open-nomad/nomad/acl_test.go

package nomad

import (
	"testing"

	lru "github.com/hashicorp/golang-lru"
	"github.com/hashicorp/nomad/acl"
	"github.com/hashicorp/nomad/ci"
	"github.com/hashicorp/nomad/helper/uuid"
	"github.com/hashicorp/nomad/nomad/mock"
	"github.com/hashicorp/nomad/nomad/state"
	"github.com/hashicorp/nomad/nomad/structs"
	"github.com/hashicorp/nomad/testutil"
	"github.com/stretchr/testify/assert"
)

func TestResolveACLToken(t *testing.T) {
	ci.Parallel(t)

	// Create mock state store and cache
	state := state.TestStateStore(t)
	cache, err := lru.New2Q(16)
	assert.Nil(t, err)

	// Create a policy / token
	policy := mock.ACLPolicy()
	policy2 := mock.ACLPolicy()
	token := mock.ACLToken()
	token.Policies = []string{policy.Name, policy2.Name}
	token2 := mock.ACLToken()
	token2.Type = structs.ACLManagementToken
	token2.Policies = nil
	err = state.UpsertACLPolicies(structs.MsgTypeTestSetup, 100, []*structs.ACLPolicy{policy, policy2})
	assert.Nil(t, err)
	err = state.UpsertACLTokens(structs.MsgTypeTestSetup, 110, []*structs.ACLToken{token, token2})
	assert.Nil(t, err)

	snap, err := state.Snapshot()
	assert.Nil(t, err)

	// Attempt resolution of blank token. Should return anonymous policy
	aclObj, err := resolveTokenFromSnapshotCache(snap, cache, "")
	assert.Nil(t, err)
	assert.NotNil(t, aclObj)

	// Attempt resolution of unknown token. Should fail.
	randID := uuid.Generate()
	aclObj, err = resolveTokenFromSnapshotCache(snap, cache, randID)
	assert.Equal(t, structs.ErrTokenNotFound, err)
	assert.Nil(t, aclObj)

	// Attempt resolution of management token. Should get singleton.
	aclObj, err = resolveTokenFromSnapshotCache(snap, cache, token2.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, aclObj)
	assert.Equal(t, true, aclObj.IsManagement())
	if aclObj != acl.ManagementACL {
		t.Fatalf("expected singleton")
	}

	// Attempt resolution of client token
	aclObj, err = resolveTokenFromSnapshotCache(snap, cache, token.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, aclObj)

	// Check that the ACL object is sane
	assert.Equal(t, false, aclObj.IsManagement())
	allowed := aclObj.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs)
	assert.Equal(t, true, allowed)
	allowed = aclObj.AllowNamespaceOperation("other", acl.NamespaceCapabilityListJobs)
	assert.Equal(t, false, allowed)

	// Resolve the same token again, should get cache value
	aclObj2, err := resolveTokenFromSnapshotCache(snap, cache, token.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, aclObj2)
	if aclObj != aclObj2 {
		t.Fatalf("expected cached value")
	}

	// Bust the cache by upserting the policy
	err = state.UpsertACLPolicies(structs.MsgTypeTestSetup, 120, []*structs.ACLPolicy{policy})
	assert.Nil(t, err)
	snap, err = state.Snapshot()
	assert.Nil(t, err)

	// Resolve the same token again, should get different value
	aclObj3, err := resolveTokenFromSnapshotCache(snap, cache, token.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, aclObj3)
	if aclObj == aclObj3 {
		t.Fatalf("unexpected cached value")
	}
}

func TestResolveACLToken_LeaderToken(t *testing.T) {
	ci.Parallel(t)
	assert := assert.New(t)
	s1, _, cleanupS1 := TestACLServer(t, nil)
	defer cleanupS1()
	testutil.WaitForLeader(t, s1.RPC)

	leaderAcl := s1.getLeaderAcl()
	assert.NotEmpty(leaderAcl)
	token, err := s1.ResolveToken(leaderAcl)
	assert.Nil(err)
	if assert.NotNil(token) {
		assert.True(token.IsManagement())
	}
}

