diff --git a/command/acl_policy_apply_test.go b/command/acl_policy_apply_test.go index 7bba23613..c854bb3e2 100644 --- a/command/acl_policy_apply_test.go +++ b/command/acl_policy_apply_test.go @@ -23,7 +23,7 @@ func TestACLPolicyApplyCommand(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") ui := new(cli.MockUi) diff --git a/command/acl_policy_delete_test.go b/command/acl_policy_delete_test.go index db7e16ad5..7e434915d 100644 --- a/command/acl_policy_delete_test.go +++ b/command/acl_policy_delete_test.go @@ -26,7 +26,7 @@ func TestACLPolicyDeleteCommand(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") // Create a test ACLPolicy diff --git a/command/acl_policy_info_test.go b/command/acl_policy_info_test.go index c1ef07fa8..07aa78fe2 100644 --- a/command/acl_policy_info_test.go +++ b/command/acl_policy_info_test.go @@ -25,7 +25,7 @@ func TestACLPolicyListCommand(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") // Create a test ACLPolicy diff --git a/command/acl_token_create_test.go b/command/acl_token_create_test.go index b29bbccf7..6d2141346 100644 --- a/command/acl_token_create_test.go +++ b/command/acl_token_create_test.go @@ -21,7 +21,7 @@ func TestACLTokenCreateCommand(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") ui := new(cli.MockUi) diff --git a/command/acl_token_delete_test.go b/command/acl_token_delete_test.go index b6e3c7c9d..3c20de549 100644 --- a/command/acl_token_delete_test.go +++ b/command/acl_token_delete_test.go @@ -25,7 +25,7 @@ func TestACLTokenDeleteCommand_ViaEnvVariable(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") ui := new(cli.MockUi) diff --git a/command/acl_token_info_test.go b/command/acl_token_info_test.go index 7777bf9a2..320448b6d 100644 --- a/command/acl_token_info_test.go +++ b/command/acl_token_info_test.go @@ -25,7 +25,7 @@ func TestACLTokenInfoCommand_ViaEnvVar(t *testing.T) { state := srv.Agent.Server().State() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") ui := new(cli.MockUi) diff --git a/command/acl_token_update_test.go b/command/acl_token_update_test.go index d1832ed37..478f6f4e6 100644 --- a/command/acl_token_update_test.go +++ b/command/acl_token_update_test.go @@ -22,7 +22,7 @@ func TestACLTokenUpdateCommand(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") ui := new(cli.MockUi) diff --git a/command/agent/acl_endpoint_test.go b/command/agent/acl_endpoint_test.go index f87b8063d..103ff6685 100644 --- a/command/agent/acl_endpoint_test.go +++ b/command/agent/acl_endpoint_test.go @@ -20,7 +20,7 @@ func TestHTTP_ACLPolicyList(t *testing.T) { Policies: []*structs.ACLPolicy{p1, p2, p3}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -34,7 +34,7 @@ func TestHTTP_ACLPolicyList(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLPoliciesRequest(respW, req) @@ -69,7 +69,7 @@ func TestHTTP_ACLPolicyQuery(t *testing.T) { Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -83,7 +83,7 @@ func TestHTTP_ACLPolicyQuery(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLPolicySpecificRequest(respW, req) @@ -121,7 +121,7 @@ func TestHTTP_ACLPolicyCreate(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLPolicySpecificRequest(respW, req) @@ -153,7 +153,7 @@ func TestHTTP_ACLPolicyDelete(t *testing.T) { Policies: []*structs.ACLPolicy{p1}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.GenericResponse @@ -167,7 +167,7 @@ func TestHTTP_ACLPolicyDelete(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLPolicySpecificRequest(respW, req) @@ -232,7 +232,7 @@ func TestHTTP_ACLTokenList(t *testing.T) { Tokens: []*structs.ACLToken{p1, p2, p3}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -246,7 +246,7 @@ func TestHTTP_ACLTokenList(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLTokensRequest(respW, req) @@ -282,7 +282,7 @@ func TestHTTP_ACLTokenQuery(t *testing.T) { Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -297,7 +297,7 @@ func TestHTTP_ACLTokenQuery(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLTokenSpecificRequest(respW, req) @@ -334,7 +334,7 @@ func TestHTTP_ACLTokenCreate(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLTokenSpecificRequest(respW, req) @@ -365,7 +365,7 @@ func TestHTTP_ACLTokenDelete(t *testing.T) { Tokens: []*structs.ACLToken{p1}, WriteRequest: structs.WriteRequest{ Region: "global", - SecretID: s.Token.SecretID, + SecretID: s.RootToken.SecretID, }, } var resp structs.ACLTokenUpsertResponse @@ -380,7 +380,7 @@ func TestHTTP_ACLTokenDelete(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.ACLTokenSpecificRequest(respW, req) diff --git a/command/agent/alloc_endpoint.go b/command/agent/alloc_endpoint.go index 6628f505e..0116d8cf3 100644 --- a/command/agent/alloc_endpoint.go +++ b/command/agent/alloc_endpoint.go @@ -103,6 +103,17 @@ func (s *HTTPServer) ClientGCRequest(resp http.ResponseWriter, req *http.Request if s.agent.client == nil { return nil, clientNotRunning } + + var secret string + s.parseToken(req, &secret) + + // Check node write permissions + if aclObj, err := s.agent.Client().ResolveToken(secret); err != nil { + return nil, err + } else if aclObj != nil && !aclObj.AllowNodeWrite() { + return nil, structs.ErrPermissionDenied + } + return nil, s.agent.Client().CollectAllAllocs() } diff --git a/command/agent/alloc_endpoint_test.go b/command/agent/alloc_endpoint_test.go index 652eab5a7..4a223a471 100644 --- a/command/agent/alloc_endpoint_test.go +++ b/command/agent/alloc_endpoint_test.go @@ -8,8 +8,10 @@ import ( "testing" "github.com/golang/snappy" + "github.com/hashicorp/nomad/acl" "github.com/hashicorp/nomad/nomad/mock" "github.com/hashicorp/nomad/nomad/structs" + "github.com/stretchr/testify/assert" ) func TestHTTP_AllocsList(t *testing.T) { @@ -295,3 +297,53 @@ func TestHTTP_AllocAllGC(t *testing.T) { }) } + +func TestHTTP_AllocAllGC_ACL(t *testing.T) { + t.Parallel() + assert := assert.New(t) + httpACLTest(t, nil, func(s *TestAgent) { + state := s.Agent.server.State() + + // Make the HTTP request + req, err := http.NewRequest("GET", "/v1/client/gc", nil) + assert.Nil(err) + + // Try request without a token and expect failure + { + respW := httptest.NewRecorder() + _, err := s.Server.ClientGCRequest(respW, req) + assert.NotNil(err) + assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) + } + + // Try request with an invalid token and expect failure + { + respW := httptest.NewRecorder() + token := mock.CreatePolicyAndToken(t, state, 1005, "invalid", mock.NodePolicy(acl.PolicyRead)) + setToken(req, token) + _, err := s.Server.ClientGCRequest(respW, req) + assert.NotNil(err) + assert.Equal(err.Error(), structs.ErrPermissionDenied.Error()) + } + + // Try request with a valid token + { + respW := httptest.NewRecorder() + token := mock.CreatePolicyAndToken(t, state, 1007, "valid", mock.NodePolicy(acl.PolicyWrite)) + setToken(req, token) + _, err := s.Server.ClientGCRequest(respW, req) + assert.Nil(err) + assert.Equal(http.StatusOK, respW.Code) + } + + // Try request with a management token + { + respW := httptest.NewRecorder() + setToken(req, s.RootToken) + _, err := s.Server.ClientGCRequest(respW, req) + assert.Nil(err) + assert.Equal(http.StatusOK, respW.Code) + } + }) + +} diff --git a/command/agent/job_endpoint_test.go b/command/agent/job_endpoint_test.go index a8083950f..779463970 100644 --- a/command/agent/job_endpoint_test.go +++ b/command/agent/job_endpoint_test.go @@ -200,7 +200,7 @@ func TestHTTP_JobsRegister_ACL(t *testing.T) { t.Fatalf("err: %v", err) } respW := httptest.NewRecorder() - setToken(req, s.Token) + setToken(req, s.RootToken) // Make the request obj, err := s.Server.JobsRequest(respW, req) diff --git a/command/agent/testagent.go b/command/agent/testagent.go index 111abd776..dab7754f9 100644 --- a/command/agent/testagent.go +++ b/command/agent/testagent.go @@ -69,8 +69,8 @@ type TestAgent struct { // It is valid after Start(). *Agent - // Token is auto-bootstrapped if ACLs are enabled - Token *structs.ACLToken + // RootToken is auto-bootstrapped if ACLs are enabled + RootToken *structs.ACLToken } // NewTestAgent returns a started agent with the given name and @@ -174,9 +174,9 @@ func (a *TestAgent) Start() *TestAgent { // to do a bypass of this step. This is so we can test bootstrap // without having to pass down a special flag. if a.Config.ACL.Enabled && a.Config.Server.Enabled && a.Config.ACL.PolicyTTL != 0 { - a.Token = mock.ACLManagementToken() + a.RootToken = mock.ACLManagementToken() state := a.Agent.server.State() - if err := state.BootstrapACLTokens(1, 0, a.Token); err != nil { + if err := state.BootstrapACLTokens(1, 