consul: better tests for acl filtering

2015-06-11 13:23:49 -07:00 · 2015-06-11 13:23:49 -07:00 · 77721e3a1a
parent a4d34b66d6
commit 77721e3a1a
3 changed files with 237 additions and 353 deletions
--- a/consul/catalog_endpoint_test.go
+++ b/consul/catalog_endpoint_test.go
@ -778,18 +778,14 @@ func TestCatalogRegister_FailedCase1(t *testing.T) {
 	}
 }
-func TestCatalog_filterACL(t *testing.T) {
+func testACLFilterServer(t *testing.T) (dir, token string, srv *Server, client *rpc.Client) {
-	dir, srv := testServerWithConfig(t, func(c *Config) {
+	dir, srv = testServerWithConfig(t, func(c *Config) {
 		c.ACLDatacenter = "dc1"
 		c.ACLMasterToken = "root"
 		c.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
 	client := rpcClient(t, srv)
 	defer client.Close()
 	client = rpcClient(t, srv)
 	testutil.WaitForLeader(t, client.Call, "dc1")
 	// Create a new token
@ -803,8 +799,7 @@ func TestCatalog_filterACL(t *testing.T) {
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
-	var id string
+	if err := client.Call("ACL.Apply", &arg, &token); err != nil {
 	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
 		t.Fatalf("err: %v", err)
 	}
@ -847,90 +842,101 @@ func TestCatalog_filterACL(t *testing.T) {
 	if err := client.Call("Catalog.Register", &regArg, nil); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	return
 }
-	// Catalog.ListServices properly filters and returns services
+func TestCatalog_ListServices_FilterACL(t *testing.T) {
-	{
+	dir, token, srv, client := testACLFilterServer(t)
-		opt := structs.DCSpecificRequest{
+	defer os.RemoveAll(dir)
-			Datacenter:   "dc1",
+	defer srv.Shutdown()
-			QueryOptions: structs.QueryOptions{Token: id},
+	defer client.Close()
-		}
+
-		reply := structs.IndexedServices{}
+	opt := structs.DCSpecificRequest{
-		if err := client.Call("Catalog.ListServices", &opt, &reply); err != nil {
+		Datacenter:   "dc1",
-			t.Fatalf("err: %s", err)
+		QueryOptions: structs.QueryOptions{Token: token},
-		}
+	}
-		if _, ok := reply.Services["foo"]; !ok {
+	reply := structs.IndexedServices{}
-			t.Fatalf("bad: %#v", reply.Services)
+	if err := client.Call("Catalog.ListServices", &opt, &reply); err != nil {
-		}
+		t.Fatalf("err: %s", err)
-		if _, ok := reply.Services["bar"]; ok {
+	}
-			t.Fatalf("bad: %#v", reply.Services)
+	if _, ok := reply.Services["foo"]; !ok {
 		t.Fatalf("bad: %#v", reply.Services)
 	}
 	if _, ok := reply.Services["bar"]; ok {
 		t.Fatalf("bad: %#v", reply.Services)
 	}
 }
 func TestCatalog_ServiceNodes_FilterACL(t *testing.T) {
 	dir, token, srv, client := testACLFilterServer(t)
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
 	defer client.Close()
 	opt := structs.ServiceSpecificRequest{
 		Datacenter:   "dc1",
 		ServiceName:  "foo",
 		QueryOptions: structs.QueryOptions{Token: token},
 	}
 	reply := structs.IndexedServiceNodes{}
 	if err := client.Call("Catalog.ServiceNodes", &opt, &reply); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	found := false
 	for _, sn := range reply.ServiceNodes {
 		if sn.ServiceID == "foo" {
 			found = true
 			break
 		}
 	}
 	if !found {
 		t.Fatalf("bad: %#v", reply.ServiceNodes)
 	}
-	// Catalog.ServiceNodes returns services we have access to
+	// Filters services we can't access
-	{
+	opt = structs.ServiceSpecificRequest{
-		opt := structs.ServiceSpecificRequest{
+		Datacenter:   "dc1",
-			Datacenter:   "dc1",
+		ServiceName:  "bar",
-			ServiceName:  "foo",
+		QueryOptions: structs.QueryOptions{Token: token},
-			QueryOptions: structs.QueryOptions{Token: id},
+	}
-		}
+	reply = structs.IndexedServiceNodes{}
