IntenseWebs/opentofu
3
0
Fork 0
mirror of https://github.com/opentofu/opentofu.git synced 2025-01-02 12:17:39 -06:00
Code Issues Packages Projects Releases Wiki Activity
ef64df950c
opentofu/internal/getproviders/http_mirror_source_test.go
Martin Atkins ef64df950c getproviders: Prepare for having multiple valid hashes per package 
As we continue iterating towards saving valid hashes for a package in a
depsfile lock file after installation and verifying them on future
installation, this prepares getproviders for the possibility of having
multiple valid hashes per package.

This will arise in future commits for two reasons:
- We will need to support both the legacy "zip hash" hashing scheme and
  the new-style content-based hashing scheme because currently the
  registry protocol is only able to produce the legacy scheme, but our
  other installation sources prefer the content-based scheme. Therefore
  packages will typically have a mixture of hashes of both types.
- Installing from an upstream registry will save the hashes for the
  packages across all supported platforms, rather than just the current
  platform, and we'll consider all of those valid for future installation
  if we see both successful matching of the current platform checksum and
  a signature verification for the checksums file as a whole.

This also includes some more preparation for the second case above in that
signatureAuthentication now supports AcceptableHashes and returns all of
the zip-based hashes it can find in the checksums file. This is a bit of
an abstraction leak because previously that authenticator considered its
"document" to just be opaque bytes, but we want to make sure that we can
only end up trusting _all_ of the hashes if we've verified that the
document is signed. Hopefully we'll make this better in a future commit
with some refactoring, but that's deferred for now in order to minimize
disruption to existing codepaths while we work towards a provider locking
MVP.
2020-09-24 14:01:54 -07:00

324 lines
10 KiB
Go
Raw Blame History

package getproviders
import (
"fmt"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"github.com/google/go-cmp/cmp"
svchost "github.com/hashicorp/terraform-svchost"
svcauth "github.com/hashicorp/terraform-svchost/auth"
"github.com/hashicorp/terraform/addrs"
)
func TestHTTPMirrorSource(t *testing.T) {
// For mirrors we require a HTTPS server, so we'll use httptest to create
// one. However, that means we need to instantiate the source in an unusual
// way to force it to use the test client that is configured to trust the
// test server.
httpServer := httptest.NewTLSServer(http.HandlerFunc(testHTTPMirrorSourceHandler))
defer httpServer.Close()
httpClient := httpServer.Client()
baseURL, err := url.Parse(httpServer.URL)
if err != nil {
t.Fatalf("httptest.NewTLSServer returned a server with an invalid URL")
}
creds := svcauth.StaticCredentialsSource(map[svchost.Hostname]map[string]interface{}{
svchost.Hostname(baseURL.Host): {
"token": "placeholder-token",
},
})
source := newHTTPMirrorSourceWithHTTPClient(baseURL, creds, httpClient)
existingProvider := addrs.MustParseProviderSourceString("terraform.io/test/exists")
missingProvider := addrs.MustParseProviderSourceString("terraform.io/test/missing")
failingProvider := addrs.MustParseProviderSourceString("terraform.io/test/fails")
redirectingProvider := addrs.MustParseProviderSourceString("terraform.io/test/redirects")
redirectLoopProvider := addrs.MustParseProviderSourceString("terraform.io/test/redirect-loop")
tosPlatform := Platform{OS: "tos", Arch: "m68k"}
t.Run("AvailableVersions for provider that exists", func(t *testing.T) {
got, _, err := source.AvailableVersions(existingProvider)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
want := VersionList{
MustParseVersion("1.0.0"),
MustParseVersion("1.0.1"),
MustParseVersion("1.0.2-beta.1"),
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
})
t.Run("AvailableVersions for provider that doesn't exist", func(t *testing.T) {
_, _, err := source.AvailableVersions(missingProvider)
switch err := err.(type) {
case ErrProviderNotFound:
if got, want := err.Provider, missingProvider; got != want {
t.Errorf("wrong provider in error\ngot: %s\nwant: %s", got, want)
}
default:
