1package api
2
3import (
4	"strings"
5	"testing"
6	"time"
7
8	"github.com/hashicorp/consul/sdk/testutil/retry"
9
10	"github.com/stretchr/testify/require"
11)
12
13func TestAPI_ACLBootstrap(t *testing.T) {
14	// TODO (slackpad) We currently can't inject the version, and the
15	// version in the binary depends on Git tags, so we can't reliably
16	// test this until we are just running an agent in-process here and
17	// have full control over the config.
18}
19
20func TestAPI_ACLCreateDestroy(t *testing.T) {
21	t.Parallel()
22	c, s := makeACLClient(t)
23	defer s.Stop()
24	s.WaitForSerfCheck(t)
25
26	acl := c.ACL()
27
28	ae := ACLEntry{
29		Name:  "API test",
30		Type:  ACLClientType,
31		Rules: `key "" { policy = "deny" }`,
32	}
33
34	id, wm, err := acl.Create(&ae, nil)
35	if err != nil {
36		t.Fatalf("err: %v", err)
37	}
38
39	if wm.RequestTime == 0 {
40		t.Fatalf("bad: %v", wm)
41	}
42
43	if id == "" {
44		t.Fatalf("invalid: %v", id)
45	}
46
47	ae2, _, err := acl.Info(id, nil)
48	if err != nil {
49		t.Fatalf("err: %v", err)
50	}
51
52	if ae2.Name != ae.Name || ae2.Type != ae.Type || ae2.Rules != ae.Rules {
53		t.Fatalf("Bad: %#v", ae2)
54	}
55
56	wm, err = acl.Destroy(id, nil)
57	if err != nil {
58		t.Fatalf("err: %v", err)
59	}
60
61	if wm.RequestTime == 0 {
62		t.Fatalf("bad: %v", wm)
63	}
64}
65
66func TestAPI_ACLCloneDestroy(t *testing.T) {
67	t.Parallel()
68	c, s := makeACLClient(t)
69	defer s.Stop()
70
71	acl := c.ACL()
72
73	id, wm, err := acl.Clone(c.config.Token, nil)
74	if err != nil {
75		t.Fatalf("err: %v", err)
76	}
77
78	if wm.RequestTime == 0 {
79		t.Fatalf("bad: %v", wm)
80	}
81
82	if id == "" {
83		t.Fatalf("invalid: %v", id)
84	}
85
86	wm, err = acl.Destroy(id, nil)
87	if err != nil {
88		t.Fatalf("err: %v", err)
89	}
90
91	if wm.RequestTime == 0 {
92		t.Fatalf("bad: %v", wm)
93	}
94}
95
96func TestAPI_ACLInfo(t *testing.T) {
97	t.Parallel()
98	c, s := makeACLClient(t)
99	defer s.Stop()
100
101	acl := c.ACL()
102
103	ae, qm, err := acl.Info(c.config.Token, nil)
104	if err != nil {
105		t.Fatalf("err: %v", err)
106	}
107
108	if qm.LastIndex == 0 {
109		t.Fatalf("bad: %v", qm)
110	}
111	if !qm.KnownLeader {
112		t.Fatalf("bad: %v", qm)
113	}
114
115	if ae == nil || ae.ID != c.config.Token || ae.Type != ACLManagementType {
116		t.Fatalf("bad: %#v", ae)
117	}
118}
119
120func TestAPI_ACLList(t *testing.T) {
121	t.Parallel()
122	c, s := makeACLClient(t)
123	defer s.Stop()
124
125	acl := c.ACL()
126
127	acls, qm, err := acl.List(nil)
128	if err != nil {
129		t.Fatalf("err: %v", err)
130	}
131
132	// anon token is a new token
133	if len(acls) < 1 {
134		t.Fatalf("bad: %v", acls)
135	}
136
137	if qm.LastIndex == 0 {
138		t.Fatalf("bad: %v", qm)
139	}
140	if !qm.KnownLeader {
141		t.Fatalf("bad: %v", qm)
142	}
143}
144
145func TestAPI_ACLReplication(t *testing.T) {
146	t.Parallel()
147	c, s := makeACLClient(t)
148	defer s.Stop()
149
150	acl := c.ACL()
151
152	repl, qm, err := acl.Replication(nil)
153	if err != nil {
154		t.Fatalf("err: %v", err)
