Beispiel #1
0
func TestACL_filterNodeServices(t *testing.T) {
	// Create some node services
	services := structs.NodeServices{
		Node: &structs.Node{
			Node: "node1",
		},
		Services: map[string]*structs.NodeService{
			"foo": &structs.NodeService{
				ID:      "foo",
				Service: "foo",
			},
		},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterNodeServices(&services)
	if len(services.Services) != 1 {
		t.Fatalf("bad: %#v", services.Services)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterNodeServices(&services)
	if len(services.Services) != 0 {
		t.Fatalf("bad: %#v", services.Services)
	}
}
Beispiel #2
0
// lookupACL is used when we are non-authoritative, and need
// to resolve an ACL
func (c *aclCache) lookupACL(id, authDC string) (acl.ACL, error) {
	// Check the cache for the ACL
	var cached *aclCacheEntry
	raw, ok := c.acls.Get(id)
	if ok {
		cached = raw.(*aclCacheEntry)
	}

	// Check for live cache
	if cached != nil && time.Now().Before(cached.Expires) {
		metrics.IncrCounter([]string{"consul", "acl", "cache_hit"}, 1)
		return cached.ACL, nil
	} else {
		metrics.IncrCounter([]string{"consul", "acl", "cache_miss"}, 1)
	}

	// Attempt to refresh the policy
	args := structs.ACLPolicyRequest{
		Datacenter: authDC,
		ACL:        id,
	}
	if cached != nil {
		args.ETag = cached.ETag
	}
	var out structs.ACLPolicy
	err := c.rpc("ACL.GetPolicy", &args, &out)

	// Handle the happy path
	if err == nil {
		return c.useACLPolicy(id, authDC, cached, &out)
	}

	// Check for not-found
	if strings.Contains(err.Error(), aclNotFound) {
		return nil, errors.New(aclNotFound)
	} else {
		c.logger.Printf("[ERR] consul.acl: Failed to get policy for '%s': %v", id, err)
	}

	// Unable to refresh, apply the down policy
	switch c.config.ACLDownPolicy {
	case "allow":
		return acl.AllowAll(), nil
	case "extend-cache":
		if cached != nil {
			return cached.ACL, nil
		}
		fallthrough
	default:
		return acl.DenyAll(), nil
	}
}
Beispiel #3
0
func TestACL_filterNodeDump(t *testing.T) {
	// Create a node dump
	dump := structs.NodeDump{
		&structs.NodeInfo{
			Node: "node1",
			Services: []*structs.NodeService{
				&structs.NodeService{
					ID:      "foo",
					Service: "foo",
				},
			},
			Checks: []*structs.HealthCheck{
				&structs.HealthCheck{
					Node:        "node1",
					CheckID:     "check1",
					ServiceName: "foo",
				},
			},
		},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterNodeDump(&dump)
	if len(dump) != 1 {
		t.Fatalf("bad: %#v", dump)
	}
	if len(dump[0].Services) != 1 {
		t.Fatalf("bad: %#v", dump[0].Services)
	}
	if len(dump[0].Checks) != 1 {
		t.Fatalf("bad: %#v", dump[0].Checks)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterNodeDump(&dump)
	if len(dump) != 1 {
		t.Fatalf("bad: %#v", dump)
	}
	if len(dump[0].Services) != 0 {
		t.Fatalf("bad: %#v", dump[0].Services)
	}
	if len(dump[0].Checks) != 0 {
		t.Fatalf("bad: %#v", dump[0].Checks)
	}
}
Beispiel #4
0
func TestACL_filterServices(t *testing.T) {
	// Create some services
	services := structs.Services{
		"service1": []string{},
		"service2": []string{},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterServices(services)
	if len(services) != 2 {
		t.Fatalf("bad: %#v", services)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterServices(services)
	if len(services) != 0 {
		t.Fatalf("bad: %#v", services)
	}
}
Beispiel #5
0
func TestACL_filterCheckServiceNodes(t *testing.T) {
	// Create some nodes
	nodes := structs.CheckServiceNodes{
		structs.CheckServiceNode{
			Node: &structs.Node{
				Node: "node1",
			},
			Service: &structs.NodeService{
				ID:      "foo",
				Service: "foo",
			},
			Checks: structs.HealthChecks{
				&structs.HealthCheck{
					Node:        "node1",
					CheckID:     "check1",
					ServiceName: "foo",
				},
			},
		},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterCheckServiceNodes(&nodes)
	if len(nodes) != 1 {
		t.Fatalf("bad: %#v", nodes)
	}
	if len(nodes[0].Checks) != 1 {
		t.Fatalf("bad: %#v", nodes[0].Checks)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterCheckServiceNodes(&nodes)
	if len(nodes) != 0 {
		t.Fatalf("bad: %#v", nodes)
	}
}
Beispiel #6
0
func TestACL_filterServiceNodes(t *testing.T) {
	// Create some service nodes
	nodes := structs.ServiceNodes{
		&structs.ServiceNode{
			Node:        "node1",
			ServiceName: "foo",
		},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterServiceNodes(&nodes)
	if len(nodes) != 1 {
		t.Fatalf("bad: %#v", nodes)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterServiceNodes(&nodes)
	if len(nodes) != 0 {
		t.Fatalf("bad: %#v", nodes)
	}
}
Beispiel #7
0
func TestACL_filterHealthChecks(t *testing.T) {
	// Create some health checks
	hc := structs.HealthChecks{
		&structs.HealthCheck{
			Node:        "node1",
			CheckID:     "check1",
			ServiceName: "foo",
		},
	}

