agent: update some tests that were using legacy ACL endpoints

The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.
This commit is contained in:
Daniel Nephin 2021-07-20 17:52:34 -04:00
parent 10791b007d
commit d877673268
2 changed files with 59 additions and 73 deletions

View File

@ -459,7 +459,7 @@ func (s *HTTPHandlers) ACLTokenCreate(resp http.ResponseWriter, req *http.Reques
return nil, nil return nil, nil
} }
return s.aclTokenSetInternal(resp, req, "", true) return s.aclTokenSetInternal(req, "", true)
} }
func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) { func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
@ -494,11 +494,11 @@ func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request,
return out.Token, nil return out.Token, nil
} }
func (s *HTTPHandlers) ACLTokenSet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) { func (s *HTTPHandlers) ACLTokenSet(_ http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
return s.aclTokenSetInternal(resp, req, tokenID, false) return s.aclTokenSetInternal(req, tokenID, false)
} }
func (s *HTTPHandlers) aclTokenSetInternal(_resp http.ResponseWriter, req *http.Request, tokenID string, create bool) (interface{}, error) { func (s *HTTPHandlers) aclTokenSetInternal(req *http.Request, tokenID string, create bool) (interface{}, error) {
args := structs.ACLTokenSetRequest{ args := structs.ACLTokenSetRequest{
Datacenter: s.agent.config.Datacenter, Datacenter: s.agent.config.Datacenter,
Create: create, Create: create,

View File

@ -45,20 +45,29 @@ import (
"github.com/hashicorp/consul/types" "github.com/hashicorp/consul/types"
) )
func makeReadOnlyAgentACL(t *testing.T, srv *HTTPHandlers) string { func createACLTokenWithAgentReadPolicy(t *testing.T, srv *HTTPHandlers) string {
args := map[string]interface{}{ policyReq := &structs.ACLPolicy{
"Name": "User Token", Name: "agent-read",
"Type": "client", Rules: `agent_prefix "" { policy = "read" }`,
"Rules": `agent "" { policy = "read" }`,
} }
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
obj, err := srv.ACLCreate(resp, req) _, err := srv.ACLPolicyCreate(resp, req)
if err != nil { require.NoError(t, err)
t.Fatalf("err: %v", err)
tokenReq := &structs.ACLToken{
Description: "agent-read-token-for-test",
Policies: []structs.ACLTokenPolicyLink{{Name: "agent-read"}},
} }
aclResp := obj.(aclCreateResponse)
return aclResp.ID req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
resp = httptest.NewRecorder()
tokInf, err := srv.ACLTokenCreate(resp, req)
require.NoError(t, err)
svcToken, ok := tokInf.(*structs.ACLToken)
require.True(t, ok)
return svcToken.SecretID
} }
func TestAgent_Services(t *testing.T) { func TestAgent_Services(t *testing.T) {
@ -1386,7 +1395,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil)
if _, err := a.srv.AgentSelf(nil, req); err != nil { if _, err := a.srv.AgentSelf(nil, req); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1419,7 +1428,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil)
if _, err := a.srv.AgentMetrics(nil, req); err != nil { if _, err := a.srv.AgentMetrics(nil, req); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1761,7 +1770,7 @@ func TestAgent_Reload_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil)
if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1958,7 +1967,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a1.srv) ro := createACLTokenWithAgentReadPolicy(t, a1.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil)
if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -2061,7 +2070,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil)
if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -2167,7 +2176,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil)
if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -5599,23 +5608,7 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
require.Equal(200, resp.Code, "body: %s", resp.Body.String()) require.Equal(200, resp.Code, "body: %s", resp.Body.String())
} }
// Create an ACL with service:write for our service token := createACLTokenWithServicePolicy(t, a.srv, "write")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "write" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil) req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -5627,6 +5620,31 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
require.True(ok) require.True(ok)
} }
func createACLTokenWithServicePolicy(t *testing.T, srv *HTTPHandlers, policy string) string {
policyReq := &structs.ACLPolicy{
Name: "service-test-write",
Rules: fmt.Sprintf(`service "test" { policy = "%v" }`, policy),
}
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
resp := httptest.NewRecorder()
_, err := srv.ACLPolicyCreate(resp, req)
require.NoError(t, err)
tokenReq := &structs.ACLToken{
Description: "token-for-test",
Policies: []structs.ACLTokenPolicyLink{{Name: "service-test-write"}},
}
req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
resp = httptest.NewRecorder()
tokInf, err := srv.ACLTokenCreate(resp, req)
require.NoError(t, err)
svcToken, ok := tokInf.(*structs.ACLToken)
require.True(t, ok)
return svcToken.SecretID
}
func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) { func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
if testing.Short() { if testing.Short() {
t.Skip("too slow for testing.Short") t.Skip("too slow for testing.Short")
@ -5660,23 +5678,7 @@ func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
require.Equal(200, resp.Code, "body: %s", resp.Body.String()) require.Equal(200, resp.Code, "body: %s", resp.Body.String())
} }
// Create an ACL with service:read for our service token := createACLTokenWithServicePolicy(t, a.srv, "read")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "read" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil) req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -6665,26 +6667,10 @@ func TestAgentConnectAuthorize_serviceWrite(t *testing.T) {
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
// Create an ACL token := createACLTokenWithServicePolicy(t, a.srv, "read")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "foo" { policy = "read" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
args := &structs.ConnectAuthorizeRequest{ args := &structs.ConnectAuthorizeRequest{
Target: "foo", Target: "test",
ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(), ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(),
} }
req, _ := http.NewRequest("POST", req, _ := http.NewRequest("POST",