2023-04-10 15:36:59 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2017-09-15 04:55:25 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
2023-02-07 11:05:41 +00:00
|
|
|
"encoding/json"
|
2017-09-15 04:55:25 +00:00
|
|
|
"testing"
|
|
|
|
|
2022-08-17 13:49:52 +00:00
|
|
|
"github.com/hashicorp/nomad/api"
|
2022-03-15 12:42:43 +00:00
|
|
|
"github.com/hashicorp/nomad/ci"
|
2017-09-15 04:55:25 +00:00
|
|
|
"github.com/hashicorp/nomad/command/agent"
|
|
|
|
"github.com/mitchellh/cli"
|
2022-08-17 20:22:26 +00:00
|
|
|
"github.com/shoenig/test/must"
|
2022-07-20 08:06:23 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2017-09-15 04:55:25 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestACLTokenCreateCommand(t *testing.T) {
|
2022-03-15 12:42:43 +00:00
|
|
|
ci.Parallel(t)
|
2022-07-20 08:06:23 +00:00
|
|
|
|
2017-09-15 04:55:25 +00:00
|
|
|
config := func(c *agent.Config) {
|
|
|
|
c.ACL.Enabled = true
|
|
|
|
}
|
|
|
|
|
|
|
|
srv, _, url := testServer(t, true, config)
|
2022-12-21 14:23:58 +00:00
|
|
|
defer srv.Shutdown()
|
2017-09-15 04:55:25 +00:00
|
|
|
|
|
|
|
// Bootstrap an initial ACL token
|
2017-10-04 22:06:21 +00:00
|
|
|
token := srv.RootToken
|
2022-08-17 20:22:26 +00:00
|
|
|
must.NotNil(t, token)
|
2017-09-15 04:55:25 +00:00
|
|
|
|
2020-10-05 14:07:41 +00:00
|
|
|
ui := cli.NewMockUi()
|
2017-09-15 04:55:25 +00:00
|
|
|
cmd := &ACLTokenCreateCommand{Meta: Meta{Ui: ui, flagAddress: url}}
|
|
|
|
|
2017-09-15 18:08:46 +00:00
|
|
|
// Request to create a new token without providing a valid management token
|
2020-06-25 16:59:25 +00:00
|
|
|
code := cmd.Run([]string{"-address=" + url, "-token=foo", "-policy=foo", "-type=client"})
|
2022-08-17 20:22:26 +00:00
|
|
|
must.One(t, code)
|
2017-09-15 04:55:25 +00:00
|
|
|
|
2022-07-20 08:06:23 +00:00
|
|
|
// Request to create a new token with a valid management token that does
|
|
|
|
// not have an expiry set.
|
2020-06-25 16:59:25 +00:00
|
|
|
code = cmd.Run([]string{"-address=" + url, "-token=" + token.SecretID, "-policy=foo", "-type=client"})
|
2022-07-20 08:06:23 +00:00
|
|
|
require.Equal(t, 0, code)
|
2017-09-15 04:55:25 +00:00
|
|
|
|
|
|
|
// Check the output
|
|
|
|
out := ui.OutputWriter.String()
|
2022-07-20 08:06:23 +00:00
|
|
|
require.Contains(t, out, "[foo]")
|
2022-08-24 14:14:49 +00:00
|
|
|
require.Contains(t, out, "Expiry Time = <none>")
|
2022-07-20 08:06:23 +00:00
|
|
|
|
|
|
|
ui.OutputWriter.Reset()
|
|
|
|
ui.ErrorWriter.Reset()
|
|
|
|
|
2023-02-07 11:05:41 +00:00
|
|
|
// Test with a no-expiry token and -json/-t flag
|
|
|
|
testCasesNoTTL := []string{"-json", "-t='{{ .Policies }}'"}
|
|
|
|
var jsonMap map[string]interface{}
|
|
|
|
for _, outputFormatFlag := range testCasesNoTTL {
|
|
|
|
code = cmd.Run([]string{"-address=" + url, "-token=" + token.SecretID, "-policy=foo", "-type=client", outputFormatFlag})
|
|
|
|
require.Equal(t, 0, code)
|
|
|
|
|
|
|
|
// Check the output
|
|
|
|
out = ui.OutputWriter.String()
|
|
|
|
require.Contains(t, out, "foo")
|
|
|
|
if outputFormatFlag == "-json" {
|
|
|
|
err := json.Unmarshal([]byte(out), &jsonMap)
|
|
|
|
require.Nil(t, err, "Output not in JSON format")
|
|
|
|
}
|
|
|
|
|
|
|
|
ui.OutputWriter.Reset()
|
|
|
|
ui.ErrorWriter.Reset()
|
|
|
|
}
|
|
|
|
|
2022-07-20 08:06:23 +00:00
|
|
|
// Create a new token that has an expiry TTL set and check the response.
