consul/agent/token/store_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package token

import (
	"testing"

	"github.com/stretchr/testify/require"
)

func TestStore_RegularTokens(t *testing.T) {
	type tokens struct {
		userSource         TokenSource
		user               string
		agent              string
		agentSource        TokenSource
		recovery           string
		recoverySource     TokenSource
		repl               string
		replSource         TokenSource
		registration       string
		registrationSource TokenSource
		dns                string
		dnsSource          TokenSource
	}

	tests := []struct {
		name      string
		set       tokens
		raw       tokens
		effective tokens
	}{
		{
			name:      "set user - config",
			set:       tokens{user: "U", userSource: TokenSourceConfig},
			raw:       tokens{user: "U", userSource: TokenSourceConfig},
			effective: tokens{user: "U", agent: "U"},
		},
		{
			name:      "set user - api",
			set:       tokens{user: "U", userSource: TokenSourceAPI},
			raw:       tokens{user: "U", userSource: TokenSourceAPI},
			effective: tokens{user: "U", agent: "U"},
		},
		{
			name:      "set agent - config",
			set:       tokens{agent: "A", agentSource: TokenSourceConfig},
			raw:       tokens{agent: "A", agentSource: TokenSourceConfig},
			effective: tokens{agent: "A"},
		},
		{
			name:      "set agent - api",
			set:       tokens{agent: "A", agentSource: TokenSourceAPI},
			raw:       tokens{agent: "A", agentSource: TokenSourceAPI},
			effective: tokens{agent: "A"},
		},
		{
			name:      "set user and agent",
			set:       tokens{agent: "A", user: "U"},
			raw:       tokens{agent: "A", user: "U"},
			effective: tokens{agent: "A", user: "U"},
		},
		{
			name:      "set repl - config",
			set:       tokens{repl: "R", replSource: TokenSourceConfig},
			raw:       tokens{repl: "R", replSource: TokenSourceConfig},
			effective: tokens{repl: "R"},
		},
		{
			name:      "set repl - api",
			set:       tokens{repl: "R", replSource: TokenSourceAPI},
			raw:       tokens{repl: "R", replSource: TokenSourceAPI},
			effective: tokens{repl: "R"},
		},
		{
			name:      "set recovery - config",
			set:       tokens{recovery: "M", recoverySource: TokenSourceConfig},
			raw:       tokens{recovery: "M", recoverySource: TokenSourceConfig},
			effective: tokens{recovery: "M"},
		},
		{
			name:      "set recovery - api",
			set:       tokens{recovery: "M", recoverySource: TokenSourceAPI},
			raw:       tokens{recovery: "M", recoverySource: TokenSourceAPI},
			effective: tokens{recovery: "M"},
		},
		{
			name:      "set registration - config",
			set:       tokens{registration: "G", registrationSource: TokenSourceConfig},
			raw:       tokens{registration: "G", registrationSource: TokenSourceConfig},
			effective: tokens{registration: "G"},
		},
		{
			name:      "set registration - api",
			set:       tokens{registration: "G", registrationSource: TokenSourceAPI},
			raw:       tokens{registration: "G", registrationSource: TokenSourceAPI},
			effective: tokens{registration: "G"},
		},
		{
			name:      "set dns - config",
			set:       tokens{dns: "D", dnsSource: TokenSourceConfig},
			raw:       tokens{dns: "D", dnsSource: TokenSourceConfig},
			effective: tokens{dns: "D"},
		},
		{
			name:      "set dns - api",
			set:       tokens{dns: "D", dnsSource: TokenSourceAPI},
			raw:       tokens{dns: "D", dnsSource: TokenSourceAPI},
			effective: tokens{dns: "D"},
		},
		{
			name:      "set all",
			set:       tokens{user: "U", agent: "A", repl: "R", recovery: "M", registration: "G", dns: "D"},
			raw:       tokens{user: "U", agent: "A", repl: "R", recovery: "M", registration: "G", dns: "D"},
			effective: tokens{user: "U", agent: "A", repl: "R", recovery: "M", registration: "G", dns: "D"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			s := new(Store)
			if tt.set.user != "" {
				require.True(t, s.UpdateUserToken(tt.set.user, tt.set.userSource))
			}

