1aceff7806
Most job subcommands allow for job ID prefix match as a convenience functionality so users don't have to type the full job ID. But this introduces a hard ACL requirement that the token used to run these commands have the `list-jobs` permission, even if the token has enough permission to execute the basic command action and the user passed an exact job ID. This change softens this requirement by not failing the prefix match in case the request results in a permission denied error and instead using the information passed by the user directly.
202 lines
4.8 KiB
Go
202 lines
4.8 KiB
Go
package command
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/nomad/api"
|
|
"github.com/hashicorp/nomad/ci"
|
|
"github.com/hashicorp/nomad/command/agent"
|
|
"github.com/hashicorp/nomad/nomad/mock"
|
|
structs "github.com/hashicorp/nomad/nomad/structs"
|
|
"github.com/mitchellh/cli"
|
|
"github.com/posener/complete"
|
|
"github.com/shoenig/test/must"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestJobRevertCommand_Implements(t *testing.T) {
|
|
ci.Parallel(t)
|
|
var _ cli.Command = &JobDispatchCommand{}
|
|
}
|
|
|
|
func TestJobRevertCommand_Fails(t *testing.T) {
|
|
ci.Parallel(t)
|
|
ui := cli.NewMockUi()
|
|
cmd := &JobRevertCommand{Meta: Meta{Ui: ui}}
|
|
|
|
// Fails on misuse
|
|
if code := cmd.Run([]string{"some", "bad", "args"}); code != 1 {
|
|
t.Fatalf("expected exit code 1, got: %d", code)
|
|
}
|
|
if out := ui.ErrorWriter.String(); !strings.Contains(out, commandErrorText(cmd)) {
|
|
t.Fatalf("expected help output, got: %s", out)
|
|
}
|
|
ui.ErrorWriter.Reset()
|
|
|
|
if code := cmd.Run([]string{"-address=nope", "foo", "1"}); code != 1 {
|
|
t.Fatalf("expected exit code 1, got: %d", code)
|
|
}
|
|
if out := ui.ErrorWriter.String(); !strings.Contains(out, "Error querying job prefix") {
|
|
t.Fatalf("expected failed query error, got: %s", out)
|
|
}
|
|
ui.ErrorWriter.Reset()
|
|
}
|
|
|
|
func TestJobRevertCommand_AutocompleteArgs(t *testing.T) {
|
|
ci.Parallel(t)
|
|
assert := assert.New(t)
|
|
|
|
srv, _, url := testServer(t, true, nil)
|
|
defer srv.Shutdown()
|
|
|
|
ui := cli.NewMockUi()
|
|
cmd := &JobRevertCommand{Meta: Meta{Ui: ui, flagAddress: url}}
|
|
|
|
// Create a fake job
|
|
state := srv.Agent.Server().State()
|
|
j := mock.Job()
|
|
assert.Nil(state.UpsertJob(structs.MsgTypeTestSetup, 1000, j))
|
|
|
|
prefix := j.ID[:len(j.ID)-5]
|
|
args := complete.Args{Last: prefix}
|
|
predictor := cmd.AutocompleteArgs()
|
|
|
|
res := predictor.Predict(args)
|
|
assert.Equal(1, len(res))
|
|
assert.Equal(j.ID, res[0])
|
|
}
|
|
|
|
func TestJobRevertCommand_ACL(t *testing.T) {
|
|
ci.Parallel(t)
|
|
|
|
// Start server with ACL enabled.
|
|
srv, client, url := testServer(t, true, func(c *agent.Config) {
|
|
c.ACL.Enabled = true
|
|
})
|
|
defer srv.Shutdown()
|
|
|
|
testCases := []struct {
|
|
name string
|
|
jobPrefix bool
|
|
aclPolicy string
|
|
expectedErr string
|
|
}{
|
|
{
|
|
name: "no token",
|
|
aclPolicy: "",
|
|
expectedErr: api.PermissionDeniedErrorContent,
|
|
},
|
|
{
|
|
name: "missing submit-job",
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["read-job"]
|
|
}
|
|
`,
|
|
expectedErr: api.PermissionDeniedErrorContent,
|
|
},
|
|
{
|
|
name: "submit-job allowed but can't monitor eval without read-job",
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["submit-job"]
|
|
}
|
|
`,
|
|
expectedErr: "No evaluation with id",
|
|
},
|
|
{
|
|
name: "submit-job allowed and can monitor eval with read-job",
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["read-job", "submit-job"]
|
|
}
|
|
`,
|
|
},
|
|
{
|
|
name: "job prefix requires list-job",
|
|
jobPrefix: true,
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["submit-job"]
|
|
}
|
|
`,
|
|
expectedErr: "not found",
|
|
},
|
|
{
|
|
name: "job prefix works with list-job but can't monitor eval without read-job",
|
|
jobPrefix: true,
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["submit-job", "list-jobs"]
|
|
}
|
|
`,
|
|
expectedErr: "No evaluation with id",
|
|
},
|
|
{
|
|
name: "job prefix works with list-job and can monitor eval with read-job",
|
|
jobPrefix: true,
|
|
aclPolicy: `
|
|
namespace "default" {
|
|
capabilities = ["read-job", "submit-job", "list-jobs"]
|
|
}
|
|
`,
|
|
},
|
|
}
|
|
|
|
for i, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
ui := cli.NewMockUi()
|
|
cmd := &JobRevertCommand{Meta: Meta{Ui: ui}}
|
|
args := []string{
|
|
"-address", url,
|
|
}
|
|
|
|
// Create a job.
|
|
job := mock.MinJob()
|
|
state := srv.Agent.Server().State()
|
|
err := state.UpsertJob(structs.MsgTypeTestSetup, uint64(300+i), job)
|
|
must.NoError(t, err)
|
|
defer func() {
|
|
client.Jobs().Deregister(job.ID, true, &api.WriteOptions{
|
|
AuthToken: srv.RootToken.SecretID,
|
|
})
|
|
}()
|
|
|
|
// Modify job to create new version.
|
|
newJob := job.Copy()
|
|
newJob.Meta = map[string]string{
|
|
"test": tc.name,
|
|
}
|
|
newJob.Version = uint64(i)
|
|
err = state.UpsertJob(structs.MsgTypeTestSetup, uint64(301+i), newJob)
|
|
must.NoError(t, err)
|
|
|
|
if tc.aclPolicy != "" {
|
|
// Create ACL token with test case policy and add it to the
|
|
// command.
|
|
policyName := nonAlphaNum.ReplaceAllString(tc.name, "-")
|
|
token := mock.CreatePolicyAndToken(t, state, uint64(302+i), policyName, tc.aclPolicy)
|
|
args = append(args, "-token", token.SecretID)
|
|
}
|
|
|
|
// Add job ID or job ID prefix to the command.
|
|
if tc.jobPrefix {
|
|
args = append(args, job.ID[:3])
|
|
} else {
|
|
args = append(args, job.ID)
|
|
}
|
|
|
|
// Run command reverting job to version 0.
|
|
args = append(args, "0")
|
|
code := cmd.Run(args)
|
|
if tc.expectedErr == "" {
|
|
must.Zero(t, code)
|
|
} else {
|
|
must.One(t, code)
|
|
must.StrContains(t, ui.ErrorWriter.String(), tc.expectedErr)
|
|
}
|
|
})
|
|
}
|
|
}
|