github.com/manicqin/nomad@v0.9.5/acl/policy_test.go (about) 1 package acl 2 3 import ( 4 "fmt" 5 "strings" 6 "testing" 7 8 "github.com/stretchr/testify/assert" 9 ) 10 11 func TestParse(t *testing.T) { 12 type tcase struct { 13 Raw string 14 ErrStr string 15 Expect *Policy 16 } 17 tcases := []tcase{ 18 { 19 ` 20 namespace "default" { 21 policy = "read" 22 } 23 `, 24 "", 25 &Policy{ 26 Namespaces: []*NamespacePolicy{ 27 { 28 Name: "default", 29 Policy: PolicyRead, 30 Capabilities: []string{ 31 NamespaceCapabilityListJobs, 32 NamespaceCapabilityReadJob, 33 }, 34 }, 35 }, 36 }, 37 }, 38 { 39 ` 40 namespace "default" { 41 policy = "read" 42 } 43 namespace "other" { 44 policy = "write" 45 } 46 namespace "secret" { 47 capabilities = ["deny", "read-logs"] 48 } 49 agent { 50 policy = "read" 51 } 52 node { 53 policy = "write" 54 } 55 operator { 56 policy = "deny" 57 } 58 quota { 59 policy = "read" 60 } 61 `, 62 "", 63 &Policy{ 64 Namespaces: []*NamespacePolicy{ 65 { 66 Name: "default", 67 Policy: PolicyRead, 68 Capabilities: []string{ 69 NamespaceCapabilityListJobs, 70 NamespaceCapabilityReadJob, 71 }, 72 }, 73 { 74 Name: "other", 75 Policy: PolicyWrite, 76 Capabilities: []string{ 77 NamespaceCapabilityListJobs, 78 NamespaceCapabilityReadJob, 79 NamespaceCapabilitySubmitJob, 80 NamespaceCapabilityDispatchJob, 81 NamespaceCapabilityReadLogs, 82 NamespaceCapabilityReadFS, 83 NamespaceCapabilityAllocExec, 84 NamespaceCapabilityAllocLifecycle, 85 }, 86 }, 87 { 88 Name: "secret", 89 Capabilities: []string{ 90 NamespaceCapabilityDeny, 91 NamespaceCapabilityReadLogs, 92 }, 93 }, 94 }, 95 Agent: &AgentPolicy{ 96 Policy: PolicyRead, 97 }, 98 Node: &NodePolicy{ 99 Policy: PolicyWrite, 100 }, 101 Operator: &OperatorPolicy{ 102 Policy: PolicyDeny, 103 }, 104 Quota: &QuotaPolicy{ 105 Policy: PolicyRead, 106 }, 107 }, 108 }, 109 { 110 ` 111 namespace "default" { 112 policy = "foo" 113 } 114 `, 115 "Invalid namespace policy", 116 nil, 117 }, 118 { 119 ` 120 namespace "default" { 121 capabilities = ["deny", "foo"] 122 } 123 `, 124 "Invalid namespace capability", 125 nil, 126 }, 127 { 128 ` 129 agent { 130 policy = "foo" 131 } 132 `, 133 "Invalid agent policy", 134 nil, 135 }, 136 { 137 ` 138 node { 139 policy = "foo" 140 } 141 `, 142 "Invalid node policy", 143 nil, 144 }, 145 { 146 ` 147 operator { 148 policy = "foo" 149 } 150 `, 151 "Invalid operator policy", 152 nil, 153 }, 154 { 155 ` 156 quota { 157 policy = "foo" 158 } 159 `, 160 "Invalid quota policy", 161 nil, 162 }, 163 { 164 ` 165 { 166 "Name": "my-policy", 167 "Description": "This is a great policy", 168 "Rules": "anything" 169 } 170 `, 171 "Invalid policy", 172 nil, 173 }, 174 { 175 ` 176 namespace "has a space"{ 177 policy = "read" 178 } 179 `, 180 "Invalid namespace name", 181 nil, 182 }, 183 { 184 ` 185 namespace "default" { 186 capabilities = ["sentinel-override"] 187 } 188 `, 189 "", 190 &Policy{ 191 Namespaces: []*NamespacePolicy{ 192 { 193 Name: "default", 194 Policy: "", 195 Capabilities: []string{ 196 NamespaceCapabilitySentinelOverride, 197 }, 198 }, 199 }, 200 }, 201 }, 202 { 203 ` 204 host_volume "production-tls-*" { 205 capabilities = ["mount-readonly"] 206 } 207 `, 208 "", 209 &Policy{ 210 HostVolumes: []*HostVolumePolicy{ 211 { 212 Name: "production-tls-*", 213 Policy: "", 214 Capabilities: []string{ 215 HostVolumeCapabilityMountReadOnly, 216 }, 217 }, 218 }, 219 }, 220 }, 221 { 222 ` 223 host_volume "production-tls-*" { 224 capabilities = ["mount-readwrite"] 225 } 226 `, 227 "", 228 &Policy{ 229 HostVolumes: []*HostVolumePolicy{ 230 { 231 Name: "production-tls-*", 232 Policy: "", 233 Capabilities: []string{ 234 HostVolumeCapabilityMountReadWrite, 235 }, 236 }, 237 }, 238 }, 239 }, 240 { 241 ` 242 host_volume "volume has a space" { 243 capabilities = ["mount-readwrite"] 244 } 245 `, 246 "Invalid host volume name", 247 nil, 248 }, 249 } 250 251 for idx, tc := range tcases { 252 t.Run(fmt.Sprintf("%d", idx), func(t *testing.T) { 253 p, err := Parse(tc.Raw) 254 if err != nil { 255 if tc.ErrStr == "" { 256 t.Fatalf("Unexpected err: %v", err) 257 } 258 if !strings.Contains(err.Error(), tc.ErrStr) { 259 t.Fatalf("Unexpected err: %v", err) 260 } 261 return 262 } 263 if err == nil && tc.ErrStr != "" { 264 t.Fatalf("Missing expected err") 265 } 266 tc.Expect.Raw = tc.Raw 267 assert.EqualValues(t, tc.Expect, p) 268 }) 269 } 270 }