consul/agent/grpc-external/services/resource/write_status_test.go

599 lines
20 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package resource_test
import (
"fmt"
"strings"
"testing"
"github.com/oklog/ulid/v2"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/hashicorp/consul/acl/resolver"
svc "github.com/hashicorp/consul/agent/grpc-external/services/resource"
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/demo"
"github.com/hashicorp/consul/proto-public/pbresource"
)
// TODO: Update all tests to use true/false table test for v2tenancy
func TestWriteStatus_ACL(t *testing.T) {
type testCase struct {
authz resolver.Result
assertErrFn func(error)
}
testcases := map[string]testCase{
"denied": {
authz: AuthorizerFrom(t, demo.ArtistV2ReadPolicy),
assertErrFn: func(err error) {
require.Error(t, err)
require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
},
},
"allowed": {
authz: AuthorizerFrom(t, demo.ArtistV2WritePolicy, `operator = "write"`),
assertErrFn: func(err error) {
require.NoError(t, err)
},
},
}
for desc, tc := range testcases {
t.Run(desc, func(t *testing.T) {
builder := svctest.NewResourceServiceBuilder().WithRegisterFns(demo.RegisterTypes)
client := builder.Run(t)
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
rsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: artist})
require.NoError(t, err)
artist = rsp.Resource
// Defer mocking out authz since above write is necessary to set up the test resource.
mockACLResolver := &svc.MockACLResolver{}
mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
Return(tc.authz, nil)
builder.ServiceImpl().Config.ACLResolver = mockACLResolver
// exercise ACL
_, err = client.WriteStatus(testContext(t), validWriteStatusRequest(t, artist))
tc.assertErrFn(err)
})
}
}
func TestWriteStatus_InputValidation(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
testCases := map[string]struct {
typ *pbresource.Type
modFn func(req *pbresource.WriteStatusRequest)
errContains string
}{
"no id": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id = nil },
errContains: "id is required",
},
"no type": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Type = nil },
errContains: "id.type is required",
},
"no name": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Name = "" },
errContains: "id.name is required",
},
"no uid": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Uid = "" },
errContains: "id.uid is required",
},
"name mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Name = "U2" },
errContains: "id.name invalid",
},
"name too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Id.Name = strings.Repeat("a", resource.MaxNameLength+1)
},
errContains: "id.name invalid",
},
"partition mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Partition = "Default" },
errContains: "id.tenancy.partition invalid",
},
"partition too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Id.Tenancy.Partition = strings.Repeat("p", resource.MaxNameLength+1)
},
errContains: "id.tenancy.partition invalid",
},
"namespace mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Namespace = "Default" },
errContains: "id.tenancy.namespace invalid",
},
"namespace too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Id.Tenancy.Namespace = strings.Repeat("n", resource.MaxNameLength+1)
},
errContains: "id.tenancy.namespace invalid",
},
"no key": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Key = "" },
errContains: "key is required",
},
"no status": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status = nil },
errContains: "status is required",
},
"no observed generation": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.ObservedGeneration = "" },
errContains: "status.observed_generation is required",
},
"bad observed generation": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.ObservedGeneration = "bogus" },
errContains: "status.observed_generation is not valid",
},
"no condition type": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.Conditions[0].Type = "" },
errContains: "status.conditions[0].type is required",
},
"no reference type": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.Conditions[0].Resource.Type = nil },
errContains: "status.conditions[0].resource.type is required",
},
"no reference tenancy": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.Conditions[0].Resource.Tenancy = nil },
errContains: "status.conditions[0].resource.tenancy is required",
},
"no reference name": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.Conditions[0].Resource.Name = "" },
errContains: "status.conditions[0].resource.name is required",
},
"reference name mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.Conditions[0].Resource.Name = "U2" },
errContains: "status.conditions[0].resource.name invalid",
