mirror of https://github.com/hashicorp/consul
agent: update some tests that were using legacy ACL endpoints
The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.pull/10661/head
Daniel Nephin
parent
7ecd2e5466
commit
858071d55a
|
|
@ -459,7 +459,7 @@ func (s *HTTPHandlers) ACLTokenCreate(resp http.ResponseWriter, req *http.Reques
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
return s.aclTokenSetInternal(resp, req, "", true)
|
||||
return s.aclTokenSetInternal(req, "", true)
|
||||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
|
||||
|
|
@ -494,11 +494,11 @@ func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request,
|
|||
return out.Token, nil
|
||||
}
|
||||
|
||||
func (s *HTTPHandlers) ACLTokenSet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
|
||||
return s.aclTokenSetInternal(resp, req, tokenID, false)
|
||||
func (s *HTTPHandlers) ACLTokenSet(_ http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
|
||||
return s.aclTokenSetInternal(req, tokenID, false)
|
||||
}
|
||||
|
||||
func (s *HTTPHandlers) aclTokenSetInternal(_resp http.ResponseWriter, req *http.Request, tokenID string, create bool) (interface{}, error) {
|
||||
func (s *HTTPHandlers) aclTokenSetInternal(req *http.Request, tokenID string, create bool) (interface{}, error) {
|
||||
args := structs.ACLTokenSetRequest{
|
||||
Datacenter: s.agent.config.Datacenter,
|
||||
Create: create,
|
||||
|
|
|
|||
|
|
@ -45,20 +45,29 @@ import (
|
|||
"github.com/hashicorp/consul/types"
|
||||
)
|
||||
|
||||
func makeReadOnlyAgentACL(t *testing.T, srv *HTTPHandlers) string {
|
||||
args := map[string]interface{}{
|
||||
"Name": "User Token",
|
||||
"Type": "client",
|
||||
"Rules": `agent "" { policy = "read" }`,
|
||||
func createACLTokenWithAgentReadPolicy(t *testing.T, srv *HTTPHandlers) string {
|
||||
policyReq := &structs.ACLPolicy{
|
||||
Name: "agent-read",
|
||||
Rules: `agent_prefix "" { policy = "read" }`,
|
||||
}
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
|
||||
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
|
||||
resp := httptest.NewRecorder()
|
||||
obj, err := srv.ACLCreate(resp, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
_, err := srv.ACLPolicyCreate(resp, req)
|
||||
require.NoError(t, err)
|
||||
|
||||
tokenReq := &structs.ACLToken{
|
||||
Description: "agent-read-token-for-test",
|
||||
Policies: []structs.ACLTokenPolicyLink{{Name: "agent-read"}},
|
||||
}
|
||||
aclResp := obj.(aclCreateResponse)
|
||||
return aclResp.ID
|
||||
|
||||
req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
|
||||
resp = httptest.NewRecorder()
|
||||
tokInf, err := srv.ACLTokenCreate(resp, req)
|
||||
require.NoError(t, err)
|
||||
svcToken, ok := tokInf.(*structs.ACLToken)
|
||||
require.True(t, ok)
|
||||
return svcToken.SecretID
|
||||
}
|
||||
|
||||
func TestAgent_Services(t *testing.T) {
|
||||
|
|
@ -1386,7 +1395,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a.srv)
|
||||
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil)
|
||||
if _, err := a.srv.AgentSelf(nil, req); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1419,7 +1428,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a.srv)
|
||||
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil)
|
||||
if _, err := a.srv.AgentMetrics(nil, req); err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1761,7 +1770,7 @@ func TestAgent_Reload_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a.srv)
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil)
|
||||
if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -1958,7 +1967,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a1.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a1.srv)
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil)
|
||||
if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -2061,7 +2070,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a.srv)
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil)
|
||||
if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -2167,7 +2176,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
|
|||
})
|
||||
|
||||
