github.com/hernad/nomad@v1.6.112/command/agent/consul/acl_testing.go (about) 1 // Copyright (c) HashiCorp, Inc. 2 // SPDX-License-Identifier: MPL-2.0 3 4 package consul 5 6 import ( 7 "errors" 8 "sync" 9 "time" 10 11 "github.com/hashicorp/consul/api" 12 "github.com/hashicorp/go-hclog" 13 "github.com/hernad/nomad/helper/uuid" 14 ) 15 16 var _ ACLsAPI = (*MockACLsAPI)(nil) 17 18 // MockACLsAPI is a mock of consul.ACLsAPI 19 type MockACLsAPI struct { 20 logger hclog.Logger 21 22 lock sync.Mutex 23 state struct { 24 index uint64 25 error error 26 tokens map[string]*api.ACLToken 27 } 28 } 29 30 func NewMockACLsAPI(l hclog.Logger) *MockACLsAPI { 31 return &MockACLsAPI{ 32 logger: l.Named("mock_consul"), 33 state: struct { 34 index uint64 35 error error 36 tokens map[string]*api.ACLToken 37 }{tokens: make(map[string]*api.ACLToken)}, 38 } 39 } 40 41 // Example Consul policies for use in tests. 42 const ( 43 ExamplePolicyID1 = "a7c86856-0af5-4ab5-8834-03f4517e5564" 44 ExamplePolicyID2 = "ffa1b66c-967d-4468-8775-c687b5cfc16e" 45 ExamplePolicyID3 = "f68f0c36-51f8-4343-97dd-f0d4816c915f" 46 ExamplePolicyID4 = "1087ff34-b8a0-9bb3-9430-d2f758f52bd3" 47 ) 48 49 func (m *MockACLsAPI) PolicyRead(policyID string, _ *api.QueryOptions) (*api.ACLPolicy, *api.QueryMeta, error) { 50 switch policyID { 51 52 case ExamplePolicyID1: 53 return &api.ACLPolicy{ 54 ID: ExamplePolicyID1, 55 Name: "example-policy-1", 56 Rules: `service "service1" { policy = "write" }`, 57 }, nil, nil 58 59 case ExamplePolicyID2: 60 return &api.ACLPolicy{ 61 ID: ExamplePolicyID2, 62 Rules: `service_prefix "foo-" { policy = "write" }`, 63 }, nil, nil 64 65 case ExamplePolicyID3: 66 return &api.ACLPolicy{ 67 ID: ExamplePolicyID3, 68 Rules: ` 69 service "service1" { policy = "read" } 70 service "service2" { policy = "write" }`, 71 }, nil, nil 72 73 case ExamplePolicyID4: 74 return &api.ACLPolicy{ 75 ID: ExamplePolicyID4, 76 Rules: `key_prefix "" { policy = "read" }`, 77 }, nil, nil 78 79 default: 80 return nil, nil, errors.New("no such policy") 81 } 82 } 83 84 // Example Consul roles for use in tests. 85 const ( 86 ExampleRoleID1 = "e569a3a8-7dfb-b024-e492-e790fe3c4183" 87 ExampleRoleID2 = "88c825f4-d0da-1c2b-0c1c-cc9fe84c4468" 88 ExampleRoleID3 = "b19b2058-6205-6dff-d2b0-470f29b8e627" 89 ) 90 91 func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole, *api.QueryMeta, error) { 92 switch roleID { 93 case ExampleRoleID1: 94 return &api.ACLRole{ 95 ID: ExampleRoleID1, 96 Name: "example-role-1", 97 Policies: []*api.ACLRolePolicyLink{{ 98 ID: ExamplePolicyID1, 99 Name: "example-policy-1", 100 }}, 101 ServiceIdentities: nil, 102 }, nil, nil 103 case ExampleRoleID2: 104 return &api.ACLRole{ 105 ID: ExampleRoleID2, 106 Name: "example-role-2", 107 Policies: []*api.ACLRolePolicyLink{{ 108 ID: ExamplePolicyID2, 109 Name: "example-policy-2", 110 }}, 111 ServiceIdentities: nil, 112 }, nil, nil 113 case ExampleRoleID3: 114 return &api.ACLRole{ 115 ID: ExampleRoleID3, 116 Name: "example-role-3", 117 Policies: nil, // todo add more if needed 118 ServiceIdentities: nil, // todo add more if needed 119 }, nil, nil 120 default: 121 return nil, nil, nil 122 } 123 } 124 125 // Example Consul ACL tokens for use in tests. These tokens belong to the 126 // default Consul namespace. 