Test new /v3/service_instances/:guid/permissions

will-gant · ctlong · commit 2408d64a28a6 · 2022-09-15T09:37:34.000-07:00
Also update the CATS service broker to retrieve the value of the HTTP_X_API_INFO_LOCATION header from calls from the Cloud Controller, store it in memory, and then serve it on a new endpoint. This is a slightly more realistic way to test the SSO lifecycle, as the old helper function used by these tests hardcoded the API info endpoint as `/info`. That worked because, like `/v2/info`, its response object also had the authorization_endpoint at the top level.
diff --git a/assets/service_broker/service_broker.rb b/assets/service_broker/service_broker.rb
@@ -6,6 +6,7 @@
 require 'pp'
 require 'logger'
 require 'rainbow/ext/string'
+require 'uri'
 
 require 'bundler'
 Bundler.require :default, ENV['RACK_ENV'].to_sym
@@ -132,6 +133,7 @@ def behavior_for_type(type, plan_id)
 
 class ServiceBroker < Sinatra::Base
   set :logging, true
+  set :cf_api_info_location, ''
 
   configure :production, :development, :test do
     $datasource = DataSource.new
@@ -160,6 +162,11 @@ def log_response(status, body)
     body
   end
 
+  def get_info_endpoint(request)
+    api_info_location_header = request.env['HTTP_X_API_INFO_LOCATION']
+    settings.cf_api_info_location = api_info_location_header
+  end
+
   def respond_with_behavior(behavior, accepts_incomplete=false)
     sleep behavior['sleep_seconds']
 
@@ -187,8 +194,23 @@ def respond_from_config(behavior)
     end
   end
 
+  def cf_respond_with_api_info_location(cf_api_info_location)
+    if cf_api_info_location.empty?
+      status 503
+      log_response(status, JSON.pretty_generate({
+        error: true,
+        message: "CF API info URL not known - either the cloud controller has not called the broker API yet, or it has failed to include a X-Api-Info-Location header that was a valid URL",
+        path: request.url,
+        type: '503'
+      }))
+    else
+      log_response(status, cf_api_info_location)
+    end
+  end
+
   before do
     log(request)
+    get_info_endpoint(request) if request.path.start_with?("/v2/")
   end
 
   # fetch catalog
@@ -319,6 +341,10 @@ def respond_from_config(behavior)
     log_response(status, JSON.pretty_generate($datasource.without_instances_or_bindings))
   end
 
+  get '/cf_api_info_url' do
+    cf_respond_with_api_info_location(settings.cf_api_info_location)
+  end
+
   error do
     status 500
     e = env['sinatra.error']
diff --git a/assets/service_broker/spec/service_broker_spec.rb b/assets/service_broker/spec/service_broker_spec.rb
@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'json'
+require 'timeout'
 
 describe ServiceBroker do
   before do
@@ -200,6 +201,33 @@
     end
   end
 
+  describe 'cf api info location' do
+    api_not_known_error = JSON.pretty_generate({
+      "error" => true,
+      "message" => "CF API info URL not known - either the cloud controller has not called the broker API yet, or it has failed to include a X-Api-Info-Location header that was a valid URL",
+      "path" => "http://example.org/cf_api_info_url",
+      "type" => '503'
+    })
+
+    context "no request to a /v2 endpoint has been made yet" do
+      it 'responds with internal server error' do
+        get '/cf_api_info_url'
+        expect(last_response.status).to eq(503)
+        expect(last_response.body).to eq(api_not_known_error)
+      end
+    end
+
+    context "a /v2 request from the cloud controller had the X-Api-Info-Location header set to a valid url" do
+      it 'receives a url in response' do
+        info_endpoint = 'system-domain.com/v2/info'
+        get '/v2/catalog', nil, { 'HTTP_X_API_INFO_LOCATION' => info_endpoint }
+        get '/cf_api_info_url'
+        expect(last_response.body).to eq(info_endpoint)
+        expect(last_response.status).to eq(200)
+      end
+    end
+  end
+
   describe 'configuration management' do
     before do
       post '/config/reset'
diff --git a/helpers/services/broker.go b/helpers/services/broker.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"strings"
 
 	. "github.com/onsi/gomega"
@@ -123,6 +124,18 @@ func (b ServiceBroker) PushWithBuildpackAndManifest(config cats_config.CatsConfi
 	).Wait(Config.BrokerStartTimeoutDuration())).To(Exit(0))
 }
 
+func (b ServiceBroker) GetApiInfoUrl() string {
+	brokerURL := helpers.AppUri(b.Name, "/cf_api_info_url", Config)
+	resp, err := http.Get(brokerURL)
+	Expect(err == nil)
+	Expect(resp.StatusCode == 200)
+
+	respData, err := ioutil.ReadAll(resp.Body)
+	Expect(err == nil)
+	resp.Body.Close()
+	return string(respData)
+}
+
 func (b ServiceBroker) Configure() {
 	Expect(helpers.Curl(Config, helpers.AppUri(b.Name, "/config", Config), "-d", b.ToJSON()).Wait()).To(Exit(0))
 }
diff --git a/helpers/services/sso.go b/helpers/services/sso.go
@@ -36,20 +36,19 @@ func ParseJsonResponse(response []byte) (resultMap map[string]interface{}) {
 	return
 }
 