-		reply := structs.IndexedServiceNodes{}
+	if err := client.Call("Catalog.ServiceNodes", &opt, &reply); err != nil {
-		if err := client.Call("Catalog.ServiceNodes", &opt, &reply); err != nil {
+		t.Fatalf("err: %s", err)
-			t.Fatalf("err: %s", err)
+	}
-		}
+	for _, sn := range reply.ServiceNodes {
-		found := false
+		if sn.ServiceID == "bar" {
 		for _, sn := range reply.ServiceNodes {
 			if sn.ServiceID == "foo" {
 				found = true
 				break
 			}
 		}
 		if !found {
 			t.Fatalf("bad: %#v", reply.ServiceNodes)
 		}
 	}
 }
-	// Catalog.ServiceNodes filters services we can't access
+func TestCatalog_NodeServices_FilterACL(t *testing.T) {
-	{
+	dir, token, srv, client := testACLFilterServer(t)
-		opt := structs.ServiceSpecificRequest{
+	defer os.RemoveAll(dir)
-			Datacenter:   "dc1",
+	defer srv.Shutdown()
-			ServiceName:  "bar",
+	defer client.Close()
-			QueryOptions: structs.QueryOptions{Token: id},
+
 	opt := structs.NodeSpecificRequest{
 		Datacenter:   "dc1",
 		Node:         srv.config.NodeName,
 		QueryOptions: structs.QueryOptions{Token: token},
 	}
 	reply := structs.IndexedNodeServices{}
 	if err := client.Call("Catalog.NodeServices", &opt, &reply); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	found := false
 	for _, svc := range reply.NodeServices.Services {
 		if svc.ID == "bar" {
 			t.Fatalf("bad: %#v", reply.NodeServices.Services)
 		}
-		reply := structs.IndexedServiceNodes{}
+		if svc.ID == "foo" {
-		if err := client.Call("Catalog.ServiceNodes", &opt, &reply); err != nil {
+			found = true
-			t.Fatalf("err: %s", err)
+			break
 		}
 		for _, sn := range reply.ServiceNodes {
 			if sn.ServiceID == "bar" {
 				t.Fatalf("bad: %#v", reply.ServiceNodes)
 			}
 		}
 	}
-
+	if !found {
-	// Catalog.NodeServices filters and returns services properly
+		t.Fatalf("bad: %#v", reply.NodeServices)
 	{
 		opt := structs.NodeSpecificRequest{
 			Datacenter:   "dc1",
 			Node:         srv.config.NodeName,
 			QueryOptions: structs.QueryOptions{Token: id},
 		}
 		reply := structs.IndexedNodeServices{}
 		if err := client.Call("Catalog.NodeServices", &opt, &reply); err != nil {
 			t.Fatalf("err: %s", err)
 		}
 		found := false
 		for _, svc := range reply.NodeServices.Services {
 			if svc.ID == "bar" {
 				t.Fatalf("bad: %#v", reply.NodeServices.Services)
 			}
 			if svc.ID == "foo" {
 				found = true
 				break
 			}
 		}
 		if !found {
 			t.Fatalf("bad: %#v", reply.NodeServices)
 		}
 	}
 }
--- a/consul/health_endpoint_test.go
+++ b/consul/health_endpoint_test.go
@ -223,155 +223,96 @@ func TestHealth_ServiceNodes(t *testing.T) {
 	}
 }
-func TestHealth_filterACL(t *testing.T) {
+func TestHealth_NodeChecks_FilterACL(t *testing.T) {
-	dir, srv := testServerWithConfig(t, func(c *Config) {
+	dir, token, srv, client := testACLFilterServer(t)
 		c.ACLDatacenter = "dc1"
 		c.ACLMasterToken = "root"
 		c.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
 	client := rpcClient(t, srv)
 	defer client.Close()
-	testutil.WaitForLeader(t, client.Call, "dc1")
+	opt := structs.NodeSpecificRequest{
-
+		Datacenter:   "dc1",
-	// Create a new token
+		Node:         srv.config.NodeName,
-	arg := structs.ACLRequest{
+		QueryOptions: structs.QueryOptions{Token: token},
 		Datacenter: "dc1",
 		Op:         structs.ACLSet,
 		ACL: structs.ACL{
 			Name:  "User token",
 			Type:  structs.ACLTypeClient,
 			Rules: testRegisterRules,
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
-	var id string
+	reply := structs.IndexedHealthChecks{}
-	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+	if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