0, a.RootToken); err != nil { panic(fmt.Sprintf("token bootstrap failed: %v", err)) } } diff --git a/command/job_status_test.go b/command/job_status_test.go index b0971db22..5a7c71ce8 100644 --- a/command/job_status_test.go +++ b/command/job_status_test.go @@ -228,7 +228,7 @@ func TestJobStatusCommand_WithAccessPolicy(t *testing.T) { defer srv.Shutdown() // Bootstrap an initial ACL token - token := srv.Token + token := srv.RootToken assert.NotNil(token, "failed to bootstrap ACL token") // Register a job diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go index 4fe225b48..c17de71b6 100644 --- a/nomad/acl_endpoint.go +++ b/nomad/acl_endpoint.go @@ -227,13 +227,21 @@ func (a *ACL) GetPolicies(args *structs.ACLPolicySetRequest, reply *structs.ACLP } defer metrics.MeasureSince([]string{"nomad", "acl", "get_policies"}, time.Now()) - // For client typed tokens, allow them to query any policies associated with that token. - // This is used by clients which are resolving the policies to enforce. Any associated - // policies need to be fetched so that the client can determine what to allow. - token, err := a.srv.State().ACLTokenBySecretID(nil, args.SecretID) - if err != nil { - return err + var token *structs.ACLToken + var err error + if args.SecretID == "" { + // No need to look up the anonymous token + token = structs.AnonymousACLToken + } else { + // For client typed tokens, allow them to query any policies associated with that token. + // This is used by clients which are resolving the policies to enforce. Any associated + // policies need to be fetched so that the client can determine what to allow. + token, err = a.srv.State().ACLTokenBySecretID(nil, args.SecretID) + if err != nil { + return err + } } + if token == nil { return structs.ErrTokenNotFound } diff --git a/nomad/alloc_endpoint_test.go b/nomad/alloc_endpoint_test.go index 09841d0aa..0a941286d 100644 --- a/nomad/alloc_endpoint_test.go +++ b/nomad/alloc_endpoint_test.go @@ -101,10 +101,10 @@ func TestAllocEndpoint_List_ACL(t *testing.T) { stubAllocs[0].ModifyIndex = 1000 // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) // Lookup the allocs without a token and expect failure get := &structs.AllocListRequest{ @@ -262,10 +262,10 @@ func TestAllocEndpoint_GetAlloc_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(1000, allocs), "UpsertAllocs") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) // Lookup the alloc without a token and expect failure get := &structs.AllocSpecificRequest{ diff --git a/nomad/deployment_endpoint_test.go b/nomad/deployment_endpoint_test.go index cc540391f..aba18810d 100644 --- a/nomad/deployment_endpoint_test.go +++ b/nomad/deployment_endpoint_test.go @@ -63,10 +63,10 @@ func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) { assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) // Lookup the deployments without a token and expect failure get := &structs.DeploymentSpecificRequest{ @@ -216,10 +216,10 @@ func TestDeploymentEndpoint_Fail_ACL(t *testing.T) { assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) // Mark the deployment as failed req := &structs.DeploymentFailRequest{ @@ -408,10 +408,10 @@ func TestDeploymentEndpoint_Pause_ACL(t *testing.T) { assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) // Mark the deployment as failed req := &structs.DeploymentPauseRequest{ @@ -551,10 +551,10 @@ func TestDeploymentEndpoint_Promote_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) // Promote the deployment req := &structs.DeploymentPromoteRequest{ @@ -703,10 +703,10 @@ func TestDeploymentEndpoint_SetAllocHealth_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) // Set the alloc as healthy req := &structs.DeploymentAllocHealthRequest{ @@ -921,10 +921,10 @@ func TestDeploymentEndpoint_List_ACL(t *testing.T) { assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get := &structs.DeploymentListRequest{ QueryOptions: structs.QueryOptions{ @@ -1088,10 +1088,10 @@ func TestDeploymentEndpoint_Allocations_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get := &structs.DeploymentSpecificRequest{ DeploymentID: d.ID, diff --git a/nomad/eval_endpoint_test.go b/nomad/eval_endpoint_test.go index 24a3e40f0..7ed5bf75c 100644 --- a/nomad/eval_endpoint_test.go +++ b/nomad/eval_endpoint_test.go @@ -73,10 +73,10 @@ func TestEvalEndpoint_GetEval_ACL(t *testing.T) { state.UpsertEvals(1000, []*structs.Evaluation{eval1}) // Create ACL tokens - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get := &structs.EvalSpecificRequest{ EvalID: eval1.ID, @@ -611,10 +611,10 @@ func TestEvalEndpoint_List_ACL(t *testing.T) { assert.Nil(state.UpsertEvals(1000, []*structs.Evaluation{eval1, eval2})) // Create ACL tokens - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get := &structs.EvalListRequest{ QueryOptions: structs.QueryOptions{ @@ -781,10 +781,10 @@ func TestEvalEndpoint_Allocations_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(1000, []*structs.Allocation{alloc1, alloc2})) // Create ACL tokens - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get := &structs.EvalSpecificRequest{ EvalID: alloc1.EvalID, diff --git a/nomad/job_endpoint_test.go b/nomad/job_endpoint_test.go index edd0a0bdf..ec153242b 100644 --- a/nomad/job_endpoint_test.go +++ b/nomad/job_endpoint_test.go @@ -1064,8 +1064,8 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) revertReq.SecretID = invalidToken.SecretID var invalidResp structs.JobRegisterResponse @@ -1080,8 +1080,8 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) { assert.Nil(err) // Try with a valid non-management token - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) revertReq.SecretID = validToken.SecretID var validResp2 structs.JobRegisterResponse @@ -1187,8 +1187,8 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) { assert.Contains("Permission denied", err.Error()) // Expect failure for request with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) stableReq.SecretID = invalidToken.SecretID var invalidStableResp structs.JobStabilityResponse @@ -1203,8 +1203,8 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) { assert.Nil(err) // Attempt to fetch with a valid token - validToken := CreatePolicyAndToken(t, state, 1005, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) stableReq.SecretID = validToken.SecretID var validStableResp2 structs.JobStabilityResponse @@ -1331,8 +1331,8 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) reEval.SecretID = invalidToken.SecretID var invalidResp structs.JobRegisterResponse @@ -1347,8 +1347,8 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) { assert.Nil(err) // Fetch the response with a valid token - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) reEval.SecretID = validToken.SecretID var validResp2 structs.JobRegisterResponse @@ -1636,8 +1636,8 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Expect failure for request with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) req.SecretID = invalidToken.SecretID var invalidResp structs.JobDeregisterResponse @@ -1654,8 +1654,8 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) { assert.NotEqual(validResp.Index, 0) // Expect success with a valid token - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob})) req.SecretID = validToken.SecretID var validResp2 structs.JobDeregisterResponse @@ -1970,8 +1970,8 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Expect failure for request with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.SingleJobResponse @@ -1987,8 +1987,8 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) { assert.Equal(job.ID, validResp.Job.ID) // Looking up the job with a valid token should succeed - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.SingleJobResponse @@ -2181,8 +2181,8 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Expect failure for request with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.JobVersionsResponse @@ -2197,8 +2197,8 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) { assert.Nil(err) // Expect success for request with a valid token - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.JobVersionsResponse @@ -2522,8 +2522,8 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { state := srv.fsm.State() // Expect failure for request with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) req.SecretID = invalidToken.SecretID var invalidResp structs.JobSummaryResponse @@ -2531,8 +2531,8 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) { assert.NotNil(err) // Try with a valid token - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) req.SecretID = validToken.SecretID var authResp structs.JobSummaryResponse @@ -2735,8 +2735,8 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) { assert.Equal(job.ID, mgmtResp.Jobs[0].ID) // Expect failure for request with a token that has incorrect permissions - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) req.SecretID = invalidToken.SecretID var invalidResp structs.JobListResponse @@ -2744,8 +2744,8 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) { assert.NotNil(err) // Try with a valid token with correct permissions - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) var validResp structs.JobListResponse req.SecretID = validToken.SecretID @@ -2898,8 +2898,8 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token should fail - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.JobAllocationsResponse @@ -2914,8 +2914,8 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) { assert.Nil(err) // Attempt to fetch the response with valid management token should succeed - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.JobAllocationsResponse @@ -3055,8 +3055,8 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.JobEvaluationsResponse @@ -3072,8 +3072,8 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) { assert.Equal(2, len(validResp.Evaluations)) // Attempt to fetch with valid token should succeed - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.JobEvaluationsResponse @@ -3205,8 +3205,8 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.DeploymentListResponse @@ -3222,8 +3222,8 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) { assert.Len(validResp.Deployments, 2, "deployments for job") // Lookup with valid token should succeed - validToken := CreatePolicyAndToken(t, state, 1005, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.DeploymentListResponse @@ -3352,8 +3352,8 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token should fail - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) get.SecretID = invalidToken.SecretID var invalidResp structs.SingleDeploymentResponse @@ -3370,8 +3370,8 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) { assert.Equal(d2.ID, validResp.Deployment.ID, "latest deployment for job") // Fetching latest deployment with a valid token should succeed - validToken := CreatePolicyAndToken(t, state, 1004, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1004, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) get.SecretID = validToken.SecretID var validResp2 structs.SingleDeploymentResponse @@ -3852,8 +3852,8 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) { assert.Contains(err.Error(), "Permission denied") // Attempt to fetch the response with an invalid token should fail - invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) + invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs})) req.SecretID = invalidToken.SecretID var invalidResp structs.JobDispatchResponse @@ -3872,8 +3872,8 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) { assert.NotEqual(validResp.DispatchedJobID, "") // Dispatch with a valid token should succeed - validToken := CreatePolicyAndToken(t, state, 1003, "test-valid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})) + validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob})) req.SecretID = validToken.SecretID var validResp2 structs.JobDispatchResponse diff --git a/nomad/acl_testutil_test.go b/nomad/mock/acl.go similarity index 70% rename from nomad/acl_testutil_test.go rename to nomad/mock/acl.go index 2e7e511a2..ddac3675e 100644 --- a/nomad/acl_testutil_test.go +++ b/nomad/mock/acl.go @@ -1,15 +1,20 @@ -package nomad +package mock import ( "fmt" - "testing" - "github.com/hashicorp/nomad/nomad/mock" - "github.com/hashicorp/nomad/nomad/state" "github.com/hashicorp/nomad/nomad/structs" + "github.com/mitchellh/go-testing-interface" "github.com/stretchr/testify/assert" ) +// StateStore defines the methods required from state.StateStore but avoids a +// circular dependency. +type StateStore interface { + UpsertACLPolicies(index uint64, policies []*structs.ACLPolicy) error + UpsertACLTokens(index uint64, tokens []*structs.ACLToken) error +} + // NamespacePolicy is a helper for generating the policy hcl for a given // namepsace. Either policy or