mirror of https://github.com/hashicorp/consul
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1654 lines
30 KiB
1654 lines
30 KiB
package acl |
|
|
|
import ( |
|
"strings" |
|
"testing" |
|
|
|
"github.com/stretchr/testify/require" |
|
) |
|
|
|
func errStartsWith(t *testing.T, actual error, expected string) { |
|
t.Helper() |
|
require.Error(t, actual) |
|
require.Truef(t, strings.HasPrefix(actual.Error(), expected), "Received unexpected error: %#v\nExpecting an error with the prefix: %q", actual, expected) |
|
} |
|
|
|
func TestPolicySourceParse(t *testing.T) { |
|
ljoin := func(lines ...string) string { |
|
return strings.Join(lines, "\n") |
|
} |
|
cases := []struct { |
|
Name string |
|
Syntax SyntaxVersion |
|
Rules string |
|
Expected *Policy |
|
Err string |
|
}{ |
|
{ |
|
"Legacy Basic", |
|
SyntaxLegacy, |
|
ljoin( |
|
`agent "foo" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`agent "bar" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`event "" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`event "foo" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`event "bar" { `, |
|
` policy = "deny" `, |
|
`} `, |
|
`key "" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`key "foo/" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`key "foo/bar/" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`key "foo/bar/baz" {`, |
|
` policy = "deny" `, |
|
`} `, |
|
`keyring = "deny" `, |
|
`node "" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`node "foo" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`node "bar" { `, |
|
` policy = "deny" `, |
|
`} `, |
|
`operator = "deny" `, |
|
`service "" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`service "foo" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`session "foo" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`session "bar" { `, |
|
` policy = "deny" `, |
|
`} `, |
|
`query "" { `, |
|
` policy = "read" `, |
|
`} `, |
|
`query "foo" { `, |
|
` policy = "write" `, |
|
`} `, |
|
`query "bar" { `, |
|
` policy = "deny" `, |
|
`} `), |
|
&Policy{PolicyRules: PolicyRules{ |
|
AgentPrefixes: []*AgentRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
EventPrefixes: []*EventRule{ |
|
{ |
|
Event: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Keyring: PolicyDeny, |
|
KeyPrefixes: []*KeyRule{ |
|
{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo/", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "foo/bar/", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo/bar/baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
NodePrefixes: []*NodeRule{ |
|
{ |
|
Name: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Operator: PolicyDeny, |
|
PreparedQueryPrefixes: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
SessionPrefixes: []*SessionRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
"", |
|
}, |
|
{ |
|
"Legacy (JSON)", |
|
SyntaxLegacy, |
|
ljoin( |
|
`{ `, |
|
` "agent": { `, |
|
` "foo": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "bar": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` }, `, |
|
` "event": { `, |
|
` "": { `, |
|
` "policy": "read" `, |
|
` }, `, |
|
` "foo": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "bar": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` }, `, |
|
` "key": { `, |
|
` "": { `, |
|
` "policy": "read" `, |
|
` }, `, |
|
` "foo/": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "foo/bar/": { `, |
|
` "policy": "read" `, |
|
` }, `, |
|
` "foo/bar/baz": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` }, `, |
|
` "keyring": "deny", `, |
|
` "node": { `, |
|
` "": { `, |
|
` "policy": "read" `, |
|
` }, `, |
|
` "foo": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "bar": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` }, `, |
|
` "operator": "deny", `, |
|
` "query": { `, |
|
` "": { `, |
|
` "policy": "read" `, |
|
` }, `, |
|
` "foo": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "bar": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` }, `, |
|
` "service": { `, |
|
` "": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "foo": { `, |
|
` "policy": "read" `, |
|
` } `, |
|
` }, `, |
|
` "session": { `, |
|
` "foo": { `, |
|
` "policy": "write" `, |
|
` }, `, |
|
` "bar": { `, |
|
` "policy": "deny" `, |
|
` } `, |
|
` } `, |
|
`} `), |
|
&Policy{PolicyRules: PolicyRules{ |
|
AgentPrefixes: []*AgentRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
EventPrefixes: []*EventRule{ |