t.Fatalf("wrong error type %T; want ErrProviderNotFound", err)
}
})
t.Run("AvailableVersions without required credentials", func(t *testing.T) {
unauthSource := newHTTPMirrorSourceWithHTTPClient(baseURL, nil, httpClient)
_, _, err := unauthSource.AvailableVersions(existingProvider)
switch err := err.(type) {
case ErrUnauthorized:
if got, want := string(err.Hostname), baseURL.Host; got != want {
t.Errorf("wrong hostname in error\ngot: %s\nwant: %s", got, want)
}
default:
t.Fatalf("wrong error type %T; want ErrUnauthorized", err)
}
})
t.Run("AvailableVersions when the response is a server error", func(t *testing.T) {
_, _, err := source.AvailableVersions(failingProvider)
switch err := err.(type) {
case ErrQueryFailed:
if got, want := err.Provider, failingProvider; got != want {
t.Errorf("wrong provider in error\ngot: %s\nwant: %s", got, want)
}
if err.MirrorURL != source.baseURL {
t.Errorf("error does not refer to the mirror URL")
}
default:
t.Fatalf("wrong error type %T; want ErrQueryFailed", err)
}
})
t.Run("AvailableVersions for provider that redirects", func(t *testing.T) {
got, _, err := source.AvailableVersions(redirectingProvider)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
want := VersionList{
MustParseVersion("1.0.0"),
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
})
t.Run("AvailableVersions for provider that redirects too much", func(t *testing.T) {
_, _, err := source.AvailableVersions(redirectLoopProvider)
if err == nil {
t.Fatalf("succeeded; expected error")
}
})
t.Run("PackageMeta for a version that exists and has a hash", func(t *testing.T) {
version := MustParseVersion("1.0.0")
got, err := source.PackageMeta(existingProvider, version, tosPlatform)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
want := PackageMeta{
Provider: existingProvider,
Version: version,
TargetPlatform: tosPlatform,
Filename: "terraform-provider-test_v1.0.0_tos_m68k.zip",
Location: PackageHTTPURL(httpServer.URL + "/terraform.io/test/exists/terraform-provider-test_v1.0.0_tos_m68k.zip"),
Authentication: packageHashAuthentication{
RequiredHashes: []Hash{"h1:placeholder-hash"},
AllHashes: []Hash{"h1:placeholder-hash", "h0:unacceptable-hash"},
Platform: Platform{"tos", "m68k"},
},
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
gotHashes := got.AcceptableHashes()
wantHashes := []Hash{"h1:placeholder-hash", "h0:unacceptable-hash"}
if diff := cmp.Diff(wantHashes, gotHashes); diff != "" {
t.Errorf("wrong acceptable hashes\n%s", diff)
}
})
t.Run("PackageMeta for a version that exists and has no hash", func(t *testing.T) {
version := MustParseVersion("1.0.1")
got, err := source.PackageMeta(existingProvider, version, tosPlatform)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
want := PackageMeta{
Provider: existingProvider,
Version: version,
TargetPlatform: tosPlatform,
Filename: "terraform-provider-test_v1.0.1_tos_m68k.zip",
Location: PackageHTTPURL(httpServer.URL + "/terraform.io/test/exists/terraform-provider-test_v1.0.1_tos_m68k.zip"),
Authentication: nil,
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
})
t.Run("PackageMeta for a version that exists but has no archives", func(t *testing.T) {
version := MustParseVersion("1.0.2-beta.1")
_, err := source.PackageMeta(existingProvider, version, tosPlatform)
switch err := err.(type) {
case ErrPlatformNotSupported:
if got, want := err.Provider, existingProvider; got != want {
t.Errorf("wrong provider in error\ngot: %s\nwant: %s", got, want)
}
if got, want := err.Platform, tosPlatform; got != want {
t.Errorf("wrong platform in error\ngot: %s\nwant: %s", got, want)
}
if err.MirrorURL != source.baseURL {
t.Errorf("error does not contain the mirror URL")
}
default:
t.Fatalf("wrong error type %T; want ErrPlatformNotSupported", err)
}
})
t.Run("PackageMeta with redirect to a version that exists", func(t *testing.T) {
version := MustParseVersion("1.0.0")
got, err := source.PackageMeta(redirectingProvider, version, tosPlatform)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
want := PackageMeta{
Provider: redirectingProvider,
Version: version,
TargetPlatform: tosPlatform,
Filename: "terraform-provider-test.zip",
// NOTE: The final URL is interpreted relative to the redirect
// target, not relative to what we originally requested.
