648 lines
16 KiB
Go
648 lines
16 KiB
Go
package authmethodupdate
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/consul/agent"
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
"github.com/hashicorp/consul/api"
|
|
"github.com/hashicorp/consul/command/acl"
|
|
"github.com/hashicorp/consul/logger"
|
|
"github.com/hashicorp/consul/sdk/testutil"
|
|
"github.com/hashicorp/consul/testrpc"
|
|
"github.com/hashicorp/go-uuid"
|
|
"github.com/mitchellh/cli"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
// activate testing auth method
|
|
_ "github.com/hashicorp/consul/agent/consul/authmethod/testauth"
|
|
)
|
|
|
|
func TestAuthMethodUpdateCommand_noTabs(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
|
|
t.Fatal("help has tabs")
|
|
}
|
|
}
|
|
|
|
func TestAuthMethodUpdateCommand(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testDir := testutil.TempDir(t, "acl")
|
|
defer os.RemoveAll(testDir)
|
|
|
|
a := agent.NewTestAgent(t, t.Name(), `
|
|
primary_datacenter = "dc1"
|
|
acl {
|
|
enabled = true
|
|
tokens {
|
|
master = "root"
|
|
}
|
|
}`)
|
|
|
|
a.Agent.LogWriter = logger.NewLogWriter(512)
|
|
|
|
defer a.Shutdown()
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
client := a.Client()
|
|
|
|
t.Run("update without name", func(t *testing.T) {
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Cannot update an auth method without specifying the -name parameter")
|
|
})
|
|
|
|
t.Run("update nonexistent method", func(t *testing.T) {
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=test",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Auth method not found with name")
|
|
})
|
|
|
|
createAuthMethod := func(t *testing.T) string {
|
|
id, err := uuid.GenerateUUID()
|
|
require.NoError(t, err)
|
|
|
|
methodName := "test-" + id
|
|
|
|
_, _, err = client.ACL().AuthMethodCreate(
|
|
&api.ACLAuthMethod{
|
|
Name: methodName,
|
|
Type: "testing",
|
|
Description: "test",
|
|
},
|
|
&api.WriteOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
return methodName
|
|
}
|
|
|
|
t.Run("update all fields", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
})
|
|
}
|
|
|
|
func TestAuthMethodUpdateCommand_noMerge(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testDir := testutil.TempDir(t, "acl")
|
|
defer os.RemoveAll(testDir)
|
|
|
|
a := agent.NewTestAgent(t, t.Name(), `
|
|
primary_datacenter = "dc1"
|
|
acl {
|
|
enabled = true
|
|
tokens {
|
|
master = "root"
|
|
}
|
|
}`)
|
|
|
|
a.Agent.LogWriter = logger.NewLogWriter(512)
|
|
|
|
defer a.Shutdown()
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
client := a.Client()
|
|
|
|
t.Run("update without name", func(t *testing.T) {
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Cannot update an auth method without specifying the -name parameter")
|
|
})
|
|
|
|
t.Run("update nonexistent method", func(t *testing.T) {
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=test",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Auth method not found with name")
|
|
})
|
|
|
|
createAuthMethod := func(t *testing.T) string {
|
|
id, err := uuid.GenerateUUID()
|
|
require.NoError(t, err)
|
|
|
|
methodName := "test-" + id
|
|
|
|
_, _, err = client.ACL().AuthMethodCreate(
|
|
&api.ACLAuthMethod{
|
|
Name: methodName,
|
|
Type: "testing",
|
|
Description: "test",
|
|
},
|
|
&api.WriteOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
return methodName
|
|
}
|
|
|
|
t.Run("update all fields", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
})
|
|
}
|
|
|
|
func TestAuthMethodUpdateCommand_k8s(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testDir := testutil.TempDir(t, "acl")
|
|
defer os.RemoveAll(testDir)
|
|
|
|
a := agent.NewTestAgent(t, t.Name(), `
|
|
primary_datacenter = "dc1"
|
|
acl {
|
|
enabled = true
|
|
tokens {
|
|
master = "root"
|
|
}
|
|
}`)
|
|
|
|
a.Agent.LogWriter = logger.NewLogWriter(512)
|
|
|
|
defer a.Shutdown()
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
client := a.Client()
|
|
|
|
ca := connect.TestCA(t, nil)
|
|
ca2 := connect.TestCA(t, nil)
|
|
|
|
createAuthMethod := func(t *testing.T) string {
|
|
id, err := uuid.GenerateUUID()
|
|
require.NoError(t, err)
|
|