155	}
156
157	if repl == nil {
158		t.Fatalf("bad: %v", repl)
159	}
160
161	if repl.Running {
162		t.Fatal("bad: repl should not be running")
163	}
164
165	if repl.Enabled {
166		t.Fatal("bad: repl should not be enabled")
167	}
168
169	if qm.RequestTime == 0 {
170		t.Fatalf("bad: %v", qm)
171	}
172}
173
174func TestAPI_ACLPolicy_CreateReadDelete(t *testing.T) {
175	t.Parallel()
176	c, s := makeACLClient(t)
177	defer s.Stop()
178
179	acl := c.ACL()
180
181	created, wm, err := acl.PolicyCreate(&ACLPolicy{
182		Name:        "test-policy",
183		Description: "test-policy description",
184		Rules:       `node_prefix "" { policy = "read" }`,
185		Datacenters: []string{"dc1"},
186	}, nil)
187
188	require.NoError(t, err)
189	require.NotNil(t, created)
190	require.NotEqual(t, "", created.ID)
191	require.NotEqual(t, 0, wm.RequestTime)
192
193	read, qm, err := acl.PolicyRead(created.ID, nil)
194	require.NoError(t, err)
195	require.NotEqual(t, 0, qm.LastIndex)
196	require.True(t, qm.KnownLeader)
197
198	require.Equal(t, created, read)
199
200	wm, err = acl.PolicyDelete(created.ID, nil)
201	require.NoError(t, err)
202	require.NotEqual(t, 0, wm.RequestTime)
203
204	read, _, err = acl.PolicyRead(created.ID, nil)
205	require.Nil(t, read)
206	require.Error(t, err)
207}
208
209func TestAPI_ACLPolicy_CreateReadByNameDelete(t *testing.T) {
210	t.Parallel()
211	c, s := makeACLClient(t)
212	defer s.Stop()
213
214	acl := c.ACL()
215
216	created, wm, err := acl.PolicyCreate(&ACLPolicy{
217		Name:        "test-policy",
218		Description: "test-policy description",
219		Rules:       `node_prefix "" { policy = "read" }`,
220		Datacenters: []string{"dc1"},
221	}, nil)
222
223	require.NoError(t, err)
224	require.NotNil(t, created)
225	require.NotEqual(t, "", created.ID)
226	require.NotEqual(t, 0, wm.RequestTime)
227
228	read, qm, err := acl.PolicyReadByName(created.Name, nil)
229	require.NoError(t, err)
230	require.NotEqual(t, 0, qm.LastIndex)
231	require.True(t, qm.KnownLeader)
232
233	require.Equal(t, created, read)
234
235	wm, err = acl.PolicyDelete(created.ID, nil)
236	require.NoError(t, err)
237	require.NotEqual(t, 0, wm.RequestTime)
238
239	read, _, err = acl.PolicyRead(created.ID, nil)
240	require.Nil(t, read)
241	require.Error(t, err)
242}
243
244func TestAPI_ACLPolicy_CreateUpdate(t *testing.T) {
245	t.Parallel()
246	c, s := makeACLClient(t)
247	defer s.Stop()
248
249	acl := c.ACL()
250
251	created, _, err := acl.PolicyCreate(&ACLPolicy{
252		Name:        "test-policy",
253		Description: "test-policy description",
254		Rules:       `node_prefix "" { policy = "read" }`,
255		Datacenters: []string{"dc1"},
256	}, nil)
257
258	require.NoError(t, err)
259	require.NotNil(t, created)
260	require.NotEqual(t, "", created.ID)
261
262	read, _, err := acl.PolicyRead(created.ID, nil)
263	require.NoError(t, err)
264	require.Equal(t, created, read)
265
266	read.Rules += ` service_prefix "" { policy = "read" }`
267	read.Datacenters = nil
268
269	updated, wm, err := acl.PolicyUpdate(read, nil)
