From d877673268d29847ea1bdb1e8c39e5aba4f59c58 Mon Sep 17 00:00:00 2001
From: Daniel Nephin <dnephin@hashicorp.com>
Date: Tue, 20 Jul 2021 17:52:34 -0400
Subject: [PATCH] agent: update some tests that were using legacy ACL endpoints

The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.
---
 agent/acl_endpoint.go        |   8 +--
 agent/agent_endpoint_test.go | 124 ++++++++++++++++-------------------
 2 files changed, 59 insertions(+), 73 deletions(-)

diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index f5f1d6f57..a0445d8fc 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -459,7 +459,7 @@ func (s *HTTPHandlers) ACLTokenCreate(resp http.ResponseWriter, req *http.Reques
 		return nil, nil
 	}
 
-	return s.aclTokenSetInternal(resp, req, "", true)
+	return s.aclTokenSetInternal(req, "", true)
 }
 
 func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
@@ -494,11 +494,11 @@ func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request,
 	return out.Token, nil
 }
 
-func (s *HTTPHandlers) ACLTokenSet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
-	return s.aclTokenSetInternal(resp, req, tokenID, false)
+func (s *HTTPHandlers) ACLTokenSet(_ http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
+	return s.aclTokenSetInternal(req, tokenID, false)
 }
 
-func (s *HTTPHandlers) aclTokenSetInternal(_resp http.ResponseWriter, req *http.Request, tokenID string, create bool) (interface{}, error) {
+func (s *HTTPHandlers) aclTokenSetInternal(req *http.Request, tokenID string, create bool) (interface{}, error) {
 	args := structs.ACLTokenSetRequest{
 		Datacenter: s.agent.config.Datacenter,
 		Create:     create,
diff --git a/agent/agent_endpoint_test.go b/agent/agent_endpoint_test.go
index a953b2764..0febf1405 100644
--- a/agent/agent_endpoint_test.go
+++ b/agent/agent_endpoint_test.go
@@ -45,20 +45,29 @@ import (
 	"github.com/hashicorp/consul/types"
 )
 
-func makeReadOnlyAgentACL(t *testing.T, srv *HTTPHandlers) string {
-	args := map[string]interface{}{
-		"Name":  "User Token",
-		"Type":  "client",
-		"Rules": `agent "" { policy = "read" }`,
+func createACLTokenWithAgentReadPolicy(t *testing.T, srv *HTTPHandlers) string {
+	policyReq := &structs.ACLPolicy{
+		Name:  "agent-read",
+		Rules: `agent_prefix "" { policy = "read" }`,
 	}
-	req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
+
+	req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
 	resp := httptest.NewRecorder()
-	obj, err := srv.ACLCreate(resp, req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
+	_, err := srv.ACLPolicyCreate(resp, req)
+	require.NoError(t, err)
+
+	tokenReq := &structs.ACLToken{
+		Description: "agent-read-token-for-test",
+		Policies:    []structs.ACLTokenPolicyLink{{Name: "agent-read"}},
 	}
-	aclResp := obj.(aclCreateResponse)
-	return aclResp.ID
+
+	req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
+	resp = httptest.NewRecorder()
+	tokInf, err := srv.ACLTokenCreate(resp, req)
+	require.NoError(t, err)
+	svcToken, ok := tokInf.(*structs.ACLToken)
+	require.True(t, ok)
+	return svcToken.SecretID
 }
 
 func TestAgent_Services(t *testing.T) {
@@ -1386,7 +1395,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a.srv)
 		req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil)
 		if _, err := a.srv.AgentSelf(nil, req); err != nil {
 			t.Fatalf("err: %v", err)
@@ -1419,7 +1428,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a.srv)
 		req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil)
 		if _, err := a.srv.AgentMetrics(nil, req); err != nil {
 			t.Fatalf("err: %v", err)
@@ -1761,7 +1770,7 @@ func TestAgent_Reload_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a.srv)
 		req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil)
 		if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) {
 			t.Fatalf("err: %v", err)
@@ -1958,7 +1967,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a1.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a1.srv)
 		req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil)
 		if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) {
 			t.Fatalf("err: %v", err)
@@ -2061,7 +2070,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a.srv)
 		req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil)
 		if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) {
 			t.Fatalf("err: %v", err)
@@ -2167,7 +2176,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
 	})
 