 		t.Fatalf("err: %v", err)
 	}
 	// Register a service we have access to
 	regArg := structs.RegisterRequest{
 		Datacenter: "dc1",
 		Node:       srv.config.NodeName,
 		Address:    "127.0.0.1",
 		Service: &structs.NodeService{
 			ID:      "foo",
 			Service: "foo",
 		},
 		Check: &structs.HealthCheck{
 			CheckID:   "service:foo",
 			Name:      "service:foo",
 			ServiceID: "foo",
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
 	if err := client.Call("Catalog.Register", &regArg, nil); err != nil {
 		t.Fatalf("err: %s", err)
 	}
-
+	found := false
-	// Register a service we don't have access to
+	for _, chk := range reply.HealthChecks {
-	regArg = structs.RegisterRequest{
+		switch chk.ServiceName {
-		Datacenter: "dc1",
+		case "foo":
-		Node:       srv.config.NodeName,
+			found = true
-		Address:    "127.0.0.1",
+		case "bar":
 		Service: &structs.NodeService{
 			ID:      "bar",
 			Service: "bar",
 		},
 		Check: &structs.HealthCheck{
 			CheckID:   "service:bar",
 			Name:      "service:bar",
 			ServiceID: "bar",
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
 	if err := client.Call("Catalog.Register", &regArg, nil); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	// Health.NodeChecks properly filters and returns services
 	{
 		opt := structs.NodeSpecificRequest{
 			Datacenter:   "dc1",
 			Node:         srv.config.NodeName,
 			QueryOptions: structs.QueryOptions{Token: id},
 		}
 		reply := structs.IndexedHealthChecks{}
 		if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
 			t.Fatalf("err: %s", err)
 		}
 		found := false
 		for _, chk := range reply.HealthChecks {
 			switch chk.ServiceName {
 			case "foo":
 				found = true
 			case "bar":
 				t.Fatalf("bad: %#v", reply.HealthChecks)
 			}
 		}
 		if !found {
 			t.Fatalf("bad: %#v", reply.HealthChecks)
 		}
 	}
-
+	if !found {
-	// Health.ServiceChecks properly filters and returns services
+		t.Fatalf("bad: %#v", reply.HealthChecks)
-	{
+	}
-		opt := structs.ServiceSpecificRequest{
+}
-			Datacenter:   "dc1",
+
-			ServiceName:  "foo",
+func TestHealth_ServiceChecks_FilterACL(t *testing.T) {
-			QueryOptions: structs.QueryOptions{Token: id},
+	dir, token, srv, client := testACLFilterServer(t)
-		}
+	defer os.RemoveAll(dir)
-		reply := structs.IndexedHealthChecks{}
+	defer srv.Shutdown()
-		if err := client.Call("Health.ServiceChecks", &opt, &reply); err != nil {
+	defer client.Close()
-			t.Fatalf("err: %s", err)
+
-		}
+	opt := structs.ServiceSpecificRequest{
-		found := false
+		Datacenter:   "dc1",
-		for _, chk := range reply.HealthChecks {
+		ServiceName:  "foo",
-			if chk.ServiceName == "foo" {
+		QueryOptions: structs.QueryOptions{Token: token},
-				found = true
+	}
-				break
+	reply := structs.IndexedHealthChecks{}
-			}
+	if err := client.Call("Health.ServiceChecks", &opt, &reply); err != nil {
-		}
+		t.Fatalf("err: %s", err)
-		if !found {
+	}
-			t.Fatalf("bad: %#v", reply.HealthChecks)
+	found := false
-		}
+	for _, chk := range reply.HealthChecks {
-
+		if chk.ServiceName == "foo" {
-		opt.ServiceName = "bar"
+			found = true
-		reply = structs.IndexedHealthChecks{}
+			break
-		if err := client.Call("Health.ServiceChecks", &opt, &reply); err != nil {
+		}
-			t.Fatalf("err: %s", err)
+	}
-		}
+	if !found {
-		if len(reply.HealthChecks) != 0 {
+		t.Fatalf("bad: %#v", reply.HealthChecks)
-			t.Fatalf("bad: %#v", reply.HealthChecks)
+	}
-		}
+
-	}
+	opt.ServiceName = "bar"
-
+	reply = structs.IndexedHealthChecks{}
-	// Health.ServiceNodes properly filters and returns services
