mirror of https://github.com/hashicorp/consul
425 lines
12 KiB
Go
425 lines
12 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package resource_test
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"io"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/status"
|
|
"google.golang.org/protobuf/proto"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
svc "github.com/hashicorp/consul/agent/grpc-external/services/resource"
|
|
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
|
|
"github.com/hashicorp/consul/agent/grpc-external/testutils"
|
|
"github.com/hashicorp/consul/internal/resource"
|
|
"github.com/hashicorp/consul/internal/resource/demo"
|
|
"github.com/hashicorp/consul/proto-public/pbresource"
|
|
"github.com/hashicorp/consul/proto/private/prototest"
|
|
)
|
|
|
|
// TODO: Update all tests to use true/false table test for v2tenancy
|
|
|
|
func TestWatchList_InputValidation(t *testing.T) {
|
|
client := svctest.NewResourceServiceBuilder().
|
|
WithRegisterFns(demo.RegisterTypes).
|
|
Run(t)
|
|
|
|
type testCase struct {
|
|
modFn func(*pbresource.WatchListRequest)
|
|
errContains string
|
|
}
|
|
|
|
testCases := map[string]testCase{
|
|
"no type": {
|
|
modFn: func(req *pbresource.WatchListRequest) { req.Type = nil },
|
|
errContains: "type is required",
|
|
},
|
|
"partition mixed case": {
|
|
modFn: func(req *pbresource.WatchListRequest) { req.Tenancy.Partition = "Default" },
|
|
errContains: "tenancy.partition invalid",
|
|
},
|
|
"partition too long": {
|
|
modFn: func(req *pbresource.WatchListRequest) {
|
|
req.Tenancy.Partition = strings.Repeat("p", resource.MaxNameLength+1)
|
|
},
|
|
errContains: "tenancy.partition invalid",
|
|
},
|
|
"namespace mixed case": {
|
|
modFn: func(req *pbresource.WatchListRequest) { req.Tenancy.Namespace = "Default" },
|
|
errContains: "tenancy.namespace invalid",
|
|
},
|
|
"namespace too long": {
|
|
modFn: func(req *pbresource.WatchListRequest) {
|
|
req.Tenancy.Namespace = strings.Repeat("n", resource.MaxNameLength+1)
|
|
},
|
|
errContains: "tenancy.namespace invalid",
|
|
},
|
|
"name_prefix mixed case": {
|
|
modFn: func(req *pbresource.WatchListRequest) { req.NamePrefix = "Smashing" },
|
|
errContains: "name_prefix invalid",
|
|
},
|
|
"partitioned type provides non-empty namespace": {
|
|
modFn: func(req *pbresource.WatchListRequest) {
|
|
req.Type = demo.TypeV1RecordLabel
|
|
req.Tenancy.Namespace = "bad"
|
|
},
|
|
errContains: "cannot have a namespace",
|
|
},
|
|
"cluster scope with non-empty partition": {
|
|
modFn: func(req *pbresource.WatchListRequest) {
|
|
req.Type = demo.TypeV1Executive
|
|
req.Tenancy = &pbresource.Tenancy{Partition: "bad"}
|
|
},
|
|
errContains: "cannot have a partition",
|
|
},
|
|
"cluster scope with non-empty namespace": {
|
|
modFn: func(req *pbresource.WatchListRequest) {
|
|
req.Type = demo.TypeV1Executive
|
|
req.Tenancy = &pbresource.Tenancy{Namespace: "bad"}
|
|
},
|
|
errContains: "cannot have a namespace",
|
|
},
|
|
}
|
|
for desc, tc := range testCases {
|
|
t.Run(desc, func(t *testing.T) {
|
|
req := &pbresource.WatchListRequest{
|
|
Type: demo.TypeV2Album,
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
|
}
|
|