127 const ( 128 ExampleOperatorTokenID0 = "de591604-86eb-1e6f-8b44-d4db752921ae" 129 ExampleOperatorTokenID1 = "59c219c2-47e4-43f3-bb45-258fd13f59d5" 130 ExampleOperatorTokenID2 = "868cc216-e123-4c2b-b362-f4d4c087de8e" 131 ExampleOperatorTokenID3 = "6177d1b9-c0f6-4118-b891-d818a3cb80b1" 132 ExampleOperatorTokenID4 = "754ae26c-f3cc-e088-d486-9c0d20f5eaea" 133 ExampleOperatorTokenID5 = "097cbb45-506b-c79c-ec38-82eb0dc0794a" 134 ExampleOperatorTokenID6 = "6268bd42-6f72-4c90-9c83-90ed6336dcf9" 135 ) 136 137 // Example Consul ACL tokens for use in tests that match the policies as the 138 // tokens above, but these belong to the "banana" Consul namespace. 139 const ( 140 ExampleOperatorTokenID10 = "ddfe688f-655f-e8dd-1db5-5650eed00aeb" 141 ExampleOperatorTokenID11 = "46d09394-598c-1e55-b7fd-64cd2f409707" 142 ExampleOperatorTokenID12 = "a041cb88-0f4b-0314-89f6-10e1e093d2e5" 143 ExampleOperatorTokenID13 = "cc22a583-243f-3258-14ad-db0e56749657" 144 ExampleOperatorTokenID14 = "5b6d0508-13a6-4bc3-33a1-ba1941e1175b" 145 ExampleOperatorTokenID15 = "e9db1754-c075-d0fc-0a7e-de1e9e7bff98" 146 ) 147 148 // Example Consul ACL tokens for use in tests that match the policies as the 149 // tokens above, but these belong to the "default" Consul namespace. 150 const ( 151 ExampleOperatorTokenID20 = "937b3287-557c-5af8-beb0-d62191988719" 152 ExampleOperatorTokenID21 = "067fd927-abfb-d98f-b693-bb05dccea565" 153 ExampleOperatorTokenID22 = "71f8030f-f6bd-6157-6614-ba6a0bbfba9f" 154 ExampleOperatorTokenID23 = "1dfd2982-b7a1-89ec-09b4-74712983d13c" 155 ExampleOperatorTokenID24 = "d26dbc2a-d5d8-e3d9-8a38-e05dec499124" 156 ExampleOperatorTokenID25 = "dd5a8eef-554c-a1f9-fdb8-f25eb77258bc" 157 ) 158 159 var ( 160 // In no Consul namespace (OSS, ENT w/o Namespaces) 161 162 ExampleOperatorToken0 = &api.ACLToken{ 163 SecretID: ExampleOperatorTokenID0, 164 AccessorID: "228865c6-3bf6-6683-df03-06dea2779088 ", 165 Description: "Operator Token 0", 166 Namespace: "", 167 } 168 169 ExampleOperatorToken1 = &api.ACLToken{ 170 SecretID: ExampleOperatorTokenID1, 171 AccessorID: "e341bacd-535e-417c-8f45-f88d7faffcaf", 172 Description: "Operator Token 1", 173 Policies: []*api.ACLTokenPolicyLink{{ 174 ID: ExamplePolicyID1, 175 }}, 176 Namespace: "", 177 } 178 179 ExampleOperatorToken2 = &api.ACLToken{ 180 SecretID: ExampleOperatorTokenID2, 181 AccessorID: "615b4d77-5164-4ec6-b616-24c0b24ac9cb", 182 Description: "Operator Token 2", 183 Policies: []*api.ACLTokenPolicyLink{{ 184 ID: ExamplePolicyID2, 185 }}, 186 Namespace: "", 187 } 188 189 ExampleOperatorToken3 = &api.ACLToken{ 190 SecretID: ExampleOperatorTokenID3, 191 AccessorID: "6b7de0d7-15f7-45b4-95eb-fb775bfe3fdc", 192 Description: "Operator Token 3", 193 Policies: []*api.ACLTokenPolicyLink{{ 194 ID: ExamplePolicyID3, 195 }}, 196 Namespace: "", 197 } 198 199 ExampleOperatorToken4 = &api.ACLToken{ 200 SecretID: ExampleOperatorTokenID4, 201 AccessorID: "7b5fdb1a-71e5-f3d8-2cfe-448d973f327d", 202 Description: "Operator Token 4", 203 Policies: nil, // no direct policy, only roles 204 Roles: []*api.ACLTokenRoleLink{{ 205 ID: ExampleRoleID1, 206 Name: "example-role-1", 207 }}, 208 Namespace: "", 209 } 210 211 ExampleOperatorToken5 = &api.ACLToken{ 212 SecretID: ExampleOperatorTokenID5, 213 AccessorID: "cf39aad5-00c3-af23-cf0b-75d41e12f28d", 214 Description: "Operator Token 5", 215 Policies: []*api.ACLTokenPolicyLink{{ 216 ID: ExamplePolicyID4, 217 }}, 218 Namespace: "", 219 } 220 221 ExampleOperatorToken6 = &api.ACLToken{ 222 SecretID: ExampleOperatorTokenID6, 223 AccessorID: "93786935-8856-6e17-0488-c5370a1f044e", 224 Description: "Operator Token 6", 225 ServiceIdentities: []*api.ACLServiceIdentity{ 226 {ServiceName: "service1"}, 227 }, 228 Namespace: "", 229 } 230 231 // In Consul namespace "banana" 232 233 ExampleOperatorToken10 = &api.ACLToken{ 234 SecretID: ExampleOperatorTokenID10, 235 AccessorID: "76a2c3b5-5d64-9089-f701-660eec2d3554", 236 Description: "Operator Token 0", 237 Namespace: "banana", 238 } 239 240 ExampleOperatorToken11 = &api.ACLToken{ 241 SecretID: ExampleOperatorTokenID11, 242 AccessorID: "40f2a36a-0a65-1972-106c-b2e5dd46d6e8", 243 Description: "Operator Token 1", 244 Policies: []*api.ACLTokenPolicyLink{{ 245 ID: ExamplePolicyID1, 246 }}, 247 Namespace: "banana", 248 } 249 250 ExampleOperatorToken12 = &api.ACLToken{ 251 SecretID: ExampleOperatorTokenID12, 252 AccessorID: "894f2c5c-b285-71bf-4acb-6344cecf71f3", 253 Description: "Operator Token 2", 254 Policies: []*api.ACLTokenPolicyLink{{ 255 ID: ExamplePolicyID2, 256 }}, 257 Namespace: "banana", 258 } 259 260 ExampleOperatorToken13 = &api.ACLToken{ 261 SecretID: ExampleOperatorTokenID13, 262 AccessorID: "2a81ec0b-692e-845e-f5b8-c33c05e5af22", 263 Description: "Operator Token 3", 264 Policies: []*api.ACLTokenPolicyLink{{ 265 ID: ExamplePolicyID3, 266 }}, 267 Namespace: "banana", 268 } 269 270 ExampleOperatorToken14 = &api.ACLToken{ 271 SecretID: ExampleOperatorTokenID14, 272 AccessorID: "4273f1cc-5626-7a77-dc65-1f24af035ed5d", 273 Description: "Operator Token 4", 274 Policies: nil, // no direct policy, only roles 275 Roles: []*api.ACLTokenRoleLink{{ 276 ID: ExampleRoleID1, 277 Name: "example-role-1", 278 }}, 279 Namespace: "banana", 280 } 281 282 ExampleOperatorToken15 = &api.ACLToken{ 283 SecretID: ExampleOperatorTokenID15, 284 AccessorID: "5b78e186-87d8-c1ad-966f-f5fa87b05c9a", 285 Description: "Operator Token 5", 286 Policies: []*api.ACLTokenPolicyLink{{ 287 ID: ExamplePolicyID4, 288 }}, 289 Namespace: "banana", 290 } 291 292 // In Consul namespace "default" 293 294 ExampleOperatorToken20 = &api.ACLToken{ 295 SecretID: ExampleOperatorTokenID20, 296 AccessorID: "228865c6-3bf6-6683-df03-06dea2779088", 297 Description: "Operator Token 0", 298 // Should still be able to register jobs where no namespace was set 299 Namespace: "default", 300 } 301 302 ExampleOperatorToken21 = &api.ACLToken{ 303 SecretID: ExampleOperatorTokenID21, 304 AccessorID: "54d01af9-5036-31d3-296b-b15b941d7aa2", 305 Description: "Operator Token 1", 306 Policies: []*api.ACLTokenPolicyLink{{ 307 ID: ExamplePolicyID1, 308 }}, 309 // Should