2023-08-11 13:12:13 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
2023-08-04 18:27:48 +00:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2023-08-15 13:11:50 +00:00
|
|
|
"fmt"
|
2023-09-12 13:22:15 +00:00
|
|
|
"io"
|
2023-08-04 18:27:48 +00:00
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
"github.com/stretchr/testify/mock"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
|
|
|
resourceSvc "github.com/hashicorp/consul/agent/grpc-external/services/resource"
|
|
|
|
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
|
|
|
|
pbdemov1 "github.com/hashicorp/consul/proto/private/pbdemo/v1"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/internal/resource"
|
|
|
|
"github.com/hashicorp/consul/internal/resource/demo"
|
|
|
|
"github.com/hashicorp/consul/proto-public/pbresource"
|
|
|
|
pbdemov2 "github.com/hashicorp/consul/proto/private/pbdemo/v2"
|
|
|
|
"github.com/hashicorp/consul/sdk/testutil"
|
|
|
|
)
|
|
|
|
|
|
|
|
const testACLTokenArtistReadPolicy = "00000000-0000-0000-0000-000000000001"
|
|
|
|
const testACLTokenArtistWritePolicy = "00000000-0000-0000-0000-000000000002"
|
2023-08-15 13:11:50 +00:00
|
|
|
const testACLTokenArtistListPolicy = "00000000-0000-0000-0000-000000000003"
|
2023-08-11 21:11:11 +00:00
|
|
|
const fakeToken = "fake-token"
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
func parseToken(req *http.Request, token *string) {
|
2023-08-11 13:22:30 +00:00
|
|
|
*token = req.Header.Get("x-consul-token")
|
2023-08-04 18:27:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestResourceHandler_InputValidation(t *testing.T) {
|
|
|
|
type testCase struct {
|
|
|
|
description string
|
|
|
|
request *http.Request
|
|
|
|
response *httptest.ResponseRecorder
|
|
|
|
expectedResponseCode int
|
2023-10-16 17:55:30 +00:00
|
|
|
responseBodyContains string
|
2023-08-04 18:27:48 +00:00
|
|
|
}
|
|
|
|
client := svctest.RunResourceService(t, demo.RegisterTypes)
|
|
|
|
resourceHandler := resourceHandler{
|
|
|
|
resource.Registration{
|
|
|
|
Type: demo.TypeV2Artist,
|
|
|
|
Proto: &pbdemov2.Artist{},
|
2023-09-01 14:44:53 +00:00
|
|
|
Scope: resource.ScopeNamespace,
|
2023-08-04 18:27:48 +00:00
|
|
|
},
|
|
|
|
client,
|
|
|
|
func(req *http.Request, token *string) { return },
|
|
|
|
hclog.NewNullLogger(),
|
|
|
|
}
|
|
|
|
|
|
|
|
testCases := []testCase{
|
|
|
|
{
|
|
|
|
description: "missing resource name",
|
|
|
|
request: httptest.NewRequest("PUT", "/?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)),
|
|
|
|
response: httptest.NewRecorder(),
|
|
|
|
expectedResponseCode: http.StatusBadRequest,
|
2023-10-16 17:55:30 +00:00
|
|
|
responseBodyContains: "resource.id.name invalid",
|
2023-08-04 18:27:48 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
description: "wrong schema",
|
|
|
|
request: httptest.NewRequest("PUT", "/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"dada": {
|
|
|
|
"name": "Keith Urban",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)),
|
|
|
|
response: httptest.NewRecorder(),
|
|
|
|
expectedResponseCode: http.StatusBadRequest,
|
2023-10-16 17:55:30 +00:00
|
|
|
responseBodyContains: "Request body didn't follow the resource schema",
|
2023-09-12 13:22:15 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
description: "invalid request body",
|
|
|
|
request: httptest.NewRequest("PUT", "/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader("bad-input")),
|
|
|
|
response: httptest.NewRecorder(),
|
|
|
|
expectedResponseCode: http.StatusBadRequest,
|
2023-10-16 17:55:30 +00:00
|
|
|
responseBodyContains: "Request body format is invalid",
|
2023-08-04 18:27:48 +00:00
|
|
|
},
|
2023-08-11 13:22:30 +00:00
|
|
|
{
|
|
|
|
description: "no id",
|
|
|
|
request: httptest.NewRequest("DELETE", "/?partition=default&peer_name=local&namespace=default", strings.NewReader("")),
|
|
|
|
response: httptest.NewRecorder(),
|
|
|
|
expectedResponseCode: http.StatusBadRequest,
|
2023-10-16 17:55:30 +00:00
|
|
|
responseBodyContains: "id.name invalid",
|
2023-08-11 13:22:30 +00:00
|
|
|
},
|
2023-08-04 18:27:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
t.Run(tc.description, func(t *testing.T) {
|
|
|
|
resourceHandler.ServeHTTP(tc.response, tc.request)
|
|
|
|
|
2023-09-12 13:22:15 +00:00
|
|
|
response := tc.response.Result()
|
|
|
|
|
|
|
|
defer response.Body.Close()
|
|
|
|
|
|
|
|
b, err := io.ReadAll(tc.response.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2023-08-04 18:27:48 +00:00
|
|
|
require.Equal(t, tc.expectedResponseCode, tc.response.Result().StatusCode)
|
2023-10-16 17:55:30 +00:00
|
|
|
require.Contains(t, string(b), tc.responseBodyContains)
|
2023-08-04 18:27:48 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestResourceWriteHandler(t *testing.T) {
