Merge pull request #3325 from hashicorp/f-acl-client
/v1/client/gc ACL enforcement
This commit is contained in:
commit
44455f5e93
|
@ -23,7 +23,7 @@ func TestACLPolicyApplyCommand(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
|
|
@ -26,7 +26,7 @@ func TestACLPolicyDeleteCommand(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
// Create a test ACLPolicy
|
||||
|
|
|
@ -25,7 +25,7 @@ func TestACLPolicyListCommand(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
// Create a test ACLPolicy
|
||||
|
|
|
@ -21,7 +21,7 @@ func TestACLTokenCreateCommand(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
|
|
@ -25,7 +25,7 @@ func TestACLTokenDeleteCommand_ViaEnvVariable(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
|
|
@ -25,7 +25,7 @@ func TestACLTokenInfoCommand_ViaEnvVar(t *testing.T) {
|
|||
state := srv.Agent.Server().State()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
|
|
@ -22,7 +22,7 @@ func TestACLTokenUpdateCommand(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
|
|
@ -20,7 +20,7 @@ func TestHTTP_ACLPolicyList(t *testing.T) {
|
|||
Policies: []*structs.ACLPolicy{p1, p2, p3},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.GenericResponse
|
||||
|
@ -34,7 +34,7 @@ func TestHTTP_ACLPolicyList(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLPoliciesRequest(respW, req)
|
||||
|
@ -69,7 +69,7 @@ func TestHTTP_ACLPolicyQuery(t *testing.T) {
|
|||
Policies: []*structs.ACLPolicy{p1},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.GenericResponse
|
||||
|
@ -83,7 +83,7 @@ func TestHTTP_ACLPolicyQuery(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
|
||||
|
@ -121,7 +121,7 @@ func TestHTTP_ACLPolicyCreate(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
|
||||
|
@ -153,7 +153,7 @@ func TestHTTP_ACLPolicyDelete(t *testing.T) {
|
|||
Policies: []*structs.ACLPolicy{p1},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.GenericResponse
|
||||
|
@ -167,7 +167,7 @@ func TestHTTP_ACLPolicyDelete(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLPolicySpecificRequest(respW, req)
|
||||
|
@ -232,7 +232,7 @@ func TestHTTP_ACLTokenList(t *testing.T) {
|
|||
Tokens: []*structs.ACLToken{p1, p2, p3},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.ACLTokenUpsertResponse
|
||||
|
@ -246,7 +246,7 @@ func TestHTTP_ACLTokenList(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLTokensRequest(respW, req)
|
||||
|
@ -282,7 +282,7 @@ func TestHTTP_ACLTokenQuery(t *testing.T) {
|
|||
Tokens: []*structs.ACLToken{p1},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.ACLTokenUpsertResponse
|
||||
|
@ -297,7 +297,7 @@ func TestHTTP_ACLTokenQuery(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
|
||||
|
@ -334,7 +334,7 @@ func TestHTTP_ACLTokenCreate(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
|
||||
|
@ -365,7 +365,7 @@ func TestHTTP_ACLTokenDelete(t *testing.T) {
|
|||
Tokens: []*structs.ACLToken{p1},
|
||||
WriteRequest: structs.WriteRequest{
|
||||
Region: "global",
|
||||
SecretID: s.Token.SecretID,
|
||||
SecretID: s.RootToken.SecretID,
|
||||
},
|
||||
}
|
||||
var resp structs.ACLTokenUpsertResponse
|
||||
|
@ -380,7 +380,7 @@ func TestHTTP_ACLTokenDelete(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.ACLTokenSpecificRequest(respW, req)
|
||||
|
|
|
@ -103,6 +103,17 @@ func (s *HTTPServer) ClientGCRequest(resp http.ResponseWriter, req *http.Request
|
|||
