1package api 2 3import ( 4 "strings" 5 "testing" 6 "time" 7 8 "github.com/hashicorp/consul/sdk/testutil/retry" 9 10 "github.com/stretchr/testify/require" 11) 12 13func TestAPI_ACLBootstrap(t *testing.T) { 14 // TODO (slackpad) We currently can't inject the version, and the 15 // version in the binary depends on Git tags, so we can't reliably 16 // test this until we are just running an agent in-process here and 17 // have full control over the config. 18} 19 20func TestAPI_ACLCreateDestroy(t *testing.T) { 21 t.Parallel() 22 c, s := makeACLClient(t) 23 defer s.Stop() 24 s.WaitForSerfCheck(t) 25 26 acl := c.ACL() 27 28 ae := ACLEntry{ 29 Name: "API test", 30 Type: ACLClientType, 31 Rules: `key "" { policy = "deny" }`, 32 } 33 34 id, wm, err := acl.Create(&ae, nil) 35 if err != nil { 36 t.Fatalf("err: %v", err) 37 } 38 39 if wm.RequestTime == 0 { 40 t.Fatalf("bad: %v", wm) 41 } 42 43 if id == "" { 44 t.Fatalf("invalid: %v", id) 45 } 46 47 ae2, _, err := acl.Info(id, nil) 48 if err != nil { 49 t.Fatalf("err: %v", err) 50 } 51 52 if ae2.Name != ae.Name || ae2.Type != ae.Type || ae2.Rules != ae.Rules { 53 t.Fatalf("Bad: %#v", ae2) 54 } 55 56 wm, err = acl.Destroy(id, nil) 57 if err != nil { 58 t.Fatalf("err: %v", err) 59 } 60 61 if wm.RequestTime == 0 { 62 t.Fatalf("bad: %v", wm) 63 } 64} 65 66func TestAPI_ACLCloneDestroy(t *testing.T) { 67 t.Parallel() 68 c, s := makeACLClient(t) 69 defer s.Stop() 70 71 acl := c.ACL() 72 73 id, wm, err := acl.Clone(c.config.Token, nil) 74 if err != nil { 75 t.Fatalf("err: %v", err) 76 } 77 78 if wm.RequestTime == 0 { 79 t.Fatalf("bad: %v", wm) 80 } 81 82 if id == "" { 83 t.Fatalf("invalid: %v", id) 84 } 85 86 wm, err = acl.Destroy(id, nil) 87 if err != nil { 88 t.Fatalf("err: %v", err) 89 } 90 91 if wm.RequestTime == 0 { 92 t.Fatalf("bad: %v", wm) 93 } 94} 95 96func TestAPI_ACLInfo(t *testing.T) { 97 t.Parallel() 98 c, s := makeACLClient(t) 99 defer s.Stop() 100 101 acl := c.ACL() 102 103 ae, qm, err := acl.Info(c.config.Token, nil) 104 if err != nil { 105 t.Fatalf("err: %v", err) 106 } 107 108 if qm.LastIndex == 0 { 109 t.Fatalf("bad: %v", qm) 110 } 111 if !qm.KnownLeader { 112 t.Fatalf("bad: %v", qm) 113 } 114 115 if ae == nil || ae.ID != c.config.Token || ae.Type != ACLManagementType { 116 t.Fatalf("bad: %#v", ae) 117 } 118} 119 120func TestAPI_ACLList(t *testing.T) { 121 t.Parallel() 122 c, s := makeACLClient(t) 123 defer s.Stop() 124 125 acl := c.ACL() 126 127 acls, qm, err := acl.List(nil) 128 if err != nil { 129 t.Fatalf("err: %v", err) 130 } 131 132 // anon token is a new token 133 if len(acls) < 1 { 134 t.Fatalf("bad: %v", acls) 135 } 136 137 if qm.LastIndex == 0 { 138 t.Fatalf("bad: %v", qm) 139 } 140 if !qm.KnownLeader { 141 t.Fatalf("bad: %v", qm) 142 } 143} 144 145func TestAPI_ACLReplication(t *testing.T) { 146 t.Parallel() 147 c, s := makeACLClient(t) 148 defer s.Stop() 149 150 acl := c.ACL() 151 152 repl, qm, err := acl.Replication(nil) 153 if err != nil { 154 t.Fatalf("err: %v", err) 155 } 156 157 if repl == nil { 158 t.Fatalf("bad: %v", repl) 159 } 160 161 if repl.Running { 162 t.Fatal("bad: repl should not be running") 163 } 164 165 if repl.Enabled { 166 t.Fatal("bad: repl should not be enabled") 167 } 168 169 if qm.RequestTime == 0 { 170 t.Fatalf("bad: %v", qm) 171 } 172} 173 174func TestAPI_ACLPolicy_CreateReadDelete(t *testing.T) { 175 t.Parallel() 176 c, s := makeACLClient(t) 177 defer s.Stop() 178 179 acl := c.ACL() 180 181 created, wm, err := acl.PolicyCreate(&ACLPolicy{ 182 Name: "test-policy", 183 Description: "test-policy description", 184 Rules: `node_prefix "" { policy = "read" }`, 185 Datacenters: []string{"dc1"}, 186 }, nil) 187 188 require.NoError(t, err) 189 require.NotNil(t, created) 190 require.NotEqual(t, "", created.ID) 191 require.NotEqual(t, 0, wm.RequestTime) 192 193 read, qm, err := acl.PolicyRead(created.ID, nil) 194 require.NoError(t, err) 195 require.NotEqual(t, 0, qm.LastIndex) 196 require.True(t, qm.KnownLeader) 197 198 require.Equal(t, created, read) 199 200 wm, err = acl.PolicyDelete(created.ID, nil) 201 require.NoError(t, err) 202 require.NotEqual(t, 0, wm.RequestTime) 203 204 read, _, err = acl.PolicyRead(created.ID, nil) 205 require.Nil(t, read) 206 require.Error(t, err) 207} 208 209func TestAPI_ACLPolicy_CreateReadByNameDelete(t *testing.T) { 210 t.Parallel() 211 c, s := makeACLClient(t) 212 defer s.Stop() 213 214 acl := c.ACL() 215 216 created, wm, err := acl.PolicyCreate(&ACLPolicy{ 217 Name: "test-policy", 218 Description: "test-policy description", 219 Rules: `node_prefix "" { policy = "read" }`, 220 Datacenters: []string{"dc1"}, 221 }, nil) 222 223 require.NoError(t, err) 224 require.NotNil(t, created) 225 require.NotEqual(t, "", created.ID) 226 require.NotEqual(t, 0, wm.RequestTime) 227 228 read, qm, err := acl.PolicyReadByName(created.Name, nil) 229 require.NoError(t, err) 230 require.NotEqual(t, 0, qm.LastIndex) 231 require.True(t, qm.KnownLeader) 232 233 require.Equal(t, created, read) 234 235 wm, err = acl.PolicyDelete(created.ID, nil) 236 require.NoError(t, err) 237 require.NotEqual(t, 0, wm.RequestTime) 238 239 read, _, err = acl.PolicyRead(created.ID, nil) 240 require.Nil(t, read) 241 require.Error(t, err) 242} 243 244func TestAPI_ACLPolicy_CreateUpdate(t *testing.T) { 245 t.Parallel() 246 c, s := makeACLClient(t) 247 defer s.Stop() 248 249 acl := c.ACL() 250 251 created, _, err := acl.PolicyCreate(&ACLPolicy{ 252 Name: "test-policy", 253 Description: "test-policy description", 254 Rules: `node_prefix "" { policy = "read" }`, 255 Datacenters: []string{"dc1"}, 256 }, nil) 257 258 require.NoError(t, err) 259 require.NotNil(t, created) 260 require.NotEqual(t, "", created.ID) 261 262 read, _, err := acl.PolicyRead(created.ID, nil) 263 require.NoError(t, err) 264 require.Equal(t, created, read) 265 266 read.Rules += ` service_prefix "" { policy = "read" }` 267 read.Datacenters = nil 268 