-func SetOauthEndpoints(apiEndpoint string, oAuthConfig *OAuthConfig, config cats_config.CatsConfig) {
+func SetOauthEndpoints(apiInfoEndpoint string, oAuthConfig *OAuthConfig, config cats_config.CatsConfig) {
 	args := []string{}
 	if config.GetSkipSSLValidation() {
 		args = append(args, "--insecure")
 	}
-	args = append(args, fmt.Sprintf("%v/info", apiEndpoint))
+	args = append(args, apiInfoEndpoint)
 	curl := helpers.Curl(Config, args...).Wait()
 	Expect(curl).To(Exit(0))
 	apiResponse := curl.Out.Contents()
 	jsonResult := ParseJsonResponse(apiResponse)
 
 	oAuthConfig.TokenEndpoint = fmt.Sprintf("%v", jsonResult[`token_endpoint`])
 	oAuthConfig.AuthorizationEndpoint = fmt.Sprintf("%v", jsonResult[`authorization_endpoint`])
-	return
 }
 
 func AuthenticateUser(authorizationEndpoint string, username string, password string) (cookie string) {
@@ -148,10 +147,9 @@ func GetAccessToken(authCode string, config OAuthConfig) (accessToken string) {
 	return
 }
 
-func QueryServiceInstancePermissionEndpoint(apiEndpoint string, accessToken string, serviceInstanceGuid string) (canManage string, httpCode string) {
-	canManage = `not populated`
+func QueryServiceInstancePermissionEndpoint(apiEndpoint string, accessToken string, serviceInstanceGuid string) (canRead string, canManage string, httpCode string) {
 	authHeader := fmt.Sprintf("Authorization: bearer %v", accessToken)
-	permissionsUri := fmt.Sprintf("%v/v2/service_instances/%v/permissions", apiEndpoint, serviceInstanceGuid)
+	permissionsUri := fmt.Sprintf("%v/v3/service_instances/%v/permissions", apiEndpoint, serviceInstanceGuid)
 
 	curl := helpers.Curl(Config, permissionsUri, `-H`, authHeader, `-w`, `:TestReponseCode:%{http_code}`, `--insecure`, `-v`).Wait()
 	Expect(curl).To(Exit(0))
@@ -164,6 +162,7 @@ func QueryServiceInstancePermissionEndpoint(apiEndpoint string, accessToken stri
 	if httpCode == `200` {
 		jsonResult := ParseJsonResponse([]byte(resultText))
 		canManage = fmt.Sprintf("%v", jsonResult[`manage`])
+		canRead = fmt.Sprintf("%v", jsonResult[`read`])
 	}
 
 	return
diff --git a/services/sso_lifecycle.go b/services/sso_lifecycle.go
@@ -25,6 +25,7 @@ var _ = ServicesDescribe("SSO Lifecycle", func() {
 		if !Config.GetIncludeSSO() {
 			Skip(skip_messages.SkipSSOMessage)
 		}
+		apiEndpoint = Config.Protocol() + Config.GetApiEndpoint()
 		broker = NewServiceBroker(
 			random_name.CATSRandomName("BRKR"),
 			assets.NewAssets().ServiceBroker,
@@ -40,10 +41,10 @@ var _ = ServicesDescribe("SSO Lifecycle", func() {
 		oauthConfig.RedirectUri = redirectUri
 		oauthConfig.RequestedScopes = `openid,cloud_controller_service_permissions.read`
 
-		apiEndpoint = Config.Protocol() + Config.GetApiEndpoint()
-		SetOauthEndpoints(apiEndpoint, &oauthConfig, Config)
-
 		broker.Create()
+
+		apiInfoEndpoint := Config.Protocol() + broker.GetApiInfoUrl() // the CF API must have already called the broker for the first time with its HTTP_X_API_INFO_LOCATION header
+		SetOauthEndpoints(apiInfoEndpoint, &oauthConfig, Config)
 	})
 
 	AfterEach(func() {
@@ -75,10 +76,11 @@ var _ = ServicesDescribe("SSO Lifecycle", func() {
 			accessToken := GetAccessToken(authCode, oauthConfig)
 
 			// use the access token to perform an operation on the user's behalf
-			canManage, httpCode := QueryServiceInstancePermissionEndpoint(apiEndpoint, accessToken, serviceInstanceGuid)
+			canRead, canManage, httpCode := QueryServiceInstancePermissionEndpoint(apiEndpoint, accessToken, serviceInstanceGuid)
 
 			Expect(httpCode).To(Equal(`200`), `The provided access token was not valid.`)
 			Expect(canManage).To(Equal(`true`))
+			Expect(canRead).To(Equal(`true`))
 		})
 	})
 
@@ -111,10 +113,11 @@ var _ = ServicesDescribe("SSO Lifecycle", func() {
 			accessToken := GetAccessToken(authCode, oauthConfig)
 
 			// use the access token to perform an operation on the user's behalf
-			canManage, httpCode := QueryServiceInstancePermissionEndpoint(apiEndpoint, accessToken, serviceInstanceGuid)
+			canRead, canManage, httpCode := QueryServiceInstancePermissionEndpoint(apiEndpoint, accessToken, serviceInstanceGuid)
 
 			Expect(httpCode).To(Equal(`200`), `The provided access token was not valid.`)
 			Expect(canManage).To(Equal(`true`))
+			Expect(canRead).To(Equal(`true`))
 		})
 	})
 
