2023-03-28 19:12:30 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 13:12:13 +00:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 19:12:30 +00:00
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
package roleupdate
|
|
|
|
|
|
|
|
import (
|
2020-02-15 15:06:05 +00:00
|
|
|
"encoding/json"
|
2019-04-15 20:43:19 +00:00
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent"
|
|
|
|
"github.com/hashicorp/consul/api"
|
|
|
|
"github.com/hashicorp/consul/testrpc"
|
|
|
|
"github.com/mitchellh/cli"
|
2020-02-15 15:06:05 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2019-04-15 20:43:19 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
|
|
|
uuid "github.com/hashicorp/go-uuid"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestRoleUpdateCommand_noTabs(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') {
|
|
|
|
t.Fatal("help has tabs")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestRoleUpdateCommand(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
2020-03-31 19:59:56 +00:00
|
|
|
a := agent.NewTestAgent(t, `
|
2019-04-15 20:43:19 +00:00
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
2021-12-07 12:48:50 +00:00
|
|
|
initial_management = "root"
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
// Create 2 policies
|
|
|
|
policy1, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy1"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
policy2, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy2"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// create a role
|
|
|
|
role, _, err := client.ACL().RoleCreate(
|
|
|
|
&api.ACLRole{
|
|
|
|
Name: "test-role",
|
|
|
|
ServiceIdentities: []*api.ACLServiceIdentity{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2019-04-15 20:43:19 +00:00
|
|
|
ServiceName: "fake",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
run := func(t *testing.T, args []string) *api.ACLRole {
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
|
|
|
|
code := cmd.Run(append(args, "-format=json", "-http-addr="+a.HTTPAddr()))
|
|
|
|
require.Equal(t, 0, code, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
var role api.ACLRole
|
|
|
|
require.NoError(t, json.Unmarshal(ui.OutputWriter.Bytes(), &role))
|
|
|
|
return &role
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
t.Run("update a role that does not exist", func(t *testing.T) {
|
|
|
|
fakeID, err := uuid.GenerateUUID()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + fakeID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
"-description=test role edited",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 1)
|
|
|
|
require.Contains(t, ui.ErrorWriter.String(), "Role not found with ID")
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with policy by name", func(t *testing.T) {
|
2020-06-16 16:54:27 +00:00
|
|
|
_ = run(t, []string{
|
2019-04-15 20:43:19 +00:00
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
"-description=test role edited",
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "test role edited", role.Description)
|
|
|
|
require.Len(t, role.Policies, 1)
|
|
|
|
require.Len(t, role.ServiceIdentities, 1)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with policy by id", func(t *testing.T) {
|
|
|
|
// also update with no description shouldn't delete the current
|
|
|
|
// description
|
2020-06-16 16:54:27 +00:00
|
|
|
_ = run(t, []string{
|
2019-04-15 20:43:19 +00:00
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-id=" + policy2.ID,
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "test role edited", role.Description)
|
|
|
|
require.Len(t, role.Policies, 2)
|
|
|
|
require.Len(t, role.ServiceIdentities, 1)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with service identity", func(t *testing.T) {
|
2020-06-16 16:54:27 +00:00
|
|
|
_ = run(t, []string{
|
2019-04-15 20:43:19 +00:00
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-service-identity=web",
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "test role edited", role.Description)
|
|
|
|
require.Len(t, role.Policies, 2)
|
|
|
|
require.Len(t, role.ServiceIdentities, 2)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with service identity scoped to 2 DCs", func(t *testing.T) {
|
2020-06-16 16:54:27 +00:00
|
|
|
_ = run(t, []string{
|
2019-04-15 20:43:19 +00:00
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-service-identity=db:abc,xyz",
|
2020-06-16 16:54:27 +00:00
|
|
|
})
|
2019-04-15 20:43:19 +00:00
|
|
|
|
2020-06-16 16:54:27 +00:00
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "test role edited", role.Description)
|
|
|
|
require.Len(t, role.Policies, 2)
|
|
|
|
require.Len(t, role.ServiceIdentities, 3)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with node identity", func(t *testing.T) {
|
|
|
|
_ = run(t, []string{
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-node-identity=foo:bar",
|
|
|
|
})
|
2019-04-15 20:43:19 +00:00
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "test role edited", role.Description)
|
|
|
|
require.Len(t, role.Policies, 2)
|
|
|
|
require.Len(t, role.ServiceIdentities, 3)
|
2020-06-16 16:54:27 +00:00
|
|
|
require.Len(t, role.NodeIdentities, 1)
|
2019-04-15 20:43:19 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-02-15 15:06:05 +00:00
|
|
|
func TestRoleUpdateCommand_JSON(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2020-02-15 15:06:05 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
2020-03-31 19:59:56 +00:00
|
|
|
a := agent.NewTestAgent(t, `
|
2020-02-15 15:06:05 +00:00
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
2021-12-07 12:48:50 +00:00
|
|
|
initial_management = "root"
|
2020-02-15 15:06:05 +00:00
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
// Create policy
|
|
|
|
