open-nomad/nomad/acl_test.go
Tim Gross cf9e5f3327
acl: Fix panic when bogus token is passed (#15863)
If a consumer of the new `Authenticate` method gets passed a bogus token that's
a correctly-shaped UUID, it will correctly get an identity without a ACL
token. But most consumers will then panic when they consume this nil `ACLToken`
for authorization.

Because no API client should ever send a bogus auth token, update the
`Authenticate` method to create the identity with remote IP (for metrics
tracking) but also return an `ErrPermissionDenied`.
2023-01-25 10:03:17 -05:00

785 lines
23 KiB
Go

package nomad
import (
"fmt"
"path"
"testing"
"time"
msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc"
"github.com/hashicorp/nomad/acl"
"github.com/hashicorp/nomad/ci"
"github.com/hashicorp/nomad/helper/pointer"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/mock"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config"
"github.com/hashicorp/nomad/testutil"
"github.com/shoenig/test"
"github.com/shoenig/test/must"
"github.com/stretchr/testify/require"
)
func TestAuthenticate_mTLS(t *testing.T) {
ci.Parallel(t)
// Set up a cluster with mTLS and ACLs
dir := t.TempDir()
tlsCfg := &config.TLSConfig{
EnableHTTP: true,
EnableRPC: true,
VerifyServerHostname: true,
CAFile: "../helper/tlsutil/testdata/ca.pem",
CertFile: "../helper/tlsutil/testdata/nomad-foo.pem",
KeyFile: "../helper/tlsutil/testdata/nomad-foo-key.pem",
}
clientTLSCfg := tlsCfg.Copy()
clientTLSCfg.CertFile = "../helper/tlsutil/testdata/nomad-foo-client.pem"
clientTLSCfg.KeyFile = "../helper/tlsutil/testdata/nomad-foo-client-key.pem"
setCfg := func(name string, bootstrapExpect int) func(*Config) {
return func(c *Config) {
c.Region = "regionFoo"
c.AuthoritativeRegion = "regionFoo"
c.ACLEnabled = true
c.BootstrapExpect = bootstrapExpect
c.NumSchedulers = 0
c.DevMode = false
c.DataDir = path.Join(dir, name)
c.TLSConfig = tlsCfg
}
}
leader, cleanupLeader := TestServer(t, setCfg("node1", 1))
defer cleanupLeader()
testutil.WaitForLeader(t, leader.RPC)
follower, cleanupFollower := TestServer(t, setCfg("node2", 0))
defer cleanupFollower()
TestJoin(t, leader, follower)
testutil.WaitForLeader(t, leader.RPC)
testutil.Wait(t, func() (bool, error) {
keyset, err := follower.encrypter.activeKeySet()
return keyset != nil, err
})
rootToken := uuid.Generate()
var bootstrapResp *structs.ACLTokenUpsertResponse
codec := rpcClientWithTLS(t, follower, tlsCfg)
must.NoError(t, msgpackrpc.CallWithCodec(codec,
"ACL.Bootstrap", &structs.ACLTokenBootstrapRequest{
BootstrapSecret: rootToken,
WriteRequest: structs.WriteRequest{Region: "regionFoo"},
}, &bootstrapResp))
must.NotNil(t, bootstrapResp)
must.Len(t, 1, bootstrapResp.Tokens)
rootAccessor := bootstrapResp.Tokens[0].AccessorID
// create some ACL tokens directly into raft so we can bypass RPC validation
// around expiration times
token1 := mock.ACLToken()
token2 := mock.ACLToken()
expireTime := time.Now().Add(time.Second * -10)
token2.ExpirationTime = &expireTime
_, _, err := leader.raftApply(structs.ACLTokenUpsertRequestType,
&structs.ACLTokenUpsertRequest{Tokens: []*structs.ACLToken{token1, token2}})
must.NoError(t, err)
// create a node so we can test client RPCs
node := mock.Node()
nodeRegisterReq := &structs.NodeRegisterRequest{
Node: node,
WriteRequest: structs.WriteRequest{Region: "regionFoo"},
}
var nodeRegisterResp structs.NodeUpdateResponse
must.NoError(t, msgpackrpc.CallWithCodec(codec,
"Node.Register", nodeRegisterReq, &nodeRegisterResp))
must.NotNil(t, bootstrapResp)
// create some allocations so we can test WorkloadIdentity claims. we'll
// create directly into raft so we can bypass RPC validation and the whole
// eval, plan, etc. workflow.