},
"reference name too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Status.Conditions[0].Resource.Name = strings.Repeat("r", resource.MaxNameLength+1)
},
errContains: "status.conditions[0].resource.name invalid",
},
"reference partition mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Status.Conditions[0].Resource.Tenancy.Partition = "Default"
},
errContains: "status.conditions[0].resource.tenancy.partition invalid",
},
"reference partition too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Status.Conditions[0].Resource.Tenancy.Partition = strings.Repeat("p", resource.MaxNameLength+1)
},
errContains: "status.conditions[0].resource.tenancy.partition invalid",
},
"reference namespace mixed case": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Status.Conditions[0].Resource.Tenancy.Namespace = "Default"
},
errContains: "status.conditions[0].resource.tenancy.namespace invalid",
},
"reference namespace too long": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Status.Conditions[0].Resource.Tenancy.Namespace = strings.Repeat("n", resource.MaxNameLength+1)
},
errContains: "status.conditions[0].resource.tenancy.namespace invalid",
},
"updated at provided": {
typ: demo.TypeV2Artist,
modFn: func(req *pbresource.WriteStatusRequest) { req.Status.UpdatedAt = timestamppb.Now() },
errContains: "status.updated_at is automatically set and cannot be provided",
},
"partition scoped type provides namespace in tenancy": {
typ: demo.TypeV1RecordLabel,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Namespace = "bad" },
errContains: "cannot have a namespace",
},
}
for desc, tc := range testCases {
t.Run(desc, func(t *testing.T) {
var res *pbresource.Resource
var err error
switch {
case resource.EqualType(demo.TypeV2Artist, tc.typ):
res, err = demo.GenerateV2Artist()
case resource.EqualType(demo.TypeV1RecordLabel, tc.typ):
res, err = demo.GenerateV1RecordLabel("looney-tunes")
default:
t.Fatal("unsupported type", tc.typ)
}
require.NoError(t, err)
res.Id.Uid = ulid.Make().String()
res.Generation = ulid.Make().String()
req := validWriteStatusRequest(t, res)
tc.modFn(req)
_, err = client.WriteStatus(testContext(t), req)
require.Error(t, err)
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
require.ErrorContains(t, err, tc.errContains)
})
}
}
func TestWriteStatus_Success(t *testing.T) {
for desc, fn := range map[string]func(*pbresource.WriteStatusRequest){
"CAS": func(*pbresource.WriteStatusRequest) {},
"Non CAS": func(req *pbresource.WriteStatusRequest) { req.Version = "" },
} {
t.Run(desc, func(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
writeRsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: res})
require.NoError(t, err)
res = writeRsp.Resource
req := validWriteStatusRequest(t, res)
fn(req)
rsp, err := client.WriteStatus(testContext(t), req)
require.NoError(t, err)
res = rsp.Resource
req = validWriteStatusRequest(t, res)
req.Key = "consul.io/other-controller"
fn(req)
rsp, err = client.WriteStatus(testContext(t), req)
require.NoError(t, err)
require.Equal(t, rsp.Resource.Generation, res.Generation, "generation should not have changed")
require.NotEqual(t, rsp.Resource.Version, res.Version, "version should have changed")
require.Contains(t, rsp.Resource.Status, "consul.io/other-controller")
require.Contains(t, rsp.Resource.Status, "consul.io/artist-controller")
require.NotNil(t, rsp.Resource.Status["consul.io/artist-controller"].UpdatedAt)
})
}
}
func TestWriteStatus_Tenancy_Defaults(t *testing.T) {
for desc, tc := range map[string]struct {
scope resource.Scope
modFn func(req *pbresource.WriteStatusRequest)
}{
"namespaced resource provides nonempty partition and namespace": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) {},
},
"namespaced resource inherits tokens partition when empty": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Partition = "" },
},
"namespaced resource inherits tokens namespace when empty": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Namespace = "" },
},
"namespaced resource inherits tokens partition and namespace when empty": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) {
req.Id.Tenancy.Partition = ""
req.Id.Tenancy.Namespace = ""
},
},
"namespaced resource inherits tokens partition and namespace when tenancy nil": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy = nil },
},
"partitioned resource provides nonempty partition": {
scope: resource.ScopePartition,
modFn: func(req *pbresource.WriteStatusRequest) {},
},
"partitioned resource inherits tokens partition when empty": {
scope: resource.ScopePartition,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Partition = "" },
},
} {
t.Run(desc, func(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
// Pick resource based on scope of type in testcase.
