Add unit test for anonymous token behavior.

hashicorp · Jan 21, 2022 · 86d1565 · 86d1565
1 parent bac5d45
commit 86d1565
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 2 deletions.
diff --git a/control-plane/go.mod b/control-plane/go.mod
@@ -129,4 +129,6 @@ require (
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
+replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8
+
 go 1.17
diff --git a/control-plane/go.sum b/control-plane/go.sum
@@ -300,9 +300,9 @@ github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBt
 github.com/hashicorp/consul/api v1.12.0 h1:k3y1FYv6nuKyNTqj6w9gXOx5r5CfLj/k/euUeBXj1OY=
 github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8 h1:1O/CANaJGcL6urr47PLoPZ0oQcGLUlGpYoRLYAYFSDs=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
-github.com/hashicorp/consul/sdk v0.9.0 h1:NGSHAU7X3yDCjo8WBUbNOtD3BSqv8u0vu3+zNxgmxQI=
-github.com/hashicorp/consul/sdk v0.9.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=

diff --git a/control-plane/subcommand/server-acl-init/command_ent_test.go b/control-plane/subcommand/server-acl-init/command_ent_test.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
+	"github.com/hashicorp/consul-k8s/control-plane/subcommand/common"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/mitchellh/cli"
@@ -206,6 +208,54 @@ func TestRun_ConnectInject_NamespaceMirroring(t *testing.T) {
 	}
 }
 
+// Test that the anonymous token is created in the default partition from
+// a non-default partition.
+func TestRun_AnonymousToken_CreatedFromNonDefaultPartition(t *testing.T) {
+	bootToken := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+	tokenFile := common.WriteTempFile(t, bootToken)
+	server, stopFn := partitionedSetup(t, bootToken, "test")
+	defer stopFn()
+	k8s := fake.NewSimpleClientset()
+	setUpK8sServiceAccount(t, k8s, ns)
+
+	ui := cli.NewMockUi()
+	cmd := Command{
+		UI:        ui,
+		clientset: k8s,
+	}
+	cmd.init()
+	args := []string{
+		"-server-address=" + strings.Split(server.HTTPAddr, ":")[0],
+		"-server-port=" + strings.Split(server.HTTPAddr, ":")[1],
+		"-resource-prefix=" + resourcePrefix,
+		"-k8s-namespace=" + ns,
+		"-bootstrap-token-file", tokenFile,
+		"-enable-partitions",
+		"-allow-dns",
+		"-partition=test",
+		"-enable-namespaces",
+	}
+	responseCode := cmd.Run(args)
+	require.Equal(t, 0, responseCode, ui.ErrorWriter.String())
+
+	consul, err := api.NewClient(&api.Config{
+		Address: server.HTTPAddr,
+		Token:   bootToken,
+	})
+	require.NoError(t, err)
+
+	anonPolicyName := "anonymous-token-policy"
+	// Check that the anonymous token policy was created.
+	policy := policyExists(t, anonPolicyName, consul)
+	// Should be a global policy.
+	require.Len(t, policy.Datacenters, 0)
+
+	// Check that the anonymous token has the policy.
+	tokenData, _, err := consul.ACL().TokenReadSelf(&api.QueryOptions{Token: "anonymous"})
+	require.NoError(t, err)
+	require.Equal(t, anonPolicyName, tokenData.Policies[0].Name)
+}
+
 // Test that ACL policies get updated if namespaces/partition config changes.
 func TestRun_ACLPolicyUpdates(t *testing.T) {
 	t.Parallel()
@@ -1037,3 +1087,40 @@ func completeEnterpriseSetup(t *testing.T) (*fake.Clientset, *testutil.TestServe
 
 	return k8s, svr
 }
+
+// partitionedSetup is a helper function which creates a server and a consul agent that runs as
+// a client in the provided partitionName. The bootToken is the token used as the bootstrap token
+// for both the client and the server. The helper creates a server, then creates a partition with
+// the provided partitionName and then creates a client in said partition.
+func partitionedSetup(t *testing.T, bootToken string, partitionName string) (*testutil.TestServer, func()) {
+	server, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) {
+		c.ACL.Enabled = true
+		c.ACL.Tokens.Master = bootToken
+	})
+	require.NoError(t, err)
+	server.WaitForLeader(t)
+
+	serverAPIClient, err := consul.NewClient(&api.Config{
+		Address: server.HTTPAddr,
+		Token:   bootToken,
+	})
+	require.NoError(t, err)
+
+	_, _, err = serverAPIClient.Partitions().Create(context.Background(), &api.Partition{Name: partitionName}, &api.WriteOptions{})
+	require.NoError(t, err)
+
+	partitionedClient, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) {
+		c.Server = false
+		c.Bootstrap = false
+		c.Partition = partitionName
+		c.RetryJoin = []string{server.LANAddr}
+		c.ACL.Enabled = true
+		c.ACL.Tokens.Agent = bootToken
+	})
+	require.NoError(t, err)
+
+	return server, func() {
+		server.Stop()
+		partitionedClient.Stop()
+	}
+}