temp

Author: fheinecke

integrations/operator/controllers/resources/database_test.go

@@ -0,0 +1,124 @@
+/*
+ * Teleport
+ * Copyright (C) 2023  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package resources
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/integration/helpers"
+	"github.com/gravitational/teleport/lib/auth"
+	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/modules"
+	"github.com/gravitational/teleport/lib/service/servicecfg"
+	"github.com/gravitational/teleport/lib/services"
+	"github.com/gravitational/teleport/lib/srv/db/common"
+	"github.com/gravitational/teleport/lib/srv/db/postgres"
+)
+
+func startPostgresTestServer(t *testing.T, authServer *auth.Server) *postgres.TestServer {
+	postgresTestServer, err := postgres.NewTestServer(common.TestServerConfig{
+		AuthClient: authServer,
+	})
+	require.NoError(t, err)
+
+	go func() {
+		t.Logf("Postgres Fake server running at %s port", postgresTestServer.Port())
+		assert.NoError(t, postgresTestServer.Serve())
+	}()
+	t.Cleanup(func() {
+		postgresTestServer.Close()
+	})
+
+	return postgresTestServer
+}
+
+func TestDiagnoseConnectionForPostgresDatabases(t *testing.T) {
+	modules.SetInsecureTestMode(true)
+
+	ctx := context.Background()
+
+	// Start Teleport Auth and Proxy services
+	authProcess, proxyProcess, provisionToken := helpers.MakeTestServers(t)
+	authServer := authProcess.GetAuthServer()
+	proxyAddr, err := proxyProcess.ProxyWebAddr()
+	require.NoError(t, err)
+
+	// Start Fake Postgres Database
+	postgresTestServer := startPostgresTestServer(t, authServer)
+
+	// Start Teleport Database Service
+	databaseResourceName := "mypsqldb"
+	databaseDBName := "dbname"
+	databaseDBUser := "dbuser"
+	helpers.MakeTestDatabaseServer(t, *proxyAddr, provisionToken, nil /* resource matchers */, servicecfg.Database{
+		Name:     databaseResourceName,
+		Protocol: defaults.ProtocolPostgres,
+		URI:      net.JoinHostPort("localhost", postgresTestServer.Port()),
+	})
+	// Wait for the Database Server to be registered
+	waitForDatabases(t, func(ctx context.Context, name string) ([]types.DatabaseServer, error) {
+		return authServer.GetDatabaseServers(ctx, name)
+	}, databaseResourceName)
+
+	roleWithFullAccess, err := types.NewRole("fullaccess", types.RoleSpecV6{
+		Allow: types.RoleConditions{
+			Namespaces:     []string{"default"},
+			DatabaseLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
+			Rules: []types.Rule{
+				types.NewRule(types.KindConnectionDiagnostic, services.RW()),
+			},
+			DatabaseUsers: []string{databaseDBUser},
+			DatabaseNames: []string{databaseDBName},
+		},
+	})
+	require.NoError(t, err)
+	roleWithFullAccess, err = authServer.UpsertRole(ctx, roleWithFullAccess)
+	require.NoError(t, err)
+}
+
+func waitForDatabases(t *testing.T, GetDatabaseServers func(ctx context.Context, name string) ([]types.DatabaseServer, error), dbNames ...string) {
+	ctx := context.Background()
+
+	require.Eventually(t, func() bool {
+		all, err := GetDatabaseServers(ctx, "default")
+		assert.NoError(t, err)
+
+		if len(dbNames) > len(all) {
+			return false
+		}
+
+		registered := 0
+		for _, db := range dbNames {
+			for _, a := range all {
+				if a.GetName() == db {
+					registered++
+					break
+				}
+			}
+		}
+		return registered == len(dbNames)
+	}, 30*time.Second, 100*time.Millisecond)
+}

integrations/operator/controllers/resources/testlib/env.go

@@ -29,8 +29,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/uuid"
-	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/zap/zapcore"
@@ -50,17 +48,18 @@ import (
 
