consul/api/config_entry_intentions_tes...

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package api

import (
	"testing"

	"github.com/stretchr/testify/require"
)

func TestAPI_ConfigEntries_ServiceIntentions(t *testing.T) {
	t.Parallel()
	c, s := makeClient(t)
	defer s.Stop()

	s.WaitForServiceIntentions(t)

	config_entries := c.ConfigEntries()

	// Allow L7 for all services.
	_, _, err := config_entries.Set(&ProxyConfigEntry{
		Kind: ProxyDefaults,
		Name: ProxyConfigGlobal,
		Config: map[string]interface{}{
			"protocol": "http",
		},
	}, nil)
	require.NoError(t, err)

	entries := []*ServiceIntentionsConfigEntry{
		{
			Kind: ServiceIntentions,
			Name: "foo",
			Sources: []*SourceIntention{
				{
					Name:   "one",
					Action: IntentionActionAllow,
				},
				{
					Name:   "two",
					Action: IntentionActionDeny,
				},
			},
		},
		{
			Kind: ServiceIntentions,
			Name: "bar",
			Sources: []*SourceIntention{
				{
					Name:   "three",
					Action: IntentionActionAllow,
				},
			},
		},
	}

	// set them
	for _, entry := range entries {
		_, wm, err := config_entries.Set(entry, nil)
		require.NoError(t, err)
		require.NotNil(t, wm)
		require.NotEqual(t, 0, wm.RequestTime)
	}

	// get one
	entry, qm, err := config_entries.Get(ServiceIntentions, "foo", nil)
	require.NoError(t, err)
	require.NotNil(t, qm)
	require.NotEqual(t, 0, qm.RequestTime)

	// verify it
	readIxn, ok := entry.(*ServiceIntentionsConfigEntry)
	require.True(t, ok)
	require.Equal(t, "service-intentions", readIxn.Kind)
	require.Equal(t, "foo", readIxn.Name)
	require.Len(t, readIxn.Sources, 2)

	// update it
	entries[0].Meta = map[string]string{"a": "b"}

	// CAS fail
	written, _, err := config_entries.CAS(entries[0], 0, nil)
	require.NoError(t, err)
	require.False(t, written)

	// CAS success
	written, wm, err := config_entries.CAS(entries[0], readIxn.ModifyIndex, nil)
	require.NoError(t, err)
	require.NotNil(t, wm)
	require.NotEqual(t, 0, wm.RequestTime)
	require.True(t, written)

	// update no cas
	entries[0].Meta = map[string]string{"x": "y"}

	_, wm, err = config_entries.Set(entries[0], nil)
	require.NoError(t, err)
	require.NotNil(t, wm)
	require.NotEqual(t, 0, wm.RequestTime)

	// list them
	gotEntries, qm, err := config_entries.List(ServiceIntentions, nil)
	require.NoError(t, err)
	require.NotNil(t, qm)
	require.NotEqual(t, 0, qm.RequestTime)
	require.Len(t, gotEntries, 2)

	for _, entry = range gotEntries {
		switch entry.GetName() {
		case "foo":
			// this also verifies that the update value was persisted and
			// the updated values are seen
			readIxn, ok = entry.(*ServiceIntentionsConfigEntry)
			require.True(t, ok)
			require.Equal(t, "service-intentions", readIxn.Kind)
			require.Equal(t, "foo", readIxn.Name)
			require.Len(t, readIxn.Sources, 2)
			require.Equal(t, map[string]string{"x": "y"}, readIxn.Meta)
		case "bar":
			readIxn, ok = entry.(*ServiceIntentionsConfigEntry)
			require.True(t, ok)
			require.Equal(t, "service-intentions", readIxn.Kind)
			require.Equal(t, "bar", readIxn.Name)
			require.Len(t, readIxn.Sources, 1)
			require.Empty(t, readIxn.Meta)
		}
	}

	// delete one
	wm, err = config_entries.Delete(ServiceIntentions, "foo", nil)
	require.NoError(t, err)
	require.NotNil(t, wm)
	require.NotEqual(t, 0, wm.RequestTime)

	// verify deletion
	_, _, err = config_entries.Get(ServiceIntentions, "foo", nil)
	require.Error(t, err)
}
Add copyright headers for acl, api and bench folders (#16706) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files * copyright headers for agent folder * fix merge conflicts * copyright headers for agent folder * Ignore test data files * fix proto files * ignore agent/uiserver folder for now * copyright headers for agent folder * Add copyright headers for acl, api and bench folders 2 years ago			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. 4 years ago			`package api`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`)`

