diff --git a/internal/mesh/internal/types/destination_policy_test.go b/internal/mesh/internal/types/destination_policy_test.go index 96c897f88845..8edb51b2d831 100644 --- a/internal/mesh/internal/types/destination_policy_test.go +++ b/internal/mesh/internal/types/destination_policy_test.go @@ -11,7 +11,6 @@ import ( "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/durationpb" - "github.com/hashicorp/consul/acl" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/internal/resource" "github.com/hashicorp/consul/internal/resource/resourcetest" @@ -534,54 +533,15 @@ func TestDestinationPolicyACLs(t *testing.T) { return res } - type testcase struct { - res *pbresource.Resource - rules string - check func(t *testing.T, authz acl.Authorizer, res *pbresource.Resource) - readOK string - writeOK string - } - const ( - DENY = "deny" - ALLOW = "allow" - DEFAULT = "default" + DENY = resourcetest.DENY + ALLOW = resourcetest.ALLOW + DEFAULT = resourcetest.DEFAULT ) - checkF := func(t *testing.T, name string, expect string, got error) { - switch expect { - case ALLOW: - if acl.IsErrPermissionDenied(got) { - t.Fatal(name + " should be allowed") - } - case DENY: - if !acl.IsErrPermissionDenied(got) { - t.Fatal(name + " should be denied") - } - case DEFAULT: - require.Nil(t, got, name+" expected fallthrough decision") - default: - t.Fatalf(name+" unexpected expectation: %q", expect) - } - } - - reg, ok := registry.Resolve(pbmesh.DestinationPolicyType) - require.True(t, ok) - - run := func(t *testing.T, name string, tc testcase) { + run := func(t *testing.T, name string, tc resourcetest.ACLTestCase) { t.Run(name, func(t *testing.T) { - config := acl.Config{ - WildcardName: structs.WildcardSpecifier, - } - authz, err := acl.NewAuthorizerFromRules(tc.rules, &config, nil) - require.NoError(t, err) - authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()}) - - authCtx := resource.AuthorizerContext(tc.res.Id.Tenancy) - - checkF(t, "read", tc.readOK, reg.ACLs.Read(authz, authCtx, tc.res.Id, nil)) - checkF(t, "write", tc.writeOK, reg.ACLs.Write(authz, authCtx, tc.res)) - checkF(t, "list", DEFAULT, reg.ACLs.List(authz, authCtx)) + resourcetest.RunACLTestCase(t, tc, registry) }) } @@ -601,11 +561,13 @@ func TestDestinationPolicyACLs(t *testing.T) { } assert := func(t *testing.T, name string, rules string, res *pbresource.Resource, readOK, writeOK string) { - tc := testcase{ - res: res, - rules: rules, - readOK: readOK, - writeOK: writeOK, + tc := resourcetest.ACLTestCase{ + AuthCtx: resource.AuthorizerContext(res.Id.Tenancy), + Rules: rules, + Res: res, + ReadOK: readOK, + WriteOK: writeOK, + ListOK: DEFAULT, } run(t, name, tc) } diff --git a/internal/resource/resourcetest/acls.go b/internal/resource/resourcetest/acls.go index 4ce8cc9d7ae0..3f77c7fec490 100644 --- a/internal/resource/resourcetest/acls.go +++ b/internal/resource/resourcetest/acls.go @@ -41,6 +41,9 @@ var checkF = func(t *testing.T, expect string, got error) { type ACLTestCase struct { Rules string + // AuthCtx is optional. If not provided an empty one will be used. + AuthCtx *acl.AuthorizerContext + // One of either Res or Data/Owner/Typ should be set. Res *pbresource.Resource Data protoreflect.ProtoMessage @@ -92,21 +95,25 @@ func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) { require.NoError(t, err) authz = acl.NewChainedAuthorizer([]acl.Authorizer{authz, acl.DenyAll()}) + if tc.AuthCtx == nil { + tc.AuthCtx = &acl.AuthorizerContext{} + } + if tc.ReadHookRequiresResource { - err = reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, nil) + err = reg.ACLs.Read(authz, tc.AuthCtx, res.Id, nil) require.ErrorIs(t, err, resource.ErrNeedResource, "read hook should require the data payload") } t.Run("read", func(t *testing.T) { - err := reg.ACLs.Read(authz, &acl.AuthorizerContext{}, res.Id, res) + err := reg.ACLs.Read(authz, tc.AuthCtx, res.Id, res) checkF(t, tc.ReadOK, err) }) t.Run("write", func(t *testing.T) { - err := reg.ACLs.Write(authz, &acl.AuthorizerContext{}, res) + err := reg.ACLs.Write(authz, tc.AuthCtx, res) checkF(t, tc.WriteOK, err) }) t.Run("list", func(t *testing.T) { - err := reg.ACLs.List(authz, &acl.AuthorizerContext{}) + err := reg.ACLs.List(authz, tc.AuthCtx) checkF(t, tc.ListOK, err) }) }