|
{ |
|
Event: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Keyring: PolicyDeny, |
|
KeyPrefixes: []*KeyRule{ |
|
{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo/", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "foo/bar/", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo/bar/baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
NodePrefixes: []*NodeRule{ |
|
{ |
|
Name: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Operator: PolicyDeny, |
|
PreparedQueryPrefixes: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
SessionPrefixes: []*SessionRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
"", |
|
}, |
|
{ |
|
"Service No Intentions (Legacy)", |
|
SyntaxLegacy, |
|
ljoin( |
|
`service "foo" { `, |
|
` policy = "write"`, |
|
`} `), |
|
&Policy{PolicyRules: PolicyRules{ |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "foo", |
|
Policy: "write", |
|
}, |
|
}, |
|
}}, |
|
"", |
|
}, |
|
{ |
|
"Service Intentions (Legacy)", |
|
SyntaxLegacy, |
|
ljoin( |
|
`service "foo" { `, |
|
` policy = "write" `, |
|
` intentions = "read"`, |
|
`} `), |
|
&Policy{PolicyRules: PolicyRules{ |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "foo", |
|
Policy: "write", |
|
Intentions: "read", |
|
}, |
|
}, |
|
}}, |
|
"", |
|
}, |
|
{ |
|
"Service Intention: invalid value (Legacy)", |
|
SyntaxLegacy, |
|
ljoin( |
|
`service "foo" { `, |
|
` policy = "write" `, |
|
` intentions = "foo"`, |
|
`} `), |
|
nil, |
|
"Invalid service intentions policy", |
|
}, |
|
{ |
|
"Bad Policy - ACL", |
|
|
|
SyntaxCurrent, |
|
`acl = "list"`, // there is no list policy but this helps to exercise another check in isPolicyValid |
|
nil, |
|
"Invalid acl policy", |
|
}, |
|
{ |
|
"Bad Policy - Agent", |
|
SyntaxCurrent, |
|
`agent "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid agent policy", |
|
}, |
|
{ |
|
"Bad Policy - Agent Prefix", |
|
SyntaxCurrent, |
|
`agent_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid agent_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Key", |
|
SyntaxCurrent, |
|
`key "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid key policy", |
|
}, |
|
{ |
|
"Bad Policy - Key Prefix", |
|
SyntaxCurrent, |
|
`key_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid key_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Node", |
|
SyntaxCurrent, |
|
`node "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid node policy", |
|
}, |
|
{ |
|
"Bad Policy - Node Prefix", |
|
SyntaxCurrent, |
|
`node_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid node_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Service", |
|
SyntaxCurrent, |
|
`service "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid service policy", |
|
}, |
|
{ |
|
"Bad Policy - Service Prefix", |
|
SyntaxCurrent, |
|
`service_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid service_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Session", |
|
SyntaxCurrent, |
|
`session "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid session policy", |
|
}, |
|
{ |
|
"Bad Policy - Session Prefix", |
|
SyntaxCurrent, |
|
`session_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid session_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Event", |
|
SyntaxCurrent, |
|
`event "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid event policy", |
|
}, |
|
{ |
|
"Bad Policy - Event Prefix", |
|
SyntaxCurrent, |
|
`event_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid event_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Prepared Query", |
|
SyntaxCurrent, |
|
`query "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid query policy", |
|
}, |
|
{ |
|
"Bad Policy - Prepared Query Prefix", |
|
SyntaxCurrent, |
|
`query_prefix "foo" { policy = "nope" }`, |
|
nil, |
|
"Invalid query_prefix policy", |
|
}, |
|
{ |
|
"Bad Policy - Keyring", |
|
SyntaxCurrent, |
|
`keyring = "nope"`, |
|
nil, |
|
"Invalid keyring policy", |
|
}, |
|
{ |
|
"Bad Policy - Operator", |
|
SyntaxCurrent, |
|
`operator = "nope"`, |
|
nil, |
|
"Invalid operator policy", |
|
}, |
|
{ |
|
"Keyring Empty", |
|
SyntaxCurrent, |
|
`keyring = ""`, |
|
&Policy{PolicyRules: PolicyRules{Keyring: ""}}, |
|
"", |
|
}, |
|
{ |
|
"Operator Empty", |
|
SyntaxCurrent, |
|
`operator = ""`, |
|
&Policy{PolicyRules: PolicyRules{Operator: ""}}, |
|
"", |
|
}, |
|
} |
|
|
|
for _, tc := range cases { |
|
t.Run(tc.Name, func(t *testing.T) { |
|
req := require.New(t) |
