mirror of https://github.com/status-im/consul.git
resource: Allow nil tenancy (#18618)
This commit is contained in:
parent
f8d77f027a
commit
7b9e243297
|
@ -16,7 +16,6 @@ import (
|
||||||
"github.com/hashicorp/consul/acl/resolver"
|
"github.com/hashicorp/consul/acl/resolver"
|
||||||
"github.com/hashicorp/consul/internal/resource"
|
"github.com/hashicorp/consul/internal/resource"
|
||||||
"github.com/hashicorp/consul/internal/resource/demo"
|
"github.com/hashicorp/consul/internal/resource/demo"
|
||||||
"github.com/hashicorp/consul/internal/storage"
|
|
||||||
"github.com/hashicorp/consul/proto-public/pbresource"
|
"github.com/hashicorp/consul/proto-public/pbresource"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -34,10 +33,6 @@ func TestDelete_InputValidation(t *testing.T) {
|
||||||
artistId.Type = nil
|
artistId.Type = nil
|
||||||
return artistId
|
return artistId
|
||||||
},
|
},
|
||||||
"no tenancy": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
|
||||||
artistId.Tenancy = nil
|
|
||||||
return artistId
|
|
||||||
},
|
|
||||||
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
||||||
artistId.Name = ""
|
artistId.Name = ""
|
||||||
return artistId
|
return artistId
|
||||||
|
@ -102,21 +97,23 @@ func TestDelete_ACLs(t *testing.T) {
|
||||||
t.Run(desc, func(t *testing.T) {
|
t.Run(desc, func(t *testing.T) {
|
||||||
server := testServer(t)
|
server := testServer(t)
|
||||||
client := testClient(t, server)
|
client := testClient(t, server)
|
||||||
|
|
||||||
mockACLResolver := &MockACLResolver{}
|
|
||||||
mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
|
||||||
Return(tc.authz, nil)
|
|
||||||
server.ACLResolver = mockACLResolver
|
|
||||||
demo.RegisterTypes(server.Registry)
|
demo.RegisterTypes(server.Registry)
|
||||||
|
|
||||||
artist, err := demo.GenerateV2Artist()
|
artist, err := demo.GenerateV2Artist()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
artist, err = server.Backend.WriteCAS(context.Background(), artist)
|
// Write test resource to delete.
|
||||||
|
rsp, err := client.Write(context.Background(), &pbresource.WriteRequest{Resource: artist})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// exercise ACL
|
// Mock is put in place after the above "write" since the "write" must also pass the ACL check.
|
||||||
_, err = client.Delete(testContext(t), &pbresource.DeleteRequest{Id: artist.Id})
|
mockACLResolver := &MockACLResolver{}
|
||||||
|
mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
||||||
|
Return(tc.authz, nil)
|
||||||
|
server.ACLResolver = mockACLResolver
|
||||||
|
|
||||||
|
// Exercise ACL.
|
||||||
|
_, err = client.Delete(testContext(t), &pbresource.DeleteRequest{Id: rsp.Resource.Id})
|
||||||
tc.assertErrFn(err)
|
tc.assertErrFn(err)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -134,15 +131,20 @@ func TestDelete_Success(t *testing.T) {
|
||||||
|
|
||||||
recordLabel, err := demo.GenerateV1RecordLabel("LoonyTunes")
|
recordLabel, err := demo.GenerateV1RecordLabel("LoonyTunes")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
recordLabel, err = server.Backend.WriteCAS(ctx, recordLabel)
|
writeRsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: recordLabel})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
recordLabel = writeRsp.Resource
|
||||||
|
originalRecordLabelId := clone(recordLabel.Id)
|
||||||
|
|
||||||
artist, err := demo.GenerateV2Artist()
|
artist, err := demo.GenerateV2Artist()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
artist, err = server.Backend.WriteCAS(ctx, artist)
|
writeRsp, err = client.Write(ctx, &pbresource.WriteRequest{Resource: artist})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
artist = writeRsp.Resource
|
||||||
|
originalArtistId := clone(artist.Id)
|
||||||
|
|
||||||
// Pick the resource to be deleted based on type's scope
|
// Pick the resource to be deleted based on type's scope and mod tenancy
|
||||||
|
// based on the tenancy test case.
