Allow TestPkiWorker to be created in an authorized state. (#2198)

* Allow TestPkiWorker to be created in an authorized state.
4 years ago · b3efe0eb3a
parent e379234259
commit b3efe0eb3a
6 changed files with 79 additions and 58 deletions
--- a/internal/daemon/controller/handlers/workers/worker_service_test.go
+++ b/internal/daemon/controller/handlers/workers/worker_service_test.go
@ -95,20 +95,22 @@ func TestGet(t *testing.T) {
 		Type: KmsWorkerType,
 	}

+	var pkiWorkerKeyId string
 	pkiWorker := servers.TestPkiWorker(t, conn, wrap,
 		servers.WithName("test pki worker names"),
-		servers.WithDescription("test pki worker description"))
+		servers.WithDescription("test pki worker description"),
+		servers.WithTestPkiWorkerAuthorizedKeyId(&pkiWorkerKeyId))
 	// Add config tags to the created worker
 	pkiWorker, err = repo.UpsertWorkerStatus(context.Background(),
 		servers.NewWorker(pkiWorker.GetScopeId(),
-			servers.WithName(pkiWorker.GetName()),
 			servers.WithAddress("test kms worker address"),
 			servers.WithWorkerTags(&servers.Tag{
 				Key:   "config",
 				Value: "test",
 			})),
 		servers.WithUpdateTags(true),
-		servers.WithPublicId(pkiWorker.GetPublicId()))
+		servers.WithPublicId(pkiWorker.GetPublicId()),
+		servers.WithKeyId(pkiWorkerKeyId))
 	require.NoError(t, err)

 	wantPkiWorker := &pb.Worker{
@ -407,7 +409,7 @@ func TestUpdate(t *testing.T) {

 	resetWorker := func() {
 		version++
-		_, _, err = repo.UpdateWorker(context.Background(), wkr, version, []string{"Name", "Description", "Address"})
+		_, _, err = repo.UpdateWorker(context.Background(), wkr, version, []string{"Name", "Description"})
 		require.NoError(t, err, "Failed to reset worker.")
 		version++
 	}
@ -430,12 +432,11 @@ func TestUpdate(t *testing.T) {
 			name: "Update an Existing Worker",
 			req: &pbs.UpdateWorkerRequest{
 				UpdateMask: &field_mask.FieldMask{
-					Paths: []string{"name", "description", "address"},
+					Paths: []string{"name", "description"},
 				},
 				Item: &pb.Worker{
 					Name:        wrapperspb.String("name"),
 					Description: wrapperspb.String("desc"),
-					Address:     "address",
 				},
 			},
 			res: &pbs.UpdateWorkerResponse{
@ -445,7 +446,7 @@ func TestUpdate(t *testing.T) {
 					Scope:             expectedScope,
 					Name:              wrapperspb.String("name"),
 					Description:       wrapperspb.String("desc"),
-					Address:           "address",
+					Address:           "default",
 					CreatedTime:       wkr.GetCreateTime().GetTimestamp(),
 					LastStatusTime:    wkr.GetLastStatusTime().GetTimestamp(),
 					AuthorizedActions: testAuthorizedActions,
@ -1156,6 +1157,7 @@ func TestCreateWorkerLed(t *testing.T) {
 					Name:        &wrapperspb.StringValue{Value: "success"},
 					Description: &wrapperspb.StringValue{Value: "success-description"},
 					Version:     1,
+					Type:        PkiWorkerType,
 				},
 			},
 		},
--- a/internal/servers/options.go
+++ b/internal/servers/options.go
@ -36,6 +36,8 @@ type options struct {
 	withNonce                          []byte
 	withNewIdFunc                      func(context.Context) (string, error)
 	withFetchNodeCredentialsRequest    *types.FetchNodeCredentialsRequest
+	withTestPkiWorkerAuthorized        bool
+	withTestPkiWorkerKeyId             *string
 }