if s.agent.client == nil {
|
||||
return nil, clientNotRunning
|
||||
}
|
||||
|
||||
var secret string
|
||||
s.parseToken(req, &secret)
|
||||
|
||||
// Check node write permissions
|
||||
if aclObj, err := s.agent.Client().ResolveToken(secret); err != nil {
|
||||
return nil, err
|
||||
} else if aclObj != nil && !aclObj.AllowNodeWrite() {
|
||||
return nil, structs.ErrPermissionDenied
|
||||
}
|
||||
|
||||
return nil, s.agent.Client().CollectAllAllocs()
|
||||
}
|
||||
|
||||
|
|
|
@ -8,8 +8,10 @@ import (
|
|||
"testing"
|
||||
|
||||
"github.com/golang/snappy"
|
||||
"github.com/hashicorp/nomad/acl"
|
||||
"github.com/hashicorp/nomad/nomad/mock"
|
||||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestHTTP_AllocsList(t *testing.T) {
|
||||
|
@ -295,3 +297,53 @@ func TestHTTP_AllocAllGC(t *testing.T) {
|
|||
})
|
||||
|
||||
}
|
||||
|
||||
func TestHTTP_AllocAllGC_ACL(t *testing.T) {
|
||||
t.Parallel()
|
||||
assert := assert.New(t)
|
||||
httpACLTest(t, nil, func(s *TestAgent) {
|
||||
state := s.Agent.server.State()
|
||||
|
||||
// Make the HTTP request
|
||||
req, err := http.NewRequest("GET", "/v1/client/gc", nil)
|
||||
assert.Nil(err)
|
||||
|
||||
// Try request without a token and expect failure
|
||||
{
|
||||
respW := httptest.NewRecorder()
|
||||
_, err := s.Server.ClientGCRequest(respW, req)
|
||||
assert.NotNil(err)
|
||||
assert.Equal(err.Error(), structs.ErrPermissionDenied.Error())
|
||||
}
|
||||
|
||||
// Try request with an invalid token and expect failure
|
||||
{
|
||||
respW := httptest.NewRecorder()
|
||||
token := mock.CreatePolicyAndToken(t, state, 1005, "invalid", mock.NodePolicy(acl.PolicyRead))
|
||||
setToken(req, token)
|
||||
_, err := s.Server.ClientGCRequest(respW, req)
|
||||
assert.NotNil(err)
|
||||
assert.Equal(err.Error(), structs.ErrPermissionDenied.Error())
|
||||
}
|
||||
|
||||
// Try request with a valid token
|
||||
{
|
||||
respW := httptest.NewRecorder()
|
||||
token := mock.CreatePolicyAndToken(t, state, 1007, "valid", mock.NodePolicy(acl.PolicyWrite))
|
||||
setToken(req, token)
|
||||
_, err := s.Server.ClientGCRequest(respW, req)
|
||||
assert.Nil(err)
|
||||
assert.Equal(http.StatusOK, respW.Code)
|
||||
}
|
||||
|
||||
// Try request with a management token
|
||||
{
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.RootToken)
|
||||
_, err := s.Server.ClientGCRequest(respW, req)
|
||||
assert.Nil(err)
|
||||
assert.Equal(http.StatusOK, respW.Code)
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
|
|
|
@ -200,7 +200,7 @@ func TestHTTP_JobsRegister_ACL(t *testing.T) {
|
|||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
respW := httptest.NewRecorder()
|
||||
setToken(req, s.Token)
|
||||
setToken(req, s.RootToken)
|
||||
|
||||
// Make the request
|
||||
obj, err := s.Server.JobsRequest(respW, req)
|
||||
|
|
|
@ -69,8 +69,8 @@ type TestAgent struct {
|
|||
// It is valid after Start().
|
||||
*Agent
|
||||
|
||||
// Token is auto-bootstrapped if ACLs are enabled
|
||||
Token *structs.ACLToken
|
||||
// RootToken is auto-bootstrapped if ACLs are enabled
|
||||
RootToken *structs.ACLToken
|
||||
}
|
||||
|
||||
// NewTestAgent returns a started agent with the given name and
|
||||
|
@ -174,9 +174,9 @@ func (a *TestAgent) Start() *TestAgent {
|
|||
// to do a bypass of this step. This is so we can test bootstrap
|
||||
// without having to pass down a special flag.
