github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

agent: update some tests that were using legacy ACL endpoints 

The tests were updated to use the new ACL endpoints now that the legacy ones have been removed.
pull/10661/head
Daniel Nephin 2021-07-20 17:52:34 -04:00
parent 7ecd2e5466
commit 858071d55a
2 changed files with 59 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
agent/acl_endpoint.go
View File

@ -459,7 +459,7 @@ func (s *HTTPHandlers) ACLTokenCreate(resp http.ResponseWriter, req *http.Reques
return nil, nil return nil, nil
} }
return s.aclTokenSetInternal(resp, req, "", true) return s.aclTokenSetInternal(req, "", true)
} }
func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) { func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
@ -494,11 +494,11 @@ func (s *HTTPHandlers) ACLTokenGet(resp http.ResponseWriter, req *http.Request,
return out.Token, nil return out.Token, nil
} }
func (s *HTTPHandlers) ACLTokenSet(resp http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) { func (s *HTTPHandlers) ACLTokenSet(_ http.ResponseWriter, req *http.Request, tokenID string) (interface{}, error) {
return s.aclTokenSetInternal(resp, req, tokenID, false) return s.aclTokenSetInternal(req, tokenID, false)
} }
func (s *HTTPHandlers) aclTokenSetInternal(_resp http.ResponseWriter, req *http.Request, tokenID string, create bool) (interface{}, error) { func (s *HTTPHandlers) aclTokenSetInternal(req *http.Request, tokenID string, create bool) (interface{}, error) {
args := structs.ACLTokenSetRequest{ args := structs.ACLTokenSetRequest{
Datacenter: s.agent.config.Datacenter, Datacenter: s.agent.config.Datacenter,
Create: create, Create: create,