|
|
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1ReadPolicy, demo.ArtistV2ReadPolicy), nil)
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1WritePolicy, demo.ArtistV2WritePolicy), nil)
|
|
|
|
|
2023-10-10 18:30:23 +00:00
|
|
|
client := svctest.RunResourceServiceWithConfig(t, resourceSvc.Config{ACLResolver: aclResolver}, demo.RegisterTypes)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
r := resource.NewRegistry()
|
|
|
|
demo.RegisterTypes(r)
|
|
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
t.Run("should be blocked if the token is not authorized", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusForbidden, rsp.Result().StatusCode)
|
|
|
|
})
|
2023-10-20 18:49:54 +00:00
|
|
|
var readRsp *pbresource.ReadResponse
|
2023-08-04 18:27:48 +00:00
|
|
|
t.Run("should write to the resource backend", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
require.Equal(t, "Keith Urban", result["data"].(map[string]any)["name"])
|
|
|
|
require.Equal(t, "keith-urban", result["id"].(map[string]any)["name"])
|
|
|
|
|
2023-10-20 18:49:54 +00:00
|
|
|
var err error
|
|
|
|
readRsp, err = client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
2023-08-04 18:27:48 +00:00
|
|
|
Id: &pbresource.ID{
|
|
|
|
Type: demo.TypeV2Artist,
|
2023-08-24 15:49:46 +00:00
|
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
2023-08-04 18:27:48 +00:00
|
|
|
Name: "keith-urban",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, readRsp.Resource)
|
|
|
|
|
|
|
|
var artist pbdemov2.Artist
|
|
|
|
require.NoError(t, readRsp.Resource.Data.UnmarshalTo(&artist))
|
|
|
|
require.Equal(t, "Keith Urban", artist.Name)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should update the record with version parameter", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
2023-10-20 18:49:54 +00:00
|
|
|
req := httptest.NewRequest("PUT", fmt.Sprintf("/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=%s", readRsp.Resource.Version), strings.NewReader(`
|
2023-08-04 18:27:48 +00:00
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban Two",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
require.Equal(t, "Keith Urban Two", result["data"].(map[string]any)["name"])
|
|
|
|
require.Equal(t, "keith-urban", result["id"].(map[string]any)["name"])
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should fail the update if the resource's version doesn't match the version of the existing resource", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=1", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusConflict, rsp.Result().StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should write to the resource backend with owner", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("PUT", "/demo/v1/artist/keith-urban-v1?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
|
|
|
"name": "Keith Urban V1",
|
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
},
|
|
|
|
"owner": {
|
|
|
|
"name": "keith-urban",
|
|
|
|
"type": {
|
|
|
|
"group": "demo",
|
|
|
|
"group_version": "v2",
|
|
|
|
"kind": "Artist"
|
|
|
|
},
|
|
|
|
"tenancy": {
|
|
|
|
"partition": "default",
|
|
|
|
"peer_name": "local",
|
|
|
|
"namespace": "default"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-04 18:27:48 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
require.Equal(t, "Keith Urban V1", result["data"].(map[string]any)["name"])
|
|
|
|
require.Equal(t, "keith-urban-v1", result["id"].(map[string]any)["name"])
|
|
|
|
|
|
|
|
readRsp, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
|
|
Id: &pbresource.ID{
|
|
|
|
Type: demo.TypeV1Artist,
|
2023-08-24 15:49:46 +00:00
|
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
2023-08-04 18:27:48 +00:00
|
|
|
Name: "keith-urban-v1",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, readRsp.Resource)
|
|
|
|
require.Equal(t, "keith-urban", readRsp.Resource.Owner.Name)
|
|
|
|
|
|
|
|
var artist pbdemov1.Artist
|
|
|
|
require.NoError(t, readRsp.Resource.Data.UnmarshalTo(&artist))
|
|
|
|
require.Equal(t, "Keith Urban V1", artist.Name)
|
|
|
|
})
|
|
|
|
}
|
2023-08-11 13:22:30 +00:00
|
|
|
|
2023-08-15 13:11:50 +00:00
|
|
|
type ResourceUri struct {
|
|
|
|
group string
|
|
|
|
version string
|
|
|
|
kind string
|
|
|
|
resourceName string
|
|
|
|
}
|
|
|
|
|
|
|
|
func createResource(t *testing.T, artistHandler http.Handler, resourceUri *ResourceUri) map[string]any {
|
2023-08-11 13:22:30 +00:00
|
|
|
rsp := httptest.NewRecorder()
|
2023-08-15 13:11:50 +00:00
|
|
|
|
|
|
|
if resourceUri == nil {
|
|
|
|
resourceUri = &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "keith-urban"}
|
|
|
|
}
|
|
|
|
|
|
|
|
