Add client test for namespace interceptor.

Gerrit91 · Gerrit91 · commit c02760b78190 · 2025-09-03T10:23:39.000+02:00
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -9,11 +9,12 @@ import (
 	"log/slog"
 	"os"
 
-	"github.com/metal-stack/masterdata-api/pkg/auth"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	grpcinsecure "google.golang.org/grpc/credentials/insecure"
 
 	v1 "github.com/metal-stack/masterdata-api/api/v1"
+	"github.com/metal-stack/masterdata-api/pkg/auth"
 )
 
 // Client defines the client API
@@ -35,7 +36,6 @@ type GRPCClient struct {
 
 // NewClient creates a new client for the services for the given address, with the certificate and hmac.
 func NewClient(ctx context.Context, hostname string, port int, certFile string, keyFile string, caFile string, hmacKey string, insecure bool, logger *slog.Logger, namespace string) (Client, error) {
-
 	address := fmt.Sprintf("%s:%d", hostname, port)
 
 	certPool, err := x509.SystemCertPool()
@@ -55,20 +55,51 @@ func NewClient(ctx context.Context, hostname string, port int, certFile string,
 		}
 	}
 
-	clientCertificate, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, fmt.Errorf("could not load client key pair: %w", err)
+	var (
+		certificates []tls.Certificate
+		opts         []grpc.DialOption
+	)
+
+	if certFile != "" && keyFile != "" {
+		clientCertificate, err := tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return nil, fmt.Errorf("could not load client key pair: %w", err)
+		}
+
+		certificates = append(certificates, clientCertificate)
+
+		creds := credentials.NewTLS(&tls.Config{
+			ServerName:         hostname,
+			Certificates:       certificates,
+			RootCAs:            certPool,
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: insecure, // nolint:gosec
+		})
+
+		opts = append(opts,
+			// oauth.NewOauthAccess requires the configuration of transport
+			// credentials.
+			grpc.WithTransportCredentials(creds),
+		)
+	} else {
+		opts = append(opts,
+			grpc.WithTransportCredentials(grpcinsecure.NewCredentials()),
+		)
 	}
 
-	creds := credentials.NewTLS(&tls.Config{
-		ServerName:         hostname,
-		Certificates:       []tls.Certificate{clientCertificate},
-		RootCAs:            certPool,
-		MinVersion:         tls.VersionTLS12,
-		InsecureSkipVerify: insecure, // nolint:gosec
-	})
+	if hmacKey != "" {
+		// Set up the credentials for the connection.
+		perRPCHMACAuthenticator, err := auth.NewHMACAuther(hmacKey, auth.EditUser)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create hmac-authenticator: %w", err)
+		}
 
-	if hmacKey == "" {
+		opts = append(opts,
+			// In addition to the following grpc.DialOption, callers may also use
+			// the grpc.CallOption grpc.PerRPCCredentials with the RPC invocation
+			// itself.
+			// See: https://godoc.org/google.golang.org/grpc#PerRPCCredentials
+			grpc.WithPerRPCCredentials(perRPCHMACAuthenticator))
 		return nil, errors.New("no hmac-key specified")
 	}
 
@@ -77,45 +108,40 @@ func NewClient(ctx context.Context, hostname string, port int, certFile string,
 		hmacKey: hmacKey,
 	}
 
-	// Set up the credentials for the connection.
-	perRPCHMACAuthenticator, err := auth.NewHMACAuther(hmacKey, auth.EditUser)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create hmac-authenticator: %w", err)
-	}
-
-	namespaceInterceptor := func(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
-		switch r := req.(type) {
-		case *v1.TenantMemberCreateRequest:
-			r.TenantMember.Namespace = namespace
-		case *v1.TenantMemberFindRequest:
-			r.Namespace = namespace
-		case *v1.ProjectMemberCreateRequest:
-			r.ProjectMember.Namespace = namespace
-		case *v1.ProjectMemberFindRequest:
-			r.Namespace = namespace
+	if namespace != "" {
+		namespaceInterceptor := func(ctx context.Context, method string, req, reply any, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
+			switch r := req.(type) {
+			case *v1.TenantMemberCreateRequest:
+				if r.TenantMember.Namespace == "" {
+					r.TenantMember.Namespace = namespace
+				}
+			case *v1.TenantMemberFindRequest:
+				if r.Namespace == "" {
+					r.Namespace = namespace
+				}
+			case *v1.ProjectMemberCreateRequest:
+				if r.ProjectMember.Namespace == "" {
+					r.ProjectMember.Namespace = namespace
+				}
+			case *v1.ProjectMemberFindRequest:
+				if r.Namespace == "" {
+					r.Namespace = namespace
+				}
+			}
+			return invoker(ctx, method, req, reply, cc, opts...)
 		}
-		return invoker(ctx, method, req, reply, cc, opts...)
-	}
 