			`func TestAPI_ConfigEntries_ServiceIntentions(t *testing.T) {`
			`t.Parallel()`
			`c, s := makeClient(t)`
			`defer s.Stop()`

			`s.WaitForServiceIntentions(t)`

			`config_entries := c.ConfigEntries()`

			`// Allow L7 for all services.`
			`_, _, err := config_entries.Set(&ProxyConfigEntry{`
			`Kind: ProxyDefaults,`
			`Name: ProxyConfigGlobal,`
			`Config: map[string]interface{}{`
			`"protocol": "http",`
			`},`
			`}, nil)`
			`require.NoError(t, err)`

			`entries := []*ServiceIntentionsConfigEntry{`
			`{`
			`Kind: ServiceIntentions,`
			`Name: "foo",`
			`Sources: []*SourceIntention{`
			`{`
			`Name: "one",`
			`Action: IntentionActionAllow,`
			`},`
			`{`
			`Name: "two",`
			`Action: IntentionActionDeny,`
			`},`
			`},`
			`},`
			`{`
			`Kind: ServiceIntentions,`
			`Name: "bar",`
			`Sources: []*SourceIntention{`
			`{`
			`Name: "three",`
			`Action: IntentionActionAllow,`
			`},`
			`},`
			`},`
			`}`

			`// set them`
			`for _, entry := range entries {`
			`_, wm, err := config_entries.Set(entry, nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, wm)`
			`require.NotEqual(t, 0, wm.RequestTime)`
			`}`

			`// get one`
			`entry, qm, err := config_entries.Get(ServiceIntentions, "foo", nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, qm)`
			`require.NotEqual(t, 0, qm.RequestTime)`

			`// verify it`
			`readIxn, ok := entry.(*ServiceIntentionsConfigEntry)`
			`require.True(t, ok)`
			`require.Equal(t, "service-intentions", readIxn.Kind)`
			`require.Equal(t, "foo", readIxn.Name)`
			`require.Len(t, readIxn.Sources, 2)`

			`// update it`
			`entries[0].Meta = map[string]string{"a": "b"}`

			`// CAS fail`
			`written, _, err := config_entries.CAS(entries[0], 0, nil)`
			`require.NoError(t, err)`
			`require.False(t, written)`

			`// CAS success`
			`written, wm, err := config_entries.CAS(entries[0], readIxn.ModifyIndex, nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, wm)`
			`require.NotEqual(t, 0, wm.RequestTime)`
			`require.True(t, written)`

			`// update no cas`
			`entries[0].Meta = map[string]string{"x": "y"}`

			`_, wm, err = config_entries.Set(entries[0], nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, wm)`
			`require.NotEqual(t, 0, wm.RequestTime)`

			`// list them`
			`gotEntries, qm, err := config_entries.List(ServiceIntentions, nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, qm)`
			`require.NotEqual(t, 0, qm.RequestTime)`
			`require.Len(t, gotEntries, 2)`

			`for _, entry = range gotEntries {`
			`switch entry.GetName() {`
			`case "foo":`
			`// this also verifies that the update value was persisted and`
			`// the updated values are seen`
			`readIxn, ok = entry.(*ServiceIntentionsConfigEntry)`
			`require.True(t, ok)`
			`require.Equal(t, "service-intentions", readIxn.Kind)`
			`require.Equal(t, "foo", readIxn.Name)`
			`require.Len(t, readIxn.Sources, 2)`
			`require.Equal(t, map[string]string{"x": "y"}, readIxn.Meta)`
			`case "bar":`
			`readIxn, ok = entry.(*ServiceIntentionsConfigEntry)`
			`require.True(t, ok)`
			`require.Equal(t, "service-intentions", readIxn.Kind)`
			`require.Equal(t, "bar", readIxn.Name)`
			`require.Len(t, readIxn.Sources, 1)`
			`require.Empty(t, readIxn.Meta)`
			`}`
			`}`

			`// delete one`
			`wm, err = config_entries.Delete(ServiceIntentions, "foo", nil)`
			`require.NoError(t, err)`
			`require.NotNil(t, wm)`
			`require.NotEqual(t, 0, wm.RequestTime)`

			`// verify deletion`
			`_, _, err = config_entries.Get(ServiceIntentions, "foo", nil)`
			`require.Error(t, err)`
			`}`