Merge pull request #58 from x0rw/feature/acl-access-control-list

Add initial ACL support to consul-rs

Author: kushudai

.github/workflows/main.yml

@@ -33,7 +33,7 @@ jobs:
         env:
           # We pass the config as a JSON here to simulate one service with 3 nodes.
           # TODO: Ideally, we should use the same setup in local environment (`testdata/config.hcl`) in GHA test.
-          CONSUL_LOCAL_CONFIG: '{"acl": [{"default_policy": "allow", "enable_token_persistence": true, "enabled": true}], "services": [ {"address": "1.1.1.1", "checks": [], "id": "test-service-1", "name": "test-service", "port": 20001, "tags": ["first"]}, {"address": "2.2.2.2", "checks": [], "id": "test-service-2", "name": "test-service", "port": 20002, "tags": ["second"]}, {"address": "3.3.3.3", "checks": [], "id": "test-service-3", "name": "test-service", "port": 20003, "tags": ["third"]} ]}'
+          CONSUL_LOCAL_CONFIG: '{"acl":[{"enabled":true,"default_policy":"allow","enable_token_persistence":true,"tokens":[{"initial_management":"8fc9e787-674f-0709-cfd5-bfdabd73a70d"}]}],"services":[{"id":"test-service-1","name":"test-service","address":"1.1.1.1","port":20001,"checks":[],"tags":["first"]},{"id":"test-service-2","name":"test-service","address":"2.2.2.2","port":20002,"checks":[],"tags":["second"]},{"id":"test-service-3","name":"test-service","address":"3.3.3.3","port":20003,"checks":[],"tags":["third"]}]}'
 
     env:
       CONSUL_HTTP_ADDR: http://consul:8500
@@ -42,4 +42,4 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Test
-        run: cargo test ${{ matrix.features }}
+        run: cargo test "${{ matrix.features }}"

.github/workflows/publish.yml

@@ -13,15 +13,17 @@ jobs:
         env:
           # We pass the config as a JSON here to simulate one service with 3 nodes.
           # TODO: Ideally, we should use the same setup in local environment (`testdata/config.hcl`) in GHA test.
-          CONSUL_LOCAL_CONFIG: '{"acl": [{"default_policy": "allow", "enable_token_persistence": true, "enabled": true}], "services": [ {"address": "1.1.1.1", "checks": [], "id": "test-service-1", "name": "test-service", "port": 20001, "tags": ["first"]}, {"address": "2.2.2.2", "checks": [], "id": "test-service-2", "name": "test-service", "port": 20002, "tags": ["second"]}, {"address": "3.3.3.3", "checks": [], "id": "test-service-3", "name": "test-service", "port": 20003, "tags": ["third"]} ]}'
+          CONSUL_LOCAL_CONFIG: '{"acl":[{"enabled":true,"default_policy":"allow","enable_token_persistence":true,"tokens":[{"initial_management":"8fc9e787-674f-0709-cfd5-bfdabd73a70d"}]}],"services":[{"id":"test-service-1","name":"test-service","address":"1.1.1.1","port":20001,"checks":[],"tags":["first"]},{"id":"test-service-2","name":"test-service","address":"2.2.2.2","port":20002,"checks":[],"tags":["second"]},{"id":"test-service-3","name":"test-service","address":"3.3.3.3","port":20003,"checks":[],"tags":["third"]}]}'
     env:
       CONSUL_HTTP_ADDR: http://consul:8500
-
+    strategy:
+      matrix:
+        features: [""]
     steps:
       - uses: actions/checkout@v2
 
-      - name: Test
-        run: cargo test
+      - name: Tests
+        run: cargo test "${{ matrix.features }}"
 
   dry-run:
     runs-on: ubuntu-latest

.gitignore

@@ -11,3 +11,6 @@ Cargo.lock
 
 # Ignore auto-generated files from JetBrain products
 .idea/
+
+# Ignore .swp generated by vim
+**/*.swp

Cargo.toml

@@ -34,3 +34,4 @@ ureq = { version = "3", features = ["json"] }
 
 [dev-dependencies]
 tokio-test = "0.4"  # Explicitly add if missing
+

examples/create_acl_policy.rs

@@ -0,0 +1,18 @@
+use rs_consul::{Config, Consul, CreateACLPolicyRequest};
+
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: Some(String::from("8fc9e787-674f-0709-cfd5-bfdabd73a70d")), // use bootstraped
+        // token (with write perm)
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+    let policy_payload = CreateACLPolicyRequest {
+        name: "dev-policy-test-1".to_owned(),
+        description: Some("this is not a test policy".to_owned()),
+        rules: Some("".to_owned()),
+    };
+    consul.create_acl_policy(&policy_payload).await.unwrap();
+}