|
||||||
deleteId := modFn(artist.Id, recordLabel.Id)
|
deleteId := modFn(artist.Id, recordLabel.Id)
|
||||||
deleteReq := tc.deleteReqFn(recordLabel)
|
deleteReq := tc.deleteReqFn(recordLabel)
|
||||||
if proto.Equal(deleteId.Type, demo.TypeV2Artist) {
|
if proto.Equal(deleteId.Type, demo.TypeV2Artist) {
|
||||||
|
@ -154,19 +156,25 @@ func TestDelete_Success(t *testing.T) {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// Verify deleted
|
// Verify deleted
|
||||||
_, err = server.Backend.Read(ctx, storage.StrongConsistency, deleteId)
|
_, err = client.Read(ctx, &pbresource.ReadRequest{Id: deleteId})
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.ErrorIs(t, err, storage.ErrNotFound)
|
require.Equal(t, codes.NotFound.String(), status.Code(err).String())
|
||||||
|
|
||||||
|
// Derive tombstone name from resource that was deleted.
|
||||||
|
tname := tombstoneName(originalRecordLabelId)
|
||||||
|
if proto.Equal(deleteId.Type, demo.TypeV2Artist) {
|
||||||
|
tname = tombstoneName(originalArtistId)
|
||||||
|
}
|
||||||
|
|
||||||
// Verify tombstone created
|
// Verify tombstone created
|
||||||
_, err = client.Read(ctx, &pbresource.ReadRequest{
|
_, err = client.Read(ctx, &pbresource.ReadRequest{
|
||||||
Id: &pbresource.ID{
|
Id: &pbresource.ID{
|
||||||
Name: tombstoneName(deleteReq.Id),
|
Name: tname,
|
||||||
Type: resource.TypeV1Tombstone,
|
Type: resource.TypeV1Tombstone,
|
||||||
Tenancy: deleteReq.Id.Tenancy,
|
Tenancy: deleteReq.Id.Tenancy,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
require.NoError(t, err, "expected tombstome to be found")
|
require.NoError(t, err, "expected tombstone to be found")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
@ -34,10 +34,6 @@ func TestListByOwner_InputValidation(t *testing.T) {
|
||||||
artistId.Type = nil
|
artistId.Type = nil
|
||||||
return artistId
|
return artistId
|
||||||
},
|
},
|
||||||
"no tenancy": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
|
||||||
artistId.Tenancy = nil
|
|
||||||
return artistId
|
|
||||||
},
|
|
||||||
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
||||||
artistId.Name = ""
|
artistId.Name = ""
|
||||||
return artistId
|
return artistId
|
||||||
|
|
|
@ -33,10 +33,6 @@ func TestRead_InputValidation(t *testing.T) {
|
||||||
artistId.Type = nil
|
artistId.Type = nil
|
||||||
return artistId
|
return artistId
|
||||||
},
|
},
|
||||||
"no tenancy": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
|
||||||
artistId.Tenancy = nil
|
|
||||||
return artistId
|
|
||||||
},
|
|
||||||
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
"no name": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
||||||
artistId.Name = ""
|
artistId.Name = ""
|
||||||
return artistId
|
return artistId
|
||||||
|
|
|
@ -133,8 +133,6 @@ func validateId(id *pbresource.ID, errorPrefix string) error {
|
||||||
switch {
|
switch {
|
||||||
case id.Type == nil:
|
case id.Type == nil:
|
||||||
field = "type"
|
field = "type"
|
||||||
case id.Tenancy == nil:
|
|
||||||
field = "tenancy"
|
|
||||||
case id.Name == "":
|
case id.Name == "":
|
||||||
field = "name"
|
field = "name"
|
||||||
}
|
}
|
||||||
|
@ -142,6 +140,18 @@ func validateId(id *pbresource.ID, errorPrefix string) error {
|
||||||
if field != "" {
|
if field != "" {
|
||||||
return status.Errorf(codes.InvalidArgument, "%s.%s is required", errorPrefix, field)
|
return status.Errorf(codes.InvalidArgument, "%s.%s is required", errorPrefix, field)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Better UX: Allow callers to pass in nil tenancy. Defaulting and inheritance of tenancy
|
||||||
|
// from the request token will take place further down in the call flow.
|
||||||
|
if id.Tenancy == nil {
|
||||||
|
id.Tenancy = &pbresource.Tenancy{
|
||||||
|
Partition: "",
|
||||||
|
Namespace: "",
|
||||||
|
// TODO(spatel): Remove when peerTenancy introduced.