	// Try permissive filtering
	filt := newAclFilter(acl.AllowAll(), nil)
	filt.filterHealthChecks(&hc)
	if len(hc) != 1 {
		t.Fatalf("bad: %#v", hc)
	}

	// Try restrictive filtering
	filt = newAclFilter(acl.DenyAll(), nil)
	filt.filterHealthChecks(&hc)
	if len(hc) != 0 {
		t.Fatalf("bad: %#v", hc)
	}
}
Beispiel #8
0
func TestACL_DownPolicy_Allow(t *testing.T) {
	dir1, s1 := testServerWithConfig(t, func(c *Config) {
		c.ACLDatacenter = "dc1"
		c.ACLDownPolicy = "allow"
		c.ACLMasterToken = "root"
	})
	defer os.RemoveAll(dir1)
	defer s1.Shutdown()
	client := rpcClient(t, s1)
	defer client.Close()

	dir2, s2 := testServerWithConfig(t, func(c *Config) {
		c.ACLDatacenter = "dc1" // Enable ACLs!
		c.ACLDownPolicy = "allow"
		c.Bootstrap = false // Disable bootstrap
	})
	defer os.RemoveAll(dir2)
	defer s2.Shutdown()

	// Try to join
	addr := fmt.Sprintf("127.0.0.1:%d",
		s1.config.SerfLANConfig.MemberlistConfig.BindPort)
	if _, err := s2.JoinLAN([]string{addr}); err != nil {
		t.Fatalf("err: %v", err)
	}

	testutil.WaitForResult(func() (bool, error) {
		p1, _ := s1.raftPeers.Peers()
		return len(p1) == 2, errors.New(fmt.Sprintf("%v", p1))
	}, func(err error) {
		t.Fatalf("should have 2 peers: %v", err)
	})
	testutil.WaitForLeader(t, s1.RPC, "dc1")

	// Create a new token
	arg := structs.ACLRequest{
		Datacenter: "dc1",
		Op:         structs.ACLSet,
		ACL: structs.ACL{
			Name:  "User token",
			Type:  structs.ACLTypeClient,
			Rules: testACLPolicy,
		},
		WriteRequest: structs.WriteRequest{Token: "root"},
	}
	var id string
	if err := s1.RPC("ACL.Apply", &arg, &id); err != nil {
		t.Fatalf("err: %v", err)
	}

	// find the non-authoritative server
	var nonAuth *Server
	var auth *Server
	if !s1.IsLeader() {
		nonAuth = s1
		auth = s2
	} else {
		nonAuth = s2
		auth = s1
	}

	// Kill the authoritative server
	auth.Shutdown()

	// Token should resolve into a AllowAll
	aclR, err := nonAuth.resolveToken(id)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if aclR != acl.AllowAll() {
		t.Fatalf("bad acl: %#v", aclR)
	}
}