|
|
methodName := "k8s-" + id
|
|
|
|
_, _, err = client.ACL().AuthMethodCreate(
|
|
&api.ACLAuthMethod{
|
|
Name: methodName,
|
|
Type: "kubernetes",
|
|
Description: "test",
|
|
Config: map[string]interface{}{
|
|
"Host": "https://foo.internal:8443",
|
|
"CACert": ca.RootCert,
|
|
"ServiceAccountJWT": acl.TestKubernetesJWT_A,
|
|
},
|
|
},
|
|
&api.WriteOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
return methodName
|
|
}
|
|
|
|
t.Run("update all fields", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
|
|
ca2File := filepath.Join(testDir, "ca2.crt")
|
|
require.NoError(t, ioutil.WriteFile(ca2File, []byte(ca2.RootCert), 0600))
|
|
|
|
t.Run("update all fields with cert file", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", "@" + ca2File,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
|
|
t.Run("update all fields but k8s host", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
|
|
t.Run("update all fields but k8s ca cert", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
|
|
t.Run("update all fields but k8s jwt", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_A, config.ServiceAccountJWT)
|
|
})
|
|
}
|
|
|
|
func TestAuthMethodUpdateCommand_k8s_noMerge(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testDir := testutil.TempDir(t, "acl")
|
|
defer os.RemoveAll(testDir)
|
|
|
|
a := agent.NewTestAgent(t, t.Name(), `
|
|
primary_datacenter = "dc1"
|
|
acl {
|
|
enabled = true
|
|
tokens {
|
|
master = "root"
|
|
}
|
|
}`)
|
|
|
|
a.Agent.LogWriter = logger.NewLogWriter(512)
|
|
|
|
defer a.Shutdown()
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
client := a.Client()
|
|
|
|
ca := connect.TestCA(t, nil)
|
|
ca2 := connect.TestCA(t, nil)
|
|
|
|
createAuthMethod := func(t *testing.T) string {
|
|
id, err := uuid.GenerateUUID()
|
|
require.NoError(t, err)
|
|
|
|
methodName := "k8s-" + id
|
|
|
|
_, _, err = client.ACL().AuthMethodCreate(
|
|
&api.ACLAuthMethod{
|
|
Name: methodName,
|
|
Type: "kubernetes",
|
|
Description: "test",
|
|
Config: map[string]interface{}{
|
|
"Host": "https://foo.internal:8443",
|
|
"CACert": ca.RootCert,
|
|
"ServiceAccountJWT": acl.TestKubernetesJWT_A,
|
|
},
|
|
},
|
|
&api.WriteOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
|
|
return methodName
|
|
}
|
|
|
|
t.Run("update missing k8s host", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-kubernetes-host' flag")
|
|
})
|
|
|
|
t.Run("update missing k8s ca cert", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-kubernetes-ca-cert' flag")
|
|
})
|
|
|
|
t.Run("update missing k8s jwt", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 1)
|
|
require.Contains(t, ui.ErrorWriter.String(), "Missing required '-kubernetes-service-account-jwt' flag")
|
|
})
|
|
|
|
t.Run("update all fields", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", ca2.RootCert,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
|
|
ca2File := filepath.Join(testDir, "ca2.crt")
|
|
require.NoError(t, ioutil.WriteFile(ca2File, []byte(ca2.RootCert), 0600))
|
|
|
|
t.Run("update all fields with cert file", func(t *testing.T) {
|
|
name := createAuthMethod(t)
|
|
|
|
args := []string{
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
"-token=root",
|
|
"-no-merge",
|
|
"-name=" + name,
|
|
"-description", "updated description",
|
|
"-kubernetes-host", "https://foo-new.internal:8443",
|
|
"-kubernetes-ca-cert", "@" + ca2File,
|
|
"-kubernetes-service-account-jwt", acl.TestKubernetesJWT_B,
|
|
}
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := New(ui)
|
|
|
|
code := cmd.Run(args)
|
|
require.Equal(t, code, 0)
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
method, _, err := client.ACL().AuthMethodRead(
|
|
name,
|
|
&api.QueryOptions{Token: "root"},
|
|
)
|
|
require.NoError(t, err)
|
|
require.NotNil(t, method)
|
|
require.Equal(t, "updated description", method.Description)
|
|
|
|
config, err := api.ParseKubernetesAuthMethodConfig(method.Config)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, "https://foo-new.internal:8443", config.Host)
|
|
require.Equal(t, ca2.RootCert, config.CACert)
|
|
require.Equal(t, acl.TestKubernetesJWT_B, config.ServiceAccountJWT)
|
|
})
|
|
}
|