test: add helper for permission denied check

Frank Schroeder 2017-05-09 14:17:21 +02:00 committed by Frank Schröder
parent 6073c53089
commit 4174cc283b
3 changed files with 32 additions and 47 deletions


@ -537,7 +537,7 @@ func TestACL_vetServiceRegister(t *testing.T) {
ID: "my-service", ID: "my-service",
Service: "service", Service: "service",
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -551,7 +551,7 @@ func TestACL_vetServiceRegister(t *testing.T) {
ID: "my-service", ID: "my-service",
Service: "service", Service: "service",
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -589,7 +589,7 @@ func TestACL_vetServiceUpdate(t *testing.T) {
// Update without write privs. // Update without write privs.
err = agent.vetServiceUpdate("service-ro", "my-service") err = agent.vetServiceUpdate("service-ro", "my-service")
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -625,7 +625,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
ServiceID: "my-service", ServiceID: "my-service",
ServiceName: "service", ServiceName: "service",
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -641,7 +641,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
err = agent.vetCheckRegister("node-ro", &structs.HealthCheck{ err = agent.vetCheckRegister("node-ro", &structs.HealthCheck{
CheckID: types.CheckID("my-check"), CheckID: types.CheckID("my-check"),
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -661,7 +661,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
ServiceID: "my-service", ServiceID: "my-service",
ServiceName: "service", ServiceName: "service",
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -674,7 +674,7 @@ func TestACL_vetCheckRegister(t *testing.T) {
ServiceID: "my-service", ServiceID: "my-service",
ServiceName: "service", ServiceName: "service",
}) })
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -717,7 +717,7 @@ func TestACL_vetCheckUpdate(t *testing.T) {
// Update service check without write privs. // Update service check without write privs.
err = agent.vetCheckUpdate("service-ro", "my-service-check") err = agent.vetCheckUpdate("service-ro", "my-service-check")
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -732,7 +732,7 @@ func TestACL_vetCheckUpdate(t *testing.T) {
// Update without write privs. // Update without write privs.
err = agent.vetCheckUpdate("node-ro", "my-node-check") err = agent.vetCheckUpdate("node-ro", "my-node-check")
if err == nil || !strings.Contains(err.Error(), permissionDenied) { if !isPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
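Review bot: When the ACL check wrongly allows the call, err is nil and each of these assertions fails with `err: <nil>`, which does not tell the reader that a denial was expected. Now that the condition is a named helper, the message could say so, for example `t.Fatalf("expected permission denied, got: %v", err)`. The same message appears in all nine hunks of this file and in the endpoint test hunks of the next file. The enclosing test functions start and end outside the hunks.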


@ -229,8 +229,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
// Try without a token. // Try without a token.
req, _ := http.NewRequest("GET", "/v1/agent/self", nil) req, _ := http.NewRequest("GET", "/v1/agent/self", nil)
_, err := srv.AgentSelf(nil, req) if _, err := srv.AgentSelf(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -330,16 +329,14 @@ func TestAgent_Reload_ACLDeny(t *testing.T) {
// Try without a token. // Try without a token.
req, _ := http.NewRequest("PUT", "/v1/agent/reload", nil) req, _ := http.NewRequest("PUT", "/v1/agent/reload", nil)
_, err := srv.AgentReload(nil, req) if _, err := srv.AgentReload(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
// Try with a read only token (resolved on the servers). // Try with a read only token (resolved on the servers).
ro := makeReadOnlyAgentACL(t, srv) ro := makeReadOnlyAgentACL(t, srv)
req, _ = http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil) req, _ = http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil)
_, err = srv.AgentReload(nil, req) if _, err := srv.AgentReload(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -500,8 +497,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
// Try without a token. // Try without a token.
{ {
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s", addr), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s", addr), nil)
_, err := srv.AgentJoin(nil, req) if _, err := srv.AgentJoin(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -519,8 +515,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
ro := makeReadOnlyAgentACL(t, srv) ro := makeReadOnlyAgentACL(t, srv)
{ {
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil)
_, err := srv.AgentJoin(nil, req) if _, err := srv.AgentJoin(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -572,8 +567,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
defer srv.agent.Shutdown() defer srv.agent.Shutdown()
req, _ := http.NewRequest("PUT", "/v1/agent/leave", nil) req, _ := http.NewRequest("PUT", "/v1/agent/leave", nil)
_, err := srv.AgentLeave(nil, req) if _, err := srv.AgentLeave(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
}() }()
@ -601,8 +595,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
ro := makeReadOnlyAgentACL(t, srv) ro := makeReadOnlyAgentACL(t, srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil)
_, err := srv.AgentLeave(nil, req) if _, err := srv.AgentLeave(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
}() }()
@ -654,8 +647,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
// Try without a token. // Try without a token.
{ {
req, _ := http.NewRequest("GET", "/v1/agent/force-leave/nope", nil) req, _ := http.NewRequest("GET", "/v1/agent/force-leave/nope", nil)
_, err := srv.AgentForceLeave(nil, req) if _, err := srv.AgentForceLeave(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -673,8 +665,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
ro := makeReadOnlyAgentACL(t, srv) ro := makeReadOnlyAgentACL(t, srv)
{ {
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/force-leave/nope?token=%s", ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/force-leave/nope?token=%s", ro), nil)
_, err := srv.AgentForceLeave(nil, req) if _, err := srv.AgentForceLeave(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
} }
@ -808,8 +799,7 @@ func TestAgent_RegisterCheck_ACLDeny(t *testing.T) {
}, },
} }
req.Body = encodeReq(args) req.Body = encodeReq(args)
_, err := srv.AgentRegisterCheck(nil, req) if _, err := srv.AgentRegisterCheck(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -861,8 +851,7 @@ func TestAgent_DeregisterCheckACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("GET", "/v1/agent/check/deregister/test", nil) req, _ := http.NewRequest("GET", "/v1/agent/check/deregister/test", nil)
_, err := srv.AgentDeregisterCheck(nil, req) if _, err := srv.AgentDeregisterCheck(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -915,8 +904,7 @@ func TestAgent_PassCheck_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("GET", "/v1/agent/check/pass/test", nil) req, _ := http.NewRequest("GET", "/v1/agent/check/pass/test", nil)
_, err := srv.AgentCheckPass(nil, req) if _, err := srv.AgentCheckPass(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -969,8 +957,7 @@ func TestAgent_WarnCheck_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("GET", "/v1/agent/check/warn/test", nil) req, _ := http.NewRequest("GET", "/v1/agent/check/warn/test", nil)
_, err := srv.AgentCheckWarn(nil, req) if _, err := srv.AgentCheckWarn(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1023,8 +1010,7 @@ func TestAgent_FailCheck_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("GET", "/v1/agent/check/fail/test", nil) req, _ := http.NewRequest("GET", "/v1/agent/check/fail/test", nil)
_, err := srv.AgentCheckFail(nil, req) if _, err := srv.AgentCheckFail(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1163,8 +1149,7 @@ func TestAgent_UpdateCheck_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", nil) req, _ := http.NewRequest("PUT", "/v1/agent/check/update/test", nil)
req.Body = encodeReq(checkUpdate{api.HealthPassing, "hello-passing"}) req.Body = encodeReq(checkUpdate{api.HealthPassing, "hello-passing"})
_, err := srv.AgentCheckUpdate(nil, req) if _, err := srv.AgentCheckUpdate(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1256,8 +1241,7 @@ func TestAgent_RegisterService_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("GET", "/v1/agent/service/register", nil) req, _ := http.NewRequest("GET", "/v1/agent/service/register", nil)
req.Body = encodeReq(args) req.Body = encodeReq(args)
_, err := srv.AgentRegisterService(nil, req) if _, err := srv.AgentRegisterService(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1349,8 +1333,7 @@ func TestAgent_DeregisterService_ACLDeny(t *testing.T) {
// Try without a token. // Try without a token.
req, _ := http.NewRequest("GET", "/v1/agent/service/deregister/test", nil) req, _ := http.NewRequest("GET", "/v1/agent/service/deregister/test", nil)
_, err := srv.AgentDeregisterService(nil, req) if _, err := srv.AgentDeregisterService(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1505,8 +1488,7 @@ func TestAgent_ServiceMaintenance_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=true&reason=broken", nil) req, _ := http.NewRequest("PUT", "/v1/agent/service/maintenance/test?enable=true&reason=broken", nil)
_, err := srv.AgentServiceMaintenance(nil, req) if _, err := srv.AgentServiceMaintenance(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -1610,8 +1592,7 @@ func TestAgent_NodeMaintenance_ACLDeny(t *testing.T) {
// Try with no token. // Try with no token.
req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=true&reason=broken", nil) req, _ := http.NewRequest("PUT", "/v1/agent/self/maintenance?enable=true&reason=broken", nil)
_, err := srv.AgentNodeMaintenance(nil, req) if _, err := srv.AgentNodeMaintenance(nil, req); !isPermissionDenied(err) {
if err == nil || !strings.Contains(err.Error(), permissionDenied) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
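Review bot: Every rewritten check in this file discards the handler's first return value, as in `if _, err := srv.AgentSelf(nil, req); !isPermissionDenied(err) {`, so a handler that returned data together with the permission-denied error would still pass. For a deny test it is worth asserting that nothing came back, for example `if obj, err := srv.AgentSelf(nil, req); obj != nil || !isPermissionDenied(err) {`. Whether the HTTP layer drops the value when err is set is not visible in these hunks, so this may be defence in depth rather than a live gap. Separately, err is now scoped to each `if`, and in the Reload hunk the second call used to assign the outer err. Any later use of err in these functions, which continue outside the hunks, should be checked.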


@ -697,3 +697,7 @@ func httpTestWithConfig(t *testing.T, f func(srv *HTTPServer), cb func(c *Config
testrpc.WaitForLeader(t, srv.agent.RPC, "dc1") testrpc.WaitForLeader(t, srv.agent.RPC, "dc1")
f(srv) f(srv)
} }
func isPermissionDenied(err error) bool {
return err != nil && strings.Contains(err.Error(), errPermissionDenied.Error())
}
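Review bot: `isPermissionDenied` has no doc comment, and it matches by substring on `errPermissionDenied.Error()` where the replaced checks used the `permissionDenied` constant; the hunk does not show that the two carry the same text. I would add `// isPermissionDenied reports whether err is non-nil and its message contains the text of errPermissionDenied; a nil err (call allowed) yields false.` If the substring match is deliberate because the error may arrive wrapped or rebuilt from a string, presumably after crossing RPC, a second comment line saying so would stop someone tightening it to `==` later.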