still be able to register jobs where no namespace was set 310 Namespace: "default", 311 } 312 313 ExampleOperatorToken22 = &api.ACLToken{ 314 SecretID: ExampleOperatorTokenID22, 315 AccessorID: "894f2c5c-b285-71bf-4acb-6344cecf71f3", 316 Description: "Operator Token 2", 317 Policies: []*api.ACLTokenPolicyLink{{ 318 ID: ExamplePolicyID2, 319 }}, 320 Namespace: "default", 321 } 322 323 ExampleOperatorToken23 = &api.ACLToken{ 324 SecretID: ExampleOperatorTokenID23, 325 AccessorID: "2a81ec0b-692e-845e-f5b8-c33c05e5af22", 326 Description: "Operator Token 3", 327 Policies: []*api.ACLTokenPolicyLink{{ 328 ID: ExamplePolicyID3, 329 }}, 330 Namespace: "default", 331 } 332 333 ExampleOperatorToken24 = &api.ACLToken{ 334 SecretID: ExampleOperatorTokenID24, 335 AccessorID: "4273f1cc-5626-7a77-dc65-1f24af035ed5d", 336 Description: "Operator Token 4", 337 Policies: nil, // no direct policy, only roles 338 Roles: []*api.ACLTokenRoleLink{{ 339 ID: ExampleRoleID1, 340 Name: "example-role-1", 341 }}, 342 Namespace: "default", 343 } 344 345 ExampleOperatorToken25 = &api.ACLToken{ 346 SecretID: ExampleOperatorTokenID25, 347 AccessorID: "5b78e186-87d8-c1ad-966f-f5fa87b05c9a", 348 Description: "Operator Token 5", 349 Policies: []*api.ACLTokenPolicyLink{{ 350 ID: ExamplePolicyID4, 351 }}, 352 Namespace: "default", 353 } 354 ) 355 356 func (m *MockACLsAPI) TokenReadSelf(q *api.QueryOptions) (*api.ACLToken, *api.QueryMeta, error) { 357 switch q.Token { 358 359 case ExampleOperatorTokenID1: 360 return ExampleOperatorToken1, nil, nil 361 362 case ExampleOperatorTokenID2: 363 return ExampleOperatorToken2, nil, nil 364 365 case ExampleOperatorTokenID3: 366 return ExampleOperatorToken3, nil, nil 367 368 case ExampleOperatorTokenID4: 369 return ExampleOperatorToken4, nil, nil 370 371 case ExampleOperatorTokenID5: 372 return ExampleOperatorToken5, nil, nil 373 374 case ExampleOperatorTokenID10: 375 return ExampleOperatorToken10, nil, nil 376 377 case ExampleOperatorTokenID11: 378 return ExampleOperatorToken11, nil, nil 379 380 case ExampleOperatorTokenID12: 381 return ExampleOperatorToken12, nil, nil 382 383 case ExampleOperatorTokenID13: 384 return ExampleOperatorToken13, nil, nil 385 386 case ExampleOperatorTokenID14: 387 return ExampleOperatorToken14, nil, nil 388 389 case ExampleOperatorTokenID15: 390 return ExampleOperatorToken15, nil, nil 391 392 case ExampleOperatorTokenID20: 393 return ExampleOperatorToken20, nil, nil 394 395 case ExampleOperatorTokenID21: 396 return ExampleOperatorToken21, nil, nil 397 398 case ExampleOperatorTokenID22: 399 return ExampleOperatorToken22, nil, nil 400 401 case ExampleOperatorTokenID23: 402 return ExampleOperatorToken23, nil, nil 403 404 case ExampleOperatorTokenID24: 405 return ExampleOperatorToken24, nil, nil 406 407 case ExampleOperatorTokenID25: 408 return ExampleOperatorToken25, nil, nil 409 410 default: 411 return nil, nil, errors.New("no such token") 412 } 413 } 414 415 // SetError is a helper method for configuring an error that will be returned 416 // on future calls to mocked methods. 