package agent
|
|
|
|
|
|
|
|
import (
|
2014-10-09 22:28:38 +00:00
|
|
|
"fmt"
|
2014-10-04 20:43:10 +00:00
|
|
|
"io/ioutil"
|
2014-09-21 18:21:54 +00:00
|
|
|
"os"
|
2014-10-04 20:43:10 +00:00
|
|
|
"path/filepath"
|
2015-07-07 21:14:06 +00:00
|
|
|
"strings"
|
2014-09-21 18:21:54 +00:00
|
|
|
"testing"
|
2015-07-07 21:14:06 +00:00
|
|
|
|
2017-04-19 23:00:11 +00:00
|
|
|
"github.com/hashicorp/consul/testrpc"
|
2014-09-21 18:21:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
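// TestAgent_LoadKeyrings checks which Serf gossip keyring files an agent picks
// up at startup:
//   - no keyring file is configured and no keyring is loaded by default,
//   - a server loads both the LAN and the WAN keyring,
//   - a client loads only the LAN keyring (it has no WAN pool).
//
// The WAN checks report the WAN field on failure; the original test printed
// the LAN field in the WAN "bad:" message, which hid the actual value.
func TestAgent_LoadKeyrings(t *testing.T) {
	t.Parallel()
	key := "tbLJg26ZJyJ9pK3qhc9jig=="

	// Should be no configured keyring file by default
	conf1 := nextConfig()
	dir1, agent1 := makeAgent(t, conf1)
	defer os.RemoveAll(dir1)
	defer agent1.Shutdown()

	c := agent1.config.ConsulConfig
	if c.SerfLANConfig.KeyringFile != "" {
		t.Fatalf("bad: %#v", c.SerfLANConfig.KeyringFile)
	}
	if c.SerfLANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}
	if c.SerfWANConfig.KeyringFile != "" {
		// Print the WAN path, not the LAN one, so the failure is actionable.
		t.Fatalf("bad: %#v", c.SerfWANConfig.KeyringFile)
	}
	if c.SerfWANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}

	// Server should auto-load LAN and WAN keyring files
	conf2 := nextConfig()
	dir2, agent2 := makeAgentKeyring(t, conf2, key)
	defer os.RemoveAll(dir2)
	defer agent2.Shutdown()

	c = agent2.config.ConsulConfig
	if c.SerfLANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c.SerfLANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}
	if c.SerfWANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c.SerfWANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}

	// Client should auto-load only the LAN keyring file
	conf3 := nextConfig()
	conf3.Server = false
	dir3, agent3 := makeAgentKeyring(t, conf3, key)
	defer os.RemoveAll(dir3)
	defer agent3.Shutdown()

	c = agent3.config.ConsulConfig
	if c.SerfLANConfig.KeyringFile == "" {
		t.Fatalf("should have keyring file")
	}
	if c.SerfLANConfig.MemberlistConfig.Keyring == nil {
		t.Fatalf("keyring should be loaded")
	}
	if c.SerfWANConfig.KeyringFile != "" {
		t.Fatalf("bad: %#v", c.SerfWANConfig.KeyringFile)
	}
	if c.SerfWANConfig.MemberlistConfig.Keyring != nil {
		t.Fatalf("keyring should not be loaded")
	}
}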
|
// TestAgent_InitKeyring writes a fresh keyring file through initKeyring and
// verifies its on-disk JSON content, then calls initKeyring again with a
// different key and verifies that an existing keyring file is left untouched
// (a second initialization must never silently replace the gossip key).
//
// NOTE(review): only the content is asserted here; the file mode is not.
// The keyring holds the gossip encryption key, so confirm separately that
// initKeyring creates the file with restrictive (owner-only) permissions.
func TestAgent_InitKeyring(t *testing.T) {
	t.Parallel()
	const (
		key1 = "tbLJg26ZJyJ9pK3qhc9jig=="
		key2 = "4leC33rgtXKIVUr9Nr0snQ=="
	)
	want := fmt.Sprintf(`["%s"]`, key1)

	tmp, err := ioutil.TempDir("", "consul")
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	defer os.RemoveAll(tmp)
	path := filepath.Join(tmp, "keyring")

	// readKeyring returns the current file content, failing the test on
	// any read error.
	readKeyring := func() string {
		data, err := ioutil.ReadFile(path)
		if err != nil {
			t.Fatalf("err: %s", err)
		}
		return string(data)
	}

	// First initialize the keyring
	if err := initKeyring(path, key1); err != nil {
		t.Fatalf("err: %s", err)
	}
	if got := readKeyring(); got != want {
		t.Fatalf("bad: %s", got)
	}

	// Try initializing again with a different key
	if err := initKeyring(path, key2); err != nil {
		t.Fatalf("err: %s", err)
	}

	// Content should still be the same
	if got := readKeyring(); got != want {
		t.Fatalf("bad: %s", got)
	}
}
|
2015-07-07 21:14:06 +00:00
|
|
|
|
|
|
|
// TestAgentKeyring_ACL verifies that, with a deny-by-default ACL policy,
// every keyring management operation on the agent (list, install, use,
// remove) is rejected when no token is supplied and succeeds with the
// master token.
func TestAgentKeyring_ACL(t *testing.T) {
	t.Parallel()
	const (
		key1 = "tbLJg26ZJyJ9pK3qhc9jig=="
		key2 = "4leC33rgtXKIVUr9Nr0snQ=="
	)

	conf := nextConfig()
	conf.ACLDatacenter = "dc1"
	conf.ACLMasterToken = "root"
	conf.ACLDefaultPolicy = "deny"
	dir, agent := makeAgentKeyring(t, conf, key1)
	defer os.RemoveAll(dir)
	defer agent.Shutdown()

	testrpc.WaitForLeader(t, agent.RPC, "dc1")

	// Each operation is tried first with an empty token, which must be
	// denied, and then with the master token, which must succeed. The
	// order is the same as the original sequence: list, install key2,
	// switch to key2, remove key1.
	steps := []func(token string) error{
		func(token string) error {
			_, err := agent.ListKeys(token, 0)
			return err
		},
		func(token string) error {
			_, err := agent.InstallKey(key2, token, 0)
			return err
		},
		func(token string) error {
			_, err := agent.UseKey(key2, token, 0)
			return err
		},
		func(token string) error {
			_, err := agent.RemoveKey(key1, token, 0)
			return err
		},
	}

	for _, op := range steps {
		// Without access fails: the error must be an explicit denial,
		// not some unrelated failure.
		err := op("")
		if err == nil || !strings.Contains(err.Error(), "denied") {
			t.Fatalf("expected denied error, got: %#v", err)
		}

		// With access works
		if err := op("root"); err != nil {
			t.Fatalf("err: %s", err)
		}
	}
}