making changes to API/RPC structure and adding tests

* removed some unnecessary compiler output
* remove configurability of OverprovisioningFactor

Author: rboyer

agent/cache-types/discovery_chain_test.go

@@ -16,7 +16,6 @@ func TestCompiledDiscoveryChain(t *testing.T) {
 	typ := &CompiledDiscoveryChain{RPC: rpc}
 
 	// just do the default chain
-	entries := structs.NewDiscoveryChainConfigEntries()
 	chain := discoverychain.TestCompileConfigEntries(t, "web", "default", "dc1", nil)
 
 	// Expect the proper RPC call. This also sets the expected value
@@ -31,7 +30,6 @@ func TestCompiledDiscoveryChain(t *testing.T) {
 
 			reply := args.Get(2).(*structs.DiscoveryChainResponse)
 			reply.Chain = chain
-			reply.Entries = entries.Flatten()
 			reply.QueryMeta.Index = 48
 			resp = reply
 		})

agent/consul/acl_endpoint_test.go

@@ -5255,6 +5255,22 @@ func upsertTestToken(codec rpc.ClientCodec, masterToken string, datacenter strin
 	return &out, nil
 }
 
+func upsertTestTokenWithPolicyRules(codec rpc.ClientCodec, masterToken string, datacenter string, rules string) (*structs.ACLToken, error) {
+	policy, err := upsertTestPolicyWithRules(codec, masterToken, datacenter, rules)
+	if err != nil {
+		return nil, err
+	}
+
+	token, err := upsertTestToken(codec, masterToken, datacenter, func(token *structs.ACLToken) {
+		token.Policies = []structs.ACLTokenPolicyLink{{ID: policy.ID}}
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
 func retrieveTestTokenAccessorForSecret(codec rpc.ClientCodec, masterToken string, datacenter string, id string) (string, error) {
 	arg := structs.ACLTokenGetRequest{
 		TokenID:      "root",
@@ -5312,6 +5328,10 @@ func deleteTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter stri
 
 // upsertTestPolicy creates a policy for testing purposes
 func upsertTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter string) (*structs.ACLPolicy, error) {
+	return upsertTestPolicyWithRules(codec, masterToken, datacenter, "")
+}
+
+func upsertTestPolicyWithRules(codec rpc.ClientCodec, masterToken string, datacenter string, rules string) (*structs.ACLPolicy, error) {
 	// Make sure test policies can't collide
 	policyUnq, err := uuid.GenerateUUID()
 	if err != nil {
@@ -5321,7 +5341,8 @@ func upsertTestPolicy(codec rpc.ClientCodec, masterToken string, datacenter stri
 	arg := structs.ACLPolicySetRequest{
 		Datacenter: datacenter,
 		Policy: structs.ACLPolicy{
-			Name: fmt.Sprintf("test-policy-%s", policyUnq),
+			Name:  fmt.Sprintf("test-policy-%s", policyUnq),
+			Rules: rules,
 		},
 		WriteRequest: structs.WriteRequest{Token: masterToken},
 	}

agent/consul/discovery_chain_endpoint.go

@@ -20,7 +20,7 @@ func (c *DiscoveryChain) Get(args *structs.DiscoveryChainRequest, reply *structs
 	if done, err := c.srv.forward("DiscoveryChain.Get", args, args, reply); done {
 		return err
 	}
-	defer metrics.MeasureSince([]string{"discoverychain", "get"}, time.Now())
+	defer metrics.MeasureSince([]string{"discovery_chain", "get"}, time.Now())
 
