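// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

//go:build !ent
// +build !ent

package nomad

import (
	"context"
	"errors"
	"testing"

	"github.com/hernad/nomad/ci"
	"github.com/hernad/nomad/command/agent/consul"
	"github.com/hernad/nomad/helper/testlog"
	"github.com/hernad/nomad/nomad/structs"
	"github.com/stretchr/testify/require"
)

// TestConsulACLsAPI_CheckPermissions_oss exercises ConsulACLsAPI.CheckPermissions
// against the mock Consul ACLs API. It covers the permitted cases as well as the
// rejections the authorization path must report: insufficient policy for KV or
// service write, a missing token, and a token unknown to Consul.
func TestConsulACLsAPI_CheckPermissions_oss(t *testing.T) {
	ci.Parallel(t)

	// In Nomad OSS, CheckPermissions will only receive "" as input for the
	// namespace parameter - as the ConsulUsage map from namespace to usages will
	// always contain one key - the empty string.

	// try runs CheckPermissions with the given inputs and asserts the outcome:
	// a nil exp means the call must succeed, otherwise the returned error
	// message must equal exp.Error() exactly.
	try := func(t *testing.T, namespace string, usage *structs.ConsulUsage, secretID string, exp error) {
		t.Helper()

		logger := testlog.HCLogger(t)
		aclAPI := consul.NewMockACLsAPI(logger)
		cAPI := NewConsulACLsAPI(aclAPI, logger, nil)

		err := cAPI.CheckPermissions(context.Background(), namespace, usage, secretID)
		if exp == nil {
			require.NoError(t, err)
			return
		}
		// EqualError reports a clean failure when err is nil. Calling
		// err.Error() directly would instead panic on a nil error and hide
		// which negative case let an unauthorized request through.
		require.EqualError(t, err, exp.Error())
	}

	t.Run("check-permissions kv read", func(t *testing.T) {
		t.Run("uses kv has permission", func(t *testing.T) {
			u := &structs.ConsulUsage{KV: true}
			try(t, "", u, consul.ExampleOperatorTokenID5, nil)
		})

		t.Run("uses kv without permission", func(t *testing.T) {
			u := &structs.ConsulUsage{KV: true}
			try(t, "", u, consul.ExampleOperatorTokenID1, errors.New("insufficient Consul ACL permissions to use template"))
		})

		t.Run("uses kv no token", func(t *testing.T) {
			u := &structs.ConsulUsage{KV: true}
			try(t, "", u, "", errors.New("missing consul token"))
		})

		t.Run("uses kv nonsense token", func(t *testing.T) {
			u := &structs.ConsulUsage{KV: true}
			try(t, "", u, "47d33e22-720a-7fe6-7d7f-418bf844a0be", errors.New("unable to read consul token: no such token"))
		})

		t.Run("no kv no token", func(t *testing.T) {
			u := &structs.ConsulUsage{KV: false}
			try(t, "", u, "", nil)
		})
	})

	t.Run("check-permissions service write", func(t *testing.T) {
		usage := &structs.ConsulUsage{Services: []string{"service1"}}

		t.Run("operator has service write", func(t *testing.T) {
			try(t, "", usage, consul.ExampleOperatorTokenID1, nil)
		})

		t.Run("operator has service_prefix write", func(t *testing.T) {
			u := &structs.ConsulUsage{Services: []string{"foo-service1"}}
			try(t, "", u, consul.ExampleOperatorTokenID2, nil)
		})

		t.Run("operator has service_prefix write wrong prefix", func(t *testing.T) {
			u := &structs.ConsulUsage{Services: []string{"bar-service1"}}
			try(t, "", u, consul.ExampleOperatorTokenID2, errors.New(`insufficient Consul ACL permissions to write service "bar-service1"`))
		})

		t.Run("operator permissions insufficient", func(t *testing.T) {
			try(t, "", usage, consul.ExampleOperatorTokenID3, errors.New(`insufficient Consul ACL permissions to write service "service1"`))
		})

		t.Run("operator provided no token", func(t *testing.T) {
			try(t, "", usage, "", errors.New("missing consul token"))
		})

		t.Run("operator provided nonsense token", func(t *testing.T) {
			try(t, "", usage, "f1682bde-1e71-90b1-9204-85d35467ba61", errors.New("unable to read consul token: no such token"))
		})
	})
}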