From 86d1565064c02dc1c2dfba9fb366e5e69dbae143 Mon Sep 17 00:00:00 2001
From: Ashwin Venkatesh
Date: Thu, 20 Jan 2022 11:24:07 -0500
Subject: [PATCH] Add unit test for anonymous token behavior.

---
 control-plane/go.mod | 2 +
 control-plane/go.sum | 4 +-
 .../server-acl-init/command_ent_test.go | 87 +++++++++++++++++++
 3 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/control-plane/go.mod b/control-plane/go.mod
index 93e5bc5c77..e8842f4643 100644
--- a/control-plane/go.mod
+++ b/control-plane/go.mod
@@ -129,4 +129,6 @@ require (
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
+replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8
+
 go 1.17
diff --git a/control-plane/go.sum b/control-plane/go.sum
index 879cb915bf..42ee98bb0f 100644
--- a/control-plane/go.sum
+++ b/control-plane/go.sum
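Review bot: The new `replace` directive pins github.com/hashicorp/consul/sdk to an untagged pseudo-version with no explanation, so nobody reading go.mod later can tell why the v0.9.0 requirement in the require block is being overridden or when the override can be dropped. A replace is also not inherited by modules that import this one, so the declared v0.9.0 is what downstream consumers will actually resolve. A one-line comment above it stating the reason and the removal condition would help, e.g. `// TODO: drop this replace once a tagged consul/sdk release includes the testutil changes needed by command_ent_test.go (presumably the partition field used in partitionedSetup).` The matching go.sum entries added in the next hunk do at least keep the pinned commit checksum-verified.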
@@ -300,9 +300,9 @@ github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBt
 github.com/hashicorp/consul/api v1.12.0 h1:k3y1FYv6nuKyNTqj6w9gXOx5r5CfLj/k/euUeBXj1OY=
 github.com/hashicorp/consul/api v1.12.0/go.mod h1:6pVBMo0ebnYdt2S3H87XhekM/HHrUoTD2XXb/VrZVy0=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8 h1:1O/CANaJGcL6urr47PLoPZ0oQcGLUlGpYoRLYAYFSDs=
+github.com/hashicorp/consul/sdk v0.4.1-0.20220120214936-7568f3a102a8/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
-github.com/hashicorp/consul/sdk v0.9.0 h1:NGSHAU7X3yDCjo8WBUbNOtD3BSqv8u0vu3+zNxgmxQI=
-github.com/hashicorp/consul/sdk v0.9.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
diff --git a/control-plane/subcommand/server-acl-init/command_ent_test.go b/control-plane/subcommand/server-acl-init/command_ent_test.go
index af240e4960..3a550f0ec4 100644
--- a/control-plane/subcommand/server-acl-init/command_ent_test.go
+++ b/control-plane/subcommand/server-acl-init/command_ent_test.go
@@ -7,6 +7,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/consul-k8s/control-plane/consul"
+	"github.com/hashicorp/consul-k8s/control-plane/subcommand/common"
 	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/sdk/testutil"
 	"github.com/mitchellh/cli"
@@ -206,6 +208,54 @@ func TestRun_ConnectInject_NamespaceMirroring(t *testing.T) {
 	}
 }
 
+// Test that the anonymous token is created in the default partition from
+// a non-default partition.
+func TestRun_AnonymousToken_CreatedFromNonDefaultPartition(t *testing.T) {
+	bootToken := "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+	tokenFile := common.WriteTempFile(t, bootToken)
+	server, stopFn := partitionedSetup(t, bootToken, "test")
+	defer stopFn()
+	k8s := fake.NewSimpleClientset()
+	setUpK8sServiceAccount(t, k8s, ns)
+
+	ui := cli.NewMockUi()
+	cmd := Command{
+		UI:        ui,
+		clientset: k8s,
+	}
+	cmd.init()
+	args := []string{
+		"-server-address=" + strings.Split(server.HTTPAddr, ":")[0],
+		"-server-port=" + strings.Split(server.HTTPAddr, ":")[1],
+		"-resource-prefix=" + resourcePrefix,
+		"-k8s-namespace=" + ns,
+		"-bootstrap-token-file", tokenFile,
+		"-enable-partitions",
+		"-allow-dns",
+		"-partition=test",
+		"-enable-namespaces",
+	}
+	responseCode := cmd.Run(args)
+	require.Equal(t, 0, responseCode, ui.ErrorWriter.String())
+
+	consul, err := api.NewClient(&api.Config{
+		Address: server.HTTPAddr,
+		Token:   bootToken,
+	})
+	require.NoError(t, err)
+
+	anonPolicyName := "anonymous-token-policy"
+	// Check that the anonymous token policy was created.
+	policy := policyExists(t, anonPolicyName, consul)
+	// Should be a global policy.
+	require.Len(t, policy.Datacenters, 0)
+
+	// Check that the anonymous token has the policy.
+	tokenData, _, err := consul.ACL().TokenReadSelf(&api.QueryOptions{Token: "anonymous"})
+	require.NoError(t, err)
+	require.Equal(t, anonPolicyName, tokenData.Policies[0].Name)
+}
+
 // Test that ACL policies get updated if namespaces/partition config changes.
 func TestRun_ACLPolicyUpdates(t *testing.T) {
 	t.Parallel()
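Review bot: The final assertion indexes `tokenData.Policies[0]` without checking the slice length, so an anonymous token that came back with no policies would panic the test binary instead of reporting a readable failure; add `require.Len(t, tokenData.Policies, 1)` on the line before it. The local `consul, err := api.NewClient(...)` also shadows the `consul` package this same commit imports, which compiles but hides the package for the rest of the function and trips shadow linters; `consulClient` would avoid that. Unlike TestRun_ACLPolicyUpdates directly below, the new test does not call `t.Parallel()`; if that is deliberate because partitionedSetup starts real agents, a short comment saying so would spare the next reader the question.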
@@ -1037,3 +1087,40 @@ func completeEnterpriseSetup(t *testing.T) (*fake.Clientset, *testutil.TestServe
 
 	return k8s, svr
 }
+
+// partitionedSetup is a helper function which creates a server and a consul agent that runs as
+// a client in the provided partitionName. The bootToken is the token used as the bootstrap token
+// for both the client and the server. The helper creates a server, then creates a partition with
+// the provided partitionName and then creates a client in said partition.
+func partitionedSetup(t *testing.T, bootToken string, partitionName string) (*testutil.TestServer, func()) {
+	server, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) {
+		c.ACL.Enabled = true
+		c.ACL.Tokens.Master = bootToken
+	})
+	require.NoError(t, err)
+	server.WaitForLeader(t)
+
+	serverAPIClient, err := consul.NewClient(&api.Config{
+		Address: server.HTTPAddr,
+		Token:   bootToken,
+	})
+	require.NoError(t, err)
+
+	_, _, err = serverAPIClient.Partitions().Create(context.Background(), &api.Partition{Name: partitionName}, &api.WriteOptions{})
+	require.NoError(t, err)
+
+	partitionedClient, err := testutil.NewTestServerConfigT(t, func(c *testutil.TestServerConfig) {
+		c.Server = false
+		c.Bootstrap = false
+		c.Partition = partitionName
+		c.RetryJoin = []string{server.LANAddr}
+		c.ACL.Enabled = true
+		c.ACL.Tokens.Agent = bootToken
+	})
+	require.NoError(t, err)
+
+	return server, func() {
+		server.Stop()
+		partitionedClient.Stop()
+	}
+}
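Review bot: The cleanup closure returned at the end of partitionedSetup ignores the error returned by `server.Stop()` and `partitionedClient.Stop()`, so an agent that fails to shut down (and leaks a process into later tests) goes unnoticed; `require.NoError(t, partitionedClient.Stop())` followed by `require.NoError(t, server.Stop())` reports it and also stops the client before the server it joined. The server gets `server.WaitForLeader(t)`, but nothing waits for the partitioned client to finish joining via RetryJoin before the helper returns; if a caller ever relies on the client being a member, that wait belongs here. The client is also started with the bootstrap management token as its agent token (`c.ACL.Tokens.Agent = bootToken`), far more privilege than an agent token needs; fine for a test fixture, but a comment marking it as a deliberate shortcut would stop it being copied into non-test setup.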