req := httptest.NewRequest("PUT", fmt.Sprintf("/%s/%s/%s/%s?partition=default&peer_name=local&namespace=default", resourceUri.group, resourceUri.version, resourceUri.kind, resourceUri.resourceName), strings.NewReader(`
|
2023-08-11 13:22:30 +00:00
|
|
|
{
|
|
|
|
"metadata": {
|
|
|
|
"foo": "bar"
|
|
|
|
},
|
|
|
|
"data": {
|
2023-08-15 13:11:50 +00:00
|
|
|
"name": "test",
|
2023-08-11 13:22:30 +00:00
|
|
|
"genre": "GENRE_COUNTRY"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
|
|
|
artistHandler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
2023-08-11 21:11:11 +00:00
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2023-08-15 13:11:50 +00:00
|
|
|
func deleteResource(t *testing.T, artistHandler http.Handler, resourceUri *ResourceUri) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
|
|
|
|
if resourceUri == nil {
|
|
|
|
resourceUri = &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "keith-urban"}
|
|
|
|
}
|
|
|
|
|
|
|
|
req := httptest.NewRequest("DELETE", fmt.Sprintf("/%s/%s/%s/%s?partition=default&peer_name=local&namespace=default", resourceUri.group, resourceUri.version, resourceUri.kind, resourceUri.resourceName), strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
|
|
|
artistHandler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusNoContent, rsp.Result().StatusCode)
|
|
|
|
}
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
func TestResourceReadHandler(t *testing.T) {
|
|
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1ReadPolicy, demo.ArtistV2ReadPolicy), nil)
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1WritePolicy, demo.ArtistV2WritePolicy), nil)
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", fakeToken, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, ""), nil)
|
|
|
|
|
2023-10-10 18:30:23 +00:00
|
|
|
client := svctest.RunResourceServiceWithConfig(t, resourceSvc.Config{ACLResolver: aclResolver}, demo.RegisterTypes)
|
2023-08-11 21:11:11 +00:00
|
|
|
|
|
|
|
r := resource.NewRegistry()
|
|
|
|
demo.RegisterTypes(r)
|
|
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
|
|
|
|
2023-08-15 13:11:50 +00:00
|
|
|
createdResource := createResource(t, handler, nil)
|
2023-08-11 21:11:11 +00:00
|
|
|
|
|
|
|
t.Run("Read resource", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
require.Equal(t, result, createdResource)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should not be found if resource not exist", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-not-exist?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusNotFound, rsp.Result().StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should be blocked if the token is not authorized", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", fakeToken)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusForbidden, rsp.Result().StatusCode)
|
|
|
|
})
|
2023-08-11 13:22:30 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestResourceDeleteHandler(t *testing.T) {
|
|
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2ReadPolicy), nil)
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2WritePolicy), nil)
|
|
|
|
|
2023-10-10 18:30:23 +00:00
|
|
|
client := svctest.RunResourceServiceWithConfig(t, resourceSvc.Config{ACLResolver: aclResolver}, demo.RegisterTypes)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
r := resource.NewRegistry()
|
|
|
|
demo.RegisterTypes(r)
|
|
|
|
|
|
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
t.Run("should surface PermissionDenied error from resource service", func(t *testing.T) {
|
2023-08-15 13:11:50 +00:00
|
|
|
createResource(t, handler, nil)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
deleteRsp := httptest.NewRecorder()
|
|
|
|
deletReq := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
deletReq.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(deleteRsp, deletReq)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusForbidden, deleteRsp.Result().StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should delete a resource without version", func(t *testing.T) {
|
2023-08-15 13:11:50 +00:00
|
|
|
createResource(t, handler, nil)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
deleteRsp := httptest.NewRecorder()
|
|
|
|
deletReq := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
deletReq.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(deleteRsp, deletReq)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusNoContent, deleteRsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(deleteRsp.Body).Decode(&result))
|
|
|
|
require.Empty(t, result)
|
|
|
|
|
|
|
|
_, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
|
|
Id: &pbresource.ID{
|
|
|
|
Type: demo.TypeV2Artist,
|
2023-08-24 15:49:46 +00:00
|
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
2023-08-11 13:22:30 +00:00
|
|
|
