自学教程：C++ ACLs类代码示例

// Testing route with good ACLs.TEST_F(TeardownTest, TeardownEndpointGoodACLs){  // Setup ACLs so that the default principal can teardown the  // framework.  ACLs acls;  mesos::ACL::ShutdownFramework* acl = acls.add_shutdown_frameworks();  acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());  acl->mutable_framework_principals()->add_values(      DEFAULT_CREDENTIAL.principal());  master::Flags flags = CreateMasterFlags();  flags.acls = acls;  Try<PID<Master> > master = StartMaster(flags);  ASSERT_SOME(master);  MockScheduler sched;  MesosSchedulerDriver driver(      &sched, DEFAULT_FRAMEWORK_INFO, master.get(), DEFAULT_CREDENTIAL);  Future<FrameworkID> frameworkId;  EXPECT_CALL(sched, registered(&driver, _, _))    .WillOnce(FutureArg<1>(&frameworkId));  ASSERT_EQ(DRIVER_RUNNING, driver.start());  AWAIT_READY(frameworkId);  process::http::Headers headers;  headers["Authorization"] = "Basic " +    base64::encode(DEFAULT_CREDENTIAL.principal() +                   ":" + DEFAULT_CREDENTIAL.secret());  Future<Response> response = process::http::post(      master.get(),      "teardown",      headers,      "frameworkId=" + frameworkId.get().value());  AWAIT_READY(response);  AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response);  driver.stop();  driver.join();  Shutdown();}

TYPED_TEST(AuthorizationTest, OnlySomePrincipalsRunAsSomeUsers){  // Only some principals can run as some users.  ACLs acls;  // ACL for some principals to run as some users.  mesos::ACL::RunTask* acl = acls.add_run_tasks();  acl->mutable_principals()->add_values("foo");  acl->mutable_principals()->add_values("bar");  acl->mutable_users()->add_values("user1");  acl->mutable_users()->add_values("user2");  // ACL for no one else to run as some users.  mesos::ACL::RunTask* acl2 = acls.add_run_tasks();  acl2->mutable_principals()->set_type(mesos::ACL::Entity::NONE);  acl2->mutable_users()->add_values("user1");  acl2->mutable_users()->add_values("user2");  // Create an Authorizer with the ACLs.  Try<Authorizer*> create = TypeParam::create();  ASSERT_SOME(create);  Owned<Authorizer> authorizer(create.get());  Try<Nothing> initialized = authorizer.get()->initialize(acls);  ASSERT_SOME(initialized);  // Principals "foo" and "bar" can run as "user1" and "user2".  mesos::ACL::RunTask request;  request.mutable_principals()->add_values("foo");  request.mutable_principals()->add_values("bar");  request.mutable_users()->add_values("user1");  request.mutable_users()->add_values("user2");  AWAIT_EXPECT_EQ(true, authorizer.get()->authorize(request));  // Principal "baz" cannot run as "user1".  mesos::ACL::RunTask request2;  request2.mutable_principals()->add_values("baz");  request2.mutable_users()->add_values("user1");  AWAIT_EXPECT_EQ(false, authorizer.get()->authorize(request2));  // Principal "baz" cannot run as "user2".  mesos::ACL::RunTask request3;  request3.mutable_principals()->add_values("baz");  request3.mutable_users()->add_values("user1");  AWAIT_EXPECT_EQ(false, authorizer.get()->authorize(request3));}

TEST_F(AuthorizationTest, NoPrincipalRunAsUser){  // No principal can run as "root" user.  ACLs acls;  mesos::ACL::RunTask* acl = acls.add_run_tasks();  acl->mutable_principals()->set_type(mesos::ACL::Entity::NONE);  acl->mutable_users()->add_values("root");  // Create an Authorizer with the ACLs.  Try<Owned<LocalAuthorizer> > authorizer = LocalAuthorizer::create(acls);  ASSERT_SOME(authorizer);  // Principal "foo" cannot run as "root".  mesos::ACL::RunTask request;  request.mutable_principals()->add_values("foo");  request.mutable_users()->add_values("root");  AWAIT_EXPECT_EQ(false, authorizer.get()->authorize(request));}