417 func (m *MockACLsAPI) SetError(err error) { 418 m.lock.Lock() 419 defer m.lock.Unlock() 420 m.state.error = err 421 } 422 423 // TokenCreate is a mock of ACLsAPI.TokenCreate 424 func (m *MockACLsAPI) TokenCreate(token *api.ACLToken, opts *api.WriteOptions) (*api.ACLToken, *api.WriteMeta, error) { 425 index, created, meta, err := m.tokenCreate(token, opts) 426 427 services := func(token *api.ACLToken) []string { 428 if token == nil { 429 return nil 430 } 431 var names []string 432 for _, id := range token.ServiceIdentities { 433 names = append(names, id.ServiceName) 434 } 435 return names 436 }(created) 437 438 description := func(token *api.ACLToken) string { 439 if token == nil { 440 return "<nil>" 441 } 442 return token.Description 443 }(created) 444 445 accessor := func(token *api.ACLToken) string { 446 if token == nil { 447 return "<nil>" 448 } 449 return token.AccessorID 450 }(created) 451 452 secret := func(token *api.ACLToken) string { 453 if token == nil { 454 return "<nil>" 455 } 456 return token.SecretID 457 }(created) 458 459 m.logger.Trace("TokenCreate()", "description", description, "service_identities", services, "accessor", accessor, "secret", secret, "index", index, "error", err) 460 return created, meta, err 461 } 462 463 func (m *MockACLsAPI) tokenCreate(token *api.ACLToken, _ *api.WriteOptions) (uint64, *api.ACLToken, *api.WriteMeta, error) { 464 m.lock.Lock() 465 defer m.lock.Unlock() 466 467 m.state.index++ 468 469 if m.state.error != nil { 470 return m.state.index, nil, nil, m.state.error 471 } 472 473 secret := &api.ACLToken{ 474 CreateIndex: m.state.index, 475 ModifyIndex: m.state.index, 476 AccessorID: uuid.Generate(), 477 SecretID: uuid.Generate(), 478 Description: token.Description, 479 ServiceIdentities: token.ServiceIdentities, 480 Namespace: token.Namespace, 481 CreateTime: time.Now(), 482 } 483 484 m.state.tokens[secret.AccessorID] = secret 485 486 w := &api.WriteMeta{ 487 RequestTime: 1 * time.Millisecond, 488 } 489 490 return m.state.index, secret, w, nil 491 } 492 493 // TokenDelete is a mock of ACLsAPI.TokenDelete 494 func (m *MockACLsAPI) TokenDelete(accessorID string, opts *api.WriteOptions) (*api.WriteMeta, error) { 495 meta, err := m.tokenDelete(accessorID, opts) 496 m.logger.Trace("TokenDelete()", "accessor", accessorID, "error", err) 497 return meta, err 498 } 499 500 func (m *MockACLsAPI) tokenDelete(tokenID string, _ *api.WriteOptions) (*api.WriteMeta, error) { 501 m.lock.Lock() 502 defer m.lock.Unlock() 503 504 m.state.index++ 505 506 if m.state.error != nil { 507 return nil, m.state.error 508 } 509 510 if _, exists := m.state.tokens[tokenID]; !exists { 511 return nil, nil // consul no-ops delete of non-existent token 512 } 513 514 delete(m.state.tokens, tokenID) 515 516 m.logger.Trace("TokenDelete()") 517 518 return nil, nil 519 } 520 521 // TokenList is a mock of ACLsAPI.TokenList 522 func (m *MockACLsAPI) TokenList(_ *api.QueryOptions) ([]*api.ACLTokenListEntry, *api.QueryMeta, error) { 523 m.lock.Lock() 524 defer m.lock.Unlock() 525 526 //todo(shoenig): will need this for background token reconciliation 527 // coming in another issue 528 529 return nil, nil, nil 530 }