luxolus/open-consul
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-consul/acl/policy_test.go
Matt Keeler 1270a93274
Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) 
Main Changes:

• method signature updates everywhere to account for passing around enterprise meta.
• populate the EnterpriseAuthorizerContext for all ACL related authorizations.
• ACL resource listings now operate like the catalog or kv listings in that the returned entries are filtered down to what the token is allowed to see. With Namespaces its no longer all or nothing.
• Modified the acl.Policy parsing to abstract away basic decoding so that enterprise can do it slightly differently. Also updated method signatures so that when parsing a policy it can take extra ent metadata to use during rules validation and policy creation.

Secondary Changes:

• Moved protobuf encoding functions out of the agentpb package to eliminate circular dependencies.
• Added custom JSON unmarshalers for a few ACL resource types (to support snake case and to get rid of mapstructure)
• AuthMethod validator cache is now an interface as these will be cached per-namespace for Consul Enterprise.
• Added checks for policy/role link existence at the RPC API so we don’t push the request through raft to have it fail internally.
• Forward ACL token delete request to the primary datacenter when the secondary DC doesn’t have the token.
• Added a bunch of ACL test helpers for inserting ACL resource test data.
2019-10-24 14:38:09 -04:00

1655 lines
32 KiB
Go
Raw Blame History

package acl
import (
"strings"
"testing"
"github.com/stretchr/testify/require"
)
func errStartsWith(t *testing.T, actual error, expected string) {
t.Helper()
require.Error(t, actual)
require.Truef(t, strings.HasPrefix(actual.Error(), expected), "Received unexpected error: %#v\nExpecting an error with the prefix: %q", actual, expected)
}
func TestPolicySourceParse(t *testing.T) {
ljoin := func(lines ...string) string {
return strings.Join(lines, "\n")
}
cases := []struct {
Name string
Syntax SyntaxVersion
Rules string
Expected *Policy
Err string
}{
{
"Legacy Basic",
SyntaxLegacy,
ljoin(
`agent "foo" { `,
` policy = "read" `,
`} `,
`agent "bar" { `,
` policy = "write" `,
`} `,
`event "" { `,
` policy = "read" `,
`} `,
`event "foo" { `,
` policy = "write" `,
`} `,
`event "bar" { `,
` policy = "deny" `,
`} `,
`key "" { `,
` policy = "read" `,
`} `,
`key "foo/" { `,
` policy = "write" `,
`} `,
`key "foo/bar/" { `,
` policy = "read" `,
`} `,
`key "foo/bar/baz" {`,
` policy = "deny" `,
`} `,
`keyring = "deny" `,
`node "" { `,
` policy = "read" `,
`} `,
`node "foo" { `,
` policy = "write" `,
`} `,
`node "bar" { `,
` policy = "deny" `,
`} `,
`operator = "deny" `,
`service "" { `,
` policy = "write" `,
`} `,
`service "foo" { `,
` policy = "read" `,
`} `,
`session "foo" { `,
` policy = "write" `,
`} `,
`session "bar" { `,
` policy = "deny" `,
`} `,
`query "" { `,
` policy = "read" `,
`} `,
`query "foo" { `,
` policy = "write" `,
`} `,
`query "bar" { `,
` policy = "deny" `,
`} `),
&Policy{PolicyRules: PolicyRules{
AgentPrefixes: []*AgentRule{
&AgentRule{
Node: "foo",
Policy: PolicyRead,
},
&AgentRule{
Node: "bar",
Policy: PolicyWrite,
},
},
EventPrefixes: []*EventRule{
&EventRule{
Event: "",
Policy: PolicyRead,
},
&EventRule{
Event: "foo",
Policy: PolicyWrite,
},
&EventRule{
Event: "bar",
Policy: PolicyDeny,
},
},
Keyring: PolicyDeny,
KeyPrefixes: []*KeyRule{
&KeyRule{
Prefix: "",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "foo/",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "foo/bar/",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "foo/bar/baz",