|
actual, err := NewPolicyFromSource("", 0, tc.Rules, tc.Syntax, nil, nil) |
|
if tc.Err != "" { |
|
errStartsWith(t, err, tc.Err) |
|
} else { |
|
req.Equal(tc.Expected, actual) |
|
} |
|
}) |
|
} |
|
} |
|
|
|
func TestMergePolicies(t *testing.T) { |
|
type mergeTest struct { |
|
name string |
|
input []*Policy |
|
expected *Policy |
|
} |
|
|
|
tests := []mergeTest{ |
|
{ |
|
name: "Agents", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Agents: []*AgentRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
AgentPrefixes: []*AgentRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Agents: []*AgentRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
AgentPrefixes: []*AgentRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}, |
|
}}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Agents: []*AgentRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
AgentPrefixes: []*AgentRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Events", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Events: []*EventRule{ |
|
{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
EventPrefixes: []*EventRule{ |
|
{ |
|
Event: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Events: []*EventRule{ |
|
{ |
|
Event: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
EventPrefixes: []*EventRule{ |
|
{ |
|
Event: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Events: []*EventRule{ |
|
{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
EventPrefixes: []*EventRule{ |
|
{ |
|
Event: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Event: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Event: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Node", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Nodes: []*NodeRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
NodePrefixes: []*NodeRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Nodes: []*NodeRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
NodePrefixes: []*NodeRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}, |
|
}}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Nodes: []*NodeRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
NodePrefixes: []*NodeRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Name: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Keys", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Keys: []*KeyRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "zoo", |
|
Policy: PolicyList, |
|
}, |
|
}, |
|
KeyPrefixes: []*KeyRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "333", |
|
Policy: PolicyList, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Keys: []*KeyRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
{ |
|
Prefix: "zoo", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
KeyPrefixes: []*KeyRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
{ |
|
Prefix: "333", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Keys: []*KeyRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
{ |
|
Prefix: "zoo", |
|
Policy: PolicyList, |
|
}, |
|
}, |
|
KeyPrefixes: []*KeyRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
{ |
|
Prefix: "333", |
|
Policy: PolicyList, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Services", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Services: []*ServiceRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
}, |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
{ |
|
Name: "111", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Services: []*ServiceRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyDeny, |
|
Intentions: PolicyDeny, |
|
}, |
|
}, |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyDeny, |
|
Intentions: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Services: []*ServiceRule{ |
|
{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
{ |
|
Name: "bar", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "baz", |
|
Policy: PolicyDeny, |
|
Intentions: PolicyDeny, |
|
}, |
|
}, |
|
ServicePrefixes: []*ServiceRule{ |
|
{ |
|
Name: "000", |
|
Policy: PolicyWrite, |
|
Intentions: PolicyWrite, |
|
}, |
|
{ |
|
Name: "111", |
|
Policy: PolicyRead, |
|
Intentions: PolicyRead, |
|
}, |
|
{ |
|
Name: "222", |
|
Policy: PolicyDeny, |
|
Intentions: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Sessions", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
Sessions: []*SessionRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
SessionPrefixes: []*SessionRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
