// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

//go:build linux
// +build linux

// todo(shoenig): Once Connect is supported on Windows, we'll need to make this
// set of tests work there too.
package taskrunner
import (
"os"
"path/filepath"
"testing"
"github.com/hashicorp/nomad/ci"
"github.com/hashicorp/nomad/client/allocrunner/interfaces"
"github.com/hashicorp/nomad/helper/testlog"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/stretchr/testify/require"
"golang.org/x/sys/unix"
)
// Compile-time assertion that *sidsHook implements interfaces.TaskPrestartHook.
var _ interfaces.TaskPrestartHook = (*sidsHook)(nil)
// sidecar builds the task name and task kind these tests use for the sidecar
// of the given task: the name joins structs.ConnectProxyPrefix and task with
// "-", the kind joins them with ":".
func sidecar(task string) (string, structs.TaskKind) {
	prefix := structs.ConnectProxyPrefix
	return prefix + "-" + task, structs.TaskKind(prefix + ":" + task)
}
// TestSIDSHook_recoverToken checks the round trip: a token stored with
// writeToken in a secrets directory is returned unchanged by recoverToken.
func TestSIDSHook_recoverToken(t *testing.T) {
	ci.Parallel(t)

	secretsDir := t.TempDir()

	name, kind := sidecar("foo")
	hook := newSIDSHook(sidsHookConfig{
		task:   &structs.Task{Name: name, Kind: kind},
		logger: testlog.HCLogger(t),
	})

	// Use a freshly generated UUID as the token value for this run.
	want := uuid.Generate()
	require.NoError(t, hook.writeToken(secretsDir, want))

	got, err := hook.recoverToken(secretsDir)
	require.NoError(t, err)
	require.Equal(t, want, got)
}
// TestSIDSHook_recoverToken_empty checks that recoverToken, run against a
// secrets directory in which no token was written, returns an empty token and
// no error.
func TestSIDSHook_recoverToken_empty(t *testing.T) {
	ci.Parallel(t)

	// Fresh temporary directory; nothing is written into it before the call.
	secretsDir := t.TempDir()

	name, kind := sidecar("foo")
	hook := newSIDSHook(sidsHookConfig{
		task:   &structs.Task{Name: name, Kind: kind},
		logger: testlog.HCLogger(t),
	})

	got, err := hook.recoverToken(secretsDir)
	require.NoError(t, err)
	require.Empty(t, got)
}
// TestSIDSHook_recoverToken_unReadable checks that recoverToken returns an
// error when the secrets directory cannot be accessed by the current user.
func TestSIDSHook_recoverToken_unReadable(t *testing.T) {
	ci.Parallel(t)

	// Permission bits are not enforced for root, so the mode 0000 set on the
	// secrets directory below would not block access and recoverToken would
	// not return the error this test expects.
	if unix.Geteuid() == 0 {
		t.Skip("test only works as non-root")
	}

	secretsDir := t.TempDir()
	require.NoError(t, os.Chmod(secretsDir, 0000))

	name, kind := sidecar("foo")
	hook := newSIDSHook(sidsHookConfig{
		task:   &structs.Task{Name: name, Kind: kind},
		logger: testlog.HCLogger(t),
	})

	_, err := hook.recoverToken(secretsDir)
	require.Error(t, err)
}
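// TestSIDSHook_writeToken checks that writeToken stores the token verbatim in
// the sidsTokenFile file of the secrets directory, and that the file it
// creates grants no access to "other".
func TestSIDSHook_writeToken(t *testing.T) {
	ci.Parallel(t)
	r := require.New(t)

	secrets := t.TempDir()
	tokenPath := filepath.Join(secrets, sidsTokenFile)

	id := uuid.Generate()
	h := new(sidsHook)
	err := h.writeToken(secrets, id)
	r.NoError(err)

	content, err := os.ReadFile(tokenPath)
	r.NoError(err)
	r.Equal(id, string(content))

	// The token lives in a secrets directory and is treated as a credential:
	// checking the content alone would not catch a regression that writes it
	// with a permissive mode, so require that "other" has no read, write or
	// execute bit on the file.
	info, err := os.Stat(tokenPath)
	r.NoError(err)
	r.Zero(info.Mode().Perm()&0007, "token file mode %v grants access to other", info.Mode().Perm())
}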
// TestSIDSHook_writeToken_unWritable checks that writeToken returns an error
// when the secrets directory cannot be written to by the current user.
func TestSIDSHook_writeToken_unWritable(t *testing.T) {
	ci.Parallel(t)

	// Permission bits are not enforced for root, so the mode 0000 set on the
	// secrets directory below would not block the write and writeToken would
	// not return the error this test expects.
	if unix.Geteuid() == 0 {
		t.Skip("test only works as non-root")
	}

	secretsDir := t.TempDir()
	require.NoError(t, os.Chmod(secretsDir, 0000))

	token := uuid.Generate()
	hook := new(sidsHook)
	require.Error(t, hook.writeToken(secretsDir, token))
}
// Test_SIDSHook_writeToken_nonExistent checks that writeToken returns an error
// when the secrets directory path does not exist.
func Test_SIDSHook_writeToken_nonExistent(t *testing.T) {
	ci.Parallel(t)

	// Only the temporary base directory exists; the nested path under it is
	// never created.
	missingDir := filepath.Join(t.TempDir(), "does/not/exist")

	token := uuid.Generate()
	hook := new(sidsHook)
	require.Error(t, hook.writeToken(missingDir, token))
}