consul

Commit Graph

Author	SHA1	Message	Date
Florian Apolloner	077b0a48a3	Allow Operator Generated bootstrap token (#14437 ) Add support to provide an initial token via the bootstrap HTTP API, similar to hashicorp/nomad#12520	2 years ago
Semir Patel	bafa5c7156	Pass remote addr of incoming HTTP requests through to RPC(..) calls (#15700 )	2 years ago
Freddy	f99df57840	[OSS] Add new peering ACL rule (#13848 ) This commit adds a new ACL rule named "peering" to authorize actions taken against peering-related endpoints. The "peering" rule has several key properties: - It is scoped to a partition, and MUST be defined in the default namespace. - Its access level must be "read', "write", or "deny". - Granting an access level will apply to all peerings. This ACL rule cannot be used to selective grant access to some peerings but not others. - If the peering rule is not specified, we fall back to the "operator" rule and then the default ACL rule.	2 years ago
Mathew Estafanous	474385d153	Unify various status errors into one HTTP error type. (#12594 ) Replaces specific error types for HTTP Status codes with a generic HTTPError type. Co-authored-by: Chris S. Kim <ckim@hashicorp.com>	3 years ago
Blake Covarrubias	c786c49282	acl: Clarify node/service identities must be lowercase (#12807 ) Modify ACL error message for invalid node/service identities names to clearly state only lowercase alphanumeric characters are supported.	3 years ago
Kyle Havlovitz	b21b4346b4	Add expanded token read flag and endpoint option	3 years ago
Ashwin Venkatesh	6e6cd928a2	Parse datacenter from request (#12370 ) * Parse datacenter from request - Parse the value of the datacenter from the create/delete requests for AuthMethods and BindingRules so that they can be created in and deleted from the datacenters specified in the request.	3 years ago
Dan Upton	ca3aca92c4	[OSS] Remove remaining references to master (#11827 )	3 years ago
Mathew Estafanous	0fdd1318e9	Ensure consistency with error-handling across all handlers. (#11599 )	3 years ago
Dan Upton	205ce9a69d	Remove references to "master" ACL tokens in tests (#11751 )	3 years ago
Dan Upton	7fe81171d9	Rename `ACLMasterToken` => `ACLInitialManagementToken` (#11746 )	3 years ago
Chris S. Kim	54e4d1b7b2	ENT to OSS sync (#11703 )	3 years ago
Daniel Nephin	e8312d6b5a	testing: remove unnecessary calls to freeport Previously we believe it was necessary for all code that required ports to use freeport to prevent conflicts. https://github.com/dnephin/freeport-test shows that it is actually save to use port 0 (`127.0.0.1:0`) as long as it is passed directly to `net.Listen`, and the listener holds the port for as long as it is needed. This works because freeport explicitly avoids the ephemeral port range, and port 0 always uses that range. As you can see from the test output of https://github.com/dnephin/freeport-test, the two systems never use overlapping ports. This commit converts all uses of freeport that were being passed directly to a net.Listen to use port 0 instead. This allows us to remove a bit of wrapping we had around httptest, in a couple places.	3 years ago
Daniel Nephin	56f9238d15	go-sso: remove returnFunc now that freeport handles return	3 years ago
Daniel Nephin	18b3ac33e8	acl: remove unused translate rules endpoint The CLI command does not use this endpoint, so we can remove it. It was missed in an earlier pass.	3 years ago
R.B. Boyer	ee372a854a	acl: adding a new mesh resource	3 years ago
Daniel Nephin	c2b24adb5f	acl: remove ACLRulesTranslateLegacyToken API endpoint	3 years ago
Daniel Nephin	7ecd2e5466	http: update legacy ACL endpoints to return an error Also move a test for the ACLReplicationStatus endpoint into the correct file.	3 years ago
Evan Culver	13bd86527b	Add support for returning ACL secret IDs for accessors with acl:write (#10546 )	3 years ago
Mark Anderson	b9d22f48cd	Add fields to the /acl/auth-methods endpoint. (#9741 ) * A GET of the /acl/auth-method/:name endpoint returns the fields MaxTokenTTL and TokenLocality, while a LIST (/acl/auth-methods) does not. The list command returns a filtered subset of the full set. This is somewhat deliberate, so that secrets aren't shown, but the TTL and Locality fields aren't (IMO) security critical, and it is useful for the front end to be able to show them. For consistency these changes mirror the 'omit empty' and string representation choices made for the GET call. This includes changes to the gRPC and API code in the client. The new output looks similar to this curl 'http://localhost:8500/v1/acl/auth-methods' \| jq '.' { "MaxTokenTTL": "8m20s", "Name": "minikube-ttl-local2", "Type": "kubernetes", "Description": "minikube auth method", "TokenLocality": "local", "CreateIndex": 530, "ModifyIndex": 530, "Namespace": "default" } ] Signed-off-by: Mark Anderson <manderson@hashicorp.com> * Add changelog Signed-off-by: Mark Anderson <manderson@hashicorp.com>	4 years ago