 func getDefaultOptions() options {
@ -151,3 +153,13 @@ func WithFetchNodeCredentialsRequest(req *types.FetchNodeCredentialsRequest) Opt
 		o.withFetchNodeCredentialsRequest = req
 	}
 }
+
+// WithTestPkiWorkerAuthorizedKeyId should only be used in tests.
+// It specifies that the test worker should be authorized when returned and
+// assigns the key id for that worker to the string pointer in this option.
+func WithTestPkiWorkerAuthorizedKeyId(id *string) Option {
+	return func(o *options) {
+		o.withTestPkiWorkerAuthorized = true
+		o.withTestPkiWorkerKeyId = id
+	}
+}
--- a/internal/servers/options_test.go
+++ b/internal/servers/options_test.go
@ -145,4 +145,17 @@ func Test_GetOpts(t *testing.T) {
 			runtime.FuncForPC(reflect.ValueOf(testOpts.withNewIdFunc).Pointer()).Name(),
 		)
 	})
+	t.Run("WithTestPkiWorkerAuthorizedKeyId", func(t *testing.T) {
+		assert := assert.New(t)
+		testOpts := getDefaultOptions()
+
+		var keyId string
+		opts := getOpts(WithTestPkiWorkerAuthorizedKeyId(&keyId))
+		testOpts = getDefaultOptions()
+		testOpts.withTestPkiWorkerAuthorized = true
+		testOpts.withTestPkiWorkerKeyId = &keyId
+		testOpts.withNewIdFunc = nil
+		opts.withNewIdFunc = nil
+		assert.Equal(opts, testOpts)
+	})
 }
--- a/internal/servers/repository_worker_test.go
+++ b/internal/servers/repository_worker_test.go
@ -21,8 +21,6 @@ import (
 	"github.com/hashicorp/boundary/internal/types/scope"
 	"github.com/hashicorp/go-dbw"
 	"github.com/hashicorp/go-kms-wrapping/extras/kms/v2/migrations"
-	"github.com/hashicorp/nodeenrollment"
-	"github.com/hashicorp/nodeenrollment/registration"
 	"github.com/hashicorp/nodeenrollment/rotation"
 	"github.com/hashicorp/nodeenrollment/storage/file"
 	"github.com/hashicorp/nodeenrollment/types"
@ -153,30 +151,10 @@ func TestLookupWorkerIdByKeyId(t *testing.T) {
 	err = kmsCache.CreateKeys(context.Background(), scope.Global.String(), kms.WithRandomReader(rand.Reader))
 	require.NoError(t, err)

-	w := servers.TestPkiWorker(t, conn, wrapper)
-
-	rootStorage, err := servers.NewRepositoryStorage(ctx, rw, rw, kmsCache)
-	require.NoError(t, err)
-	_, err = rotation.RotateRootCertificates(ctx, rootStorage)
-	require.NoError(t, err)
-	// Create struct to pass in with workerId that will be passed along to storage
-	state, err := servers.AttachWorkerIdToState(ctx, w.PublicId)
-	require.NoError(t, err)
-
-	// This happens on the worker
-	fileStorage, err := file.New(ctx)
-	require.NoError(t, err)
-	nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage)
-	require.NoError(t, err)
-	// Create request using worker id
-	fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx)
-	require.NoError(t, err)
-
-	// The AuthorizeNode request will result in a WorkerAuth record being stored
-	registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state))
-	require.NoError(t, err)
+	var workerKeyId string
+	w := servers.TestPkiWorker(t, conn, wrapper, servers.WithTestPkiWorkerAuthorizedKeyId(&workerKeyId))
 	t.Run("success", func(t *testing.T) {
-		got, err := repo.LookupWorkerIdByKeyId(ctx, registeredNode.Id)
+		got, err := repo.LookupWorkerIdByKeyId(ctx, workerKeyId)
 		require.NoError(t, err)
 		assert.Equal(t, w.PublicId, got)
 	})
@ -308,27 +286,8 @@ func TestUpsertWorkerStatus(t *testing.T) {
 	})

 	// Setup and use a pki worker
-	pkiWorker := servers.TestPkiWorker(t, conn, wrapper, servers.WithName("pki"))
-	rootStorage, err := servers.NewRepositoryStorage(ctx, rw, rw, kmsCache)
-	require.NoError(t, err)
-	_, err = rotation.RotateRootCertificates(ctx, rootStorage)
-	require.NoError(t, err)
-	// Create struct to pass in with workerId that will be passed along to storage
-	state, err := servers.AttachWorkerIdToState(ctx, pkiWorker.GetPublicId())
-	require.NoError(t, err)
-
-	// This happens on the worker
-	fileStorage, err := file.New(ctx)
-	require.NoError(t, err)
-	nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage)
-	require.NoError(t, err)
-	// Create request using worker id
-	fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx)
-	require.NoError(t, err)
-
-	registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state))
-	require.NoError(t, err)
-	pkiWorkerKeyId := registeredNode.GetId()
+	var pkiWorkerKeyId string
+	pkiWorker := servers.TestPkiWorker(t, conn, wrapper, servers.WithName("pki"), servers.WithTestPkiWorkerAuthorizedKeyId(&pkiWorkerKeyId))

