372 lines
10 KiB
Go
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-08-11 09:12:13 -04:00
// SPDX-License-Identifier: BUSL-1.1
package resource
import (
"context"
"fmt"
"testing"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/grpc-external/testutils"
"github.com/hashicorp/consul/internal/resource"
2023-04-06 10:40:04 +01:00
"github.com/hashicorp/consul/internal/resource/demo"
"github.com/hashicorp/consul/internal/storage"
"github.com/hashicorp/consul/proto-public/pbresource"
"github.com/hashicorp/consul/proto/private/prototest"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
)
func TestList_InputValidation(t *testing.T) {
server := testServer(t)
client := testClient(t, server)
demo.RegisterTypes(server.Registry)
testCases := map[string]func(*pbresource.ListRequest){
"no type": func(req *pbresource.ListRequest) { req.Type = nil },
"no tenancy": func(req *pbresource.ListRequest) { req.Tenancy = nil },
"partitioned resource provides non-empty namespace": func(req *pbresource.ListRequest) {
req.Type = demo.TypeV1RecordLabel
req.Tenancy.Namespace = "bad"
},
}
for desc, modFn := range testCases {
t.Run(desc, func(t *testing.T) {
req := &pbresource.ListRequest{
Type: demo.TypeV2Album,
Tenancy: resource.DefaultNamespacedTenancy(),
}
modFn(req)
_, err := client.List(testContext(t), req)
require.Error(t, err)
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
})
}
}
func TestList_TypeNotFound(t *testing.T) {
server := testServer(t)
client := testClient(t, server)
_, err := client.List(context.Background(), &pbresource.ListRequest{
2023-04-06 10:40:04 +01:00
Type: demo.TypeV2Artist,
Tenancy: resource.DefaultNamespacedTenancy(),
NamePrefix: "",
})
require.Error(t, err)
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
require.Contains(t, err.Error(), "resource type demo.v2.Artist not registered")
}
func TestList_Empty(t *testing.T) {
for desc, tc := range listTestCases() {
t.Run(desc, func(t *testing.T) {
server := testServer(t)
2023-04-25 12:52:35 +01:00
demo.RegisterTypes(server.Registry)
client := testClient(t, server)
rsp, err := client.List(tc.ctx, &pbresource.ListRequest{
2023-04-06 10:40:04 +01:00
Type: demo.TypeV1Artist,
Tenancy: resource.DefaultNamespacedTenancy(),
NamePrefix: "",
})
require.NoError(t, err)
require.Empty(t, rsp.Resources)
})
}
}
func TestList_Many(t *testing.T) {
for desc, tc := range listTestCases() {
t.Run(desc, func(t *testing.T) {
server := testServer(t)
2023-04-25 12:52:35 +01:00
demo.RegisterTypes(server.Registry)
client := testClient(t, server)
resources := make([]*pbresource.Resource, 10)
for i := 0; i < len(resources); i++ {
2023-04-06 10:40:04 +01:00
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
// Prevent test flakes if the generated names collide.
artist.Id.Name = fmt.Sprintf("%s-%d", artist.Id.Name, i)
rsp, err := client.Write(tc.ctx, &pbresource.WriteRequest{Resource: artist})
2023-04-06 10:40:04 +01:00
require.NoError(t, err)
resources[i] = rsp.Resource
}
rsp, err := client.List(tc.ctx, &pbresource.ListRequest{
2023-04-06 10:40:04 +01:00
Type: demo.TypeV2Artist,
Tenancy: resource.DefaultNamespacedTenancy(),
NamePrefix: "",
})
require.NoError(t, err)
prototest.AssertElementsMatch(t, resources, rsp.Resources)
})
}
}
func TestList_Tenancy_Defaults_And_Normalization(t *testing.T) {
// Test units of tenancy get defaulted correctly when empty.
ctx := context.Background()
testCases := map[string]struct {
typ *pbresource.Type
tenancy *pbresource.Tenancy
}{
"namespaced type with empty partition": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: "",
Namespace: resource.DefaultNamespaceName,
PeerName: "local",
},
},
"namespaced type with empty namespace": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: resource.DefaultPartitionName,
Namespace: "",
PeerName: "local",
},
},
"namespaced type with empty partition and namespace": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: "",
Namespace: "",
PeerName: "local",
},
},
"namespaced type with uppercase partition and namespace": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: "DEFAULT",
Namespace: "DEFAULT",
PeerName: "local",
},
},
"namespaced type with wildcard partition and empty namespace": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: "*",
Namespace: "",
PeerName: "local",
},
},
"namespaced type with empty partition and wildcard namespace": {
typ: demo.TypeV2Artist,
tenancy: &pbresource.Tenancy{
Partition: "",
Namespace: "*",
PeerName: "local",
},
},
"partitioned type with empty partition": {
typ: demo.TypeV1RecordLabel,
tenancy: &pbresource.Tenancy{
Partition: "",
Namespace: "",
PeerName: "local",
},
},
"partitioned type with uppercase partition": {
typ: demo.TypeV1RecordLabel,
tenancy: &pbresource.Tenancy{
Partition: "DEFAULT",
Namespace: "",
PeerName: "local",
},
},
"partitioned type with wildcard partition": {
typ: demo.TypeV1RecordLabel,
tenancy: &pbresource.Tenancy{
Partition: "*",
PeerName: "local",
},
},
}
for desc, tc := range testCases {
t.Run(desc, func(t *testing.T) {
server := testServer(t)
demo.RegisterTypes(server.Registry)
client := testClient(t, server)
// Write partition scoped record label
recordLabel, err := demo.GenerateV1RecordLabel("LooneyTunes")
require.NoError(t, err)
recordLabelRsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: recordLabel})
require.NoError(t, err)
// Write namespace scoped artist
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
artistRsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: artist})
require.NoError(t, err)
// List and verify correct resource returned for empty tenancy units.