|
||||
if a.Config.ACL.Enabled && a.Config.Server.Enabled && a.Config.ACL.PolicyTTL != 0 {
|
||||
a.Token = mock.ACLManagementToken()
|
||||
a.RootToken = mock.ACLManagementToken()
|
||||
state := a.Agent.server.State()
|
||||
if err := state.BootstrapACLTokens(1, 0, a.Token); err != nil {
|
||||
if err := state.BootstrapACLTokens(1, 0, a.RootToken); err != nil {
|
||||
panic(fmt.Sprintf("token bootstrap failed: %v", err))
|
||||
}
|
||||
}
|
||||
|
|
|
@ -228,7 +228,7 @@ func TestJobStatusCommand_WithAccessPolicy(t *testing.T) {
|
|||
defer srv.Shutdown()
|
||||
|
||||
// Bootstrap an initial ACL token
|
||||
token := srv.Token
|
||||
token := srv.RootToken
|
||||
assert.NotNil(token, "failed to bootstrap ACL token")
|
||||
|
||||
// Register a job
|
||||
|
|
|
@ -227,13 +227,21 @@ func (a *ACL) GetPolicies(args *structs.ACLPolicySetRequest, reply *structs.ACLP
|
|||
}
|
||||
defer metrics.MeasureSince([]string{"nomad", "acl", "get_policies"}, time.Now())
|
||||
|
||||
var token *structs.ACLToken
|
||||
var err error
|
||||
if args.SecretID == "" {
|
||||
// No need to look up the anonymous token
|
||||
token = structs.AnonymousACLToken
|
||||
} else {
|
||||
// For client typed tokens, allow them to query any policies associated with that token.
|
||||
// This is used by clients which are resolving the policies to enforce. Any associated
|
||||
// policies need to be fetched so that the client can determine what to allow.
|
||||
token, err := a.srv.State().ACLTokenBySecretID(nil, args.SecretID)
|
||||
token, err = a.srv.State().ACLTokenBySecretID(nil, args.SecretID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if token == nil {
|
||||
return structs.ErrTokenNotFound
|
||||
}
|
||||
|
|
|
@ -101,10 +101,10 @@ func TestAllocEndpoint_List_ACL(t *testing.T) {
|
|||
stubAllocs[0].ModifyIndex = 1000
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
// Lookup the allocs without a token and expect failure
|
||||
get := &structs.AllocListRequest{
|
||||
|
@ -262,10 +262,10 @@ func TestAllocEndpoint_GetAlloc_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(1000, allocs), "UpsertAllocs")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
// Lookup the alloc without a token and expect failure
|
||||
get := &structs.AllocSpecificRequest{
|
||||
|
|
|
@ -63,10 +63,10 @@ func TestDeploymentEndpoint_GetDeployment_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
// Lookup the deployments without a token and expect failure
|
||||
get := &structs.DeploymentSpecificRequest{
|
||||
|
@ -216,10 +216,10 @@ func TestDeploymentEndpoint_Fail_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
// Mark the deployment as failed
|
||||
req := &structs.DeploymentFailRequest{
|
||||
|
@ -408,10 +408,10 @@ func TestDeploymentEndpoint_Pause_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
// Mark the deployment as failed
|
||||
req := &structs.DeploymentPauseRequest{
|
||||
|
@ -551,10 +551,10 @@ func TestDeploymentEndpoint_Promote_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
// Promote the deployment
|
||||
req := &structs.DeploymentPromoteRequest{
|
||||
|
@ -703,10 +703,10 @@ func TestDeploymentEndpoint_SetAllocHealth_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
// Set the alloc as healthy
|
||||
req := &structs.DeploymentAllocHealthRequest{
|
||||
|
@ -921,10 +921,10 @@ func TestDeploymentEndpoint_List_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertDeployment(1000, d), "UpsertDeployment")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get := &structs.DeploymentListRequest{
|
||||
QueryOptions: structs.QueryOptions{
|
||||
|
@ -1088,10 +1088,10 @@ func TestDeploymentEndpoint_Allocations_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(1001, []*structs.Allocation{a}), "UpsertAllocs")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get := &structs.DeploymentSpecificRequest{
|
||||
DeploymentID: d.ID,
|
||||
|
|
|
@ -73,10 +73,10 @@ func TestEvalEndpoint_GetEval_ACL(t *testing.T) {
|
|||
state.UpsertEvals(1000, []*structs.Evaluation{eval1})
|
||||
|
||||
// Create ACL tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get := &structs.EvalSpecificRequest{
|
||||
EvalID: eval1.ID,
|
||||
|
@ -611,10 +611,10 @@ func TestEvalEndpoint_List_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertEvals(1000, []*structs.Evaluation{eval1, eval2}))
|
||||
