diff --git a/internal/target/repository.go b/internal/target/repository.go index bd8b7aa035..475bb85fed 100644 --- a/internal/target/repository.go +++ b/internal/target/repository.go @@ -24,6 +24,7 @@ import ( "github.com/hashicorp/boundary/internal/types/scope" "github.com/hashicorp/boundary/internal/util" "github.com/hashicorp/go-dbw" + wrapping "github.com/hashicorp/go-kms-wrapping/v2" ) // RepositoryFactory enables `target.Repository` object instantiation, @@ -51,6 +52,12 @@ type Repository struct { permissions []perms.Permission } +// getTargetProxyServerCertificateFn can be overridden for testing or extension purposes. +// By default, it returns nil, nil because TCP targets do not currently use a proxy server certificate. +var getTargetProxyServerCertificateFn = func(ctx context.Context, r *Repository, target targetView, databaseWrapper wrapping.Wrapper, opts options) (*ServerCertificate, error) { + return nil, nil +} + // NewRepository creates a new target Repository. // Supports the following options: // - WithLimit: sets a limit on the number of results returned by various repo operations. @@ -140,16 +147,9 @@ func (r *Repository) LookupTargetForSessionAuthorization(ctx context.Context, pu address = targetAddress.GetAddress() } - if opts.WithAlias != nil { - cert, err = fetchTargetAliasProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, opts.WithAlias, databaseWrapper, target.GetSessionMaxSeconds()) - if err != nil && !errors.IsNotFoundError(err) { - return errors.Wrap(ctx, err, op) - } - } else { - cert, err = fetchTargetProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, databaseWrapper, target.GetSessionMaxSeconds()) - if err != nil && !errors.IsNotFoundError(err) { - return errors.Wrap(ctx, err, op) - } + cert, err = getTargetProxyServerCertificateFn(ctx, r, target, databaseWrapper, opts) + if err != nil && !errors.IsNotFoundError(err) { + return errors.Wrap(ctx, err, op) } return nil }, diff --git a/internal/target/repository_proxy_server_certificate_test.go b/internal/target/repository_proxy_server_certificate_test.go index 041106a16b..c2445ee3eb 100644 --- a/internal/target/repository_proxy_server_certificate_test.go +++ b/internal/target/repository_proxy_server_certificate_test.go @@ -302,7 +302,10 @@ func TestFetchTargetAliasProxyServerCertificate(t *testing.T) { } } -func Test_FetchCertsWithinLookupTargetForSessionAuthorization(t *testing.T) { +// Test_LookupTargetForSessionAuthorization tests looking up a target for session both with and without an alias. +// The target used in this test does not have a proxy server certificate because TCP targets do not currently support proxy server certificates. +// Fetching the proxy server certificate is tested in other enterprise tests. +func Test_LookupTargetForSessionAuthorization(t *testing.T) { t.Parallel() ctx := context.Background() conn, _ := db.TestSetup(t, "postgres") @@ -312,74 +315,50 @@ func Test_FetchCertsWithinLookupTargetForSessionAuthorization(t *testing.T) { _, proj := iam.TestScopes(t, iam.TestRepo(t, conn, wrapper)) repo, err := target.NewRepository(context.Background(), rw, rw, testKms) require.NoError(t, err) - databaseWrapper, err := testKms.GetWrapper(ctx, proj.PublicId, kms.KeyPurposeDatabase) - require.NoError(t, err) tar := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target") - tar2 := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target2") // Create an alias aliasValue := "test-alias" alias := talias.TestAlias(t, rw, aliasValue, talias.WithDestinationId(tar.GetPublicId())) - require.NoError(t, err) require.NotNil(t, alias) - // Create our default localhost target cert - cer, err := target.NewTargetProxyCertificate(ctx, target.WithTargetId(tar.GetPublicId())) - require.NoError(t, err) - require.NotNil(t, cer) - id, err := db.NewPublicId(ctx, globals.ProxyServerCertificatePrefix) - require.NoError(t, err) - cer.PublicId = id - err = cer.Encrypt(ctx, databaseWrapper) - require.NoError(t, err) - err = rw.Create(ctx, cer) - require.NoError(t, err) - tests := []struct { name string publicId string opt []target.Option - wantCert bool + wantErr bool }{ { - name: "success-get-target-with-certificate", + name: "success-get-target-no-cert", publicId: tar.GetPublicId(), - wantCert: true, + wantErr: false, }, { - name: "success-get-target-with-alias-certificate", + name: "success-get-target-no-cert-with-alias", publicId: tar.GetPublicId(), opt: []target.Option{ target.WithAlias(alias), }, - wantCert: true, - }, - { - name: "success-get-target-no-cert", - publicId: tar2.GetPublicId(), - wantCert: false, + wantErr: false, }, { - name: "success-get-target-no-cert-with-alias", - publicId: tar2.GetPublicId(), - opt: []target.Option{ - target.WithAlias(alias), - }, - wantCert: false, + name: "fail-missing-target-id", + publicId: "", + wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { assert, require := assert.New(t), require.New(t) got, err := repo.LookupTargetForSessionAuthorization(ctx, tt.publicId, proj.PublicId, tt.opt...) - require.NoError(err) - assert.NotNil(got) - if tt.wantCert { - assert.NotNil(got.GetProxyServerCertificate()) - } else { - assert.Nil(got.GetProxyServerCertificate()) + if tt.wantErr { + require.Error(err) + return } + require.NoError(err) + require.NotNil(got) + assert.Nil(got.GetProxyServerCertificate()) }) } }