|
||||||
|
PeerName: "local",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource.Normalize(id.Tenancy)
|
resource.Normalize(id.Tenancy)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|
|
@ -246,6 +246,11 @@ func tenancyCases() map[string]func(artistId, recordlabelId *pbresource.ID) *pbr
|
||||||
id.Tenancy.Namespace = ""
|
id.Tenancy.Namespace = ""
|
||||||
return id
|
return id
|
||||||
},
|
},
|
||||||
|
"namespaced resource inherits tokens partition and namespace when tenacy nil": func(artistId, _ *pbresource.ID) *pbresource.ID {
|
||||||
|
id := clone(artistId)
|
||||||
|
id.Tenancy = nil
|
||||||
|
return id
|
||||||
|
},
|
||||||
"partitioned resource provides nonempty partition": func(_, recordLabelId *pbresource.ID) *pbresource.ID {
|
"partitioned resource provides nonempty partition": func(_, recordLabelId *pbresource.ID) *pbresource.ID {
|
||||||
return recordLabelId
|
return recordLabelId
|
||||||
},
|
},
|
||||||
|
@ -259,6 +264,11 @@ func tenancyCases() map[string]func(artistId, recordlabelId *pbresource.ID) *pbr
|
||||||
id.Tenancy.Partition = ""
|
id.Tenancy.Partition = ""
|
||||||
return id
|
return id
|
||||||
},
|
},
|
||||||
|
"partitioned resource inherits tokens partition when tenancy nil": func(_, recordLabelId *pbresource.ID) *pbresource.ID {
|
||||||
|
id := clone(recordLabelId)
|
||||||
|
id.Tenancy = nil
|
||||||
|
return id
|
||||||
|
},
|
||||||
}
|
}
|
||||||
return tenancyCases
|
return tenancyCases
|
||||||
}
|
}
|
||||||
|
|
|
@ -120,8 +120,6 @@ func (s *Server) validateWriteStatusRequest(req *pbresource.WriteStatusRequest)
|
||||||
field = "id"
|
field = "id"
|
||||||
case req.Id.Type == nil:
|
case req.Id.Type == nil:
|
||||||
field = "id.type"
|
field = "id.type"
|
||||||
case req.Id.Tenancy == nil:
|
|
||||||
field = "id.tenancy"
|
|
||||||
case req.Id.Name == "":
|
case req.Id.Name == "":
|
||||||
field = "id.name"
|
field = "id.name"
|
||||||
case req.Id.Uid == "":
|
case req.Id.Uid == "":
|
||||||
|
@ -169,6 +167,17 @@ func (s *Server) validateWriteStatusRequest(req *pbresource.WriteStatusRequest)
|
||||||
return nil, status.Error(codes.InvalidArgument, "status.observed_generation is not valid")
|
return nil, status.Error(codes.InvalidArgument, "status.observed_generation is not valid")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Better UX: Allow callers to pass in nil tenancy. Defaulting and inheritance of tenancy
|
||||||
|
// from the request token will take place further down in the call flow.
|
||||||
|
if req.Id.Tenancy == nil {
|
||||||
|
req.Id.Tenancy = &pbresource.Tenancy{
|
||||||
|
Partition: "",
|
||||||
|
Namespace: "",
|
||||||
|
// TODO(spatel): Remove when peerTenancy introduced.
