207 lines
6.5 KiB
Go
207 lines
6.5 KiB
Go
package webingress
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestHTTPHandlerRedirectsToHTTPS(t *testing.T) {
|
|
runtime := Runtime{Config: RuntimeConfig{ServiceType: "admin-ingress", Scope: "platform"}}
|
|
req := httptest.NewRequest(http.MethodGet, "http://admin.example.test/cluster-admin/dashboard?x=1", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusPermanentRedirect {
|
|
t.Fatalf("status = %d", rec.Code)
|
|
}
|
|
if rec.Header().Get("Location") != "https://admin.example.test/cluster-admin/dashboard?x=1" {
|
|
t.Fatalf("Location = %q", rec.Header().Get("Location"))
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerBlocksUnknownServiceClass(t *testing.T) {
|
|
runtime := Runtime{
|
|
Config: RuntimeConfig{
|
|
ServiceType: "public-ingress",
|
|
Scope: "organization",
|
|
ServiceClasses: []string{"organization_portal", "user_portal"},
|
|
},
|
|
Now: fixedNow,
|
|
}
|
|
req := httptest.NewRequest(http.MethodGet, "https://org.example.test/platform-admin/root", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusForbidden {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var payload Response
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if payload.Reason != "service_class_not_allowed" || payload.ServiceClass != "platform_admin" || payload.Scope != "organization" {
|
|
t.Fatalf("payload = %+v", payload)
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerRequiresFabricServiceChannelBinding(t *testing.T) {
|
|
runtime := Runtime{
|
|
Config: RuntimeConfig{
|
|
ServiceType: "admin-ingress",
|
|
Scope: "platform",
|
|
ServiceClasses: []string{"platform_admin", "cluster_admin"},
|
|
},
|
|
Now: fixedNow,
|
|
}
|
|
req := httptest.NewRequest(http.MethodPost, "https://admin.example.test/platform-admin/root", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusNotImplemented {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var payload Response
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if payload.Reason != "fabric_service_channel_binding_not_implemented" ||
|
|
payload.ServiceClass != "platform_admin" ||
|
|
payload.ObservedAt != "2026-05-17T00:00:00Z" {
|
|
t.Fatalf("payload = %+v", payload)
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerForwardsAllowedRequestToBinder(t *testing.T) {
|
|
binder := &recordingBinder{
|
|
response: FabricResponse{
|
|
StatusCode: http.StatusAccepted,
|
|
Headers: http.Header{"X-RAP-Result": []string{"accepted"}},
|
|
Body: []byte(`{"ok":true}`),
|
|
},
|
|
}
|
|
runtime := Runtime{
|
|
Config: RuntimeConfig{
|
|
ServiceType: "admin-ingress",
|
|
Scope: "platform",
|
|
ServiceClasses: []string{"platform_admin", "cluster_admin"},
|
|
},
|
|
Binder: binder,
|
|
Now: fixedNow,
|
|
}
|
|
req := httptest.NewRequest(http.MethodPost, "https://admin.example.test/platform-admin/root?tab=nodes", strings.NewReader(`{"hello":"world"}`))
|
|
req.Header.Set("X-RAP-Service-Class", "platform_admin")
|
|
req.Header.Set("Authorization", "Bearer secret")
|
|
req.Header.Set("X-Trace-ID", "trace-1")
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusAccepted {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if rec.Header().Get("X-RAP-Result") != "accepted" || rec.Body.String() != `{"ok":true}` {
|
|
t.Fatalf("unexpected response headers=%v body=%s", rec.Header(), rec.Body.String())
|
|
}
|
|
if binder.request.ServiceClass != "platform_admin" ||
|
|
binder.request.Scope != "platform" ||
|
|
binder.request.Path != "/platform-admin/root" ||
|
|
binder.request.Query != "tab=nodes" ||
|
|
string(binder.request.Body) != `{"hello":"world"}` {
|
|
t.Fatalf("request = %+v", binder.request)
|
|
}
|
|
if binder.request.Headers.Get("Authorization") != "" || binder.request.Headers.Get("X-Trace-ID") != "trace-1" {
|
|
t.Fatalf("headers = %#v", binder.request.Headers)
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerDerivesFabricScopeFromServiceClass(t *testing.T) {
|
|
binder := &recordingBinder{response: FabricResponse{StatusCode: http.StatusOK}}
|
|
runtime := Runtime{
|
|
Config: RuntimeConfig{
|
|
ServiceType: "admin-ingress",
|
|
Scope: "platform",
|
|
ServiceClasses: []string{"platform_admin", "cluster_admin"},
|
|
},
|
|
Binder: binder,
|
|
Now: fixedNow,
|
|
}
|
|
req := httptest.NewRequest(http.MethodGet, "https://admin.example.test/cluster-admin/ui-manifest", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
if binder.request.ServiceClass != "cluster_admin" || binder.request.Scope != "cluster" {
|
|
t.Fatalf("request = %+v", binder.request)
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerReportsBinderFailure(t *testing.T) {
|
|
runtime := Runtime{
|
|
Config: RuntimeConfig{ServiceType: "admin-ingress", Scope: "platform", ServiceClasses: []string{"platform_admin"}},
|
|
Binder: failingBinder{},
|
|
Now: fixedNow,
|
|
}
|
|
req := httptest.NewRequest(http.MethodPost, "https://admin.example.test/platform-admin/root", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusBadGateway {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
var payload Response
|
|
if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if payload.Reason != "fabric_service_channel_forward_failed" {
|
|
t.Fatalf("payload = %+v", payload)
|
|
}
|
|
}
|
|
|
|
func TestHTTPSHandlerHealth(t *testing.T) {
|
|
runtime := Runtime{Config: RuntimeConfig{ServiceType: "admin-ingress", Scope: "platform"}, Now: fixedNow}
|
|
req := httptest.NewRequest(http.MethodGet, "https://admin.example.test/healthz", nil)
|
|
rec := httptest.NewRecorder()
|
|
|
|
runtime.HTTPSHandler().ServeHTTP(rec, req)
|
|
|
|
if rec.Code != http.StatusOK {
|
|
t.Fatalf("status = %d body=%s", rec.Code, rec.Body.String())
|
|
}
|
|
}
|
|
|
|
func fixedNow() time.Time {
|
|
return time.Date(2026, 5, 17, 0, 0, 0, 0, time.UTC)
|
|
}
|
|
|
|
type recordingBinder struct {
|
|
request FabricRequest
|
|
response FabricResponse
|
|
}
|
|
|
|
func (b *recordingBinder) Forward(_ context.Context, request FabricRequest) (FabricResponse, error) {
|
|
b.request = request
|
|
return b.response, nil
|
|
}
|
|
|
|
type failingBinder struct{}
|
|
|
|
func (failingBinder) Forward(context.Context, FabricRequest) (FabricResponse, error) {
|
|
return FabricResponse{}, errTestBinderFailure{}
|
|
}
|
|
|
|
type errTestBinderFailure struct{}
|
|
|
|
func (errTestBinderFailure) Error() string { return "binder failed" }
|