			if tt.set.agent != "" {
				require.True(t, s.UpdateAgentToken(tt.set.agent, tt.set.agentSource))
			}

			if tt.set.repl != "" {
				require.True(t, s.UpdateReplicationToken(tt.set.repl, tt.set.replSource))
			}

			if tt.set.recovery != "" {
				require.True(t, s.UpdateAgentRecoveryToken(tt.set.recovery, tt.set.recoverySource))
			}

			if tt.set.registration != "" {
				require.True(t, s.UpdateConfigFileRegistrationToken(tt.set.registration, tt.set.registrationSource))
			}

			if tt.set.dns != "" {
				require.True(t, s.UpdateDNSToken(tt.set.dns, tt.set.dnsSource))
			}

			// If they don't change then they return false.
			require.False(t, s.UpdateUserToken(tt.set.user, tt.set.userSource))
			require.False(t, s.UpdateAgentToken(tt.set.agent, tt.set.agentSource))
			require.False(t, s.UpdateReplicationToken(tt.set.repl, tt.set.replSource))
			require.False(t, s.UpdateAgentRecoveryToken(tt.set.recovery, tt.set.recoverySource))
			require.False(t, s.UpdateConfigFileRegistrationToken(tt.set.registration, tt.set.registrationSource))
			require.False(t, s.UpdateDNSToken(tt.set.dns, tt.set.dnsSource))

			require.Equal(t, tt.effective.user, s.UserToken())
			require.Equal(t, tt.effective.agent, s.AgentToken())
			require.Equal(t, tt.effective.recovery, s.AgentRecoveryToken())
			require.Equal(t, tt.effective.repl, s.ReplicationToken())
			require.Equal(t, tt.effective.registration, s.ConfigFileRegistrationToken())
			require.Equal(t, tt.effective.dns, s.DNSToken())

			tok, src := s.UserTokenAndSource()
			require.Equal(t, tt.raw.user, tok)
			require.Equal(t, tt.raw.userSource, src)

			tok, src = s.AgentTokenAndSource()
			require.Equal(t, tt.raw.agent, tok)
			require.Equal(t, tt.raw.agentSource, src)

			tok, src = s.AgentRecoveryTokenAndSource()
			require.Equal(t, tt.raw.recovery, tok)
			require.Equal(t, tt.raw.recoverySource, src)

			tok, src = s.ReplicationTokenAndSource()
			require.Equal(t, tt.raw.repl, tok)
			require.Equal(t, tt.raw.replSource, src)

			tok, src = s.ConfigFileRegistrationTokenAndSource()
			require.Equal(t, tt.raw.registration, tok)
			require.Equal(t, tt.raw.registrationSource, src)

			tok, src = s.DNSTokenAndSource()
			require.Equal(t, tt.raw.dns, tok)
			require.Equal(t, tt.raw.dnsSource, src)
		})
	}
}

func TestStore_AgentRecoveryToken(t *testing.T) {
	s := new(Store)

	verify := func(want bool, toks ...string) {
		for _, tok := range toks {
			require.Equal(t, want, s.IsAgentRecoveryToken(tok))
		}
	}

	verify(false, "", "nope")

	s.UpdateAgentRecoveryToken("recovery", TokenSourceConfig)
	verify(true, "recovery")
	verify(false, "", "nope")

	s.UpdateAgentRecoveryToken("another", TokenSourceConfig)
	verify(true, "another")
	verify(false, "", "nope", "recovery")

	s.UpdateAgentRecoveryToken("", TokenSourceConfig)
	verify(false, "", "nope", "recovery", "another")
}

func TestStore_Notify(t *testing.T) {
	s := new(Store)

	newNotification := func(t *testing.T, s *Store, kind TokenKind) Notifier {
		n := s.Notify(kind)
		require.NotNil(t, n.Ch)
		return n
	}

	requireNotNotified := func(t *testing.T, ch <-chan struct{}) {
		require.Empty(t, ch)
	}