tc.modFn(req)
|
|
|
|
stream, err := client.WatchList(testContext(t), req)
|
|
require.NoError(t, err)
|
|
|
|
_, err = stream.Recv()
|
|
require.Error(t, err)
|
|
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
|
|
require.ErrorContains(t, err, tc.errContains)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestWatchList_TypeNotFound(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client := svctest.NewResourceServiceBuilder().Run(t)
|
|
|
|
stream, err := client.WatchList(context.Background(), &pbresource.WatchListRequest{
|
|
Type: demo.TypeV2Artist,
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
|
NamePrefix: "",
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
err = mustGetError(t, rspCh)
|
|
require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
|
|
require.Contains(t, err.Error(), "resource type demo.v2.Artist not registered")
|
|
}
|
|
|
|
func TestWatchList_GroupVersionMatches(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
server := testServer(t)
|
|
client := testClient(t, server)
|
|
demo.RegisterTypes(server.Registry)
|
|
ctx := context.Background()
|
|
|
|
// create a watch
|
|
stream, err := client.WatchList(ctx, &pbresource.WatchListRequest{
|
|
Type: demo.TypeV2Artist,
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
|
NamePrefix: "",
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
artist, err := demo.GenerateV2Artist()
|
|
require.NoError(t, err)
|
|
|
|
// insert and verify upsert event received
|
|
r1, err := server.Backend.WriteCAS(ctx, artist)
|
|
require.NoError(t, err)
|
|
rsp := mustGetResource(t, rspCh)
|
|
require.Equal(t, pbresource.WatchEvent_OPERATION_UPSERT, rsp.Operation)
|
|
prototest.AssertDeepEqual(t, r1, rsp.Resource)
|
|
|
|
// update and verify upsert event received
|
|
r2 := modifyArtist(t, r1)
|
|
r2, err = server.Backend.WriteCAS(ctx, r2)
|
|
require.NoError(t, err)
|
|
rsp = mustGetResource(t, rspCh)
|
|
require.Equal(t, pbresource.WatchEvent_OPERATION_UPSERT, rsp.Operation)
|
|
prototest.AssertDeepEqual(t, r2, rsp.Resource)
|
|
|
|
// delete and verify delete event received
|
|
err = server.Backend.DeleteCAS(ctx, r2.Id, r2.Version)
|
|
require.NoError(t, err)
|
|
rsp = mustGetResource(t, rspCh)
|
|
require.Equal(t, pbresource.WatchEvent_OPERATION_DELETE, rsp.Operation)
|
|
}
|
|
|
|
func TestWatchList_Tenancy_Defaults_And_Normalization(t *testing.T) {
|
|
// Test units of tenancy get lowercased and defaulted correctly when empty.
|
|
for desc, tc := range wildcardTenancyCases() {
|
|
t.Run(desc, func(t *testing.T) {
|
|
ctx := context.Background()
|
|
client := svctest.NewResourceServiceBuilder().
|
|
WithRegisterFns(demo.RegisterTypes).
|
|
Run(t)
|
|
|
|
// Create a watch.
|
|
stream, err := client.WatchList(ctx, &pbresource.WatchListRequest{
|
|
Type: tc.typ,
|
|
Tenancy: tc.tenancy,
|
|
NamePrefix: "",
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
// Testcase will pick one of recordLabel or artist based on scope of type.
|
|
recordLabel, err := demo.GenerateV1RecordLabel("looney-tunes")
|
|
require.NoError(t, err)
|
|
artist, err := demo.GenerateV2Artist()
|
|
require.NoError(t, err)
|
|
|
|
// Create and verify upsert event received.