+	if err := client.Call("Health.ServiceChecks", &opt, &reply); err != nil {
-	{
+		t.Fatalf("err: %s", err)
-		opt := structs.ServiceSpecificRequest{
+	}
-			Datacenter:   "dc1",
+	if len(reply.HealthChecks) != 0 {
-			ServiceName:  "foo",
+		t.Fatalf("bad: %#v", reply.HealthChecks)
-			QueryOptions: structs.QueryOptions{Token: id},
+	}
-		}
+}
-		reply := structs.IndexedCheckServiceNodes{}
+
-		if err := client.Call("Health.ServiceNodes", &opt, &reply); err != nil {
+func TestHealth_ServiceNodes_FilterACL(t *testing.T) {
-			t.Fatalf("err: %s", err)
+	dir, token, srv, client := testACLFilterServer(t)
-		}
+	defer os.RemoveAll(dir)
-		if len(reply.Nodes) != 1 {
+	defer srv.Shutdown()
-			t.Fatalf("bad: %#v", reply.Nodes)
+	defer client.Close()
-		}
+
-
+	opt := structs.ServiceSpecificRequest{
-		opt.ServiceName = "bar"
+		Datacenter:   "dc1",
-		reply = structs.IndexedCheckServiceNodes{}
+		ServiceName:  "foo",
-		if err := client.Call("Health.ServiceNodes", &opt, &reply); err != nil {
+		QueryOptions: structs.QueryOptions{Token: token},
-			t.Fatalf("err: %s", err)
+	}
-		}
+	reply := structs.IndexedCheckServiceNodes{}
-		if len(reply.Nodes) != 0 {
+	if err := client.Call("Health.ServiceNodes", &opt, &reply); err != nil {
-			t.Fatalf("bad: %#v", reply.Nodes)
+		t.Fatalf("err: %s", err)
-		}
+	}
 	if len(reply.Nodes) != 1 {
 		t.Fatalf("bad: %#v", reply.Nodes)
 	}
 	opt.ServiceName = "bar"
 	reply = structs.IndexedCheckServiceNodes{}
 	if err := client.Call("Health.ServiceNodes", &opt, &reply); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	if len(reply.Nodes) != 0 {
 		t.Fatalf("bad: %#v", reply.Nodes)
 	}
 }
--- a/consul/internal_endpoint_test.go
+++ b/consul/internal_endpoint_test.go
@ -239,152 +239,89 @@ func TestInternal_KeyringOperation(t *testing.T) {
 	}
 }
-func TestInternal_filterACL(t *testing.T) {
+func TestInternal_NodeInfo_FilterACL(t *testing.T) {
-	dir, srv := testServerWithConfig(t, func(c *Config) {
+	dir, token, srv, client := testACLFilterServer(t)
 		c.ACLDatacenter = "dc1"
 		c.ACLMasterToken = "root"
 		c.ACLDefaultPolicy = "deny"
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
 	client := rpcClient(t, srv)
 	defer client.Close()
-	testutil.WaitForLeader(t, client.Call, "dc1")
+	opt := structs.NodeSpecificRequest{
-
+		Datacenter:   "dc1",
-	// Create a new token
+		Node:         srv.config.NodeName,
-	arg := structs.ACLRequest{
+		QueryOptions: structs.QueryOptions{Token: token},
 		Datacenter: "dc1",
 		Op:         structs.ACLSet,
 		ACL: structs.ACL{
 			Name:  "User token",
 			Type:  structs.ACLTypeClient,
 			Rules: testRegisterRules,
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
-	var id string
+	reply := structs.IndexedNodeDump{}
-	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+	if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
 		t.Fatalf("err: %v", err)
 	}
 	// Register a service we have access to
 	regArg := structs.RegisterRequest{
 		Datacenter: "dc1",
 		Node:       srv.config.NodeName,
 		Address:    "127.0.0.1",
 		Service: &structs.NodeService{
 			ID:      "foo",
 			Service: "foo",
 		},
 		Check: &structs.HealthCheck{
 			CheckID:   "service:foo",
 			Name:      "service:foo",
 			ServiceID: "foo",
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
 	if err := client.Call("Catalog.Register", &regArg, nil); err != nil {
 		t.Fatalf("err: %s", err)
 	}
-
+	for _, info := range reply.Dump {
-	// Register a service we don't have access to
+		found := false
-	regArg = structs.RegisterRequest{
+		for _, chk := range info.Checks {