270	require.NoError(t, err)
271	require.Equal(t, created.ID, updated.ID)
272	require.Equal(t, created.Description, updated.Description)
273	require.Equal(t, read.Rules, updated.Rules)
274	require.Equal(t, created.CreateIndex, updated.CreateIndex)
275	require.NotEqual(t, created.ModifyIndex, updated.ModifyIndex)
276	require.Nil(t, updated.Datacenters)
277	require.NotEqual(t, 0, wm.RequestTime)
278
279	updated_read, _, err := acl.PolicyRead(created.ID, nil)
280	require.NoError(t, err)
281	require.Equal(t, updated, updated_read)
282}
283
284func TestAPI_ACLPolicy_List(t *testing.T) {
285	t.Parallel()
286	c, s := makeACLClient(t)
287	defer s.Stop()
288
289	acl := c.ACL()
290
291	created1, _, err := acl.PolicyCreate(&ACLPolicy{
292		Name:        "policy1",
293		Description: "policy1 description",
294		Rules:       `node_prefix "" { policy = "read" }`,
295		Datacenters: []string{"dc1"},
296	}, nil)
297
298	require.NoError(t, err)
299	require.NotNil(t, created1)
300	require.NotEqual(t, "", created1.ID)
301
302	created2, _, err := acl.PolicyCreate(&ACLPolicy{
303		Name:        "policy2",
304		Description: "policy2 description",
305		Rules:       `service "app" { policy = "write" }`,
306		Datacenters: []string{"dc1", "dc2"},
307	}, nil)
308
309	require.NoError(t, err)
310	require.NotNil(t, created2)
311	require.NotEqual(t, "", created2.ID)
312
313	created3, _, err := acl.PolicyCreate(&ACLPolicy{
314		Name:        "policy3",
315		Description: "policy3 description",
316		Rules:       `acl = "read"`,
317	}, nil)
318
319	require.NoError(t, err)
320	require.NotNil(t, created3)
321	require.NotEqual(t, "", created3.ID)
322
323	policies, qm, err := acl.PolicyList(nil)
324	require.NoError(t, err)
325	require.Len(t, policies, 4)
326	require.NotEqual(t, 0, qm.LastIndex)
327	require.True(t, qm.KnownLeader)
328
329	policyMap := make(map[string]*ACLPolicyListEntry)
330	for _, policy := range policies {
331		policyMap[policy.ID] = policy
332	}
333
334	policy1, ok := policyMap[created1.ID]
335	require.True(t, ok)
336	require.NotNil(t, policy1)
337	require.Equal(t, created1.Name, policy1.Name)
338	require.Equal(t, created1.Description, policy1.Description)
339	require.Equal(t, created1.CreateIndex, policy1.CreateIndex)
340	require.Equal(t, created1.ModifyIndex, policy1.ModifyIndex)
341	require.Equal(t, created1.Hash, policy1.Hash)
342	require.ElementsMatch(t, created1.Datacenters, policy1.Datacenters)
343
344	policy2, ok := policyMap[created2.ID]
345	require.True(t, ok)
346	require.NotNil(t, policy2)
347	require.Equal(t, created2.Name, policy2.Name)
348	require.Equal(t, created2.Description, policy2.Description)
349	require.Equal(t, created2.CreateIndex, policy2.CreateIndex)
350	require.Equal(t, created2.ModifyIndex, policy2.ModifyIndex)
351	require.Equal(t, created2.Hash, policy2.Hash)
352	require.ElementsMatch(t, created2.Datacenters, policy2.Datacenters)
353
354	policy3, ok := policyMap[created3.ID]
355	require.True(t, ok)
356	require.NotNil(t, policy3)