job := mock.Job()
_, _, err = leader.raftApply(structs.JobRegisterRequestType,
&structs.JobRegisterRequest{Job: job})
must.NoError(t, err)
alloc1 := mock.Alloc()
alloc1.NodeID = node.ID
alloc1.ClientStatus = structs.AllocClientStatusFailed
alloc1.Job = job
alloc1.JobID = job.ID
alloc2 := mock.Alloc()
alloc2.NodeID = node.ID
alloc2.Job = job
alloc2.JobID = job.ID
alloc2.ClientStatus = structs.AllocClientStatusRunning
claims1 := alloc1.ToTaskIdentityClaims(nil, "web")
claims1Token, _, err := leader.encrypter.SignClaims(claims1)
must.NoError(t, err, must.Sprint("could not sign claims"))
claims2 := alloc2.ToTaskIdentityClaims(nil, "web")
claims2Token, _, err := leader.encrypter.SignClaims(claims2)
must.NoError(t, err, must.Sprint("could not sign claims"))
planReq := &structs.ApplyPlanResultsRequest{
AllocUpdateRequest: structs.AllocUpdateRequest{
Alloc: []*structs.Allocation{alloc1, alloc2},
Job: job,
},
}
_, _, err = leader.raftApply(structs.ApplyPlanResultsRequestType, planReq)
must.NoError(t, err)
testutil.WaitForResult(func() (bool, error) {
store := follower.fsm.State()
alloc, err := store.AllocByID(nil, alloc1.ID)
return alloc != nil, err
}, func(err error) {
t.Fatalf("alloc was not replicated via raft: %v", err) // should never happen
})
testCases := []struct {
name string
tlsCfg *config.TLSConfig
stale bool
testToken string
expectAccessor string
expectClientID string
expectAllocID string
expectTLSName string
expectIP string
expectErr string
expectIDKey string
sendFromPeer *Server
}{
{
name: "root token",
tlsCfg: clientTLSCfg, // TODO: this is a mixed use cert
testToken: rootToken,
expectAccessor: rootAccessor,
expectIDKey: fmt.Sprintf("token:%s", rootAccessor),
},
{
name: "from peer to leader without token", // ex. Eval.Dequeue
tlsCfg: tlsCfg,
expectTLSName: "regionFoo.nomad",
expectAccessor: "anonymous",
expectIP: follower.GetConfig().RPCAddr.IP.String(),
sendFromPeer: follower,
expectIDKey: "token:anonymous",
},
{
// note: this test is somewhat bogus because under test all the
// servers share the same IP address with the RPC client
name: "anonymous forwarded from peer to leader",
tlsCfg: tlsCfg,
expectAccessor: "anonymous",
expectTLSName: "regionFoo.nomad",
expectIP: "127.0.0.1",
expectIDKey: "token:anonymous",
},
{
name: "invalid token",
tlsCfg: clientTLSCfg,
testToken: uuid.Generate(),
expectTLSName: "regionFoo.nomad",
expectIP: follower.GetConfig().RPCAddr.IP.String(),
expectIDKey: "regionFoo.nomad:127.0.0.1",
expectErr: "rpc error: Permission denied",
},
{
name: "from peer to leader with leader ACL", // ex. core job GC
tlsCfg: tlsCfg,
testToken: leader.getLeaderAcl(),
expectTLSName: "regionFoo.nomad",
expectAccessor: "leader",
expectIP: follower.GetConfig().RPCAddr.IP.String(),
sendFromPeer: follower,
expectIDKey: "token:leader",
},
{
name: "from client", // ex. Node.GetAllocs
tlsCfg: clientTLSCfg,
testToken: node.SecretID,