examples/create_acl_token.rs

@@ -0,0 +1,50 @@
+//
+// curl --request PUT \
+//   --url http://localhost:8500/v1/acl/token \
+//   --header "X-Consul-Token: 8fc9e787-674f-0709-cfd5-bfdabd73a70d" \
+//   --header "Content-Type: application/json" \
+//   --data '{
+//     "Description": "Minimal token for read-only access",
+//     "Policies": [
+//       {
+//         "Name": "dev-policy-test-1"
+//       }
+//     ]
+//   }'
+//
+
+use rs_consul::{Config, Consul, CreateACLTokenPayload};
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: Some(String::from("8fc9e787-674f-0709-cfd5-bfdabd73a70d")), // use bootstraped
+        // token (with write perm)
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+    let token_payload = CreateACLTokenPayload {
+        description: Some("Test token".to_owned()),
+        ..Default::default()
+    };
+    let result = consul.create_acl_token(&token_payload).await.unwrap();
+    println!(
+        "
+Token created successfully:
+    accessor_id: {}
+    secret_id: {}
+    description: {}
+    policies: {:#?}
+    local: {}
+    create_time:{}
+    hash: {}
+",
+        result.accessor_id,
+        result.secret_id,
+        result.description,
+        result.policies,
+        result.local,
+        result.create_time,
+        result.hash,
+    );
+}

examples/delete_acl_token.rs

@@ -0,0 +1,18 @@
+use rs_consul::{Config, Consul};
+
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: Some(String::from("8fc9e787-674f-0709-cfd5-bfdabd73a70d")), // use bootstraped
+        // token (with write perm)
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+    let _res = consul
+        .delete_acl_token("58df5025-134c-8999-6bc3-992fe268a39e".to_string())
+        .await
+        .unwrap();
+
+    println!("Token deleted successfully");
+}

examples/get_acl_policies.rs

@@ -0,0 +1,28 @@
+use rs_consul::{Config, Consul};
+
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: Some(String::from("8fc9e787-674f-0709-cfd5-bfdabd73a70d")), // use bootstraped
+        // token (with write perm)
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+    let acl_policies = consul.get_acl_policies().await.unwrap();
+
+    println!("{} Policies found", acl_policies.len());
+    for (i, policy) in acl_policies.iter().enumerate() {
+        println!(
+            "id #{}\n\
+        ├─ ID: {}\n\
+        ├─ Name: {}\n\
+        └─ Description: {}",
+            i + 1,
+            policy.id,
+            policy.name,
+            policy.description,
+        );
+        println!("\n=========\n")
+    }
+}

examples/get_acl_tokens.rs

@@ -0,0 +1,35 @@
+use rs_consul::{Config, Consul};
+
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: Some(String::from("8fc9e787-674f-0709-cfd5-bfdabd73a70d")), // use bootstraped
+        // token (with write perm)
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+    let acl_tokens = consul.get_acl_tokens().await.unwrap();
+
+    println!("{} Tokens found", acl_tokens.len());
+    for (i, token) in acl_tokens.iter().enumerate() {
+        println!(
+            "Token #{}\n\
+        ├─ Accessor ID: {}\n\
+        ├─ Secret ID: {}\n\
+        ├─ Description: {}\n\
+        └─ Policies: {}",
+            i + 1,
+            token.accessor_id,
+            token.secret_id,
+            token.description,
+            token
+                .policies
+                .iter()
+                .map(|p| format!(" ({:?})", p))
+                .collect::<Vec<_>>()
+                .join(", ")
+        );
+        println!("\n=========\n")
+    }
+}

examples/lock.rs

@@ -0,0 +1,34 @@
+use rs_consul::{Config, Consul, types::*};
+
+#[tokio::main] // Enables async main
+async fn main() {
+    let consul_config = Config {
+        address: "http://localhost:8500".to_string(),
+        token: None, // Token is None in developpement mode
+        ..Default::default()
+    };
+    let consul = Consul::new(consul_config);
+
+    let node_id = "root-node";
+    let service_name = "new-service-1";
+    let payload = RegisterEntityPayload {
+        ID: None,
+        Node: node_id.to_string(),
+        Address: "127.0.0.1".to_string(),
+        Datacenter: None,
+        TaggedAddresses: Default::default(),
+        NodeMeta: Default::default(),
+        Service: Some(RegisterEntityService {
+            ID: None,
+            Service: service_name.to_string(),
+            Tags: vec![],
+            TaggedAddresses: Default::default(),
+            Meta: Default::default(),
+            Port: Some(42424),
+            Namespace: None,
+        }),
+        Checks: vec![],
+        SkipNodeUpdate: None,
+    };
+    consul.register_entity(&payload).await.unwrap();
+}