
     1  package acl
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  	"testing"
     7  
     8  	"github.com/stretchr/testify/assert"
     9  )
    10  
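// TestParse runs raw ACL policy text through Parse and checks either the
// decoded *Policy or a substring of the returned error. The table asserts
// which capabilities a coarse policy value ("read", "write", "scale", "list")
// expands to and which documents are rejected; it exercises parsing only,
// not how the resulting policy is enforced.
func TestParse(t *testing.T) {
	type tcase struct {
		Raw    string  // policy document handed to Parse
		ErrStr string  // substring expected in the error; "" means Parse must succeed
		Expect *Policy // expected result when ErrStr is ""; Raw is filled in by the loop
	}
	tcases := []tcase{
		{
			`
			namespace "default" {
				policy = "read"
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: PolicyRead,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
						},
					},
				},
			},
		},
		{
			`
			namespace "default" {
				policy = "read"
			}
			namespace "other" {
				policy = "write"
			}
			namespace "secret" {
				capabilities = ["deny", "read-logs"]
			}
			namespace "autoscaler" {
				policy = "scale"
			}
			agent {
				policy = "read"
			}
			node {
				policy = "write"
			}
			operator {
				policy = "deny"
			}
			quota {
				policy = "read"
			}
			plugin {
				policy = "read"
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: PolicyRead,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
						},
					},
					{
						Name:   "other",
						Policy: PolicyWrite,
						Capabilities: []string{
							NamespaceCapabilityListJobs,
							NamespaceCapabilityReadJob,
							NamespaceCapabilityCSIListVolume,
							NamespaceCapabilityCSIReadVolume,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
							NamespaceCapabilityScaleJob,
							NamespaceCapabilitySubmitJob,
							NamespaceCapabilityDispatchJob,
							NamespaceCapabilityReadLogs,
							NamespaceCapabilityReadFS,
							NamespaceCapabilityAllocExec,
							NamespaceCapabilityAllocLifecycle,
							NamespaceCapabilityCSIMountVolume,
							NamespaceCapabilityCSIWriteVolume,
						},
					},
					{
						// An explicit capability list is kept verbatim, including
						// "deny" next to a grant; precedence between the two is
						// not decided here.
						Name: "secret",
						Capabilities: []string{
							NamespaceCapabilityDeny,
							NamespaceCapabilityReadLogs,
						},
					},
					{
						Name:   "autoscaler",
						Policy: PolicyScale,
						Capabilities: []string{
							NamespaceCapabilityListScalingPolicies,
							NamespaceCapabilityReadScalingPolicy,
							NamespaceCapabilityReadJobScaling,
							NamespaceCapabilityScaleJob,
						},
					},
				},
				Agent: &AgentPolicy{
					Policy: PolicyRead,
				},
				Node: &NodePolicy{
					Policy: PolicyWrite,
				},
				Operator: &OperatorPolicy{
					Policy: PolicyDeny,
				},
				Quota: &QuotaPolicy{
					Policy: PolicyRead,
				},
				Plugin: &PluginPolicy{
					Policy: PolicyRead,
				},
			},
		},
		// Unknown policy values and capabilities must be rejected rather than
		// silently dropped or mapped to a default.
		{
			`
			namespace "default" {
				policy = "foo"
			}
			`,
			"Invalid namespace policy",
			nil,
		},
		{
			`
			namespace "default" {
				capabilities = ["deny", "foo"]
			}
			`,
			"Invalid namespace capability",
			nil,
		},
		{
			`
			agent {
				policy = "foo"
			}
			`,
			"Invalid agent policy",
			nil,
		},
		{
			`
			node {
				policy = "foo"
			}
			`,
			"Invalid node policy",
			nil,
		},
		{
			`
			operator {
				policy = "foo"
			}
			`,
			"Invalid operator policy",
			nil,
		},
		{
			`
			quota {
				policy = "foo"
			}
			`,
			"Invalid quota policy",
			nil,
		},
		// A JSON policy object is not an accepted policy document.
		{
			`
			{
				"Name": "my-policy",
				"Description": "This is a great policy",
				"Rules": "anything"
			}
			`,
			"Invalid policy",
			nil,
		},
		{
			`
			namespace "has a space"{
				policy = "read"
			}
			`,
			"Invalid namespace name",
			nil,
		},
		{
			`
			namespace "default" {
				capabilities = ["sentinel-override"]
			}
			`,
			"",
			&Policy{
				Namespaces: []*NamespacePolicy{
					{
						Name:   "default",
						Policy: "",
						Capabilities: []string{
							NamespaceCapabilitySentinelOverride,
						},
					},
				},
			},
		},
		{
			`
			host_volume "production-tls-*" {
				capabilities = ["mount-readonly"]
			}
			`,
			"",
			&Policy{
				HostVolumes: []*HostVolumePolicy{
					{
						Name:   "production-tls-*",
						Policy: "",
						Capabilities: []string{
							HostVolumeCapabilityMountReadOnly,
						},
					},
				},
			},
		},
		{
			`
			host_volume "production-tls-*" {
				capabilities = ["mount-readwrite"]
			}
			`,
			"",
			&Policy{
				HostVolumes: []*HostVolumePolicy{
					{
						Name:   "production-tls-*",
						Policy: "",
						Capabilities: []string{
							HostVolumeCapabilityMountReadWrite,
						},
					},
				},
			},
		},
		{
			`
			host_volume "volume has a space" {
				capabilities = ["mount-readwrite"]
			}
			`,
			"Invalid host volume name",
			nil,
		},
		{
			`
			plugin {
				policy = "list"
			}
			`,
			"",
			&Policy{
				Plugin: &PluginPolicy{
					Policy: PolicyList,
				},
			},
		},
		{
			`
			plugin {
				policy = "reader"
			}
			`,
			"Invalid plugin policy",
			nil,
		},
	}

	for idx, tc := range tcases {
		t.Run(fmt.Sprintf("%d", idx), func(t *testing.T) {
			p, err := Parse(tc.Raw)
			if err != nil {
				if tc.ErrStr == "" {
					t.Fatalf("Unexpected err: %v", err)
				}
				// Report what was expected so a changed error message is
				// diagnosable from the failure alone.
				if !strings.Contains(err.Error(), tc.ErrStr) {
					t.Fatalf("Unexpected err: %v (want substring %q)", err, tc.ErrStr)
				}
				return
			}
			// Parse succeeded, so the case must not have expected a failure.
			if tc.ErrStr != "" {
				t.Fatalf("Missing expected err containing %q", tc.ErrStr)
			}
			// Guard the table itself: a success case without an expectation
			// would otherwise dereference nil below.
			if tc.Expect == nil {
				t.Fatalf("test case %d succeeded but has no expected policy", idx)
			}
			// The expectation table omits Raw; Parse is expected to echo the
			// input document there, so fill it in before comparing.
			tc.Expect.Raw = tc.Raw
			assert.EqualValues(t, tc.Expect, p)
		})
	}
}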