Daniel Nephin	b9e60c0775	testing: skip slow tests with -short Add a skip condition to all tests slower than 100ms. This change was made using `gotestsum tool slowest` with data from the last 3 CI runs of master. See https://github.com/gotestyourself/gotestsum#finding-and-skipping-slow-tests With this change: ``` $ time go test -count=1 -short ./agent ok github.com/hashicorp/consul/agent 0.743s real 0m4.791s $ time go test -count=1 -short ./agent/consul ok github.com/hashicorp/consul/agent/consul 4.229s real 0m8.769s ```	4 years ago
Daniel Nephin	068b43df90	Enable gofmt simplify Code changes done automatically with 'gofmt -s -w'	5 years ago
Matt Keeler	d3881dd754	ACL Node Identities (#7970 ) A Node Identity is very similar to a service identity. Its main targeted use is to allow creating tokens for use by Consul agents that will grant the necessary permissions for all the typical agent operations (node registration, coordinate updates, anti-entropy). Half of this commit is for golden file based tests of the acl token and role cli output. Another big updates was to refactor many of the tests in agent/consul/acl_endpoint_test.go to use the same style of tests and the same helpers. Besides being less boiler plate in the tests it also uses a common way of starting a test server with ACLs that should operate without any warnings regarding deprecated non-uuid master tokens etc.	5 years ago
R.B. Boyer	1efafd7523	acl: add auth method for JWTs (#7846 )	5 years ago
R.B. Boyer	8927b54121	test: move some test helpers over from enterprise (#7754 )	5 years ago
Daniel Nephin	475659a132	Remove name from NewTestAgent Using: git grep -l 'NewTestAgent(t, t.Name(),' \| \ xargs sed -i -e 's/NewTestAgent(t, t.Name(),/NewTestAgent(t,/g'	5 years ago
Alejandro Baez	bafa69bb69	Add PolicyReadByName for API (#6615 )	5 years ago
Matt Keeler	deb91f3d3c	[Feature] API: Add a internal endpoint to query for ACL authori… (#6888 ) * Implement endpoint to query whether the given token is authorized for a set of operations * Updates to allow for remote ACL authorization via RPC This is only used when making an authorization request to a different datacenter.	5 years ago
Matt Keeler	4daa1585b0	ACL Token ID Initialization (#5307 )	6 years ago
R.B. Boyer	e47d7eeddb	acl: adding support for kubernetes auth provider login (#5600 ) * auth providers * binding rules * auth provider for kubernetes * login/logout	6 years ago
R.B. Boyer	f4a3b9d518	fix typos reported by golangci-lint:misspell (#5434 )	6 years ago
Matt Keeler	766d771017	Pass a testing.T into NewTestAgent and TestAgent.Start (#5342 ) This way we can avoid unnecessary panics which cause other tests not to run. This doesn't remove all the possibilities for panics causing other tests not to run, it just fixes the TestAgent	6 years ago
Matt Keeler	18b29c45c4	New ACLs (#4791 ) This PR is almost a complete rewrite of the ACL system within Consul. It brings the features more in line with other HashiCorp products. Obviously there is quite a bit left to do here but most of it is related docs, testing and finishing the last few commands in the CLI. I will update the PR description and check off the todos as I finish them over the next few days/week. Description At a high level this PR is mainly to split ACL tokens from Policies and to split the concepts of Authorization from Identities. A lot of this PR is mostly just to support CRUD operations on ACLTokens and ACLPolicies. These in and of themselves are not particularly interesting. The bigger conceptual changes are in how tokens get resolved, how backwards compatibility is handled and the separation of policy from identity which could lead the way to allowing for alternative identity providers. On the surface and with a new cluster the ACL system will look very similar to that of Nomads. Both have tokens and policies. Both have local tokens. The ACL management APIs for both are very similar. I even ripped off Nomad's ACL bootstrap resetting procedure. There are a few key differences though. Nomad requires token and policy replication where Consul only requires policy replication with token replication being opt-in. In Consul local tokens only work with token replication being enabled though. All policies in Nomad are globally applicable. In Consul all policies are stored and replicated globally but can be scoped to a subset of the datacenters. This allows for more granular access management. Unlike Nomad, Consul has legacy baggage in the form of the original ACL system. The ramifications of this are: A server running the new system must still support other clients using the legacy system. A client running the new system must be able to use the legacy RPCs when the servers in its datacenter are running the legacy system. The primary ACL DC's servers running in legacy mode needs to be a gate that keeps everything else in the entire multi-DC cluster running in legacy mode. So not only does this PR implement the new ACL system but has a legacy mode built in for when the cluster isn't ready for new ACLs. Also detecting that new ACLs can be used is automatic and requires no configuration on the part of administrators. This process is detailed more in the "Transitioning from Legacy to New ACL Mode" section below.	6 years ago
