github.com/blixtra/nomad@v0.7.2-0.20171221000451-da9a1d7bb050/acl/acl_test.go (about) 1 package acl 2 3 import ( 4 "testing" 5 6 "github.com/stretchr/testify/assert" 7 ) 8 9 func TestCapabilitySet(t *testing.T) { 10 var cs capabilitySet = make(map[string]struct{}) 11 12 // Check no capabilities by default 13 if cs.Check(PolicyDeny) { 14 t.Fatalf("unexpected check") 15 } 16 17 // Do a set and check 18 cs.Set(PolicyDeny) 19 if !cs.Check(PolicyDeny) { 20 t.Fatalf("missing check") 21 } 22 23 // Clear and check 24 cs.Clear() 25 if cs.Check(PolicyDeny) { 26 t.Fatalf("unexpected check") 27 } 28 } 29 30 func TestMaxPrivilege(t *testing.T) { 31 type tcase struct { 32 Privilege string 33 PrecedenceOver []string 34 } 35 tcases := []tcase{ 36 { 37 PolicyDeny, 38 []string{PolicyDeny, PolicyWrite, PolicyRead, ""}, 39 }, 40 { 41 PolicyWrite, 42 []string{PolicyWrite, PolicyRead, ""}, 43 }, 44 { 45 PolicyRead, 46 []string{PolicyRead, ""}, 47 }, 48 } 49 50 for idx1, tc := range tcases { 51 for idx2, po := range tc.PrecedenceOver { 52 if maxPrivilege(tc.Privilege, po) != tc.Privilege { 53 t.Fatalf("failed %d %d", idx1, idx2) 54 } 55 if maxPrivilege(po, tc.Privilege) != tc.Privilege { 56 t.Fatalf("failed %d %d", idx1, idx2) 57 } 58 } 59 } 60 } 61 62 func TestACLManagement(t *testing.T) { 63 assert := assert.New(t) 64 65 // Create management ACL 66 acl, err := NewACL(true, nil) 67 assert.Nil(err) 68 69 // Check default namespace rights 70 assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs)) 71 assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob)) 72 assert.True(acl.AllowNamespace("default")) 73 74 // Check non-specified namespace 75 assert.True(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs)) 76 assert.True(acl.AllowNamespace("foo")) 77 78 // Check the other simpler operations 79 assert.True(acl.IsManagement()) 80 assert.True(acl.AllowAgentRead()) 81 assert.True(acl.AllowAgentWrite()) 82 assert.True(acl.AllowNodeRead()) 83 assert.True(acl.AllowNodeWrite()) 84 assert.True(acl.AllowOperatorRead()) 85 assert.True(acl.AllowOperatorWrite()) 86 assert.True(acl.AllowQuotaRead()) 87 assert.True(acl.AllowQuotaWrite()) 88 } 89 90 func TestACLMerge(t *testing.T) { 91 assert := assert.New(t) 92 93 // Merge read + write policy 94 p1, err := Parse(readAll) 95 assert.Nil(err) 96 p2, err := Parse(writeAll) 97 assert.Nil(err) 98 acl, err := NewACL(false, []*Policy{p1, p2}) 99 assert.Nil(err) 100 101 // Check default namespace rights 102 assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs)) 103 assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob)) 104 assert.True(acl.AllowNamespace("default")) 105 106 // Check non-specified namespace 107 assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs)) 108 assert.False(acl.AllowNamespace("foo")) 109 110 // Check the other simpler operations 111 assert.False(acl.IsManagement()) 112 assert.True(acl.AllowAgentRead()) 113 assert.True(acl.AllowAgentWrite()) 114 assert.True(acl.AllowNodeRead()) 115 assert.True(acl.AllowNodeWrite()) 116 assert.True(acl.AllowOperatorRead()) 117 assert.True(acl.AllowOperatorWrite()) 118 assert.True(acl.AllowQuotaRead()) 119 assert.True(acl.AllowQuotaWrite()) 120 121 // Merge read + blank 122 p3, err := Parse("") 123 assert.Nil(err) 124 acl, err = NewACL(false, []*Policy{p1, p3}) 125 assert.Nil(err) 126 127 // Check default namespace rights 128 assert.True(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs)) 129 assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob)) 130 131 // Check non-specified namespace 132 assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs)) 133 134 // Check the other simpler operations 135 assert.False(acl.IsManagement()) 136 assert.True(acl.AllowAgentRead()) 137 assert.False(acl.AllowAgentWrite()) 138 assert.True(acl.AllowNodeRead()) 139 assert.False(acl.AllowNodeWrite()) 140 assert.True(acl.AllowOperatorRead()) 141 assert.False(acl.AllowOperatorWrite()) 142 assert.True(acl.AllowQuotaRead()) 143 assert.False(acl.AllowQuotaWrite()) 144 145 // Merge read + deny 146 p4, err := Parse(denyAll) 147 assert.Nil(err) 148 acl, err = NewACL(false, []*Policy{p1, p4}) 149 assert.Nil(err) 150 151 // Check default namespace rights 152 assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilityListJobs)) 153 assert.False(acl.AllowNamespaceOperation("default", NamespaceCapabilitySubmitJob)) 154 155 // Check non-specified namespace 156 assert.False(acl.AllowNamespaceOperation("foo", NamespaceCapabilityListJobs)) 157 158 // Check the other simpler operations 159 assert.False(acl.IsManagement()) 160 assert.False(acl.AllowAgentRead()) 161 assert.False(acl.AllowAgentWrite()) 162 assert.False(acl.AllowNodeRead()) 163 assert.False(acl.AllowNodeWrite()) 164 assert.False(acl.AllowOperatorRead()) 165 assert.False(acl.AllowOperatorWrite()) 166 assert.False(acl.AllowQuotaRead()) 167 assert.False(acl.AllowQuotaWrite()) 168 } 169 170 var readAll = ` 171 namespace "default" { 172 policy = "read" 173 } 174 agent { 175 policy = "read" 176 } 177 node { 178 policy = "read" 179 } 180 operator { 181 policy = "read" 182 } 183 quota { 184 policy = "read" 185 } 186 ` 187 188 var writeAll = ` 189 namespace "default" { 190 policy = "write" 191 } 192 agent { 193 policy = "write" 194 } 195 node { 196 policy = "write" 197 } 198 operator { 199 policy = "write" 200 } 201 quota { 202 policy = "write" 203 } 204 ` 205 206 var denyAll = ` 207 namespace "default" { 208 policy = "deny" 209 } 210 agent { 211 policy = "deny" 212 } 213 node { 214 policy = "deny" 215 } 216 operator { 217 policy = "deny" 218 } 219 quota { 220 policy = "deny" 221 } 222 ` 223 224 func TestAllowNamespace(t *testing.T) { 225 tests := []struct { 226 Policy string 227 Allow bool 228 }{ 229 { 230 Policy: `namespace "foo" {}`, 231 Allow: false, 232 }, 233 { 234 Policy: `namespace "foo" { policy = "deny" }`, 235 Allow: false, 236 }, 237 { 238 Policy: `namespace "foo" { capabilities = ["deny"] }`, 239 Allow: false, 240 }, 241 { 242 Policy: `namespace "foo" { capabilities = ["list-jobs"] }`, 243 Allow: true, 244 }, 245 { 246 Policy: `namespace "foo" { policy = "read" }`, 247 Allow: true, 248 }, 249 } 250 251 for _, tc := range tests { 252 t.Run(tc.Policy, func(t *testing.T) { 253 assert := assert.New(t) 254 255 policy, err := Parse(tc.Policy) 256 assert.Nil(err) 257 258 acl, err := NewACL(false, []*Policy{policy}) 259 assert.Nil(err) 260 261 assert.Equal(tc.Allow, acl.AllowNamespace("foo")) 262 }) 263 } 264 }