|
|
|
|
code = cmd.Run([]string{"-address=" + url, "-token=" + token.SecretID, "-type=management", "-ttl=10m"})
|
|
|
|
require.Equal(t, 0, code)
|
|
|
|
|
|
|
|
out = ui.OutputWriter.String()
|
2022-08-24 14:14:49 +00:00
|
|
|
require.NotContains(t, out, "Expiry Time = <none>")
|
2023-02-07 11:05:41 +00:00
|
|
|
ui.OutputWriter.Reset()
|
|
|
|
ui.ErrorWriter.Reset()
|
|
|
|
|
|
|
|
// Test with a token that has expiry TTL set and -json/-t flag
|
|
|
|
testCasesWithTTL := [][]string{{"-json", "ExpirationTTL"}, {"-t='{{ .ExpirationTTL }}'", "10m0s"}}
|
|
|
|
for _, outputFormatFlag := range testCasesWithTTL {
|
|
|
|
code = cmd.Run([]string{"-address=" + url, "-token=" + token.SecretID, "-type=management", "-ttl=10m", outputFormatFlag[0]})
|
|
|
|
require.Equal(t, 0, code)
|
|
|
|
|
|
|
|
// Check the output
|
|
|
|
out = ui.OutputWriter.String()
|
|
|
|
if outputFormatFlag[0] == "-json" {
|
|
|
|
err := json.Unmarshal([]byte(out), &jsonMap)
|
|
|
|
require.Nil(t, err, "Output not in JSON format")
|
|
|
|
}
|
|
|
|
require.Contains(t, out, outputFormatFlag[1])
|
|
|
|
ui.OutputWriter.Reset()
|
|
|
|
ui.ErrorWriter.Reset()
|
|
|
|
}
|
2017-09-15 04:55:25 +00:00
|
|
|
}
|
2022-08-17 13:49:52 +00:00
|
|
|
|
|
|
|
func Test_generateACLTokenRoleLinks(t *testing.T) {
|
|
|
|
ci.Parallel(t)
|
|
|
|
|
|
|
|
inputRoleNames := []string{
|
|
|
|
"duplicate",
|
|
|
|
"policy1",
|
|
|
|
"policy2",
|
|
|
|
"duplicate",
|
|
|
|
}
|
|
|
|
inputRoleIDs := []string{
|
|
|
|
"77a780d8-2dee-7c7f-7822-6f5471c5cbb2",
|
|
|
|
"56850b06-a343-a772-1a5c-ad083fd8a50e",
|
|
|
|
"77a780d8-2dee-7c7f-7822-6f5471c5cbb2",
|
|
|
|
"77a780d8-2dee-7c7f-7822-6f5471c5cbb2",
|
|
|
|
}
|
|
|
|
expectedOutput := []*api.ACLTokenRoleLink{
|
|
|
|
{Name: "duplicate"},
|
|
|
|
{Name: "policy1"},
|
|
|
|
{Name: "policy2"},
|
|
|
|
{ID: "77a780d8-2dee-7c7f-7822-6f5471c5cbb2"},
|
|
|
|
{ID: "56850b06-a343-a772-1a5c-ad083fd8a50e"},
|
|
|
|
}
|
|
|
|
require.ElementsMatch(t, generateACLTokenRoleLinks(inputRoleNames, inputRoleIDs), expectedOutput)
|
|
|
|
}
|