Add integration tests and broken example (#197)

* Add integration tests and broken example

* Update test name to run correctly

* Add missing build tag

* Fix sub group duplicates

* Fill out test

* Add broken test for controls

* Implement fix for controls

* Ensure to not query across catalogs for controls also

Author: Chris Vermeulen

.github/workflows/ci.yml

@@ -116,3 +116,39 @@ jobs:
       - name: Run Unit Tests
         run: |
           make test
+
+  integration-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Fetch History
+        run: git fetch --prune --unshallow
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: "go.mod"
+
+      - name: Find the Go Cache
+        id: go
+        run: |
+          echo "::set-output name=build-cache::$(go env GOCACHE)"
+          echo "::set-output name=mod-cache::$(go env GOMODCACHE)"
+
+      - name: Cache the Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go.outputs.build-cache }}
+          key: ${{ runner.os }}-build-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Cache Go Dependencies
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go.outputs.mod-cache }}
+          key: ${{ runner.os }}-mod-${{ github.sha }}-${{ hashFiles('**/go.sum') }}
+
+      - name: Run Unit Tests
+        run: |
+          make test-integration

internal/api/handler/oscal/catalogs.go

@@ -333,7 +333,7 @@ func (h *CatalogHandler) GetGroupSubGroups(ctx echo.Context) error {
 	groupID := ctx.Param("group")
 	var group relational.Group
 	if err := h.db.
-		Preload("Groups").
+		Preload("Groups", "catalog_id = ?", id).
 		Where("id = ? AND catalog_id = ?", groupID, id).
 		First(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -372,7 +372,7 @@ func (h *CatalogHandler) GetGroupControls(ctx echo.Context) error {
 	groupID := ctx.Param("group")
 	var group relational.Group
 	if err := h.db.
-		Preload("Controls").
+		Preload("Controls", "catalog_id = ?", id).
 		Where("id = ? AND catalog_id = ?", groupID, id).
 		First(&group).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -674,7 +674,7 @@ func (h *CatalogHandler) GetControlSubControls(ctx echo.Context) error {
 	controlID := ctx.Param("control")
 	var control relational.Control
 	if err := h.db.
-		Preload("Controls").
+		Preload("Controls", "catalog_id = ?", id).
 		Where("id = ? AND catalog_id = ?", controlID, id).
 		First(&control).Error; err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {

internal/api/handler/oscal/catalogs_integration_test.go

@@ -0,0 +1,302 @@
+//go:build integration
+
+package oscal
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"github.com/compliance-framework/configuration-service/internal/api"
+	"github.com/compliance-framework/configuration-service/internal/api/handler"
+	"github.com/compliance-framework/configuration-service/internal/tests"
+	oscaltypes "github.com/defenseunicorns/go-oscal/src/types/oscal-1-1-3"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/zap"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+func TestOscalCatalogApi(t *testing.T) {
+	suite.Run(t, new(CatalogApiIntegrationSuite))
+}
+
+type CatalogApiIntegrationSuite struct {
+	tests.IntegrationTestSuite
+}
+
+// TestDuplicateCatalogGroupID ensures that when multiple catalogs have group children with the same ID,
+// their children endpoints only returned the relevant groups.
+// This is to prevent a future regression where searching for child groups in a catalog, would return all the groups
+// with a matching ID, rather than only the ones which belong to a catalog.
+func (suite *CatalogApiIntegrationSuite) TestDuplicateCatalogGroupID() {
+	logger, _ := zap.NewDevelopment()
+
+	err := suite.Migrator.Refresh()
+	suite.Require().NoError(err)
+
+	server := api.NewServer(context.Background(), logger.Sugar())
+	RegisterHandlers(server, logger.Sugar(), suite.DB)
+
+	// Create two catalogs with the same group ID structure
+	catalogs := []oscaltypes.Catalog{
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B31",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 1",
+			},
+			Groups: &[]oscaltypes.Group{
+				{
+					ID:    "G-1",
+					Title: "Group 1",
+					Groups: &[]oscaltypes.Group{
+						{
+							ID:    "G-1.1",
+							Title: "Group 1.1",
+						},
+					},
+				},
+			},
+		},
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B32",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 2",
+			},
+			Groups: &[]oscaltypes.Group{
+				{
+					ID:    "G-1",
+					Title: "Group 2",
+					Groups: &[]oscaltypes.Group{
+						{
+							ID:    "G-1.1",
+							Title: "Group 2.1",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, catalog := range catalogs {
+		rec := httptest.NewRecorder()
+		reqBody, _ := json.Marshal(catalog)
+		req := httptest.NewRequest(http.MethodPost, "/api/oscal/catalogs", bytes.NewReader(reqBody))
+		req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+		server.E().ServeHTTP(rec, req)
+		assert.Equal(suite.T(), http.StatusCreated, rec.Code)
+		response := &handler.GenericDataResponse[oscaltypes.Catalog]{}
+		err = json.Unmarshal(rec.Body.Bytes(), response)
+		suite.Require().NoError(err)
+	}
+
+	// Now if we call to check the children for each catalogs' first group, we should only see 1 item
+
+	// The first catalog's group should have the Title Group 1
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B31/groups/G-1/groups", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response := &handler.GenericDataListResponse[oscaltypes.Group]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Group 1.1")
+
+	// The second catalog's group should have the Title Group 1
+	rec = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B32/groups/G-1/groups", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response = &handler.GenericDataListResponse[oscaltypes.Group]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Group 2.1")
+}
+
+// TestDuplicateCatalogControlID ensures that when multiple catalogs have control children with the same ID,
+// their children endpoints only returned the relevant controls.
+// This is to prevent a future regression where searching for child controls in a catalog, would return all the controls
+// with a matching ID, rather than only the ones which belong to a catalog.
+func (suite *CatalogApiIntegrationSuite) TestDuplicateCatalogControlID() {
+	logger, _ := zap.NewDevelopment()
+
+	err := suite.Migrator.Refresh()
+	suite.Require().NoError(err)
+
+	server := api.NewServer(context.Background(), logger.Sugar())
+	RegisterHandlers(server, logger.Sugar(), suite.DB)
+
+	// Create two catalogs with the same group ID structure
+	catalogs := []oscaltypes.Catalog{
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B31",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 1",
+			},
+			Groups: &[]oscaltypes.Group{
+				{
+					ID:    "G-1",
+					Title: "Group 1",
+					Controls: &[]oscaltypes.Control{
+						{
+							ID:    "G-1.1",
+							Title: "Control 1.1",
+						},
+					},
+				},
+			},
+		},
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B32",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 2",
+			},
+			Groups: &[]oscaltypes.Group{
+				{
+					ID:    "G-1",
+					Title: "Group 1",
+					Controls: &[]oscaltypes.Control{
+						{
+							ID:    "G-1.1",
+							Title: "Control 2.1",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, catalog := range catalogs {
+		rec := httptest.NewRecorder()
+		reqBody, _ := json.Marshal(catalog)
+		req := httptest.NewRequest(http.MethodPost, "/api/oscal/catalogs", bytes.NewReader(reqBody))
+		req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+		server.E().ServeHTTP(rec, req)
+		assert.Equal(suite.T(), http.StatusCreated, rec.Code)
+		response := &handler.GenericDataResponse[oscaltypes.Catalog]{}
+		err = json.Unmarshal(rec.Body.Bytes(), response)
+		suite.Require().NoError(err)
+	}
+
+	// Now if we call to check the children for each catalogs' first group, we should only see 1 item
+
+	// The first catalog's group should have the Title Group 1
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B31/groups/G-1/controls", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response := &handler.GenericDataListResponse[oscaltypes.Control]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Control 1.1")
+
+	// The second catalog's group should have the Title Group 1
+	rec = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B32/groups/G-1/controls", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response = &handler.GenericDataListResponse[oscaltypes.Control]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Control 2.1")
+}
+
+// TestDuplicateCatalogChildControlID ensures that when multiple catalogs have control children with the same ID,
+// their children endpoints only returned the relevant controls.
+// This is to prevent a future regression where searching for child controls in a catalog, would return all the controls
+// with a matching ID, rather than only the ones which belong to a catalog.
+func (suite *CatalogApiIntegrationSuite) TestDuplicateCatalogChildControlID() {
+	logger, _ := zap.NewDevelopment()
+
+	err := suite.Migrator.Refresh()
+	suite.Require().NoError(err)
+
+	server := api.NewServer(context.Background(), logger.Sugar())
+	RegisterHandlers(server, logger.Sugar(), suite.DB)
+
+	// Create two catalogs with the same group ID structure
+	catalogs := []oscaltypes.Catalog{
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B31",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 1",
+			},
+			Controls: &[]oscaltypes.Control{
+				{
+					ID:    "G-1",
+					Title: "Group 1",
+					Controls: &[]oscaltypes.Control{
+						{
+							ID:    "G-1.1",
+							Title: "Control 1.1",
+						},
+					},
+				},
+			},
+		},
+		{
+			UUID: "D20DB907-B87D-4D12-8760-D36FDB7A1B32",
+			Metadata: oscaltypes.Metadata{
+				Title: "Catalog 2",
+			},
+			Controls: &[]oscaltypes.Control{
+				{
+					ID:    "G-1",
+					Title: "Group 1",
+					Controls: &[]oscaltypes.Control{
+						{
+							ID:    "G-1.1",
+							Title: "Control 2.1",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, catalog := range catalogs {
+		rec := httptest.NewRecorder()
+		reqBody, _ := json.Marshal(catalog)
+		req := httptest.NewRequest(http.MethodPost, "/api/oscal/catalogs", bytes.NewReader(reqBody))
+		req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+		server.E().ServeHTTP(rec, req)
+		assert.Equal(suite.T(), http.StatusCreated, rec.Code)
+		response := &handler.GenericDataResponse[oscaltypes.Catalog]{}
+		err = json.Unmarshal(rec.Body.Bytes(), response)
+		suite.Require().NoError(err)
+	}
+
+	// Now if we call to check the children for each catalogs' first group, we should only see 1 item
+
+	// The first catalog's group should have the Title Group 1
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B31/controls/G-1/controls", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response := &handler.GenericDataListResponse[oscaltypes.Control]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Control 1.1")
+
+	// The second catalog's group should have the Title Group 1
+	rec = httptest.NewRecorder()
+	req = httptest.NewRequest(http.MethodGet, "/api/oscal/catalogs/D20DB907-B87D-4D12-8760-D36FDB7A1B32/controls/G-1/controls", bytes.NewReader([]byte{}))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	server.E().ServeHTTP(rec, req)
+	assert.Equal(suite.T(), http.StatusOK, rec.Code)
+	response = &handler.GenericDataListResponse[oscaltypes.Control]{}
+	err = json.Unmarshal(rec.Body.Bytes(), response)
+	suite.Require().NoError(err)
+	suite.Len(response.Data, 1)
+	suite.Equal(response.Data[0].Title, "Control 2.1")
+}