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
&NodeRule{
Name: "",
Policy: PolicyRead,
},
&NodeRule{
Name: "foo",
Policy: PolicyWrite,
},
&NodeRule{
Name: "bar",
Policy: PolicyDeny,
},
},
Operator: PolicyDeny,
PreparedQueryPrefixes: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "bar",
Policy: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
&ServiceRule{
Name: "",
Policy: PolicyWrite,
},
&ServiceRule{
Name: "foo",
Policy: PolicyRead,
},
},
SessionPrefixes: []*SessionRule{
&SessionRule{
Node: "foo",
Policy: PolicyWrite,
},
&SessionRule{
Node: "bar",
Policy: PolicyDeny,
},
},
}},
"",
},
{
"Legacy (JSON)",
SyntaxLegacy,
ljoin(
`{ `,
` "agent": { `,
` "foo": { `,
` "policy": "write" `,
` }, `,
` "bar": { `,
` "policy": "deny" `,
` } `,
` }, `,
` "event": { `,
` "": { `,
` "policy": "read" `,
` }, `,
` "foo": { `,
` "policy": "write" `,
` }, `,
` "bar": { `,
` "policy": "deny" `,
` } `,
` }, `,
` "key": { `,
` "": { `,
` "policy": "read" `,
` }, `,
` "foo/": { `,
` "policy": "write" `,
` }, `,
` "foo/bar/": { `,
` "policy": "read" `,
` }, `,
` "foo/bar/baz": { `,
` "policy": "deny" `,
` } `,
` }, `,
` "keyring": "deny", `,
` "node": { `,
` "": { `,
` "policy": "read" `,
` }, `,
` "foo": { `,
` "policy": "write" `,
` }, `,
` "bar": { `,
` "policy": "deny" `,
` } `,
` }, `,
` "operator": "deny", `,
` "query": { `,
` "": { `,
` "policy": "read" `,
` }, `,
` "foo": { `,
` "policy": "write" `,
` }, `,
` "bar": { `,
` "policy": "deny" `,
` } `,
` }, `,
` "service": { `,
` "": { `,
` "policy": "write" `,
` }, `,
` "foo": { `,
` "policy": "read" `,
` } `,
` }, `,
` "session": { `,
` "foo": { `,
` "policy": "write" `,
` }, `,
` "bar": { `,
` "policy": "deny" `,
` } `,
` } `,
`} `),
&Policy{PolicyRules: PolicyRules{
AgentPrefixes: []*AgentRule{
&AgentRule{
Node: "foo",
Policy: PolicyWrite,
},
&AgentRule{
Node: "bar",
Policy: PolicyDeny,
},
},
EventPrefixes: []*EventRule{
&EventRule{
Event: "",
Policy: PolicyRead,
},
&EventRule{
Event: "foo",
Policy: PolicyWrite,
},
&EventRule{
Event: "bar",
Policy: PolicyDeny,
},
},
Keyring: PolicyDeny,
KeyPrefixes: []*KeyRule{
&KeyRule{
Prefix: "",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "foo/",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "foo/bar/",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "foo/bar/baz",
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
&NodeRule{
Name: "",
Policy: PolicyRead,
},
&NodeRule{
Name: "foo",
Policy: PolicyWrite,
},
&NodeRule{
Name: "bar",
Policy: PolicyDeny,
},
},
Operator: PolicyDeny,
PreparedQueryPrefixes: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "bar",
Policy: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
&ServiceRule{
Name: "",
Policy: PolicyWrite,
},
&ServiceRule{
Name: "foo",
Policy: PolicyRead,
},
},
SessionPrefixes: []*SessionRule{
&SessionRule{
Node: "foo",
Policy: PolicyWrite,
},
&SessionRule{
Node: "bar",
Policy: PolicyDeny,
},
},
}},
"",
},
{
"Service No Intentions (Legacy)",
SyntaxLegacy,
ljoin(
`service "foo" { `,
` policy = "write"`,
`} `),
&Policy{PolicyRules: PolicyRules{
ServicePrefixes: []*ServiceRule{
{
Name: "foo",
Policy: "write",
},
},
}},
"",
},
{
"Service Intentions (Legacy)",
SyntaxLegacy,
ljoin(
`service "foo" { `,
` policy = "write" `,
` intentions = "read"`,
`} `),
&Policy{PolicyRules: PolicyRules{
ServicePrefixes: []*ServiceRule{
{
Name: "foo",
Policy: "write",
Intentions: "read",
},
},
}},
"",
},
{
"Service Intention: invalid value (Legacy)",
