client: fixing policy resolution after ACL endpoint enforcement

2017-08-21 17:31:32 -07:00 · 2017-08-21 17:31:32 -07:00 · f31cd6a618
parent 18ddb910fa
commit f31cd6a618
3 changed files with 29 additions and 9 deletions
--- a/client/acl.go
+++ b/client/acl.go
@ -91,7 +91,7 @@ func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
 	}

 	// Resolve the policies
-	policies, err := c.resolvePolicies(token.Policies)
+	policies, err := c.resolvePolicies(token.SecretID, token.Policies)
 	if err != nil {
 		return nil, err
 	}
@ -150,7 +150,7 @@ func (c *Client) resolveTokenValue(secretID string) (*structs.ACLToken, error) {
 // We cache the policies locally, and fault them from a server as necessary. Policies
 // are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
 // will be ignored to gracefully handle outages.
-func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error) {
+func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs.ACLPolicy, error) {
 	var out []*structs.ACLPolicy
 	var expired []*structs.ACLPolicy
 	var missing []string
@ -184,8 +184,11 @@ func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error
 		fetch = append(fetch, p.Name)
 	}
 	req := structs.ACLPolicySetRequest{
-		Names:        fetch,
-		QueryOptions: structs.QueryOptions{Region: c.Region()},
+		Names: fetch,
+		QueryOptions: structs.QueryOptions{
+			Region:   c.Region(),
+			SecretID: secretID,
+		},
 	}
 	var resp structs.ACLPolicySetResponse
 	if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {
--- a/client/acl_test.go
+++ b/client/acl_test.go
@ -12,12 +12,13 @@ import (
 )

 func TestClient_ACL_resolveTokenValue(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, _ := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)

 	c1 := testClient(t, func(c *config.Config) {
 		c.RPCHandler = s1
+		c.ACLEnabled = true
 	})
 	defer c1.Shutdown()

@ -60,12 +61,13 @@ func TestClient_ACL_resolveTokenValue(t *testing.T) {
 }

 func TestClient_ACL_resolvePolicies(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, root := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)

 	c1 := testClient(t, func(c *config.Config) {
 		c.RPCHandler = s1
+		c.ACLEnabled = true
 	})
 	defer c1.Shutdown()

@ -83,12 +85,12 @@ func TestClient_ACL_resolvePolicies(t *testing.T) {
 	assert.Nil(t, err)

 	// Test the client resolution
-	out, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
+	out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
 	assert.Nil(t, err)
 	assert.Equal(t, 2, len(out))

 	// Test caching
-	out2, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
+	out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
 	assert.Nil(t, err)
 	assert.Equal(t, 2, len(out2))

@ -115,7 +117,7 @@ func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
 }

 func TestClient_ACL_ResolveToken(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, _ := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)

--- a/client/client_test.go
+++ b/client/client_test.go
@ -30,6 +30,21 @@ func getPort() int {
 	return 1030 + int(rand.Int31n(6440))
 }

+func testACLServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string, *structs.ACLToken) {
+	server, addr := testServer(t, func(c *nomad.Config) {
+		c.ACLEnabled = true
+		if cb != nil {
+			cb(c)
+		}
+	})
+	token := mock.ACLManagementToken()
+	err := server.State().BootstrapACLTokens(1, token)
+	if err != nil {
+		t.Fatalf("failed to bootstrap ACL token: %v", err)
+	}
+	return server, addr, token
+}
+
 func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
 	// Setup the default settings
 	config := nomad.DefaultConfig()