consul/api/connect_intention_test.go

package api

import (
	"testing"

	"github.com/stretchr/testify/require"
)

func TestAPI_ConnectIntentionCreateListGetUpdateDelete(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	c, s := makeClient(t)
	defer s.Stop()

	connect := c.Connect()

	// Create
	ixn := testIntention()
	id, _, err := connect.IntentionCreate(ixn, nil)
	require.Nil(err)
	require.NotEmpty(id)

	// List it
	list, _, err := connect.Intentions(nil)
	require.Nil(err)
	require.Len(list, 1)

	actual := list[0]
	ixn.ID = id
	ixn.CreatedAt = actual.CreatedAt
	ixn.UpdatedAt = actual.UpdatedAt
	ixn.CreateIndex = actual.CreateIndex
	ixn.ModifyIndex = actual.ModifyIndex
	ixn.Hash = actual.Hash
	require.Equal(ixn, actual)

	// Get it
	actual, _, err = connect.IntentionGet(id, nil)
	require.Nil(err)
	require.Equal(ixn, actual)

	// Update it
	ixn.SourceNS = ixn.SourceNS + "-different"
	_, err = connect.IntentionUpdate(ixn, nil)
	require.NoError(err)

	// Get it
	actual, _, err = connect.IntentionGet(id, nil)
	require.NoError(err)
	ixn.UpdatedAt = actual.UpdatedAt
	ixn.ModifyIndex = actual.ModifyIndex
	ixn.Hash = actual.Hash
	require.Equal(ixn, actual)

	// Delete it
	_, err = connect.IntentionDelete(id, nil)
	require.Nil(err)

	// Get it (should be gone)
	actual, _, err = connect.IntentionGet(id, nil)
	require.Nil(err)
	require.Nil(actual)
}

func TestAPI_ConnectIntentionGet_invalidId(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	c, s := makeClient(t)
	defer s.Stop()

	connect := c.Connect()

	// Get it
	actual, _, err := connect.IntentionGet("hello", nil)
	require.Nil(actual)
	require.Error(err)
	require.Contains(err.Error(), "UUID") // verify it contains the message
}

func TestAPI_ConnectIntentionMatch(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	c, s := makeClient(t)
	defer s.Stop()

	connect := c.Connect()

	// Create
	{
		insert := [][]string{
			{"foo", "*"},
			{"foo", "bar"},
			{"foo", "baz"}, // shouldn't match
			{"bar", "bar"}, // shouldn't match
			{"bar", "*"},   // shouldn't match
			{"*", "*"},
		}

		for _, v := range insert {
			ixn := testIntention()
			ixn.DestinationNS = v[0]
			ixn.DestinationName = v[1]
			id, _, err := connect.IntentionCreate(ixn, nil)
			require.Nil(err)
			require.NotEmpty(id)
		}
	}

	// Match it
	result, _, err := connect.IntentionMatch(&IntentionMatch{
		By:    IntentionMatchDestination,
		Names: []string{"foo/bar"},
	}, nil)
	require.Nil(err)
	require.Len(result, 1)

	var actual [][]string
	expected := [][]string{{"foo", "bar"}, {"foo", "*"}, {"*", "*"}}
	for _, ixn := range result["foo/bar"] {
		actual = append(actual, []string{ixn.DestinationNS, ixn.DestinationName})
	}

	require.Equal(expected, actual)
}

func TestAPI_ConnectIntentionCheck(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	c, s := makeClient(t)
	defer s.Stop()

	connect := c.Connect()

	// Create
	{
		insert := [][]string{
			{"foo", "*", "foo", "bar"},
		}

		for _, v := range insert {
			ixn := testIntention()
			ixn.SourceNS = v[0]
			ixn.SourceName = v[1]
			ixn.DestinationNS = v[2]
			ixn.DestinationName = v[3]
			ixn.Action = IntentionActionDeny
			id, _, err := connect.IntentionCreate(ixn, nil)
			require.Nil(err)
			require.NotEmpty(id)
		}
	}

	// Match it
	{
		result, _, err := connect.IntentionCheck(&IntentionCheck{
			Source:      "foo/qux",
			Destination: "foo/bar",
		}, nil)
		require.Nil(err)
		require.False(result)
	}

	// Match it (non-matching)
	{
		result, _, err := connect.IntentionCheck(&IntentionCheck{
			Source:      "bar/qux",
			Destination: "foo/bar",
		}, nil)
		require.Nil(err)
		require.True(result)
	}
}

func testIntention() *Intention {
	return &Intention{
		SourceNS:        "eng",
		SourceName:      "api",
		DestinationNS:   "eng",
		DestinationName: "db",
		Precedence:      9,
		Action:          IntentionActionAllow,
		SourceType:      IntentionSourceConsul,
		Meta:            map[string]string{},
	}
}