SyntaxLegacy,
ljoin(
`service "foo" { `,
` policy = "write" `,
` intentions = "foo"`,
`} `),
nil,
"Invalid service intentions policy",
},
{
"Bad Policy - ACL",
SyntaxCurrent,
`acl = "list"`, // there is no list policy but this helps to exercise another check in isPolicyValid
nil,
"Invalid acl policy",
},
{
"Bad Policy - Agent",
SyntaxCurrent,
`agent "foo" { policy = "nope" }`,
nil,
"Invalid agent policy",
},
{
"Bad Policy - Agent Prefix",
SyntaxCurrent,
`agent_prefix "foo" { policy = "nope" }`,
nil,
"Invalid agent_prefix policy",
},
{
"Bad Policy - Key",
SyntaxCurrent,
`key "foo" { policy = "nope" }`,
nil,
"Invalid key policy",
},
{
"Bad Policy - Key Prefix",
SyntaxCurrent,
`key_prefix "foo" { policy = "nope" }`,
nil,
"Invalid key_prefix policy",
},
{
"Bad Policy - Node",
SyntaxCurrent,
`node "foo" { policy = "nope" }`,
nil,
"Invalid node policy",
},
{
"Bad Policy - Node Prefix",
SyntaxCurrent,
`node_prefix "foo" { policy = "nope" }`,
nil,
"Invalid node_prefix policy",
},
{
"Bad Policy - Service",
SyntaxCurrent,
`service "foo" { policy = "nope" }`,
nil,
"Invalid service policy",
},
{
"Bad Policy - Service Prefix",
SyntaxCurrent,
`service_prefix "foo" { policy = "nope" }`,
nil,
"Invalid service_prefix policy",
},
{
"Bad Policy - Session",
SyntaxCurrent,
`session "foo" { policy = "nope" }`,
nil,
"Invalid session policy",
},
{
"Bad Policy - Session Prefix",
SyntaxCurrent,
`session_prefix "foo" { policy = "nope" }`,
nil,
"Invalid session_prefix policy",
},
{
"Bad Policy - Event",
SyntaxCurrent,
`event "foo" { policy = "nope" }`,
nil,
"Invalid event policy",
},
{
"Bad Policy - Event Prefix",
SyntaxCurrent,
`event_prefix "foo" { policy = "nope" }`,
nil,
"Invalid event_prefix policy",
},
{
"Bad Policy - Prepared Query",
SyntaxCurrent,
`query "foo" { policy = "nope" }`,
nil,
"Invalid query policy",
},
{
"Bad Policy - Prepared Query Prefix",
SyntaxCurrent,
`query_prefix "foo" { policy = "nope" }`,
nil,
"Invalid query_prefix policy",
},
{
"Bad Policy - Keyring",
SyntaxCurrent,
`keyring = "nope"`,
nil,
"Invalid keyring policy",
},
{
"Bad Policy - Operator",
SyntaxCurrent,
`operator = "nope"`,
nil,
"Invalid operator policy",
},
{
"Keyring Empty",
SyntaxCurrent,
`keyring = ""`,
&Policy{PolicyRules: PolicyRules{Keyring: ""}},
"",
},
{
"Operator Empty",
SyntaxCurrent,
`operator = ""`,
&Policy{PolicyRules: PolicyRules{Operator: ""}},
"",
},
}
for _, tc := range cases {
t.Run(tc.Name, func(t *testing.T) {
req := require.New(t)
actual, err := NewPolicyFromSource("", 0, tc.Rules, tc.Syntax, nil, nil)
if tc.Err != "" {
errStartsWith(t, err, tc.Err)
} else {
req.Equal(tc.Expected, actual)
}
})
}
}
func TestMergePolicies(t *testing.T) {
type mergeTest struct {
name string
input []*Policy
expected *Policy
}
tests := []mergeTest{
{
name: "Agents",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Agents: []*AgentRule{
&AgentRule{
Node: "foo",
Policy: PolicyWrite,
},
&AgentRule{
Node: "bar",
Policy: PolicyRead,
},
&AgentRule{
Node: "baz",
Policy: PolicyWrite,
},
},
AgentPrefixes: []*AgentRule{
&AgentRule{
Node: "000",
Policy: PolicyWrite,
},
&AgentRule{
Node: "111",
Policy: PolicyRead,
},
&AgentRule{
Node: "222",
Policy: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Agents: []*AgentRule{
&AgentRule{
Node: "foo",
Policy: PolicyRead,
},
&AgentRule{
Node: "baz",
Policy: PolicyDeny,
},
},
AgentPrefixes: []*AgentRule{
&AgentRule{
Node: "000",
Policy: PolicyRead,
},
&AgentRule{
Node: "222",
Policy: PolicyDeny,
},
},
},
}},
expected: &Policy{PolicyRules: PolicyRules{
Agents: []*AgentRule{
&AgentRule{
Node: "foo",