357	require.Equal(t, created3.Name, policy3.Name)
358	require.Equal(t, created3.Description, policy3.Description)
359	require.Equal(t, created3.CreateIndex, policy3.CreateIndex)
360	require.Equal(t, created3.ModifyIndex, policy3.ModifyIndex)
361	require.Equal(t, created3.Hash, policy3.Hash)
362	require.ElementsMatch(t, created3.Datacenters, policy3.Datacenters)
363
364	// make sure the 4th policy is the global management
365	policy4, ok := policyMap["00000000-0000-0000-0000-000000000001"]
366	require.True(t, ok)
367	require.NotNil(t, policy4)
368}
369
370func prepTokenPolicies(t *testing.T, acl *ACL) (policies []*ACLPolicy) {
371	policy, _, err := acl.PolicyCreate(&ACLPolicy{
372		Name:        "one",
373		Description: "one description",
374		Rules:       `acl = "read"`,
375		Datacenters: []string{"dc1", "dc2"},
376	}, nil)
377
378	require.NoError(t, err)
379	require.NotNil(t, policy)
380	policies = append(policies, policy)
381
382	policy, _, err = acl.PolicyCreate(&ACLPolicy{
383		Name:        "two",
384		Description: "two description",
385		Rules:       `node_prefix "" { policy = "read" }`,
386		Datacenters: []string{"dc1", "dc2"},
387	}, nil)
388
389	require.NoError(t, err)
390	require.NotNil(t, policy)
391	policies = append(policies, policy)
392
393	policy, _, err = acl.PolicyCreate(&ACLPolicy{
394		Name:        "three",
395		Description: "three description",
396		Rules:       `service_prefix "" { policy = "read" }`,
397	}, nil)
398
399	require.NoError(t, err)
400	require.NotNil(t, policy)
401	policies = append(policies, policy)
402
403	policy, _, err = acl.PolicyCreate(&ACLPolicy{
404		Name:        "four",
405		Description: "four description",
406		Rules:       `agent "foo" { policy = "write" }`,
407	}, nil)
408
409	require.NoError(t, err)
410	require.NotNil(t, policy)
411	policies = append(policies, policy)
412	return
413}
414
415func TestAPI_ACLToken_CreateReadDelete(t *testing.T) {
416	t.Parallel()
417	c, s := makeACLClient(t)
418	defer s.Stop()
419
420	acl := c.ACL()
421
422	policies := prepTokenPolicies(t, acl)
423
424	created, wm, err := acl.TokenCreate(&ACLToken{
425		Description: "token created",
426		Policies: []*ACLTokenPolicyLink{
427			{
428				ID: policies[0].ID,
429			},
430			{
431				ID: policies[1].ID,
432			},
433			{
434				Name: policies[2].Name,
435			},
436			{
437				Name: policies[3].Name,
438			},
439		},
440	}, nil)
441
442	require.NoError(t, err)
443	require.NotNil(t, created)
444	require.NotEqual(t, "", created.AccessorID)
445	require.NotEqual(t, "", created.SecretID)
446	require.NotEqual(t, 0, wm.RequestTime)
447
448	read, qm, err := acl.TokenRead(created.AccessorID, nil)
449	require.NoError(t, err)
450	require.Equal(t, created, read)
451	require.NotEqual(t, 0, qm.LastIndex)
452	require.True(t, qm.KnownLeader)
453
454	acl.c.config.Token = created.SecretID
455	self, _, err := acl.TokenReadSelf(nil)
456	require.NoError(t, err)
457	require.Equal(t, created, self)
458	acl.c.config.Token = "root"
459
