package client
import (
"testing"
"github.com/hashicorp/nomad/acl"
"github.com/hashicorp/nomad/client/config"
"github.com/hashicorp/nomad/nomad/mock"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/testutil"
"github.com/stretchr/testify/assert"
)
// TestClient_ACL_resolveTokenValue checks how an ACL-enabled client turns a
// secret ID into a token: the empty secret maps to the anonymous token, known
// secrets map to the tokens stored on the server, and resolving the same
// secret twice hands back the same object.
func TestClient_ACL_resolveTokenValue(t *testing.T) {
	srv, _, _ := testACLServer(t, nil)
	defer srv.Shutdown()
	testutil.WaitForLeader(t, srv.RPC)

	cl := testClient(t, func(cfg *config.Config) {
		cfg.RPCHandler = srv
		cfg.ACLEnabled = true
	})
	defer cl.Shutdown()

	// Fixtures: two policies, one token that references both of them, and
	// one management-type token that carries no policies.
	polA, polB := mock.ACLPolicy(), mock.ACLPolicy()

	clientTok := mock.ACLToken()
	clientTok.Policies = []string{polA.Name, polB.Name}

	mgmtTok := mock.ACLToken()
	mgmtTok.Type = structs.ACLManagementToken
	mgmtTok.Policies = nil

	// Write the fixtures straight into the server's state store.
	assert.Nil(t, srv.State().UpsertACLPolicies(100, []*structs.ACLPolicy{polA, polB}))
	assert.Nil(t, srv.State().UpsertACLTokens(110, []*structs.ACLToken{clientTok, mgmtTok}))

	// An empty secret must resolve to the anonymous token, not to an error.
	anon, err := cl.resolveTokenValue("")
	assert.Nil(t, err)
	assert.NotNil(t, anon)
	assert.Equal(t, structs.AnonymousACLToken, anon)

	// A known secret resolves to the token that was stored for it.
	first, err := cl.resolveTokenValue(clientTok.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, first)
	assert.Equal(t, clientTok, first)

	// Same for the management token.
	mgmt, err := cl.resolveTokenValue(mgmtTok.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, mgmt)
	assert.Equal(t, mgmtTok, mgmt)

	// Resolving the first secret again must return the very same object,
	// which is how the test observes that the result was cached.
	again, err := cl.resolveTokenValue(clientTok.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, again)
	if again != first {
		t.Fatalf("bad caching")
	}
}
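// TestClient_ACL_resolvePolicies checks that an ACL-enabled client can resolve
// policy names into policy objects using the root token's secret, and that a
// second resolution of the same names returns the same objects.
func TestClient_ACL_resolvePolicies(t *testing.T) {
	s1, _, root := testACLServer(t, nil)
	defer s1.Shutdown()
	testutil.WaitForLeader(t, s1.RPC)

	c1 := testClient(t, func(c *config.Config) {
		c.RPCHandler = s1
		c.ACLEnabled = true
	})
	defer c1.Shutdown()

	// Create a policy / token
	policy := mock.ACLPolicy()
	policy2 := mock.ACLPolicy()
	token := mock.ACLToken()
	token.Policies = []string{policy.Name, policy2.Name}
	token2 := mock.ACLToken()
	token2.Type = structs.ACLManagementToken
	token2.Policies = nil
	err := s1.State().UpsertACLPolicies(100, []*structs.ACLPolicy{policy, policy2})
	assert.Nil(t, err)
	err = s1.State().UpsertACLTokens(110, []*structs.ACLToken{token, token2})
	assert.Nil(t, err)

	// Test the client resolution
	out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
	assert.Nil(t, err)
	assert.Equal(t, 2, len(out))

	// Test caching
	out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
	assert.Nil(t, err)
	assert.Equal(t, 2, len(out2))

	// The length assertions above do not stop the test, so bail out here on
	// a size mismatch instead of panicking on an out-of-range index below.
	if len(out) != 2 || len(out2) != 2 {
		t.Fatalf("expected 2 policies from both calls, got %d and %d", len(out), len(out2))
	}

	// Check we get the same objects back (ignore ordering). Every policy from
	// the first call is checked, so a cache that returned only one of the two
	// original objects is caught as well.
	for i, p := range out {
		if p != out2[0] && p != out2[1] {
			t.Fatalf("bad caching: policy %d was not returned again by the second call", i)
		}
	}
}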
// TestClient_ACL_ResolveToken_Disabled checks ResolveToken on a client whose
// config does not turn ACLs on: an arbitrary secret yields neither an error
// nor an ACL object.
func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
	srv, _ := testServer(t, nil)
	defer srv.Shutdown()
	testutil.WaitForLeader(t, srv.RPC)

	// ACLEnabled is deliberately left untouched here.
	cl := testClient(t, func(cfg *config.Config) {
		cfg.RPCHandler = srv
	})
	defer cl.Shutdown()

	// With ACLs disabled the result must be a nil ACL object and a nil
	// error, even for a secret that matches no token.
	// NOTE(review): callers presumably read the nil object as "ACLs are
	// disabled" and must not dereference it - confirm at the call sites.
	resolved, err := cl.ResolveToken("blah")
	assert.Nil(t, err)
	assert.Nil(t, resolved)
}
// TestClient_ACL_ResolveToken exercises ResolveToken on an ACL-enabled client:
// a policy-bearing token resolves to an ACL object, a repeated lookup returns
// the same object, a management token resolves to acl.ManagementACL, and an
// unknown secret is rejected with structs.ErrTokenNotFound.
func TestClient_ACL_ResolveToken(t *testing.T) {
	srv, _, _ := testACLServer(t, nil)
	defer srv.Shutdown()
	testutil.WaitForLeader(t, srv.RPC)

	cl := testClient(t, func(cfg *config.Config) {
		cfg.RPCHandler = srv
		cfg.ACLEnabled = true
	})
	defer cl.Shutdown()

	// Fixtures: two policies, one token that references both of them, and
	// one management-type token that carries no policies.
	polA, polB := mock.ACLPolicy(), mock.ACLPolicy()

	clientTok := mock.ACLToken()
	clientTok.Policies = []string{polA.Name, polB.Name}

	mgmtTok := mock.ACLToken()
	mgmtTok.Type = structs.ACLManagementToken
	mgmtTok.Policies = nil

	// Write the fixtures straight into the server's state store.
	assert.Nil(t, srv.State().UpsertACLPolicies(100, []*structs.ACLPolicy{polA, polB}))
	assert.Nil(t, srv.State().UpsertACLTokens(110, []*structs.ACLToken{clientTok, mgmtTok}))

	// A known client token resolves to a non-nil ACL object.
	first, err := cl.ResolveToken(clientTok.SecretID)
	assert.Nil(t, err)
	assert.NotNil(t, first)

	// A second lookup of the same secret must return the same object.
	second, err := cl.ResolveToken(clientTok.SecretID)
	assert.Nil(t, err)
	if second != first {
		t.Fatalf("should be cached")
	}

	// The management token must resolve to the shared management ACL.
	mgmt, err := cl.ResolveToken(mgmtTok.SecretID)
	assert.Nil(t, err)
	if mgmt != acl.ManagementACL {
		t.Fatalf("should be management")
	}

	// A freshly generated secret that was never stored must be refused:
	// the error is ErrTokenNotFound and no ACL object comes back.
	unknown, err := cl.ResolveToken(structs.GenerateUUID())
	assert.Equal(t, structs.ErrTokenNotFound, err)
	assert.Nil(t, unknown)
}