package acl
import (
"fmt"
"strings"
"testing"
"github.com/hashicorp/nomad/ci"
"github.com/stretchr/testify/assert"
)
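// TestParse feeds HCL policy documents to Parse and checks either the
// resulting *Policy (success cases) or that the returned error contains the
// expected substring (rejection cases). A success case must carry an Expect
// value; the loop fails the subtest explicitly if one is missing instead of
// dereferencing a nil pointer.
func TestParse(t *testing.T) {
	ci.Parallel(t)

	type tcase struct {
		Raw    string  // policy document handed to Parse
		ErrStr string  // substring the error must contain; "" means Parse must succeed
		Expect *Policy // expected result for success cases; Raw is filled in by the loop
	}
	tcases := []tcase{
		// A namespace "policy" keyword is expanded into its implied
		// capability set on the parsed policy.
		{
			`
			namespace "default" {
				policy = "read"
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: PolicyRead,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityParseJob,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
						},
					},
				},
			},
		},
		// Several namespaces plus every top-level block type in one document.
		{
			`
			namespace "default" {
				policy = "read"
			}
			namespace "other" {
				policy = "write"
			}
			namespace "secret" {
				capabilities = ["deny", "read-logs"]
			}
			namespace "apps" {
				secure_variables {
					path "jobs/write-does-not-imply-read-or-delete" {
						capabilities = ["write"]
					}
					path "project/read-implies-list" {
						capabilities = ["read"]
					}
					path "project/explicit" {
						capabilities = ["read", "list", "destroy"]
					}
				}
			}
			namespace "autoscaler" {
				policy = "scale"
			}
			agent {
				policy = "read"
			}
			node {
				policy = "write"
			}
			operator {
				policy = "deny"
			}
			quota {
				policy = "read"
			}
			plugin {
				policy = "read"
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: PolicyRead,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityParseJob,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
						},
					},
					{
						Name:   "other",
						Policy: PolicyWrite,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityParseJob,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
							NamespaceCapabilityScaleJob,
							NamespaceCapabilitySubmitJob,
							NamespaceCapabilityDispatchJob,
							NamespaceCapabilityReadLogs,
							NamespaceCapabilityReadFS,
							NamespaceCapabilityAllocExec,
							NamespaceCapabilityAllocLifecycle,
							NamespaceCapabilityCSIMountVolume,
							NamespaceCapabilityCSIWriteVolume,
							NamespaceCapabilitySubmitRecommendation,
						},
					},
					// Explicit capabilities with no policy keyword are kept
					// as written; nothing is expanded or filtered at parse time.
					{
						Name: "secret",
						Capabilities: []string{
							NamespaceCapabilityDeny,
							NamespaceCapabilityReadLogs,
						},
					},
					// Secure variable paths: "write" stays write-only, while
					// "read" is expanded to read+list.
					{
						Name: "apps",
						SecureVariables: &SecureVariablesPolicy{
							Paths: []*SecureVariablesPathPolicy{
								{
									PathSpec:     "jobs/write-does-not-imply-read-or-delete",
									Capabilities: []string{SecureVariablesCapabilityWrite},
								},
								{
									PathSpec: "project/read-implies-list",
									Capabilities: []string{
										SecureVariablesCapabilityRead,
										SecureVariablesCapabilityList,
									},
								},
								{
									PathSpec: "project/explicit",
									Capabilities: []string{
										SecureVariablesCapabilityRead,
										SecureVariablesCapabilityList,
										SecureVariablesCapabilityDestroy,
									},
								},
							},
						},
					},
					{
						Name:   "autoscaler",
						Policy: PolicyScale,
						Capabilities: []string{
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityScaleJob,
						},
					},
				},
				Agent:    &AgentPolicy{Policy: PolicyRead},
				Node:     &NodePolicy{Policy: PolicyWrite},
				Operator: &OperatorPolicy{Policy: PolicyDeny},
				Quota:    &QuotaPolicy{Policy: PolicyRead},
				Plugin:   &PluginPolicy{Policy: PolicyRead},
			},
		},
		// Unknown policy keywords are rejected per block type.
		{
			`
			namespace "default" {
				policy = "foo"
			}
			`,
			"Invalid namespace policy",
			nil,
		},
		// A secure_variables block must declare at least one path.
		{
			`
			namespace "dev" {
				secure_variables "*" {
					capabilities = ["read", "write"]
				}
			}
			`,
			"Invalid secure variable policy: no secure variable paths in namespace dev",
			nil,
		},
		// One unknown entry invalidates the whole capability list.
		{
			`
			namespace "default" {
				capabilities = ["deny", "foo"]
			}
			`,
			"Invalid namespace capability",
			nil,
		},
		{
			`
			agent {
				policy = "foo"
			}
			`,
			"Invalid agent policy",
			nil,
		},
		{
			`
			node {
				policy = "foo"
			}
			`,
			"Invalid node policy",
			nil,
		},
		{
			`
			operator {
				policy = "foo"
			}
			`,
			"Invalid operator policy",
			nil,
		},
		{
			`
			quota {
				policy = "foo"
			}
			`,
			"Invalid quota policy",
			nil,
		},
		// A JSON policy envelope (Name/Description/Rules) is not a rules
		// document and must not be accepted as one.
		{
			`
			{
				"Name": "my-policy",
				"Description": "This is a great policy",
				"Rules": "anything"
			}
			`,
			"Invalid policy",
			nil,
		},
		// Namespace names are validated; whitespace is rejected.
		{
			`
			namespace "has a space"{
				policy = "read"
			}
			`,
			"Invalid namespace name",
			nil,
		},
		// sentinel-override is a bare capability with no policy keyword.
		{
			`
			namespace "default" {
				capabilities = ["sentinel-override"]
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: "",
						Capabilities: []string{
							NamespaceCapabilitySentinelOverride,
						},
					},
				},
			},
		},
		// Host volume blocks accept glob-style names and mount capabilities.
		{
			`
			host_volume "production-tls-*" {
				capabilities = ["mount-readonly"]
			}
			`,
			"",
			&Policy{
				HostVolumes: []*HostVolumePolicy{
					{
						Name:   "production-tls-*",
						Policy: "",
						Capabilities: []string{
							HostVolumeCapabilityMountReadOnly,
						},
					},
				},
			},
		},
		{
			`
			host_volume "production-tls-*" {
				capabilities = ["mount-readwrite"]
			}
			`,
			"",
			&Policy{
				HostVolumes: []*HostVolumePolicy{
					{
						Name:   "production-tls-*",
						Policy: "",
						Capabilities: []string{
							HostVolumeCapabilityMountReadWrite,
						},
					},
				},
			},
		},
		// Host volume names are validated like namespace names.
		{
			`
			host_volume "volume has a space" {
				capabilities = ["mount-readwrite"]
			}
			`,
			"Invalid host volume name",
			nil,
		},
		{
			`
			plugin {
				policy = "list"
			}
			`,
			"",
			&Policy{
				Plugin: &PluginPolicy{
					Policy: PolicyList,
				},
			},
		},
		{
			`
			plugin {
				policy = "reader"
			}
			`,
			"Invalid plugin policy",
			nil,
		},
	}

	for idx, tc := range tcases {
		t.Run(fmt.Sprintf("%d", idx), func(t *testing.T) {
			p, err := Parse(tc.Raw)
			if err != nil {
				if tc.ErrStr == "" {
					t.Fatalf("Unexpected err: %v", err)
				}
				// The error was expected; report what it should have contained
				// so a mismatch is distinguishable from an unexpected error.
				if !strings.Contains(err.Error(), tc.ErrStr) {
					t.Fatalf("Unexpected err: %v, expected to contain %q", err, tc.ErrStr)
				}
				return
			}
			// Parse succeeded, so the case must have been a success case.
			if tc.ErrStr != "" {
				t.Fatalf("Missing expected err")
			}
			if tc.Expect == nil {
				t.Fatalf("test case has no expected policy for a successful parse")
			}
			// Parse keeps the source text in Policy.Raw; mirror it so the
			// comparison covers the whole struct.
			tc.Expect.Raw = tc.Raw
			assert.EqualValues(t, tc.Expect, p)
		})
	}
}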
// TestParse_BadInput checks that malformed policy text is rejected by Parse
// with a non-nil error instead of being accepted.
func TestParse_BadInput(t *testing.T) {
	ci.Parallel(t)

	// Each entry is a complete document Parse must refuse. The one case here
	// is a namespace label whose string literal carries an escape sequence
	// the policy lexer does not accept (presumably; confirm against Parse).
	badDocs := []string{
		`namespace "\500" {}`,
	}

	for idx, doc := range badDocs {
		name := fmt.Sprintf("%d: %v", idx, doc)
		t.Run(name, func(t *testing.T) {
			_, parseErr := Parse(doc)
			assert.Error(t, parseErr)
		})
	}
}