var res *pbresource.Resource
var err error
switch tc.scope {
case resource.ScopeNamespace:
res, err = demo.GenerateV2Artist()
case resource.ScopePartition:
res, err = demo.GenerateV1RecordLabel("looney-tunes")
}
require.NoError(t, err)
// Write resource so we can update status later.
writeRsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: res})
require.NoError(t, err)
res = writeRsp.Resource
require.Nil(t, res.Status)
// Write status with tenancy modded by testcase.
req := validWriteStatusRequest(t, res)
tc.modFn(req)
rsp, err := client.WriteStatus(testContext(t), req)
require.NoError(t, err)
res = rsp.Resource
// Re-read resource and verify status successfully written (not nil)
_, err = client.Read(testContext(t), &pbresource.ReadRequest{Id: res.Id})
require.NoError(t, err)
res = rsp.Resource
require.NotNil(t, res.Status)
})
}
}
func TestWriteStatus_Tenancy_NotFound(t *testing.T) {
for desc, tc := range map[string]struct {
scope resource.Scope
modFn func(req *pbresource.WriteStatusRequest)
errCode codes.Code
errContains string
}{
"namespaced resource provides nonexistant partition": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Partition = "bad" },
errCode: codes.InvalidArgument,
errContains: "partition",
},
"namespaced resource provides nonexistant namespace": {
scope: resource.ScopeNamespace,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Namespace = "bad" },
errCode: codes.InvalidArgument,
errContains: "namespace",
},
"partitioned resource provides nonexistant partition": {
scope: resource.ScopePartition,
modFn: func(req *pbresource.WriteStatusRequest) { req.Id.Tenancy.Partition = "bad" },
errCode: codes.InvalidArgument,
errContains: "partition",
},
} {
t.Run(desc, func(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithV2Tenancy(true).
WithRegisterFns(demo.RegisterTypes).
Run(t)
// Pick resource based on scope of type in testcase.
var res *pbresource.Resource
var err error
switch tc.scope {
case resource.ScopeNamespace:
res, err = demo.GenerateV2Artist()
case resource.ScopePartition:
res, err = demo.GenerateV1RecordLabel("looney-tunes")
}
require.NoError(t, err)
// Fill in required fields so validation continues until tenancy is checked
req := validWriteStatusRequest(t, res)
req.Id.Uid = ulid.Make().String()
req.Status.ObservedGeneration = ulid.Make().String()
// Write status with tenancy modded by testcase.
tc.modFn(req)
_, err = client.WriteStatus(testContext(t), req)
// Verify non-existant tenancy field is the cause of the error.
require.Error(t, err)
require.Equal(t, tc.errCode.String(), status.Code(err).String())
require.Contains(t, err.Error(), tc.errContains)
})
}
}
func TestWriteStatus_CASFailure(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
rsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: res})
require.NoError(t, err)
res = rsp.Resource
req := validWriteStatusRequest(t, res)
req.Version = "nope"
_, err = client.WriteStatus(testContext(t), req)
require.Error(t, err)
require.Equal(t, codes.Aborted.String(), status.Code(err).String())
}
func TestWriteStatus_TypeNotFound(t *testing.T) {
client := svctest.NewResourceServiceBuilder().Run(t)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
res.Id.Uid = ulid.Make().String()
res.Generation = ulid.Make().String()
_, err = client.WriteStatus(testContext(t), validWriteStatusRequest(t, res))
require.Error(t, err)
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
require.Contains(t, err.Error(), "resource type demo.v2.Artist not registered")
}
func TestWriteStatus_ResourceNotFound(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
res.Id.Uid = ulid.Make().String()
res.Generation = ulid.Make().String()
_, err = client.WriteStatus(testContext(t), validWriteStatusRequest(t, res))
require.Error(t, err)
require.Equal(t, codes.NotFound.String(), status.Code(err).String())
}
func TestWriteStatus_WrongUid(t *testing.T) {
client := svctest.NewResourceServiceBuilder().