expectClientID: node.ID,
expectIDKey: fmt.Sprintf("client:%s", node.ID),
},
{
name: "from failed workload", // ex. Variables.List
tlsCfg: clientTLSCfg,
testToken: claims1Token,
expectErr: "rpc error: allocation is terminal",
},
{
name: "from running workload", // ex. Variables.List
tlsCfg: clientTLSCfg,
testToken: claims2Token,
expectAllocID: alloc2.ID,
expectIDKey: fmt.Sprintf("alloc:%s", alloc2.ID),
},
{
name: "valid user token",
tlsCfg: clientTLSCfg,
testToken: token1.SecretID,
expectAccessor: token1.AccessorID,
expectIDKey: fmt.Sprintf("token:%s", token1.AccessorID),
},
{
name: "expired user token",
tlsCfg: clientTLSCfg,
testToken: token2.SecretID,
expectErr: "rpc error: ACL token expired",
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
req := &structs.GenericRequest{
QueryOptions: structs.QueryOptions{
Region: "regionFoo",
AllowStale: tc.stale,
AuthToken: tc.testToken,
},
}
var resp structs.ACLWhoAmIResponse
var err error
if tc.sendFromPeer != nil {
aclEndpoint := NewACLEndpoint(tc.sendFromPeer, nil)
err = aclEndpoint.WhoAmI(req, &resp)
} else {
err = msgpackrpc.CallWithCodec(codec, "ACL.WhoAmI", req, &resp)
}
if tc.expectErr != "" {
must.EqError(t, err, tc.expectErr)
return
}
must.NoError(t, err)
must.NotNil(t, resp)
must.NotNil(t, resp.Identity)
if tc.expectIDKey != "" {
must.Eq(t, tc.expectIDKey, resp.Identity.String(),
must.Sprintf("expected identity key for metrics to match"))
}
if tc.expectAccessor != "" {
must.NotNil(t, resp.Identity.ACLToken, must.Sprint("expected ACL token"))
test.Eq(t, tc.expectAccessor, resp.Identity.ACLToken.AccessorID,
test.Sprint("expected ACL token accessor ID"))
}
test.Eq(t, tc.expectClientID, resp.Identity.ClientID,
test.Sprint("expected client ID"))
if tc.expectAllocID != "" {
must.NotNil(t, resp.Identity.Claims, must.Sprint("expected claims"))
test.Eq(t, tc.expectAllocID, resp.Identity.Claims.AllocationID,
test.Sprint("expected workload identity"))
}
test.Eq(t, tc.expectTLSName, resp.Identity.TLSName, test.Sprint("expected TLS name"))
if tc.expectIP == "" {
test.Nil(t, resp.Identity.RemoteIP, test.Sprint("expected no remote IP"))
} else {
test.Eq(t, tc.expectIP, resp.Identity.RemoteIP.String())
}
})
}
}
func TestResolveACLToken(t *testing.T) {
ci.Parallel(t)
testCases := []struct {
name string
testFn func()
}{
{
name: "leader token",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Check the leader ACL token is correctly set.
leaderACL := testServer.getLeaderAcl()
require.NotEmpty(t, leaderACL)
// Resolve the token and ensure it's a management token.
aclResp, err := testServer.ResolveToken(leaderACL)
require.NoError(t, err)
require.NotNil(t, aclResp)
require.True(t, aclResp.IsManagement())
},
},
{
name: "anonymous token",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Call the function with an empty input secret ID which is
// classed as representing anonymous access in clusters with
// ACLs enabled.
