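// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package resource

import (
	"context"
	"testing"

	"github.com/stretchr/testify/mock"
	"github.com/stretchr/testify/require"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl/resolver"
	"github.com/hashicorp/consul/internal/resource/demo"
	"github.com/hashicorp/consul/internal/storage"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

// TestDelete_InputValidation checks that Delete answers InvalidArgument when
// the request id is missing, incomplete, or carries a wildcard in any tenancy
// field.
func TestDelete_InputValidation(t *testing.T) {
	server := testServer(t)
	client := testClient(t, server)

	demo.Register(server.Registry)

	// Each entry mutates an otherwise valid request into an invalid one.
	testCases := map[string]func(*pbresource.DeleteRequest){
		"no id":      func(req *pbresource.DeleteRequest) { req.Id = nil },
		"no type":    func(req *pbresource.DeleteRequest) { req.Id.Type = nil },
		"no tenancy": func(req *pbresource.DeleteRequest) { req.Id.Tenancy = nil },
		"no name":    func(req *pbresource.DeleteRequest) { req.Id.Name = "" },
		// clone necessary to not pollute DefaultTenancy
		"tenancy partition wildcard": func(req *pbresource.DeleteRequest) {
			req.Id.Tenancy = clone(req.Id.Tenancy)
			req.Id.Tenancy.Partition = storage.Wildcard
		},
		"tenancy namespace wildcard": func(req *pbresource.DeleteRequest) {
			req.Id.Tenancy = clone(req.Id.Tenancy)
			req.Id.Tenancy.Namespace = storage.Wildcard
		},
		"tenancy peername wildcard": func(req *pbresource.DeleteRequest) {
			req.Id.Tenancy = clone(req.Id.Tenancy)
			req.Id.Tenancy.PeerName = storage.Wildcard
		},
	}

	for desc, modFn := range testCases {
		t.Run(desc, func(t *testing.T) {
			res, err := demo.GenerateV2Artist()
			require.NoError(t, err)

			req := &pbresource.DeleteRequest{Id: res.Id, Version: ""}
			modFn(req)

			_, err = client.Delete(testContext(t), req)
			require.Error(t, err)
			require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
		})
	}
}

// TestDelete_TypeNotRegistered checks that deleting a resource whose type was
// never registered with the server is rejected with InvalidArgument.
func TestDelete_TypeNotRegistered(t *testing.T) {
	t.Parallel()

	// demo.Register is intentionally not called here.
	_, client, ctx := testDeps(t)
	artist, err := demo.GenerateV2Artist()
	require.NoError(t, err)

	// delete artist with unregistered type
	_, err = client.Delete(ctx, &pbresource.DeleteRequest{Id: artist.Id, Version: ""})
	require.Error(t, err)
	require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
}

// TestDelete_ACLs checks that Delete honours the authorizer returned by the
// ACL resolver: a rejected request yields PermissionDenied and leaves the
// resource in the backend, an authorized one succeeds.
func TestDelete_ACLs(t *testing.T) {
	type testCase struct {
		authz resolver.Result
		// assertErrFn receives the subtest's *testing.T so that a failing
		// require call stops the subtest it belongs to rather than calling
		// FailNow on the parent test from the subtest's goroutine.
		assertErrFn func(*testing.T, error)
		// mustSurvive asks for a backend read after the delete attempt to
		// confirm the resource is still stored. An error code alone does not
		// show that the delete was not carried out.
		mustSurvive bool
	}
	testcases := map[string]testCase{
		// The authorizer is built from the V1 artist write policy while the
		// resource under test comes from GenerateV2Artist.
		"delete denied": {
			authz: AuthorizerFrom(t, demo.ArtistV1WritePolicy),
			assertErrFn: func(t *testing.T, err error) {
				require.Error(t, err)
				require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
			},
			mustSurvive: true,
		},
		"delete allowed": {
			authz: AuthorizerFrom(t, demo.ArtistV2WritePolicy),
			assertErrFn: func(t *testing.T, err error) {
				require.NoError(t, err)
			},
		},
	}

	for desc, tc := range testcases {
		t.Run(desc, func(t *testing.T) {
			server := testServer(t)
			client := testClient(t, server)

			mockACLResolver := &MockACLResolver{}
			mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
				Return(tc.authz, nil)
			server.ACLResolver = mockACLResolver
			demo.Register(server.Registry)

			// Seed the backend directly so the write itself does not pass
			// through the mocked ACL resolver.
			artist, err := demo.GenerateV2Artist()
			require.NoError(t, err)

			artist, err = server.Backend.WriteCAS(context.Background(), artist)
			require.NoError(t, err)

			// exercise ACL
			_, err = client.Delete(testContext(t), &pbresource.DeleteRequest{Id: artist.Id})
			tc.assertErrFn(t, err)

			if tc.mustSurvive {
				// verify the rejected delete left the resource in place
				_, err = server.Backend.Read(context.Background(), storage.StrongConsistency, artist.Id)
				require.NoError(t, err)
			}
		})
	}
}

// TestDelete_Success checks, for every request shape in deleteTestCases, that
// deleting an existing resource succeeds and that the backend no longer
// returns it afterwards.
func TestDelete_Success(t *testing.T) {
	t.Parallel()

	for desc, tc := range deleteTestCases() {
		t.Run(desc, func(t *testing.T) {
			server, client, ctx := testDeps(t)
			demo.Register(server.Registry)
			artist, err := demo.GenerateV2Artist()
			require.NoError(t, err)

			rsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: artist})
			require.NoError(t, err)
			// Keep an untouched copy of the id: some deleteReqFn variants
			// clear Id.Uid on the resource they are given.
			artistID := clone(rsp.Resource.Id)
			artist = rsp.Resource

			// delete
			_, err = client.Delete(ctx, tc.deleteReqFn(artist))
			require.NoError(t, err)

			// verify deleted
			_, err = server.Backend.Read(ctx, storage.StrongConsistency, artistID)
			require.Error(t, err)
			require.ErrorIs(t, err, storage.ErrNotFound)
		})
	}
}

// TestDelete_NotFound checks, for every request shape in deleteTestCases, that
// deleting a resource that was never written returns no error.
func TestDelete_NotFound(t *testing.T) {
	t.Parallel()

	for desc, tc := range deleteTestCases() {
		t.Run(desc, func(t *testing.T) {
			server, client, ctx := testDeps(t)
			demo.Register(server.Registry)
			artist, err := demo.GenerateV2Artist()
			require.NoError(t, err)

			// verify delete of non-existent or already deleted resource is a no-op
			_, err = client.Delete(ctx, tc.deleteReqFn(artist))
			require.NoError(t, err)
		})
	}
}

// TestDelete_VersionMismatch checks that a delete carrying a version other
// than the stored one fails with Aborted and a CAS failure message.
func TestDelete_VersionMismatch(t *testing.T) {
	t.Parallel()

	server, client, ctx := testDeps(t)
	demo.Register(server.Registry)
	artist, err := demo.GenerateV2Artist()
	require.NoError(t, err)
	rsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: artist})
	require.NoError(t, err)

	// delete with a version that is different from the stored version
	_, err = client.Delete(ctx, &pbresource.DeleteRequest{Id: rsp.Resource.Id, Version: "non-existent-version"})
	require.Error(t, err)
	require.Equal(t, codes.Aborted.String(), status.Code(err).String())
	require.ErrorContains(t, err, "CAS operation failed")
}

// testDeps builds a test server and a client connected to it, and returns them
// together with a background context.
func testDeps(t *testing.T) (*Server, pbresource.ResourceServiceClient, context.Context) {
	t.Helper()

	server := testServer(t)
	client := testClient(t, server)
	return server, client, context.Background()
}

// deleteTestCase describes one way of building a DeleteRequest from a
// resource.
type deleteTestCase struct {
	deleteReqFn func(r *pbresource.Resource) *pbresource.DeleteRequest
}

// deleteTestCases returns the request shapes shared by the delete tests: every
// combination of the version and the uid being present or absent.
//
// The variants that drop the uid clear r.Id.Uid on the resource passed in, so
// a caller that still needs the original id must copy it beforehand.
func deleteTestCases() map[string]deleteTestCase {
	return map[string]deleteTestCase{
		"version and uid": {
			deleteReqFn: func(r *pbresource.Resource) *pbresource.DeleteRequest {
				return &pbresource.DeleteRequest{Id: r.Id, Version: r.Version}
			},
		},
		"version only": {
			deleteReqFn: func(r *pbresource.Resource) *pbresource.DeleteRequest {
				r.Id.Uid = ""
				return &pbresource.DeleteRequest{Id: r.Id, Version: r.Version}
			},
		},
		"uid only": {
			deleteReqFn: func(r *pbresource.Resource) *pbresource.DeleteRequest {
				return &pbresource.DeleteRequest{Id: r.Id, Version: ""}
			},
		},
		"no version or uid": {
			deleteReqFn: func(r *pbresource.Resource) *pbresource.DeleteRequest {
				r.Id.Uid = ""
				return &pbresource.DeleteRequest{Id: r.Id, Version: ""}
			},
		},
	}
}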