269 updated, wm, err := acl.PolicyUpdate(read, nil) 270 require.NoError(t, err) 271 require.Equal(t, created.ID, updated.ID) 272 require.Equal(t, created.Description, updated.Description) 273 require.Equal(t, read.Rules, updated.Rules) 274 require.Equal(t, created.CreateIndex, updated.CreateIndex) 275 require.NotEqual(t, created.ModifyIndex, updated.ModifyIndex) 276 require.Nil(t, updated.Datacenters) 277 require.NotEqual(t, 0, wm.RequestTime) 278 279 updated_read, _, err := acl.PolicyRead(created.ID, nil) 280 require.NoError(t, err) 281 require.Equal(t, updated, updated_read) 282} 283 284func TestAPI_ACLPolicy_List(t *testing.T) { 285 t.Parallel() 286 c, s := makeACLClient(t) 287 defer s.Stop() 288 289 acl := c.ACL() 290 291 created1, _, err := acl.PolicyCreate(&ACLPolicy{ 292 Name: "policy1", 293 Description: "policy1 description", 294 Rules: `node_prefix "" { policy = "read" }`, 295 Datacenters: []string{"dc1"}, 296 }, nil) 297 298 require.NoError(t, err) 299 require.NotNil(t, created1) 300 require.NotEqual(t, "", created1.ID) 301 302 created2, _, err := acl.PolicyCreate(&ACLPolicy{ 303 Name: "policy2", 304 Description: "policy2 description", 305 Rules: `service "app" { policy = "write" }`, 306 Datacenters: []string{"dc1", "dc2"}, 307 }, nil) 308 309 require.NoError(t, err) 310 require.NotNil(t, created2) 311 require.NotEqual(t, "", created2.ID) 312 313 created3, _, err := acl.PolicyCreate(&ACLPolicy{ 314 Name: "policy3", 315 Description: "policy3 description", 316 Rules: `acl = "read"`, 317 }, nil) 318 319 require.NoError(t, err) 320 require.NotNil(t, created3) 321 require.NotEqual(t, "", created3.ID) 322 323 policies, qm, err := acl.PolicyList(nil) 324 require.NoError(t, err) 325 require.Len(t, policies, 4) 326 require.NotEqual(t, 0, qm.LastIndex) 327 require.True(t, qm.KnownLeader) 328 329 policyMap := make(map[string]*ACLPolicyListEntry) 330 for _, policy := range policies { 331 policyMap[policy.ID] = policy 332 } 333 334 policy1, ok := policyMap[created1.ID] 335 require.True(t, ok) 336 require.NotNil(t, policy1) 337 require.Equal(t, created1.Name, policy1.Name) 338 require.Equal(t, created1.Description, policy1.Description) 339 require.Equal(t, created1.CreateIndex, policy1.CreateIndex) 340 require.Equal(t, created1.ModifyIndex, policy1.ModifyIndex) 341 require.Equal(t, created1.Hash, policy1.Hash) 342 require.ElementsMatch(t, created1.Datacenters, policy1.Datacenters) 343 344 policy2, ok := policyMap[created2.ID] 345 require.True(t, ok) 346 require.NotNil(t, policy2) 347 require.Equal(t, created2.Name, policy2.Name) 348 require.Equal(t, created2.Description, policy2.Description) 349 require.Equal(t, created2.CreateIndex, policy2.CreateIndex) 350 require.Equal(t, created2.ModifyIndex, policy2.ModifyIndex) 351 require.Equal(t, created2.Hash, policy2.Hash) 352 require.ElementsMatch(t, created2.Datacenters, policy2.Datacenters) 353 354 policy3, ok := policyMap[created3.ID] 355 require.True(t, ok) 