aclResp, err := testServer.ResolveToken("")
require.NoError(t, err)
require.NotNil(t, aclResp)
require.False(t, aclResp.IsManagement())
},
},
{
name: "token not found",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Call the function with randomly generated secret ID which
// does not exist within state.
aclResp, err := testServer.ResolveToken(uuid.Generate())
require.Equal(t, structs.ErrTokenNotFound, err)
require.Nil(t, aclResp)
},
},
{
name: "token expired",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Create a mock token with an expiration time long in the
// past, and upsert.
token := mock.ACLToken()
token.ExpirationTime = pointer.Of(time.Date(
1970, time.January, 1, 0, 0, 0, 0, time.UTC))
err := testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 10, []*structs.ACLToken{token})
require.NoError(t, err)
// Perform the function call which should result in finding the
// token has expired.
aclResp, err := testServer.ResolveToken(uuid.Generate())
require.Equal(t, structs.ErrTokenNotFound, err)
require.Nil(t, aclResp)
},
},
{
name: "management token",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Generate a management token and upsert this.
managementToken := mock.ACLToken()
managementToken.Type = structs.ACLManagementToken
managementToken.Policies = nil
err := testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 10, []*structs.ACLToken{managementToken})
require.NoError(t, err)
// Resolve the token and check that we received a management
// ACL.
aclResp, err := testServer.ResolveToken(managementToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp)
require.True(t, aclResp.IsManagement())
require.Equal(t, acl.ManagementACL, aclResp)
},
},
{
name: "client token with policies only",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Generate a client token with associated policies and upsert
// these.
policy1 := mock.ACLPolicy()
policy2 := mock.ACLPolicy()
err := testServer.State().UpsertACLPolicies(
structs.MsgTypeTestSetup, 10, []*structs.ACLPolicy{policy1, policy2})
clientToken := mock.ACLToken()
clientToken.Policies = []string{policy1.Name, policy2.Name}
err = testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 20, []*structs.ACLToken{clientToken})
require.NoError(t, err)
// Resolve the token and check that we received a client
// ACL with appropriate permissions.
aclResp, err := testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp)
require.False(t, aclResp.IsManagement())
allowed := aclResp.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs)
require.True(t, allowed)
allowed = aclResp.AllowNamespaceOperation("other", acl.NamespaceCapabilityListJobs)
require.False(t, allowed)
// Resolve the same token again and ensure we get the same
// result.
aclResp2, err := testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp2)
require.Equal(t, aclResp, aclResp2)
// Bust the cache by upserting the policy
err = testServer.State().UpsertACLPolicies(
structs.MsgTypeTestSetup, 30, []*structs.ACLPolicy{policy1})
require.Nil(t, err)
// Resolve the same token again, should get different value
aclResp3, err := testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp3)
require.NotEqual(t, aclResp2, aclResp3)
},
},
{
name: "client token with roles only",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Create a client token that only has a link to a role.
policy1 := mock.ACLPolicy()
policy2 := mock.ACLPolicy()
err := testServer.State().UpsertACLPolicies(
structs.MsgTypeTestSetup, 10, []*structs.ACLPolicy{policy1, policy2})
aclRole := mock.ACLRole()
aclRole.Policies = []*structs.ACLRolePolicyLink{
{Name: policy1.Name},
{Name: policy2.Name},
}
err = testServer.State().UpsertACLRoles(
structs.MsgTypeTestSetup, 30, []*structs.ACLRole{aclRole}, false)
require.NoError(t, err)
clientToken := mock.ACLToken()
clientToken.Policies = []string{}
clientToken.Roles = []*structs.ACLTokenRoleLink{{ID: aclRole.ID}}
err = testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 30, []*structs.ACLToken{clientToken})
require.NoError(t, err)
// Resolve the token and check that we received a client
// ACL with appropriate permissions.
aclResp, err := testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp)
require.False(t, aclResp.IsManagement())
allowed := aclResp.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs)
require.True(t, allowed)
allowed = aclResp.AllowNamespaceOperation("other", acl.NamespaceCapabilityListJobs)
require.False(t, allowed)
// Remove the policies from the ACL role and ensure the resolution
// permissions are updated.