|
||||
// Create ACL tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get := &structs.EvalListRequest{
|
||||
QueryOptions: structs.QueryOptions{
|
||||
|
@ -781,10 +781,10 @@ func TestEvalEndpoint_Allocations_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(1000, []*structs.Allocation{alloc1, alloc2}))
|
||||
|
||||
// Create ACL tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get := &structs.EvalSpecificRequest{
|
||||
EvalID: alloc1.EvalID,
|
||||
|
|
|
@ -1064,8 +1064,8 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
revertReq.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobRegisterResponse
|
||||
|
@ -1080,8 +1080,8 @@ func TestJobEndpoint_Revert_ACL(t *testing.T) {
|
|||
assert.Nil(err)
|
||||
|
||||
// Try with a valid non-management token
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
|
||||
revertReq.SecretID = validToken.SecretID
|
||||
var validResp2 structs.JobRegisterResponse
|
||||
|
@ -1187,8 +1187,8 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) {
|
|||
assert.Contains("Permission denied", err.Error())
|
||||
|
||||
// Expect failure for request with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
stableReq.SecretID = invalidToken.SecretID
|
||||
var invalidStableResp structs.JobStabilityResponse
|
||||
|
@ -1203,8 +1203,8 @@ func TestJobEndpoint_Stable_ACL(t *testing.T) {
|
|||
assert.Nil(err)
|
||||
|
||||
// Attempt to fetch with a valid token
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
|
||||
stableReq.SecretID = validToken.SecretID
|
||||
var validStableResp2 structs.JobStabilityResponse
|
||||
|
@ -1331,8 +1331,8 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
reEval.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobRegisterResponse
|
||||
|
@ -1347,8 +1347,8 @@ func TestJobEndpoint_Evaluate_ACL(t *testing.T) {
|
|||
assert.Nil(err)
|
||||
|
||||
// Fetch the response with a valid token
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
reEval.SecretID = validToken.SecretID
|
||||
var validResp2 structs.JobRegisterResponse
|
||||
|
@ -1636,8 +1636,8 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Expect failure for request with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
req.SecretID = invalidToken.SecretID
|
||||
|
||||
var invalidResp structs.JobDeregisterResponse
|
||||
|
@ -1654,8 +1654,8 @@ func TestJobEndpoint_Deregister_ACL(t *testing.T) {
|
|||
assert.NotEqual(validResp.Index, 0)
|
||||
|
||||
// Expect success with a valid token
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilitySubmitJob}))
|
||||
req.SecretID = validToken.SecretID
|
||||
|
||||
var validResp2 structs.JobDeregisterResponse
|
||||
|
@ -1970,8 +1970,8 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Expect failure for request with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.SingleJobResponse
|
||||
|
@ -1987,8 +1987,8 @@ func TestJobEndpoint_GetJob_ACL(t *testing.T) {
|
|||
assert.Equal(job.ID, validResp.Job.ID)
|
||||
|
||||
// Looking up the job with a valid token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.SingleJobResponse
|
||||
|
@ -2181,8 +2181,8 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Expect failure for request with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobVersionsResponse
|
||||
|
@ -2197,8 +2197,8 @@ func TestJobEndpoint_GetJobVersions_ACL(t *testing.T) {
|
|||
assert.Nil(err)
|
||||
|
||||
// Expect success for request with a valid token
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.JobVersionsResponse
|
||||
|
@ -2522,8 +2522,8 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) {
|
|||
state := srv.fsm.State()
|
||||
|
||||
// Expect failure for request with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
req.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobSummaryResponse
|
||||
|
@ -2531,8 +2531,8 @@ func TestJobEndpoint_Summary_ACL(t *testing.T) {
|
|||
assert.NotNil(err)
|
||||
|
||||
// Try with a valid token
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
req.SecretID = validToken.SecretID
|
||||
var authResp structs.JobSummaryResponse
|
||||
|
@ -2735,8 +2735,8 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) {
|
|||
assert.Equal(job.ID, mgmtResp.Jobs[0].ID)
|
||||
|
||||
// Expect failure for request with a token that has incorrect permissions
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