 	"github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/entitlements"
 	"github.com/gravitational/teleport/integration/helpers"
 	resourcesv1 "github.com/gravitational/teleport/integrations/operator/apis/resources/v1"
 	resourcesv2 "github.com/gravitational/teleport/integrations/operator/apis/resources/v2"
 	resourcesv3 "github.com/gravitational/teleport/integrations/operator/apis/resources/v3"
 	resourcesv5 "github.com/gravitational/teleport/integrations/operator/apis/resources/v5"
 	"github.com/gravitational/teleport/integrations/operator/controllers"
 	"github.com/gravitational/teleport/integrations/operator/controllers/resources"
+	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
+	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/srv/db/common"
 	"github.com/gravitational/teleport/lib/srv/db/postgres"
 	"github.com/gravitational/teleport/lib/utils"
@@ -103,73 +102,138 @@ func ValidRandomResourceName(prefix string) string {
 	return prefix + string(b)
 }
 
-func defaultTeleportServiceConfig(t *testing.T) (*helpers.TeleInstance, string) {
-	modules.SetTestModules(t, &modules.TestModules{
-		TestBuildType: modules.BuildEnterprise,
-		TestFeatures: modules.Features{
-			Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-				entitlements.OIDC: {Enabled: true},
-				entitlements.SAML: {Enabled: true},
-			},
-		},
+func startPostgresTestServer(t *testing.T, authServer *auth.Server) *postgres.TestServer {
+	postgresTestServer, err := postgres.NewTestServer(common.TestServerConfig{
+		AuthClient: authServer,
 	})
+	require.NoError(t, err)
 
-	teleportServer := helpers.NewInstance(t, helpers.InstanceConfig{
-		ClusterName: "root.example.com",
-		HostID:      uuid.New().String(),
-		NodeName:    helpers.Loopback,
-		Log:         logrus.StandardLogger(),
+	go func() {
+		t.Logf("Postgres Fake server running at %s port", postgresTestServer.Port())
+		assert.NoError(t, postgresTestServer.Serve())
+	}()
+	t.Cleanup(func() {
+		postgresTestServer.Close()
 	})
 
-	rcConf := servicecfg.MakeDefaultConfig()
-	rcConf.DataDir = t.TempDir()
-	rcConf.Auth.Enabled = true
-	rcConf.Proxy.Enabled = true
-	rcConf.Proxy.DisableWebInterface = true
-	rcConf.SSH.Enabled = true
-	rcConf.Version = "v2"
-
-	rcConf.Auth.StaticTokens, _ = types.NewStaticTokens(types.StaticTokensSpecV2{
-		StaticTokens: []types.ProvisionTokenV1{{
-			Roles:   []types.SystemRole{types.RoleDatabase},
-			Expires: time.Now().Add(time.Hour),
-			Token:   "token",
-		}},
+	return postgresTestServer
+}
+func doCopyPastedTest(t *testing.T) {
+	modules.SetInsecureTestMode(true)
+
+	ctx := context.Background()
+
+	// Start Teleport Auth and Proxy services
+	authProcess, proxyProcess, provisionToken := helpers.MakeTestServers(t)
+	authServer := authProcess.GetAuthServer()
+	proxyAddr, err := proxyProcess.ProxyWebAddr()
+	require.NoError(t, err)
+
+	// Start Fake Postgres Database
+	postgresTestServer := startPostgresTestServer(t, authServer)
+
+	// Start Teleport Database Service
+	databaseResourceName := "mypsqldb"
+	databaseDBName := "dbname"
+	databaseDBUser := "dbuser"
+	helpers.MakeTestDatabaseServer(t, *proxyAddr, provisionToken, nil /* resource matchers */, servicecfg.Database{
+		Name:     databaseResourceName,
+		Protocol: defaults.ProtocolPostgres,
+		URI:      net.JoinHostPort("localhost", postgresTestServer.Port()),
 	})
+	// Wait for the Database Server to be registered
+	waitForDatabases(t, func(ctx context.Context, name string) ([]types.DatabaseServer, error) {
+		return authServer.GetDatabaseServers(ctx, name)
+	}, databaseResourceName)
 