aclRole.Policies = []*structs.ACLRolePolicyLink{}
err = testServer.State().UpsertACLRoles(
structs.MsgTypeTestSetup, 40, []*structs.ACLRole{aclRole}, false)
require.NoError(t, err)
aclResp, err = testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp)
require.False(t, aclResp.IsManagement())
require.False(t, aclResp.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs))
},
},
{
name: "client with roles and policies",
testFn: func() {
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
// Generate two policies, each with a different namespace
// permission set.
policy1 := &structs.ACLPolicy{
Name: "policy-" + uuid.Generate(),
Rules: `namespace "platform" { policy = "write"}`,
CreateIndex: 10,
ModifyIndex: 10,
}
policy1.SetHash()
policy2 := &structs.ACLPolicy{
Name: "policy-" + uuid.Generate(),
Rules: `namespace "web" { policy = "write"}`,
CreateIndex: 10,
ModifyIndex: 10,
}
policy2.SetHash()
err := testServer.State().UpsertACLPolicies(
structs.MsgTypeTestSetup, 10, []*structs.ACLPolicy{policy1, policy2})
require.NoError(t, err)
// Create a role which references the policy that has access to
// the web namespace.
aclRole := mock.ACLRole()
aclRole.Policies = []*structs.ACLRolePolicyLink{{Name: policy2.Name}}
err = testServer.State().UpsertACLRoles(
structs.MsgTypeTestSetup, 20, []*structs.ACLRole{aclRole}, false)
require.NoError(t, err)
// Create a token which references the policy and role.
clientToken := mock.ACLToken()
clientToken.Policies = []string{policy1.Name}
clientToken.Roles = []*structs.ACLTokenRoleLink{{ID: aclRole.ID}}
err = testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 30, []*structs.ACLToken{clientToken})
require.NoError(t, err)
// Resolve the token and check that we received a client
// ACL with appropriate permissions.
aclResp, err := testServer.ResolveToken(clientToken.SecretID)
require.Nil(t, err)
require.NotNil(t, aclResp)
require.False(t, aclResp.IsManagement())
allowed := aclResp.AllowNamespaceOperation("platform", acl.NamespaceCapabilityListJobs)
require.True(t, allowed)
allowed = aclResp.AllowNamespaceOperation("web", acl.NamespaceCapabilityListJobs)
require.True(t, allowed)
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
tc.testFn()
})
}
}
func TestResolveSecretToken(t *testing.T) {
ci.Parallel(t)
testServer, _, testServerCleanup := TestACLServer(t, nil)
defer testServerCleanup()
testutil.WaitForLeader(t, testServer.RPC)
testCases := []struct {
name string
testFn func(testServer *Server)
}{
{
name: "valid token",
testFn: func(testServer *Server) {
// Generate and upsert a token.
token := mock.ACLToken()
err := testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 10, []*structs.ACLToken{token})
require.NoError(t, err)
// Attempt to look up the token and perform checks.
tokenResp, err := testServer.ResolveSecretToken(token.SecretID)
require.NoError(t, err)
require.NotNil(t, tokenResp)
require.Equal(t, token, tokenResp)
},
},
{
name: "anonymous token",
testFn: func(testServer *Server) {
// Call the function with an empty input secret ID which is
// classed as representing anonymous access in clusters with
// ACLs enabled.
tokenResp, err := testServer.ResolveSecretToken("")
require.NoError(t, err)
require.NotNil(t, tokenResp)
require.Equal(t, structs.AnonymousACLToken, tokenResp)
},
},
{
name: "token not found",
testFn: func(testServer *Server) {
// Call the function with randomly generated secret ID which
// does not exist within state.