Pierre Souchay	cec5d72396	BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472 ) - Improve resilience of testrpc.WaitForLeader() - Add additionall retry to CI - Increase "go test" timeout to 8m - Add wait for cluster leader to several tests in the agent package - Add retry to some tests in the api and command packages	6 years ago
James Phillips	29367cd5ae	Moves ACL disabled response logic down into endpoints. This lets us make the registration of endpoints less fancy, on the road to adding a registration mechanism.	7 years ago
Frank Schröder	1e461110e6	agent: consolidate handling of 405 Method Not Allowed (#3405 ) * agent: consolidate http method not allowed checks This patch uses the error handling of the http handlers to handle HTTP method not allowed errors across all available endpoints. It also adds a test for testing whether the endpoints respond with the correct status code. * agent: do not panic on metrics tests * agent: drop other tests for MethodNotAllowed * agent: align /agent/join with reality /agent/join uses PUT instead of GET as documented. * agent: align /agent/check/{fail,warn,pass} with reality /agent/check/{fail,warn,pass} uses PUT instead of GET as documented. * fix some tests * Drop more tests for method not allowed * Align TestAgent_RegisterService_InvalidAddress with reality * Changes API client join to use PUT instead of GET. * Fixes agent endpoint verbs and removes obsolete tests. * Updates the change log.	7 years ago
Frank Schröder	12216583a1	New config parser, HCL support, multiple bind addrs (#3480 ) * new config parser for agent This patch implements a new config parser for the consul agent which makes the following changes to the previous implementation: * add HCL support * all configuration fragments in tests and for default config are expressed as HCL fragments * HCL fragments can be provided on the command line so that they can eventually replace the command line flags. * HCL/JSON fragments are parsed into a temporary Config structure which can be merged using reflection (all values are pointers). The existing merge logic of overwrite for values and append for slices has been preserved. * A single builder process generates a typed runtime configuration for the agent. The new implementation is more strict and fails in the builder process if no valid runtime configuration can be generated. Therefore, additional validations in other parts of the code should be removed. The builder also pre-computes all required network addresses so that no address/port magic should be required where the configuration is used and should therefore be removed. * Upgrade github.com/hashicorp/hcl to support int64 * improve error messages * fix directory permission test * Fix rtt test * Fix ForceLeave test * Skip performance test for now until we know what to do * Update github.com/hashicorp/memberlist to update log prefix * Make memberlist use the default logger * improve config error handling * do not fail on non-existing data-dir * experiment with non-uniform timeouts to get a handle on stalled leader elections * Run tests for packages separately to eliminate the spurious port conflicts * refactor private address detection and unify approach for ipv4 and ipv6. Fixes #2825 * do not allow unix sockets for DNS * improve bind and advertise addr error handling * go through builder using test coverage * minimal update to the docs * more coverage tests fixed * more tests * fix makefile * cleanup * fix port conflicts with external port server 'porter' * stop test server on error * do not run api test that change global ENV concurrently with the other tests * Run remaining api tests concurrently * no need for retry with the port number service * monkey patch race condition in go-sockaddr until we understand why that fails * monkey patch hcl decoder race condidtion until we understand why that fails * monkey patch spurious errors in strings.EqualFold from here * add test for hcl decoder race condition. Run with go test -parallel 128 * Increase timeout again * cleanup * don't log port allocations by default * use base command arg parsing to format help output properly * handle -dc deprecation case in Build * switch autopilot.max_trailing_logs to int * remove duplicate test case * remove unused methods * remove comments about flag/config value inconsistencies * switch got and want around since the error message was misleading. * Removes a stray debug log. * Removes a stray newline in imports. * Fixes TestACL_Version8. * Runs go fmt. * Adds a default case for unknown address types. * Reoders and reformats some imports. * Adds some comments and fixes typos. * Reorders imports. * add unix socket support for dns later * drop all deprecated flags and arguments * fix wrong field name * remove stray node-id file * drop unnecessary patch section in test * drop duplicate test * add test for LeaveOnTerm and SkipLeaveOnInt in client mode * drop "bla" and add clarifying comment for the test * split up tests to support enterprise/non-enterprise tests * drop raft multiplier and derive values during build phase * sanitize runtime config reflectively and add test * detect invalid config fields * fix tests with invalid config fields * use different values for wan sanitiziation test * drop recursor in favor of recursors * allow dns_config.udp_answer_limit to be zero * make sure tests run on machines with multiple ips * Fix failing tests in a few more places by providing a bind address in the test * Gets rid of skipped TestAgent_CheckPerformanceSettings and adds case for builder. * Add porter to server_test.go to make tests there less flaky * go fmt	7 years ago
Frank Schroeder	831d84c940	build: make tests independent of build tags When the metadata server is scanning the agents for potential servers it is parsing the version number which the agent provided when it joined. This version number has to conform to a certain format, i.e. 'n.n.n'. Without this version number properly set some tests fail with error messages that disguise the root cause. The default version number is currently set to 'unknown' in version/version.go which does not parse and triggers the tests to fail. The work around is to use a build tag 'consul' which will use the version number set in version_base.go instead which has the correct format and is set to the current release version. In addition, some parts of the code also require the version number to be of a certain value. Setting it to '0.0.0' for example makes some tests pass and others fail since they don't pass the semantic check. When using go build/install/test one has to remember to use '-tags consul' or tests will fail with non-obvious error messages. Using build tags makes the build process more complex and error prone since it prevents the use of the plain go toolchain and - at least in its current form - introduces subtle build and test issues. We should try to eliminate build tags for anything else but platform specific code. This patch removes all references to specific version numbers in the code and tests and sets the default version to '9.9.9' which is syntactically correct and passes the semantic check. This solves the issue of running go build/install/test without tags for the OSS build.	7 years ago
Frank Schröder	a3934c263c	acl: consolidate error handling (#3401 ) The error handling of the ACL code relies on the presence of certain magic error messages. Since the error values are sent via RPC between older and newer consul agents we cannot just replace the magic values with typed errors and switch to type checks since this would break compatibility with older clients. Therefore, this patch moves all magic ACL error messages into the acl package and provides default error values and helper functions which determine the type of error.	7 years ago
Frank Schroeder	1acff3533e	agent: move agent/consul/structs to agent/structs	7 years ago
James Phillips	c0a5ad7903	Adds a new /v1/acl/bootstrap API (#3349 )	7 years ago
James Phillips	872cf9ff95	Changes ACL clone response to 403 if not authorized, or if token doesn't exist. (#3275 ) Fixes #1113	7 years ago
Frank Schroeder	1c75cf1af5	pkg refactor command/agent/* -> agent/* command/consul/* -> agent/consul/* command/agent/command{,_test}.go -> command/agent{,_test}.go command/base/command.go -> command/base.go command/base/* -> command/* commands.go -> command/commands.go The script which did the refactor is: ( cd $GOPATH/src/github.com/hashicorp/consul git mv command/agent/command.go command/agent.go git mv command/agent/command_test.go command/agent_test.go git mv command/agent/flag_slice_value{,_test}.go command/ git mv command/agent . git mv command/base/command.go command/base.go git mv command/base/config_util{,_test}.go command/ git mv commands.go command/ git mv consul agent rmdir command/base/ gsed -i -e 's\|package agent\|package command\|' command/agent{,_test}.go gsed -i -e 's\|package agent\|package command\|' command/flag_slice_value{,_test}.go gsed -i -e 's\|package base\|package command\|' command/base.go command/config_util{,_test}.go gsed -i -e 's\|package main\|package command\|' command/commands.go gsed -i -e 's\|base.Command\|BaseCommand\|' command/commands.go gsed -i -e 's\|agent.Command\|AgentCommand\|' command/commands.go gsed -i -e 's\|\tCommand:\|\tBaseCommand:\|' command/commands.go gsed -i -e 's\|base\.