Policy: PolicyWrite,
},
&AgentRule{
Node: "bar",
Policy: PolicyRead,
},
&AgentRule{
Node: "baz",
Policy: PolicyDeny,
},
},
AgentPrefixes: []*AgentRule{
&AgentRule{
Node: "000",
Policy: PolicyWrite,
},
&AgentRule{
Node: "111",
Policy: PolicyRead,
},
&AgentRule{
Node: "222",
Policy: PolicyDeny,
},
},
}},
},
{
name: "Events",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Events: []*EventRule{
&EventRule{
Event: "foo",
Policy: PolicyWrite,
},
&EventRule{
Event: "bar",
Policy: PolicyRead,
},
&EventRule{
Event: "baz",
Policy: PolicyWrite,
},
},
EventPrefixes: []*EventRule{
&EventRule{
Event: "000",
Policy: PolicyWrite,
},
&EventRule{
Event: "111",
Policy: PolicyRead,
},
&EventRule{
Event: "222",
Policy: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Events: []*EventRule{
&EventRule{
Event: "foo",
Policy: PolicyRead,
},
&EventRule{
Event: "baz",
Policy: PolicyDeny,
},
},
EventPrefixes: []*EventRule{
&EventRule{
Event: "000",
Policy: PolicyRead,
},
&EventRule{
Event: "222",
Policy: PolicyDeny,
},
},
}},
},
expected: &Policy{PolicyRules: PolicyRules{
Events: []*EventRule{
&EventRule{
Event: "foo",
Policy: PolicyWrite,
},
&EventRule{
Event: "bar",
Policy: PolicyRead,
},
&EventRule{
Event: "baz",
Policy: PolicyDeny,
},
},
EventPrefixes: []*EventRule{
&EventRule{
Event: "000",
Policy: PolicyWrite,
},
&EventRule{
Event: "111",
Policy: PolicyRead,
},
&EventRule{
Event: "222",
Policy: PolicyDeny,
},
},
}},
},
{
name: "Node",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Nodes: []*NodeRule{
&NodeRule{
Name: "foo",
Policy: PolicyWrite,
},
&NodeRule{
Name: "bar",
Policy: PolicyRead,
},
&NodeRule{
Name: "baz",
Policy: PolicyWrite,
},
},
NodePrefixes: []*NodeRule{
&NodeRule{
Name: "000",
Policy: PolicyWrite,
},
&NodeRule{
Name: "111",
Policy: PolicyRead,
},
&NodeRule{
Name: "222",
Policy: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Nodes: []*NodeRule{
&NodeRule{
Name: "foo",
Policy: PolicyRead,
},
&NodeRule{
Name: "baz",
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
&NodeRule{
Name: "000",
Policy: PolicyRead,
},
&NodeRule{
Name: "222",
Policy: PolicyDeny,
},
},
},
}},
expected: &Policy{PolicyRules: PolicyRules{
Nodes: []*NodeRule{
&NodeRule{
Name: "foo",
Policy: PolicyWrite,
},
&NodeRule{
Name: "bar",
Policy: PolicyRead,
},
&NodeRule{
Name: "baz",
Policy: PolicyDeny,
},
},
NodePrefixes: []*NodeRule{
&NodeRule{
Name: "000",
Policy: PolicyWrite,
},
&NodeRule{
Name: "111",
Policy: PolicyRead,
},
&NodeRule{
Name: "222",
Policy: PolicyDeny,
},
},
}},
},
{
name: "Keys",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Keys: []*KeyRule{
&KeyRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "bar",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "baz",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "zoo",
Policy: PolicyList,
},
},
KeyPrefixes: []*KeyRule{
&KeyRule{
Prefix: "000",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "111",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "222",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "333",
Policy: PolicyList,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Keys: []*KeyRule{
&KeyRule{
Prefix: "foo",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "baz",
Policy: PolicyDeny,
},
&KeyRule{
Prefix: "zoo",
Policy: PolicyRead,
},
},
KeyPrefixes: []*KeyRule{
&KeyRule{
Prefix: "000",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "222",
Policy: PolicyDeny,
},
&KeyRule{
Prefix: "333",
Policy: PolicyRead,
},
},
}},
},
expected: &Policy{PolicyRules: PolicyRules{
Keys: []*KeyRule{
&KeyRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "bar",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "baz",
Policy: PolicyDeny,
},
&KeyRule{
Prefix: "zoo",
Policy: PolicyList,
},
},
KeyPrefixes: []*KeyRule{
&KeyRule{
Prefix: "000",
Policy: PolicyWrite,
},
&KeyRule{
Prefix: "111",
Policy: PolicyRead,
},
&KeyRule{
Prefix: "222",
Policy: PolicyDeny,
},
&KeyRule{
Prefix: "333",
Policy: PolicyList,
},
},
}},
},
{
name: "Services",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Services: []*ServiceRule{
&ServiceRule{
Name: "foo",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
&ServiceRule{
Name: "bar",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "baz",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
},
ServicePrefixes: []*ServiceRule{
&ServiceRule{
Name: "000",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
&ServiceRule{
Name: "111",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "222",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Services: []*ServiceRule{
&ServiceRule{
Name: "foo",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "baz",
Policy: PolicyDeny,
Intentions: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
&ServiceRule{
Name: "000",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "222",
Policy: PolicyDeny,
Intentions: PolicyDeny,
},
},
}},
},
expected: &Policy{PolicyRules: PolicyRules{
Services: []*ServiceRule{
&ServiceRule{
Name: "foo",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
&ServiceRule{
Name: "bar",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "baz",
Policy: PolicyDeny,
Intentions: PolicyDeny,
},
},
ServicePrefixes: []*ServiceRule{
&ServiceRule{
Name: "000",
Policy: PolicyWrite,
Intentions: PolicyWrite,
},
&ServiceRule{
Name: "111",
Policy: PolicyRead,
Intentions: PolicyRead,
},
&ServiceRule{
Name: "222",
Policy: PolicyDeny,
Intentions: PolicyDeny,
},
},
}},
},
{
name: "Sessions",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
Sessions: []*SessionRule{
&SessionRule{
Node: "foo",
Policy: PolicyWrite,
},
&SessionRule{
Node: "bar",
Policy: PolicyRead,
},
&SessionRule{
Node: "baz",
Policy: PolicyWrite,
},
},
SessionPrefixes: []*SessionRule{
&SessionRule{
Node: "000",
Policy: PolicyWrite,
},
&SessionRule{
Node: "111",
Policy: PolicyRead,
},
&SessionRule{
Node: "222",
Policy: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
Sessions: []*SessionRule{
&SessionRule{
Node: "foo",
Policy: PolicyRead,
},
&SessionRule{
Node: "baz",
Policy: PolicyDeny,
},
},
SessionPrefixes: []*SessionRule{
&SessionRule{
Node: "000",
Policy: PolicyRead,
},
&SessionRule{
Node: "222",
Policy: PolicyDeny,
},
},
}},
},
expected: &Policy{PolicyRules: PolicyRules{
Sessions: []*SessionRule{
&SessionRule{
Node: "foo",
Policy: PolicyWrite,
},
&SessionRule{
Node: "bar",
Policy: PolicyRead,
},
&SessionRule{
Node: "baz",
Policy: PolicyDeny,
},
},
SessionPrefixes: []*SessionRule{
&SessionRule{
Node: "000",
Policy: PolicyWrite,
},
&SessionRule{
Node: "111",
Policy: PolicyRead,
},
&SessionRule{
Node: "222",
Policy: PolicyDeny,
},
},
}},
},
{
name: "Prepared Queries",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
PreparedQueries: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "bar",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "baz",
Policy: PolicyWrite,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "000",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "111",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "222",
Policy: PolicyWrite,
},
},
}},
&Policy{PolicyRules: PolicyRules{