356 require.NotNil(t, policy3) 357 require.Equal(t, created3.Name, policy3.Name) 358 require.Equal(t, created3.Description, policy3.Description) 359 require.Equal(t, created3.CreateIndex, policy3.CreateIndex) 360 require.Equal(t, created3.ModifyIndex, policy3.ModifyIndex) 361 require.Equal(t, created3.Hash, policy3.Hash) 362 require.ElementsMatch(t, created3.Datacenters, policy3.Datacenters) 363 364 // make sure the 4th policy is the global management 365 policy4, ok := policyMap["00000000-0000-0000-0000-000000000001"] 366 require.True(t, ok) 367 require.NotNil(t, policy4) 368} 369 370func prepTokenPolicies(t *testing.T, acl *ACL) (policies []*ACLPolicy) { 371 policy, _, err := acl.PolicyCreate(&ACLPolicy{ 372 Name: "one", 373 Description: "one description", 374 Rules: `acl = "read"`, 375 Datacenters: []string{"dc1", "dc2"}, 376 }, nil) 377 378 require.NoError(t, err) 379 require.NotNil(t, policy) 380 policies = append(policies, policy) 381 382 policy, _, err = acl.PolicyCreate(&ACLPolicy{ 383 Name: "two", 384 Description: "two description", 385 Rules: `node_prefix "" { policy = "read" }`, 386 Datacenters: []string{"dc1", "dc2"}, 387 }, nil) 388 389 require.NoError(t, err) 390 require.NotNil(t, policy) 391 policies = append(policies, policy) 392 393 policy, _, err = acl.PolicyCreate(&ACLPolicy{ 394 Name: "three", 395 Description: "three description", 396 Rules: `service_prefix "" { policy = "read" }`, 397 }, nil) 398 399 require.NoError(t, err) 400 require.NotNil(t, policy) 401 policies = append(policies, policy) 402 403 policy, _, err = acl.PolicyCreate(&ACLPolicy{ 404 Name: "four", 405 Description: "four description", 406 Rules: `agent "foo" { policy = "write" }`, 407 }, nil) 408 409 require.NoError(t, err) 410 require.NotNil(t, policy) 411 policies = append(policies, policy) 412 return 413} 414 415func TestAPI_ACLToken_CreateReadDelete(t *testing.T) { 416 t.Parallel() 417 c, s := makeACLClient(t) 418 defer s.Stop() 419 420 acl := c.ACL() 421 422 policies := prepTokenPolicies(t, acl) 423 424 created, wm, err := acl.TokenCreate(&ACLToken{ 425 Description: "token created", 426 Policies: []*ACLTokenPolicyLink{ 427 { 428 ID: policies[0].ID, 429 }, 430 { 431 ID: policies[1].ID, 432 }, 433 { 434 Name: policies[2].Name, 435 }, 436 { 437 Name: policies[3].Name, 438 }, 439 }, 440 }, nil) 441 442 require.NoError(t, err) 443 require.NotNil(t, created) 444 require.NotEqual(t, "", created.AccessorID) 445 require.NotEqual(t, "", created.SecretID) 446 require.NotEqual(t, 0, wm.RequestTime) 447 448 read, qm, err := acl.TokenRead(created.AccessorID, nil) 449 require.NoError(t, err) 450 require.Equal(t, created, read) 451 require.NotEqual(t, 0, qm.LastIndex) 452 require.True(t, qm.KnownLeader) 453 454 acl.c.config.Token = created.SecretID 455 self, _, err := acl.TokenReadSelf(nil) 456 require.NoError(t, err) 457 require.Equal(t, created, self) 458 acl.c.config.Token = "root" 459 460 _, err = acl.TokenDelete(created.AccessorID, nil) 461 require.NoError(t, err) 462 463 read, _, err = acl.TokenRead(created.AccessorID, nil) 464 require.Nil(t, read) 465 require.Error(t, err) 466} 467 468func TestAPI_ACLToken_CreateUpdate(t *testing.T) { 469 t.Parallel() 470 c, s := makeACLClient(t) 471 defer s.Stop() 472 473 acl := c.ACL() 474 475 policies := prepTokenPolicies(t, acl) 476 477 created, _, err := acl.TokenCreate(&ACLToken{ 478 Description: "token created", 479 Policies: []*ACLTokenPolicyLink{ 480 { 481 ID: policies[0].ID, 482 }, 483 { 484 Name: policies[2].Name, 485 }, 486 }, 487 }, nil) 488 489 require.NoError(t, err) 490 require.NotNil(t, created) 491 require.NotEqual(t, "", created.AccessorID) 492 require.NotEqual(t, "", created.SecretID) 493 494 read, _, err := acl.TokenRead(created.AccessorID, nil) 495 require.NoError(t, err) 496 require.Equal(t, created, read) 497 498 read.Policies = append(read.Policies, &ACLTokenPolicyLink{ID: policies[1].ID}) 499 read.Policies = append(read.Policies, &ACLTokenPolicyLink{Name: policies[2].Name}) 500 501 expectedPolicies := []*ACLTokenPolicyLink{ 502 { 503 ID: policies[0].ID, 504 Name: policies[0].Name, 505 }, 506 { 507 ID: policies[1].ID, 508 Name: policies[1].Name, 509 }, 510 { 511 ID: policies[2].ID, 512 Name: policies[2].Name, 513 }, 514 } 515 516 updated, wm, err := acl.TokenUpdate(read, nil) 517 require.NoError(t, err) 518 require.Equal(t, created.AccessorID, updated.AccessorID) 519 require.Equal(t, created.SecretID, updated.SecretID) 520 require.Equal(t, created.Description, updated.Description) 521 require.Equal(t, created.CreateIndex, updated.CreateIndex) 522 require.NotEqual(t, created.ModifyIndex, updated.ModifyIndex) 523 require.ElementsMatch(t, expectedPolicies, updated.Policies) 524 require.NotEqual(t, 0, wm.RequestTime) 525 526 updated_read, _, err := acl.TokenRead(created.AccessorID, nil) 527 require.NoError(t, err) 528 require.Equal(t, updated, updated_read) 529} 530 531func TestAPI_ACLToken_List(t *testing.T) { 532 t.Parallel() 533 c, s := makeACLClient(t) 534 defer s.Stop() 535 536 acl := c.ACL() 537 s.WaitForSerfCheck(t) 538 539 policies := prepTokenPolicies(t, acl) 540 541 created1, _, err := acl.TokenCreate(&ACLToken{ 542 Description: "token created1", 543 Policies: []*ACLTokenPolicyLink{ 544 { 545 ID: policies[0].ID, 546 }, 547 }, 548 }, nil) 549 550 require.NoError(t, err) 551 require.NotNil(t, created1) 552 require.NotEqual(t, "", created1.AccessorID) 553 require.NotEqual(t, "", created1.SecretID) 554 555 created2, _, err := acl.TokenCreate(&ACLToken{ 556 Description: "token created2", 557 Policies: []*ACLTokenPolicyLink{ 558 { 559 ID: policies[1].ID, 560 }, 561 }, 562 }, nil) 563 564 require.NoError(t, err) 565 require.NotNil(t, created2) 566 require.NotEqual(t, "", created2.AccessorID) 567 require.NotEqual(t, "", created2.SecretID) 568 569 created3, _, err := acl.TokenCreate(&ACLToken{ 570 Description: "token created3", 