client: fixing policy resolution after ACL endpoint enforcement
This commit is contained in:
parent
18ddb910fa
commit
f31cd6a618
|
@ -91,7 +91,7 @@ func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Resolve the policies
|
// Resolve the policies
|
||||||
policies, err := c.resolvePolicies(token.Policies)
|
policies, err := c.resolvePolicies(token.SecretID, token.Policies)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -150,7 +150,7 @@ func (c *Client) resolveTokenValue(secretID string) (*structs.ACLToken, error) {
|
||||||
// We cache the policies locally, and fault them from a server as necessary. Policies
|
// We cache the policies locally, and fault them from a server as necessary. Policies
|
||||||
// are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
|
// are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
|
||||||
// will be ignored to gracefully handle outages.
|
// will be ignored to gracefully handle outages.
|
||||||
func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error) {
|
func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs.ACLPolicy, error) {
|
||||||
var out []*structs.ACLPolicy
|
var out []*structs.ACLPolicy
|
||||||
var expired []*structs.ACLPolicy
|
var expired []*structs.ACLPolicy
|
||||||
var missing []string
|
var missing []string
|
||||||
|
@ -185,7 +185,10 @@ func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error
|
||||||
}
|
}
|
||||||
req := structs.ACLPolicySetRequest{
|
req := structs.ACLPolicySetRequest{
|
||||||
Names: fetch,
|
Names: fetch,
|
||||||
QueryOptions: structs.QueryOptions{Region: c.Region()},
|
QueryOptions: structs.QueryOptions{
|
||||||
|
Region: c.Region(),
|
||||||
|
SecretID: secretID,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
var resp structs.ACLPolicySetResponse
|
var resp structs.ACLPolicySetResponse
|
||||||
if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {
|
if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {
|
||||||
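Review bot: The request at `QueryOptions` now carries the caller's secret, so `ACL.GetPolicies` can fail with an authorization error as well as a transport error, and the error branch at `if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {` (its body lies outside the hunk) needs to tell the two apart. The doc comment above `resolvePolicies` says the cache TTL is ignored when a server cannot be reached; if that fallback presumably fires on every error, a token that the server denies, or that was revoked since the policies were cached, would keep being served its stale policies. Consider failing closed on an ACL denial and only using expired entries for connectivity failures, e.g. `// NOTE: only fall back to expired cache entries on RPC transport failures, never on an ACL denial`. The same doc comment should also describe the new parameter: `// The lookup is made with secretID so the server can enforce that the caller may read these policies.`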
|
|
|
@ -12,12 +12,13 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestClient_ACL_resolveTokenValue(t *testing.T) {
|
func TestClient_ACL_resolveTokenValue(t *testing.T) {
|
||||||
s1, _ := testServer(t, nil)
|
s1, _, _ := testACLServer(t, nil)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
testutil.WaitForLeader(t, s1.RPC)
|
testutil.WaitForLeader(t, s1.RPC)
|
||||||
|
|
||||||
c1 := testClient(t, func(c *config.Config) {
|
c1 := testClient(t, func(c *config.Config) {
|
||||||
c.RPCHandler = s1
|
c.RPCHandler = s1
|
||||||
|
c.ACLEnabled = true
|
||||||
})
|
})
|
||||||
defer c1.Shutdown()
|
defer c1.Shutdown()
|
||||||
|
|
||||||
|
@ -60,12 +61,13 @@ func TestClient_ACL_resolveTokenValue(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestClient_ACL_resolvePolicies(t *testing.T) {
|
func TestClient_ACL_resolvePolicies(t *testing.T) {
|
||||||
s1, _ := testServer(t, nil)
|
s1, _, root := testACLServer(t, nil)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
testutil.WaitForLeader(t, s1.RPC)
|
testutil.WaitForLeader(t, s1.RPC)
|
||||||
|
|
||||||
c1 := testClient(t, func(c *config.Config) {
|
c1 := testClient(t, func(c *config.Config) {
|
||||||
c.RPCHandler = s1
|
c.RPCHandler = s1
|
||||||
|
c.ACLEnabled = true
|
||||||
})
|
})
|
||||||
defer c1.Shutdown()
|
defer c1.Shutdown()
|
||||||
|
|
||||||
|
@ -83,12 +85,12 @@ func TestClient_ACL_resolvePolicies(t *testing.T) {
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
|
|
||||||
// Test the client resolution
|
// Test the client resolution
|
||||||
out, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
|
out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
assert.Equal(t, 2, len(out))
|
assert.Equal(t, 2, len(out))
|
||||||
|
|
||||||
// Test caching
|
// Test caching
|
||||||
out2, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
|
out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
assert.Equal(t, 2, len(out2))
|
assert.Equal(t, 2, len(out2))
|
||||||
|
|
||||||
|
@ -115,7 +117,7 @@ func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestClient_ACL_ResolveToken(t *testing.T) {
|
func TestClient_ACL_ResolveToken(t *testing.T) {
|
||||||
s1, _ := testServer(t, nil)
|
s1, _, _ := testACLServer(t, nil)
|
||||||
defer s1.Shutdown()
|
defer s1.Shutdown()
|
||||||
testutil.WaitForLeader(t, s1.RPC)
|
testutil.WaitForLeader(t, s1.RPC)
|
||||||
|
|
||||||
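Review bot: `TestClient_ACL_resolvePolicies` only exercises the privileged path: both calls at `c1.resolvePolicies(root.SecretID, ...)` use the bootstrapped management token, so nothing checks that the new secretID argument actually gates the lookup. Add a case that creates a non-management token holding only `policy.Name` and asserts that `resolvePolicies(tok.SecretID, []string{policy.Name, policy2.Name})` returns an error; run it after the root call so it also shows whether the policy already cached by root is handed to the restricted token without a server check. Whether `ACL.GetPolicies` rejects a token for policies outside its own set is server behaviour not visible here, so confirm it before pinning the assertion. The test bodies between the hunks are outside this view.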
|
|
|
@ -30,6 +30,21 @@ func getPort() int {
|
||||||
return 1030 + int(rand.Int31n(6440))
|
return 1030 + int(rand.Int31n(6440))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testACLServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string, *structs.ACLToken) {
|
||||||
|
server, addr := testServer(t, func(c *nomad.Config) {
|
||||||
|
c.ACLEnabled = true
|
||||||
|
if cb != nil {
|
||||||
|
cb(c)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
token := mock.ACLManagementToken()
|
||||||
|
err := server.State().BootstrapACLTokens(1, token)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to bootstrap ACL token: %v", err)
|
||||||
|
}
|
||||||
|
return server, addr, token
|
||||||
|
}
|
||||||
|
|
||||||
func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
|
func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
|
||||||
// Setup the default settings
|
// Setup the default settings
|
||||||
config := nomad.DefaultConfig()
|
config := nomad.DefaultConfig()
|
||||||
|
|
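Review bot: `testACLServer` has no doc comment even though its three return values (server, RPC address, bootstrapped token) are only clear from reading the body; add `// testACLServer starts a test server with ACLs enabled and bootstraps the ACL system with a management token, returning the server, its address and that token for privileged requests.` The returned token is a management token, so tests that want least-privilege behaviour must mint their own restricted tokens. Since `cb` runs after `ACLEnabled` is set, a caller can override it; a short note saying so would help.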