460	_, err = acl.TokenDelete(created.AccessorID, nil)
461	require.NoError(t, err)
462
463	read, _, err = acl.TokenRead(created.AccessorID, nil)
464	require.Nil(t, read)
465	require.Error(t, err)
466}
467
468func TestAPI_ACLToken_CreateUpdate(t *testing.T) {
469	t.Parallel()
470	c, s := makeACLClient(t)
471	defer s.Stop()
472
473	acl := c.ACL()
474
475	policies := prepTokenPolicies(t, acl)
476
477	created, _, err := acl.TokenCreate(&ACLToken{
478		Description: "token created",
479		Policies: []*ACLTokenPolicyLink{
480			{
481				ID: policies[0].ID,
482			},
483			{
484				Name: policies[2].Name,
485			},
486		},
487	}, nil)
488
489	require.NoError(t, err)
490	require.NotNil(t, created)
491	require.NotEqual(t, "", created.AccessorID)
492	require.NotEqual(t, "", created.SecretID)
493
494	read, _, err := acl.TokenRead(created.AccessorID, nil)
495	require.NoError(t, err)
496	require.Equal(t, created, read)
497
498	read.Policies = append(read.Policies, &ACLTokenPolicyLink{ID: policies[1].ID})
499	read.Policies = append(read.Policies, &ACLTokenPolicyLink{Name: policies[2].Name})
500
501	expectedPolicies := []*ACLTokenPolicyLink{
502		{
503			ID:   policies[0].ID,
504			Name: policies[0].Name,
505		},
506		{
507			ID:   policies[1].ID,
508			Name: policies[1].Name,
509		},
510		{
511			ID:   policies[2].ID,
512			Name: policies[2].Name,
513		},
514	}
515
516	updated, wm, err := acl.TokenUpdate(read, nil)
517	require.NoError(t, err)
518	require.Equal(t, created.AccessorID, updated.AccessorID)
519	require.Equal(t, created.SecretID, updated.SecretID)
520	require.Equal(t, created.Description, updated.Description)
521	require.Equal(t, created.CreateIndex, updated.CreateIndex)
522	require.NotEqual(t, created.ModifyIndex, updated.ModifyIndex)
523	require.ElementsMatch(t, expectedPolicies, updated.Policies)
524	require.NotEqual(t, 0, wm.RequestTime)
525
526	updated_read, _, err := acl.TokenRead(created.AccessorID, nil)
527	require.NoError(t, err)
528	require.Equal(t, updated, updated_read)
529}
530
531func TestAPI_ACLToken_List(t *testing.T) {
532	t.Parallel()
533	c, s := makeACLClient(t)
534	defer s.Stop()
535
536	acl := c.ACL()
537	s.WaitForSerfCheck(t)
538
539	policies := prepTokenPolicies(t, acl)
540
541	created1, _, err := acl.TokenCreate(&ACLToken{
542		Description: "token created1",
543		Policies: []*ACLTokenPolicyLink{
544			{
545				ID: policies[0].ID,
546			},
547		},
548	}, nil)
549
550	require.NoError(t, err)
551	require.NotNil(t, created1)
552	require.NotEqual(t, "", created1.AccessorID)
553	require.NotEqual(t, "", created1.SecretID)
554
555	created2, _, err := acl.TokenCreate(&ACLToken{
556		Description: "token created2",
557		Policies: []*ACLTokenPolicyLink{
558			{
559				ID: policies[1].ID,
560			},
561		},
562	}, nil)
563
564	require.NoError(t, err)
565	require.NotNil(t, created2)
566	require.NotEqual(t, "", created2.AccessorID)
567	require.NotEqual(t, "", created2.SecretID)
568
569	created3, _, err := acl.TokenCreate(&ACLToken{