Location: PackageHTTPURL(httpServer.URL + "/redirect-target/terraform-provider-test.zip"),
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("wrong result\n%s", diff)
}
})
t.Run("PackageMeta when the response is a server error", func(t *testing.T) {
version := MustParseVersion("1.0.0")
_, err := source.PackageMeta(failingProvider, version, tosPlatform)
switch err := err.(type) {
case ErrQueryFailed:
if got, want := err.Provider, failingProvider; got != want {
t.Errorf("wrong provider in error\ngot: %s\nwant: %s", got, want)
}
if err.MirrorURL != source.baseURL {
t.Errorf("error does not contain the mirror URL")
}
default:
t.Fatalf("wrong error type %T; want ErrQueryFailed", err)
}
})
}
func testHTTPMirrorSourceHandler(resp http.ResponseWriter, req *http.Request) {
if auth := req.Header.Get("authorization"); auth != "Bearer placeholder-token" {
resp.WriteHeader(401)
fmt.Fprintln(resp, "incorrect auth token")
}
switch req.URL.Path {
case "/terraform.io/test/exists/index.json":
resp.Header().Add("Content-Type", "application/json; ignored=yes")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"versions": {
"1.0.0": {},
"1.0.1": {},
"1.0.2-beta.1": {}
}
}
`)
case "/terraform.io/test/fails/index.json", "/terraform.io/test/fails/1.0.0.json":
resp.WriteHeader(500)
fmt.Fprint(resp, "server error")
case "/terraform.io/test/exists/1.0.0.json":
resp.Header().Add("Content-Type", "application/json; ignored=yes")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"archives": {
"tos_m68k": {
"url": "terraform-provider-test_v1.0.0_tos_m68k.zip",
"hashes": [
"h1:placeholder-hash",
"h0:unacceptable-hash"
]
}
}
}
`)
case "/terraform.io/test/exists/1.0.1.json":
resp.Header().Add("Content-Type", "application/json; ignored=yes")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"archives": {
"tos_m68k": {
"url": "terraform-provider-test_v1.0.1_tos_m68k.zip"
}
}
}
`)
case "/terraform.io/test/exists/1.0.2-beta.1.json":
resp.Header().Add("Content-Type", "application/json; ignored=yes")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"archives": {}
}
`)
case "/terraform.io/test/redirects/index.json":
resp.Header().Add("location", "/redirect-target/index.json")
resp.WriteHeader(301)
fmt.Fprint(resp, "redirect")
case "/redirect-target/index.json":
resp.Header().Add("Content-Type", "application/json")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"versions": {
"1.0.0": {}
}
}
`)
case "/terraform.io/test/redirects/1.0.0.json":
resp.Header().Add("location", "/redirect-target/1.0.0.json")
resp.WriteHeader(301)
fmt.Fprint(resp, "redirect")
case "/redirect-target/1.0.0.json":
resp.Header().Add("Content-Type", "application/json")
resp.WriteHeader(200)
fmt.Fprint(resp, `
{
"archives": {
"tos_m68k": {
"url": "terraform-provider-test.zip"
}
}
}
`)
case "/terraform.io/test/redirect-loop/index.json":
// This is intentionally redirecting to itself, to create a loop.
resp.Header().Add("location", req.URL.Path)
resp.WriteHeader(301)
fmt.Fprint(resp, "redirect loop")
default:
resp.WriteHeader(404)
fmt.Fprintln(resp, "not found")
}
}
Reference in New Issue View Git Blame Copy Permalink