	requireNotifiedOnce := func(t *testing.T, ch <-chan struct{}) {
		require.Len(t, ch, 1)
		// drain the channel
		<-ch
		// just to be safe
		require.Empty(t, ch)
	}

	agentNotifier := newNotification(t, s, TokenKindAgent)
	userNotifier := newNotification(t, s, TokenKindUser)
	agentRecoveryNotifier := newNotification(t, s, TokenKindAgentRecovery)
	replicationNotifier := newNotification(t, s, TokenKindReplication)
	replicationNotifier2 := newNotification(t, s, TokenKindReplication)
	registrationNotifier := newNotification(t, s, TokenKindConfigFileRegistration)
	dnsNotifier := newNotification(t, s, TokenKindDNS)

	// perform an update of the user token
	require.True(t, s.UpdateUserToken("edcae2a2-3b51-4864-b412-c7a568f49cb1", TokenSourceConfig))
	// do it again to ensure it doesn't block even though nothing has read from the 1 buffered chan yet
	require.True(t, s.UpdateUserToken("47788919-f944-476a-bda5-446d64be1df8", TokenSourceAPI))

	// ensure notifications were sent to the user notifier and all other notifiers were not notified.
	requireNotNotified(t, agentNotifier.Ch)
	requireNotifiedOnce(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	// update the agent token which should send a notification to the agent notifier.
	require.True(t, s.UpdateAgentToken("5d748ec2-d536-461f-8e2a-1f7eae98d559", TokenSourceAPI))

	requireNotifiedOnce(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	// update the agent recovery token which should send a notification to the agent recovery notifier.
	require.True(t, s.UpdateAgentRecoveryToken("789badc8-f850-43e1-8742-9b9f484957cc", TokenSourceAPI))

	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotifiedOnce(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	// update the replication token which should send a notification to the replication notifier.
	require.True(t, s.UpdateReplicationToken("789badc8-f850-43e1-8742-9b9f484957cc", TokenSourceAPI))

	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotifiedOnce(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotifiedOnce(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	s.StopNotify(replicationNotifier2)

	// update the replication token which should send a notification to the replication notifier.
	require.True(t, s.UpdateReplicationToken("eb0b56b9-fa65-4ae1-902a-c64457c62ac6", TokenSourceAPI))

	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotifiedOnce(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	// update the config file registration token which should send a notification to the replication notifier.
	require.True(t, s.UpdateConfigFileRegistrationToken("82fe7362-7d83-4f43-bb27-c35f1f15083c", TokenSourceAPI))

	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotifiedOnce(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)

	// update the dns token which should send a notification to the replication notifier.
	require.True(t, s.UpdateDNSToken("ce8e829f-dc45-4ba7-9dd3-1dbbe070f573", TokenSourceAPI))

	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, replicationNotifier2.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotifiedOnce(t, dnsNotifier.Ch)

	// request updates that are not changes
	require.False(t, s.UpdateAgentToken("5d748ec2-d536-461f-8e2a-1f7eae98d559", TokenSourceAPI))
	require.False(t, s.UpdateAgentRecoveryToken("789badc8-f850-43e1-8742-9b9f484957cc", TokenSourceAPI))
	require.False(t, s.UpdateUserToken("47788919-f944-476a-bda5-446d64be1df8", TokenSourceAPI))
	require.False(t, s.UpdateReplicationToken("eb0b56b9-fa65-4ae1-902a-c64457c62ac6", TokenSourceAPI))
	require.False(t, s.UpdateConfigFileRegistrationToken("82fe7362-7d83-4f43-bb27-c35f1f15083c", TokenSourceAPI))
	require.False(t, s.UpdateDNSToken("ce8e829f-dc45-4ba7-9dd3-1dbbe070f573", TokenSourceAPI))

	// ensure that notifications were not sent
	requireNotNotified(t, agentNotifier.Ch)
	requireNotNotified(t, userNotifier.Ch)
	requireNotNotified(t, replicationNotifier.Ch)
	requireNotNotified(t, agentRecoveryNotifier.Ch)
	requireNotNotified(t, registrationNotifier.Ch)
	requireNotNotified(t, dnsNotifier.Ch)
}