Added a test for ACL token passing

Author: Dariusz Jedrzejczyk

consul/consul_test.go

@@ -1057,3 +1057,51 @@ func Test_substituteEnvironment(t *testing.T) {
 		})
 	}
 }
+
+func TestACLTokenPassing(t *testing.T) {
+	// given
+	t.Parallel()
+	server := CreateSecuredTestServer(t)
+	defer server.Stop()
+
+	bareClient := ClientAtServer(server)
+	bareClient.config.Tag = "marathon"
+
+	clientWithToken := SecuredClientAtServer(server)
+	clientWithToken.config.Tag = "marathon"
+
+	// and
+	app := utils.ConsulApp("serviceA", 1)
+	app.Tasks[0].Host = server.Config.Bind
+	app.Labels["test"] = "tag"
+
+	// when
+	err := bareClient.Register(&app.Tasks[0], app)
+
+	// then
+	assert.NoError(t, err, "Though it seems surprising, consul should not report an error here")
+
+	// when
+	services, _ := clientWithToken.GetAllServices()
+
+	// then
+	assert.Len(t, services, 0, "Registration without ACL token should be blocked by ACLs")
+
+	// when
+	err = clientWithToken.Register(&app.Tasks[0], app)
+	assert.NoError(t, err, "Registering service with proper ACL token should not report errors")
+
+	// when
+	services, _ = clientWithToken.GetAllServices()
+
+	// then
+	assert.Len(t, services, 1, "Expecting a registered service after using ACL token")
+	assert.Equal(t, "serviceA", services[0].Name)
+	assert.Equal(t, []string{"marathon", "test", "marathon-task:serviceA.0"}, services[0].Tags)
+
+	// when
+	services, _ = clientWithToken.GetAllServices()
+
+	// then
+	assert.Len(t, services, 0, "Reading services list without ACL token should yield empty response")
+}

consul/consul_test_server.go

@@ -32,6 +32,32 @@ func CreateTestServer(t *testing.T) *testutil.TestServer {
 	return server
 }
 
+const MasterToken = "masterToken"
+
+func CreateSecuredTestServer(t *testing.T) *testutil.TestServer {
+	ports, err := getPorts(6)
+	assert.NoError(t, err)
+
+	server, err := testutil.NewTestServerConfig(func(c *testutil.TestServerConfig) {
+		c.Datacenter = fmt.Sprint("dc-", time.Now().UnixNano())
+		c.Ports = &testutil.TestPortConfig{
+			DNS:     ports[0],
+			HTTP:    ports[1],
+			RPC:     ports[2],
+			SerfLan: ports[3],
+			SerfWan: ports[4],
+			Server:  ports[5],
+		}
+		c.ACLDatacenter = c.Datacenter
+		c.ACLDefaultPolicy = "deny"
+		c.ACLMasterToken = MasterToken
+	})
+
+	assert.NoError(t, err)
+
+	return server
+}
+
 // Ask the kernel for free open ports that are ready to use
 func getPorts(number int) ([]int, error) {
 	ports := make([]int, number)
@@ -61,6 +87,10 @@ func ClientAtServer(server *testutil.TestServer) *Consul {
 	return consulClientAtAddress(server.Config.Bind, server.Config.Ports.HTTP)
 }
 
+func SecuredClientAtServer(server *testutil.TestServer) *Consul {
+	return secureConsulClientAtAddress(server.Config.Bind, server.Config.Ports.HTTP)
+}
+
 func FailingClient() *Consul {
 	host, port := "192.0.2.5", 5555
 	config := Config{
@@ -87,3 +117,18 @@ func consulClientAtAddress(host string, port int) *Consul {
 	consul.AddAgent(host)
 	return consul
 }
+
+func secureConsulClientAtAddress(host string, port int) *Consul {
+	config := Config{
+		Timeout:             timeutil.Interval{Duration: 10 * time.Second},
+		Port:                fmt.Sprintf("%d", port),
+		ConsulNameSeparator: ".",
+		EnableTagOverride:   true,
+		LocalAgentHost:      host,
+		Token:               MasterToken,
+	}
+	consul := New(config)
+	// initialize the agents cache with a single client pointing at provided location
+	consul.AddAgent(host)
+	return consul
+}