consul: testing acl filters in isolation
This commit is contained in:
parent
e413b0e7c7
commit
63a2737cac
|
@ -3,6 +3,7 @@ package consul
|
|||
import (
|
||||
"errors"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
|
@ -201,6 +202,14 @@ type aclFilter struct {
|
|||
logger *log.Logger
|
||||
}
|
||||
|
||||
// newAclFilter constructs a new aclFilter.
|
||||
func newAclFilter(acl acl.ACL, logger *log.Logger) *aclFilter {
|
||||
if logger == nil {
|
||||
logger = log.New(os.Stdout, "", log.LstdFlags)
|
||||
}
|
||||
return &aclFilter{acl, logger}
|
||||
}
|
||||
|
||||
// filterService is used to determine if a service is accessible for an ACL.
|
||||
func (f *aclFilter) filterService(service string) bool {
|
||||
if service == "" || service == ConsulServiceID {
|
||||
|
@ -326,7 +335,7 @@ func (s *Server) filterACL(token string, subj interface{}) error {
|
|||
}
|
||||
|
||||
// Create the filter
|
||||
filt := &aclFilter{acl, s.logger}
|
||||
filt := newAclFilter(acl, s.logger)
|
||||
|
||||
switch v := subj.(type) {
|
||||
case *structs.IndexedHealthChecks:
|
||||
|
|
|
@ -674,6 +674,193 @@ func TestACL_MultiDC_Found(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestACL_filterHealthChecks(t *testing.T) {
|
||||
// Create some health checks
|
||||
hc := structs.HealthChecks{
|
||||
&structs.HealthCheck{
|
||||
Node: "node1",
|
||||
CheckID: "check1",
|
||||
ServiceName: "foo",
|
||||
},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterHealthChecks(&hc)
|
||||
if len(hc) != 1 {
|
||||
t.Fatalf("bad: %#v", hc)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterHealthChecks(&hc)
|
||||
if len(hc) != 0 {
|
||||
t.Fatalf("bad: %#v", hc)
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_filterServices(t *testing.T) {
|
||||
// Create some services
|
||||
services := structs.Services{
|
||||
"service1": []string{},
|
||||
"service2": []string{},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterServices(services)
|
||||
if len(services) != 2 {
|
||||
t.Fatalf("bad: %#v", services)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterServices(services)
|
||||
if len(services) != 0 {
|
||||
t.Fatalf("bad: %#v", services)
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_filterServiceNodes(t *testing.T) {
|
||||
// Create some service nodes
|
||||
nodes := structs.ServiceNodes{
|
||||
structs.ServiceNode{
|
||||
Node: "node1",
|
||||
ServiceName: "foo",
|
||||
},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterServiceNodes(&nodes)
|
||||
if len(nodes) != 1 {
|
||||
t.Fatalf("bad: %#v", nodes)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterServiceNodes(&nodes)
|
||||
if len(nodes) != 0 {
|
||||
t.Fatalf("bad: %#v", nodes)
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_filterNodeServices(t *testing.T) {
|
||||
// Create some node services
|
||||
services := structs.NodeServices{
|
||||
Node: structs.Node{
|
||||
Node: "node1",
|
||||
},
|
||||
Services: map[string]*structs.NodeService{
|
||||
"foo": &structs.NodeService{
|
||||
ID: "foo",
|
||||
Service: "foo",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterNodeServices(&services)
|
||||
if len(services.Services) != 1 {
|
||||
t.Fatalf("bad: %#v", services.Services)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterNodeServices(&services)
|
||||
if len(services.Services) != 0 {
|
||||
t.Fatalf("bad: %#v", services.Services)
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_filterCheckServiceNodes(t *testing.T) {
|
||||
// Create some nodes
|
||||
nodes := structs.CheckServiceNodes{
|
||||
structs.CheckServiceNode{
|
||||
Node: structs.Node{
|
||||
Node: "node1",
|
||||
},
|
||||
Service: structs.NodeService{
|
||||
ID: "foo",
|
||||
Service: "foo",
|
||||
},
|
||||
Checks: structs.HealthChecks{
|
||||
&structs.HealthCheck{
|
||||
Node: "node1",
|
||||
CheckID: "check1",
|
||||
ServiceName: "foo",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterCheckServiceNodes(&nodes)
|
||||
if len(nodes) != 1 {
|
||||
t.Fatalf("bad: %#v", nodes)
|
||||
}
|
||||
if len(nodes[0].Checks) != 1 {
|
||||
t.Fatalf("bad: %#v", nodes[0].Checks)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterCheckServiceNodes(&nodes)
|
||||
if len(nodes) != 0 {
|
||||
t.Fatalf("bad: %#v", nodes)
|
||||
}
|
||||
}
|
||||
|
||||
func TestACL_filterNodeDump(t *testing.T) {
|
||||
// Create a node dump
|
||||
dump := structs.NodeDump{
|
||||
&structs.NodeInfo{
|
||||
Node: "node1",
|
||||
Services: []*structs.NodeService{
|
||||
&structs.NodeService{
|
||||
ID: "foo",
|
||||
Service: "foo",
|
||||
},
|
||||
},
|
||||
Checks: []*structs.HealthCheck{
|
||||
&structs.HealthCheck{
|
||||
Node: "node1",
|
||||
CheckID: "check1",
|
||||
ServiceName: "foo",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Try permissive filtering
|
||||
filt := newAclFilter(acl.AllowAll(), nil)
|
||||
filt.filterNodeDump(&dump)
|
||||
if len(dump) != 1 {
|
||||
t.Fatalf("bad: %#v", dump)
|
||||
}
|
||||
if len(dump[0].Services) != 1 {
|
||||
t.Fatalf("bad: %#v", dump[0].Services)
|
||||
}
|
||||
if len(dump[0].Checks) != 1 {
|
||||
t.Fatalf("bad: %#v", dump[0].Checks)
|
||||
}
|
||||
|
||||
// Try restrictive filtering
|
||||
filt = newAclFilter(acl.DenyAll(), nil)
|
||||
filt.filterNodeDump(&dump)
|
||||
if len(dump) != 1 {
|
||||
t.Fatalf("bad: %#v", dump)
|
||||
}
|
||||
if len(dump[0].Services) != 0 {
|
||||
t.Fatalf("bad: %#v", dump[0].Services)
|
||||
}
|
||||
if len(dump[0].Checks) != 0 {
|
||||
t.Fatalf("bad: %#v", dump[0].Checks)
|
||||
}
|
||||
}
|
||||
|
||||
var testACLPolicy = `
|
||||
key "" {
|
||||
policy = "deny"
|
||||
|
|
Loading…
Reference in New Issue