req.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobListResponse
|
||||
|
@ -2744,8 +2744,8 @@ func TestJobEndpoint_ListJobs_WithACL(t *testing.T) {
|
|||
assert.NotNil(err)
|
||||
|
||||
// Try with a valid token with correct permissions
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
var validResp structs.JobListResponse
|
||||
req.SecretID = validToken.SecretID
|
||||
|
||||
|
@ -2898,8 +2898,8 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token should fail
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobAllocationsResponse
|
||||
|
@ -2914,8 +2914,8 @@ func TestJobEndpoint_Allocations_ACL(t *testing.T) {
|
|||
assert.Nil(err)
|
||||
|
||||
// Attempt to fetch the response with valid management token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.JobAllocationsResponse
|
||||
|
@ -3055,8 +3055,8 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.JobEvaluationsResponse
|
||||
|
@ -3072,8 +3072,8 @@ func TestJobEndpoint_Evaluations_ACL(t *testing.T) {
|
|||
assert.Equal(2, len(validResp.Evaluations))
|
||||
|
||||
// Attempt to fetch with valid token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.JobEvaluationsResponse
|
||||
|
@ -3205,8 +3205,8 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.DeploymentListResponse
|
||||
|
@ -3222,8 +3222,8 @@ func TestJobEndpoint_Deployments_ACL(t *testing.T) {
|
|||
assert.Len(validResp.Deployments, 2, "deployments for job")
|
||||
|
||||
// Lookup with valid token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1005, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.DeploymentListResponse
|
||||
|
@ -3352,8 +3352,8 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token should fail
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
|
||||
get.SecretID = invalidToken.SecretID
|
||||
var invalidResp structs.SingleDeploymentResponse
|
||||
|
@ -3370,8 +3370,8 @@ func TestJobEndpoint_LatestDeployment_ACL(t *testing.T) {
|
|||
assert.Equal(d2.ID, validResp.Deployment.ID, "latest deployment for job")
|
||||
|
||||
// Fetching latest deployment with a valid token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1004, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1004, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
get.SecretID = validToken.SecretID
|
||||
var validResp2 structs.SingleDeploymentResponse
|
||||
|
@ -3852,8 +3852,8 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) {
|
|||
assert.Contains(err.Error(), "Permission denied")
|
||||
|
||||
// Attempt to fetch the response with an invalid token should fail
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1001, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityListJobs}))
|
||||
req.SecretID = invalidToken.SecretID
|
||||
|
||||
var invalidResp structs.JobDispatchResponse
|
||||
|
@ -3872,8 +3872,8 @@ func TestJobEndpoint_Dispatch_ACL(t *testing.T) {
|
|||
assert.NotEqual(validResp.DispatchedJobID, "")
|
||||
|
||||
// Dispatch with a valid token should succeed
|
||||
validToken := CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob}))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1003, "test-valid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityDispatchJob}))
|
||||
req.SecretID = validToken.SecretID
|
||||
|
||||
var validResp2 structs.JobDispatchResponse
|
||||
|
|
|
@ -1,15 +1,20 @@
|
|||
package nomad
|
||||
package mock
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/nomad/nomad/mock"
|
||||
"github.com/hashicorp/nomad/nomad/state"
|
||||
"github.com/hashicorp/nomad/nomad/structs"
|
||||
"github.com/mitchellh/go-testing-interface"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// StateStore defines the methods required from state.StateStore but avoids a
|
||||
// circular dependency.
|
||||
type StateStore interface {
|
||||
UpsertACLPolicies(index uint64, policies []*structs.ACLPolicy) error
|
||||
UpsertACLTokens(index uint64, tokens []*structs.ACLToken) error
|
||||
}
|
||||
|
||||
// NamespacePolicy is a helper for generating the policy hcl for a given
|
||||
// namepsace. Either policy or capabilities may be nil but not both.
|
||||
func NamespacePolicy(namespace string, policy string, capabilities []string) string {
|
||||
|
@ -30,7 +35,7 @@ func NodePolicy(policy string) string {
|
|||
}
|
||||
|
||||
// CreatePolicy creates a policy with the given name and rule.