|
|
rlRsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: recordLabel})
|
|
require.NoError(t, err)
|
|
artistRsp, err := client.Write(ctx, &pbresource.WriteRequest{Resource: artist})
|
|
require.NoError(t, err)
|
|
|
|
var expected *pbresource.Resource
|
|
switch {
|
|
case proto.Equal(tc.typ, demo.TypeV1RecordLabel):
|
|
expected = rlRsp.Resource
|
|
case proto.Equal(tc.typ, demo.TypeV2Artist):
|
|
expected = artistRsp.Resource
|
|
default:
|
|
require.Fail(t, "unsupported type", tc.typ)
|
|
}
|
|
|
|
rsp := mustGetResource(t, rspCh)
|
|
require.Equal(t, pbresource.WatchEvent_OPERATION_UPSERT, rsp.Operation)
|
|
prototest.AssertDeepEqual(t, expected, rsp.Resource)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestWatchList_GroupVersionMismatch(t *testing.T) {
|
|
// Given a watch on TypeArtistV1 that only differs from TypeArtistV2 by GroupVersion
|
|
// When a resource of TypeArtistV2 is created/updated/deleted
|
|
// Then no watch events should be emitted
|
|
t.Parallel()
|
|
|
|
server := testServer(t)
|
|
demo.RegisterTypes(server.Registry)
|
|
client := testClient(t, server)
|
|
ctx := context.Background()
|
|
|
|
// create a watch for TypeArtistV1
|
|
stream, err := client.WatchList(ctx, &pbresource.WatchListRequest{
|
|
Type: demo.TypeV1Artist,
|
|
Tenancy: resource.DefaultNamespacedTenancy(),
|
|
NamePrefix: "",
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
artist, err := demo.GenerateV2Artist()
|
|
require.NoError(t, err)
|
|
|
|
// insert
|
|
r1, err := server.Backend.WriteCAS(ctx, artist)
|
|
require.NoError(t, err)
|
|
|
|
// update
|
|
r2 := clone(r1)
|
|
r2, err = server.Backend.WriteCAS(ctx, r2)
|
|
require.NoError(t, err)
|
|
|
|
// delete
|
|
err = server.Backend.DeleteCAS(ctx, r2.Id, r2.Version)
|
|
require.NoError(t, err)
|
|
|
|
// verify no events received
|
|
mustGetNoResource(t, rspCh)
|
|
}
|
|
|
|
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
|
|
func TestWatchList_ACL_ListDenied(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// deny all
|
|
rspCh, _ := roundTripACL(t, testutils.ACLNoPermissions(t))
|
|
|
|
// verify key:list denied
|
|
err := mustGetError(t, rspCh)
|
|
require.Error(t, err)
|
|
require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
|
|
require.Contains(t, err.Error(), "lacks permission 'key:list'")
|
|
}
|
|
|
|
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
|
|
func TestWatchList_ACL_ListAllowed_ReadDenied(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// allow list, deny read
|
|
authz := AuthorizerFrom(t, `
|
|
key_prefix "resource/" { policy = "list" }
|
|
key_prefix "resource/demo.v2.Artist/" { policy = "deny" }
|
|
`)
|
|
rspCh, _ := roundTripACL(t, authz)
|
|
|
|
// verify resource filtered out by key:read denied, hence no events
|
|
mustGetNoResource(t, rspCh)
|
|
}
|
|
|
|
// N.B. Uses key ACLs for now. See demo.RegisterTypes()
|
|
func TestWatchList_ACL_ListAllowed_ReadAllowed(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// allow list, allow read
|
|
authz := AuthorizerFrom(t, `
|
|
key_prefix "resource/" { policy = "list" }
|
|
key_prefix "resource/demo.v2.Artist/" { policy = "read" }
|
|
`)
|
|
rspCh, artist := roundTripACL(t, authz)
|
|
|
|
// verify resource not filtered out by acl
|
|
event := mustGetResource(t, rspCh)
|
|
prototest.AssertDeepEqual(t, artist, event.Resource)
|
|
}
|
|
|
|
