Revert "fix(target): Skip fetching proxy server cert (#6055)" (#6066)

This reverts commit 3dd238a.

Author: AprilMay0

internal/target/repository.go

@@ -24,7 +24,6 @@ import (
 	"github.com/hashicorp/boundary/internal/types/scope"
 	"github.com/hashicorp/boundary/internal/util"
 	"github.com/hashicorp/go-dbw"
-	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
 // RepositoryFactory enables `target.Repository` object instantiation,
@@ -52,12 +51,6 @@ type Repository struct {
 	permissions []perms.Permission
 }
 
-// getTargetProxyServerCertificateFn can be overridden for testing or extension purposes.
-// By default, it returns nil, nil because TCP targets do not currently use a proxy server certificate.
-var getTargetProxyServerCertificateFn = func(ctx context.Context, r *Repository, target targetView, databaseWrapper wrapping.Wrapper, opts options) (*ServerCertificate, error) {
-	return nil, nil
-}
-
 // NewRepository creates a new target Repository.
 // Supports the following options:
 // - WithLimit: sets a limit on the number of results returned by various repo operations.
@@ -147,9 +140,16 @@ func (r *Repository) LookupTargetForSessionAuthorization(ctx context.Context, pu
 				address = targetAddress.GetAddress()
 			}
 
-			cert, err = getTargetProxyServerCertificateFn(ctx, r, target, databaseWrapper, opts)
-			if err != nil && !errors.IsNotFoundError(err) {
-				return errors.Wrap(ctx, err, op)
+			if opts.WithAlias != nil {
+				cert, err = fetchTargetAliasProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, opts.WithAlias, databaseWrapper, target.GetSessionMaxSeconds())
+				if err != nil && !errors.IsNotFoundError(err) {
+					return errors.Wrap(ctx, err, op)
+				}
+			} else {
+				cert, err = fetchTargetProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, databaseWrapper, target.GetSessionMaxSeconds())
+				if err != nil && !errors.IsNotFoundError(err) {
+					return errors.Wrap(ctx, err, op)
+				}
 			}
 			return nil
 		},

internal/target/repository_proxy_server_certificate_test.go

@@ -302,10 +302,7 @@ func TestFetchTargetAliasProxyServerCertificate(t *testing.T) {
 	}
 }
 
-// Test_LookupTargetForSessionAuthorization tests looking up a target for session both with and without an alias.
-// The target used in this test does not have a proxy server certificate because TCP targets do not currently support proxy server certificates.
-// Fetching the proxy server certificate is tested in other enterprise tests.
-func Test_LookupTargetForSessionAuthorization(t *testing.T) {
+func Test_FetchCertsWithinLookupTargetForSessionAuthorization(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 	conn, _ := db.TestSetup(t, "postgres")
@@ -315,50 +312,74 @@ func Test_LookupTargetForSessionAuthorization(t *testing.T) {
 	_, proj := iam.TestScopes(t, iam.TestRepo(t, conn, wrapper))
 	repo, err := target.NewRepository(context.Background(), rw, rw, testKms)
 	require.NoError(t, err)
+	databaseWrapper, err := testKms.GetWrapper(ctx, proj.PublicId, kms.KeyPurposeDatabase)
+	require.NoError(t, err)
 
 	tar := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target")
+	tar2 := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target2")
 
 	// Create an alias
 	aliasValue := "test-alias"
 	alias := talias.TestAlias(t, rw, aliasValue, talias.WithDestinationId(tar.GetPublicId()))
+	require.NoError(t, err)
 	require.NotNil(t, alias)
 
+	// Create our default localhost target cert
+	cer, err := target.NewTargetProxyCertificate(ctx, target.WithTargetId(tar.GetPublicId()))
+	require.NoError(t, err)
+	require.NotNil(t, cer)
+	id, err := db.NewPublicId(ctx, globals.ProxyServerCertificatePrefix)
+	require.NoError(t, err)
+	cer.PublicId = id
+	err = cer.Encrypt(ctx, databaseWrapper)
+	require.NoError(t, err)
+	err = rw.Create(ctx, cer)
+	require.NoError(t, err)
+
 	tests := []struct {
 		name     string
 		publicId string
 		opt      []target.Option
-		wantErr  bool
+		wantCert bool
 	}{
 		{
-			name:     "success-get-target-no-cert",
+			name:     "success-get-target-with-certificate",
 			publicId: tar.GetPublicId(),
-			wantErr:  false,
+			wantCert: true,
 		},
 		{
-			name:     "success-get-target-no-cert-with-alias",
+			name:     "success-get-target-with-alias-certificate",
 			publicId: tar.GetPublicId(),
 			opt: []target.Option{
 				target.WithAlias(alias),
 			},
-			wantErr: false,
+			wantCert: true,
+		},
+		{
+			name:     "success-get-target-no-cert",
+			publicId: tar2.GetPublicId(),
+			wantCert: false,
 		},
 		{
-			name:     "fail-missing-target-id",
-			publicId: "",
-			wantErr:  true,
+			name:     "success-get-target-no-cert-with-alias",
+			publicId: tar2.GetPublicId(),
+			opt: []target.Option{
+				target.WithAlias(alias),
+			},
+			wantCert: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			got, err := repo.LookupTargetForSessionAuthorization(ctx, tt.publicId, proj.PublicId, tt.opt...)
-			if tt.wantErr {
-				require.Error(err)
-				return
-			}
 			require.NoError(err)
-			require.NotNil(got)
-			assert.Nil(got.GetProxyServerCertificate())
+			assert.NotNil(got)
+			if tt.wantCert {
+				assert.NotNil(got.GetProxyServerCertificate())
+			} else {
+				assert.Nil(got.GetProxyServerCertificate())
+			}
 		})
 	}
 }