Sessions: []*SessionRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
SessionPrefixes: []*SessionRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
Sessions: []*SessionRule{ |
|
{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
SessionPrefixes: []*SessionRule{ |
|
{ |
|
Node: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Node: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Node: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Prepared Queries", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
PreparedQueries: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
PreparedQueryPrefixes: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
PreparedQueries: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
PreparedQueryPrefixes: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
PreparedQueries: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "bar", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
PreparedQueryPrefixes: []*PreparedQueryRule{ |
|
{ |
|
Prefix: "000", |
|
Policy: PolicyWrite, |
|
}, |
|
{ |
|
Prefix: "111", |
|
Policy: PolicyRead, |
|
}, |
|
{ |
|
Prefix: "222", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
}}, |
|
}, |
|
{ |
|
name: "Write Precedence", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
ACL: PolicyRead, |
|
Keyring: PolicyRead, |
|
Operator: PolicyRead, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
ACL: PolicyWrite, |
|
Keyring: PolicyWrite, |
|
Operator: PolicyWrite, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
ACL: PolicyWrite, |
|
Keyring: PolicyWrite, |
|
Operator: PolicyWrite, |
|
}}, |
|
}, |
|
{ |
|
name: "Deny Precedence", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
ACL: PolicyWrite, |
|
Keyring: PolicyWrite, |
|
Operator: PolicyWrite, |
|
}}, |
|
{PolicyRules: PolicyRules{ |
|
ACL: PolicyDeny, |
|
Keyring: PolicyDeny, |
|
Operator: PolicyDeny, |
|
}}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
ACL: PolicyDeny, |
|
Keyring: PolicyDeny, |
|
Operator: PolicyDeny, |
|
}}, |
|
}, |
|
{ |
|
name: "Read Precedence", |
|
input: []*Policy{ |
|
{PolicyRules: PolicyRules{ |
|
ACL: PolicyRead, |
|
Keyring: PolicyRead, |
|
Operator: PolicyRead, |
|
}}, |
|
{}, |
|
}, |
|
expected: &Policy{PolicyRules: PolicyRules{ |
|
ACL: PolicyRead, |
|
Keyring: PolicyRead, |
|
Operator: PolicyRead, |
|
}}, |
|
}, |
|
} |
|
|
|
req := require.New(t) |
|
|
|
for _, tcase := range tests { |
|
t.Run(tcase.name, func(t *testing.T) { |
|
act := MergePolicies(tcase.input) |
|
exp := tcase.expected |
|
req.Equal(exp.ACL, act.ACL) |
|
req.Equal(exp.Keyring, act.Keyring) |
|
req.Equal(exp.Operator, act.Operator) |
|
req.ElementsMatch(exp.Agents, act.Agents) |
|
req.ElementsMatch(exp.AgentPrefixes, act.AgentPrefixes) |
|
req.ElementsMatch(exp.Events, act.Events) |
|
req.ElementsMatch(exp.EventPrefixes, act.EventPrefixes) |
|
req.ElementsMatch(exp.Keys, act.Keys) |
|
req.ElementsMatch(exp.KeyPrefixes, act.KeyPrefixes) |
|
req.ElementsMatch(exp.Nodes, act.Nodes) |
|
req.ElementsMatch(exp.NodePrefixes, act.NodePrefixes) |
|
req.ElementsMatch(exp.PreparedQueries, act.PreparedQueries) |
|
req.ElementsMatch(exp.PreparedQueryPrefixes, act.PreparedQueryPrefixes) |
|
req.ElementsMatch(exp.Services, act.Services) |
|
req.ElementsMatch(exp.ServicePrefixes, act.ServicePrefixes) |
|
req.ElementsMatch(exp.Sessions, act.Sessions) |
|
req.ElementsMatch(exp.SessionPrefixes, act.SessionPrefixes) |
|
}) |
|
} |
|
|
|
} |
|
|
|
func TestRulesTranslate(t *testing.T) { |
|
input := ` |
|
# top level comment |
|
|
|
# block comment |
|
agent "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
key "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
node "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
event "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
service "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
session "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
query "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# comment |
|
keyring = "write" |
|
|
|
# comment |
|
operator = "write" |
|
` |
|
|
|
expected := ` |
|
# top level comment |
|
|
|
# block comment |
|
agent_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
key_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
node_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
event_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
service_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