|
||||
func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rule string) {
|
||||
func CreatePolicy(t testing.T, state StateStore, index uint64, name, rule string) {
|
||||
t.Helper()
|
||||
|
||||
// Create the ACLPolicy
|
||||
|
@ -43,11 +48,11 @@ func CreatePolicy(t *testing.T, state *state.StateStore, index uint64, name, rul
|
|||
}
|
||||
|
||||
// CreateToken creates a local, client token for the given policies
|
||||
func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies []string) *structs.ACLToken {
|
||||
func CreateToken(t testing.T, state StateStore, index uint64, policies []string) *structs.ACLToken {
|
||||
t.Helper()
|
||||
|
||||
// Create the ACLToken
|
||||
token := mock.ACLToken()
|
||||
token := ACLToken()
|
||||
token.Policies = policies
|
||||
token.SetHash()
|
||||
assert.Nil(t, state.UpsertACLTokens(index, []*structs.ACLToken{token}))
|
||||
|
@ -56,7 +61,7 @@ func CreateToken(t *testing.T, state *state.StateStore, index uint64, policies [
|
|||
|
||||
// CreatePolicyAndToken creates a policy and then returns a token configured for
|
||||
// just that policy. CreatePolicyAndToken uses the given index and index+1.
|
||||
func CreatePolicyAndToken(t *testing.T, state *state.StateStore, index uint64, name, rule string) *structs.ACLToken {
|
||||
func CreatePolicyAndToken(t testing.T, state StateStore, index uint64, name, rule string) *structs.ACLToken {
|
||||
CreatePolicy(t, state, index, name, rule)
|
||||
return CreateToken(t, state, index+1, []string{name})
|
||||
}
|
|
@ -674,8 +674,8 @@ func TestClientEndpoint_UpdateDrain_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertNode(1, node), "UpsertNode")
|
||||
|
||||
// Create the policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyWrite))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyRead))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyWrite))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyRead))
|
||||
|
||||
// Update the status without a token and expect failure
|
||||
dereg := &structs.NodeUpdateDrainRequest{
|
||||
|
@ -925,8 +925,8 @@ func TestClientEndpoint_GetNode_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertNode(1, node), "UpsertNode")
|
||||
|
||||
// Create the policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyRead))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyDeny))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyRead))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyDeny))
|
||||
|
||||
// Lookup the node without a token and expect failure
|
||||
req := &structs.NodeSpecificRequest{
|
||||
|
@ -1158,11 +1158,11 @@ func TestClientEndpoint_GetAllocs_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(5, allocs), "UpsertAllocs")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validDefaultToken := CreatePolicyAndToken(t, state, 1001, "test-default-valid", NodePolicy(acl.PolicyRead)+
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validNoNSToken := CreatePolicyAndToken(t, state, 1003, "test-alt-valid", NodePolicy(acl.PolicyRead))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1004, "test-invalid",
|
||||
NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validDefaultToken := mock.CreatePolicyAndToken(t, state, 1001, "test-default-valid", mock.NodePolicy(acl.PolicyRead)+
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
validNoNSToken := mock.CreatePolicyAndToken(t, state, 1003, "test-alt-valid", mock.NodePolicy(acl.PolicyRead))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1004, "test-invalid",
|
||||
mock.NamespacePolicy(structs.DefaultNamespace, "", []string{acl.NamespaceCapabilityReadJob}))
|
||||
|
||||
// Lookup the node without a token and expect failure
|
||||
req := &structs.NodeSpecificRequest{
|
||||
|
@ -1861,8 +1861,8 @@ func TestClientEndpoint_Evaluate_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertAllocs(3, []*structs.Allocation{alloc}), "UpsertAllocs")
|
||||
|
||||
// Create the policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyWrite))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyRead))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyWrite))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyRead))
|
||||
|
||||
// Re-evaluate without a token and expect failure
|
||||
req := &structs.NodeEvaluateRequest{
|
||||
|
@ -1975,8 +1975,8 @@ func TestClientEndpoint_ListNodes_ACL(t *testing.T) {
|
|||
assert.Nil(state.UpsertNode(1, node), "UpsertNode")
|
||||
|
||||
// Create the namespace policy and tokens
|
||||
validToken := CreatePolicyAndToken(t, state, 1001, "test-valid", NodePolicy(acl.PolicyRead))
|
||||
invalidToken := CreatePolicyAndToken(t, state, 1003, "test-invalid", NodePolicy(acl.PolicyDeny))
|
||||
validToken := mock.CreatePolicyAndToken(t, state, 1001, "test-valid", mock.NodePolicy(acl.PolicyRead))
|
||||
invalidToken := mock.CreatePolicyAndToken(t, state, 1003, "test-invalid", mock.NodePolicy(acl.PolicyDeny))
|
||||
|
||||
// Lookup the node without a token and expect failure
|
||||
req := &structs.NodeListRequest{
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
// +build !go1.9
|
||||
|
||||
package testing
|
||||
|
||||
import (
|
||||
|
|
|
@ -0,0 +1,108 @@
|
|||
// +build go1.9
|
||||
|
||||
// NOTE: This is a temporary copy of testing.go for Go 1.9 with the addition
|
||||
// of "Helper" to the T interface. Go 1.9 at the time of typing is in RC
|
||||
// and is set for release shortly. We'll support this on master as the default
|
||||
// as soon as 1.9 is released.