func TestResolveSecretToken(t *testing.T) {
	ci.Parallel(t)

	s1, _, cleanupS1 := TestACLServer(t, nil)
	defer cleanupS1()
	testutil.WaitForLeader(t, s1.RPC)

	state := s1.State()
	leaderToken := s1.getLeaderAcl()
	assert.NotEmpty(t, leaderToken)

	token := mock.ACLToken()

	err := state.UpsertACLTokens(structs.MsgTypeTestSetup, 110, []*structs.ACLToken{token})
	assert.Nil(t, err)

	respToken, err := s1.ResolveSecretToken(token.SecretID)
	assert.Nil(t, err)
	if assert.NotNil(t, respToken) {
		assert.NotEmpty(t, respToken.AccessorID)
	}

}
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`package nomad`

			`import (`
			`"testing"`

			`lru "github.com/hashicorp/golang-lru"`
			`"github.com/hashicorp/nomad/acl"`
ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:42:43 +00:00			`"github.com/hashicorp/nomad/ci"`
Remove `structs` import from `api` Goes a step further and removes structs import from api's tests as well by moving GenerateUUID to its own package. 2017-09-29 16:58:48 +00:00			`"github.com/hashicorp/nomad/helper/uuid"`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`"github.com/hashicorp/nomad/nomad/mock"`
			`"github.com/hashicorp/nomad/nomad/state"`
			`"github.com/hashicorp/nomad/nomad/structs"`
leader acl token 2017-10-23 19:50:37 +00:00			`"github.com/hashicorp/nomad/testutil"`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestResolveACLToken(t *testing.T) {`
ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:42:43 +00:00			`ci.Parallel(t)`
leader acl token 2017-10-23 19:50:37 +00:00
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`// Create mock state store and cache`
sync 2017-10-13 21:36:02 +00:00			`state := state.TestStateStore(t)`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`cache, err := lru.New2Q(16)`
			`assert.Nil(t, err)`

			`// Create a policy / token`
			`policy := mock.ACLPolicy()`
			`policy2 := mock.ACLPolicy()`
			`token := mock.ACLToken()`
			`token.Policies = []string{policy.Name, policy2.Name}`
			`token2 := mock.ACLToken()`
			`token2.Type = structs.ACLManagementToken`
			`token2.Policies = nil`
Event Stream: Track ACL changes, unsubscribe on invalidating changes (#9447) * upsertaclpolicies * delete acl policies msgtype * upsert acl policies msgtype * delete acl tokens msgtype * acl bootstrap msgtype wip unsubscribe on token delete test that subscriptions are closed after an ACL token has been deleted Start writing policyupdated test * update test to use before/after policy * add SubscribeWithACLCheck to run acl checks on subscribe * update rpc endpoint to use broker acl check * Add and use subscriptions.closeSubscriptionFunc This fixes the issue of not being able to defer unlocking the mutex on the event broker in the for loop. handle acl policy updates * rpc endpoint test for terminating acl change * add comments Co-authored-by: Kris Hicks <khicks@hashicorp.com> 2020-12-01 16:11:34 +00:00			`err = state.UpsertACLPolicies(structs.MsgTypeTestSetup, 100, []*structs.ACLPolicy{policy, policy2})`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`assert.Nil(t, err)`
Event Stream: Track ACL changes, unsubscribe on invalidating changes (#9447) * upsertaclpolicies * delete acl policies msgtype * upsert acl policies msgtype * delete acl tokens msgtype * acl bootstrap msgtype wip unsubscribe on token delete test that subscriptions are closed after an ACL token has been deleted Start writing policyupdated test * update test to use before/after policy * add SubscribeWithACLCheck to run acl checks on subscribe * update rpc endpoint to use broker acl check * Add and use subscriptions.closeSubscriptionFunc This fixes the issue of not being able to defer unlocking the mutex on the event broker in the for loop. handle acl policy updates * rpc endpoint test for terminating acl change * add comments Co-authored-by: Kris Hicks <khicks@hashicorp.com> 2020-12-01 16:11:34 +00:00			`err = state.UpsertACLTokens(structs.MsgTypeTestSetup, 110, []*structs.ACLToken{token, token2})`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`assert.Nil(t, err)`

