mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 21:35:52 +00:00
cda884ac81
implement http read endpoint to expose resource grpc service read method
433 lines
14 KiB
Go
433 lines
14 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package http
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
resourceSvc "github.com/hashicorp/consul/agent/grpc-external/services/resource"
|
|
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
|
|
pbdemov1 "github.com/hashicorp/consul/proto/private/pbdemo/v1"
|
|
|
|
"github.com/hashicorp/consul/internal/resource"
|
|
"github.com/hashicorp/consul/internal/resource/demo"
|
|
"github.com/hashicorp/consul/proto-public/pbresource"
|
|
pbdemov2 "github.com/hashicorp/consul/proto/private/pbdemo/v2"
|
|
"github.com/hashicorp/consul/sdk/testutil"
|
|
)
|
|
|
|
const testACLTokenArtistReadPolicy = "00000000-0000-0000-0000-000000000001"
|
|
const testACLTokenArtistWritePolicy = "00000000-0000-0000-0000-000000000002"
|
|
const fakeToken = "fake-token"
|
|
|
|
func parseToken(req *http.Request, token *string) {
|
|
*token = req.Header.Get("x-consul-token")
|
|
}
|
|
|
|
func TestResourceHandler_InputValidation(t *testing.T) {
|
|
type testCase struct {
|
|
description string
|
|
request *http.Request
|
|
response *httptest.ResponseRecorder
|
|
expectedResponseCode int
|
|
}
|
|
client := svctest.RunResourceService(t, demo.RegisterTypes)
|
|
resourceHandler := resourceHandler{
|
|
resource.Registration{
|
|
Type: demo.TypeV2Artist,
|
|
Proto: &pbdemov2.Artist{},
|
|
},
|
|
client,
|
|
func(req *http.Request, token *string) { return },
|
|
hclog.NewNullLogger(),
|
|
}
|
|
|
|
testCases := []testCase{
|
|
{
|
|
description: "missing resource name",
|
|
request: httptest.NewRequest("PUT", "/?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`)),
|
|
response: httptest.NewRecorder(),
|
|
expectedResponseCode: http.StatusBadRequest,
|
|
},
|
|
{
|
|
description: "wrong schema",
|
|
request: httptest.NewRequest("PUT", "/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"dada": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`)),
|
|
response: httptest.NewRecorder(),
|
|
expectedResponseCode: http.StatusBadRequest,
|
|
},
|
|
{
|
|
description: "no id",
|
|
request: httptest.NewRequest("DELETE", "/?partition=default&peer_name=local&namespace=default", strings.NewReader("")),
|
|
response: httptest.NewRecorder(),
|
|
expectedResponseCode: http.StatusBadRequest,
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.description, func(t *testing.T) {
|
|
resourceHandler.ServeHTTP(tc.response, tc.request)
|
|
|
|
require.Equal(t, tc.expectedResponseCode, tc.response.Result().StatusCode)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestResourceWriteHandler(t *testing.T) {
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1ReadPolicy, demo.ArtistV2ReadPolicy), nil)
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1WritePolicy, demo.ArtistV2WritePolicy), nil)
|
|
|
|
client := svctest.RunResourceServiceWithACL(t, aclResolver, demo.RegisterTypes)
|
|
|
|
r := resource.NewRegistry()
|
|
demo.RegisterTypes(r)
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
|
|
|
t.Run("should be blocked if the token is not authorized", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusForbidden, rsp.Result().StatusCode)
|
|
})
|
|
|
|
t.Run("should write to the resource backend", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
require.Equal(t, "Keith Urban", result["data"].(map[string]any)["name"])
|
|
require.Equal(t, "keith-urban", result["id"].(map[string]any)["name"])
|
|
|
|
readRsp, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
Id: &pbresource.ID{
|
|
Type: demo.TypeV2Artist,
|
|
Tenancy: demo.TenancyDefault,
|
|
Name: "keith-urban",
|
|
},
|
|
})
|
|
require.NoError(t, err)
|
|
require.NotNil(t, readRsp.Resource)
|
|
|
|
var artist pbdemov2.Artist
|
|
require.NoError(t, readRsp.Resource.Data.UnmarshalTo(&artist))
|
|
require.Equal(t, "Keith Urban", artist.Name)
|
|
})
|
|
|
|
t.Run("should update the record with version parameter", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=1", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban Two",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
require.Equal(t, "Keith Urban Two", result["data"].(map[string]any)["name"])
|
|
require.Equal(t, "keith-urban", result["id"].(map[string]any)["name"])
|
|
})
|
|
|
|
t.Run("should fail the update if the resource's version doesn't match the version of the existing resource", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=1", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusConflict, rsp.Result().StatusCode)
|
|
})
|
|
|
|
t.Run("should write to the resource backend with owner", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v1/artist/keith-urban-v1?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban V1",
|
|
"genre": "GENRE_COUNTRY"
|
|
},
|
|
"owner": {
|
|
"name": "keith-urban",
|
|
"type": {
|
|
"group": "demo",
|
|
"group_version": "v2",
|
|
"kind": "Artist"
|
|
},
|
|
"tenancy": {
|
|
"partition": "default",
|
|
"peer_name": "local",
|
|
"namespace": "default"
|
|
}
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