tokenResp, err := testServer.ResolveSecretToken(uuid.Generate())
require.Equal(t, structs.ErrTokenNotFound, err)
require.Nil(t, tokenResp)
},
},
{
name: "token expired",
testFn: func(testServer *Server) {
// Create a mock token with an expiration time long in the
// past, and upsert.
token := mock.ACLToken()
token.ExpirationTime = pointer.Of(time.Date(
1970, time.January, 1, 0, 0, 0, 0, time.UTC))
err := testServer.State().UpsertACLTokens(
structs.MsgTypeTestSetup, 10, []*structs.ACLToken{token})
require.NoError(t, err)
// Perform the function call which should result in finding the
// token has expired.
tokenResp, err := testServer.ResolveSecretToken(uuid.Generate())
require.Equal(t, structs.ErrTokenNotFound, err)
require.Nil(t, tokenResp)
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
tc.testFn(testServer)
})
}
}
func TestResolveClaims(t *testing.T) {
ci.Parallel(t)
srv, _, cleanup := TestACLServer(t, nil)
defer cleanup()
store := srv.fsm.State()
index := uint64(100)
alloc := mock.Alloc()
claims := &structs.IdentityClaims{
Namespace: alloc.Namespace,
JobID: alloc.Job.ID,
AllocationID: alloc.ID,
TaskName: alloc.Job.TaskGroups[0].Tasks[0].Name,
}
// unrelated policy
policy0 := mock.ACLPolicy()
// policy for job
policy1 := mock.ACLPolicy()
policy1.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: claims.JobID,
}
// policy for job and group
policy2 := mock.ACLPolicy()
policy2.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: claims.JobID,
Group: alloc.Job.TaskGroups[0].Name,
}
// policy for job and group and task
policy3 := mock.ACLPolicy()
policy3.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: claims.JobID,
Group: alloc.Job.TaskGroups[0].Name,
Task: claims.TaskName,
}
// policy for job and group but different task
policy4 := mock.ACLPolicy()
policy4.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: claims.JobID,
Group: alloc.Job.TaskGroups[0].Name,
Task: "another",
}
// policy for job but different group
policy5 := mock.ACLPolicy()
policy5.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: claims.JobID,
Group: "another",
}
// policy for same namespace but different job
policy6 := mock.ACLPolicy()
policy6.JobACL = &structs.JobACL{
Namespace: claims.Namespace,
JobID: "another",
}
// policy for same job in different namespace
policy7 := mock.ACLPolicy()
policy7.JobACL = &structs.JobACL{
Namespace: "another",
JobID: claims.JobID,
}
index++
err := store.UpsertACLPolicies(structs.MsgTypeTestSetup, index, []*structs.ACLPolicy{
policy0, policy1, policy2, policy3, policy4, policy5, policy6, policy7})
must.NoError(t, err)
aclObj, err := srv.ResolveClaims(claims)
must.Nil(t, aclObj)
must.EqError(t, err, "allocation does not exist")
// upsert the allocation
index++
err = store.UpsertAllocs(structs.MsgTypeTestSetup, index, []*structs.Allocation{alloc})
must.NoError(t, err)
aclObj, err = srv.ResolveClaims(claims)
must.NoError(t, err)
must.NotNil(t, aclObj)
// Check that the ACL object looks reasonable
must.False(t, aclObj.IsManagement())
must.True(t, aclObj.AllowNamespaceOperation("default", acl.NamespaceCapabilityListJobs))
must.False(t, aclObj.AllowNamespaceOperation("other", acl.NamespaceCapabilityListJobs))
// Resolve the same claim again, should get cache value
aclObj2, err := srv.ResolveClaims(claims)
must.NoError(t, err)
must.NotNil(t, aclObj)
must.Eq(t, aclObj, aclObj2, must.Sprintf("expected cached value"))
policies, err := srv.resolvePoliciesForClaims(claims)
must.NoError(t, err)
must.Len(t, 3, policies)
must.SliceContainsAll(t, policies, []*structs.ACLPolicy{policy1, policy2, policy3})
}