consul/internal/resource/resourcetest/acls.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resourcetest

import (
	"testing"

	"github.com/stretchr/testify/require"
	"google.golang.org/protobuf/reflect/protoreflect"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/internal/resource"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

const (
	DENY    = "deny"
	ALLOW   = "allow"
	DEFAULT = "default"
)

var checkF = func(t *testing.T, expect string, got error) {
	switch expect {
	case ALLOW:
		if acl.IsErrPermissionDenied(got) {
			t.Fatal("should be allowed")
		}
	case DENY:
		if !acl.IsErrPermissionDenied(got) {
			t.Fatal("should be denied")
		}
	case DEFAULT:
		require.Nil(t, got, "expected fallthrough decision")
	default:
		t.Fatalf("unexpected expectation: %q", expect)
	}
}

type ACLTestCase struct {
	Rules string

	// AuthCtx is optional. If not provided an empty one will be used.
	AuthCtx *acl.AuthorizerContext

	// One of either Res or Data/Owner/Typ should be set.
	Res   *pbresource.Resource
	Data  protoreflect.ProtoMessage
	Owner *pbresource.ID
	Typ   *pbresource.Type

	ReadOK  string
	WriteOK string
	ListOK  string

	ReadHookRequiresResource bool
}

func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {
	var (
		typ *pbresource.Type
		res *pbresource.Resource
	)
	if tc.Res != nil {
		require.Nil(t, tc.Data)
		require.Nil(t, tc.Owner)
		require.Nil(t, tc.Typ)
		typ = tc.Res.Id.GetType()
		res = tc.Res
	} else {
		require.NotNil(t, tc.Data)
		require.NotNil(t, tc.Typ)
		typ = tc.Typ

		resolvedType, ok := registry.Resolve(typ)
		require.True(t, ok)

		res = Resource(tc.Typ, "test").
			WithTenancy(DefaultTenancyForType(t, resolvedType)).
			WithOwner(tc.Owner).
			WithData(t, tc.Data).
			Build()
	}

	reg, ok := registry.Resolve(typ)
	require.True(t, ok)

	ValidateAndNormalize(t, registry, res)

	config := acl.Config{
		WildcardName: structs.WildcardSpecifier,
	}
	authz, err := acl.NewAuthorizerFromRules(tc.Rules, &config, nil)
	require.NoError(t, err)
	authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})

	if tc.AuthCtx == nil {
		tc.AuthCtx = &acl.AuthorizerContext{}
	}

	if tc.ReadHookRequiresResource {
		err = reg.ACLs.Read(authz, tc.AuthCtx, res.Id, nil)
		require.ErrorIs(t, err, resource.ErrNeedResource, "read hook should require the data payload")
	}

	t.Run("read", func(t *testing.T) {
		err := reg.ACLs.Read(authz, tc.AuthCtx, res.Id, res)
		checkF(t, tc.ReadOK, err)
	})
	t.Run("write", func(t *testing.T) {
		err := reg.ACLs.Write(authz, tc.AuthCtx, res)
		checkF(t, tc.WriteOK, err)
	})
	t.Run("list", func(t *testing.T) {
		err := reg.ACLs.List(authz, tc.AuthCtx)
		checkF(t, tc.ListOK, err)
	})
}
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: BUSL-1.1`

			`package resourcetest`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`"google.golang.org/protobuf/reflect/protoreflect"`

			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/internal/resource"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`const (`
			`DENY = "deny"`
			`ALLOW = "allow"`
			`DEFAULT = "default"`
			`)`

			`var checkF = func(t *testing.T, expect string, got error) {`
			`switch expect {`
			`case ALLOW:`
			`if acl.IsErrPermissionDenied(got) {`
			`t.Fatal("should be allowed")`
			`}`
			`case DENY:`
			`if !acl.IsErrPermissionDenied(got) {`
			`t.Fatal("should be denied")`
			`}`
			`case DEFAULT:`
			`require.Nil(t, got, "expected fallthrough decision")`
			`default:`
			`t.Fatalf("unexpected expectation: %q", expect)`
			`}`
			`}`

			`type ACLTestCase struct {`
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`Rules string`

mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`// AuthCtx is optional. If not provided an empty one will be used.`
			`AuthCtx *acl.AuthorizerContext`

mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`// One of either Res or Data/Owner/Typ should be set.`
			`Res *pbresource.Resource`
			`Data protoreflect.ProtoMessage`
			`Owner *pbresource.ID`
			`Typ *pbresource.Type`

catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`ReadOK string`
			`WriteOK string`
			`ListOK string`
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago
			`ReadHookRequiresResource bool`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`}`

			`func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {`
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`var (`
			`typ *pbresource.Type`
			`res *pbresource.Resource`
			`)`
			`if tc.Res != nil {`
			`require.Nil(t, tc.Data)`
			`require.Nil(t, tc.Owner)`
			`require.Nil(t, tc.Typ)`
			`typ = tc.Res.Id.GetType()`
			`res = tc.Res`
			`} else {`
			`require.NotNil(t, tc.Data)`
			`require.NotNil(t, tc.Typ)`
			`typ = tc.Typ`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`resolvedType, ok := registry.Resolve(typ)`
			`require.True(t, ok)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`res = Resource(tc.Typ, "test").`
			`WithTenancy(DefaultTenancyForType(t, resolvedType)).`
			`WithOwner(tc.Owner).`
			`WithData(t, tc.Data).`
			`Build()`
			`}`

			`reg, ok := registry.Resolve(typ)`
			`require.True(t, ok)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago
			`ValidateAndNormalize(t, registry, res)`

			`config := acl.Config{`
			`WildcardName: structs.WildcardSpecifier,`
			`}`
			`authz, err := acl.NewAuthorizerFromRules(tc.Rules, &config, nil)`
			`require.NoError(t, err)`
			`authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()})`

mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`if tc.AuthCtx == nil {`
			`tc.AuthCtx = &acl.AuthorizerContext{}`
			`}`

mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`if tc.ReadHookRequiresResource {`
mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`err = reg.ACLs.Read(authz, tc.AuthCtx, res.Id, nil)`
mesh: add xRoute ACL hook tenancy tests (#19177) Enhance the xRoute ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`require.ErrorIs(t, err, resource.ErrNeedResource, "read hook should require the data payload")`
			`}`

catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`t.Run("read", func(t *testing.T) {`
mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`err := reg.ACLs.Read(authz, tc.AuthCtx, res.Id, res)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`checkF(t, tc.ReadOK, err)`
			`})`
			`t.Run("write", func(t *testing.T) {`
mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`err := reg.ACLs.Write(authz, tc.AuthCtx, res)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`checkF(t, tc.WriteOK, err)`
			`})`
			`t.Run("list", func(t *testing.T) {`
mesh: add DestinationPolicy ACL hook tenancy tests (#19178) Enhance the DestinationPolicy ACL hook tests to cover tenanted situations. These tests will only execute in enterprise. 1 year ago			`err := reg.ACLs.List(authz, tc.AuthCtx)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 1 year ago			`checkF(t, tc.ListOK, err)`
			`})`
			`}`