require.Equal(t, "Keith Urban V1", result["data"].(map[string]any)["name"])
|
|
require.Equal(t, "keith-urban-v1", result["id"].(map[string]any)["name"])
|
|
|
|
readRsp, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
Id: &pbresource.ID{
|
|
Type: demo.TypeV1Artist,
|
|
Tenancy: demo.TenancyDefault,
|
|
Name: "keith-urban-v1",
|
|
},
|
|
})
|
|
require.NoError(t, err)
|
|
require.NotNil(t, readRsp.Resource)
|
|
require.Equal(t, "keith-urban", readRsp.Resource.Owner.Name)
|
|
|
|
var artist pbdemov1.Artist
|
|
require.NoError(t, readRsp.Resource.Data.UnmarshalTo(&artist))
|
|
require.Equal(t, "Keith Urban V1", artist.Name)
|
|
})
|
|
}
|
|
|
|
func createResource(t *testing.T, artistHandler http.Handler) map[string]any {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("PUT", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(`
|
|
{
|
|
"metadata": {
|
|
"foo": "bar"
|
|
},
|
|
"data": {
|
|
"name": "Keith Urban",
|
|
"genre": "GENRE_COUNTRY"
|
|
}
|
|
}
|
|
`))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
artistHandler.ServeHTTP(rsp, req)
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
return result
|
|
}
|
|
|
|
func TestResourceReadHandler(t *testing.T) {
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1ReadPolicy, demo.ArtistV2ReadPolicy), nil)
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV1WritePolicy, demo.ArtistV2WritePolicy), nil)
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", fakeToken, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, ""), nil)
|
|
|
|
client := svctest.RunResourceServiceWithACL(t, aclResolver, demo.RegisterTypes)
|
|
|
|
r := resource.NewRegistry()
|
|
demo.RegisterTypes(r)
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
|
|
|
createdResource := createResource(t, handler)
|
|
|
|
t.Run("Read resource", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusOK, rsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(rsp.Body).Decode(&result))
|
|
require.Equal(t, result, createdResource)
|
|
})
|
|
|
|
t.Run("should not be found if resource not exist", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-not-exist?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusNotFound, rsp.Result().StatusCode)
|
|
})
|
|
|
|
t.Run("should be blocked if the token is not authorized", func(t *testing.T) {
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("GET", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&consistent", nil)
|
|
|
|
req.Header.Add("x-consul-token", fakeToken)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusForbidden, rsp.Result().StatusCode)
|
|
})
|
|
}
|
|
|
|
func TestResourceDeleteHandler(t *testing.T) {
|
|
aclResolver := &resourceSvc.MockACLResolver{}
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistReadPolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2ReadPolicy), nil)
|
|
aclResolver.On("ResolveTokenAndDefaultMeta", testACLTokenArtistWritePolicy, mock.Anything, mock.Anything).
|
|
Return(svctest.AuthorizerFrom(t, demo.ArtistV2WritePolicy), nil)
|
|
|
|
client := svctest.RunResourceServiceWithACL(t, aclResolver, demo.RegisterTypes)
|
|
|
|
r := resource.NewRegistry()
|
|
demo.RegisterTypes(r)
|
|
|
|
handler := NewHandler(client, r, parseToken, hclog.NewNullLogger())
|
|
|
|
t.Run("should surface PermissionDenied error from resource service", func(t *testing.T) {
|
|
createResource(t, handler)
|
|
|
|
deleteRsp := httptest.NewRecorder()
|
|
deletReq := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
deletReq.Header.Add("x-consul-token", testACLTokenArtistReadPolicy)
|
|
|
|
handler.ServeHTTP(deleteRsp, deletReq)
|
|
|
|
require.Equal(t, http.StatusForbidden, deleteRsp.Result().StatusCode)
|
|
})
|
|
|
|
t.Run("should delete a resource without version", func(t *testing.T) {
|
|
createResource(t, handler)
|
|
|
|
deleteRsp := httptest.NewRecorder()
|
|
deletReq := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default", strings.NewReader(""))
|
|
|
|
deletReq.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(deleteRsp, deletReq)
|
|
|
|
require.Equal(t, http.StatusNoContent, deleteRsp.Result().StatusCode)
|
|
|
|
var result map[string]any
|
|
require.NoError(t, json.NewDecoder(deleteRsp.Body).Decode(&result))
|
|
require.Empty(t, result)
|
|
|
|
_, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
Id: &pbresource.ID{
|
|
Type: demo.TypeV2Artist,
|
|
Tenancy: demo.TenancyDefault,
|
|
Name: "keith-urban",
|
|
},
|
|
})
|
|
require.ErrorContains(t, err, "resource not found")
|
|
})
|
|
|
|
t.Run("should delete a resource with version", func(t *testing.T) {
|
|
createResource(t, handler)
|
|
|
|
rsp := httptest.NewRecorder()
|
|
req := httptest.NewRequest("DELETE", "/demo/v2/artist/keith-urban?partition=default&peer_name=local&namespace=default&version=1", strings.NewReader(""))
|
|
|
|
req.Header.Add("x-consul-token", testACLTokenArtistWritePolicy)
|
|
|
|
handler.ServeHTTP(rsp, req)
|
|
|
|
require.Equal(t, http.StatusNoContent, rsp.Result().StatusCode)
|
|
|
|
_, err := client.Read(testutil.TestContext(t), &pbresource.ReadRequest{
|
|
Id: &pbresource.ID{
|
|
Type: demo.TypeV2Artist,
|
|
Tenancy: demo.TenancyDefault,
|
|
Name: "keith-urban",
|
|
},
|
|
})
|
|
require.ErrorContains(t, err, "resource not found")
|
|
})
|
|
}
|