Name: "keith-urban",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.ErrorContains(t, err, "resource not found")
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should delete a resource with version", func(t *testing.T) {
|
2023-08-15 13:11:50 +00:00
|
|
|
createResource(t, handler, nil)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=1", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
2023-08-15 13:11:50 +00:00
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
2023-08-11 21:11:11 +00:00
|
|
|
handler.ServeHTTP(rsp, req)
|
2023-08-11 13:22:30 +00:00
|
|
|
|
|
|
|
require.Equal(t, http.StatusNoContent, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
_, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
|
|
Id: &pbresource.ID{
|
|
|
|
Type: demo.TypeV2Artist,
|
2023-08-24 15:49:46 +00:00
|
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
2023-08-11 13:22:30 +00:00
|
|
|
Name: "keith-urban",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.ErrorContains(t, err, "resource not found")
|
|
|
|
})
|
|
|
|
}
|
2023-08-15 13:11:50 +00:00
|
|
|
|
|
|
|
func TestResourceListHandler(t *testing.T) {
|
|
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistListPolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2ListPolicy), nil)
|
|
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2WritePolicy), nil)
|
|
|
|
|
2023-10-10 18:30:23 +00:00
|
|
|
client := svctest.RunResourceServiceWithConfig(t, resourceSvc.Config{ACLResolver: aclResolver}, demo.RegisterTypes)
|
2023-08-15 13:11:50 +00:00
|
|
|
|
|
|
|
r := resource.NewRegistry()
|
|
|
|
demo.RegisterTypes(r)
|
|
|
|
|
|
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
|
|
|
|
|
|
|
t.Run("should return MethodNotAllowed", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusMethodNotAllowed, rsp.Result().StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should be blocked if the token is not authorized", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusForbidden, rsp.Result().StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should return list of resources", func(t *testing.T) {
|
|
|
|
resourceUri1 := &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "steve"}
|
|
|
|
resource1 := createResource(t, handler, resourceUri1)
|
|
|
|
resourceUri2 := &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "elvis"}
|
|
|
|
resource2 := createResource(t, handler, resourceUri2)
|
|
|
|
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
|
|
|
|
resources, _ := result["resources"].([]any)
|
|
|
|
require.Len(t, resources, 2)
|
|
|
|
|
|
|
|
expected := []map[string]any{resource1, resource2}
|
|
|
|
require.Contains(t, expected, resources[0])
|
|
|
|
require.Contains(t, expected, resources[1])
|
|
|
|
|
|
|
|
// clean up
|
|
|
|
deleteResource(t, handler, resourceUri1)
|
|
|
|
deleteResource(t, handler, resourceUri2)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should return empty list when no resources are found", func(t *testing.T) {
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
|
|
|
|
resources, _ := result["resources"].([]any)
|
|
|
|
require.Len(t, resources, 0)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should return empty list when name prefix matches don't match", func(t *testing.T) {
|
|
|
|
createResource(t, handler, nil)
|
|
|
|
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist?partition=default&peer_name=local&namespace=default&name_prefix=noname", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
|
|
|
|
resources, _ := result["resources"].([]any)
|
|
|
|
require.Len(t, resources, 0)
|
|
|
|
|
|
|
|
// clean up
|
|
|
|
deleteResource(t, handler, nil)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("should return list of resources matching name prefix", func(t *testing.T) {
|
|
|
|
resourceUri1 := &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "steve"}
|
|
|
|
resource1 := createResource(t, handler, resourceUri1)
|
|
|
|
resourceUri2 := &ResourceUri{group: "demo", version: "v2", kind: "artist", resourceName: "elvis"}
|
|
|
|
createResource(t, handler, resourceUri2)
|
|
|
|
|
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist?partition=default&peer_name=local&namespace=default&name_prefix=steve", strings.NewReader(""))
|
|
|
|
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistListPolicy)
|
|
|
|
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
|
|
|
|
var result map[string]any
|
|
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
|
|
|
|
|
|
resources, _ := result["resources"].([]any)
|
|
|
|
require.Len(t, resources, 1)
|
|
|
|
|
|
|
|
require.Equal(t, resource1, resources[0])
|
|
|
|
|
|
|
|
// clean up
|
|
|
|
deleteResource(t, handler, resourceUri1)
|
|
|
|
deleteResource(t, handler, resourceUri2)
|
|
|
|
})
|
|
|
|
}
|