diff --git a/internal/daemon/controller/handlers/workers/worker_service_test.go b/internal/daemon/controller/handlers/workers/worker_service_test.go index 5705e4d467..2d29c473f8 100644 --- a/internal/daemon/controller/handlers/workers/worker_service_test.go +++ b/internal/daemon/controller/handlers/workers/worker_service_test.go @@ -95,20 +95,22 @@ func TestGet(t *testing.T) { Type: KmsWorkerType, } + var pkiWorkerKeyId string pkiWorker := servers.TestPkiWorker(t, conn, wrap, servers.WithName("test pki worker names"), - servers.WithDescription("test pki worker description")) + servers.WithDescription("test pki worker description"), + servers.WithTestPkiWorkerAuthorizedKeyId(&pkiWorkerKeyId)) // Add config tags to the created worker pkiWorker, err = repo.UpsertWorkerStatus(context.Background(), servers.NewWorker(pkiWorker.GetScopeId(), - servers.WithName(pkiWorker.GetName()), servers.WithAddress("test kms worker address"), servers.WithWorkerTags(&servers.Tag{ Key: "config", Value: "test", })), servers.WithUpdateTags(true), - servers.WithPublicId(pkiWorker.GetPublicId())) + servers.WithPublicId(pkiWorker.GetPublicId()), + servers.WithKeyId(pkiWorkerKeyId)) require.NoError(t, err) wantPkiWorker := &pb.Worker{ @@ -407,7 +409,7 @@ func TestUpdate(t *testing.T) { resetWorker := func() { version++ - _, _, err = repo.UpdateWorker(context.Background(), wkr, version, []string{"Name", "Description", "Address"}) + _, _, err = repo.UpdateWorker(context.Background(), wkr, version, []string{"Name", "Description"}) require.NoError(t, err, "Failed to reset worker.") version++ } @@ -430,12 +432,11 @@ func TestUpdate(t *testing.T) { name: "Update an Existing Worker", req: &pbs.UpdateWorkerRequest{ UpdateMask: &field_mask.FieldMask{ - Paths: []string{"name", "description", "address"}, + Paths: []string{"name", "description"}, }, Item: &pb.Worker{ Name: wrapperspb.String("name"), Description: wrapperspb.String("desc"), - Address: "address", }, }, res: &pbs.UpdateWorkerResponse{ @@ -445,7 +446,7 @@ func TestUpdate(t *testing.T) { Scope: expectedScope, Name: wrapperspb.String("name"), Description: wrapperspb.String("desc"), - Address: "address", + Address: "default", CreatedTime: wkr.GetCreateTime().GetTimestamp(), LastStatusTime: wkr.GetLastStatusTime().GetTimestamp(), AuthorizedActions: testAuthorizedActions, @@ -1156,6 +1157,7 @@ func TestCreateWorkerLed(t *testing.T) { Name: &wrapperspb.StringValue{Value: "success"}, Description: &wrapperspb.StringValue{Value: "success-description"}, Version: 1, + Type: PkiWorkerType, }, }, }, diff --git a/internal/servers/options.go b/internal/servers/options.go index 052ed55f5d..b2a8836241 100644 --- a/internal/servers/options.go +++ b/internal/servers/options.go @@ -36,6 +36,8 @@ type options struct { withNonce []byte withNewIdFunc func(context.Context) (string, error) withFetchNodeCredentialsRequest *types.FetchNodeCredentialsRequest + withTestPkiWorkerAuthorized bool + withTestPkiWorkerKeyId *string } func getDefaultOptions() options { @@ -151,3 +153,13 @@ func WithFetchNodeCredentialsRequest(req *types.FetchNodeCredentialsRequest) Opt o.withFetchNodeCredentialsRequest = req } } + +// WithTestPkiWorkerAuthorizedKeyId should only be used in tests. +// It specifies that the test worker should be authorized when returned and +// assigns the key id for that worker to the string pointer in this option. +func WithTestPkiWorkerAuthorizedKeyId(id *string) Option { + return func(o *options) { + o.withTestPkiWorkerAuthorized = true + o.withTestPkiWorkerKeyId = id + } +} diff --git a/internal/servers/options_test.go b/internal/servers/options_test.go index a1ef9ad8e7..d5839c21d6 100644 --- a/internal/servers/options_test.go +++ b/internal/servers/options_test.go @@ -145,4 +145,17 @@ func Test_GetOpts(t *testing.T) { runtime.FuncForPC(reflect.ValueOf(testOpts.withNewIdFunc).Pointer()).Name(), ) }) + t.Run("WithTestPkiWorkerAuthorizedKeyId", func(t *testing.T) { + assert := assert.New(t) + testOpts := getDefaultOptions() + + var keyId string + opts := getOpts(WithTestPkiWorkerAuthorizedKeyId(&keyId)) + testOpts = getDefaultOptions() + testOpts.withTestPkiWorkerAuthorized = true + testOpts.withTestPkiWorkerKeyId = &keyId + testOpts.withNewIdFunc = nil + opts.withNewIdFunc = nil + assert.Equal(opts, testOpts) + }) } diff --git a/internal/servers/repository_worker_test.go b/internal/servers/repository_worker_test.go index 2dd49af609..4bcfe14687 100644 --- a/internal/servers/repository_worker_test.go +++ b/internal/servers/repository_worker_test.go @@ -21,8 +21,6 @@ import ( "github.com/hashicorp/boundary/internal/types/scope" "github.com/hashicorp/go-dbw" "github.com/hashicorp/go-kms-wrapping/extras/kms/v2/migrations" - "github.com/hashicorp/nodeenrollment" - "github.com/hashicorp/nodeenrollment/registration" "github.com/hashicorp/nodeenrollment/rotation" "github.com/hashicorp/nodeenrollment/storage/file" "github.com/hashicorp/nodeenrollment/types" @@ -153,30 +151,10 @@ func TestLookupWorkerIdByKeyId(t *testing.T) { err = kmsCache.CreateKeys(context.Background(), scope.Global.String(), kms.WithRandomReader(rand.Reader)) require.NoError(t, err) - w := servers.TestPkiWorker(t, conn, wrapper) - - rootStorage, err := servers.NewRepositoryStorage(ctx, rw, rw, kmsCache) - require.NoError(t, err) - _, err = rotation.RotateRootCertificates(ctx, rootStorage) - require.NoError(t, err) - // Create struct to pass in with workerId that will be passed along to storage - state, err := servers.AttachWorkerIdToState(ctx, w.PublicId) - require.NoError(t, err) - - // This happens on the worker - fileStorage, err := file.New(ctx) - require.NoError(t, err) - nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage) - require.NoError(t, err) - // Create request using worker id - fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx) - require.NoError(t, err) - - // The AuthorizeNode request will result in a WorkerAuth record being stored - registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state)) - require.NoError(t, err) + var workerKeyId string + w := servers.TestPkiWorker(t, conn, wrapper, servers.WithTestPkiWorkerAuthorizedKeyId(&workerKeyId)) t.Run("success", func(t *testing.T) { - got, err := repo.LookupWorkerIdByKeyId(ctx, registeredNode.Id) + got, err := repo.LookupWorkerIdByKeyId(ctx, workerKeyId) require.NoError(t, err) assert.Equal(t, w.PublicId, got) }) @@ -308,27 +286,8 @@ func TestUpsertWorkerStatus(t *testing.T) { }) // Setup and use a pki worker - pkiWorker := servers.TestPkiWorker(t, conn, wrapper, servers.WithName("pki")) - rootStorage, err := servers.NewRepositoryStorage(ctx, rw, rw, kmsCache) - require.NoError(t, err) - _, err = rotation.RotateRootCertificates(ctx, rootStorage) - require.NoError(t, err) - // Create struct to pass in with workerId that will be passed along to storage - state, err := servers.AttachWorkerIdToState(ctx, pkiWorker.GetPublicId()) - require.NoError(t, err) - - // This happens on the worker - fileStorage, err := file.New(ctx) - require.NoError(t, err) - nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage) - require.NoError(t, err) - // Create request using worker id - fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx) - require.NoError(t, err) - - registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state)) - require.NoError(t, err) - pkiWorkerKeyId := registeredNode.GetId() + var pkiWorkerKeyId string + pkiWorker := servers.TestPkiWorker(t, conn, wrapper, servers.WithName("pki"), servers.WithTestPkiWorkerAuthorizedKeyId(&pkiWorkerKeyId)) t.Run("update status for pki worker", func(t *testing.T) { wStatus1 := servers.NewWorker(scope.Global.String(), diff --git a/internal/servers/testing.go b/internal/servers/testing.go index 9645afdea4..1e79cad958 100644 --- a/internal/servers/testing.go +++ b/internal/servers/testing.go @@ -14,6 +14,11 @@ import ( "github.com/hashicorp/boundary/internal/servers/store" "github.com/hashicorp/boundary/internal/types/scope" wrapping "github.com/hashicorp/go-kms-wrapping/v2" + "github.com/hashicorp/nodeenrollment" + "github.com/hashicorp/nodeenrollment/registration" + "github.com/hashicorp/nodeenrollment/rotation" + "github.com/hashicorp/nodeenrollment/storage/file" + "github.com/hashicorp/nodeenrollment/types" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/timestamppb" ) @@ -83,9 +88,8 @@ func TestWorkerAuth(t *testing.T, conn *db.DB, worker *Worker, kmsKey string) *W } // TestKmsWorker inserts a worker into the db to satisfy foreign key constraints. -// The worker provided fields are auto generated. WithName and WithDescription, -// are applied to the resource name, description and address if -// present. +// The worker provided fields are auto generated. if WithName is not present a +// random name will be generated and assigned to the worker. func TestKmsWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...Option) *Worker { t.Helper() rw := db.New(conn) @@ -143,8 +147,9 @@ func TestKmsWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...O // TestPkiWorker inserts a worker into the db to satisfy foreign key constraints. // The worker provided fields are auto generated. WithName and WithDescription, -// are applied to the resource name, description and address if -// present. +// are applied to the resource name, description if present. WithTestPkiWorkerAuthorizedKeyId +// can be used to make the PkiWorker authorized in which case the string pointer +// passed to WithTestPkiWorkerAuthorizedKeyId is set to the key id. func TestPkiWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...Option) *Worker { t.Helper() rw := db.New(conn) @@ -173,6 +178,30 @@ func TestPkiWorker(t *testing.T, conn *db.DB, wrapper wrapping.Wrapper, opt ...O } require.NoError(t, rw.CreateItems(ctx, tags)) } + if opts.withTestPkiWorkerAuthorized { + rootStorage, err := NewRepositoryStorage(ctx, rw, rw, kms) + require.NoError(t, err) + _, err = rotation.RotateRootCertificates(ctx, rootStorage) + require.NoError(t, err) + // Create struct to pass in with workerId that will be passed along to storage + state, err := AttachWorkerIdToState(ctx, wrk.PublicId) + require.NoError(t, err) + + // This happens on the worker + fileStorage, err := file.New(ctx) + require.NoError(t, err) + nodeCreds, err := types.NewNodeCredentials(ctx, fileStorage) + require.NoError(t, err) + // Create request using worker id + fetchReq, err := nodeCreds.CreateFetchNodeCredentialsRequest(ctx) + require.NoError(t, err) + registeredNode, err := registration.AuthorizeNode(ctx, rootStorage, fetchReq, nodeenrollment.WithState(state)) + require.NoError(t, err) + + if opts.withTestPkiWorkerKeyId != nil { + *opts.withTestPkiWorkerKeyId = registeredNode.Id + } + } wrk, err = serversRepo.LookupWorker(ctx, wrk.GetPublicId()) require.NoError(t, err) return wrk diff --git a/internal/servers/testing_test.go b/internal/servers/testing_test.go index 26f84a2f1f..bcbcb73646 100644 --- a/internal/servers/testing_test.go +++ b/internal/servers/testing_test.go @@ -55,4 +55,10 @@ func TestTestPkiWorker(t *testing.T) { assert.Equal(t, name, lkpWorker.GetName()) assert.Equal(t, description, lkpWorker.GetDescription()) assert.Nil(t, lkpWorker.GetLastStatusTime()) + + var keyId string + authorizedWorker := TestPkiWorker(t, conn, wrapper, WithTestPkiWorkerAuthorizedKeyId(&keyId)) + assert.NotNil(t, authorizedWorker) + assert.True(t, strings.HasPrefix(authorizedWorker.GetPublicId(), WorkerPrefix)) + assert.NotEmpty(t, keyId) }