			`snap, err := state.Snapshot()`
			`assert.Nil(t, err)`

nomad: refactor to use CompileACLObject and handle anonymous token 2017-08-20 21:38:37 +00:00			`// Attempt resolution of blank token. Should return anonymous policy`
			`aclObj, err := resolveTokenFromSnapshotCache(snap, cache, "")`
			`assert.Nil(t, err)`
			`assert.NotNil(t, aclObj)`

nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`// Attempt resolution of unknown token. Should fail.`
Remove `structs` import from `api` Goes a step further and removes structs import from api's tests as well by moving GenerateUUID to its own package. 2017-09-29 16:58:48 +00:00			`randID := uuid.Generate()`
nomad: refactor to use CompileACLObject and handle anonymous token 2017-08-20 21:38:37 +00:00			`aclObj, err = resolveTokenFromSnapshotCache(snap, cache, randID)`
Add ErrPermissionDenied, rename TokenNotFound 2017-08-21 03:18:18 +00:00			`assert.Equal(t, structs.ErrTokenNotFound, err)`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`assert.Nil(t, aclObj)`

			`// Attempt resolution of management token. Should get singleton.`
			`aclObj, err = resolveTokenFromSnapshotCache(snap, cache, token2.SecretID)`
			`assert.Nil(t, err)`
			`assert.NotNil(t, aclObj)`
			`assert.Equal(t, true, aclObj.IsManagement())`
Moving shared ACL objects 2017-08-20 01:29:04 +00:00			`if aclObj != acl.ManagementACL {`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`t.Fatalf("expected singleton")`
			`}`

			`// Attempt resolution of client token`
			`aclObj, err = resolveTokenFromSnapshotCache(snap, cache, token.SecretID)`
			`assert.Nil(t, err)`
			`assert.NotNil(t, aclObj)`

			`// Check that the ACL object is sane`
			`assert.Equal(t, false, aclObj.IsManagement())`
			`allowed := aclObj.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs)`
			`assert.Equal(t, true, allowed)`
			`allowed = aclObj.AllowNamespaceOperation("other", acl.NamespaceCapabilityListJobs)`
			`assert.Equal(t, false, allowed)`

			`// Resolve the same token again, should get cache value`
			`aclObj2, err := resolveTokenFromSnapshotCache(snap, cache, token.SecretID)`
			`assert.Nil(t, err)`
			`assert.NotNil(t, aclObj2)`
			`if aclObj != aclObj2 {`
			`t.Fatalf("expected cached value")`
			`}`

			`// Bust the cache by upserting the policy`
Event Stream: Track ACL changes, unsubscribe on invalidating changes (#9447) * upsertaclpolicies * delete acl policies msgtype * upsert acl policies msgtype * delete acl tokens msgtype * acl bootstrap msgtype wip unsubscribe on token delete test that subscriptions are closed after an ACL token has been deleted Start writing policyupdated test * update test to use before/after policy * add SubscribeWithACLCheck to run acl checks on subscribe * update rpc endpoint to use broker acl check * Add and use subscriptions.closeSubscriptionFunc This fixes the issue of not being able to defer unlocking the mutex on the event broker in the for loop. handle acl policy updates * rpc endpoint test for terminating acl change * add comments Co-authored-by: Kris Hicks <khicks@hashicorp.com> 2020-12-01 16:11:34 +00:00			`err = state.UpsertACLPolicies(structs.MsgTypeTestSetup, 120, []*structs.ACLPolicy{policy})`
nomad: adding ACL token resolution logic 2017-08-19 23:49:53 +00:00			`assert.Nil(t, err)`
			`snap, err = state.Snapshot()`
			`assert.Nil(t, err)`