|
||||
|
||||
package testing
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
)
|
||||
|
||||
// T is the interface that mimics the standard library *testing.T.
|
||||
//
|
||||
// In unit tests you can just pass a *testing.T struct. At runtime, outside
|
||||
// of tests, you can pass in a RuntimeT struct from this package.
|
||||
type T interface {
|
||||
Error(args ...interface{})
|
||||
Errorf(format string, args ...interface{})
|
||||
Fail()
|
||||
FailNow()
|
||||
Failed() bool
|
||||
Fatal(args ...interface{})
|
||||
Fatalf(format string, args ...interface{})
|
||||
Log(args ...interface{})
|
||||
Logf(format string, args ...interface{})
|
||||
Name() string
|
||||
Skip(args ...interface{})
|
||||
SkipNow()
|
||||
Skipf(format string, args ...interface{})
|
||||
Skipped() bool
|
||||
Helper()
|
||||
}
|
||||
|
||||
// RuntimeT implements T and can be instantiated and run at runtime to
|
||||
// mimic *testing.T behavior. Unlike *testing.T, this will simply panic
|
||||
// for calls to Fatal. For calls to Error, you'll have to check the errors
|
||||
// list to determine whether to exit yourself.
|
||||
type RuntimeT struct {
|
||||
skipped bool
|
||||
failed bool
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Error(args ...interface{}) {
|
||||
log.Println(fmt.Sprintln(args...))
|
||||
t.Fail()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Errorf(format string, args ...interface{}) {
|
||||
log.Printf(format, args...)
|
||||
t.Fail()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Fail() {
|
||||
t.failed = true
|
||||
}
|
||||
|
||||
func (t *RuntimeT) FailNow() {
|
||||
panic("testing.T failed, see logs for output (if any)")
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Failed() bool {
|
||||
return t.failed
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Fatal(args ...interface{}) {
|
||||
log.Print(args...)
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Fatalf(format string, args ...interface{}) {
|
||||
log.Printf(format, args...)
|
||||
t.FailNow()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Log(args ...interface{}) {
|
||||
log.Println(fmt.Sprintln(args...))
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Logf(format string, args ...interface{}) {
|
||||
log.Println(fmt.Sprintf(format, args...))
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Name() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Skip(args ...interface{}) {
|
||||
log.Print(args...)
|
||||
t.SkipNow()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) SkipNow() {
|
||||
t.skipped = true
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Skipf(format string, args ...interface{}) {
|
||||
log.Printf(format, args...)
|
||||
t.SkipNow()
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Skipped() bool {
|
||||
return t.skipped
|
||||
}
|
||||
|
||||
func (t *RuntimeT) Helper() {}
|
|
@ -1130,10 +1130,10 @@
|
|||
"revisionTime": "2017-03-09T13:30:38Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "NRba2rT64faub6rtxKVj7xM+QAo=",
|
||||
"checksumSHA1": "bDdhmDk8q6utWrccBhEOa6IoGkE=",
|
||||
"path": "github.com/mitchellh/go-testing-interface",
|
||||
"revision": "e1449340a7b207d8ca90d41466272ece75cbb5b5",
|
||||
"revisionTime": "2017-07-25T22:03:13Z"
|
||||
"revision": "a61a99592b77c9ba629d254a693acffaeb4b7e28",
|
||||
"revisionTime": "2017-10-04T22:19:16Z"
|
||||
},
|
||||
{
|
||||
"path": "github.com/mitchellh/hashstructure",
|
||||
|
|
Loading…
Reference in New Issue