 	// Fetch the ACL token, if any.
 	rule, err := c.srv.ResolveToken(args.Token)
@@ -70,7 +70,6 @@ func (c *DiscoveryChain) Get(args *structs.DiscoveryChainRequest, reply *structs
 			}
 
 			reply.Index = index
-			reply.Entries = entries.Flatten()
 			reply.Chain = chain
 
 			return nil

agent/consul/discovery_chain_endpoint_test.go

@@ -0,0 +1,212 @@
+package consul
+
+import (
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/consul/acl"
+	"github.com/hashicorp/consul/agent/structs"
+	"github.com/hashicorp/consul/testrpc"
+	msgpackrpc "github.com/hashicorp/net-rpc-msgpackrpc"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDiscoveryChainEndpoint_Get(t *testing.T) {
+	t.Parallel()
+
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.PrimaryDatacenter = "dc1"
+		c.ACLDatacenter = "dc1"
+		c.ACLsEnabled = true
+		c.ACLMasterToken = "root"
+		c.ACLDefaultPolicy = "deny"
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+	codec := rpcClient(t, s1)
+	defer codec.Close()
+
+	testrpc.WaitForTestAgent(t, s1.RPC, "dc1")
+	testrpc.WaitForLeader(t, s1.RPC, "dc1")
+
+	denyToken, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", "")
+	require.NoError(t, err)
+
+	allowToken, err := upsertTestTokenWithPolicyRules(codec, "root", "dc1", `service "web" { policy = "read" }`)
+	require.NoError(t, err)
+
+	getChain := func(args *structs.DiscoveryChainRequest) (*structs.DiscoveryChainResponse, error) {
+		resp := structs.DiscoveryChainResponse{}
+		err := msgpackrpc.CallWithCodec(codec, "DiscoveryChain.Get", &args, &resp)
+		if err != nil {
+			return nil, err
+		}
+		// clear fields that we don't care about
+		resp.QueryMeta = structs.QueryMeta{}
+		return &resp, nil
+	}
+
+	// ==== compiling the default chain (no config entries)
+
+	{ // no token
+		_, err := getChain(&structs.DiscoveryChainRequest{
+			Name:                 "web",
+			EvaluateInDatacenter: "dc1",
+			EvaluateInNamespace:  "default",
+			Datacenter:           "dc1",
+		})
+		if !acl.IsErrPermissionDenied(err) {
+			t.Fatalf("err: %v", err)
+		}
+	}
+
+	{ // wrong token
+		_, err := getChain(&structs.DiscoveryChainRequest{
+			Name:                 "web",
+			EvaluateInDatacenter: "dc1",
+			EvaluateInNamespace:  "default",
+			Datacenter:           "dc1",
+			QueryOptions:         structs.QueryOptions{Token: denyToken.SecretID},
+		})
+		if !acl.IsErrPermissionDenied(err) {
+			t.Fatalf("err: %v", err)
+		}
+	}
+
+	expectDefaultResponse_DC1_Default := &structs.DiscoveryChainResponse{
+		Chain: &structs.CompiledDiscoveryChain{
+			ServiceName: "web",
+			Namespace:   "default",
+			Datacenter:  "dc1",
+			Protocol:    "tcp",
+			StartNode:   "resolver:web,,,dc1",
+			Nodes: map[string]*structs.DiscoveryGraphNode{
+				"resolver:web,,,dc1": &structs.DiscoveryGraphNode{
+					Type: structs.DiscoveryGraphNodeTypeResolver,
+					Name: "web,,,dc1",
+					Resolver: &structs.DiscoveryResolver{
+						Default:        true,
+						ConnectTimeout: 5 * time.Second,
+						Target: structs.DiscoveryTarget{
+							Service:    "web",
+							Namespace:  "default",
+							Datacenter: "dc1",
+						},
+					},
+				},
+			},
+			Targets: map[structs.DiscoveryTarget]structs.DiscoveryTargetConfig{
+				structs.DiscoveryTarget{
+					Service:    "web",
+					Namespace:  "default",
+					Datacenter: "dc1",
+				}: {},
+			},
+		},
+	}
+
+	// various ways with good token
+	for _, tc := range []struct {