			`// Resolve the same token again, should get different value`
			`aclObj3, err := resolveTokenFromSnapshotCache(snap, cache, token.SecretID)`
			`assert.Nil(t, err)`
			`assert.NotNil(t, aclObj3)`
			`if aclObj == aclObj3 {`
			`t.Fatalf("unexpected cached value")`
			`}`
			`}`
leader acl token 2017-10-23 19:50:37 +00:00
			`func TestResolveACLToken_LeaderToken(t *testing.T) {`
ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:42:43 +00:00			`ci.Parallel(t)`
leader acl token 2017-10-23 19:50:37 +00:00			`assert := assert.New(t)`
tests: swap lib/freeport for tweaked helper/freeport Copy the updated version of freeport (sdk/freeport), and tweak it for use in Nomad tests. This means staying below port 10000 to avoid conflicts with the lib/freeport that is still transitively used by the old version of consul that we vendor. Also provide implementations to find ephemeral ports of macOS and Windows environments. Ports acquired through freeport are supposed to be returned to freeport, which this change now also introduces. Many tests are modified to include calls to a cleanup function for Server objects. This should help quite a bit with some flakey tests, but not all of them. Our port problems will not go away completely until we upgrade our vendor version of consul. With Go modules, we'll probably do a 'replace' to swap out other copies of freeport with the one now in 'nomad/helper/freeport'. 2019-12-04 00:15:11 +00:00			`s1, _, cleanupS1 := TestACLServer(t, nil)`
			`defer cleanupS1()`
leader acl token 2017-10-23 19:50:37 +00:00			`testutil.WaitForLeader(t, s1.RPC)`

			`leaderAcl := s1.getLeaderAcl()`
			`assert.NotEmpty(leaderAcl)`
			`token, err := s1.ResolveToken(leaderAcl)`
			`assert.Nil(err)`
			`if assert.NotNil(token) {`
			`assert.True(token.IsManagement())`
			`}`
			`}`
Audit config, seams for enterprise audit features allow oss to parse sink duration clean up audit sink parsing ent eventer config reload fix typo SetEnabled to eventer interface client acl test rm dead code fix failing test 2020-03-22 16:17:33 +00:00
			`func TestResolveSecretToken(t *testing.T) {`
ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:42:43 +00:00			`ci.Parallel(t)`
Audit config, seams for enterprise audit features allow oss to parse sink duration clean up audit sink parsing ent eventer config reload fix typo SetEnabled to eventer interface client acl test rm dead code fix failing test 2020-03-22 16:17:33 +00:00
			`s1, _, cleanupS1 := TestACLServer(t, nil)`
			`defer cleanupS1()`
			`testutil.WaitForLeader(t, s1.RPC)`

			`state := s1.State()`
			`leaderToken := s1.getLeaderAcl()`
			`assert.NotEmpty(t, leaderToken)`

			`token := mock.ACLToken()`

Event Stream: Track ACL changes, unsubscribe on invalidating changes (#9447) * upsertaclpolicies * delete acl policies msgtype * upsert acl policies msgtype * delete acl tokens msgtype * acl bootstrap msgtype wip unsubscribe on token delete test that subscriptions are closed after an ACL token has been deleted Start writing policyupdated test * update test to use before/after policy * add SubscribeWithACLCheck to run acl checks on subscribe * update rpc endpoint to use broker acl check * Add and use subscriptions.closeSubscriptionFunc This fixes the issue of not being able to defer unlocking the mutex on the event broker in the for loop. handle acl policy updates * rpc endpoint test for terminating acl change * add comments Co-authored-by: Kris Hicks <khicks@hashicorp.com> 2020-12-01 16:11:34 +00:00			`err := state.UpsertACLTokens(structs.MsgTypeTestSetup, 110, []*structs.ACLToken{token})`
Audit config, seams for enterprise audit features allow oss to parse sink duration clean up audit sink parsing ent eventer config reload fix typo SetEnabled to eventer interface client acl test rm dead code fix failing test 2020-03-22 16:17:33 +00:00			`assert.Nil(t, err)`

			`respToken, err := s1.ResolveSecretToken(token.SecretID)`
			`assert.Nil(t, err)`
			`if assert.NotNil(t, respToken) {`
			`assert.NotEmpty(t, respToken.AccessorID)`
			`}`

			`}`