open-nomad/client/vaultclient/vaultclient_testing.go

package vaultclient

import (
	"sync"

	"github.com/hashicorp/nomad/helper/uuid"
	"github.com/hashicorp/nomad/nomad/structs"
	vaultapi "github.com/hashicorp/vault/api"
)

// MockVaultClient is used for testing the vaultclient integration and is safe
// for concurrent access.
type MockVaultClient struct {
	// stoppedTokens tracks the tokens that have stopped renewing
	stoppedTokens []string

	// renewTokens are the tokens that have been renewed and their error
	// channels
	renewTokens map[string]chan error

	// renewTokenErrors is used to return an error when the RenewToken is called
	// with the given token
	renewTokenErrors map[string]error

	// deriveTokenErrors maps an allocation ID and tasks to an error when the
	// token is derived
	deriveTokenErrors map[string]map[string]error

	// DeriveTokenFn allows the caller to control the DeriveToken function. If
	// not set an error is returned if found in DeriveTokenErrors and otherwise
	// a token is generated and returned
	DeriveTokenFn func(a *structs.Allocation, tasks []string) (map[string]string, error)

	mu sync.Mutex
}

// NewMockVaultClient returns a MockVaultClient for testing
func NewMockVaultClient() *MockVaultClient { return &MockVaultClient{} }

func (vc *MockVaultClient) DeriveToken(a *structs.Allocation, tasks []string) (map[string]string, error) {
	vc.mu.Lock()
	defer vc.mu.Unlock()

	if vc.DeriveTokenFn != nil {
		return vc.DeriveTokenFn(a, tasks)
	}

	tokens := make(map[string]string, len(tasks))
	for _, task := range tasks {
		if tasks, ok := vc.deriveTokenErrors[a.ID]; ok {
			if err, ok := tasks[task]; ok {
				return nil, err
			}
		}

		tokens[task] = uuid.Generate()
	}

	return tokens, nil
}

func (vc *MockVaultClient) SetDeriveTokenError(allocID string, tasks []string, err error) {
	vc.mu.Lock()
	defer vc.mu.Unlock()

	if vc.deriveTokenErrors == nil {
		vc.deriveTokenErrors = make(map[string]map[string]error, 10)
	}

	if _, ok := vc.deriveTokenErrors[allocID]; !ok {
		vc.deriveTokenErrors[allocID] = make(map[string]error, 10)
	}

	for _, task := range tasks {
		vc.deriveTokenErrors[allocID][task] = err
	}
}

func (vc *MockVaultClient) RenewToken(token string, interval int) (<-chan error, error) {
	vc.mu.Lock()
	defer vc.mu.Unlock()

	if err, ok := vc.renewTokenErrors[token]; ok {
		return nil, err
	}

	renewCh := make(chan error)
	if vc.renewTokens == nil {
		vc.renewTokens = make(map[string]chan error, 10)
	}
	vc.renewTokens[token] = renewCh
	return renewCh, nil
}

func (vc *MockVaultClient) SetRenewTokenError(token string, err error) {
	vc.mu.Lock()
	defer vc.mu.Unlock()

	if vc.renewTokenErrors == nil {
		vc.renewTokenErrors = make(map[string]error, 10)
	}

	vc.renewTokenErrors[token] = err
}

func (vc *MockVaultClient) StopRenewToken(token string) error {
	vc.mu.Lock()
	defer vc.mu.Unlock()

	vc.stoppedTokens = append(vc.stoppedTokens, token)
	return nil
}

func (vc *MockVaultClient) Start() {}

func (vc *MockVaultClient) Stop() {}

func (vc *MockVaultClient) GetConsulACL(string, string) (*vaultapi.Secret, error) { return nil, nil }

// StoppedTokens tracks the tokens that have stopped renewing
func (vc *MockVaultClient) StoppedTokens() []string {
	vc.mu.Lock()
	defer vc.mu.Unlock()
	return vc.stoppedTokens
}

// RenewTokens are the tokens that have been renewed and their error
// channels
func (vc *MockVaultClient) RenewTokens() map[string]chan error {
	vc.mu.Lock()
	defer vc.mu.Unlock()
	return vc.renewTokens
}

// RenewTokenErrors is used to return an error when the RenewToken is called
// with the given token
func (vc *MockVaultClient) RenewTokenErrors() map[string]error {
	vc.mu.Lock()
	defer vc.mu.Unlock()
	return vc.renewTokenErrors
}

// DeriveTokenErrors maps an allocation ID and tasks to an error when the
// token is derived
func (vc *MockVaultClient) DeriveTokenErrors() map[string]map[string]error {
	vc.mu.Lock()
	defer vc.mu.Unlock()
	return vc.deriveTokenErrors
}
Alloc runner tests 2016-09-16 00:24:09 +00:00			`package vaultclient`

			`import (`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`"sync"`

Remove `structs` import from `api` Goes a step further and removes structs import from api's tests as well by moving GenerateUUID to its own package. 2017-09-29 16:58:48 +00:00			`"github.com/hashicorp/nomad/helper/uuid"`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`"github.com/hashicorp/nomad/nomad/structs"`
			`vaultapi "github.com/hashicorp/vault/api"`
			`)`

tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`// MockVaultClient is used for testing the vaultclient integration and is safe`
			`// for concurrent access.`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`type MockVaultClient struct {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`// stoppedTokens tracks the tokens that have stopped renewing`
			`stoppedTokens []string`
Alloc runner tests 2016-09-16 00:24:09 +00:00
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`// renewTokens are the tokens that have been renewed and their error`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`// channels`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`renewTokens map[string]chan error`
Alloc runner tests 2016-09-16 00:24:09 +00:00
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`// renewTokenErrors is used to return an error when the RenewToken is called`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`// with the given token`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`renewTokenErrors map[string]error`
Alloc runner tests 2016-09-16 00:24:09 +00:00
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`// deriveTokenErrors maps an allocation ID and tasks to an error when the`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`// token is derived`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`deriveTokenErrors map[string]map[string]error`
Tests 2016-10-18 18:22:16 +00:00
Comments 2016-10-18 18:36:04 +00:00			`// DeriveTokenFn allows the caller to control the DeriveToken function. If`
			`// not set an error is returned if found in DeriveTokenErrors and otherwise`
			`// a token is generated and returned`
Tests 2016-10-18 18:22:16 +00:00			`DeriveTokenFn func(a *structs.Allocation, tasks []string) (map[string]string, error)`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00
			`mu sync.Mutex`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

			`// NewMockVaultClient returns a MockVaultClient for testing`
			`func NewMockVaultClient() *MockVaultClient { return &MockVaultClient{} }`

			`func (vc MockVaultClient) DeriveToken(a structs.Allocation, tasks []string) (map[string]string, error) {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`

Tests 2016-10-18 18:22:16 +00:00			`if vc.DeriveTokenFn != nil {`
			`return vc.DeriveTokenFn(a, tasks)`
			`}`

Alloc runner tests 2016-09-16 00:24:09 +00:00			`tokens := make(map[string]string, len(tasks))`
			`for _, task := range tasks {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`if tasks, ok := vc.deriveTokenErrors[a.ID]; ok {`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`if err, ok := tasks[task]; ok {`
			`return nil, err`
			`}`
			`}`

Remove `structs` import from `api` Goes a step further and removes structs import from api's tests as well by moving GenerateUUID to its own package. 2017-09-29 16:58:48 +00:00			`tokens[task] = uuid.Generate()`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

			`return tokens, nil`
			`}`

			`func (vc *MockVaultClient) SetDeriveTokenError(allocID string, tasks []string, err error) {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`

			`if vc.deriveTokenErrors == nil {`
			`vc.deriveTokenErrors = make(map[string]map[string]error, 10)`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

nomad: proxy requests for Service Identity tokens between Clients and Consul Nomad jobs may be configured with a TaskGroup which contains a Service definition that is Consul Connect enabled. These service definitions end up establishing a Consul Connect Proxy Task (e.g. envoy, by default). In the case where Consul ACLs are enabled, a Service Identity token is required for these tasks to run & connect, etc. This changeset enables the Nomad Server to recieve RPC requests for the derivation of SI tokens on behalf of instances of Consul Connect using Tasks. Those tokens are then relayed back to the requesting Client, which then injects the tokens in the secrets directory of the Task. 2019-12-06 20:46:46 +00:00			`if _, ok := vc.deriveTokenErrors[allocID]; !ok {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.deriveTokenErrors[allocID] = make(map[string]error, 10)`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

			`for _, task := range tasks {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.deriveTokenErrors[allocID][task] = err`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`
			`}`

			`func (vc *MockVaultClient) RenewToken(token string, interval int) (<-chan error, error) {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`

			`if err, ok := vc.renewTokenErrors[token]; ok {`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`return nil, err`
			`}`

			`renewCh := make(chan error)`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`if vc.renewTokens == nil {`
			`vc.renewTokens = make(map[string]chan error, 10)`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.renewTokens[token] = renewCh`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`return renewCh, nil`
			`}`

			`func (vc *MockVaultClient) SetRenewTokenError(token string, err error) {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`

			`if vc.renewTokenErrors == nil {`
			`vc.renewTokenErrors = make(map[string]error, 10)`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.renewTokenErrors[token] = err`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`}`

			`func (vc *MockVaultClient) StopRenewToken(token string) error {`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`

			`vc.stoppedTokens = append(vc.stoppedTokens, token)`
Alloc runner tests 2016-09-16 00:24:09 +00:00			`return nil`
			`}`

client: enable nomad client to request and set SI tokens for tasks When a job is configured with Consul Connect aware tasks (i.e. sidecar), the Nomad Client should be able to request from Consul (through Nomad Server) Service Identity tokens specific to those tasks. 2019-11-27 21:41:45 +00:00			`func (vc *MockVaultClient) Start() {}`

			`func (vc *MockVaultClient) Stop() {}`

Alloc runner tests 2016-09-16 00:24:09 +00:00			`func (vc MockVaultClient) GetConsulACL(string, string) (vaultapi.Secret, error) { return nil, nil }`
tests: port TestTaskRunner_BlockForVault from 0.8 Also fix race conditions in the mock vault client. 2019-02-12 21:46:09 +00:00
			`// StoppedTokens tracks the tokens that have stopped renewing`
			`func (vc *MockVaultClient) StoppedTokens() []string {`
			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`
			`return vc.stoppedTokens`
			`}`

			`// RenewTokens are the tokens that have been renewed and their error`
			`// channels`
			`func (vc *MockVaultClient) RenewTokens() map[string]chan error {`
			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`
			`return vc.renewTokens`
			`}`

			`// RenewTokenErrors is used to return an error when the RenewToken is called`
			`// with the given token`
			`func (vc *MockVaultClient) RenewTokenErrors() map[string]error {`
			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`
			`return vc.renewTokenErrors`
			`}`

			`// DeriveTokenErrors maps an allocation ID and tasks to an error when the`
			`// token is derived`
			`func (vc *MockVaultClient) DeriveTokenErrors() map[string]map[string]error {`
			`vc.mu.Lock()`
			`defer vc.mu.Unlock()`
			`return vc.deriveTokenErrors`
			`}`