consul: testing acl filters in isolation
This commit is contained in:
parent
e413b0e7c7
commit
63a2737cac
|
@ -3,6 +3,7 @@ package consul
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"log"
|
"log"
|
||||||
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -201,6 +202,14 @@ type aclFilter struct {
|
||||||
logger *log.Logger
|
logger *log.Logger
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// newAclFilter constructs a new aclFilter.
|
||||||
|
func newAclFilter(acl acl.ACL, logger *log.Logger) *aclFilter {
|
||||||
|
if logger == nil {
|
||||||
|
logger = log.New(os.Stdout, "", log.LstdFlags)
|
||||||
|
}
|
||||||
|
return &aclFilter{acl, logger}
|
||||||
|
}
|
||||||
|
|
||||||
// filterService is used to determine if a service is accessible for an ACL.
|
// filterService is used to determine if a service is accessible for an ACL.
|
||||||
func (f *aclFilter) filterService(service string) bool {
|
func (f *aclFilter) filterService(service string) bool {
|
||||||
if service == "" || service == ConsulServiceID {
|
if service == "" || service == ConsulServiceID {
|
||||||
|
@ -326,7 +335,7 @@ func (s *Server) filterACL(token string, subj interface{}) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create the filter
|
// Create the filter
|
||||||
filt := &aclFilter{acl, s.logger}
|
filt := newAclFilter(acl, s.logger)
|
||||||
|
|
||||||
switch v := subj.(type) {
|
switch v := subj.(type) {
|
||||||
case *structs.IndexedHealthChecks:
|
case *structs.IndexedHealthChecks:
|
||||||
|
|
|
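Review bot: In the new `newAclFilter` the parameter named `acl` shadows the `acl` package for the whole body, so the constructor cannot reference `acl.DenyAll()` or any other package symbol, and a nil `acl.ACL` passed in is accepted silently and only fails later with a nil-interface method panic inside a filter call. Renaming the parameter and defaulting nil to a deny-all authorizer makes the constructor fail closed: `func newAclFilter(authz acl.ACL, logger *log.Logger) *aclFilter {` followed by `if authz == nil { authz = acl.DenyAll() }` and `return &aclFilter{authz, logger}`. Whether the `filterACL` caller already guards a nil ACL before the construction line cannot be seen from this hunk, so the guard may be belt-and-braces there but still protects the test-only callers this commit introduces. The doc comment should also state the other default the code applies: `// newAclFilter constructs a new aclFilter; a nil logger falls back to stdout with log.LstdFlags.`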
@ -674,6 +674,193 @@ func TestACL_MultiDC_Found(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestACL_filterHealthChecks(t *testing.T) {
|
||||||
|
// Create some health checks
|
||||||
|
hc := structs.HealthChecks{
|
||||||
|
&structs.HealthCheck{
|
||||||
|
Node: "node1",
|
||||||
|
CheckID: "check1",
|
||||||
|
ServiceName: "foo",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterHealthChecks(&hc)
|
||||||
|
if len(hc) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", hc)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterHealthChecks(&hc)
|
||||||
|
if len(hc) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", hc)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestACL_filterServices(t *testing.T) {
|
||||||
|
// Create some services
|
||||||
|
services := structs.Services{
|
||||||
|
"service1": []string{},
|
||||||
|
"service2": []string{},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterServices(services)
|
||||||
|
if len(services) != 2 {
|
||||||
|
t.Fatalf("bad: %#v", services)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterServices(services)
|
||||||
|
if len(services) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", services)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestACL_filterServiceNodes(t *testing.T) {
|
||||||
|
// Create some service nodes
|
||||||
|
nodes := structs.ServiceNodes{
|
||||||
|
structs.ServiceNode{
|
||||||
|
Node: "node1",
|
||||||
|
ServiceName: "foo",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterServiceNodes(&nodes)
|
||||||
|
if len(nodes) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", nodes)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterServiceNodes(&nodes)
|
||||||
|
if len(nodes) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", nodes)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestACL_filterNodeServices(t *testing.T) {
|
||||||
|
// Create some node services
|
||||||
|
services := structs.NodeServices{
|
||||||
|
Node: structs.Node{
|
||||||
|
Node: "node1",
|
||||||
|
},
|
||||||
|
Services: map[string]*structs.NodeService{
|
||||||
|
"foo": &structs.NodeService{
|
||||||
|
ID: "foo",
|
||||||
|
Service: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterNodeServices(&services)
|
||||||
|
if len(services.Services) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", services.Services)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterNodeServices(&services)
|
||||||
|
if len(services.Services) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", services.Services)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestACL_filterCheckServiceNodes(t *testing.T) {
|
||||||
|
// Create some nodes
|
||||||
|
nodes := structs.CheckServiceNodes{
|
||||||
|
structs.CheckServiceNode{
|
||||||
|
Node: structs.Node{
|
||||||
|
Node: "node1",
|
||||||
|
},
|
||||||
|
Service: structs.NodeService{
|
||||||
|
ID: "foo",
|
||||||
|
Service: "foo",
|
||||||
|
},
|
||||||
|
Checks: structs.HealthChecks{
|
||||||
|
&structs.HealthCheck{
|
||||||
|
Node: "node1",
|
||||||
|
CheckID: "check1",
|
||||||
|
ServiceName: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterCheckServiceNodes(&nodes)
|
||||||
|
if len(nodes) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", nodes)
|
||||||
|
}
|
||||||
|
if len(nodes[0].Checks) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", nodes[0].Checks)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterCheckServiceNodes(&nodes)
|
||||||
|
if len(nodes) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", nodes)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestACL_filterNodeDump(t *testing.T) {
|
||||||
|
// Create a node dump
|
||||||
|
dump := structs.NodeDump{
|
||||||
|
&structs.NodeInfo{
|
||||||
|
Node: "node1",
|
||||||
|
Services: []*structs.NodeService{
|
||||||
|
&structs.NodeService{
|
||||||
|
ID: "foo",
|
||||||
|
Service: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Checks: []*structs.HealthCheck{
|
||||||
|
&structs.HealthCheck{
|
||||||
|
Node: "node1",
|
||||||
|
CheckID: "check1",
|
||||||
|
ServiceName: "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try permissive filtering
|
||||||
|
filt := newAclFilter(acl.AllowAll(), nil)
|
||||||
|
filt.filterNodeDump(&dump)
|
||||||
|
if len(dump) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", dump)
|
||||||
|
}
|
||||||
|
if len(dump[0].Services) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", dump[0].Services)
|
||||||
|
}
|
||||||
|
if len(dump[0].Checks) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", dump[0].Checks)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try restrictive filtering
|
||||||
|
filt = newAclFilter(acl.DenyAll(), nil)
|
||||||
|
filt.filterNodeDump(&dump)
|
||||||
|
if len(dump) != 1 {
|
||||||
|
t.Fatalf("bad: %#v", dump)
|
||||||
|
}
|
||||||
|
if len(dump[0].Services) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", dump[0].Services)
|
||||||
|
}
|
||||||
|
if len(dump[0].Checks) != 0 {
|
||||||
|
t.Fatalf("bad: %#v", dump[0].Checks)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var testACLPolicy = `
|
var testACLPolicy = `
|
||||||
key "" {
|
key "" {
|
||||||
policy = "deny"
|
policy = "deny"
|
||||||
|
|
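Review bot: Every new test only drives the filters with `acl.AllowAll()` and `acl.DenyAll()`, so each assertion is all-or-nothing and would still pass against a filter that consults the wrong field (node instead of service, or ID instead of name) or drops entries for the wrong reason. Each of TestACL_filterHealthChecks through TestACL_filterNodeDump should carry a third case built from a policy that grants read on exactly one of two differently named services, asserting that only that service's entry survives and that the other is removed; the file already keeps a rules fixture in `testACLPolicy`, so a second selective fixture alongside it would fit the existing style. The special-case branch visible in `filterService` (`service == "" || service == ConsulServiceID`) is also untested: a DenyAll case in TestACL_filterServices with a `ConsulServiceID` key and an empty-name key would pin that these presumably pass through regardless of policy. A short comment on each restrictive case, such as `// DenyAll must drop every service-scoped entry while leaving the node record intact`, would make the intended fail-closed contract explicit for TestACL_filterNodeDump, where the node survives but its services and checks must not.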