn.WriteRequest.Token = token
if err = msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Read
ixn.Intention.ID = reply
{
req := &structs.IntentionQueryRequest{
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
Datacenter: "dc1",
IntentionID: ixn.Intention.ID,
QueryOptions: structs.QueryOptions{Token: "root"},
}
var resp structs.IndexedIntentions
if err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Intentions) != 1 {
t.Fatalf("bad: %v", resp)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
actual := resp.Intentions[0]
if resp.Index != actual.ModifyIndex {
t.Fatalf("bad index: %d", resp.Index)
}
assert.Equal(resp.Index, actual.ModifyIndex)
actual.CreateIndex, actual.ModifyIndex = 0, 0
actual.CreatedAt = ixn.Intention.CreatedAt
actual.UpdatedAt = ixn.Intention.UpdatedAt
if !reflect.DeepEqual(actual, ixn.Intention) {
t.Fatalf("bad:\n\n%#v\n\n%#v", actual, ixn.Intention)
}
assert.Equal(ixn.Intention, actual)
}
}
// Test apply with delete and a default deny ACL
func TestIntentionApply_aclDelete(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -426,9 +417,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Setup a basic record to create
@ -442,24 +431,18 @@ service "foo" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("bad: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Try to do a delete with no token; this should get rejected.
ixn.Op = structs.IntentionOpDelete
ixn.Intention.ID = reply
ixn.WriteRequest.Token = ""
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("bad: %v", err)
}
assert.True(acl.IsErrPermissionDenied(err))
// Try again with the original token. This should go through.
ixn.WriteRequest.Token = token
if err = msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Verify it is gone
{
@ -469,15 +452,16 @@ service "foo" {
}
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
if err == nil || err.Error() != ErrIntentionNotFound.Error() {
t.Fatalf("err: %v", err)
}
assert.NotNil(err)
assert.Contains(err.Error(), ErrIntentionNotFound.Error())
}
}
// Test apply with update and a default deny ACL
func TestIntentionApply_aclUpdate(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -509,9 +493,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Setup a basic record to create
@ -525,29 +507,25 @@ service "foo" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("bad: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Try to do an update without a token; this should get rejected.
ixn.Op = structs.IntentionOpUpdate
ixn.Intention.ID = reply
ixn.WriteRequest.Token = ""
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("bad: %v", err)
}
assert.True(acl.IsErrPermissionDenied(err))
// Try again with the original token; this should go through.
ixn.WriteRequest.Token = token
if err = msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
}
// Test apply with a management token
func TestIntentionApply_aclManagement(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -571,27 +549,23 @@ func TestIntentionApply_aclManagement(t *testing.T) {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("bad: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
ixn.Intention.ID = reply
// Update
ixn.Op = structs.IntentionOpUpdate
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Delete
ixn.Op = structs.IntentionOpDelete
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
}
// Test update changing the name where an ACL won't allow it
func TestIntentionApply_aclUpdateChange(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -623,9 +597,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Setup a basic record to create
@ -639,9 +611,7 @@ service "foo" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("bad: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
// Try to do an update without a token; this should get rejected.
ixn.Op = structs.IntentionOpUpdate
@ -649,14 +619,14 @@ service "foo" {
ixn.Intention.DestinationName = "foo"
ixn.WriteRequest.Token = token
err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("bad: %v", err)
}
assert.True(acl.IsErrPermissionDenied(err))
}
// Test reading with ACLs
func TestIntentionGet_acl(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -688,9 +658,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Setup a basic record to create
@ -704,9 +672,7 @@ service "foo" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
ixn.Intention.ID = reply
// Read without token should be error
@ -718,12 +684,8 @@ service "foo" {
var resp structs.IndexedIntentions
err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("bad: %v", err)
}
if len(resp.Intentions) != 0 {
t.Fatalf("bad: %v", resp)
}
assert.True(acl.IsErrPermissionDenied(err))
assert.Len(resp.Intentions, 0)
}
// Read with token should work
@ -735,12 +697,8 @@ service "foo" {
}
var resp structs.IndexedIntentions
if err := msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Intentions) != 1 {
t.Fatalf("bad: %v", resp)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Get", req, &resp))
assert.Len(resp.Intentions, 1)
}
}
@ -771,6 +729,8 @@ func TestIntentionList(t *testing.T) {
// Test listing with ACLs
func TestIntentionList_acl(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -802,9 +762,7 @@ service "foo" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Create a few records
@ -819,9 +777,7 @@ service "foo" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
}
// Test with no token
@ -830,13 +786,8 @@ service "foo" {
Datacenter: "dc1",
}
var resp structs.IndexedIntentions
if err := msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Intentions) != 0 {
t.Fatalf("bad: %v", resp)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
assert.Len(resp.Intentions, 0)
}
// Test with management token
@ -846,13 +797,8 @@ service "foo" {
QueryOptions: structs.QueryOptions{Token: "root"},
}
var resp structs.IndexedIntentions
if err := msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Intentions) != 3 {
t.Fatalf("bad: %v", resp)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
assert.Len(resp.Intentions, 3)
}
// Test with user token
@ -862,13 +808,8 @@ service "foo" {
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentions
if err := msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Intentions) != 1 {
t.Fatalf("bad: %v", resp)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.List", req, &resp))
assert.Len(resp.Intentions, 1)
}
}
@ -944,6 +885,8 @@ func TestIntentionMatch_good(t *testing.T) {
// Test matching with ACLs
func TestIntentionMatch_acl(t *testing.T) {
t.Parallel()
assert := assert.New(t)
dir1, s1 := testServerWithConfig(t, func(c *Config) {
c.ACLDatacenter = "dc1"
c.ACLMasterToken = "root"
@ -975,9 +918,7 @@ service "bar" {
},
WriteRequest: structs.WriteRequest{Token: "root"},
}
if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
}
// Create some records
@ -1003,9 +944,7 @@ service "bar" {
// Create
var reply string
if err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply); err != nil {
t.Fatalf("err: %v", err)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply))
}
}
@ -1025,13 +964,8 @@ service "bar" {
}
var resp structs.IndexedIntentionMatches
err := msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp)
if !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err)
}
if len(resp.Matches) != 0 {
t.Fatalf("bad: %#v", resp.Matches)
}
assert.True(acl.IsErrPermissionDenied(err))
assert.Len(resp.Matches, 0)
}
// Test with proper token
@ -1050,13 +984,8 @@ service "bar" {
QueryOptions: structs.QueryOptions{Token: token},
}
var resp structs.IndexedIntentionMatches
if err := msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp); err != nil {
t.Fatalf("err: %v", err)
}
if len(resp.Matches) != 1 {
t.Fatalf("bad: %#v", resp.Matches)
}
assert.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Match", req, &resp))
assert.Len(resp.Matches, 1)
expected := [][]string{{"foo", "bar"}, {"foo", "*"}, {"*", "*"}}
var actual [][]string
@ -1064,8 +993,6 @@ service "bar" {
actual = append(actual, []string{ixn.DestinationNS, ixn.DestinationName})
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad (got, wanted):\n\n%#v\n\n%#v", actual, expected)
}
assert.Equal(expected, actual)
}
}