+		evalDC string
+		evalNS string
+		expect *structs.DiscoveryChainResponse
+	}{
+		{
+			evalDC: "dc1",
+			evalNS: "default",
+			expect: expectDefaultResponse_DC1_Default,
+		},
+		{
+			evalDC: "",
+			evalNS: "default",
+			expect: expectDefaultResponse_DC1_Default,
+		},
+		{
+			evalDC: "dc1",
+			evalNS: "",
+			expect: expectDefaultResponse_DC1_Default,
+		},
+		{
+			evalDC: "",
+			evalNS: "",
+			expect: expectDefaultResponse_DC1_Default,
+		},
+	} {
+		tc := tc
+		name := fmt.Sprintf("dc=%q ns=%q", tc.evalDC, tc.evalNS)
+		require.True(t, t.Run(name, func(t *testing.T) {
+			resp, err := getChain(&structs.DiscoveryChainRequest{
+				Name:                 "web",
+				EvaluateInDatacenter: tc.evalDC,
+				EvaluateInNamespace:  tc.evalNS,
+				Datacenter:           "dc1",
+				QueryOptions:         structs.QueryOptions{Token: allowToken.SecretID},
+			})
+			require.NoError(t, err)
+
+			require.Equal(t, tc.expect, resp)
+		}))
+	}
+
+	{ // Now create one config entry.
+		out := false
+		require.NoError(t, msgpackrpc.CallWithCodec(codec, "ConfigEntry.Apply",
+			&structs.ConfigEntryRequest{
+				Datacenter: "dc1",
+				Entry: &structs.ServiceResolverConfigEntry{
+					Kind:           structs.ServiceResolver,
+					Name:           "web",
+					ConnectTimeout: 33 * time.Second,
+				},
+				WriteRequest: structs.WriteRequest{Token: "root"},
+			}, &out))
+		require.True(t, out)
+	}
+
+	// ==== compiling a chain with config entries
+
+	{ // good token
+		resp, err := getChain(&structs.DiscoveryChainRequest{
+			Name:                 "web",
+			EvaluateInDatacenter: "dc1",
+			EvaluateInNamespace:  "default",
+			Datacenter:           "dc1",
+			QueryOptions:         structs.QueryOptions{Token: allowToken.SecretID},
+		})
+		require.NoError(t, err)
+
+		expect := &structs.DiscoveryChainResponse{
+			Chain: &structs.CompiledDiscoveryChain{
+				ServiceName: "web",
+				Namespace:   "default",
+				Datacenter:  "dc1",
+				Protocol:    "tcp",
+				StartNode:   "resolver:web,,,dc1",
+				Nodes: map[string]*structs.DiscoveryGraphNode{
+					"resolver:web,,,dc1": &structs.DiscoveryGraphNode{
+						Type: structs.DiscoveryGraphNodeTypeResolver,
+						Name: "web,,,dc1",
+						Resolver: &structs.DiscoveryResolver{
+							ConnectTimeout: 33 * time.Second,
+							Target: structs.DiscoveryTarget{
+								Service:    "web",
+								Namespace:  "default",
+								Datacenter: "dc1",
+							},
+						},
+					},
+				},
+				Targets: map[structs.DiscoveryTarget]structs.DiscoveryTargetConfig{
+					structs.DiscoveryTarget{
+						Service:    "web",
+						Namespace:  "default",
+						Datacenter: "dc1",
+					}: {},
+				},
+			},
+		}
+		require.Equal(t, expect, resp)
+	}
+}

agent/consul/discoverychain/compile.go

@@ -755,7 +755,6 @@ RESOLVE_AGAIN:
 		Type: structs.DiscoveryGraphNodeTypeResolver,
 		Name: target.Identifier(),
 		Resolver: &structs.DiscoveryResolver{
-			Definition:     resolver,
 			Default:        resolver.IsDefault(),
 			Target:         target,
 			ConnectTimeout: connectTimeout,
@@ -837,9 +836,7 @@ RESOLVE_AGAIN:
 
 			// If we filtered everything out then no point in having a failover.
 			if len(failoverTargets) > 0 {
-				df := &structs.DiscoveryFailover{
-					Definition: &failover,
-				}
+				df := &structs.DiscoveryFailover{}
 				node.Resolver.Failover = df
 
 				// Convert the targets into targets by cheating a bit and