From 397a588ca726cdb81e3da465aff1344d49ccfd23 Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Fri, 6 Jan 2023 03:37:43 -0600
Subject: [PATCH] backport of commit 822c3fea8aeb2596523c7fbd831df90864c77c2a (#15907)

Co-authored-by: Daniel Upton
---
 .../services/connectca/sign_test.go | 14 +++++++-------
 .../dataplane/get_supported_features_test.go | 19 +++++++++++++++++++
 agent/grpc-external/testutils/acl.go | 5 ++---
 agent/grpc-external/utils.go | 2 +-
 4 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/agent/grpc-external/services/connectca/sign_test.go b/agent/grpc-external/services/connectca/sign_test.go
index 8ccaad4df1..5aa1f114b3 100644
--- a/agent/grpc-external/services/connectca/sign_test.go
+++ b/agent/grpc-external/services/connectca/sign_test.go
@@ -33,7 +33,7 @@ func TestSign_ConnectDisabled(t *testing.T) {
 func TestSign_Validation(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 server := NewServer(Config{
 Logger: hclog.NewNullLogger(),
@@ -90,7 +90,7 @@ func TestSign_Unauthenticated(t *testing.T) {
 func TestSign_PermissionDenied(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
@@ -116,7 +116,7 @@ func TestSign_PermissionDenied(t *testing.T) {
 func TestSign_InvalidCSR(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
@@ -142,7 +142,7 @@ func TestSign_InvalidCSR(t *testing.T) {
 func TestSign_RateLimited(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
@@ -168,7 +168,7 @@ func TestSign_RateLimited(t *testing.T) {
 func TestSign_InternalError(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
@@ -194,7 +194,7 @@ func TestSign_InternalError(t *testing.T) {
 func TestSign_Success(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
@@ -220,7 +220,7 @@ func TestSign_Success(t *testing.T) {
 func TestSign_RPCForwarding(t *testing.T) {
 aclResolver := &MockACLResolver{}
 aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
- Return(testutils.ACLAllowAll(t), nil)
+ Return(testutils.ACLsDisabled(t), nil)
 
 caManager := &MockCAManager{}
 caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
diff --git a/agent/grpc-external/services/dataplane/get_supported_features_test.go b/agent/grpc-external/services/dataplane/get_supported_features_test.go
index 31667e71de..86fcdb0c88 100644
--- a/agent/grpc-external/services/dataplane/get_supported_features_test.go
+++ b/agent/grpc-external/services/dataplane/get_supported_features_test.go
@@ -53,6 +53,25 @@ func TestSupportedDataplaneFeatures_Success(t *testing.T) {
 }
 }
 
+func TestSupportedDataplaneFeatures_ACLsDisabled(t *testing.T) {
+ aclResolver := &MockACLResolver{}
+ aclResolver.On("ResolveTokenAndDefaultMeta", "", mock.Anything, mock.Anything).
+ Return(testutils.ACLsDisabled(t), nil)
+
+ options := structs.QueryOptions{Token: ""}
+ ctx, err := external.ContextWithQueryOptions(context.Background(), options)
+ require.NoError(t, err)
+
+ server := NewServer(Config{
+ Logger: hclog.NewNullLogger(),
+ ACLResolver: aclResolver,
+ })
+ client := testClient(t, server)
+ resp, err := client.GetSupportedDataplaneFeatures(ctx, &pbdataplane.GetSupportedDataplaneFeaturesRequest{})
+ require.NoError(t, err)
+ require.Equal(t, 3, len(resp.SupportedDataplaneFeatures))
+}
+
 func TestSupportedDataplaneFeatures_InvalidACLToken(t *testing.T) {
 // Mock the ACL resolver to return ErrNotFound.
 aclResolver := &MockACLResolver{}
diff --git a/agent/grpc-external/testutils/acl.go b/agent/grpc-external/testutils/acl.go
index 18fbd24461..ccb2e6a30e 100644
--- a/agent/grpc-external/testutils/acl.go
+++ b/agent/grpc-external/testutils/acl.go
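Review bot: The new TestSupportedDataplaneFeatures_ACLsDisabled carries no comment saying what it pins, while the neighbouring InvalidACLToken test opens with one; add `// With ACLs disabled the resolver yields no ACLIdentity, and an empty token must still be accepted.` above the resolver mock so the reason for the empty-token call is recorded. The closing assertion reads more naturally as `require.Len(t, resp.SupportedDataplaneFeatures, 3)`, and the literal 3 is presumably the same expected feature count the Success test above this hunk asserts, so a shared constant would keep the two from drifting. This test only exercises the disabled-ACL path; the InvalidACLToken test that follows covers the rejection path, but no test in this patch pins the case of an enabled-ACL resolver returning a Result with a nil identity.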
@@ -23,12 +23,11 @@ func ACLAnonymous(t *testing.T) resolver.Result {
 }
 }
 
-func ACLAllowAll(t *testing.T) resolver.Result {
+func ACLsDisabled(t *testing.T) resolver.Result {
 t.Helper()
 
 return resolver.Result{
- Authorizer: acl.AllowAll(),
- ACLIdentity: randomACLIdentity(t),
+ Authorizer: acl.ManageAll(),
 }
 }
 
diff --git a/agent/grpc-external/utils.go b/agent/grpc-external/utils.go
index 898c53feb3..4d6e918924 100644
--- a/agent/grpc-external/utils.go
+++ b/agent/grpc-external/utils.go
@@ -36,7 +36,7 @@ func RequireAnyValidACLToken(resolver ACLResolver, token string) error {
 return status.Error(codes.Unauthenticated, err.Error())
 }
 
- if id := authz.ACLIdentity; id == nil || id.ID() == structs.ACLTokenAnonymousID {
+ if id := authz.ACLIdentity; id != nil && id.ID() == structs.ACLTokenAnonymousID {
 return status.Error(codes.Unauthenticated, "An ACL token must be provided (via the `x-consul-token` metadata field) to call this endpoint")
 }
 
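Review bot: ACLsDisabled is exported but has no doc comment, and its name alone does not say that it models an agent with ACLs turned off by returning acl.ManageAll() with no ACLIdentity; add `// ACLsDisabled returns the resolver.Result an agent with ACLs disabled produces: a manage-all authorizer and no ACLIdentity.` above the function. The absent identity is exactly the property the RequireAnyValidACLToken change in utils.go relies on, so it belongs in the contract rather than being implied by the struct literal. ACLAllowAll is removed outright rather than kept as an alias; any caller outside the files in this patch would stop compiling, which cannot be confirmed from the diff alone.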
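Review bot: The relaxed guard now admits a request whose resolved ACLIdentity is nil, so its safety rests on the resolver returning a nil identity only when ACLs are disabled, and nothing on this line records that invariant. Add `// A nil identity means ACLs are disabled; only an explicit anonymous identity is rejected here.` above the `if`, and confirm that no resolver path with ACLs enabled can hand back a Result with a nil ACLIdentity, since that path would now pass this check unauthenticated. The new dataplane test in this patch covers only the disabled-ACL case, so that enabled-but-nil case is, as far as the diff shows, untested. The rest of RequireAnyValidACLToken lies outside the hunk.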