|
||||||
|
PeerName: "local",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Lowercase
|
// Lowercase
|
||||||
resource.Normalize(req.Id.Tenancy)
|
resource.Normalize(req.Id.Tenancy)
|
||||||
|
|
||||||
|
|
|
@ -85,10 +85,6 @@ func TestWriteStatus_InputValidation(t *testing.T) {
|
||||||
typ: demo.TypeV2Artist,
|
typ: demo.TypeV2Artist,
|
||||||
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Type = nil },
|
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Type = nil },
|
||||||
},
|
},
|
||||||
"no tenancy": {
|
|
||||||
typ: demo.TypeV2Artist,
|
|
||||||
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy = nil },
|
|
||||||
},
|
|
||||||
"no name": {
|
"no name": {
|
||||||
typ: demo.TypeV2Artist,
|
typ: demo.TypeV2Artist,
|
||||||
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Name = "" },
|
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Name = "" },
|
||||||
|
@ -236,6 +232,10 @@ func TestWriteStatus_Tenancy_Defaults(t *testing.T) {
|
||||||
req.Id.Tenancy.Namespace = ""
|
req.Id.Tenancy.Namespace = ""
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"namespaced resource inherits tokens partition and namespace when tenancy nil": {
|
||||||
|
scope: resource.ScopeNamespace,
|
||||||
|
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy = nil },
|
||||||
|
},
|
||||||
"partitioned resource provides nonempty partition": {
|
"partitioned resource provides nonempty partition": {
|
||||||
scope: resource.ScopePartition,
|
scope: resource.ScopePartition,
|
||||||
modFn: func(req *pbresource.WriteStatusRequest) {},
|
modFn: func(req *pbresource.WriteStatusRequest) {},
|
||||||
|
|
|
@ -42,10 +42,6 @@ func TestWrite_InputValidation(t *testing.T) {
|
||||||
artist.Id.Type = nil
|
artist.Id.Type = nil
|
||||||
return artist
|
return artist
|
||||||
},
|
},
|
||||||
"no tenancy": func(artist, _ *pbresource.Resource) *pbresource.Resource {
|
|
||||||
artist.Id.Tenancy = nil
|
|
||||||
return artist
|
|
||||||
},
|
|
||||||
"no name": func(artist, _ *pbresource.Resource) *pbresource.Resource {
|
"no name": func(artist, _ *pbresource.Resource) *pbresource.Resource {
|
||||||
artist.Id.Name = ""
|
artist.Id.Name = ""
|
||||||
return artist
|
return artist
|
||||||
|
@ -106,7 +102,7 @@ func TestWrite_OwnerValidation(t *testing.T) {
|
||||||
},
|
},
|
||||||
"no owner tenancy": {
|
"no owner tenancy": {
|
||||||
modReqFn: func(req *pbresource.WriteRequest) { req.Resource.Owner.Tenancy = nil },
|
modReqFn: func(req *pbresource.WriteRequest) { req.Resource.Owner.Tenancy = nil },
|
||||||
errorContains: "resource.owner.tenancy",
|
errorContains: "resource.owner",
|
||||||
},
|
},
|
||||||
"no owner name": {
|
"no owner name": {
|
||||||
modReqFn: func(req *pbresource.WriteRequest) { req.Resource.Owner.Name = "" },
|
modReqFn: func(req *pbresource.WriteRequest) { req.Resource.Owner.Name = "" },
|
||||||
|
@ -253,6 +249,13 @@ func TestWrite_Create_Success(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectedTenancy: resource.DefaultNamespacedTenancy(),
|
expectedTenancy: resource.DefaultNamespacedTenancy(),
|
||||||
},
|
},
|
||||||
|
"namespaced resource inherits tokens partition and namespace when tenancy nil": {
|
||||||
|
modFn: func(artist, _ *pbresource.Resource) *pbresource.Resource {
|
||||||
|
artist.Id.Tenancy = nil
|
||||||
|
return artist
|
||||||
|
},
|
||||||
|
expectedTenancy: resource.DefaultNamespacedTenancy(),
|
||||||
|
},
|
||||||
"partitioned resource provides nonempty partition": {
|
"partitioned resource provides nonempty partition": {
|
||||||
modFn: func(_, recordLabel *pbresource.Resource) *pbresource.Resource {
|
modFn: func(_, recordLabel *pbresource.Resource) *pbresource.Resource {
|
||||||
return recordLabel
|
return recordLabel
|
||||||
|
@ -273,6 +276,13 @@ func TestWrite_Create_Success(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectedTenancy: resource.DefaultPartitionedTenancy(),
|
expectedTenancy: resource.DefaultPartitionedTenancy(),
|
||||||
},
|
},
|
||||||
|
"partitioned resource inherits tokens partition when tenancy nil": {
|
||||||
|
modFn: func(_, recordLabel *pbresource.Resource) *pbresource.Resource {
|
||||||
|
recordLabel.Id.Tenancy = nil
|
||||||
|
return recordLabel
|
||||||
|
},
|
||||||
|
expectedTenancy: resource.DefaultPartitionedTenancy(),
|
||||||
|
},
|
||||||
// TODO(spatel): Add cluster scope tests when we have an actual cluster scoped resource (e.g. partition)
|
// TODO(spatel): Add cluster scope tests when we have an actual cluster scoped resource (e.g. partition)
|
||||||
}
|
}
|
||||||
for desc, tc := range testCases {
|
for desc, tc := range testCases {
|
||||||
|
|
Loading…
Reference in New Issue