-		Datacenter: "dc1",
+			if chk.ServiceName == "foo" {
-		Node:       srv.config.NodeName,
+				found = true
 		Address:    "127.0.0.1",
 		Service: &structs.NodeService{
 			ID:      "bar",
 			Service: "bar",
 		},
 		Check: &structs.HealthCheck{
 			CheckID:   "service:bar",
 			Name:      "service:bar",
 			ServiceID: "bar",
 		},
 		WriteRequest: structs.WriteRequest{Token: "root"},
 	}
 	if err := client.Call("Catalog.Register", &regArg, nil); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 	// Internal.NodeInfo filters services properly
 	{
 		opt := structs.NodeSpecificRequest{
 			Datacenter:   "dc1",
 			Node:         srv.config.NodeName,
 			QueryOptions: structs.QueryOptions{Token: id},
 		}
 		reply := structs.IndexedNodeDump{}
 		if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
 			t.Fatalf("err: %s", err)
 		}
 		for _, info := range reply.Dump {
 			found := false
 			for _, chk := range info.Checks {
 				if chk.ServiceName == "foo" {
 					found = true
 				}
 				if chk.ServiceName == "bar" {
 					t.Fatalf("bad: %#v", info.Checks)
 				}
 			}
-			if !found {
+			if chk.ServiceName == "bar" {
 				t.Fatalf("bad: %#v", info.Checks)
 			}
 		}
 		if !found {
 			t.Fatalf("bad: %#v", info.Checks)
 		}
-			found = false
+		found = false
-			for _, svc := range info.Services {
+		for _, svc := range info.Services {
-				if svc.Service == "foo" {
+			if svc.Service == "foo" {
-					found = true
+				found = true
 				}
 				if svc.Service == "bar" {
 					t.Fatalf("bad: %#v", info.Services)
 				}
 			}
-			if !found {
+			if svc.Service == "bar" {
 				t.Fatalf("bad: %#v", info.Services)
 			}
 		}
-	}
+		if !found {
-
+			t.Fatalf("bad: %#v", info.Services)
-	// Internal.NodeDump filters services properly
+		}
-	{
+	}
-		opt := structs.DCSpecificRequest{
+}
-			Datacenter:   "dc1",
+
-			QueryOptions: structs.QueryOptions{Token: id},
+func TestInternal_NodeDump_FilterACL(t *testing.T) {
-		}
+	dir, token, srv, client := testACLFilterServer(t)
-		reply := structs.IndexedNodeDump{}
+	defer os.RemoveAll(dir)
-		if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
+	defer srv.Shutdown()
-			t.Fatalf("err: %s", err)
+	defer client.Close()
-		}
+
-		for _, info := range reply.Dump {
+	opt := structs.DCSpecificRequest{
-			found := false
+		Datacenter:   "dc1",
-			for _, chk := range info.Checks {
+		QueryOptions: structs.QueryOptions{Token: token},
-				if chk.ServiceName == "foo" {
+	}
-					found = true
+	reply := structs.IndexedNodeDump{}
-				}
+	if err := client.Call("Health.NodeChecks", &opt, &reply); err != nil {
-				if chk.ServiceName == "bar" {
+		t.Fatalf("err: %s", err)
-					t.Fatalf("bad: %#v", info.Checks)
+	}
-				}
+	for _, info := range reply.Dump {
-			}
+		found := false
-			if !found {
+		for _, chk := range info.Checks {
-				t.Fatalf("bad: %#v", info.Checks)
+			if chk.ServiceName == "foo" {
-			}
+				found = true
-
+			}
-			found = false
+			if chk.ServiceName == "bar" {
-			for _, svc := range info.Services {
+				t.Fatalf("bad: %#v", info.Checks)
-				if svc.Service == "foo" {
+			}
-					found = true
+		}
-				}
+		if !found {
-				if svc.Service == "bar" {
+			t.Fatalf("bad: %#v", info.Checks)
-					t.Fatalf("bad: %#v", info.Services)
+		}
-				}
+
-			}
+		found = false
-			if !found {
+		for _, svc := range info.Services {
-				t.Fatalf("bad: %#v", info.Services)
+			if svc.Service == "foo" {
-			}
+				found = true
 			}
 			if svc.Service == "bar" {
 				t.Fatalf("bad: %#v", info.Services)
 			}
 		}
 		if !found {
 			t.Fatalf("bad: %#v", info.Services)
 		}
 	}
 }