session_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# block comment |
|
query_prefix "" { |
|
# policy comment |
|
policy = "write" |
|
} |
|
|
|
# comment |
|
keyring = "write" |
|
|
|
# comment |
|
operator = "write" |
|
` |
|
|
|
output, err := TranslateLegacyRules([]byte(input)) |
|
require.NoError(t, err) |
|
require.Equal(t, strings.Trim(expected, "\n"), string(output)) |
|
} |
|
|
|
func TestRulesTranslate_GH5493(t *testing.T) { |
|
input := ` |
|
{ |
|
"key": { |
|
"": { |
|
"policy": "read" |
|
}, |
|
"key": { |
|
"policy": "read" |
|
}, |
|
"policy": { |
|
"policy": "read" |
|
}, |
|
"privatething1/": { |
|
"policy": "deny" |
|
}, |
|
"anapplication/private/": { |
|
"policy": "deny" |
|
}, |
|
"privatething2/": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"session": { |
|
"": { |
|
"policy": "write" |
|
} |
|
}, |
|
"node": { |
|
"": { |
|
"policy": "read" |
|
} |
|
}, |
|
"agent": { |
|
"": { |
|
"policy": "read" |
|
} |
|
}, |
|
"service": { |
|
"": { |
|
"policy": "read" |
|
} |
|
}, |
|
"event": { |
|
"": { |
|
"policy": "read" |
|
} |
|
}, |
|
"query": { |
|
"": { |
|
"policy": "read" |
|
} |
|
} |
|
}` |
|
expected := ` |
|
key_prefix "" { |
|
policy = "read" |
|
} |
|
|
|
key_prefix "key" { |
|
policy = "read" |
|
} |
|
|
|
key_prefix "policy" { |
|
policy = "read" |
|
} |
|
|
|
key_prefix "privatething1/" { |
|
policy = "deny" |
|
} |
|
|
|
key_prefix "anapplication/private/" { |
|
policy = "deny" |
|
} |
|
|
|
key_prefix "privatething2/" { |
|
policy = "deny" |
|
} |
|
|
|
session_prefix "" { |
|
policy = "write" |
|
} |
|
|
|
node_prefix "" { |
|
policy = "read" |
|
} |
|
|
|
agent_prefix "" { |
|
policy = "read" |
|
} |
|
|
|
service_prefix "" { |
|
policy = "read" |
|
} |
|
|
|
event_prefix "" { |
|
policy = "read" |
|
} |
|
|
|
query_prefix "" { |
|
policy = "read" |
|
} |
|
` |
|
output, err := TranslateLegacyRules([]byte(input)) |
|
require.NoError(t, err) |
|
require.Equal(t, strings.Trim(expected, "\n"), string(output)) |
|
} |
|
|
|
func TestPrecedence(t *testing.T) { |
|
type testCase struct { |
|
name string |
|
a string |
|
b string |
|
expected bool |
|
} |
|
|
|
cases := []testCase{ |
|
{ |
|
name: "Deny Over Write", |
|
a: PolicyDeny, |
|
b: PolicyWrite, |
|
expected: true, |
|
}, |
|
{ |
|
name: "Deny Over List", |
|
a: PolicyDeny, |
|
b: PolicyList, |
|
expected: true, |
|
}, |
|
{ |
|
name: "Deny Over Read", |
|
a: PolicyDeny, |
|
b: PolicyRead, |
|
expected: true, |
|
}, |
|
{ |
|
name: "Deny Over Unknown", |
|
a: PolicyDeny, |
|
b: "not a policy", |
|
expected: true, |
|
}, |
|
{ |
|
name: "Write Over List", |
|
a: PolicyWrite, |
|
b: PolicyList, |
|
expected: true, |
|
}, |
|
{ |
|
name: "Write Over Read", |
|
a: PolicyWrite, |
|
b: PolicyRead, |
|
expected: true, |
|
}, |
|
{ |
|
name: "Write Over Unknown", |
|
a: PolicyWrite, |
|
b: "not a policy", |
|
expected: true, |
|
}, |
|
{ |
|
name: "List Over Read", |
|
a: PolicyList, |
|
b: PolicyRead, |
|
expected: true, |
|
}, |
|
{ |
|
name: "List Over Unknown", |
|
a: PolicyList, |
|
b: "not a policy", |
|
expected: true, |
|
}, |
|
{ |
|
name: "Read Over Unknown", |
|
a: PolicyRead, |
|
b: "not a policy", |
|
expected: true, |
|
}, |
|
{ |
|
name: "Write Over Deny", |
|
a: PolicyWrite, |
|
b: PolicyDeny, |
|
expected: false, |
|
}, |
|
{ |
|
name: "List Over Deny", |
|
a: PolicyList, |
|
b: PolicyDeny, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Read Over Deny", |
|
a: PolicyRead, |
|
b: PolicyDeny, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Deny Over Unknown", |
|
a: PolicyDeny, |
|
b: "not a policy", |
|
expected: true, |
|
}, |
|
{ |
|
name: "List Over Write", |
|
a: PolicyList, |
|
b: PolicyWrite, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Read Over Write", |
|
a: PolicyRead, |
|
b: PolicyWrite, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Unknown Over Write", |
|
a: "not a policy", |
|
b: PolicyWrite, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Read Over List", |
|
a: PolicyRead, |
|
b: PolicyList, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Unknown Over List", |
|
a: "not a policy", |
|
b: PolicyList, |
|
expected: false, |
|
}, |
|
{ |
|
name: "Unknown Over Read", |
|
a: "not a policy", |
|
b: PolicyRead, |
|
expected: false, |
|
}, |
|
} |
|
|
|
for _, tcase := range cases { |
|
t.Run(tcase.name, func(t *testing.T) { |
|
require.Equal(t, tcase.expected, takesPrecedenceOver(tcase.a, tcase.b)) |
|
}) |
|
} |
|
}
|
|
|