empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
58d882b684
fleet/server/service/installer_test.go
Lucas Manuel Rodriguez 3757aace08
Add UUID to Fleet errors and clean up error msgs (#10411) 
#8129 

Apart from fixing the issue in #8129, this change also introduces UUIDs
to Fleet errors. To be able to match a returned error from the API to a
error in the Fleet logs. See
https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for
more context.

Samples with the changes in this PR:
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d ''
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Expected JSON Body"
    }
  ],
  "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0"
}
```
```
curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd'
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "json decoder error"
    }
  ],
  "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d"
}
```
```
curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams"
{
  "message": "Authentication required",
  "errors": [
    {
      "name": "base",
      "reason": "Authentication required"
    }
  ],
  "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Authorization header required",
  "errors": [
    {
      "name": "base",
      "reason": "Authorization header required"
    }
  ],
  "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3"
}
```
```
curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}'
{
  "message": "Permission Denied",
  "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06"
}
```

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 13:44:06 -03:00

180 lines
6.6 KiB
Go
Raw Blame History

package service
import (
"context"
"io"
"strings"
"testing"
"github.com/fleetdm/fleet/v4/server/authz"
"github.com/fleetdm/fleet/v4/server/config"
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/mock"
"github.com/fleetdm/fleet/v4/server/test"
"github.com/stretchr/testify/require"
)
func setup(t *testing.T) (context.Context, *mock.Store, *mock.InstallerStore, fleet.Service) {
ds := new(mock.Store)
is := new(mock.InstallerStore)
cfg := config.TestConfig()
cfg.Server.SandboxEnabled = true
svc, ctx := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: is, FleetConfig: &cfg})
ctx = test.UserContext(ctx, test.UserAdmin)
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
return &fleet.EnrollSecret{Secret: "xyz"}, nil
}
return ctx, ds, is, svc
}
func TestGetInstaller(t *testing.T) {
t.Run("unauthorized access is not allowed", func(t *testing.T) {
_, _, _, svc := setup(t)
_, _, err := svc.GetInstaller(context.Background(), fleet.Installer{})
require.Error(t, err)
require.Contains(t, err.Error(), authz.ForbiddenErrorMessage)
})
t.Run("errors if store is not configured", func(t *testing.T) {
ctx, ds, _, _ := setup(t)
cfg := config.TestConfig()
cfg.Server.SandboxEnabled = true
svc, _ := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: nil, FleetConfig: &cfg})
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "installer storage has not been configured")
})
t.Run("errors if the provided enroll secret cannot be found", func(t *testing.T) {
ctx, ds, _, svc := setup(t)
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
return nil, newNotFoundError()
}
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
require.Error(t, err)
var nfe *notFoundError
require.ErrorAs(t, err, &nfe)
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
})
t.Run("errors if there's a problem verifying the enroll secret", func(t *testing.T) {
ctx, ds, _, svc := setup(t)
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
return nil, ctxerr.New(ctx, "test error")
}
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "test error")
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
})
t.Run("errors if there's a problem checking the blob storage", func(t *testing.T) {
ctx, ds, is, svc := setup(t)
is.GetFunc = func(ctx context.Context, installer fleet.Installer) (io.ReadCloser, int64, error) {
return nil, int64(0), ctxerr.New(ctx, "test error")
}
_, _, err := svc.GetInstaller(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "test error")
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
require.True(t, is.GetFuncInvoked)
})
t.Run("returns binary data with the installer", func(t *testing.T) {
ctx, ds, is, svc := setup(t)
is.GetFunc = func(ctx context.Context, installer fleet.Installer) (io.ReadCloser, int64, error) {
str := "test"
length := int64(len(str))
reader := io.NopCloser(strings.NewReader(str))
return reader, length, nil
}
blob, length, err := svc.GetInstaller(ctx, fleet.Installer{})
require.NoError(t, err)
body, err := io.ReadAll(blob)
require.Equal(t, "test", string(body))
require.EqualValues(t, length, len(body))
require.NoError(t, err)
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
require.True(t, is.GetFuncInvoked)
})
}
func TestCheckInstallerExistence(t *testing.T) {
t.Run("unauthorized access is not allowed", func(t *testing.T) {
_, _, _, svc := setup(t)
err := svc.CheckInstallerExistence(context.Background(), fleet.Installer{})
require.Error(t, err)
require.Contains(t, err.Error(), authz.ForbiddenErrorMessage)
})
t.Run("errors if store is not configured", func(t *testing.T) {
ctx, ds, _, _ := setup(t)
cfg := config.TestConfig()
cfg.Server.SandboxEnabled = true
svc, _ := newTestServiceWithConfig(t, ds, cfg, nil, nil, &TestServerOpts{Is: nil, FleetConfig: &cfg})
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "installer storage has not been configured")
})
t.Run("errors if the provided enroll secret cannot be found", func(t *testing.T) {
ctx, ds, _, svc := setup(t)
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
return nil, newNotFoundError()
}
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.Error(t, err)
var nfe *notFoundError
require.ErrorAs(t, err, &nfe)
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
})
t.Run("errors if there's a problem verifying the enroll secret", func(t *testing.T) {
ctx, ds, _, svc := setup(t)
ds.VerifyEnrollSecretFunc = func(ctx context.Context, enrollSecret string) (*fleet.EnrollSecret, error) {
return nil, ctxerr.New(ctx, "test error")
}
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "test error")
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
})
t.Run("errors if there's a problem checking the blob storage", func(t *testing.T) {
ctx, ds, is, svc := setup(t)
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
return false, ctxerr.New(ctx, "test error")
}
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.Error(t, err)
require.ErrorContains(t, err, "test error")
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
require.True(t, is.ExistsFuncInvoked)
})
t.Run("errors with not found if the installer is not in the storage", func(t *testing.T) {
ctx, ds, is, svc := setup(t)
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
return false, nil
}
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.Error(t, err)
var nfe *notFoundError
require.ErrorAs(t, err, &nfe)
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
require.True(t, is.ExistsFuncInvoked)
})
t.Run("returns no errors if the installer exists", func(t *testing.T) {
ctx, ds, is, svc := setup(t)
is.ExistsFunc = func(ctx context.Context, installer fleet.Installer) (bool, error) {
return true, nil
}
err := svc.CheckInstallerExistence(ctx, fleet.Installer{})
require.NoError(t, err)
require.True(t, ds.VerifyEnrollSecretFuncInvoked)
require.True(t, is.ExistsFuncInvoked)
})
}
Reference in New Issue View Git Blame Copy Permalink