From af6360086c2436daee06dbcc0cbe544172cce46a Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Fri, 13 Oct 2017 13:45:10 -0700 Subject: [PATCH] policy list and token self commands --- command/acl_policy_info_test.go | 2 +- command/acl_policy_list.go | 84 +++++++++++++++++++ command/acl_policy_list_test.go | 55 ++++++++++++ command/acl_token_self.go | 70 ++++++++++++++++ command/acl_token_self_test.go | 57 +++++++++++++ commands.go | 10 +++ website/source/docs/commands/acl.html.md.erb | 7 +- .../docs/commands/acl/policy-info.html.md.erb | 4 +- .../docs/commands/acl/policy-list.html.md.erb | 32 +++++++ .../docs/commands/acl/token-self.html.md.erb | 41 +++++++++ website/source/layouts/docs.erb | 21 +++++ 11 files changed, 378 insertions(+), 5 deletions(-) create mode 100644 command/acl_policy_list.go create mode 100644 command/acl_policy_list_test.go create mode 100644 command/acl_token_self.go create mode 100644 command/acl_token_self_test.go create mode 100644 website/source/docs/commands/acl/policy-list.html.md.erb create mode 100644 website/source/docs/commands/acl/token-self.html.md.erb diff --git a/command/acl_policy_info_test.go b/command/acl_policy_info_test.go index 07aa78fe2..19bf13088 100644 --- a/command/acl_policy_info_test.go +++ b/command/acl_policy_info_test.go @@ -13,7 +13,7 @@ import ( "github.com/stretchr/testify/assert" ) -func TestACLPolicyListCommand(t *testing.T) { +func TestACLPolicyInfoCommand(t *testing.T) { assert := assert.New(t) t.Parallel() config := func(c *agent.Config) { diff --git a/command/acl_policy_list.go b/command/acl_policy_list.go new file mode 100644 index 000000000..cf9ed255b --- /dev/null +++ b/command/acl_policy_list.go @@ -0,0 +1,84 @@ +package command + +import ( + "fmt" + "strings" + + "github.com/hashicorp/nomad/api" + "github.com/posener/complete" +) + +type ACLPolicyListCommand struct { + Meta +} + +func (c *ACLPolicyListCommand) Help() string { + helpText := ` +Usage: nomad acl policy list + +List is used to list available ACL policies. + +General Options: + + ` + generalOptionsUsage() + + return strings.TrimSpace(helpText) +} + +func (c *ACLPolicyListCommand) AutocompleteFlags() complete.Flags { + return c.Meta.AutocompleteFlags(FlagSetClient) +} + +func (c *ACLPolicyListCommand) AutocompleteArgs() complete.Predictor { + return complete.PredictNothing +} + +func (c *ACLPolicyListCommand) Synopsis() string { + return "List ACL policies" +} + +func (c *ACLPolicyListCommand) Run(args []string) int { + flags := c.Meta.FlagSet("acl policy list", FlagSetClient) + flags.Usage = func() { c.Ui.Output(c.Help()) } + if err := flags.Parse(args); err != nil { + return 1 + } + + // Check that we got no arguments + args = flags.Args() + if l := len(args); l != 0 { + c.Ui.Error(c.Help()) + return 1 + } + + // Get the HTTP client + client, err := c.Meta.Client() + if err != nil { + c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err)) + return 1 + } + + // Fetch info on the policy + policies, _, err := client.ACLPolicies().List(nil) + if err != nil { + c.Ui.Error(fmt.Sprintf("Error listing ACL policies: %s", err)) + return 1 + } + + c.Ui.Output(formatPolicies(policies)) + return 0 +} + +func formatPolicies(policies []*api.ACLPolicyListStub) string { + if len(policies) == 0 { + return "No policies found" + } + + output := make([]string, 0, len(policies)+1) + output = append(output, fmt.Sprintf("Name|Description")) + for _, p := range policies { + output = append(output, fmt.Sprintf("%s|%s", p.Name, p.Description)) + } + + return formatList(output) +} diff --git a/command/acl_policy_list_test.go b/command/acl_policy_list_test.go new file mode 100644 index 000000000..36f2940b9 --- /dev/null +++ b/command/acl_policy_list_test.go @@ -0,0 +1,55 @@ +package command + +import ( + "strings" + "testing" + + "github.com/hashicorp/nomad/acl" + "github.com/hashicorp/nomad/command/agent" + "github.com/hashicorp/nomad/nomad/mock" + "github.com/hashicorp/nomad/nomad/structs" + "github.com/mitchellh/cli" + "github.com/stretchr/testify/assert" +) + +func TestACLPolicyListCommand(t *testing.T) { + assert := assert.New(t) + t.Parallel() + config := func(c *agent.Config) { + c.ACL.Enabled = true + } + + srv, _, url := testServer(t, true, config) + state := srv.Agent.Server().State() + defer srv.Shutdown() + + // Bootstrap an initial ACL token + token := srv.RootToken + assert.NotNil(token, "failed to bootstrap ACL token") + + // Create a test ACLPolicy + policy := &structs.ACLPolicy{ + Name: "testPolicy", + Rules: acl.PolicyWrite, + } + policy.SetHash() + assert.Nil(state.UpsertACLPolicies(1000, []*structs.ACLPolicy{policy})) + + ui := new(cli.MockUi) + cmd := &ACLPolicyListCommand{Meta: Meta{Ui: ui, flagAddress: url}} + + // Attempt to list policies without a valid management token + invalidToken := mock.ACLToken() + code := cmd.Run([]string{"-address=" + url, "-token=" + invalidToken.SecretID}) + assert.Equal(1, code) + + // Apply a policy with a valid management token + code = cmd.Run([]string{"-address=" + url, "-token=" + token.SecretID}) + assert.Equal(0, code) + + // Check the output + out := ui.OutputWriter.String() + if !strings.Contains(out, policy.Name) { + t.Fatalf("bad: %v", out) + } +} diff --git a/command/acl_token_self.go b/command/acl_token_self.go new file mode 100644 index 000000000..e2586cdd3 --- /dev/null +++ b/command/acl_token_self.go @@ -0,0 +1,70 @@ +package command + +import ( + "fmt" + "strings" + + "github.com/posener/complete" +) + +type ACLTokenSelfCommand struct { + Meta +} + +func (c *ACLTokenSelfCommand) Help() string { + helpText := ` +Usage: nomad acl token self + +Self is used to fetch information about the currently set ACL token. + +General Options: + + ` + generalOptionsUsage() + + return strings.TrimSpace(helpText) +} + +func (c *ACLTokenSelfCommand) AutocompleteFlags() complete.Flags { + return c.Meta.AutocompleteFlags(FlagSetClient) +} + +func (c *ACLTokenSelfCommand) AutocompleteArgs() complete.Predictor { + return complete.PredictNothing +} + +func (c *ACLTokenSelfCommand) Synopsis() string { + return "Lookup self ACL token" +} + +func (c *ACLTokenSelfCommand) Run(args []string) int { + flags := c.Meta.FlagSet("acl token self", FlagSetClient) + flags.Usage = func() { c.Ui.Output(c.Help()) } + if err := flags.Parse(args); err != nil { + return 1 + } + + // Check that we have exactly one argument + args = flags.Args() + if l := len(args); l != 0 { + c.Ui.Error(c.Help()) + return 1 + } + + // Get the HTTP client + client, err := c.Meta.Client() + if err != nil { + c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err)) + return 1 + } + + // Get the specified token information + token, _, err := client.ACLTokens().Self(nil) + if err != nil { + c.Ui.Error(fmt.Sprintf("Error fetching self token: %s", err)) + return 1 + } + + // Format the output + c.Ui.Output(formatKVACLToken(token)) + return 0 +} diff --git a/command/acl_token_self_test.go