diff --git a/internal/catalog/internal/testhelpers/acl_hooks_test_helpers.go b/internal/catalog/internal/testhelpers/acl_hooks_test_helpers.go
index c1a00edf53ef1..8575615d8d3a5 100644
--- a/internal/catalog/internal/testhelpers/acl_hooks_test_helpers.go
+++ b/internal/catalog/internal/testhelpers/acl_hooks_test_helpers.go
@@ -93,6 +93,14 @@ func RunWorkloadSelectingTypeACLsTests[T WorkloadSelecting](t *testing.T, typ *p
 WriteOK: resourcetest.ALLOW,
 ListOK: resourcetest.DEFAULT,
 },
+ "service test write with prefixed selectors and a policy with a specific service": {
+ Rules: `service "test" { policy = "write" } service "workload" { policy = "read" }`,
+ Data: getData(&pbcatalog.WorkloadSelector{Prefixes: []string{"workload"}}),
+ Typ: typ,
+ ReadOK: resourcetest.ALLOW,
+ WriteOK: resourcetest.DENY,
+ ListOK: resourcetest.DEFAULT,
+ },
 }
 for name, tc := range cases {
diff --git a/internal/catalog/internal/types/dns_policy_test.go b/internal/catalog/internal/types/dns_policy_test.go
index 9f74366592e51..1303d2878cf71 100644
--- a/internal/catalog/internal/types/dns_policy_test.go
+++ b/internal/catalog/internal/types/dns_policy_test.go
@@ -175,7 +175,6 @@ func TestDNSPolicyACLs(t *testing.T) {
 Weights: &pbcatalog.Weights{Passing: 1, Warning: 0},
 }
 },
- func(registry resource.Registry) {
- RegisterDNSPolicy(registry)
- })
+ RegisterDNSPolicy,
+ )
 }
diff --git a/internal/catalog/internal/types/health_checks_test.go b/internal/catalog/internal/types/health_checks_test.go
index 26c09a419d1da..c9cdf01ae84cf 100644
--- a/internal/catalog/internal/types/health_checks_test.go
+++ b/internal/catalog/internal/types/health_checks_test.go
@@ -203,7 +203,6 @@ func TestHealthChecksACLs(t *testing.T) {
 func(selector *pbcatalog.WorkloadSelector) *pbcatalog.HealthChecks {
 return &pbcatalog.HealthChecks{Workloads: selector}
 },
- func(registry resource.Registry) {
- RegisterHealthChecks(registry)
- })
+ RegisterHealthChecks,
+ )
 }
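Review bot: The new case in the acl_hooks_test_helpers.go hunk only pins the deny side of prefix-selector handling: `service "workload" { policy = "read" }` is an exact-name rule, so `WriteOK: resourcetest.DENY` holds whether or not the prefix-aware check exists, and the case name ("a policy with a specific service") does not say that this is what it is testing. Unless a case above the hunk already does so, a sibling case with the same `Prefixes: []string{"workload"}` selector and a `service_prefix "workload" { policy = "write" }` rule expecting `WriteOK: resourcetest.ALLOW` would show that the selector prefix is what actually gates the write, which presumably is the intent. A one-line comment above the case, e.g. `// an exact-name rule on "workload" must not satisfy a write for a selector over the "workload" prefix`, would make the expectation self-explanatory. The case table and the enclosing function start above the hunk.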
diff --git a/internal/catalog/internal/types/health_status_test.go b/internal/catalog/internal/types/health_status_test.go
index 644d9effb347f..9482e4770e40a 100644
--- a/internal/catalog/internal/types/health_status_test.go
+++ b/internal/catalog/internal/types/health_status_test.go
@@ -292,6 +292,24 @@ func TestHealthStatusACLs(t *testing.T) {
 WriteOK: resourcetest.ALLOW,
 ListOK: resourcetest.DEFAULT,
 },
+ "node test read with workload owner": {
+ Rules: `node "test" { policy = "read" }`,
+ Data: healthStatusData,
+ Owner: workload,
+ Typ: pbcatalog.HealthStatusType,
+ ReadOK: resourcetest.DENY,
+ WriteOK: resourcetest.DENY,
+ ListOK: resourcetest.DEFAULT,
+ },
+ "node test write with workload owner": {
+ Rules: `node "test" { policy = "write" }`,
+ Data: healthStatusData,
+ Owner: workload,
+ Typ: pbcatalog.HealthStatusType,
+ ReadOK: resourcetest.DENY,
+ WriteOK: resourcetest.DENY,
+ ListOK: resourcetest.DEFAULT,
+ },
 }
 for name, tc := range cases {
diff --git a/internal/catalog/internal/types/service_test.go b/internal/catalog/internal/types/service_test.go
index 1de151568e123..18649dda9a0a5 100644
--- a/internal/catalog/internal/types/service_test.go
+++ b/internal/catalog/internal/types/service_test.go
@@ -282,7 +282,6 @@ func TestServiceACLs(t *testing.T) {
 func(selector *pbcatalog.WorkloadSelector) *pbcatalog.Service {
 return &pbcatalog.Service{Workloads: selector}
 },
- func(registry resource.Registry) {
- RegisterService(registry)
- })
+ RegisterService,
+ )
 }
diff --git a/internal/mesh/internal/types/destinations_configuration_test.go b/internal/mesh/internal/types/destinations_configuration_test.go
index d8287bfa09192..edd1dc0d6192d 100644
--- a/internal/mesh/internal/types/destinations_configuration_test.go
+++ b/internal/mesh/internal/types/destinations_configuration_test.go
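Review bot: The two cases added in the health_status_test.go hunk expect DENY for both read and write even though the rule grants `node "test"` read or write respectively, and nothing in the hunk records why a node rule is expected not to reach a HealthStatus whose `Owner` is `workload`; a reader comparing them with the node-owned cases above could easily "fix" the expectations in the wrong direction. A one-line comment above the pair, e.g. `// a node rule grants nothing on a HealthStatus owned by a workload; only workload/service rules apply`, would pin the intent next to the assertions. `workload` and `healthStatusData` are defined above the hunk, so their contents cannot be checked here.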
@@ -7,7 +7,6 @@ import (
 "testing"
 catalogtesthelpers "github.com/hashicorp/consul/internal/catalog/catalogtest/helpers"
- "github.com/hashicorp/consul/internal/resource"
 pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
 pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
 )
@@ -17,7 +16,6 @@ func TestDestinationsConfigurationACLs(t *testing.T) {
 func(selector *pbcatalog.WorkloadSelector) *pbmesh.DestinationsConfiguration {
 return &pbmesh.DestinationsConfiguration{Workloads: selector}
 },
- func(registry resource.Registry) {
- RegisterDestinationsConfiguration(registry)
- })
+ RegisterDestinationsConfiguration,
+ )
 }
diff --git a/internal/mesh/internal/types/destinations_test.go b/internal/mesh/internal/types/destinations_test.go
index 369b3d6a18c48..a458117f1570d 100644
--- a/internal/mesh/internal/types/destinations_test.go
+++ b/internal/mesh/internal/types/destinations_test.go
@@ -203,7 +203,6 @@ func TestDestinationsACLs(t *testing.T) {
 func(selector *pbcatalog.WorkloadSelector) *pbmesh.Destinations {
 return &pbmesh.Destinations{Workloads: selector}
 },
- func(registry resource.Registry) {
- RegisterDestinations(registry)
- })
+ RegisterDestinations,
+ )
 }
diff --git a/internal/mesh/internal/types/proxy_configuration_test.go b/internal/mesh/internal/types/proxy_configuration_test.go
index a4c388d41d1f7..64eb02de753e4 100644
--- a/internal/mesh/internal/types/proxy_configuration_test.go
+++ b/internal/mesh/internal/types/proxy_configuration_test.go
@@ -9,7 +9,6 @@ import (
 "github.com/stretchr/testify/require"
 catalogtesthelpers "github.com/hashicorp/consul/internal/catalog/catalogtest/helpers"
- "github.com/hashicorp/consul/internal/resource"
 "github.com/hashicorp/consul/internal/resource/resourcetest"
 pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v2beta1"
 pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v2beta1"
@@ -22,9 +21,8 @@ func TestProxyConfigurationACLs(t *testing.T) {
 func(selector *pbcatalog.WorkloadSelector) *pbmesh.ProxyConfiguration {
 return &pbmesh.ProxyConfiguration{Workloads: selector}
 },
- func(registry resource.Registry) {
- RegisterProxyConfiguration(registry)
- })
+ RegisterProxyConfiguration,
+ )
 }
 func TestMutateProxyConfiguration(t *testing.T) {
diff --git a/internal/resource/resourcetest/acls.go b/internal/resource/resourcetest/acls.go
index c73f3c4752d44..4aff9e30327b1 100644
--- a/internal/resource/resourcetest/acls.go
+++ b/internal/resource/resourcetest/acls.go
@@ -52,11 +52,15 @@ func RunACLTestCase(t *testing.T, tc ACLTestCase, registry resource.Registry) {
 reg, ok := registry.Resolve(tc.Typ)
 require.True(t, ok)
+ resolvedType, ok := registry.Resolve(tc.Typ)
+ require.True(t, ok)
+
 res := Resource(tc.Typ, "test").
- WithTenancy(resource.DefaultNamespacedTenancy()).
+ WithTenancy(DefaultTenancyForType(t, resolvedType)).
 WithOwner(tc.Owner).
 WithData(t, tc.Data).
 Build()
+
 ValidateAndNormalize(t, registry, res)
 config := acl.Config{
diff --git a/internal/resource/resourcetest/tenancy.go b/internal/resource/resourcetest/tenancy.go
new file mode 100644
index 0000000000000..a4fa87e1d451f
--- /dev/null
+++ b/internal/resource/resourcetest/tenancy.go
@@ -0,0 +1,23 @@
+package resourcetest
+
+import (
+ "testing"
+
+ "github.com/hashicorp/consul/internal/resource"
+ "github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+func DefaultTenancyForType(t *testing.T, reg resource.Registration) *pbresource.Tenancy {
+ switch reg.Scope {
+ case resource.ScopeNamespace:
+ return resource.DefaultNamespacedTenancy()
+ case resource.ScopePartition:
+ return resource.DefaultPartitionedTenancy()
+ case resource.ScopeCluster:
+ return resource.DefaultClusteredTenancy()
+ default:
+ t.Fatalf("unsupported resource scope: %v", reg.Scope)
+ return nil
+ }
+ return nil
+}
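Review bot: In the acls.go hunk, the added `resolvedType, ok := registry.Resolve(tc.Typ)` repeats the `reg, ok := registry.Resolve(tc.Typ)` lookup two lines earlier with the same argument, so the second Resolve and its `require.True(t, ok)` add nothing and leave two names for one value. Drop the three added lines and pass the value already in hand: `WithTenancy(DefaultTenancyForType(t, reg)).`. RunACLTestCase continues past the end of the hunk.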
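Review bot: In the new tenancy.go, the `return nil` after the switch in DefaultTenancyForType is unreachable — every case returns and the default branch itself ends in `return nil` — and `go vet`'s unreachable analyzer will report it; delete that line. The exported function also has no doc comment and does not call `t.Helper()`, so the Fatalf in the default branch is attributed to this file rather than to the test that passed the unexpected scope. Suggest `// DefaultTenancyForType returns the default tenancy for the scope recorded in reg, failing t on an unknown scope.` above the signature and `t.Helper()` as the first statement of the body.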