PreparedQueries: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "foo",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "baz",
Policy: PolicyDeny,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "000",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "222",
Policy: PolicyDeny,
},
},
}},
},
expected: &Policy{PolicyRules: PolicyRules{
PreparedQueries: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "foo",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "bar",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "baz",
Policy: PolicyDeny,
},
},
PreparedQueryPrefixes: []*PreparedQueryRule{
&PreparedQueryRule{
Prefix: "000",
Policy: PolicyWrite,
},
&PreparedQueryRule{
Prefix: "111",
Policy: PolicyRead,
},
&PreparedQueryRule{
Prefix: "222",
Policy: PolicyDeny,
},
},
}},
},
{
name: "Write Precedence",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
ACL: PolicyRead,
Keyring: PolicyRead,
Operator: PolicyRead,
}},
&Policy{PolicyRules: PolicyRules{
ACL: PolicyWrite,
Keyring: PolicyWrite,
Operator: PolicyWrite,
}},
},
expected: &Policy{PolicyRules: PolicyRules{
ACL: PolicyWrite,
Keyring: PolicyWrite,
Operator: PolicyWrite,
}},
},
{
name: "Deny Precedence",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
ACL: PolicyWrite,
Keyring: PolicyWrite,
Operator: PolicyWrite,
}},
&Policy{PolicyRules: PolicyRules{
ACL: PolicyDeny,
Keyring: PolicyDeny,
Operator: PolicyDeny,
}},
},
expected: &Policy{PolicyRules: PolicyRules{
ACL: PolicyDeny,
Keyring: PolicyDeny,
Operator: PolicyDeny,
}},
},
{
name: "Read Precedence",
input: []*Policy{
&Policy{PolicyRules: PolicyRules{
ACL: PolicyRead,
Keyring: PolicyRead,
Operator: PolicyRead,
}},
&Policy{},
},
expected: &Policy{PolicyRules: PolicyRules{
ACL: PolicyRead,
Keyring: PolicyRead,
Operator: PolicyRead,
}},
},
}
req := require.New(t)
for _, tcase := range tests {
t.Run(tcase.name, func(t *testing.T) {
act := MergePolicies(tcase.input)
exp := tcase.expected
req.Equal(exp.ACL, act.ACL)
req.Equal(exp.Keyring, act.Keyring)
req.Equal(exp.Operator, act.Operator)
req.ElementsMatch(exp.Agents, act.Agents)
req.ElementsMatch(exp.AgentPrefixes, act.AgentPrefixes)
req.ElementsMatch(exp.Events, act.Events)
req.ElementsMatch(exp.EventPrefixes, act.EventPrefixes)
req.ElementsMatch(exp.Keys, act.Keys)
req.ElementsMatch(exp.KeyPrefixes, act.KeyPrefixes)
req.ElementsMatch(exp.Nodes, act.Nodes)
req.ElementsMatch(exp.NodePrefixes, act.NodePrefixes)
req.ElementsMatch(exp.PreparedQueries, act.PreparedQueries)
req.ElementsMatch(exp.PreparedQueryPrefixes, act.PreparedQueryPrefixes)
req.ElementsMatch(exp.Services, act.Services)
req.ElementsMatch(exp.ServicePrefixes, act.ServicePrefixes)
req.ElementsMatch(exp.Sessions, act.Sessions)
req.ElementsMatch(exp.SessionPrefixes, act.SessionPrefixes)
})
}
}
func TestRulesTranslate(t *testing.T) {
input := `
# top level comment
# block comment
agent "" {
# policy comment
policy = "write"
}
# block comment
key "" {
# policy comment
policy = "write"
}
# block comment
node "" {
# policy comment
policy = "write"
}
# block comment
event "" {
# policy comment
policy = "write"
}
# block comment
service "" {
# policy comment
policy = "write"
}
# block comment
session "" {
# policy comment
policy = "write"
}
# block comment
query "" {
# policy comment
policy = "write"
}
# comment
keyring = "write"
# comment
operator = "write"
`
expected := `
# top level comment
# block comment
agent_prefix "" {
# policy comment
policy = "write"
}
# block comment
key_prefix "" {
# policy comment
policy = "write"
}
# block comment
node_prefix "" {
# policy comment
policy = "write"