WithRegisterFns(demo.RegisterTypes).
Run(t)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
rsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: res})
require.NoError(t, err)
res = rsp.Resource
req := validWriteStatusRequest(t, res)
req.Id.Uid = ulid.Make().String()
_, err = client.WriteStatus(testContext(t), req)
require.Error(t, err)
require.Equal(t, codes.NotFound.String(), status.Code(err).String())
}
func TestWriteStatus_NonCASUpdate_Retry(t *testing.T) {
server := testServer(t)
client := testClient(t, server)
demo.RegisterTypes(server.Registry)
res, err := demo.GenerateV2Artist()
require.NoError(t, err)
rsp, err := client.Write(testContext(t), &pbresource.WriteRequest{Resource: res})
require.NoError(t, err)
res = rsp.Resource
// Simulate conflicting writes by blocking the RPC after it has read the
// current version of the resource, but before it tries to make a write.
backend := &blockOnceBackend{
Backend: server.Backend,
readCh: make(chan struct{}),
blockCh: make(chan struct{}),
}
server.Backend = backend
errCh := make(chan error)
go func() {
req := validWriteStatusRequest(t, res)
req.Version = ""
_, err := client.WriteStatus(testContext(t), req)
errCh <- err
}()
// Wait for the read, to ensure the Write in the goroutine above has read the
// current version of the resource.
<-backend.readCh
// Update the resource.
_, err = client.Write(testContext(t), &pbresource.WriteRequest{Resource: modifyArtist(t, res)})
require.NoError(t, err)
// Unblock the read.
close(backend.blockCh)
// Check that the write succeeded anyway because of a retry.
require.NoError(t, <-errCh)
}
func validWriteStatusRequest(t *testing.T, res *pbresource.Resource) *pbresource.WriteStatusRequest {
t.Helper()
switch {
case resource.EqualType(res.Id.Type, demo.TypeV2Artist):
album, err := demo.GenerateV2Album(res.Id)
require.NoError(t, err)
return &pbresource.WriteStatusRequest{
Id: res.Id,
Version: res.Version,
Key: "consul.io/artist-controller",
Status: &pbresource.Status{
ObservedGeneration: res.Generation,
Conditions: []*pbresource.Condition{
{
Type: "AlbumCreated",
State: pbresource.Condition_STATE_TRUE,
Reason: "AlbumCreated",
Message: fmt.Sprintf("Album '%s' created", album.Id.Name),
Resource: resource.Reference(album.Id, ""),
},
},
},
}
case resource.EqualType(res.Id.Type, demo.TypeV1RecordLabel):
artist, err := demo.GenerateV2Artist()
require.NoError(t, err)
return &pbresource.WriteStatusRequest{
Id: res.Id,
Version: res.Version,
Key: "consul.io/recordlabel-controller",
Status: &pbresource.Status{
ObservedGeneration: res.Generation,
Conditions: []*pbresource.Condition{
{
Type: "ArtistCreated",
State: pbresource.Condition_STATE_TRUE,
Reason: "ArtistCreated",
Message: fmt.Sprintf("Artist '%s' created", artist.Id.Name),
Resource: resource.Reference(artist.Id, ""),
},
},
},
}
default:
t.Fatal("unsupported type", res.Id.Type)
}
return nil
}