Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TT-12710]deleting All Partitioned Policies a Key is linked to does not delete the Key #6473

Merged
merged 15 commits into from
Dec 11, 2024
Merged

[TT-12710]deleting All Partitioned Policies a Key is linked to does not delete the Key #6473

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
5fb8937
TT-12710, fixed case in which trying to apply a non-existing policy e…
andrei-tyk Aug 28, 2024
4fa3653
TT-12710, fixed case in which trying to apply a non-existing policy e…
andrei-tyk Aug 30, 2024
02988ee
TT-12710, fixed order of logging
andrei-tyk Aug 30, 2024
177b5f8
TT-12710, fix error message and made condition more resilient
andrei-tyk Aug 30, 2024
625f64d
Merge branch 'master' into TT-12710-deleting-all-partitioned-policies…
andrei-tyk Dec 3, 2024
59b38a2
TT-12710, removed overwriting safeguard that was preventing a correct…
andrei-tyk Dec 4, 2024
c69f7cb
Merge branch 'master' into TT-12710-deleting-all-partitioned-policies…
andrei-tyk Dec 4, 2024
6df6759
TT-12710, fixed failing unit tests that were using incorrect direct a…
andrei-tyk Dec 9, 2024
32d6da7
Merge branch 'master' into TT-12710-deleting-all-partitioned-policies…
andrei-tyk Dec 9, 2024
7299709
TT-12710, added unit test for the previously failing case
andrei-tyk Dec 9, 2024
042076e
Merge branch 'TT-12710-deleting-all-partitioned-policies-a-key-is-lin…
andrei-tyk Dec 9, 2024
968786a
TT-12710, fixed more failing unit tests
andrei-tyk Dec 9, 2024
092bbe1
TT-12710, fixed failing unit tests on jwt tokens and policies
andrei-tyk Dec 9, 2024
677d54d
TT-12710,fixed failing unit tests
andrei-tyk Dec 9, 2024
af0b42d
Merge branch 'master' into TT-12710-deleting-all-partitioned-policies…
andrei-tyk Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 102 additions & 26 deletions gateway/api_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -457,16 +457,24 @@ func TestKeyHandler_UpdateKey(t *testing.T) {
}
})

pIdAccess := ts.CreatePolicy(func(p *user.Policy) {
titpetric marked this conversation as resolved.
Show resolved Hide resolved
p.Partitions.Acl = true
p.AccessRights = map[string]user.AccessDefinition{testAPIID: {
APIID: testAPIID, Versions: []string{"v1"},
}}
p.Tags = []string{"p3-tag"}
p.MetaData = map[string]interface{}{
"p3-meta": "p3-value",
}
})

session, key := ts.CreateSession(func(s *user.SessionState) {
s.ApplyPolicies = []string{pID}
s.ApplyPolicies = []string{pIdAccess, pID}
s.Tags = []string{"key-tag1", "key-tag2"}
s.MetaData = map[string]interface{}{
"key-meta1": "key-value1",
"key-meta2": "key-value2",
}
s.AccessRights = map[string]user.AccessDefinition{testAPIID: {
APIID: testAPIID, Versions: []string{"v1"},
}}
})

t.Run("Add policy not enforcing acl", func(t *testing.T) {
Expand All @@ -479,8 +487,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) {
}...)

sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false)
if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 2 {

_, exists := sessionState.AccessRights[testAPIID]
if !found || !exists || len(sessionState.ApplyPolicies) != 3 {
t.Fatal("Adding policy to the list failed")
}
})
Expand All @@ -495,7 +503,8 @@ func TestKeyHandler_UpdateKey(t *testing.T) {
}...)

sessionState, found := ts.Gw.GlobalSessionManager.SessionDetail("default", key, false)
if !found || sessionState.AccessRights[testAPIID].APIID != testAPIID || len(sessionState.ApplyPolicies) != 0 {
_, exists := sessionState.AccessRights[testAPIID]
if !found || !exists || len(sessionState.ApplyPolicies) != 0 {
t.Fatal("Removing policy from the list failed")
}
})
Expand All @@ -520,21 +529,21 @@ func TestKeyHandler_UpdateKey(t *testing.T) {
}

t.Run("Add", func(t *testing.T) {
expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2}
expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
assertTags(session, expected)
})

t.Run("Make unique", func(t *testing.T) {
expected := []string{"p1-tag", "p2-tag", "key-tag1", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2}
expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag1", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
session.Tags = append(session.Tags, "p1-tag", "key-tag1")
assertTags(session, expected)
})

t.Run("Remove", func(t *testing.T) {
expected := []string{"p1-tag", "p2-tag", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2}
expected := []string{"p1-tag", "p2-tag", "p3-tag", "key-tag2"}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
session.Tags = []string{"key-tag2"}
assertTags(session, expected)
})
Expand All @@ -561,31 +570,34 @@ func TestKeyHandler_UpdateKey(t *testing.T) {
expected := map[string]interface{}{
"p1-meta": "p1-value",
"p2-meta": "p2-value",
"p3-meta": "p3-value",
"key-meta1": "key-value1",
"key-meta2": "key-value2",
}
session.ApplyPolicies = []string{pID, pID2}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
assertMetaData(session, expected)
})

t.Run("Make unique", func(t *testing.T) {
expected := map[string]interface{}{
"p1-meta": "p1-value",
"p2-meta": "p2-value",
"p3-meta": "p3-value",
"key-meta1": "key-value1",
"key-meta2": "key-value2",
}
session.ApplyPolicies = []string{pID, pID2}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
assertMetaData(session, expected)
})

t.Run("Remove", func(t *testing.T) {
expected := map[string]interface{}{
"p1-meta": "p1-value",
"p2-meta": "p2-value",
"p3-meta": "p3-value",
"key-meta2": "key-value2",
}
session.ApplyPolicies = []string{pID, pID2}
session.ApplyPolicies = []string{pID, pID2, pIdAccess}
session.MetaData = map[string]interface{}{
"key-meta2": "key-value2",
}
Expand Down Expand Up @@ -701,13 +713,14 @@ func TestKeyHandler_DeleteKeyWithQuota(t *testing.T) {

pID := ts.CreatePolicy(func(p *user.Policy) {
p.QuotaMax = 1
p.AccessRights = map[string]user.AccessDefinition{testAPIID: {
APIID: testAPIID,
}}
})