b/command/acl_token_self_test.go new file mode 100644 index 000000000..80625dbb2 --- /dev/null +++ b/command/acl_token_self_test.go @@ -0,0 +1,57 @@ +package command + +import ( + "os" + "strings" + "testing" + + "github.com/hashicorp/nomad/acl" + "github.com/hashicorp/nomad/command/agent" + "github.com/hashicorp/nomad/nomad/mock" + "github.com/hashicorp/nomad/nomad/structs" + "github.com/mitchellh/cli" + "github.com/stretchr/testify/assert" +) + +func TestACLTokenSelfCommand_ViaEnvVar(t *testing.T) { + assert := assert.New(t) + t.Parallel() + config := func(c *agent.Config) { + c.ACL.Enabled = true + } + + srv, _, url := testServer(t, true, config) + defer srv.Shutdown() + state := srv.Agent.Server().State() + + // Bootstrap an initial ACL token + token := srv.RootToken + assert.NotNil(token, "failed to bootstrap ACL token") + + ui := new(cli.MockUi) + cmd := &ACLTokenSelfCommand{Meta: Meta{Ui: ui, flagAddress: url}} + + // Create a valid token + mockToken := mock.ACLToken() + mockToken.Policies = []string{acl.PolicyWrite} + mockToken.SetHash() + assert.Nil(state.UpsertACLTokens(1000, []*structs.ACLToken{mockToken})) + + // Attempt to fetch info on a token without providing a valid management + // token + invalidToken := mock.ACLToken() + os.Setenv("NOMAD_TOKEN", invalidToken.SecretID) + code := cmd.Run([]string{"-address=" + url}) + assert.Equal(1, code) + + // Fetch info on a token with a valid token + os.Setenv("NOMAD_TOKEN", mockToken.SecretID) + code = cmd.Run([]string{"-address=" + url}) + assert.Equal(0, code) + + // Check the output + out := ui.OutputWriter.String() + if !strings.Contains(out, mockToken.AccessorID) { + t.Fatalf("bad: %v", out) + } +} diff --git a/commands.go b/commands.go index c0c613580..f2f48564b 100644 --- a/commands.go +++ b/commands.go @@ -56,6 +56,11 @@ func Commands(metaPtr *command.Meta) map[string]cli.CommandFactory { Meta: meta, }, nil }, + "acl policy list": func() (cli.Command, error) { + return &command.ACLPolicyListCommand{ + Meta: meta, + }, nil + }, "acl token": func() (cli.Command, error) { return &command.ACLTokenCommand{ Meta: meta, @@ -81,6 +86,11 @@ func Commands(metaPtr *command.Meta) map[string]cli.CommandFactory { Meta: meta, }, nil }, + "acl token self": func() (cli.Command, error) { + return &command.ACLTokenSelfCommand{ + Meta: meta, + }, nil + }, "alloc-status": func() (cli.Command, error) { return &command.AllocStatusCommand{ Meta: meta, diff --git a/website/source/docs/commands/acl.html.md.erb b/website/source/docs/commands/acl.html.md.erb index 30c33c047..624f8c033 100644 --- a/website/source/docs/commands/acl.html.md.erb +++ b/website/source/docs/commands/acl.html.md.erb @@ -23,17 +23,20 @@ subcommands are available: * [`acl policy apply`][policyapply] - Create or update ACL policies * [`acl policy delete`][policydelete] - Delete an existing ACL policies * [`acl policy info`][policyinfo] - Fetch information on an existing ACL policy +* [`acl policy list`][policylist] - List available ACL policies * [`acl token create`][tokencreate] - Create new ACL token -* [`acl token update`][tokenupdate] - Update existing ACL token * [`acl token delete`][tokendelete] - Delete an existing ACL token * [`acl token info`][tokeninfo] - Get info on an existing ACL token +* [`acl token self`][tokenself] - Get info on self ACL token +* [`acl token update`][tokenupdate] - Update existing ACL token [bootstrap]: /docs/commands/acl/bootstrap.html [policyapply]: /docs/commands/acl/policy-apply.html [policydelete]: /docs/commands/acl/policy-delete.html [policyinfo]: /docs/commands/acl/policy-info.html +[policylist]: /docs/commands/acl/policy-list.html [tokencreate]: /docs/commands/acl/token-create.html [tokenupdate]: /docs/commands/acl/token-update.html [tokendelete]: /docs/commands/acl/token-delete.html [tokeninfo]: /docs/commands/acl/token-info.html - +[tokenself]: /docs/commands/acl/token-self.html diff --git a/website/source/docs/commands/acl/policy-info.html.md.erb b/website/source/docs/commands/acl/policy-info.html.md.erb index b79c8fb63..4a809ebd3 100644 --- a/website/source/docs/commands/acl/policy-info.html.md.erb +++ b/website/source/docs/commands/acl/policy-info.html.md.erb @@ -3,8 +3,8 @@ layout: "docs" page_title: "Commands: acl policy info" sidebar_current: "docs-commands-acl-policy-info" description: > -The policy info command is used to fetch information on an existing ACL -policy. + The policy info command is used to fetch information on an existing ACL + policy. --- # Command: acl policy info diff --git a/website/source/docs/commands/acl/policy-list.html.md.erb b/website/source/docs/commands/acl/policy-list.html.md.erb new file mode 100644 index 000000000..475ea6655 --- /dev/null +++ b/website/source/docs/commands/acl/policy-list.html.md.erb @@ -0,0 +1,32 @@ +--- +layout: "docs" +page_title: "Commands: acl policy list" +sidebar_current: "docs-commands-acl-policy-list" +description: > + The policy list command is used to list available ACL policies. +--- + +# Command: acl policy info + +The `acl policy list` command is used to list available ACL policies. + +## Usage + +``` +nomad acl policy list +``` + +## General Options + +<%= partial "docs/commands/_general_options" %> + +## Examples + +List all ACL policies: + +``` +$ nomad acl policy list +Name Description +default-ns Write access to the default namespace +node-read Node read access +``` diff --git a/website/source/docs/commands/acl/token-self.html.md.erb b/website/source/docs/commands/acl/token-self.html.md.erb new file mode 100644 index 000000000..1fd33f06c --- /dev/null +++ b/website/source/docs/commands/acl/token-self.html.md.erb @@ -0,0 +1,41 @@ +--- +layout: "docs" +page_title: "Commands: acl token self" +sidebar_current: "docs-commands-acl-token-self" +description: > + The token self command is used to fetch information about the currently set + ACL token. +--- + +# Command: acl token self + +The `acl token self` command is used to fetch information about the currently set ACL token. + +## Usage + +``` +nomad acl token self +``` + +## General Options + +<%= partial "docs/commands/_general_options" %> + +## Examples + +Fetch information about an existing ACL token: + +``` +$ export NOMAD_TOKEN=d532c40a-30f1-695c-19e5-c35b882b0efd + +$ nomad acl tokenjself +Accessor ID = d532c40a-30f1-695c-19e5-c35b882b0efd +Secret ID = 85310d07-9afa-ef53-0933-0c043cd673c7 +Name = my token +Type = client +Global = false +Policies = [foo bar] +Create Time = 2017-09-15 05:04:41.814954949 +0000 UTC +Create Index = 8 +Modify Index = 8 +``` diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb index dd9b0ba08..634347ee9 100644 --- a/website/source/layouts/docs.erb +++ b/website/source/layouts/docs.erb @@ -179,9 +179,30 @@ > acl policy apply + > + acl policy delete + + > + acl policy info + + > + acl policy list + > acl token create + > + acl token delete + + > + acl token info + + > + acl token self + + > + acl token update + >