-	opts := []grpc.DialOption{
-		// In addition to the following grpc.DialOption, callers may also use
-		// the grpc.CallOption grpc.PerRPCCredentials with the RPC invocation
-		// itself.
-		// See: https://godoc.org/google.golang.org/grpc#PerRPCCredentials
-		grpc.WithPerRPCCredentials(perRPCHMACAuthenticator),
-		// oauth.NewOauthAccess requires the configuration of transport
-		// credentials.
-		grpc.WithTransportCredentials(creds),
-
-		grpc.WithChainUnaryInterceptor(namespaceInterceptor),
-
-		// grpc.WithInsecure(),
+		opts = append(opts,
+			grpc.WithChainUnaryInterceptor(namespaceInterceptor),
+		)
 	}
+
 	// Set up a connection to the server.
 	conn, err := grpc.NewClient(address, opts...)
 	if err != nil {
 		return nil, err
 	}
+
 	client.conn = conn
 
 	return client, nil
diff --git a/pkg/client/client_test.go b/pkg/client/client_test.go
@@ -0,0 +1,205 @@
+package client
+
+import (
+	"context"
+	"log/slog"
+	"net"
+	"strconv"
+	"testing"
+
+	v1 "github.com/metal-stack/masterdata-api/api/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+func Test_Client(t *testing.T) {
+	const (
+		namespace = "a"
+	)
+
+	var (
+		log                 = slog.Default()
+		grpcServer          = grpc.NewServer()
+		projectMemberServer = &projectMemberServer{}
+		tenantMemberServer  = &tenantMemberServer{}
+	)
+
+	v1.RegisterProjectMemberServiceServer(grpcServer, projectMemberServer)
+	v1.RegisterTenantMemberServiceServer(grpcServer, tenantMemberServer)
+
+	reflection.Register(grpcServer)
+
+	lis, err := net.Listen("tcp", "")
+	require.NoError(t, err)
+
+	go func() {
+		err = grpcServer.Serve(lis)
+		require.NoError(t, err)
+	}()
+	defer func() {
+		grpcServer.Stop()
+	}()
+
+	_, portString, err := net.SplitHostPort(lis.Addr().String())
+	require.NoError(t, err)
+
+	port, err := strconv.Atoi(portString)
+	require.NoError(t, err)
+
+	client, err := NewClient(t.Context(), "localhost", port, "", "", "", "", true, log, namespace)
+	require.NoError(t, err)
+
+	t.Run("check namespace interceptor sets missing namespace", func(t *testing.T) {
+		t.Run("project member", func(t *testing.T) {
+			projectMemberServer.create = func(ctx context.Context, pmcr *v1.ProjectMemberCreateRequest) (*v1.ProjectMemberResponse, error) {
+				assert.Equal(t, "project-a", pmcr.ProjectMember.ProjectId)
+				assert.Equal(t, "tenant-a", pmcr.ProjectMember.TenantId)
+				assert.Equal(t, namespace, pmcr.ProjectMember.Namespace)
+				return &v1.ProjectMemberResponse{}, nil
+			}
+			projectMemberServer.find = func(ctx context.Context, pmfr *v1.ProjectMemberFindRequest) (*v1.ProjectMemberListResponse, error) {
+				assert.Equal(t, namespace, pmfr.Namespace)
+				return &v1.ProjectMemberListResponse{}, nil
+			}
+
+			_, err = client.ProjectMember().Create(t.Context(), &v1.ProjectMemberCreateRequest{
+				ProjectMember: &v1.ProjectMember{
+					ProjectId: "project-a",
+					TenantId:  "tenant-a",
+				},
+			})
+			require.NoError(t, err)
+
+			_, err = client.ProjectMember().Find(t.Context(), &v1.ProjectMemberFindRequest{})
+			require.NoError(t, err)
+		})
+
+		t.Run("tenant member", func(t *testing.T) {
+			tenantMemberServer.create = func(ctx context.Context, tmcr *v1.TenantMemberCreateRequest) (*v1.TenantMemberResponse, error) {
