mirror of https://github.com/hashicorp/consul
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
295 lines
6.5 KiB
295 lines
6.5 KiB
// Copyright (c) HashiCorp, Inc. |
|
// SPDX-License-Identifier: BUSL-1.1 |
|
|
|
package logout |
|
|
|
import ( |
|
"strings" |
|
"testing" |
|
|
|
"github.com/hashicorp/go-uuid" |
|
"github.com/mitchellh/cli" |
|
"github.com/stretchr/testify/require" |
|
|
|
"github.com/hashicorp/consul/agent" |
|
"github.com/hashicorp/consul/agent/consul/authmethod/kubeauth" |
|
"github.com/hashicorp/consul/agent/consul/authmethod/testauth" |
|
"github.com/hashicorp/consul/api" |
|
"github.com/hashicorp/consul/command/acl" |
|
"github.com/hashicorp/consul/testrpc" |
|
) |
|
|
|
func TestLogout_noTabs(t *testing.T) { |
|
t.Parallel() |
|
|
|
if strings.ContainsRune(New(cli.NewMockUi()).Help(), '\t') { |
|
t.Fatal("help has tabs") |
|
} |
|
} |
|
|
|
func TestLogoutCommand(t *testing.T) { |
|
if testing.Short() { |
|
t.Skip("too slow for testing.Short") |
|
} |
|
|
|
t.Parallel() |
|
|
|
a := agent.NewTestAgent(t, ` |
|
primary_datacenter = "dc1" |
|
acl { |
|
enabled = true |
|
tokens { |
|
initial_management = "root" |
|
} |
|
}`) |
|
|
|
defer a.Shutdown() |
|
testrpc.WaitForLeader(t, a.RPC, "dc1") |
|
|
|
client := a.Client() |
|
|
|
t.Run("no token specified", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "401 (Supplied token does not exist)") |
|
}) |
|
|
|
t.Run("logout of deleted token", func(t *testing.T) { |
|
fakeID, err := uuid.GenerateUUID() |
|
require.NoError(t, err) |
|
|
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + fakeID, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "403 (ACL not found)") |
|
}) |
|
|
|
plainToken, _, err := client.ACL().TokenCreate( |
|
&api.ACLToken{Description: "test"}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
|
|
t.Run("logout of ordinary token", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + plainToken.SecretID, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "403 (Permission denied: token wasn't created via login)") |
|
}) |
|
|
|
testSessionID := testauth.StartSession() |
|
defer testauth.ResetSession(testSessionID) |
|
|
|
testauth.InstallSessionToken( |
|
testSessionID, |
|
"demo-token", |
|
"default", "demo", "76091af4-4b56-11e9-ac4b-708b11801cbe", |
|
) |
|
|
|
{ |
|
_, _, err := client.ACL().AuthMethodCreate( |
|
&api.ACLAuthMethod{ |
|
Name: "test", |
|
Type: "testing", |
|
Config: map[string]interface{}{ |
|
"SessionID": testSessionID, |
|
}, |
|
}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
} |
|
{ |
|
_, _, err := client.ACL().BindingRuleCreate(&api.ACLBindingRule{ |
|
AuthMethod: "test", |
|
BindType: api.BindingRuleBindTypeService, |
|
BindName: "${serviceaccount.name}", |
|
}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
} |
|
|
|
var loginTokenSecret string |
|
{ |
|
tok, _, err := client.ACL().Login(&api.ACLLoginParams{ |
|
AuthMethod: "test", |
|
BearerToken: "demo-token", |
|
}, nil) |
|
require.NoError(t, err) |
|
|
|
loginTokenSecret = tok.SecretID |
|
} |
|
|
|
t.Run("logout of login token", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + loginTokenSecret, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String()) |
|
require.Empty(t, ui.ErrorWriter.String()) |
|
}) |
|
} |
|
|
|
func TestLogoutCommand_k8s(t *testing.T) { |
|
if testing.Short() { |
|
t.Skip("too slow for testing.Short") |
|
} |
|
|
|
t.Parallel() |
|
|
|
a := agent.NewTestAgent(t, ` |
|
primary_datacenter = "dc1" |
|
acl { |
|
enabled = true |
|
tokens { |
|
initial_management = "root" |
|
} |
|
}`) |
|
|
|
defer a.Shutdown() |
|
testrpc.WaitForLeader(t, a.RPC, "dc1") |
|
|
|
client := a.Client() |
|
|
|
t.Run("no token specified", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "401 (Supplied token does not exist)") |
|
}) |
|
|
|
t.Run("logout of deleted token", func(t *testing.T) { |
|
fakeID, err := uuid.GenerateUUID() |
|
require.NoError(t, err) |
|
|
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + fakeID, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "403 (ACL not found)") |
|
}) |
|
|
|
plainToken, _, err := client.ACL().TokenCreate( |
|
&api.ACLToken{Description: "test"}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
|
|
t.Run("logout of ordinary token", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + plainToken.SecretID, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 1, "err: %s", ui.ErrorWriter.String()) |
|
require.Contains(t, ui.ErrorWriter.String(), "403 (Permission denied: token wasn't created via login)") |
|
}) |
|
|
|
// spin up a fake api server |
|
testSrv := kubeauth.StartTestAPIServer(t) |
|
defer testSrv.Stop() |
|
|
|
testSrv.AuthorizeJWT(acl.TestKubernetesJWT_A) |
|
testSrv.SetAllowedServiceAccount( |
|
"default", |
|
"demo", |
|
"76091af4-4b56-11e9-ac4b-708b11801cbe", |
|
"", |
|
acl.TestKubernetesJWT_B, |
|
) |
|
|
|
{ |
|
_, _, err := client.ACL().AuthMethodCreate( |
|
&api.ACLAuthMethod{ |
|
Name: "k8s", |
|
Type: "kubernetes", |
|
Config: map[string]interface{}{ |
|
"Host": testSrv.Addr(), |
|
"CACert": testSrv.CACert(), |
|
// the "A" jwt will be the one with token review privs |
|
"ServiceAccountJWT": acl.TestKubernetesJWT_A, |
|
}, |
|
}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
} |
|
{ |
|
_, _, err := client.ACL().BindingRuleCreate(&api.ACLBindingRule{ |
|
AuthMethod: "k8s", |
|
BindType: api.BindingRuleBindTypeService, |
|
BindName: "${serviceaccount.name}", |
|
}, |
|
&api.WriteOptions{Token: "root"}, |
|
) |
|
require.NoError(t, err) |
|
} |
|
|
|
var loginTokenSecret string |
|
{ |
|
tok, _, err := client.ACL().Login(&api.ACLLoginParams{ |
|
AuthMethod: "k8s", |
|
BearerToken: acl.TestKubernetesJWT_B, |
|
}, nil) |
|
require.NoError(t, err) |
|
|
|
loginTokenSecret = tok.SecretID |
|
} |
|
|
|
t.Run("logout of login token", func(t *testing.T) { |
|
ui := cli.NewMockUi() |
|
cmd := New(ui) |
|
|
|
args := []string{ |
|
"-http-addr=" + a.HTTPAddr(), |
|
"-token=" + loginTokenSecret, |
|
} |
|
|
|
code := cmd.Run(args) |
|
require.Equal(t, code, 0, "err: %s", ui.ErrorWriter.String()) |
|
require.Empty(t, ui.ErrorWriter.String()) |
|
}) |
|
}
|
|
|