571 Policies: []*ACLTokenPolicyLink{ 572 { 573 ID: policies[2].ID, 574 }, 575 }, 576 }, nil) 577 578 require.NoError(t, err) 579 require.NotNil(t, created3) 580 require.NotEqual(t, "", created3.AccessorID) 581 require.NotEqual(t, "", created3.SecretID) 582 583 tokens, qm, err := acl.TokenList(nil) 584 require.NoError(t, err) 585 // 3 + anon + master 586 require.Len(t, tokens, 5) 587 require.NotEqual(t, 0, qm.LastIndex) 588 require.True(t, qm.KnownLeader) 589 590 tokenMap := make(map[string]*ACLTokenListEntry) 591 for _, token := range tokens { 592 tokenMap[token.AccessorID] = token 593 } 594 595 token1, ok := tokenMap[created1.AccessorID] 596 require.True(t, ok) 597 require.NotNil(t, token1) 598 require.Equal(t, created1.SecretID, token1.SecretID) 599 require.Equal(t, created1.Description, token1.Description) 600 require.Equal(t, created1.CreateIndex, token1.CreateIndex) 601 require.Equal(t, created1.ModifyIndex, token1.ModifyIndex) 602 require.Equal(t, created1.Hash, token1.Hash) 603 require.ElementsMatch(t, created1.Policies, token1.Policies) 604 605 token2, ok := tokenMap[created2.AccessorID] 606 require.True(t, ok) 607 require.NotNil(t, token2) 608 require.Equal(t, created2.SecretID, token2.SecretID) 609 require.Equal(t, created2.Description, token2.Description) 610 require.Equal(t, created2.CreateIndex, token2.CreateIndex) 611 require.Equal(t, created2.ModifyIndex, token2.ModifyIndex) 612 require.Equal(t, created2.Hash, token2.Hash) 613 require.ElementsMatch(t, created2.Policies, token2.Policies) 614 615 token3, ok := tokenMap[created3.AccessorID] 616 require.True(t, ok) 617 require.NotNil(t, token3) 618 require.Equal(t, created3.SecretID, token3.SecretID) 619 require.Equal(t, created3.Description, token3.Description) 620 require.Equal(t, created3.CreateIndex, token3.CreateIndex) 621 require.Equal(t, created3.ModifyIndex, token3.ModifyIndex) 622 require.Equal(t, created3.Hash, token3.Hash) 623 require.ElementsMatch(t, created3.Policies, token3.Policies) 624 625 // make sure the there is an anon token 626 token4, ok := tokenMap["00000000-0000-0000-0000-000000000002"] 627 require.True(t, ok) 628 require.NotNil(t, token4) 629 630 // ensure the 5th token is the root master token 631 root, _, err := acl.TokenReadSelf(nil) 632 require.NoError(t, err) 633 require.NotNil(t, root) 634 token5, ok := tokenMap[root.AccessorID] 635 require.True(t, ok) 636 require.NotNil(t, token5) 637} 638 639func TestAPI_ACLToken_Clone(t *testing.T) { 640 t.Parallel() 641 c, s := makeACLClient(t) 642 defer s.Stop() 643 644 acl := c.ACL() 645 646 master, _, err := acl.TokenReadSelf(nil) 647 require.NoError(t, err) 648 require.NotNil(t, master) 649 650 cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil) 651 require.NoError(t, err) 652 require.NotNil(t, cloned) 653 require.NotEqual(t, master.AccessorID, cloned.AccessorID) 654 require.NotEqual(t, master.SecretID, cloned.SecretID) 655 require.Equal(t, "cloned", cloned.Description) 