capabilities may be nil but not both. func NamespacePolicy(namespace string, policy string, capabilities []string) string { @@ -30,7 +35,7 @@ func NodePolicy(policy string) string { } // CreatePolicy creates a policy with the given name and rule. -func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rule string) { +func CreatePolicy(t testing.T, state StateStore, index uint64, name, rule string) { t.Helper() // Create the ACLPolicy @@ -43,11 +48,11 @@ func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rul } // CreateToken creates a local, client token for the given policies -func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies []string) *structs.ACLToken { +func CreateToken(t testing.T, state StateStore, index uint64, policies []string) *structs.ACLToken { t.Helper() // Create the ACLToken - token := mock.ACLToken() + token := ACLToken() token.Policies = policies token.SetHash() assert.Nil(t, state.UpsertACLTokens(index, []*structs.ACLToken{token})) @@ -56,7 +61,7 @@ func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies [ // CreatePolicyAndToken creates a policy and then returns a token configured for // just that policy. CreatePolicyAndToken uses the given index and index+1. -func CreatePolicyAndToken(t *testing.T, state *state.StateStore, index uint64, name, rule string) *structs.ACLToken { +func CreatePolicyAndToken(t testing.T, state StateStore, index uint64, name, rule string) *structs.ACLToken { CreatePolicy(t, state, index, name, rule) return CreateToken(t, state, index+1, []string{name}) } diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go index 6a56ff6af..74f5feb36 100644 --- a/nomad/node_endpoint_test.go +++ b/nomad/node_endpoint_test.go @@ -674,8 +674,8 @@ func TestClientEndpoint_UpdateDrain_ACL(t *testing.T) { assert.Nil(state.UpsertNode(1, node), "UpsertNode") // Create the policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyWrite)) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyRead)) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyWrite)) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyRead)) // Update the status without a token and expect failure dereg := &structs.NodeUpdateDrainRequest{ @@ -925,8 +925,8 @@ func TestClientEndpoint_GetNode_ACL(t *testing.T) { assert.Nil(state.UpsertNode(1, node), "UpsertNode") // Create the policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyRead)) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyDeny)) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyRead)) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyDeny)) // Lookup the node without a token and expect failure req := &structs.NodeSpecificRequest{ @@ -1158,11 +1158,11 @@ func TestClientEndpoint_GetAllocs_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(5, allocs), "UpsertAllocs") // Create the namespace policy and tokens - validDefaultToken := CreatePolicyAndToken(t, state, 1001, "test-default-valid", NodePolicy(acl.PolicyRead)+ - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) - validNoNSToken := CreatePolicyAndToken(t, state, 1003, "test-alt-valid", NodePolicy(acl.PolicyRead)) - invalidToken := CreatePolicyAndToken(t, state, 1004, "test-invalid", - NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validDefaultToken := mock.CreatePolicyAndToken(t, state, 1001, "test-default-valid", mock.NodePolicy(acl.PolicyRead)+ + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) + validNoNSToken := mock.CreatePolicyAndToken(t, state, 1003, "test-alt-valid", mock.NodePolicy(acl.PolicyRead)) + invalidToken := mock.CreatePolicyAndToken(t, state, 1004, "test-invalid", + mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob})) // Lookup the node without a token and expect failure req := &structs.NodeSpecificRequest{ @@ -1861,8 +1861,8 @@ func TestClientEndpoint_Evaluate_ACL(t *testing.T) { assert.Nil(state.UpsertAllocs(3, []*structs.Allocation{alloc}), "UpsertAllocs") // Create the policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyWrite)) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyRead)) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyWrite)) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyRead)) // Re-evaluate without a token and expect failure req := &structs.NodeEvaluateRequest{ @@ -1975,8 +1975,8 @@ func TestClientEndpoint_ListNodes_ACL(t *testing.T) { assert.Nil(state.UpsertNode(1, node), "UpsertNode") // Create the namespace policy and tokens - validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyRead)) - invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyDeny)) + validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyRead)) + invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyDeny)) // Lookup the node without a token and expect failure req := &structs.NodeListRequest{ diff --git a/vendor/github.com/mitchellh/go-testing-interface/testing.go b/vendor/github.com/mitchellh/go-testing-interface/testing.go index 27f124bd1..204afb420 100644 --- a/vendor/github.com/mitchellh/go-testing-interface/testing.go +++ b/vendor/github.com/mitchellh/go-testing-interface/testing.go @@ -1,3 +1,5 @@ +// +build !go1.9 + package testing import ( diff --git a/vendor/github.com/mitchellh/go-testing-interface/testing_go19.go b/vendor/github.com/mitchellh/go-testing-interface/testing_go19.go new file mode 100644 index 000000000..31b42cadf --- /dev/null +++ b/vendor/github.com/mitchellh/go-testing-interface/testing_go19.go @@ -0,0 +1,108 @@ +// +build go1.9 + +// NOTE: This is a temporary copy of testing.go for Go 1.9 with the addition +// of "Helper" to the T interface. Go 1.9 at the time of typing is in RC +// and is set for release shortly. We'll support this on master as the default +// as soon as 1.9 is released. + +package testing + +import ( + "fmt" + "log" +) + +// T is the interface that mimics the standard library *testing.T. +// +// In unit tests you can just pass a *testing.T struct. At runtime, outside +// of tests, you can pass in a RuntimeT struct from this package. +type T interface { + Error(args ...interface{}) + Errorf(format string, args ...interface{}) + Fail() + FailNow() + Failed() bool + Fatal(args ...interface{}) + Fatalf(format string, args ...interface{}) + Log(args ...interface{}) + Logf(format string, args ...interface{}) + Name() string + Skip(args ...interface{}) + SkipNow() + Skipf(format string, args ...interface{}) + Skipped() bool + Helper() +} + +// RuntimeT implements T and can be instantiated and run at runtime to +// mimic *testing.T behavior. Unlike *testing.T, this will simply panic +// for calls to Fatal. For calls to Error, you'll have to check the errors +// list to determine whether to exit yourself. +type RuntimeT struct { + skipped bool + failed bool +} + +func (t *RuntimeT) Error(args ...interface{}) { + log.Println(fmt.Sprintln(args...)) + t.Fail() +} + +func (t *RuntimeT) Errorf(format string, args ...interface{}) { + log.Printf(format, args...) + t.Fail() +} + +func (t *RuntimeT) Fail() { + t.failed = true +} + +func (t *RuntimeT) FailNow() { + panic("testing.T failed, see logs for output (if any)") +} + +func (t *RuntimeT) Failed() bool { + return t.failed +} + +func (t *RuntimeT) Fatal(args ...interface{}) { + log.Print(args...) + t.FailNow() +} + +func (t *RuntimeT) Fatalf(format string, args ...interface{}) { + log.Printf(format, args...) + t.FailNow() +} + +func (t *RuntimeT) Log(args ...interface{}) { + log.Println(fmt.Sprintln(args...)) +} + +func (t *RuntimeT) Logf(format string, args ...interface{}) { + log.Println(fmt.Sprintf(format, args...)) +} + +func (t *RuntimeT) Name() string { + return "" +} + +func (t *RuntimeT) Skip(args ...interface{}) { + log.Print(args...) + t.SkipNow() +} + +func (t *RuntimeT) SkipNow() { + t.skipped = true +} + +func (t *RuntimeT) Skipf(format string, args ...interface{}) { + log.Printf(format, args...) + t.SkipNow() +} + +func (t *RuntimeT) Skipped() bool { + return t.skipped +} + +func (t *RuntimeT) Helper() {} diff --git a/vendor/vendor.json b/vendor/vendor.json index b03833360..09b34e76d 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -1130,10 +1130,10 @@ "revisionTime": "2017-03-09T13:30:38Z" }, { - "checksumSHA1": "NRba2rT64faub6rtxKVj7xM+QAo=", + "checksumSHA1": "bDdhmDk8q6utWrccBhEOa6IoGkE=", "path": "github.com/mitchellh/go-testing-interface", - "revision": "e1449340a7b207d8ca90d41466272ece75cbb5b5", - "revisionTime": "2017-07-25T22:03:13Z" + "revision": "a61a99592b77c9ba629d254a693acffaeb4b7e28", + "revisionTime": "2017-10-04T22:19:16Z" }, { "path": "github.com/mitchellh/hashstructure",