mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 02:03:24 +00:00
recovered more tests
This commit is contained in:
Sasha Klizhentas
parent
5755f7f74f
commit
66a52519fc
|
|
@ -41,7 +41,6 @@ import (
|
|||
type APIConfig struct {
|
||||
AuthServer *AuthServer
|
||||
SessionService session.Service
|
||||
AccessChecker services.AccessChecker
|
||||
AuditLog events.IAuditLog
|
||||
NewChecker NewChecker
|
||||
}
|
||||
|
|
|
|||
|
|
@ -84,19 +84,20 @@ func (s *APISuite) SetUpTest(c *C) {
|
|||
c.Assert(err, IsNil)
|
||||
|
||||
s.AccessS = local.NewAccessService(s.bk)
|
||||
s.WebS = local.NewIdentityService(s.bk, 10, time.Duration(time.Hour))
|
||||
|
||||
checker, err := NewAccessChecker(s.AccessS, s.WebS)(teleport.RoleAdmin.User())
|
||||
newChecker, err := NewAccessChecker(s.AccessS, s.WebS)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
apiServer := NewAPIServer(&APIConfig{
|
||||
AuthServer: s.a,
|
||||
AccessChecker: checker,
|
||||
NewChecker: newChecker,
|
||||
SessionService: s.sessions,
|
||||
AuditLog: s.alog,
|
||||
})
|
||||
s.srv = httptest.NewServer(apiServer)
|
||||
|
||||
clt, err := NewClient(s.srv.URL, nil)
|
||||
clt, err := NewClient(s.srv.URL, nil, roundtrip.BasicAuth(teleport.RoleAdmin.User(), "<something>"))
|
||||
c.Assert(err, IsNil)
|
||||
s.clt = clt
|
||||
|
||||
|
|
@ -104,7 +105,6 @@ func (s *APISuite) SetUpTest(c *C) {
|
|||
s.LockS = local.NewLockService(s.bk)
|
||||
s.PresenceS = local.NewPresenceService(s.bk)
|
||||
s.ProvisioningS = local.NewProvisioningService(s.bk)
|
||||
s.WebS = local.NewIdentityService(s.bk, 10, time.Duration(time.Hour))
|
||||
}
|
||||
|
||||
func (s *APISuite) TearDownTest(c *C) {
|
||||
|
|
@ -146,16 +146,19 @@ func (s *APISuite) TestGenerateKeysAndCerts(c *C) {
|
|||
_, pub, err = s.clt.GenerateKeyPair("")
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
err = s.clt.UpsertUser(
|
||||
&services.TeleportUser{Name: "user1", AllowedLogins: []string{"user1"}})
|
||||
user := &services.TeleportUser{Name: "user1", AllowedLogins: []string{"user1"}}
|
||||
err = s.clt.UpsertUser(user)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
checker, err := NewAccessChecker(s.AccessS, s.WebS)("user1")
|
||||
err = s.clt.UpsertRole(services.RoleForUser(user))
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
newChecker, err := NewAccessChecker(s.AccessS, s.WebS)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
userServer := NewAPIServer(&APIConfig{
|
||||
AuthServer: s.a,
|
||||
AccessChecker: checker,
|
||||
NewChecker: newChecker,
|
||||
SessionService: s.sessions,
|
||||
AuditLog: s.alog,
|
||||
})
|
||||
|
|
@ -180,7 +183,7 @@ func (s *APISuite) TestGenerateKeysAndCerts(c *C) {
|
|||
roundtrip.BasicAuth("user1", "two")(&userClient.Client)
|
||||
cert, err = userClient.GenerateUserCert(pub, "user1", 40*time.Hour)
|
||||
c.Assert(err, NotNil)
|
||||
c.Assert(err, ErrorMatches, ".*cannot request a certificate for user1 for 40h0m0s")
|
||||
c.Assert(err, ErrorMatches, ".*cannot request a certificate for 40h0m0s")
|
||||
|
||||
// apply HTTP Auth to generate user cert:
|
||||
roundtrip.BasicAuth("user1", "two")(&userClient.Client)
|
||||
|
|
|
|||
|
|
@ -346,7 +346,7 @@ func (a *AuthWithRoles) GenerateHostCert(
|
|||
|
||||
func (a *AuthWithRoles) GenerateUserCert(key []byte, user string, ttl time.Duration) ([]byte, error) {
|
||||
if err := a.currentUserAction(user); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
return nil, trace.AccessDenied("%v cannot request a certificate for %v", a.user, user)
|
||||
}
|
||||
// check signing TTL and return a list of allowed logins
|
||||
allowedLogins, err := a.checker.CheckLogins(ttl)
|
||||
|
|
|
|||
|
|
@ -24,8 +24,14 @@ import (
|
|||
)
|
||||
|
||||
// NewAccessChecker returns new access checker that's using roles and users
|
||||
func NewAccessChecker(access services.Access, identity services.Identity) NewChecker {
|
||||
return (&AccessCheckers{Access: access, Identity: identity}).GetChecker
|
||||
