github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20265 Commits
1702 Branches
457 Tags
697 MiB
Tree: ea5bcde903
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ea5bcde903'
${ noResults }
consul/acl/static_authorizer_test.go

101 lines
3.8 KiB
Raw Normal View History Unescape

Add copyright headers for acl, api and bench folders (#16706) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files * copyright headers for agent folder * fix merge conflicts * copyright headers for agent folder * Ignore test data files * fix proto files * ignore agent/uiserver folder for now * copyright headers for agent folder * Add copyright headers for acl, api and bench folders
2 years ago
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
ACL Authorizer overhaul (#6620) * ACL Authorizer overhaul To account for upcoming features every Authorization function can now take an extra *acl.EnterpriseAuthorizerContext. These are unused in OSS and will always be nil. Additionally the acl package has received some thorough refactoring to enable all of the extra Consul Enterprise specific authorizations including moving sentinel enforcement into the stubbed structs. The Authorizer funcs now return an acl.EnforcementDecision instead of a boolean. This improves the overall interface as it makes multiple Authorizers easily chainable as they now indicate whether they had an authoritative decision or should use some other defaults. A ChainedAuthorizer was added to handle this Authorizer enforcement chain and will never itself return a non-authoritative decision. * Include stub for extra enterprise rules in the global management policy * Allow for an upgrade of the global-management policy
5 years ago
package acl
import (
"testing"
)
func TestStaticAuthorizer(t *testing.T) {
t.Run("AllowAll", func(t *testing.T) {
authz := AllowAll()
checkDenyACLRead(t, authz, "foo", nil)
checkDenyACLWrite(t, authz, "foo", nil)
checkAllowAgentRead(t, authz, "foo", nil)
checkAllowAgentWrite(t, authz, "foo", nil)
checkAllowEventRead(t, authz, "foo", nil)
checkAllowEventWrite(t, authz, "foo", nil)
checkAllowIntentionDefaultAllow(t, authz, "foo", nil)
checkAllowIntentionRead(t, authz, "foo", nil)
checkAllowIntentionWrite(t, authz, "foo", nil)
checkAllowKeyRead(t, authz, "foo", nil)
checkAllowKeyList(t, authz, "foo", nil)
checkAllowKeyringRead(t, authz, "foo", nil)
checkAllowKeyringWrite(t, authz, "foo", nil)
checkAllowKeyWrite(t, authz, "foo", nil)
checkAllowKeyWritePrefix(t, authz, "foo", nil)
checkAllowNodeRead(t, authz, "foo", nil)
checkAllowNodeWrite(t, authz, "foo", nil)
checkAllowOperatorRead(t, authz, "foo", nil)
checkAllowOperatorWrite(t, authz, "foo", nil)
checkAllowPreparedQueryRead(t, authz, "foo", nil)
checkAllowPreparedQueryWrite(t, authz, "foo", nil)
checkAllowServiceRead(t, authz, "foo", nil)
checkAllowServiceWrite(t, authz, "foo", nil)
checkAllowSessionRead(t, authz, "foo", nil)
checkAllowSessionWrite(t, authz, "foo", nil)
checkDenySnapshot(t, authz, "foo", nil)
})
t.Run("DenyAll", func(t *testing.T) {
authz := DenyAll()
checkDenyACLRead(t, authz, "foo", nil)
checkDenyACLWrite(t, authz, "foo", nil)
checkDenyAgentRead(t, authz, "foo", nil)
checkDenyAgentWrite(t, authz, "foo", nil)
checkDenyEventRead(t, authz, "foo", nil)
checkDenyEventWrite(t, authz, "foo", nil)
checkDenyIntentionDefaultAllow(t, authz, "foo", nil)
checkDenyIntentionRead(t, authz, "foo", nil)
checkDenyIntentionWrite(t, authz, "foo", nil)
checkDenyKeyRead(t, authz, "foo", nil)
checkDenyKeyList(t, authz, "foo", nil)
checkDenyKeyringRead(t, authz, "foo", nil)
checkDenyKeyringWrite(t, authz, "foo", nil)
checkDenyKeyWrite(t, authz, "foo", nil)
checkDenyKeyWritePrefix(t, authz, "foo", nil)
checkDenyNodeRead(t, authz, "foo", nil)
checkDenyNodeWrite(t, authz, "foo", nil)
checkDenyOperatorRead(t, authz, "foo", nil)
checkDenyOperatorWrite(t, authz, "foo", nil)
checkDenyPreparedQueryRead(t, authz, "foo", nil)
checkDenyPreparedQueryWrite(t, authz, "foo", nil)
checkDenyServiceRead(t, authz, "foo", nil)
checkDenyServiceWrite(t, authz, "foo", nil)
checkDenySessionRead(t, authz, "foo", nil)
checkDenySessionWrite(t, authz, "foo", nil)
checkDenySnapshot(t, authz, "foo", nil)
})
t.Run("ManageAll", func(t *testing.T) {
authz := ManageAll()
checkAllowACLRead(t, authz, "foo", nil)
checkAllowACLWrite(t, authz, "foo", nil)
checkAllowAgentRead(t, authz, "foo", nil)
checkAllowAgentWrite(t, authz, "foo", nil)
checkAllowEventRead(t, authz, "foo", nil)
checkAllowEventWrite(t, authz, "foo", nil)
checkAllowIntentionDefaultAllow(t, authz, "foo", nil)
checkAllowIntentionRead(t, authz, "foo", nil)
checkAllowIntentionWrite(t, authz, "foo", nil)
checkAllowKeyRead(t, authz, "foo", nil)
checkAllowKeyList(t, authz, "foo", nil)
checkAllowKeyringRead(t, authz, "foo", nil)
checkAllowKeyringWrite(t, authz, "foo", nil)
checkAllowKeyWrite(t, authz, "foo", nil)
checkAllowKeyWritePrefix(t, authz, "foo", nil)
checkAllowNodeRead(t, authz, "foo", nil)
checkAllowNodeWrite(t, authz, "foo", nil)
checkAllowOperatorRead(t, authz, "foo", nil)
checkAllowOperatorWrite(t, authz, "foo", nil)
checkAllowPreparedQueryRead(t, authz, "foo", nil)
checkAllowPreparedQueryWrite(t, authz, "foo", nil)
checkAllowServiceRead(t, authz, "foo", nil)
checkAllowServiceWrite(t, authz, "foo", nil)
checkAllowSessionRead(t, authz, "foo", nil)
checkAllowSessionWrite(t, authz, "foo", nil)
checkAllowSnapshot(t, authz, "foo", nil)
})
}