\|\|' command/commands.go gsed -i -e 's\|command\.\|\|' command/commands.go gsed -i -e 's\|command\|c\|' main.go gsed -i -e 's\|range Commands\|range command.Commands\|' main.go gsed -i -e 's\|Commands: Commands\|Commands: command.Commands\|' main.go gsed -i -e 's\|base\.BoolValue\|BoolValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.DurationValue\|DurationValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.StringValue\|StringValue\|' command/operator_autopilot_set.go gsed -i -e 's\|base\.UintValue\|UintValue\|' command/operator_autopilot_set.go gsed -i -e 's\|\bCommand\b\|BaseCommand\|' command/base.go gsed -i -e 's\|BaseCommand Options\|Command Options\|' command/base.go gsed -i -e 's\|base.Command\|BaseCommand\|' command/.go gsed -i -e 's\|c\.Command\|c.BaseCommand\|g' command/.go gsed -i -e 's\|\tCommand:\|\tBaseCommand:\|' command/_test.go gsed -i -e 's\|base\.\|\|' command/_test.go gsed -i -e 's\|\bCommand\b\|AgentCommand\|' command/agent{,_test}.go gsed -i -e 's\|cmd.AgentCommand\|cmd.BaseCommand\|' command/agent.go gsed -i -e 's\|cli.AgentCommand = new(Command)\|cli.Command = new(AgentCommand)\|' command/agent_test.go gsed -i -e 's\|exec.AgentCommand\|exec.Command\|' command/agent_test.go gsed -i -e 's\|exec.BaseCommand\|exec.Command\|' command/agent_test.go gsed -i -e 's\|NewTestAgent\|agent.NewTestAgent\|' command/agent_test.go gsed -i -e 's\|= TestConfig\|= agent.TestConfig\|' command/agent_test.go gsed -i -e 's\|: RetryJoin\|: agent.RetryJoin\|' command/agent_test.go gsed -i -e 's\|\.\./\.\./\|../\|' command/config_util_test.go gsed -i -e 's\|\bverifyUniqueListeners\|VerifyUniqueListeners\|' agent/config{,_test}.go command/agent.go gsed -i -e 's\|\bserfLANKeyring\b\|SerfLANKeyring\|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's\|\bserfWANKeyring\b\|SerfWANKeyring\|g' agent/{agent,keyring,testagent}.go command/agent.go gsed -i -e 's\|\bNewAgent\b\|agent.New\|g' command/agent{,_test}.go gsed -i -e 's\|\bNewAgent\|New\|' agent/{acl_test,agent,testagent}.go gsed -i -e 's\|\bAgent\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bBool\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bDefaultConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bDevConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bMergeConfig\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bReadConfigPaths\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bParseMetaPair\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bSerfLANKeyring\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|\bSerfWANKeyring\b\|agent.&\|g' command/agent{,_test}.go gsed -i -e 's\|circonus\.agent\|circonus\|g' command/agent{,_test}.go gsed -i -e 's\|logger\.agent\|logger\|g' command/agent{,_test}.go gsed -i -e 's\|metrics\.agent\|metrics\|g' command/agent{,_test}.go gsed -i -e 's\|// agent.Agent\|// agent\|' command/agent{,_test}.go gsed -i -e 's\|a\.agent\.Config\|a.Config\|' command/agent{,_test}.go gsed -i -e 's\|agent\.AppendSliceValue\|AppendSliceValue\|' command/{configtest,validate}.go gsed -i -e 's\|consul/consul\|agent/consul\|' GNUmakefile gsed -i -e 's\|\.\./test\|../../test\|' agent/consul/server_test.go # fix imports f=$(grep -rl 'github.com/hashicorp/consul/command/agent' * \| grep '\.go') gsed -i -e 's\|github.com/hashicorp/consul/command/agent\|github.com/hashicorp/consul/agent\|' $f goimports -w $f f=$(grep -rl 'github.com/hashicorp/consul/consul' * \| grep '\.go') gsed -i -e 's\|github.com/hashicorp/consul/consul\|github.com/hashicorp/consul/agent/consul\|' $f goimports -w $f goimports -w command/*.go main.go )	8 years ago
Frank Schroeder	0f912c8aad	test: remove ACL options from default test config	8 years ago
Frank Schroeder	0be63d7060	test: refactor httpTest with TestAgent	8 years ago
Frank Schroeder	308f9929b3	test: run agent tests in parallel This brings down the test run from 108 sec to 15 sec. There is an occasional port conflict because of the nature the next port is chosen. So far it seems rare enough to live with it.	8 years ago
Frank Schroeder	1e89692cc1	test: drop error check on http.NewRequest Most URLs are static so the error check is redundant. The subsequent test wouldn't work if the url is wrong.	8 years ago
Frank Schroeder	48fa2962eb	Revert "test: Run command/agent tests in parallel" This reverts commit `17be40a733`.	8 years ago
Frank Schroeder	17be40a733	test: Run command/agent tests in parallel	8 years ago
James Phillips	d29af2ddc7	Adds an ACL replication status endpoint.	8 years ago

44 Commits (f5231b91571083cef41fe95ff2459ecd96728490)