-	roleName := ValidRandomResourceName("role-")
-	unrestricted := []string{"list", "create", "read", "update", "delete"}
-	role, err := types.NewRole(roleName, types.RoleSpecV6{
+	roleWithFullAccess, err := types.NewRole("fullaccess", types.RoleSpecV6{
 		Allow: types.RoleConditions{
-			// the operator has wildcard node labs to be able to see them
-			// but has no login allowed, so it cannot SSH into them
-			NodeLabels: types.Labels{"*": []string{"*"}},
+			Namespaces:     []string{"default"},
+			DatabaseLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
 			Rules: []types.Rule{
-				types.NewRule(types.KindRole, unrestricted),
-				types.NewRule(types.KindUser, unrestricted),
-				types.NewRule(types.KindAuthConnector, unrestricted),
-				types.NewRule(types.KindLoginRule, unrestricted),
-				types.NewRule(types.KindToken, unrestricted),
-				types.NewRule(types.KindOktaImportRule, unrestricted),
-				types.NewRule(types.KindAccessList, unrestricted),
-				types.NewRule(types.KindNode, unrestricted),
-				types.NewRule(types.KindDatabase, unrestricted),
-			},
-			Impersonate: &types.ImpersonateConditions{
-				Users: []string{"Db"},
-				Roles: []string{"Db"},
+				types.NewRule(types.KindConnectionDiagnostic, services.RW()),
 			},
+			DatabaseUsers: []string{databaseDBUser},
+			DatabaseNames: []string{databaseDBName},
 		},
 	})
 	require.NoError(t, err)
+	roleWithFullAccess, err = authServer.UpsertRole(ctx, roleWithFullAccess)
+	require.NoError(t, err)
+}
+
+func defaultTeleportServiceConfig(t *testing.T) (*helpers.TeleInstance, string) {
+	// modules.SetTestModules(t, &modules.TestModules{
+	// 	TestBuildType: modules.BuildEnterprise,
+	// 	TestFeatures: modules.Features{
+	// 		Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
+	// 			entitlements.OIDC: {Enabled: true},
+	// 			entitlements.SAML: {Enabled: true},
+	// 		},
+	// 	},
+	// })
+
+	// teleportServer := helpers.NewInstance(t, helpers.InstanceConfig{
+	// 	ClusterName: "root.example.com",
+	// 	HostID:      uuid.New().String(),
+	// 	NodeName:    helpers.Loopback,
+	// 	Log:         logrus.StandardLogger(),
+	// })
+
+	// rcConf := servicecfg.MakeDefaultConfig()
+	// rcConf.DataDir = t.TempDir()
+	// rcConf.Auth.Enabled = true
+	// rcConf.Proxy.Enabled = true
+	// rcConf.Proxy.DisableWebInterface = true
+	// rcConf.SSH.Enabled = true
+	// rcConf.Version = "v2"
+
+	// rcConf.Auth.StaticTokens, _ = types.NewStaticTokens(types.StaticTokensSpecV2{
+	// 	StaticTokens: []types.ProvisionTokenV1{{
+	// 		Roles:   []types.SystemRole{types.RoleDatabase},
+	// 		Expires: time.Now().Add(time.Hour),
+	// 		Token:   "token",
+	// 	}},
+	// })
+
+	// roleName := ValidRandomResourceName("role-")
+	// unrestricted := []string{"list", "create", "read", "update", "delete"}
+	// role, err := types.NewRole(roleName, types.RoleSpecV6{
+	// 	Allow: types.RoleConditions{
+	// 		// the operator has wildcard node labs to be able to see them
+	// 		// but has no login allowed, so it cannot SSH into them
+	// 		NodeLabels: types.Labels{"*": []string{"*"}},
+	// 		Rules: []types.Rule{
+	// 			types.NewRule(types.KindRole, unrestricted),
+	// 			types.NewRule(types.KindUser, unrestricted),
+	// 			types.NewRule(types.KindAuthConnector, unrestricted),
+	// 			types.NewRule(types.KindLoginRule, unrestricted),
+	// 			types.NewRule(types.KindToken, unrestricted),
+	// 			types.NewRule(types.KindOktaImportRule, unrestricted),
+	// 			types.NewRule(types.KindAccessList, unrestricted),
+	// 			types.NewRule(types.KindNode, unrestricted),
+	// 			types.NewRule(types.KindDatabase, unrestricted),
+	// 		},
+	// 		Impersonate: &types.ImpersonateConditions{
+	// 			Users: []string{"Db"},
+	// 			Roles: []string{"Db"},
+	// 		},
+	// 	},
+	// })
+	// require.NoError(t, err)
 