TYPED_TEST(AuthorizationTest, PrincipalRunAsSomeUserRestrictive){  ACLs acls;  acls.set_permissive(false); // Restrictive.  {    // A principal can run as "user1";    mesos::ACL::RunTask* acl = acls.add_run_tasks();    acl->mutable_principals()->add_values("foo");    acl->mutable_users()->add_values("user1");  }  // Create an `Authorizer` with the ACLs.  Try<Authorizer*> create = TypeParam::create(parameterize(acls));  ASSERT_SOME(create);  Owned<Authorizer> authorizer(create.get());  // Principal "foo" can run as "user1".  {    authorization::Request request;    request.set_action(authorization::RUN_TASK_WITH_USER);    request.mutable_subject()->set_value("foo");    request.mutable_object()->set_value("user1");    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));  }  // Principal "foo" cannot run as "user2".  {    authorization::Request request;    request.set_action(authorization::RUN_TASK_WITH_USER);    request.mutable_subject()->set_value("foo");    request.mutable_object()->set_value("user2");    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));  }  // Principal "bar" cannot run as "user2" since no ACL is set.  {    authorization::Request request;    request.set_action(authorization::RUN_TASK_WITH_USER);    request.mutable_subject()->set_value("bar");    request.mutable_object()->set_value("user2");    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));  }}

TYPED_TEST(AuthorizationTest, SomePrincipalOnlySomeUser){  // Some principal can run as only some user.  ACLs acls;  // ACL for some principal to run as some user.  mesos::ACL::RunTask* acl = acls.add_run_tasks();  acl->mutable_principals()->add_values("foo");  acl->mutable_users()->add_values("user1");  // ACL for some principal to not run as any other user.  mesos::ACL::RunTask* acl2 = acls.add_run_tasks();  acl2->mutable_principals()->add_values("foo");  acl2->mutable_users()->set_type(mesos::ACL::Entity::NONE);  // Create an `Authorizer` with the ACLs.  Try<Authorizer*> create = TypeParam::create();  ASSERT_SOME(create);  Owned<Authorizer> authorizer(create.get());  Try<Nothing> initialized = authorizer.get()->initialize(acls);  ASSERT_SOME(initialized);  // Principal "foo" can run as "user1".  mesos::ACL::RunTask request;  request.mutable_principals()->add_values("foo");  request.mutable_users()->add_values("user1");  AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request));  // Principal "foo" cannot run as "user2".  mesos::ACL::RunTask request2;  request2.mutable_principals()->add_values("foo");  request2.mutable_users()->add_values("user2");  AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request2));  // Principal "bar" can run as "user1" and "user2".  mesos::ACL::RunTask request3;  request3.mutable_principals()->add_values("bar");  request3.mutable_users()->add_values("user1");  request3.mutable_users()->add_values("user2");  AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request3));}

// This test verifies that only authorized principals// can access the '/flags' endpoint.TYPED_TEST(SlaveAuthorizerTest, AuthorizeFlagsEndpoint){  const string endpoint = "flags";  // Setup ACLs so that only the default principal  // can access the '/flags' endpoint.  ACLs acls;  acls.set_permissive(false);  mesos::ACL::GetEndpoint* acl = acls.add_get_endpoints();  acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());  acl->mutable_paths()->add_values("/" + endpoint);  // Create an `Authorizer` with the ACLs.  Try<Authorizer*> create = TypeParam::create(parameterize(acls));  ASSERT_SOME(create);  Owned<Authorizer> authorizer(create.get());  StandaloneMasterDetector detector;  Try<Owned<cluster::Slave>> agent =    this->StartSlave(&detector, authorizer.get());  ASSERT_SOME(agent);  Future<Response> response = http::get(      agent.get()->pid,      endpoint,      None(),      createBasicAuthHeaders(DEFAULT_CREDENTIAL));  AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response)    << response.get().body;  response = http::get(      agent.get()->pid,      endpoint,      None(),      createBasicAuthHeaders(DEFAULT_CREDENTIAL_2));  AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response)    << response.get().body;}