policy1, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy1"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleCreate(
|
|
|
|
&api.ACLRole{
|
|
|
|
Name: "test-role",
|
|
|
|
ServiceIdentities: []*api.ACLServiceIdentity{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2020-02-15 15:06:05 +00:00
|
|
|
ServiceName: "fake",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
t.Run("update a role that does not exist", func(t *testing.T) {
|
|
|
|
fakeID, err := uuid.GenerateUUID()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + fakeID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
"-description=test role edited",
|
|
|
|
"-format=json",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 1)
|
|
|
|
require.Contains(t, ui.ErrorWriter.String(), "Role not found with ID")
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with policy by name", func(t *testing.T) {
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
"-description=test role edited",
|
|
|
|
"-format=json",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
var jsonOutput json.RawMessage
|
|
|
|
err := json.Unmarshal([]byte(ui.OutputWriter.String()), &jsonOutput)
|
|
|
|
assert.NoError(t, err)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
func TestRoleUpdateCommand_noMerge(t *testing.T) {
|
2020-12-07 18:42:55 +00:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2019-04-15 20:43:19 +00:00
|
|
|
t.Parallel()
|
|
|
|
|
2020-03-31 19:59:56 +00:00
|
|
|
a := agent.NewTestAgent(t, `
|
2019-04-15 20:43:19 +00:00
|
|
|
primary_datacenter = "dc1"
|
|
|
|
acl {
|
|
|
|
enabled = true
|
|
|
|
tokens {
|
2021-12-07 12:48:50 +00:00
|
|
|
initial_management = "root"
|
2019-04-15 20:43:19 +00:00
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
defer a.Shutdown()
|
|
|
|
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
|
|
|
|
|
|
|
client := a.Client()
|
|
|
|
|
|
|
|
// Create 3 policies
|
|
|
|
policy1, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy1"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
policy2, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy2"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
policy3, _, err := client.ACL().PolicyCreate(
|
|
|
|
&api.ACLPolicy{Name: "test-policy3"},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// create a role
|
|
|
|
createRole := func(t *testing.T) *api.ACLRole {
|
|
|
|
roleUnq, err := uuid.GenerateUUID()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleCreate(
|
|
|
|
&api.ACLRole{
|
|
|
|
Name: "test-role-" + roleUnq,
|
|
|
|
Description: "original description",
|
|
|
|
ServiceIdentities: []*api.ACLServiceIdentity{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2019-04-15 20:43:19 +00:00
|
|
|
ServiceName: "fake",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Policies: []*api.ACLRolePolicyLink{
|
2020-06-16 17:19:31 +00:00
|
|
|
{
|
2019-04-15 20:43:19 +00:00
|
|
|
ID: policy3.ID,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
&api.WriteOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
return role
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Run("update a role that does not exist", func(t *testing.T) {
|
|
|
|
fakeID, err := uuid.GenerateUUID()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + fakeID,
|
|
|
|
"-token=root",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
"-no-merge",
|
|
|
|
"-description=test role edited",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 1)
|
|
|
|
require.Contains(t, ui.ErrorWriter.String(), "Role not found with ID")
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with policy by name", func(t *testing.T) {
|
|
|
|
role := createRole(t)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-name=" + role.Name,
|
|
|
|
"-token=root",
|
|
|
|
"-no-merge",
|
|
|
|
"-policy-name=" + policy1.Name,
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "", role.Description)
|
|
|
|
require.Len(t, role.Policies, 1)
|
|
|
|
require.Len(t, role.ServiceIdentities, 0)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with policy by id", func(t *testing.T) {
|
|
|
|
role := createRole(t)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-name=" + role.Name,
|
|
|
|
"-token=root",
|
|
|
|
"-no-merge",
|
|
|
|
"-policy-id=" + policy2.ID,
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "", role.Description)
|
|
|
|
require.Len(t, role.Policies, 1)
|
|
|
|
require.Len(t, role.ServiceIdentities, 0)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with service identity", func(t *testing.T) {
|
|
|
|
role := createRole(t)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-name=" + role.Name,
|
|
|
|
"-token=root",
|
|
|
|
"-no-merge",
|
|
|
|
"-service-identity=web",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "", role.Description)
|
|
|
|
require.Len(t, role.Policies, 0)
|
|
|
|
require.Len(t, role.ServiceIdentities, 1)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("update with service identity scoped to 2 DCs", func(t *testing.T) {
|
|
|
|
role := createRole(t)
|
|
|
|
|
|
|
|
ui := cli.NewMockUi()
|
|
|
|
cmd := New(ui)
|
|
|
|
args := []string{
|
|
|
|
"-http-addr=" + a.HTTPAddr(),
|
|
|
|
"-id=" + role.ID,
|
|
|
|
"-name=" + role.Name,
|
|
|
|
"-token=root",
|
|
|
|
"-no-merge",
|
|
|
|
"-service-identity=db:abc,xyz",
|
|
|
|
}
|
|
|
|
|
|
|
|
code := cmd.Run(args)
|
|
|
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String())
|
|
|
|
require.Empty(t, ui.ErrorWriter.String())
|
|
|
|
|
|
|
|
role, _, err := client.ACL().RoleRead(
|
|
|
|
role.ID,
|
|
|
|
&api.QueryOptions{Token: "root"},
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, role)
|
|
|
|
require.Equal(t, "", role.Description)
|
|
|
|
require.Len(t, role.Policies, 0)
|
|
|
|
require.Len(t, role.ServiceIdentities, 1)
|
|
|
|
})
|
|
|
|
}
|