From f31cd6a618c0b414d3e3c144d34dd298c9d5a32d Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Mon, 21 Aug 2017 17:31:32 -0700
Subject: [PATCH] client: fixing policy resolution after ACL endpoint enforcement

---
 client/acl.go | 11 +++++++----
 client/acl_test.go | 12 +++++++-----
 client/client_test.go | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/client/acl.go b/client/acl.go
index 719dbb998..a38567585 100644
--- a/client/acl.go
+++ b/client/acl.go
@@ -91,7 +91,7 @@ func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
 	}
 
 	// Resolve the policies
-	policies, err := c.resolvePolicies(token.Policies)
+	policies, err := c.resolvePolicies(token.SecretID, token.Policies)
 	if err != nil {
 		return nil, err
 	}
@@ -150,7 +150,7 @@ func (c *Client) resolveTokenValue(secretID string) (*structs.ACLToken, error) {
 // We cache the policies locally, and fault them from a server as necessary. Policies
 // are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
 // will be ignored to gracefully handle outages.
-func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error) {
+func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs.ACLPolicy, error) {
 	var out []*structs.ACLPolicy
 	var expired []*structs.ACLPolicy
 	var missing []string
@@ -184,8 +184,11 @@ func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error
 		fetch = append(fetch, p.Name)
 	}
 	req := structs.ACLPolicySetRequest{
-		Names:        fetch,
-		QueryOptions: structs.QueryOptions{Region: c.Region()},
+		Names: fetch,
+		QueryOptions: structs.QueryOptions{
+			Region:   c.Region(),
+			SecretID: secretID,
+		},
 	}
 	var resp structs.ACLPolicySetResponse
 	if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {
diff --git a/client/acl_test.go b/client/acl_test.go
index 9a791e9fc..90a08b0e0 100644
--- a/client/acl_test.go
+++ b/client/acl_test.go
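Review bot: The doc comment above `resolvePolicies` (second hunk) still describes only the caching behaviour and says nothing about the new `secretID` parameter, which is what the third hunk sends as `QueryOptions.SecretID` on the `ACL.GetPolicies` RPC. I would add `// secretID is the token whose policies are being resolved; it is attached to the ACL.GetPolicies RPC so the server can authorize the fetch of any policies that are missing from or expired in the local cache.` The same comment promises that an unreachable server falls back to the stale cache, but a rejected `SecretID` comes back through the same `err` from `c.RPC`, and the handling after that line is outside the hunk, so it is worth confirming that an authorization failure is not served from the expired cache as if it were an outage. `resolvePolicies` continues past the third hunk.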
@@ -12,12 +12,13 @@ import (
 )
 
 func TestClient_ACL_resolveTokenValue(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, _ := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)
 
 	c1 := testClient(t, func(c *config.Config) {
 		c.RPCHandler = s1
+		c.ACLEnabled = true
 	})
 	defer c1.Shutdown()
 
@@ -60,12 +61,13 @@ func TestClient_ACL_resolveTokenValue(t *testing.T) {
 }
 
 func TestClient_ACL_resolvePolicies(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, root := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)
 
 	c1 := testClient(t, func(c *config.Config) {
 		c.RPCHandler = s1
+		c.ACLEnabled = true
 	})
 	defer c1.Shutdown()
 
@@ -83,12 +85,12 @@ func TestClient_ACL_resolvePolicies(t *testing.T) {
 	assert.Nil(t, err)
 
 	// Test the client resolution
-	out, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
+	out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
 	assert.Nil(t, err)
 	assert.Equal(t, 2, len(out))
 
 	// Test caching
-	out2, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
+	out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
 	assert.Nil(t, err)
 	assert.Equal(t, 2, len(out2))
 
@@ -115,7 +117,7 @@ func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
 }
 
 func TestClient_ACL_ResolveToken(t *testing.T) {
-	s1, _ := testServer(t, nil)
+	s1, _, _ := testACLServer(t, nil)
 	defer s1.Shutdown()
 	testutil.WaitForLeader(t, s1.RPC)
 
diff --git a/client/client_test.go b/client/client_test.go
index 30baff15b..0e77e6cb8 100644
--- a/client/client_test.go
+++ b/client/client_test.go
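Review bot: The new `secretID` argument is exercised only with `root.SecretID`, the bootstrapped management token, in `TestClient_ACL_resolvePolicies` (third hunk), so the situation the commit title describes — a non-management token having its own policies fetched under its own secret — has no test, and neither does the rejection case where the forwarded secret is not accepted by the server. I would add a case that resolves the policies of a token carrying `policy.Name` and `policy2.Name` using that token's own `SecretID`, and one that passes an unknown secret and asserts a non-nil `err`. The first and fourth hunks discard the returned token with `s1, _, _ :=`, which is fine for those tests but means only the `resolvePolicies` test touches the new authorization behaviour at all.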
@@ -30,6 +30,21 @@ func getPort() int {
 	return 1030 + int(rand.Int31n(6440))
 }
 
+func testACLServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string, *structs.ACLToken) {
+	server, addr := testServer(t, func(c *nomad.Config) {
+		c.ACLEnabled = true
+		if cb != nil {
+			cb(c)
+		}
+	})
+	token := mock.ACLManagementToken()
+	err := server.State().BootstrapACLTokens(1, token)
+	if err != nil {
+		t.Fatalf("failed to bootstrap ACL token: %v", err)
+	}
+	return server, addr, token
+}
+
 func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
 	// Setup the default settings
 	config := nomad.DefaultConfig()
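Review bot: `testACLServer` has no doc comment, and the literal `1` passed to `BootstrapACLTokens` is unexplained, so a reader cannot tell what index it stands for or why it is safe to hard-code in a fresh test server. I would add `// testACLServer starts a test server with ACLs enabled and bootstraps a management token, returning the server, its address and that token.` above the function, plus a one-line comment on the `1`. The error check can also take the Go idiom `if err := server.State().BootstrapACLTokens(1, token); err != nil {` so `err` does not outlive the check.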