// Testing route with bad ACLs.TEST_F(TeardownTest, BadACLs){  // Setup ACLs so that no principal can teardown the framework.  ACLs acls;  mesos::ACL::TeardownFramework* acl = acls.add_teardown_frameworks();  acl->mutable_principals()->set_type(mesos::ACL::Entity::NONE);  acl->mutable_framework_principals()->add_values(      DEFAULT_CREDENTIAL.principal());  master::Flags flags = CreateMasterFlags();  flags.acls = acls;  Try<Owned<cluster::Master>> master = StartMaster(flags);  ASSERT_SOME(master);  MockScheduler sched;  MesosSchedulerDriver driver(      &sched, DEFAULT_FRAMEWORK_INFO, master.get()->pid, DEFAULT_CREDENTIAL);  Future<FrameworkID> frameworkId;  EXPECT_CALL(sched, registered(&driver, _, _))    .WillOnce(FutureArg<1>(&frameworkId));  ASSERT_EQ(DRIVER_RUNNING, driver.start());  AWAIT_READY(frameworkId);  Future<Response> response = process::http::post(      master.get()->pid,      "teardown",      createBasicAuthHeaders(DEFAULT_CREDENTIAL),      "frameworkId=" + frameworkId.get().value());  AWAIT_READY(response);  AWAIT_EXPECT_RESPONSE_STATUS_EQ(Forbidden().status, response);  driver.stop();  driver.join();}

// This test verifies that a framework registration with unauthorized// role is denied.TEST_F(MasterAuthorizationTest, UnauthorizedRole){  // Setup ACLs so that no framework can receive offers for role  // "foo".  ACLs acls;  mesos::ACL::ReceiveOffers* acl = acls.add_receive_offers();  acl->mutable_principals()->set_type(mesos::ACL::Entity::NONE);  acl->mutable_roles()->add_values("foo");  master::Flags flags = CreateMasterFlags();  flags.roles = "foo";  flags.acls = acls;  Try<PID<Master> > master = StartMaster(flags);  ASSERT_SOME(master);  FrameworkInfo frameworkInfo; // Bug in gcc 4.1.*, must assign on next line.  frameworkInfo = DEFAULT_FRAMEWORK_INFO;  frameworkInfo.set_role("foo");  MockScheduler sched;  MesosSchedulerDriver driver(      &sched, frameworkInfo, master.get(), DEFAULT_CREDENTIAL);  Future<Nothing> error;  EXPECT_CALL(sched, error(&driver, _))    .WillOnce(FutureSatisfy(&error));  driver.start();  // Framework should get error message from the master.  AWAIT_READY(error);  driver.stop();  driver.join();  Shutdown();}

// This test verifies that a framework registration with authorized// role is successful.TEST_F(MasterAuthorizationTest, AuthorizedRole){  // Setup ACLs so that the framework can receive offers for role  // "foo".  ACLs acls;  mesos::ACL::RegisterFramework* acl = acls.add_register_frameworks();  acl->mutable_principals()->add_values(DEFAULT_FRAMEWORK_INFO.principal());  acl->mutable_roles()->add_values("foo");  master::Flags flags = CreateMasterFlags();  flags.roles = "foo";  flags.acls = acls;  Try<PID<Master> > master = StartMaster(flags);  ASSERT_SOME(master);  FrameworkInfo frameworkInfo; // Bug in gcc 4.1.*, must assign on next line.  frameworkInfo = DEFAULT_FRAMEWORK_INFO;  frameworkInfo.set_role("foo");  MockScheduler sched;  MesosSchedulerDriver driver(      &sched, frameworkInfo, master.get(), DEFAULT_CREDENTIAL);  Future<Nothing> registered;  EXPECT_CALL(sched, registered(&driver, _, _))    .WillOnce(FutureSatisfy(&registered));  driver.start();  AWAIT_READY(registered);  driver.stop();  driver.join();  Shutdown();}

