nomad: fixup token policy validation

command/agent/consul/acl_testing.go

@@ -35,6 +35,7 @@ func NewMockACLsAPI(l hclog.Logger) *MockACLsAPI {
 	}
 }
 
+// Example Consul policies for use in tests.
 const (
 	ExamplePolicyID1 = "a7c86856-0af5-4ab5-8834-03f4517e5564"
 	ExamplePolicyID2 = "ffa1b66c-967d-4468-8775-c687b5cfc16e"
@@ -47,6 +48,7 @@ func (m *MockACLsAPI) PolicyRead(policyID string, _ *api.QueryOptions) (*api.ACL
 	case ExamplePolicyID1:
 		return &api.ACLPolicy{
 			ID:    ExamplePolicyID1,
+			Name:  "example-policy-1",
 			Rules: `service "service1" { policy = "write" }`,
 		}, nil, nil
 
@@ -69,44 +71,118 @@ service "service2" { policy = "write" }`,
 	}
 }
 
+// Example Consul roles for use in tests.
 const (
-	ExampleOperatorToken1 = "59c219c2-47e4-43f3-bb45-258fd13f59d5"
-	ExampleOperatorToken2 = "868cc216-e123-4c2b-b362-f4d4c087de8e"
-	ExampleOperatorToken3 = "6177d1b9-c0f6-4118-b891-d818a3cb80b1"
+	ExampleRoleID1 = "e569a3a8-7dfb-b024-e492-e790fe3c4183"
+	ExampleRoleID2 = "88c825f4-d0da-1c2b-0c1c-cc9fe84c4468"
+	ExampleRoleID3 = "b19b2058-6205-6dff-d2b0-470f29b8e627"
+)
+
+func (m *MockACLsAPI) RoleRead(roleID string, _ *api.QueryOptions) (*api.ACLRole, *api.QueryMeta, error) {
+	switch roleID {
+	case ExampleRoleID1:
+		return &api.ACLRole{
+			ID:   ExampleRoleID1,
+			Name: "example-role-1",
+			Policies: []*api.ACLRolePolicyLink{{
+				ID:   ExamplePolicyID1,
+				Name: "example-policy-1",
+			}},
+			ServiceIdentities: nil, // would it ever make sense ?
+		}, nil, nil
+	case ExampleRoleID2:
+		return &api.ACLRole{
+			ID:   ExampleRoleID2,
+			Name: "example-role-2",
+			Policies: []*api.ACLRolePolicyLink{{
+				ID:   ExamplePolicyID2,
+				Name: "example-policy-2",
+			}},
+			ServiceIdentities: nil,
+		}, nil, nil
+	case ExampleRoleID3:
+		return &api.ACLRole{
+			ID:                ExampleRoleID3,
+			Name:              "example-role-3",
+			Policies:          nil, // todo
+			ServiceIdentities: nil, // todo
+			ModifyIndex:       0,
+		}, nil, nil
+	default:
+		return nil, nil, nil
+	}
+}
+
+// Example Consul "operator" tokens for use in tests.
+
+const (
+	ExampleOperatorTokenID0 = "de591604-86eb-1e6f-8b44-d4db752921ae"
+	ExampleOperatorTokenID1 = "59c219c2-47e4-43f3-bb45-258fd13f59d5"
+	ExampleOperatorTokenID2 = "868cc216-e123-4c2b-b362-f4d4c087de8e"
+	ExampleOperatorTokenID3 = "6177d1b9-c0f6-4118-b891-d818a3cb80b1"
+	ExampleOperatorTokenID4 = "754ae26c-f3cc-e088-d486-9c0d20f5eaea"
+)
+
+var (
+	ExampleOperatorToken0 = &api.ACLToken{
+		SecretID:    ExampleOperatorTokenID0,
+		AccessorID:  "228865c6-3bf6-6683-df03-06dea2779088 ",
+		Description: "Operator Token 0",
+	}
+
+	ExampleOperatorToken1 = &api.ACLToken{
+		SecretID:    ExampleOperatorTokenID1,
+		AccessorID:  "e341bacd-535e-417c-8f45-f88d7faffcaf",
+		Description: "Operator Token 1",
+		Policies: []*api.ACLTokenPolicyLink{{
+			ID: ExamplePolicyID1,
+		}},
+	}
+
+	ExampleOperatorToken2 = &api.ACLToken{
+		SecretID:    ExampleOperatorTokenID2,
+		AccessorID:  "615b4d77-5164-4ec6-b616-24c0b24ac9cb",
+		Description: "Operator Token 2",
+		Policies: []*api.ACLTokenPolicyLink{{
+			ID: ExamplePolicyID2,
+		}},
+	}
+
+	ExampleOperatorToken3 = &api.ACLToken{
+		SecretID:    ExampleOperatorTokenID3,
+		AccessorID:  "6b7de0d7-15f7-45b4-95eb-fb775bfe3fdc",
+		Description: "Operator Token 3",
+		Policies: []*api.ACLTokenPolicyLink{{
+			ID: ExamplePolicyID3,
+		}},
+	}
+
+	ExampleOperatorToken4 = &api.ACLToken{
+		SecretID:    ExampleOperatorTokenID4,
+		AccessorID:  "7b5fdb1a-71e5-f3d8-2cfe-448d973f327d",
+		Description: "Operator Token 4",
+		Policies:    nil, // no direct policy, only roles
+		Roles: []*api.ACLTokenRoleLink{{
+			ID:   ExampleRoleID1,
+			Name: "example-role-1",
+		}},
+	}
 )
 