656 require.ElementsMatch(t, master.Policies, cloned.Policies) 657 658 read, _, err := acl.TokenRead(cloned.AccessorID, nil) 659 require.NoError(t, err) 660 require.NotNil(t, read) 661 require.Equal(t, cloned, read) 662} 663 664// 665func TestAPI_AuthMethod_List(t *testing.T) { 666 t.Parallel() 667 c, s := makeACLClient(t) 668 defer s.Stop() 669 670 acl := c.ACL() 671 s.WaitForSerfCheck(t) 672 673 method1 := ACLAuthMethod{ 674 Name: "test_1", 675 Type: "kubernetes", 676 Description: "test 1", 677 MaxTokenTTL: 260 * time.Second, 678 TokenLocality: "global", 679 Config: AuthMethodCreateKubernetesConfigHelper(), 680 } 681 682 created1, wm, err := acl.AuthMethodCreate(&method1, nil) 683 684 require.NoError(t, err) 685 require.NotNil(t, created1) 686 require.NotEqual(t, "", created1.Name) 687 require.NotEqual(t, 0, wm.RequestTime) 688 689 method2 := ACLAuthMethod{ 690 Name: "test_2", 691 Type: "kubernetes", 692 Description: "test 2", 693 MaxTokenTTL: 0, 694 TokenLocality: "local", 695 Config: AuthMethodCreateKubernetesConfigHelper(), 696 } 697 698 _, _, err = acl.AuthMethodCreate(&method2, nil) 699 require.NoError(t, err) 700 701 entries, _, err := acl.AuthMethodList(nil) 702 require.NoError(t, err) 703 require.NotNil(t, entries) 704 require.Equal(t, 2, len(entries)) 705 706 { 707 entry := entries[0] 708 require.Equal(t, "test_1", entry.Name) 709 require.Equal(t, 260*time.Second, entry.MaxTokenTTL) 710 require.Equal(t, "global", entry.TokenLocality) 711 } 712 { 713 entry := entries[1] 714 require.Equal(t, "test_2", entry.Name) 715 require.Equal(t, time.Duration(0), entry.MaxTokenTTL) 716 require.Equal(t, "local", entry.TokenLocality) 717 } 718} 719 720func AuthMethodCreateKubernetesConfigHelper() (result map[string]interface{}) { 721 var pemData = ` 722-----BEGIN CERTIFICATE----- 723MIIE1DCCArwCCQC2kx7TchbxAzANBgkqhkiG9w0BAQsFADAsMQswCQYDVQQGEwJV 724UzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUwHhcNMjEwMTI3MDIzNDA1 725WhcNMjIwMTI3MDIzNDA1WjAsMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAO 726BgNVBAcMB1NlYXR0bGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt 727j3zRFLg2A2DcZFwoc1HvIsGzqcfvxjee/OQjKyIuXbdpbJGIahB2piNYtd49zU/5 728ofRAuqIQOco3V9LfL52I7NchNBvPQOrXjbpcM3qF2qQvunVlnnaPCIf8S5hsFMaq 729w2/+jnLjaUdXGJ9bold5E/bms87uRahvhUpY7MhkSDNsAen+YThpwucc9JFRmrz3 730EXGtTzcpyEn9b0s6ut9mum2UVqghAQyLeW8cNx1zeg6Bi5USjOKF6CQgF7o4kZ9X 731D0Nk5vB9eePs/q5N9LHkDFKVCmzAYgzcQeGZFEzNcgK7N5y+aB2xXKpH3tydpwRd 732uS+g05Jvk8M8P34wteUb8tq3jZuY7UYzlINMSrPuZdFhcGjmxPjC5hl1SZy4vF1s 733GAD9RsleTZ8yeC6Cfo4mba214C9CqYkC2NBw2HO53pzO/tYI844QPhjmVBJ7bb35 734S052HD7m+AzbfY6w9CDH4D4mzIM4u1yRB6OlXdXTH58BhgxHdEnugLYr13QlVWRW 7354nZgMFKiTY7cBscpPcVRsne/VR9VwSatp3adj+G8+WUtwQLJC2OcCFYvmHfdSOs0 736B15LH/tGeJcfKViKC9ifPq5abVZByr66jTQMAdBWet03OBnmLqJs9TI4wci0MkK/ 737HlHYdy734rReD81LY9fCRCRFV4ZtMx2rfj7cqgKLlwIDAQABMA0GCSqGSIb3DQEB 738CwUAA4ICAQB6ji6wA9ROFx8ZhLPlEnDiielSUN8LR2K8cmAjxxffJo3GxRH/zZYl 