github.com/hernad/nomad@v1.6.112/ui/tests/unit/abilities/allocation-test.js

github.com/hernad/nomad@v1.6.112/ui/tests/unit/abilities/allocation-test.js (about)

     1  /**
     2   * Copyright (c) HashiCorp, Inc.
     3   * SPDX-License-Identifier: MPL-2.0
     4   */
     5  
     6  /* eslint-disable ember/avoid-leaking-state-in-ember-objects */
     7  import { module, test } from 'qunit';
     8  import { setupTest } from 'ember-qunit';
     9  import Service from '@ember/service';
    10  import setupAbility from 'nomad-ui/tests/helpers/setup-ability';
    11  
    12  module('Unit | Ability | allocation', function (hooks) {
    13    setupTest(hooks);
    14    setupAbility('allocation')(hooks);
    15  
    16    test('it permits alloc exec when ACLs are disabled', function (assert) {
    17      const mockToken = Service.extend({
    18        aclEnabled: false,
    19      });
    20  
    21      this.owner.register('service:token', mockToken);
    22  
    23      assert.ok(this.can.can('exec allocation'));
    24    });
    25  
    26    test('it permits alloc exec for management tokens', function (assert) {
    27      const mockToken = Service.extend({
    28        aclEnabled: true,
    29        selfToken: { type: 'management' },
    30      });
    31  
    32      this.owner.register('service:token', mockToken);
    33  
    34      assert.ok(this.can.can('exec allocation'));
    35    });
    36  
    37    test('it permits alloc exec for client tokens with a policy that has namespace alloc-exec', function (assert) {
    38      const mockSystem = Service.extend({
    39        aclEnabled: true,
    40      });
    41  
    42      const mockToken = Service.extend({
    43        aclEnabled: true,
    44        selfToken: { type: 'client' },
    45        selfTokenPolicies: [
    46          {
    47            rulesJSON: {
    48              Namespaces: [
    49                {
    50                  Name: 'aNamespace',
    51                  Capabilities: ['alloc-exec'],
    52                },
    53              ],
    54            },
    55          },
    56        ],
    57      });
    58  
    59      this.owner.register('service:system', mockSystem);
    60      this.owner.register('service:token', mockToken);
    61  
    62      assert.ok(
    63        this.can.can('exec allocation', null, { namespace: 'aNamespace' })
    64      );
    65    });
    66  
    67    test('it permits alloc exec for client tokens with a policy that has default namespace alloc-exec and no capabilities for active namespace', function (assert) {
    68      const mockSystem = Service.extend({
    69        aclEnabled: true,
    70      });
    71  
    72      const mockToken = Service.extend({
    73        aclEnabled: true,
    74        selfToken: { type: 'client' },
    75        selfTokenPolicies: [
    76          {
    77            rulesJSON: {
    78              Namespaces: [
    79                {
    80                  Name: 'aNamespace',
    81                  Capabilities: [],
    82                },
    83                {
    84                  Name: 'default',
    85                  Capabilities: ['alloc-exec'],
    86                },
    87              ],
    88            },
    89          },
    90        ],
    91      });
    92  
    93      this.owner.register('service:system', mockSystem);
    94      this.owner.register('service:token', mockToken);
    95  
    96      assert.ok(
    97        this.can.can('exec allocation', null, { namespace: 'anotherNamespace' })
    98      );
    99    });
   100  
   101    test('it blocks alloc exec for client tokens with a policy that has no alloc-exec capability', function (assert) {
   102      const mockSystem = Service.extend({
   103        aclEnabled: true,
   104      });
   105  
   106      const mockToken = Service.extend({
   107        aclEnabled: true,
   108        selfToken: { type: 'client' },
   109        selfTokenPolicies: [
   110          {
   111            rulesJSON: {
   112              Namespaces: [
   113                {
   114                  Name: 'aNamespace',
   115                  Capabilities: ['list-jobs'],
   116                },
   117              ],
   118            },
   119          },
   120        ],
   121      });
   122  
   123      this.owner.register('service:system', mockSystem);
   124      this.owner.register('service:token', mockToken);
   125  
   126      assert.ok(
   127        this.can.cannot('exec allocation', null, { namespace: 'aNamespace' })
   128      );
   129    });
   130  
   131    test('it handles globs in namespace names', function (assert) {
   132      const mockSystem = Service.extend({
   133        aclEnabled: true,
   134      });
   135  
   136      const mockToken = Service.extend({
   137        aclEnabled: true,
   138        selfToken: { type: 'client' },
   139        selfTokenPolicies: [
   140          {
   141            rulesJSON: {
   142              Namespaces: [
   143                {
   144                  Name: 'production-*',
   145                  Capabilities: ['alloc-exec'],
   146                },
   147                {
   148                  Name: 'production-api',
   149                  Capabilities: ['alloc-exec'],
   150                },
   151                {
   152                  Name: 'production-web',
   153                  Capabilities: [],
   154                },
   155                {
   156                  Name: '*-suffixed',
   157                  Capabilities: ['alloc-exec'],
   158                },
   159                {
   160                  Name: '*-more-suffixed',
   161                  Capabilities: [],
   162                },
   163                {
   164                  Name: '*-abc-*',
   165                  Capabilities: ['alloc-exec'],
   166                },
   167              ],
   168            },
   169          },
   170        ],
   171      });
   172  
   173      this.owner.register('service:system', mockSystem);
   174      this.owner.register('service:token', mockToken);
   175  
   176      assert.ok(
   177        this.can.cannot('exec allocation', null, { namespace: 'production-web' })
   178      );
   179      assert.ok(
   180        this.can.can('exec allocation', null, { namespace: 'production-api' })
   181      );
   182      assert.ok(
   183        this.can.can('exec allocation', null, { namespace: 'production-other' })
   184      );
   185      assert.ok(
   186        this.can.can('exec allocation', null, { namespace: 'something-suffixed' })
   187      );
   188      assert.ok(
   189        this.can.cannot('exec allocation', null, {
   190          namespace: 'something-more-suffixed',
   191        }),
   192        'expected the namespace with the greatest number of matched characters to be chosen'
   193      );
   194      assert.ok(
   195        this.can.can('exec allocation', null, { namespace: '000-abc-999' }),
   196        'expected to be able to match against more than one wildcard'
   197      );
   198    });
   199  });