// roundtrip a WatchList which attempts to stream back a single write event
|
|
func roundTripACL(t *testing.T, authz acl.Authorizer) (<-chan resourceOrError, *pbresource.Resource) {
|
|
server := testServer(t)
|
|
client := testClient(t, server)
|
|
|
|
mockACLResolver := &svc.MockACLResolver{}
|
|
mockACLResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
|
|
Return(authz, nil)
|
|
server.ACLResolver = mockACLResolver
|
|
demo.RegisterTypes(server.Registry)
|
|
|
|
artist, err := demo.GenerateV2Artist()
|
|
require.NoError(t, err)
|
|
|
|
stream, err := client.WatchList(testContext(t), &pbresource.WatchListRequest{
|
|
Type: artist.Id.Type,
|
|
Tenancy: artist.Id.Tenancy,
|
|
NamePrefix: "",
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
// induce single watch event
|
|
artist, err = server.Backend.WriteCAS(context.Background(), artist)
|
|
require.NoError(t, err)
|
|
|
|
// caller to make assertions on the rspCh and written artist
|
|
return rspCh, artist
|
|
}
|
|
|
|
func mustGetNoResource(t *testing.T, ch <-chan resourceOrError) {
|
|
t.Helper()
|
|
|
|
select {
|
|
case rsp := <-ch:
|
|
require.NoError(t, rsp.err)
|
|
require.Nil(t, rsp.rsp, "expected nil response with no error")
|
|
case <-time.After(250 * time.Millisecond):
|
|
return
|
|
}
|
|
}
|
|
|
|
func mustGetResource(t *testing.T, ch <-chan resourceOrError) *pbresource.WatchEvent {
|
|
t.Helper()
|
|
|
|
select {
|
|
case rsp := <-ch:
|
|
require.NoError(t, rsp.err)
|
|
return rsp.rsp
|
|
case <-time.After(1 * time.Second):
|
|
t.Fatal("timeout waiting for WatchListResponse")
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func mustGetError(t *testing.T, ch <-chan resourceOrError) error {
|
|
t.Helper()
|
|
|
|
select {
|
|
case rsp := <-ch:
|
|
require.Error(t, rsp.err)
|
|
return rsp.err
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("timeout waiting for WatchListResponse")
|
|
return nil
|
|
}
|
|
}
|
|
|
|
func handleResourceStream(t *testing.T, stream pbresource.ResourceService_WatchListClient) <-chan resourceOrError {
|
|
t.Helper()
|
|
|
|
rspCh := make(chan resourceOrError)
|
|
go func() {
|
|
for {
|
|
rsp, err := stream.Recv()
|
|
if errors.Is(err, io.EOF) ||
|
|
errors.Is(err, context.Canceled) ||
|
|
errors.Is(err, context.DeadlineExceeded) {
|
|
return
|
|
}
|
|
rspCh <- resourceOrError{
|
|
rsp: rsp,
|
|
err: err,
|
|
}
|
|
}
|
|
}()
|
|
return rspCh
|
|
}
|
|
|
|
type resourceOrError struct {
|
|
rsp *pbresource.WatchEvent
|
|
err error
|
|
}
|
|
|
|
func TestWatchList_NoTenancy(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx := context.Background()
|
|
client := svctest.NewResourceServiceBuilder().
|
|
WithRegisterFns(demo.RegisterTypes).
|
|
Run(t)
|
|
|
|
// Create a watch.
|
|
stream, err := client.WatchList(ctx, &pbresource.WatchListRequest{
|
|
Type: demo.TypeV1RecordLabel,
|
|
})
|
|
require.NoError(t, err)
|
|
rspCh := handleResourceStream(t, stream)
|
|
|
|
recordLabel, err := demo.GenerateV1RecordLabel("looney-tunes")
|
|
require.NoError(t, err)
|
|
|
|
// Create and verify upsert event received.
|
|
rsp1, err := client.Write(ctx, &pbresource.WriteRequest{Resource: recordLabel})
|
|
require.NoError(t, err)
|
|
|
|
rsp2 := mustGetResource(t, rspCh)
|
|
|
|
require.Equal(t, pbresource.WatchEvent_OPERATION_UPSERT, rsp2.Operation)
|
|
prototest.AssertDeepEqual(t, rsp1.Resource, rsp2.Resource)
|
|
}
|