 func (m *MockACLsAPI) TokenReadSelf(q *api.QueryOptions) (*api.ACLToken, *api.QueryMeta, error) {
 	switch q.Token {
 
-	case ExampleOperatorToken1:
-		return &api.ACLToken{
-			SecretID:    ExampleOperatorToken1,
-			AccessorID:  "e341bacd-535e-417c-8f45-f88d7faffcaf",
-			Description: "operator token 1",
-			Policies: []*api.ACLTokenPolicyLink{{
-				ID: ExamplePolicyID1,
-			}},
-		}, nil, nil
+	case ExampleOperatorTokenID1:
+		return ExampleOperatorToken1, nil, nil
 
-	case ExampleOperatorToken2:
-		return &api.ACLToken{
-			SecretID:    ExampleOperatorToken2,
-			AccessorID:  "615b4d77-5164-4ec6-b616-24c0b24ac9cb",
-			Description: "operator token 2",
-			Policies: []*api.ACLTokenPolicyLink{{
-				ID: ExamplePolicyID2,
-			}},
-		}, nil, nil
+	case ExampleOperatorTokenID2:
+		return ExampleOperatorToken2, nil, nil
 
-	case ExampleOperatorToken3:
-		return &api.ACLToken{
-			SecretID:    ExampleOperatorToken3,
-			AccessorID:  "6b7de0d7-15f7-45b4-95eb-fb775bfe3fdc",
-			Description: "operator token 3",
-			Policies: []*api.ACLTokenPolicyLink{{
-				ID: ExamplePolicyID3,
-			}},
-		}, nil, nil
+	case ExampleOperatorTokenID3:
+		return ExampleOperatorToken3, nil, nil
+
+	case ExampleOperatorTokenID4:
+		return ExampleOperatorToken4, nil, nil
 
 	default:
 		return nil, nil, errors.New("no such token")

command/agent/consul/client.go

@@ -93,15 +93,14 @@ type AgentAPI interface {
 	UpdateTTL(id, output, status string) error
 }
 
-// ACLsAPI is the consul/api.ACL API used by Nomad Server.
+// ACLsAPI is the consul/api.ACL API subset used by Nomad Server.
 type ACLsAPI interface {
-	// todo: RoleRead (...)
-
 	// We are looking up by [operator token] SecretID, which implies we need
 	// to use this method instead of the normal TokenRead, which can only be
 	// used to lookup tokens by their AccessorID.
 	TokenReadSelf(q *api.QueryOptions) (*api.ACLToken, *api.QueryMeta, error)
 	PolicyRead(policyID string, q *api.QueryOptions) (*api.ACLPolicy, *api.QueryMeta, error)
+	RoleRead(roleID string, q *api.QueryOptions) (*api.ACLRole, *api.QueryMeta, error)
 	TokenCreate(partial *api.ACLToken, q *api.WriteOptions) (*api.ACLToken, *api.WriteMeta, error)
 	TokenDelete(accessorID string, q *api.WriteOptions) (*api.WriteMeta, error)
 	TokenList(q *api.QueryOptions) ([]*api.ACLTokenListEntry, *api.QueryMeta, error)