124
agent/agent_endpoint_test.go
View File

@ -45,20 +45,29 @@ import (
"github.com/hashicorp/consul/types" "github.com/hashicorp/consul/types"
) )
func makeReadOnlyAgentACL(t *testing.T, srv *HTTPHandlers) string { func createACLTokenWithAgentReadPolicy(t *testing.T, srv *HTTPHandlers) string {
args := map[string]interface{}{ policyReq := &structs.ACLPolicy{
"Name": "User Token", Name: "agent-read",
"Type": "client", Rules: `agent_prefix "" { policy = "read" }`,
"Rules": `agent "" { policy = "read" }`,
} }
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
obj, err := srv.ACLCreate(resp, req) _, err := srv.ACLPolicyCreate(resp, req)
if err != nil { require.NoError(t, err)
t.Fatalf("err: %v", err)
tokenReq := &structs.ACLToken{
Description: "agent-read-token-for-test",
Policies: []structs.ACLTokenPolicyLink{{Name: "agent-read"}},
} }
aclResp := obj.(aclCreateResponse)
return aclResp.ID req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
resp = httptest.NewRecorder()
tokInf, err := srv.ACLTokenCreate(resp, req)
require.NoError(t, err)
svcToken, ok := tokInf.(*structs.ACLToken)
require.True(t, ok)
return svcToken.SecretID
} }
func TestAgent_Services(t *testing.T) { func TestAgent_Services(t *testing.T) {
@ -1386,7 +1395,7 @@ func TestAgent_Self_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/self?token=%s", ro), nil)
if _, err := a.srv.AgentSelf(nil, req); err != nil { if _, err := a.srv.AgentSelf(nil, req); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1419,7 +1428,7 @@ func TestAgent_Metrics_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil) req, _ := http.NewRequest("GET", fmt.Sprintf("/v1/agent/metrics?token=%s", ro), nil)
if _, err := a.srv.AgentMetrics(nil, req); err != nil { if _, err := a.srv.AgentMetrics(nil, req); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1761,7 +1770,7 @@ func TestAgent_Reload_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/reload?token=%s", ro), nil)
if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentReload(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -1958,7 +1967,7 @@ func TestAgent_Join_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a1.srv) ro := createACLTokenWithAgentReadPolicy(t, a1.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/join/%s?token=%s", addr, ro), nil)
if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a1.srv.AgentJoin(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -2061,7 +2070,7 @@ func TestAgent_Leave_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf("/v1/agent/leave?token=%s", ro), nil)
if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentLeave(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -2167,7 +2176,7 @@ func TestAgent_ForceLeave_ACLDeny(t *testing.T) {
}) })
t.Run("read-only token", func(t *testing.T) { t.Run("read-only token", func(t *testing.T) {
ro := makeReadOnlyAgentACL(t, a.srv) ro := createACLTokenWithAgentReadPolicy(t, a.srv)
req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil) req, _ := http.NewRequest("PUT", fmt.Sprintf(uri+"?token=%s", ro), nil)
if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) { if _, err := a.srv.AgentForceLeave(nil, req); !acl.IsErrPermissionDenied(err) {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
@ -5599,23 +5608,7 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
require.Equal(200, resp.Code, "body: %s", resp.Body.String()) require.Equal(200, resp.Code, "body: %s", resp.Body.String())
} }
// Create an ACL with service:write for our service token := createACLTokenWithServicePolicy(t, a.srv, "write")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "write" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil) req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -5627,6 +5620,31 @@ func TestAgentConnectCALeafCert_aclServiceWrite(t *testing.T) {
require.True(ok) require.True(ok)
} }
func createACLTokenWithServicePolicy(t *testing.T, srv *HTTPHandlers, policy string) string {
policyReq := &structs.ACLPolicy{
Name: "service-test-write",
Rules: fmt.Sprintf(`service "test" { policy = "%v" }`, policy),
}
req, _ := http.NewRequest("PUT", "/v1/acl/policy?token=root", jsonReader(policyReq))
resp := httptest.NewRecorder()
_, err := srv.ACLPolicyCreate(resp, req)
require.NoError(t, err)
tokenReq := &structs.ACLToken{
Description: "token-for-test",
Policies: []structs.ACLTokenPolicyLink{{Name: "service-test-write"}},
}
req, _ = http.NewRequest("PUT", "/v1/acl/token?token=root", jsonReader(tokenReq))
resp = httptest.NewRecorder()
tokInf, err := srv.ACLTokenCreate(resp, req)
require.NoError(t, err)
svcToken, ok := tokInf.(*structs.ACLToken)
require.True(t, ok)
return svcToken.SecretID
}
func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) { func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
if testing.Short() { if testing.Short() {
t.Skip("too slow for testing.Short") t.Skip("too slow for testing.Short")
@ -5660,23 +5678,7 @@ func TestAgentConnectCALeafCert_aclServiceReadDeny(t *testing.T) {
require.Equal(200, resp.Code, "body: %s", resp.Body.String()) require.Equal(200, resp.Code, "body: %s", resp.Body.String())
} }
// Create an ACL with service:read for our service token := createACLTokenWithServicePolicy(t, a.srv, "read")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "test" { policy = "read" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil) req, _ := http.NewRequest("GET", "/v1/agent/connect/ca/leaf/test?token="+token, nil)
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
@ -6665,26 +6667,10 @@ func TestAgentConnectAuthorize_serviceWrite(t *testing.T) {
defer a.Shutdown() defer a.Shutdown()
testrpc.WaitForLeader(t, a.RPC, "dc1") testrpc.WaitForLeader(t, a.RPC, "dc1")
// Create an ACL token := createACLTokenWithServicePolicy(t, a.srv, "read")
var token string
{
args := map[string]interface{}{
"Name": "User Token",
"Type": "client",
"Rules": `service "foo" { policy = "read" }`,
}
req, _ := http.NewRequest("PUT", "/v1/acl/create?token=root", jsonReader(args))
resp := httptest.NewRecorder()
obj, err := a.srv.ACLCreate(resp, req)
if err != nil {
t.Fatalf("err: %v", err)
}
aclResp := obj.(aclCreateResponse)
token = aclResp.ID
}
args := &structs.ConnectAuthorizeRequest{ args := &structs.ConnectAuthorizeRequest{
Target: "foo", Target: "test",
ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(), ClientCertURI: connect.TestSpiffeIDService(t, "web").URI().String(),
} }
req, _ := http.NewRequest("POST", req, _ := http.NewRequest("POST",