mirror of https://github.com/hashicorp/consul
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
411 lines
6.1 KiB
411 lines
6.1 KiB
package acl |
|
|
|
import ( |
|
"reflect" |
|
"strings" |
|
"testing" |
|
) |
|
|
|
func TestACLPolicy_Parse_HCL(t *testing.T) { |
|
inp := ` |
|
agent "foo" { |
|
policy = "read" |
|
} |
|
agent "bar" { |
|
policy = "write" |
|
} |
|
event "" { |
|
policy = "read" |
|
} |
|
event "foo" { |
|
policy = "write" |
|
} |
|
event "bar" { |
|
policy = "deny" |
|
} |
|
key "" { |
|
policy = "read" |
|
} |
|
key "foo/" { |
|
policy = "write" |
|
} |
|
key "foo/bar/" { |
|
policy = "read" |
|
} |
|
key "foo/bar/baz" { |
|
policy = "deny" |
|
} |
|
keyring = "deny" |
|
node "" { |
|
policy = "read" |
|
} |
|
node "foo" { |
|
policy = "write" |
|
} |
|
node "bar" { |
|
policy = "deny" |
|
} |
|
operator = "deny" |
|
service "" { |
|
policy = "write" |
|
} |
|
service "foo" { |
|
policy = "read" |
|
} |
|
session "foo" { |
|
policy = "write" |
|
} |
|
session "bar" { |
|
policy = "deny" |
|
} |
|
query "" { |
|
policy = "read" |
|
} |
|
query "foo" { |
|
policy = "write" |
|
} |
|
query "bar" { |
|
policy = "deny" |
|
} |
|
` |
|
exp := &Policy{ |
|
Agents: []*AgentPolicy{ |
|
&AgentPolicy{ |
|
Node: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
&AgentPolicy{ |
|
Node: "bar", |
|
Policy: PolicyWrite, |
|
}, |
|
}, |
|
Events: []*EventPolicy{ |
|
&EventPolicy{ |
|
Event: "", |
|
Policy: PolicyRead, |
|
}, |
|
&EventPolicy{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&EventPolicy{ |
|
Event: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Keyring: PolicyDeny, |
|
Keys: []*KeyPolicy{ |
|
&KeyPolicy{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/", |
|
Policy: PolicyWrite, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/bar/", |
|
Policy: PolicyRead, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/bar/baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Nodes: []*NodePolicy{ |
|
&NodePolicy{ |
|
Name: "", |
|
Policy: PolicyRead, |
|
}, |
|
&NodePolicy{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&NodePolicy{ |
|
Name: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Operator: PolicyDeny, |
|
PreparedQueries: []*PreparedQueryPolicy{ |
|
&PreparedQueryPolicy{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
&PreparedQueryPolicy{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&PreparedQueryPolicy{ |
|
Prefix: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Services: []*ServicePolicy{ |
|
&ServicePolicy{ |
|
Name: "", |
|
Policy: PolicyWrite, |
|
}, |
|
&ServicePolicy{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
Sessions: []*SessionPolicy{ |
|
&SessionPolicy{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&SessionPolicy{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
} |
|
|
|
out, err := Parse(inp) |
|
if err != nil { |
|
t.Fatalf("err: %v", err) |
|
} |
|
|
|
if !reflect.DeepEqual(out, exp) { |
|
t.Fatalf("bad: %#v %#v", out, exp) |
|
} |
|
} |
|
|
|
func TestACLPolicy_Parse_JSON(t *testing.T) { |
|
inp := `{ |
|
"agent": { |
|
"foo": { |
|
"policy": "write" |
|
}, |
|
"bar": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"event": { |
|
"": { |
|
"policy": "read" |
|
}, |
|
"foo": { |
|
"policy": "write" |
|
}, |
|
"bar": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"key": { |
|
"": { |
|
"policy": "read" |
|
}, |
|
"foo/": { |
|
"policy": "write" |
|
}, |
|
"foo/bar/": { |
|
"policy": "read" |
|
}, |
|
"foo/bar/baz": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"keyring": "deny", |
|
"node": { |