 	t.Run("update status for pki worker", func(t *testing.T) {
 		wStatus1 := servers.NewWorker(scope.Global.String(),
--- a/internal/servers/testing.go
+++ b/internal/servers/testing.go
@ -14,6 +14,11 @@ import (
 	"github.com/hashicorp/boundary/internal/servers/store"
 	"github.com/hashicorp/boundary/internal/types/scope"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
+	"github.com/hashicorp/nodeenrollment"
+	"github.com/hashicorp/nodeenrollment/registration"
+	"github.com/hashicorp/nodeenrollment/rotation"
+	"github.com/hashicorp/nodeenrollment/storage/file"
+	"github.com/hashicorp/nodeenrollment/types"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
@ -83,9 +88,8 @@ func TestWorkerAuth(t *testing.T, conn *db.DB, worker *Worker, kmsKey string) *W
 }

 // TestKmsWorker inserts a worker into the db to satisfy foreign key constraints.
-// The worker provided fields are auto generated. WithName and WithDescription,
-// are applied to the resource name, description and address if
-// present.
+// The worker provided fields are auto generated. if WithName is not present a
+// random name will be generated and assigned to the worker.
 func TestKmsWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...Option) *Worker {
 	t.Helper()
 	rw := db.New(conn)
@ -143,8 +147,9 @@ func TestKmsWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...O

 // TestPkiWorker inserts a worker into the db to satisfy foreign key constraints.
 // The worker provided fields are auto generated. WithName and WithDescription,
-// are applied to the resource name, description and address if
-// present.
+// are applied to the resource name, description if present.  WithTestPkiWorkerAuthorizedKeyId
+// can be used to make the PkiWorker authorized in which case the string pointer
+// passed to WithTestPkiWorkerAuthorizedKeyId is set to the key id.
 func TestPkiWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...Option) *Worker {
 	t.Helper()
 	rw := db.New(conn)
@ -173,6 +178,30 @@ func TestPkiWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...O
 		}
 		require.NoError(t, rw.CreateItems(ctx, tags))
 	}
+	if opts.withTestPkiWorkerAuthorized {
+		rootStorage, err := NewRepositoryStorage(ctx, rw, rw, kms)
+		require.NoError(t, err)
+		_, err = rotation.RotateRootCertificates(ctx, rootStorage)
+		require.NoError(t, err)
+		// Create struct to pass in with workerId that will be passed along to storage
+		state, err := AttachWorkerIdToState(ctx, wrk.PublicId)
+		require.NoError(t, err)
+
+		// This happens on the worker
+		fileStorage, err := file.New(ctx)
+		require.NoError(t, err)
+		nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage)
+		require.NoError(t, err)
+		// Create request using worker id
+		fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx)
+		require.NoError(t, err)
+		registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state))
+		require.NoError(t, err)
+
+		if opts.withTestPkiWorkerKeyId != nil {
+			*opts.withTestPkiWorkerKeyId = registeredNode.Id
+		}
+	}
 	wrk, err = serversRepo.LookupWorker(ctx, wrk.GetPublicId())
 	require.NoError(t, err)
 	return wrk
--- a/internal/servers/testing_test.go
+++ b/internal/servers/testing_test.go
@ -55,4 +55,10 @@ func TestTestPkiWorker(t *testing.T) {
 	assert.Equal(t, name, lkpWorker.GetName())
 	assert.Equal(t, description, lkpWorker.GetDescription())
 	assert.Nil(t, lkpWorker.GetLastStatusTime())
+
+	var keyId string
+	authorizedWorker := TestPkiWorker(t, conn, wrapper, WithTestPkiWorkerAuthorizedKeyId(&keyId))
+	assert.NotNil(t, authorizedWorker)
+	assert.True(t, strings.HasPrefix(authorizedWorker.GetPublicId(), WorkerPrefix))
+	assert.NotEmpty(t, keyId)
 }