-	operatorName := ValidRandomResourceName("operator-")
-	_ = teleportServer.AddUserWithRole(operatorName, role)
+	// operatorName := ValidRandomResourceName("operator-")
+	// _ = teleportServer.AddUserWithRole(operatorName, role)
 
-	err = teleportServer.CreateEx(t, nil, rcConf)
+	// err = teleportServer.CreateEx(t, nil, rcConf)
+	// require.NoError(t, err)
+
+	authProcess, proxyProcess, provisionToken := helpers.MakeTestServers(t)
+	authServer := authProcess.GetAuthServer()
+	proxyAddr, err := proxyProcess.ProxyWebAddr()
 	require.NoError(t, err)
 
-	return teleportServer, operatorName
+	return teleportServer, ValidRandomResourceName("operator-")
 }
 
 func FastEventually(t *testing.T, condition func() bool) {
@@ -280,7 +344,7 @@ func setupMockPostgresServer(t *testing.T, setup *TestSetup) {
 		URI:      net.JoinHostPort("localhost", postgresTestServer.Port()),
 	})
 
-	waitForDatabases(t, setup, databaseResourceName)
+	waitForDatabases(t, setup.TeleportClient.GetDatabaseServers, databaseResourceName)
 
 	// server, err := clickhouse.NewTestServer(common.TestServerConfig{
 	// 	AuthClient: setup.TeleportClient,
@@ -296,11 +360,11 @@ func setupMockPostgresServer(t *testing.T, setup *TestSetup) {
 	// }
 }
 
-func waitForDatabases(t *testing.T, setup *TestSetup, dbNames ...string) {
+func waitForDatabases(t *testing.T, GetDatabaseServers func(ctx context.Context, name string) ([]types.DatabaseServer, error), dbNames ...string) {
 	ctx := context.Background()
 
 	require.Eventually(t, func() bool {
-		all, err := setup.TeleportClient.GetDatabaseServers(ctx, "default")
+		all, err := GetDatabaseServers(ctx, "default")
 		assert.NoError(t, err)
 
 		if len(dbNames) > len(all) {
@@ -311,7 +375,6 @@ func waitForDatabases(t *testing.T, setup *TestSetup, dbNames ...string) {
 		for _, db := range dbNames {
 			for _, a := range all {
 				if a.GetName() == db {
-					require.FailNow(t, "Got db: %#v", a)
 					registered++
 					break
 				}
@@ -368,6 +431,8 @@ func StepByStep(setup *TestSetup) {
 
 // SetupTestEnv creates a Kubernetes server, a teleport server and starts the operator
 func SetupTestEnv(t *testing.T, opts ...TestOption) *TestSetup {
+	doCopyPastedTest(t)
+
 	// Hack to get the path of this file in order to find the crd path no matter
 	// where this is called from.
 	_, thisFileName, _, _ := runtime.Caller(0)

lib/client/conntest/database.go

@@ -102,7 +102,6 @@ func NewDatabaseConnectionTester(cfg DatabaseConnectionTesterConfig) (*DatabaseC
 // - the database is accessible and accepting connections from the database server
 // - the database has the database user and database name that was requested
 func (s *DatabaseConnectionTester) TestConnection(ctx context.Context, req TestConnectionRequest) (types.ConnectionDiagnostic, error) {
-	fmt.Printf("HERE TESTCONNECTION *******************************")
 	if req.ResourceKind != types.KindDatabase {
 		return nil, trace.BadParameter("invalid value for ResourceKind, expected %q got %q", types.KindDatabase, req.ResourceKind)
 	}
@@ -127,7 +126,6 @@ func (s *DatabaseConnectionTester) TestConnection(ctx context.Context, req TestC
 		return nil, trace.Wrap(err)
 	}
 
-	return s.handlePingSuccess(ctx, connectionDiagnosticID)
 	databaseServers, err := s.getDatabaseServers(ctx, req.ResourceName)
 	if err != nil {
 		return nil, trace.Wrap(err)