void execute(const string& script){  // Create a temporary directory for the test.  Try<string> directory = environment->mkdtemp();  CHECK_SOME(directory) << "Failed to create temporary directory";  if (flags.verbose) {    std::cerr << "Using temporary directory '"              << directory.get() << "'" << std::endl;  }  // Determine the path for the script.  Result<string> path =    os::realpath(path::join(flags.source_dir, "src", "tests", script));  if (!path.isSome()) {    FAIL() << "Failed to locate script: "           << (path.isError() ? path.error() : "No such file or directory");  }  // Fork a process to change directory and run the test.  pid_t pid;  if ((pid = fork()) == -1) {    FAIL() << "Failed to fork to launch script";  }  if (pid > 0) {    // In parent process.    int status;    while (wait(&status) != pid || WIFSTOPPED(status));    CHECK(WIFEXITED(status) || WIFSIGNALED(status));    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {      FAIL() << script << " " << WSTRINGIFY(status);    }  } else {    // In child process. DO NOT USE GLOG!    // Start by cd'ing into the temporary directory.    Try<Nothing> chdir = os::chdir(directory.get());    if (chdir.isError()) {      std::cerr << "Failed to chdir to '" << directory.get() << "': "                << chdir.error() << std::endl;      abort();    }    // Redirect output to /dev/null unless the test is verbose.    if (!flags.verbose) {      if (freopen("/dev/null", "w", stdout) == NULL ||          freopen("/dev/null", "w", stderr) == NULL) {        std::cerr << "Failed to redirect stdout/stderr to /dev/null:"                  << os::strerror(errno) << std::endl;        abort();      }    }    // Set up the environment for executing the script.    os::setenv("MESOS_SOURCE_DIR", flags.source_dir);    os::setenv("MESOS_BUILD_DIR", flags.build_dir);    os::setenv("MESOS_WEBUI_DIR", path::join(flags.source_dir, "src", "webui"));    os::setenv("MESOS_LAUNCHER_DIR", path::join(flags.build_dir, "src"));    // Enable replicated log based registry.    os::setenv("MESOS_REGISTRY", "replicated_log");    // Enable authentication.    os::setenv("MESOS_AUTHENTICATE", "true");    // Create test credentials.    const string& credentials =      DEFAULT_CREDENTIAL.principal() + " " + DEFAULT_CREDENTIAL.secret();    const string& credentialsPath =      path::join(directory.get(), "credentials");    CHECK_SOME(os::write(credentialsPath, credentials))      << "Failed to write credentials to '" << credentialsPath << "'";    os::setenv("MESOS_CREDENTIALS", "file://" + credentialsPath);    // We set test credentials here for example frameworks to use.    os::setenv("DEFAULT_PRINCIPAL", DEFAULT_CREDENTIAL.principal());    os::setenv("DEFAULT_SECRET", DEFAULT_CREDENTIAL.secret());    // TODO(bmahler): Update the example frameworks to use flags and    // remove the special DEFAULT_* environment variables above.    os::setenv("MESOS_PRINCIPAL", DEFAULT_CREDENTIAL.principal());    os::setenv("MESOS_SECRET", DEFAULT_CREDENTIAL.secret());    // Create test ACLs.    ACLs acls;    acls.set_permissive(false);    mesos::ACL::RunTask* run = acls.add_run_tasks();    run->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());    Result<string> user = os::user();    CHECK_SOME(user) << "Failed to get current user name";    run->mutable_users()->add_values(user.get());//.........这里部分代码省略.........