listRsp, err := client.List(ctx, &pbresource.ListRequest{
Type: tc.typ,
Tenancy: tc.tenancy,
})
require.NoError(t, err)
require.Len(t, listRsp.Resources, 1)
if tc.typ == demo.TypeV1RecordLabel {
prototest.AssertDeepEqual(t, recordLabelRsp.Resource, listRsp.Resources[0])
} else {
prototest.AssertDeepEqual(t, artistRsp.Resource, listRsp.Resources[0])
}
})
}
}
func TestList_GroupVersionMismatch(t *testing.T) {
for desc, tc := range listTestCases() {
t.Run(desc, func(t *testing.T) {
server := testServer(t)
2023-04-25 12:52:35 +01:00
demo.RegisterTypes(server.Registry)
client := testClient(t, server)
2023-04-06 10:40:04 +01:00
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
_, err = server.Backend.WriteCAS(tc.ctx, artist)
require.NoError(t, err)
rsp, err := client.List(tc.ctx, &pbresource.ListRequest{
2023-04-06 10:40:04 +01:00
Type: demo.TypeV1Artist,
Tenancy: artist.Id.Tenancy,
NamePrefix: "",
})
require.NoError(t, err)
require.Empty(t, rsp.Resources)
})
}
}
func TestList_VerifyReadConsistencyArg(t *testing.T) {
// Uses a mockBackend instead of the inmem Backend to verify the ReadConsistency argument is set correctly.
for desc, tc := range listTestCases() {
t.Run(desc, func(t *testing.T) {
mockBackend := NewMockBackend(t)
server := testServer(t)
server.Backend = mockBackend
2023-04-25 12:52:35 +01:00
demo.RegisterTypes(server.Registry)
2023-04-06 10:40:04 +01:00
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
mockBackend.On("List", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
2023-04-06 10:40:04 +01:00
Return([]*pbresource.Resource{artist}, nil)
client := testClient(t, server)
2023-04-06 10:40:04 +01:00
rsp, err := client.List(tc.ctx, &pbresource.ListRequest{Type: artist.Id.Type, Tenancy: artist.Id.Tenancy, NamePrefix: ""})
require.NoError(t, err)
2023-04-06 10:40:04 +01:00
prototest.AssertDeepEqual(t, artist, rsp.Resources[0])
mockBackend.AssertCalled(t, "List", mock.Anything, tc.consistency, mock.Anything, mock.Anything, mock.Anything)
})
}
}
2023-04-25 12:52:35 +01:00
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
func TestList_ACL_ListDenied(t *testing.T) {
t.Parallel()
// deny all
_, _, err := roundTripList(t, testutils.ACLNoPermissions(t))
// verify key:list denied
require.Error(t, err)
require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
require.Contains(t, err.Error(), "lacks permission 'key:list'")
}
2023-04-25 12:52:35 +01:00
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
func TestList_ACL_ListAllowed_ReadDenied(t *testing.T) {
t.Parallel()
// allow list, deny read
authz := AuthorizerFrom(t, demo.ArtistV2ListPolicy,
`key_prefix "resource/demo.v2.Artist/" { policy = "deny" }`)
_, rsp, err := roundTripList(t, authz)
// verify resource filtered out by key:read denied hence no results
require.NoError(t, err)
require.Empty(t, rsp.Resources)
}
2023-04-25 12:52:35 +01:00
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
func TestList_ACL_ListAllowed_ReadAllowed(t *testing.T) {
t.Parallel()
// allow list, allow read
authz := AuthorizerFrom(t, demo.ArtistV2ListPolicy, demo.ArtistV2ReadPolicy)
artist, rsp, err := roundTripList(t, authz)
// verify resource not filtered out by acl
require.NoError(t, err)
require.Len(t, rsp.Resources, 1)
prototest.AssertDeepEqual(t, artist, rsp.Resources[0])
}
// roundtrip a List which attempts to return a single resource
func roundTripList(t *testing.T, authz acl.Authorizer) (*pbresource.Resource, *pbresource.ListResponse, error) {
server := testServer(t)
client := testClient(t, server)
ctx := testContext(t)
mockACLResolver := &MockACLResolver{}
mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
Return(authz, nil)
server.ACLResolver = mockACLResolver
2023-04-25 12:52:35 +01:00
demo.RegisterTypes(server.Registry)
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
artist, err = server.Backend.WriteCAS(ctx, artist)
require.NoError(t, err)
rsp, err := client.List(
ctx,
&pbresource.ListRequest{
Type: artist.Id.Type,
Tenancy: artist.Id.Tenancy,
NamePrefix: "",
},
)
return artist, rsp, err
}
type listTestCase struct {
consistency storage.ReadConsistency
ctx context.Context
}
func listTestCases() map[string]listTestCase {
return map[string]listTestCase{
"eventually consistent read": {
consistency: storage.EventualConsistency,
ctx: context.Background(),
},
"strongly consistent read": {
consistency: storage.StrongConsistency,
ctx: metadata.NewOutgoingContext(
context.Background(),
metadata.New(map[string]string{"x-consul-consistency-mode": "consistent"}),
),
},
}
}