t.Run("read-only token", func(t *testing.T) {
|
||||
ro := makeReadOnlyAgentACL(t, a.srv)
|
||||
ro := createACLTokenWithAgentReadPolicy(t, a.srv)
|
||||
req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil)
|
||||
if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
|
||||
t.Fatalf("err: %v", err)
|
||||
|
|
@ -5599,23 +5608,7 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
|
|||
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
|
||||
}
|
||||
|
||||
// Create an ACL with service:write for our service
|
||||
var token string
|
||||
{
|
||||
args := map[string]interface{}{
|
||||
"Name": "User Token",
|
||||
"Type": "client",
|
||||
"Rules": `service "test" { policy = "write" }`,
|
||||
}
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
|
||||
resp := httptest.NewRecorder()
|
||||
obj, err := a.srv.ACLCreate(resp, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
aclResp := obj.(aclCreateResponse)
|
||||
token = aclResp.ID
|
||||
}
|
||||
token := createACLTokenWithServicePolicy(t, a.srv, "write")
|
||||
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
|
||||
resp := httptest.NewRecorder()
|
||||
|
|
@ -5627,6 +5620,31 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
|
|||
require.True(ok)
|
||||
}
|
||||
|
||||
func createACLTokenWithServicePolicy(t *testing.T, srv *HTTPHandlers, policy string) string {
|
||||
policyReq := &structs.ACLPolicy{
|
||||
Name: "service-test-write",
|
||||
Rules: fmt.Sprintf(`service "test" { policy = "%v" }`, policy),
|
||||
}
|
||||
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
|
||||
resp := httptest.NewRecorder()
|
||||
_, err := srv.ACLPolicyCreate(resp, req)
|
||||
require.NoError(t, err)
|
||||
|
||||
tokenReq := &structs.ACLToken{
|
||||
Description: "token-for-test",
|
||||
Policies: []structs.ACLTokenPolicyLink{{Name: "service-test-write"}},
|
||||
}
|
||||
|
||||
req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
|
||||
resp = httptest.NewRecorder()
|
||||
tokInf, err := srv.ACLTokenCreate(resp, req)
|
||||
require.NoError(t, err)
|
||||
svcToken, ok := tokInf.(*structs.ACLToken)
|
||||
require.True(t, ok)
|
||||
return svcToken.SecretID
|
||||
}
|
||||
|
||||
func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip("too slow for testing.Short")
|
||||
|
|
@ -5660,23 +5678,7 @@ func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
|
|||
require.Equal(200, resp.Code, "body: %s", resp.Body.String())
|
||||
}
|
||||
|
||||
// Create an ACL with service:read for our service
|
||||
var token string
|
||||
{
|
||||
args := map[string]interface{}{
|
||||
"Name": "User Token",
|
||||
"Type": "client",
|
||||
"Rules": `service "test" { policy = "read" }`,
|
||||
}
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
|
||||
resp := httptest.NewRecorder()
|
||||
obj, err := a.srv.ACLCreate(resp, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
aclResp := obj.(aclCreateResponse)
|
||||
token = aclResp.ID
|
||||
}
|
||||
token := createACLTokenWithServicePolicy(t, a.srv, "read")
|
||||
|
||||
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
|
||||
resp := httptest.NewRecorder()
|
||||
|
|
@ -6665,26 +6667,10 @@ func TestAgentConnectAuthorize_serviceWrite(t *testing.T) {
|
|||
defer a.Shutdown()
|
||||
testrpc.WaitForLeader(t, a.RPC, "dc1")
|
||||
|
||||
// Create an ACL
|
||||
var token string
|
||||
{
|
||||
args := map[string]interface{}{
|
||||
"Name": "User Token",
|
||||
"Type": "client",
|
||||
"Rules": `service "foo" { policy = "read" }`,
|
||||
}
|
||||
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
|
||||
resp := httptest.NewRecorder()
|
||||
obj, err := a.srv.ACLCreate(resp, req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
aclResp := obj.(aclCreateResponse)
|
||||
token = aclResp.ID
|
||||
}
|
||||
token := createACLTokenWithServicePolicy(t, a.srv, "read")
|
||||
|
||||
args := &structs.ConnectAuthorizeRequest{
|
||||
Target: "foo",
|
||||
Target: "test",
|
||||
ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(),
|
||||
}
|
||||
req, _ := http.NewRequest("POST",
|
||||
|
|
|
|||
Loading…
Reference in New Issue