570		Description: "token created3",
571		Policies: []*ACLTokenPolicyLink{
572			{
573				ID: policies[2].ID,
574			},
575		},
576	}, nil)
577
578	require.NoError(t, err)
579	require.NotNil(t, created3)
580	require.NotEqual(t, "", created3.AccessorID)
581	require.NotEqual(t, "", created3.SecretID)
582
583	tokens, qm, err := acl.TokenList(nil)
584	require.NoError(t, err)
585	// 3 + anon + master
586	require.Len(t, tokens, 5)
587	require.NotEqual(t, 0, qm.LastIndex)
588	require.True(t, qm.KnownLeader)
589
590	tokenMap := make(map[string]*ACLTokenListEntry)
591	for _, token := range tokens {
592		tokenMap[token.AccessorID] = token
593	}
594
595	token1, ok := tokenMap[created1.AccessorID]
596	require.True(t, ok)
597	require.NotNil(t, token1)
598	require.Equal(t, created1.SecretID, token1.SecretID)
599	require.Equal(t, created1.Description, token1.Description)
600	require.Equal(t, created1.CreateIndex, token1.CreateIndex)
601	require.Equal(t, created1.ModifyIndex, token1.ModifyIndex)
602	require.Equal(t, created1.Hash, token1.Hash)
603	require.ElementsMatch(t, created1.Policies, token1.Policies)
604
605	token2, ok := tokenMap[created2.AccessorID]
606	require.True(t, ok)
607	require.NotNil(t, token2)
608	require.Equal(t, created2.SecretID, token2.SecretID)
609	require.Equal(t, created2.Description, token2.Description)
610	require.Equal(t, created2.CreateIndex, token2.CreateIndex)
611	require.Equal(t, created2.ModifyIndex, token2.ModifyIndex)
612	require.Equal(t, created2.Hash, token2.Hash)
613	require.ElementsMatch(t, created2.Policies, token2.Policies)
614
615	token3, ok := tokenMap[created3.AccessorID]
616	require.True(t, ok)
617	require.NotNil(t, token3)
618	require.Equal(t, created3.SecretID, token3.SecretID)
619	require.Equal(t, created3.Description, token3.Description)
620	require.Equal(t, created3.CreateIndex, token3.CreateIndex)
621	require.Equal(t, created3.ModifyIndex, token3.ModifyIndex)
622	require.Equal(t, created3.Hash, token3.Hash)
623	require.ElementsMatch(t, created3.Policies, token3.Policies)
624
625	// make sure the there is an anon token
626	token4, ok := tokenMap["00000000-0000-0000-0000-000000000002"]
627	require.True(t, ok)
628	require.NotNil(t, token4)
629
630	// ensure the 5th token is the root master token
631	root, _, err := acl.TokenReadSelf(nil)
632	require.NoError(t, err)
633	require.NotNil(t, root)
634	token5, ok := tokenMap[root.AccessorID]
635	require.True(t, ok)
636	require.NotNil(t, token5)
637}
638
639func TestAPI_ACLToken_Clone(t *testing.T) {
640	t.Parallel()
641	c, s := makeACLClient(t)
642	defer s.Stop()
643
644	acl := c.ACL()
645
646	master, _, err := acl.TokenReadSelf(nil)
647	require.NoError(t, err)
648	require.NotNil(t, master)
649
650	cloned, _, err := acl.TokenClone(master.AccessorID, "cloned", nil)
651	require.NoError(t, err)
652	require.NotNil(t, cloned)
653	require.NotEqual(t, master.AccessorID, cloned.AccessorID)
654	require.NotEqual(t, master.SecretID, cloned.SecretID)
655	require.Equal(t, "cloned", cloned.Description)