|
"": { |
|
"policy": "read" |
|
}, |
|
"foo": { |
|
"policy": "write" |
|
}, |
|
"bar": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"operator": "deny", |
|
"query": { |
|
"": { |
|
"policy": "read" |
|
}, |
|
"foo": { |
|
"policy": "write" |
|
}, |
|
"bar": { |
|
"policy": "deny" |
|
} |
|
}, |
|
"service": { |
|
"": { |
|
"policy": "write" |
|
}, |
|
"foo": { |
|
"policy": "read" |
|
} |
|
}, |
|
"session": { |
|
"foo": { |
|
"policy": "write" |
|
}, |
|
"bar": { |
|
"policy": "deny" |
|
} |
|
} |
|
}` |
|
exp := &Policy{ |
|
Agents: []*AgentPolicy{ |
|
&AgentPolicy{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&AgentPolicy{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Events: []*EventPolicy{ |
|
&EventPolicy{ |
|
Event: "", |
|
Policy: PolicyRead, |
|
}, |
|
&EventPolicy{ |
|
Event: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&EventPolicy{ |
|
Event: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Keyring: PolicyDeny, |
|
Keys: []*KeyPolicy{ |
|
&KeyPolicy{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/", |
|
Policy: PolicyWrite, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/bar/", |
|
Policy: PolicyRead, |
|
}, |
|
&KeyPolicy{ |
|
Prefix: "foo/bar/baz", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Nodes: []*NodePolicy{ |
|
&NodePolicy{ |
|
Name: "", |
|
Policy: PolicyRead, |
|
}, |
|
&NodePolicy{ |
|
Name: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&NodePolicy{ |
|
Name: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Operator: PolicyDeny, |
|
PreparedQueries: []*PreparedQueryPolicy{ |
|
&PreparedQueryPolicy{ |
|
Prefix: "", |
|
Policy: PolicyRead, |
|
}, |
|
&PreparedQueryPolicy{ |
|
Prefix: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&PreparedQueryPolicy{ |
|
Prefix: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
Services: []*ServicePolicy{ |
|
&ServicePolicy{ |
|
Name: "", |
|
Policy: PolicyWrite, |
|
}, |
|
&ServicePolicy{ |
|
Name: "foo", |
|
Policy: PolicyRead, |
|
}, |
|
}, |
|
Sessions: []*SessionPolicy{ |
|
&SessionPolicy{ |
|
Node: "foo", |
|
Policy: PolicyWrite, |
|
}, |
|
&SessionPolicy{ |
|
Node: "bar", |
|
Policy: PolicyDeny, |
|
}, |
|
}, |
|
} |
|
|
|
out, err := Parse(inp) |
|
if err != nil { |
|
t.Fatalf("err: %v", err) |
|
} |
|
|
|
if !reflect.DeepEqual(out, exp) { |
|
t.Fatalf("bad: %#v %#v", out, exp) |
|
} |
|
} |
|
|
|
func TestACLPolicy_Keyring_Empty(t *testing.T) { |
|
inp := ` |
|
keyring = "" |
|
` |
|
exp := &Policy{ |
|
Keyring: "", |
|
} |
|
|
|
out, err := Parse(inp) |
|
if err != nil { |
|
t.Fatalf("err: %v", err) |
|
} |
|
|
|
if !reflect.DeepEqual(out, exp) { |
|
t.Fatalf("bad: %#v %#v", out, exp) |
|
} |
|
} |
|
|
|
func TestACLPolicy_Operator_Empty(t *testing.T) { |
|
inp := ` |
|
operator = "" |
|
` |
|
exp := &Policy{ |
|
Operator: "", |
|
} |
|
|
|
out, err := Parse(inp) |
|
if err != nil { |
|
t.Fatalf("err: %v", err) |
|
} |
|
|
|
if !reflect.DeepEqual(out, exp) { |
|
t.Fatalf("bad: %#v %#v", out, exp) |
|
} |
|
} |
|
|
|
func TestACLPolicy_Bad_Policy(t *testing.T) { |
|
cases := []string{ |
|
`agent "" { policy = "nope" }`, |
|
`event "" { policy = "nope" }`, |
|
`key "" { policy = "nope" }`, |
|
`keyring = "nope"`, |
|
`node "" { policy = "nope" }`, |
|
`operator = "nope"`, |
|
`query "" { policy = "nope" }`, |
|
`service "" { policy = "nope" }`, |
|
`session "" { policy = "nope" }`, |
|
} |
|
for _, c := range cases { |
|
_, err := Parse(c) |
|
if err == nil || !strings.Contains(err.Error(), "Invalid") { |
|
t.Fatalf("expected policy error, got: %#v", err) |
|
} |
|
} |
|
}
|
|
|