diff --git a/agent/consul/catalog_endpoint_test.go b/agent/consul/catalog_endpoint_test.go index 5b0ea4542..7fb5720dd 100644 --- a/agent/consul/catalog_endpoint_test.go +++ b/agent/consul/catalog_endpoint_test.go @@ -8,6 +8,8 @@ import ( "testing" "time" + "github.com/hashicorp/go-uuid" + msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -191,28 +193,15 @@ func TestCatalog_Register_ACLDeny(t *testing.T) { codec := rpcClient(t, s1) defer codec.Close() - // Create the ACL. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` service "foo" { policy = "write" } node "foo" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } +` + id := createToken(t, codec, rules) argR := structs.RegisterRequest{ Datacenter: "dc1", @@ -272,6 +261,36 @@ node "foo" { } } +func createToken(t *testing.T, cc rpc.ClientCodec, policyRules string) string { + t.Helper() + + reqPolicy := structs.ACLPolicySetRequest{ + Datacenter: "dc1", + Policy: structs.ACLPolicy{ + Name: "the-policy", + Rules: policyRules, + }, + WriteRequest: structs.WriteRequest{Token: "root"}, + } + err := msgpackrpc.CallWithCodec(cc, "ACL.PolicySet", &reqPolicy, &structs.ACLPolicy{}) + require.NoError(t, err) + + token, err := uuid.GenerateUUID() + require.NoError(t, err) + + reqToken := structs.ACLTokenSetRequest{ + Datacenter: "dc1", + ACLToken: structs.ACLToken{ + SecretID: token, + Policies: []structs.ACLTokenPolicyLink{{Name: "the-policy"}}, + }, + WriteRequest: structs.WriteRequest{Token: "root"}, + } + err = msgpackrpc.CallWithCodec(cc, "ACL.TokenSet", &reqToken, &structs.ACLToken{}) + require.NoError(t, err) + return token +} + func TestCatalog_Register_ForwardLeader(t *testing.T) { if testing.Short() { t.Skip("too slow for testing.Short") @@ -438,26 +457,15 @@ func TestCatalog_Register_ConnectProxy_ACLDestinationServiceName(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1") - // Create the ACL. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` service "foo" { policy = "write" } node "foo" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var token string - assert.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &token)) +` + token := createToken(t, codec, rules) // Register should fail because we don't have permission on the destination args := structs.TestRegisterRequestProxy(t) @@ -567,14 +575,7 @@ func TestCatalog_Deregister_ACLDeny(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1") - // Create the ACL. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` + rules := ` node "node" { policy = "write" } @@ -582,14 +583,8 @@ node "node" { service "service" { policy = "write" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } +` + id := createToken(t, codec, rules) // Register a node, node check, service, and service check. argR := structs.RegisterRequest{ @@ -1325,25 +1320,12 @@ func TestCatalog_ListNodes_ACLFilter(t *testing.T) { } } - // Create an ACL that can read the node. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: fmt.Sprintf(` + rules := fmt.Sprintf(` node "%s" { policy = "read" } -`, s1.config.NodeName), - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } +`, s1.config.NodeName) + id := createToken(t, codec, rules) // Now try with the token and it will go through. args.Token = id @@ -2425,24 +2407,13 @@ func TestCatalog_ListServiceNodes_ConnectProxy_ACL(t *testing.T) { testrpc.WaitForLeader(t, s1.RPC, "dc1") - // Create the ACL. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "write" } -node "" { policy = "read" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var token string - require.NoError(t, msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &token)) +node_prefix "" { policy = "read" } +` + token := createToken(t, codec, rules) { // Register a proxy @@ -2717,27 +2688,15 @@ func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, codec rp codec = rpcClient(t, srv) testrpc.WaitForTestAgent(t, srv.RPC, "dc1", testrpc.WithToken("root")) - // Create a new token - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: ` -service "foo" { + rules := ` +service_prefix "foo" { policy = "write" } -node "" { +node_prefix "" { policy = "read" } -`, - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &token); err != nil { - t.Fatalf("err: %v", err) - } +` + token = createToken(t, codec, rules) // Register a service regArg := structs.RegisterRequest{ @@ -2896,25 +2855,12 @@ func TestCatalog_NodeServices_ACLDeny(t *testing.T) { t.Fatalf("should not nil") } - // Create an ACL that can read the node. - arg := structs.ACLRequest{ - Datacenter: "dc1", - Op: structs.ACLSet, - ACL: structs.ACL{ - Name: "User token", - Type: structs.ACLTokenTypeClient, - Rules: fmt.Sprintf(` -node "%s" { + rules := fmt.Sprintf(` +node_prefix "%s" { policy = "read" } -`, s1.config.NodeName), - }, - WriteRequest: structs.WriteRequest{Token: "root"}, - } - var id string - if err := msgpackrpc.CallWithCodec(codec, "ACL.Apply", &arg, &id); err != nil { - t.Fatalf("err: %v", err) - } +`, s1.config.NodeName) + id := createToken(t, codec, rules) // Now try with the token and it will go through. args.Token = id