mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 00:45:19 +00:00
3757aace08
#8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
180 lines
6.6 KiB
Go
180 lines
6.6 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"io"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/authz"
|
|
"github.com/fleetdm/fleet/v4/server/config"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mock"
|
|
"github.com/fleetdm/fleet/v4/server/test"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func setup(t *testing.T) (context.Context, *mock.Store, *mock.InstallerStore, fleet.Service) {
|
|
ds := new(mock.Store)
|
|
is := new(mock.InstallerStore)
|
|
cfg := config.TestConfig()
|
|
cfg.Server.SandboxEnabled = true
|
|
svc, ctx := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: is, FleetConfig: &cfg})
|
|
ctx = test.UserContext(ctx, test.UserAdmin)
|
|
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
|
|
return &fleet.EnrollSecret{Secret: "xyz"}, nil
|
|
|
|
}
|
|
return ctx, ds, is, svc
|
|
}
|
|
|
|
func TestGetInstaller(t *testing.T) {
|
|
t.Run("unauthorized access is not allowed", func(t *testing.T) {
|
|
_, _, _, svc := setup(t)
|
|
_, _, err := svc.GetInstaller(context.Background(), fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), authz.ForbiddenErrorMessage)
|
|
})
|
|
|
|
t.Run("errors if store is not configured", func(t *testing.T) {
|
|
ctx, ds, _, _ := setup(t)
|
|
cfg := config.TestConfig()
|
|
cfg.Server.SandboxEnabled = true
|
|
svc, _ := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: nil, FleetConfig: &cfg})
|
|
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "installer storage has not been configured")
|
|
})
|
|
|
|
t.Run("errors if the provided enroll secret cannot be found", func(t *testing.T) {
|
|
ctx, ds, _, svc := setup(t)
|
|
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
|
|
return nil, newNotFoundError()
|
|
}
|
|
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
var nfe *notFoundError
|
|
require.ErrorAs(t, err, &nfe)
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
})
|
|
|
|
t.Run("errors if there's a problem verifying the enroll secret", func(t *testing.T) {
|
|
ctx, ds, _, svc := setup(t)
|
|
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
|
|
return nil, ctxerr.New(ctx, "test error")
|
|
}
|
|
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "test error")
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
})
|
|
|
|
t.Run("errors if there's a problem checking the blob storage", func(t *testing.T) {
|
|
ctx, ds, is, svc := setup(t)
|
|
is.GetFunc = func(ctx context.Context, installer fleet.Installer) (io.ReadCloser, int64, error) {
|
|
return nil, int64(0), ctxerr.New(ctx, "test error")
|
|
}
|
|
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "test error")
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
require.True(t, is.GetFuncInvoked)
|
|
})
|
|
|
|
t.Run("returns binary data with the installer", func(t *testing.T) {
|
|
ctx, ds, is, svc := setup(t)
|
|
is.GetFunc = func(ctx context.Context, installer fleet.Installer) (io.ReadCloser, int64, error) {
|
|
str := "test"
|
|
length := int64(len(str))
|
|
reader := io.NopCloser(strings.NewReader(str))
|
|
return reader, length, nil
|
|
}
|
|
blob, length, err := svc.GetInstaller(ctx, fleet.Installer{})
|
|
require.NoError(t, err)
|
|
body, err := io.ReadAll(blob)
|
|
require.Equal(t, "test", string(body))
|
|
require.EqualValues(t, length, len(body))
|
|
require.NoError(t, err)
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
require.True(t, is.GetFuncInvoked)
|
|
})
|
|
}
|
|
func TestCheckInstallerExistence(t *testing.T) {
|
|
t.Run("unauthorized access is not allowed", func(t *testing.T) {
|
|
_, _, _, svc := setup(t)
|
|
err := svc.CheckInstallerExistence(context.Background(), fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), authz.ForbiddenErrorMessage)
|
|
})
|
|
|
|
t.Run("errors if store is not configured", func(t *testing.T) {
|
|
ctx, ds, _, _ := setup(t)
|
|
cfg := config.TestConfig()
|
|
cfg.Server.SandboxEnabled = true
|
|
svc, _ := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: nil, FleetConfig: &cfg})
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "installer storage has not been configured")
|
|
})
|
|
|
|
t.Run("errors if the provided enroll secret cannot be found", func(t *testing.T) {
|
|
ctx, ds, _, svc := setup(t)
|
|
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
|
|
return nil, newNotFoundError()
|
|
}
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
var nfe *notFoundError
|
|
require.ErrorAs(t, err, &nfe)
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
})
|
|
|
|
t.Run("errors if there's a problem verifying the enroll secret", func(t *testing.T) {
|
|
ctx, ds, _, svc := setup(t)
|
|
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
|
|
return nil, ctxerr.New(ctx, "test error")
|
|
}
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "test error")
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
})
|
|
|
|
t.Run("errors if there's a problem checking the blob storage", func(t *testing.T) {
|
|
ctx, ds, is, svc := setup(t)
|
|
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
|
|
return false, ctxerr.New(ctx, "test error")
|
|
}
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "test error")
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
require.True(t, is.ExistsFuncInvoked)
|
|
})
|
|
|
|
t.Run("errors with not found if the installer is not in the storage", func(t *testing.T) {
|
|
ctx, ds, is, svc := setup(t)
|
|
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
|
|
return false, nil
|
|
}
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.Error(t, err)
|
|
var nfe *notFoundError
|
|
require.ErrorAs(t, err, &nfe)
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
require.True(t, is.ExistsFuncInvoked)
|
|
})
|
|
|
|
t.Run("returns no errors if the installer exists", func(t *testing.T) {
|
|
ctx, ds, is, svc := setup(t)
|
|
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
|
|
return true, nil
|
|
}
|
|
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
|
|
require.NoError(t, err)
|
|
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
|
|
require.True(t, is.ExistsFuncInvoked)
|
|
})
|
|
}
|