_, key := ts.CreateSession(func(s *user.SessionState) {
s.ApplyPolicies = []string{pID}
s.AccessRights = map[string]user.AccessDefinition{testAPIID: {
APIID: testAPIID,
}}

})

authHeaders := map[string]string{
Expand Down Expand Up @@ -741,7 +754,11 @@ func TestUpdateKeyWithCert(t *testing.T) {
defer ts.Close()

apiId := "MTLSApi"
pID := ts.CreatePolicy(func(p *user.Policy) {})
pID := ts.CreatePolicy(func(p *user.Policy) {
p.AccessRights = map[string]user.AccessDefinition{apiId: {
APIID: apiId, Versions: []string{"v1"},
}}
})

ts.Gw.BuildAndLoadAPI(func(spec *APISpec) {
spec.APIID = apiId
Expand All @@ -768,9 +785,6 @@ func TestUpdateKeyWithCert(t *testing.T) {
// create session base and set cert
session, key := ts.CreateSession(func(s *user.SessionState) {
s.ApplyPolicies = []string{pID}
s.AccessRights = map[string]user.AccessDefinition{apiId: {
APIID: apiId, Versions: []string{"v1"},
}}
s.Certificate = certID
})

Expand Down Expand Up @@ -813,9 +827,6 @@ func TestUpdateKeyWithCert(t *testing.T) {
// create session base and set cert
session, key := ts.CreateSession(func(s *user.SessionState) {
s.ApplyPolicies = []string{pID}
s.AccessRights = map[string]user.AccessDefinition{apiId: {
APIID: apiId, Versions: []string{"v1"},
}}
s.Certificate = certID
})

Expand Down Expand Up @@ -3902,6 +3913,71 @@ func TestOrgKeyHandler_LastUpdated(t *testing.T) {
}...)
}

func TestDeletionOfPoliciesThatFromAKeyDoesNotMakeTheAPIKeyless(t *testing.T) {
const testAPIID = "testAPIID"

ts := StartTest(nil)
defer ts.Close()

apiID1 := testAPIID + "1"
apiID2 := testAPIID + "2"

ts.Gw.BuildAndLoadAPI(func(spec *APISpec) {
spec.APIID = apiID1
spec.UseKeylessAccess = false
spec.OrgID = "default"
spec.Proxy.ListenPath = "/api1"
}, func(spec *APISpec) {
spec.APIID = apiID2
spec.UseKeylessAccess = false
spec.OrgID = "default"
spec.Proxy.ListenPath = "/api2"
})

policyForApi1 := ts.CreatePolicy(func(p *user.Policy) {
p.AccessRights = map[string]user.AccessDefinition{apiID1: {
APIID: apiID1,
}}
})

policyForApi2 := ts.CreatePolicy(func(p *user.Policy) {
p.AccessRights = map[string]user.AccessDefinition{apiID2: {
APIID: apiID2,
}}
})

_, key := ts.CreateSession(func(s *user.SessionState) {
s.ApplyPolicies = []string{policyForApi1, policyForApi2}
})

authHeaders := map[string]string{
"authorization": key,
}

res, err := ts.Run(t, []test.TestCase{
{Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200},
{Method: "GET", Path: "/api2", Headers: authHeaders, Code: 200},
}...)
assert.NotNil(t, res)
assert.Nil(t, err)

ts.DeletePolicy(policyForApi2)
res, err = ts.Run(t, []test.TestCase{
{Method: "GET", Path: "/api1", Headers: authHeaders, Code: 200},
{Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403},
}...)
assert.NotNil(t, res)
assert.Nil(t, err)

ts.DeletePolicy(policyForApi1)
res, err = ts.Run(t, []test.TestCase{
{Method: "GET", Path: "/api1", Headers: authHeaders, Code: 403},
{Method: "GET", Path: "/api2", Headers: authHeaders, Code: 403},
}...)
assert.NotNil(t, res)
assert.Nil(t, err)
}

func TestPurgeOAuthClientTokensEndpoint(t *testing.T) {
conf := func(globalConf *config.Config) {
// set tokens to be expired after 1 second
Expand Down
9 changes: 7 additions & 2 deletions gateway/multiauth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,11 +304,16 @@ func TestJWTAuthKeyMultiAuth(t *testing.T) {
ts := StartTest(nil)
defer ts.Close()

pID := ts.CreatePolicy()
const testAPIID = "test-api-id"
pID := ts.CreatePolicy(func(p *user.Policy) {
p.AccessRights = map[string]user.AccessDefinition{
testAPIID: {APIID: testAPIID, APIName: "test-api"},
}
})

spec := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) {
spec.UseKeylessAccess = false

spec.APIID = testAPIID
spec.AuthConfigs = make(map[string]apidef.AuthConfig)

spec.UseStandardAuth = true
Expand Down
Loading
Loading