656	require.ElementsMatch(t, master.Policies, cloned.Policies)
657
658	read, _, err := acl.TokenRead(cloned.AccessorID, nil)
659	require.NoError(t, err)
660	require.NotNil(t, read)
661	require.Equal(t, cloned, read)
662}
663
664//
665func TestAPI_AuthMethod_List(t *testing.T) {
666	t.Parallel()
667	c, s := makeACLClient(t)
668	defer s.Stop()
669
670	acl := c.ACL()
671	s.WaitForSerfCheck(t)
672
673	method1 := ACLAuthMethod{
674		Name:          "test_1",
675		Type:          "kubernetes",
676		Description:   "test 1",
677		MaxTokenTTL:   260 * time.Second,
678		TokenLocality: "global",
679		Config:        AuthMethodCreateKubernetesConfigHelper(),
680	}
681
682	created1, wm, err := acl.AuthMethodCreate(&method1, nil)
683
684	require.NoError(t, err)
685	require.NotNil(t, created1)
686	require.NotEqual(t, "", created1.Name)
687	require.NotEqual(t, 0, wm.RequestTime)
688
689	method2 := ACLAuthMethod{
690		Name:          "test_2",
691		Type:          "kubernetes",
692		Description:   "test 2",
693		MaxTokenTTL:   0,
694		TokenLocality: "local",
695		Config:        AuthMethodCreateKubernetesConfigHelper(),
696	}
697
698	_, _, err = acl.AuthMethodCreate(&method2, nil)
699	require.NoError(t, err)
700
701	entries, _, err := acl.AuthMethodList(nil)
702	require.NoError(t, err)
703	require.NotNil(t, entries)
704	require.Equal(t, 2, len(entries))
705
706	{
707		entry := entries[0]
708		require.Equal(t, "test_1", entry.Name)
709		require.Equal(t, 260*time.Second, entry.MaxTokenTTL)
710		require.Equal(t, "global", entry.TokenLocality)
711	}
712	{
713		entry := entries[1]
714		require.Equal(t, "test_2", entry.Name)
715		require.Equal(t, time.Duration(0), entry.MaxTokenTTL)
716		require.Equal(t, "local", entry.TokenLocality)
717	}
718}
719
720func AuthMethodCreateKubernetesConfigHelper() (result map[string]interface{}) {
721	var pemData = `
722-----BEGIN CERTIFICATE-----
723MIIE1DCCArwCCQC2kx7TchbxAzANBgkqhkiG9w0BAQsFADAsMQswCQYDVQQGEwJV
724UzELMAkGA1UECAwCV0ExEDAOBgNVBAcMB1NlYXR0bGUwHhcNMjEwMTI3MDIzNDA1
725WhcNMjIwMTI3MDIzNDA1WjAsMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAO
726BgNVBAcMB1NlYXR0bGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt
727j3zRFLg2A2DcZFwoc1HvIsGzqcfvxjee/OQjKyIuXbdpbJGIahB2piNYtd49zU/5
728ofRAuqIQOco3V9LfL52I7NchNBvPQOrXjbpcM3qF2qQvunVlnnaPCIf8S5hsFMaq
729w2/+jnLjaUdXGJ9bold5E/bms87uRahvhUpY7MhkSDNsAen+YThpwucc9JFRmrz3
730EXGtTzcpyEn9b0s6ut9mum2UVqghAQyLeW8cNx1zeg6Bi5USjOKF6CQgF7o4kZ9X
731D0Nk5vB9eePs/q5N9LHkDFKVCmzAYgzcQeGZFEzNcgK7N5y+aB2xXKpH3tydpwRd
732uS+g05Jvk8M8P34wteUb8tq3jZuY7UYzlINMSrPuZdFhcGjmxPjC5hl1SZy4vF1s
733GAD9RsleTZ8yeC6Cfo4mba214C9CqYkC2NBw2HO53pzO/tYI844QPhjmVBJ7bb35
734S052HD7m+AzbfY6w9CDH4D4mzIM4u1yRB6OlXdXTH58BhgxHdEnugLYr13QlVWRW
7354nZgMFKiTY7cBscpPcVRsne/VR9VwSatp3adj+G8+WUtwQLJC2OcCFYvmHfdSOs0
736B15LH/tGeJcfKViKC9ifPq5abVZByr66jTQMAdBWet03OBnmLqJs9TI4wci0MkK/
737HlHYdy734rReD81LY9fCRCRFV4ZtMx2rfj7cqgKLlwIDAQABMA0GCSqGSIb3DQEB
738CwUAA4ICAQB6ji6wA9ROFx8ZhLPlEnDiielSUN8LR2K8cmAjxxffJo3GxRH/zZYl