}
# block comment
event_prefix "" {
# policy comment
policy = "write"
}
# block comment
service_prefix "" {
# policy comment
policy = "write"
}
# block comment
session_prefix "" {
# policy comment
policy = "write"
}
# block comment
query_prefix "" {
# policy comment
policy = "write"
}
# comment
keyring = "write"
# comment
operator = "write"
`
output, err := TranslateLegacyRules([]byte(input))
require.NoError(t, err)
require.Equal(t, strings.Trim(expected, "\n"), string(output))
}
func TestRulesTranslate_GH5493(t *testing.T) {
input := `
{
"key": {
"": {
"policy": "read"
},
"key": {
"policy": "read"
},
"policy": {
"policy": "read"
},
"privatething1/": {
"policy": "deny"
},
"anapplication/private/": {
"policy": "deny"
},
"privatething2/": {
"policy": "deny"
}
},
"session": {
"": {
"policy": "write"
}
},
"node": {
"": {
"policy": "read"
}
},
"agent": {
"": {
"policy": "read"
}
},
"service": {
"": {
"policy": "read"
}
},
"event": {
"": {
"policy": "read"
}
},
"query": {
"": {
"policy": "read"
}
}
}`
expected := `
key_prefix "" {
policy = "read"
}
key_prefix "key" {
policy = "read"
}
key_prefix "policy" {
policy = "read"
}
key_prefix "privatething1/" {
policy = "deny"
}
key_prefix "anapplication/private/" {
policy = "deny"
}
key_prefix "privatething2/" {
policy = "deny"
}
session_prefix "" {
policy = "write"
}
node_prefix "" {
policy = "read"
}
agent_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
event_prefix "" {
policy = "read"
}
query_prefix "" {
policy = "read"
}
`
output, err := TranslateLegacyRules([]byte(input))
require.NoError(t, err)
require.Equal(t, strings.Trim(expected, "\n"), string(output))
}
func TestPrecedence(t *testing.T) {
type testCase struct {
name string
a string
b string
expected bool
}
cases := []testCase{
{
name: "Deny Over Write",
a: PolicyDeny,
b: PolicyWrite,
expected: true,
},
{
name: "Deny Over List",
a: PolicyDeny,
b: PolicyList,
expected: true,
},
{
name: "Deny Over Read",
a: PolicyDeny,
b: PolicyRead,
expected: true,
},
{
name: "Deny Over Unknown",
a: PolicyDeny,
b: "not a policy",
expected: true,
},
{
name: "Write Over List",
a: PolicyWrite,
b: PolicyList,
expected: true,
},
{
name: "Write Over Read",
a: PolicyWrite,
b: PolicyRead,
expected: true,
},
{
name: "Write Over Unknown",
a: PolicyWrite,
b: "not a policy",
expected: true,
},
{
name: "List Over Read",
a: PolicyList,
b: PolicyRead,
expected: true,
},
{
name: "List Over Unknown",
a: PolicyList,
b: "not a policy",
expected: true,
},
{
name: "Read Over Unknown",
a: PolicyRead,
b: "not a policy",
expected: true,
},
{
name: "Write Over Deny",
a: PolicyWrite,
b: PolicyDeny,
expected: false,
},
{
name: "List Over Deny",
a: PolicyList,
b: PolicyDeny,
expected: false,
},
{
name: "Read Over Deny",
a: PolicyRead,
b: PolicyDeny,
expected: false,
},
{
name: "Deny Over Unknown",
a: PolicyDeny,
b: "not a policy",
expected: true,
},
{
name: "List Over Write",
a: PolicyList,
b: PolicyWrite,
expected: false,
},
{
name: "Read Over Write",
a: PolicyRead,
b: PolicyWrite,
expected: false,
},
{
name: "Unknown Over Write",
a: "not a policy",
b: PolicyWrite,
expected: false,
},
{
name: "Read Over List",
a: PolicyRead,
b: PolicyList,
expected: false,
},
{
name: "Unknown Over List",
a: "not a policy",
b: PolicyList,
expected: false,
},
{
name: "Unknown Over Read",
a: "not a policy",
b: PolicyRead,
expected: false,
},
}
for _, tcase := range cases {
t.Run(tcase.name, func(t *testing.T) {
require.Equal(t, tcase.expected, takesPrecedenceOver(tcase.a, tcase.b))
})
}
}
Reference in a new issue View git blame Copy permalink