 	t.Run("read-only token", func(t *testing.T) {
-		ro := makeReadOnlyAgentACL(t, a.srv)
+		ro := createACLTokenWithAgentReadPolicy(t, a.srv)
 		req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil)
 		if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
 			t.Fatalf("err: %v", err)
@@ -5599,23 +5608,7 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
 		require.Equal(200, resp.Code, "body: %s", resp.Body.String())
 	}
 
-	// Create an ACL with service:write for our service
-	var token string
-	{
-		args := map[string]interface{}{
-			"Name":  "User Token",
-			"Type":  "client",
-			"Rules": `service "test" { policy = "write" }`,
-		}
-		req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
-		resp := httptest.NewRecorder()
-		obj, err := a.srv.ACLCreate(resp, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		aclResp := obj.(aclCreateResponse)
-		token = aclResp.ID
-	}
+	token := createACLTokenWithServicePolicy(t, a.srv, "write")
 
 	req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
 	resp := httptest.NewRecorder()
@@ -5627,6 +5620,31 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
 	require.True(ok)
 }
 
+func createACLTokenWithServicePolicy(t *testing.T, srv *HTTPHandlers, policy string) string {
+	policyReq := &structs.ACLPolicy{
+		Name:  "service-test-write",
+		Rules: fmt.Sprintf(`service "test" { policy = "%v" }`, policy),
+	}
+
+	req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
+	resp := httptest.NewRecorder()
+	_, err := srv.ACLPolicyCreate(resp, req)
+	require.NoError(t, err)
+
+	tokenReq := &structs.ACLToken{
+		Description: "token-for-test",
+		Policies:    []structs.ACLTokenPolicyLink{{Name: "service-test-write"}},
+	}
+
+	req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
+	resp = httptest.NewRecorder()
+	tokInf, err := srv.ACLTokenCreate(resp, req)
+	require.NoError(t, err)
+	svcToken, ok := tokInf.(*structs.ACLToken)
+	require.True(t, ok)
+	return svcToken.SecretID
+}
+
 func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
@@ -5660,23 +5678,7 @@ func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
 		require.Equal(200, resp.Code, "body: %s", resp.Body.String())
 	}
 
-	// Create an ACL with service:read for our service
-	var token string
-	{
-		args := map[string]interface{}{
-			"Name":  "User Token",
-			"Type":  "client",
-			"Rules": `service "test" { policy = "read" }`,
-		}
-		req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
-		resp := httptest.NewRecorder()
-		obj, err := a.srv.ACLCreate(resp, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		aclResp := obj.(aclCreateResponse)
-		token = aclResp.ID
-	}
+	token := createACLTokenWithServicePolicy(t, a.srv, "read")
 
 	req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
 	resp := httptest.NewRecorder()
@@ -6665,26 +6667,10 @@ func TestAgentConnectAuthorize_serviceWrite(t *testing.T) {
 	defer a.Shutdown()
 	testrpc.WaitForLeader(t, a.RPC, "dc1")
 
-	// Create an ACL
-	var token string
-	{
-		args := map[string]interface{}{
-			"Name":  "User Token",
-			"Type":  "client",
-			"Rules": `service "foo" { policy = "read" }`,
-		}
-		req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
-		resp := httptest.NewRecorder()
-		obj, err := a.srv.ACLCreate(resp, req)
-		if err != nil {
-			t.Fatalf("err: %v", err)
-		}
-		aclResp := obj.(aclCreateResponse)
-		token = aclResp.ID
-	}
+	token := createACLTokenWithServicePolicy(t, a.srv, "read")
 
 	args := &structs.ConnectAuthorizeRequest{
-		Target:        "foo",
+		Target:        "test",
 		ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(),
 	}
 	req, _ := http.NewRequest("POST",