func NewAccessChecker(access services.Access, identity services.Identity) (NewChecker, error) {
|
||||
if access == nil {
|
||||
return nil, trace.BadParameter("missing parameter access")
|
||||
}
|
||||
if identity == nil {
|
||||
return nil, trace.BadParameter("missing parameter identity")
|
||||
}
|
||||
return (&AccessCheckers{Access: access, Identity: identity}).GetChecker, nil
|
||||
}
|
||||
|
||||
// NewChecker is a function that returns new access checker based on username
|
||||
|
|
@ -130,11 +136,11 @@ func GetCheckerForSystemUsers(username string) (services.AccessChecker, error) {
|
|||
username,
|
||||
services.RoleSpec{
|
||||
MaxSessionTTL: services.MaxDuration(),
|
||||
Logins: []string{services.Wildcard},
|
||||
Logins: []string{},
|
||||
Namespaces: []string{services.Wildcard},
|
||||
NodeLabels: map[string]string{services.Wildcard: services.Wildcard},
|
||||
Resources: map[string][]string{
|
||||
services.Wildcard: services.RO(),
|
||||
services.Wildcard: services.RW(),
|
||||
},
|
||||
})
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/defaults"
|
||||
"github.com/gravitational/teleport/lib/events"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/services/local"
|
||||
"github.com/gravitational/teleport/lib/services/suite"
|
||||
"github.com/gravitational/teleport/lib/session"
|
||||
"github.com/gravitational/teleport/lib/sshutils"
|
||||
|
|
@ -69,10 +70,15 @@ func (s *TunSuite) SetUpTest(c *C) {
|
|||
s.sessionServer, err = session.New(s.bk)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
access := local.NewAccessService(s.bk)
|
||||
identity := local.NewIdentityService(s.bk, 10, time.Duration(time.Hour))
|
||||
|
||||
s.a = NewAuthServer(&InitConfig{
|
||||
Backend: s.bk,
|
||||
Authority: authority.New(),
|
||||
DomainName: "localhost",
|
||||
Access: access,
|
||||
Identity: identity,
|
||||
})
|
||||
|
||||
// set up host private key and certificate
|
||||
|
|
@ -84,7 +90,7 @@ func (s *TunSuite) SetUpTest(c *C) {
|
|||
hcert, err := s.a.GenerateHostCert(hpub, "localhost", "localhost", teleport.Roles{teleport.RoleNode}, 0)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
checker, err := NewAccessChecker(s.a.Access, s.a.Identity)(teleport.RoleAdmin.User())
|
||||
newChecker, err := NewAccessChecker(s.a.Access, s.a.Identity)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
signer, err := sshutils.NewSigner(hpriv, hcert)
|
||||
|
|
@ -92,7 +98,7 @@ func (s *TunSuite) SetUpTest(c *C) {
|
|||
s.signer = signer
|
||||
s.conf = &APIConfig{
|
||||
AuthServer: s.a,
|
||||
AccessChecker: checker,
|
||||
NewChecker: newChecker,
|
||||
SessionService: s.sessionServer,
|
||||
AuditLog: s.alog,
|
||||
}
|
||||
|
|
@ -104,7 +110,7 @@ func (s *TunSuite) SetUpTest(c *C) {
|
|||
}
|
||||
|
||||
func (s *TunSuite) TestUnixServerClient(c *C) {
|
||||
checker, err := NewAccessChecker(s.a.Access, s.a.Identity)(teleport.RoleAdmin.User())
|
||||
newChecker, err := NewAccessChecker(s.a.Access, s.a.Identity)
|
||||
c.Assert(err, IsNil)
|
||||
|
||||
tsrv, err := NewTunnel(
|
||||
|
|
@ -112,7 +118,7 @@ func (s *TunSuite) TestUnixServerClient(c *C) {
|
|||
s.signer,
|
||||
&APIConfig{
|
||||
AuthServer: s.a,
|
||||
AccessChecker: checker,
|
||||
NewChecker: newChecker,
|
||||
SessionService: s.sessionServer,
|
||||
AuditLog: s.alog,
|
||||
},
|
||||
|
|
|
|||
|
|
@ -297,10 +297,10 @@ func (set RoleSet) CheckLogins(ttl time.Duration) ([]string, error) {
|
|||
}
|
||||
}
|
||||
if !matchedTTL {
|
||||
return nil, trace.AccessDenied("this user can not sign certificate for %v", ttl)
|
||||
return nil, trace.AccessDenied("this user cannot request a certificate for %v", ttl)
|
||||
}
|
||||
if len(logins) == 0 {
|
||||
return nil, trace.AccessDenied("this user can not create SSH sessions, has no logins")
|
||||
return nil, trace.AccessDenied("this user cannot create SSH sessions, has no logins")
|
||||
}
|
||||
out := make([]string, 0, len(logins))
|
||||
for login := range logins {
|
||||
|
|
|
|||
Loading…
Reference in a new issue