Merge pull request #3393 from hashicorp/b-delete-nonexistent-tokens
Return error if tokens cannot be deleted because they do not exist
chelseakomlo authored Oct 16, 2017
2 parents 3e42a6f + 27cef91 commit d65be7e
Showing 2 changed files with 34 additions and 0 deletions.
7 changes: 7 additions & 0 deletions nomad/acl_endpoint.go
@@ -5,6 +5,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
"strings"
"time"

metrics "github.com/armon/go-metrics"
@@ -578,12 +579,14 @@ func (a *ACL) DeleteTokens(args *structs.ACLTokenDeleteRequest, reply *structs.G
// Determine if we are deleting local or global tokens
hasGlobal := false
allGlobal := true
nonexistentTokens := make([]string, 0)
for _, accessor := range args.AccessorIDs {
token, err := state.ACLTokenByAccessorID(nil, accessor)
if err != nil {
return fmt.Errorf("token lookup failed: %v", err)
}
if token == nil {
nonexistentTokens = append(nonexistentTokens, accessor)
continue
}
if token.Global {
@@ -593,6 +596,10 @@ func (a *ACL) DeleteTokens(args *structs.ACLTokenDeleteRequest, reply *structs.G
}
}

if len(nonexistentTokens) != 0 {
return fmt.Errorf("Cannot delete nonexistent tokens: %v", strings.Join(nonexistentTokens, ", "))
}

// Disallow mixed requests with global and non-global tokens since we forward
// the entire request as a single batch.
if hasGlobal {
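Review bot: The new error at `return fmt.Errorf("Cannot delete nonexistent tokens: ...")` reports which accessor IDs are absent from this server's state, so it must only be reachable by an already-authorized caller; the permission check is not visible in these hunks (DeleteTokens begins and ends outside them), so confirm it runs before the lookup loop. Because the lookup uses the local state, a global token that has not yet replicated to this region would presumably now be rejected here rather than forwarded, which deserves a comment or a test. I would add `// Reject the whole batch when any accessor ID is unknown.` above the `len(nonexistentTokens) != 0` check. On style, the message should start lowercase like the neighbouring `token lookup failed: %v` (the new test's expected string would change with it), and `var nonexistentTokens []string` is the usual form for an empty slice.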
27 changes: 27 additions & 0 deletions nomad/acl_endpoint_test.go
@@ -907,6 +907,33 @@ func TestACLEndpoint_DeleteTokens(t *testing.T) {
assert.NotEqual(t, uint64(0), resp.Index)
}

func TestACLEndpoint_DeleteTokens_WithNonexistantToken(t *testing.T) {
t.Parallel()
assert := assert.New(t)

s1, root := testACLServer(t, nil)
defer s1.Shutdown()
codec := rpcClient(t, s1)
testutil.WaitForLeader(t, s1.RPC)

nonExistentToken := mock.ACLToken()

// Lookup the policies
req := &structs.ACLTokenDeleteRequest{
AccessorIDs: []string{nonExistentToken.AccessorID},
WriteRequest: structs.WriteRequest{
Region: "global",
AuthToken: root.SecretID,
},
}
var resp structs.GenericResponse
err := msgpackrpc.CallWithCodec(codec, "ACL.DeleteTokens", req, &resp)

assert.NotNil(err)
expectedError := fmt.Sprintf("Cannot delete nonexistent tokens: %s", nonExistentToken.AccessorID)
assert.Contains(expectedError, err.Error())
}

func TestACLEndpoint_Bootstrap(t *testing.T) {
t.Parallel()
s1 := testServer(t, func(c *Config) {
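Review bot: `assert.Contains(expectedError, err.Error())` has its arguments reversed: testify's Contains takes the string being searched first, so this asserts that the expected message contains the returned error, and an empty or truncated error string would still pass; it should read `assert.Contains(err.Error(), expectedError)`. The comment `// Lookup the policies` looks copied from another test and would be more accurate as `// Attempt to delete a token that was never stored`. The test covers only a lone unknown accessor; a case mixing one stored token with one unknown accessor, asserting that the stored token is still present afterwards, would pin the reject-the-whole-batch behaviour. The function name also spells it `Nonexistant` while the error message and variable use `nonexistent`.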