739CM+DzU5VVzW6RGWuTNzcFNsxlaRx20sj5RyXLH90wFYLO2Rrs1XKWmqpfdN0Iiue 740W7rYdNPV7YPjIVQVoijEt8kwx24jE9mU5ILXe4+WKPWavG+dHA1r8lQdg7wmE/8R 741E/nSVtusuX0JRVdL96iy2HB37DYj+rJEE0C7fKAk51o0C4F6fOzUsWCaP/23pZNI 742rA6hCq2CJeT4ObVukCIrnylrckZs8ElcZ7PvJ9bCNvma+dAxbL0uEkv0q0feLeVh 743OTttNIVTUjYjr3KE6rtE1Rr35R/6HCK+zZDOkKf+TVEQsFuI4DRVEuntzjo9bgZf 744fAL6G+UXpzW440BJzmzADnSthawMZFdqVrrBzpzb+B2d9VLDEoyCCFzaJyj/Gyff 745kqxRFTHZJRKC/3iIRXOX64bIr1YmXHFHCBkcq7eyh1oeaTrGZ43HimaveWwcsPv/ 746SxTJANJHqf4BiFtVjN7LZXi3HUIRAsceEbd0TfW5be9SQ0tbDyyGYt/bXtBLGTIh 7479kerr9eWDHlpHMTyP01+Ua3EacbfgrmvD9sa3s6gC4SnwlvLdubmyLwoorCs77eF 74815bSOU7NsVZfwLw+M+DyNWPxI1BR/XOP+YoyTgIEChIC9eYnmlWU2Q== 749-----END CERTIFICATE-----` 750 751 result = map[string]interface{}{ 752 "Host": "https://192.0.2.42:8443", 753 "CACert": pemData, 754 "ServiceAccountJWT": `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImQxYTZiYzE5LWZiODItNDI5ZC05NmUxLTg1YTFjYjEyNGQ3MCIsImlhdCI6MTYxMTcxNTQ5NiwiZXhwIjoxNjExNzE5MDk2fQ.rrVS5h1Yw20eI41RsTl2YAqzKKikKNg3qMkDmspTPQs`, 755 } 756 return 757} 758 759func TestAPI_RulesTranslate_FromToken(t *testing.T) { 760 t.Parallel() 761 c, s := makeACLClient(t) 762 defer s.Stop() 763 764 acl := c.ACL() 765 766 ae := ACLEntry{ 767 Name: "API test", 768 Type: ACLClientType, 769 Rules: `key "" { policy = "deny" }`, 770 } 771 772 id, _, err := acl.Create(&ae, nil) 773 require.NoError(t, err) 774 775 var accessor string 776 acl.c.config.Token = id 777 778 // This relies on the token upgrade loop running in the background 779 // to assign an accessor 780 retry.Run(t, func(r *retry.R) { 781 token, _, err := acl.TokenReadSelf(nil) 782 require.NoError(r, err) 783 require.NotEqual(r, "", token.AccessorID) 784 accessor = token.AccessorID 785 }) 786 acl.c.config.Token = "root" 787 788 rules, err := acl.RulesTranslateToken(accessor) 789 require.NoError(t, err) 790 require.Equal(t, "key_prefix \"\" {\n policy = \"deny\"\n}", rules) 791} 792 793func TestAPI_RulesTranslate_Raw(t *testing.T) { 794 t.Parallel() 795 c, s := makeACLClient(t) 796 defer s.Stop() 797 798 acl := c.ACL() 799 800 input := `#start of policy 801agent "" { 802 policy = "read" 803} 804 805node "" { 806 policy = "read" 807} 808 809service "" { 810 policy = "read" 811} 812 813key "" { 814 policy = "read" 815} 816 817session "" { 818 policy = "read" 819} 820 821event "" { 822 policy = "read" 823} 824 825query "" { 826 policy = "read" 827}` 828 829 expected := `#start of policy 830agent_prefix "" { 831 policy = "read" 832} 833 834node_prefix "" { 835 policy = "read" 836} 837 838service_prefix "" { 839 policy = "read" 840} 841 842key_prefix "" { 843 policy = "read" 844} 845 846session_prefix "" { 847 policy = "read" 848} 849 850event_prefix "" { 851 policy = "read" 852} 853 854query_prefix "" { 855 policy = "read" 856}` 857 858 rules, err := acl.RulesTranslate(strings.NewReader(input)) 859 require.NoError(t, err) 860 require.Equal(t, expected, rules) 861} 862