739CM+DzU5VVzW6RGWuTNzcFNsxlaRx20sj5RyXLH90wFYLO2Rrs1XKWmqpfdN0Iiue
740W7rYdNPV7YPjIVQVoijEt8kwx24jE9mU5ILXe4+WKPWavG+dHA1r8lQdg7wmE/8R
741E/nSVtusuX0JRVdL96iy2HB37DYj+rJEE0C7fKAk51o0C4F6fOzUsWCaP/23pZNI
742rA6hCq2CJeT4ObVukCIrnylrckZs8ElcZ7PvJ9bCNvma+dAxbL0uEkv0q0feLeVh
743OTttNIVTUjYjr3KE6rtE1Rr35R/6HCK+zZDOkKf+TVEQsFuI4DRVEuntzjo9bgZf
744fAL6G+UXpzW440BJzmzADnSthawMZFdqVrrBzpzb+B2d9VLDEoyCCFzaJyj/Gyff
745kqxRFTHZJRKC/3iIRXOX64bIr1YmXHFHCBkcq7eyh1oeaTrGZ43HimaveWwcsPv/
746SxTJANJHqf4BiFtVjN7LZXi3HUIRAsceEbd0TfW5be9SQ0tbDyyGYt/bXtBLGTIh
7479kerr9eWDHlpHMTyP01+Ua3EacbfgrmvD9sa3s6gC4SnwlvLdubmyLwoorCs77eF
74815bSOU7NsVZfwLw+M+DyNWPxI1BR/XOP+YoyTgIEChIC9eYnmlWU2Q==
749-----END CERTIFICATE-----`
750
751	result = map[string]interface{}{
752		"Host":              "https://192.0.2.42:8443",
753		"CACert":            pemData,
754		"ServiceAccountJWT": `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImQxYTZiYzE5LWZiODItNDI5ZC05NmUxLTg1YTFjYjEyNGQ3MCIsImlhdCI6MTYxMTcxNTQ5NiwiZXhwIjoxNjExNzE5MDk2fQ.rrVS5h1Yw20eI41RsTl2YAqzKKikKNg3qMkDmspTPQs`,
755	}
756	return
757}
758
759func TestAPI_RulesTranslate_FromToken(t *testing.T) {
760	t.Parallel()
761	c, s := makeACLClient(t)
762	defer s.Stop()
763
764	acl := c.ACL()
765
766	ae := ACLEntry{
767		Name:  "API test",
768		Type:  ACLClientType,
769		Rules: `key "" { policy = "deny" }`,
770	}
771
772	id, _, err := acl.Create(&ae, nil)
773	require.NoError(t, err)
774
775	var accessor string
776	acl.c.config.Token = id
777
778	// This relies on the token upgrade loop running in the background
779	// to assign an accessor
780	retry.Run(t, func(r *retry.R) {
781		token, _, err := acl.TokenReadSelf(nil)
782		require.NoError(r, err)
783		require.NotEqual(r, "", token.AccessorID)
784		accessor = token.AccessorID
785	})
786	acl.c.config.Token = "root"
787
788	rules, err := acl.RulesTranslateToken(accessor)
789	require.NoError(t, err)
790	require.Equal(t, "key_prefix \"\" {\n  policy = \"deny\"\n}", rules)
791}
792
793func TestAPI_RulesTranslate_Raw(t *testing.T) {
794	t.Parallel()
795	c, s := makeACLClient(t)
796	defer s.Stop()
797
798	acl := c.ACL()
799
800	input := `#start of policy
801agent "" {
802   policy = "read"
803}
804
805node "" {
806   policy = "read"
807}
808
809service "" {
810   policy = "read"
811}
812
813key "" {
814   policy = "read"
815}
816
817session "" {
818   policy = "read"
819}
820
821event "" {
822   policy = "read"
823}
824
825query "" {
826   policy = "read"
827}`
828
829	expected := `#start of policy
830agent_prefix "" {
831  policy = "read"
832}
833
834node_prefix "" {
835  policy = "read"
836}
837
838service_prefix "" {
839  policy = "read"
840}
841
842key_prefix "" {
843  policy = "read"
844}
845
846session_prefix "" {
847  policy = "read"
848}
849
850event_prefix "" {
851  policy = "read"
852}
853
854query_prefix "" {
855  policy = "read"
856}`
857
858	rules, err := acl.RulesTranslate(strings.NewReader(input))
859	require.NoError(t, err)
860	require.Equal(t, expected, rules)
861}
862