client: fixing policy resolution after ACL endpoint enforcement

This commit is contained in:
Armon Dadgar 2017-08-21 17:31:32 -07:00
parent 18ddb910fa
commit f31cd6a618
3 changed files with 29 additions and 9 deletions

View File

@ -91,7 +91,7 @@ func (c *Client) ResolveToken(secretID string) (*acl.ACL, error) {
}
// Resolve the policies
policies, err := c.resolvePolicies(token.Policies)
policies, err := c.resolvePolicies(token.SecretID, token.Policies)
if err != nil {
return nil, err
}
@ -150,7 +150,7 @@ func (c *Client) resolveTokenValue(secretID string) (*structs.ACLToken, error) {
// We cache the policies locally, and fault them from a server as necessary. Policies
// are cached for a TTL, and then refreshed. If a server cannot be reached, the cache TTL
// will be ignored to gracefully handle outages.
func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error) {
func (c *Client) resolvePolicies(secretID string, policies []string) ([]*structs.ACLPolicy, error) {
var out []*structs.ACLPolicy
var expired []*structs.ACLPolicy
var missing []string
@ -185,7 +185,10 @@ func (c *Client) resolvePolicies(policies []string) ([]*structs.ACLPolicy, error
}
req := structs.ACLPolicySetRequest{
Names: fetch,
QueryOptions: structs.QueryOptions{Region: c.Region()},
QueryOptions: structs.QueryOptions{
Region: c.Region(),
SecretID: secretID,
},
}
var resp structs.ACLPolicySetResponse
if err := c.RPC("ACL.GetPolicies", &req, &resp); err != nil {

View File

@ -12,12 +12,13 @@ import (
)
func TestClient_ACL_resolveTokenValue(t *testing.T) {
s1, _ := testServer(t, nil)
s1, _, _ := testACLServer(t, nil)
defer s1.Shutdown()
testutil.WaitForLeader(t, s1.RPC)
c1 := testClient(t, func(c *config.Config) {
c.RPCHandler = s1
c.ACLEnabled = true
})
defer c1.Shutdown()
@ -60,12 +61,13 @@ func TestClient_ACL_resolveTokenValue(t *testing.T) {
}
func TestClient_ACL_resolvePolicies(t *testing.T) {
s1, _ := testServer(t, nil)
s1, _, root := testACLServer(t, nil)
defer s1.Shutdown()
testutil.WaitForLeader(t, s1.RPC)
c1 := testClient(t, func(c *config.Config) {
c.RPCHandler = s1
c.ACLEnabled = true
})
defer c1.Shutdown()
@ -83,12 +85,12 @@ func TestClient_ACL_resolvePolicies(t *testing.T) {
assert.Nil(t, err)
// Test the client resolution
out, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
out, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
assert.Nil(t, err)
assert.Equal(t, 2, len(out))
// Test caching
out2, err := c1.resolvePolicies([]string{policy.Name, policy2.Name})
out2, err := c1.resolvePolicies(root.SecretID, []string{policy.Name, policy2.Name})
assert.Nil(t, err)
assert.Equal(t, 2, len(out2))
@ -115,7 +117,7 @@ func TestClient_ACL_ResolveToken_Disabled(t *testing.T) {
}
func TestClient_ACL_ResolveToken(t *testing.T) {
s1, _ := testServer(t, nil)
s1, _, _ := testACLServer(t, nil)
defer s1.Shutdown()
testutil.WaitForLeader(t, s1.RPC)

View File

@ -30,6 +30,21 @@ func getPort() int {
return 1030 + int(rand.Int31n(6440))
}
func testACLServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string, *structs.ACLToken) {
server, addr := testServer(t, func(c *nomad.Config) {
c.ACLEnabled = true
if cb != nil {
cb(c)
}
})
token := mock.ACLManagementToken()
err := server.State().BootstrapACLTokens(1, token)
if err != nil {
t.Fatalf("failed to bootstrap ACL token: %v", err)
}
return server, addr, token
}
func testServer(t *testing.T, cb func(*nomad.Config)) (*nomad.Server, string) {
// Setup the default settings
config := nomad.DefaultConfig()