+				assert.Equal(t, "tenant-a", tmcr.TenantMember.TenantId)
+				assert.Equal(t, namespace, tmcr.TenantMember.Namespace)
+				return &v1.TenantMemberResponse{}, nil
+			}
+			tenantMemberServer.find = func(ctx context.Context, tmfr *v1.TenantMemberFindRequest) (*v1.TenantMemberListResponse, error) {
+				assert.Equal(t, namespace, tmfr.Namespace)
+				return &v1.TenantMemberListResponse{}, nil
+			}
+
+			_, err = client.TenantMember().Create(t.Context(), &v1.TenantMemberCreateRequest{
+				TenantMember: &v1.TenantMember{
+					TenantId: "tenant-a",
+				},
+			})
+			require.NoError(t, err)
+
+			_, err = client.TenantMember().Find(t.Context(), &v1.TenantMemberFindRequest{})
+			require.NoError(t, err)
+		})
+	})
+
+	t.Run("check explicit namespace can be set anyway", func(t *testing.T) {
+		t.Run("project member", func(t *testing.T) {
+			projectMemberServer.create = func(ctx context.Context, pmcr *v1.ProjectMemberCreateRequest) (*v1.ProjectMemberResponse, error) {
+				assert.Equal(t, "project-a", pmcr.ProjectMember.ProjectId)
+				assert.Equal(t, "tenant-a", pmcr.ProjectMember.TenantId)
+				assert.Equal(t, "b", pmcr.ProjectMember.Namespace)
+				return &v1.ProjectMemberResponse{}, nil
+			}
+			projectMemberServer.find = func(ctx context.Context, pmfr *v1.ProjectMemberFindRequest) (*v1.ProjectMemberListResponse, error) {
+				assert.Equal(t, "b", pmfr.Namespace)
+				return &v1.ProjectMemberListResponse{}, nil
+			}
+
+			_, err = client.ProjectMember().Create(t.Context(), &v1.ProjectMemberCreateRequest{
+				ProjectMember: &v1.ProjectMember{
+					ProjectId: "project-a",
+					TenantId:  "tenant-a",
+					Namespace: "b",
+				},
+			})
+			require.NoError(t, err)
+
+			_, err = client.ProjectMember().Find(t.Context(), &v1.ProjectMemberFindRequest{
+				Namespace: "b",
+			})
+			require.NoError(t, err)
+		})
+
+		t.Run("tenant member", func(t *testing.T) {
+			tenantMemberServer.create = func(ctx context.Context, tmcr *v1.TenantMemberCreateRequest) (*v1.TenantMemberResponse, error) {
+				assert.Equal(t, "tenant-a", tmcr.TenantMember.TenantId)
+				assert.Equal(t, "b", tmcr.TenantMember.Namespace)
+				return &v1.TenantMemberResponse{}, nil
+			}
+			tenantMemberServer.find = func(ctx context.Context, tmfr *v1.TenantMemberFindRequest) (*v1.TenantMemberListResponse, error) {
+				assert.Equal(t, "b", tmfr.Namespace)
+				return &v1.TenantMemberListResponse{}, nil
+			}
+
+			_, err = client.TenantMember().Create(t.Context(), &v1.TenantMemberCreateRequest{
+				TenantMember: &v1.TenantMember{
+					TenantId:  "tenant-a",
+					Namespace: "b",
+				},
+			})
+			require.NoError(t, err)
+
+			_, err = client.TenantMember().Find(t.Context(), &v1.TenantMemberFindRequest{
+				Namespace: "b",
+			})
+			require.NoError(t, err)
+		})
+	})
+}
+
+type projectMemberServer struct {
+	create func(context.Context, *v1.ProjectMemberCreateRequest) (*v1.ProjectMemberResponse, error)
+	find   func(context.Context, *v1.ProjectMemberFindRequest) (*v1.ProjectMemberListResponse, error)
+}
+
+func (t *projectMemberServer) Create(ctx context.Context, r *v1.ProjectMemberCreateRequest) (*v1.ProjectMemberResponse, error) {
+	return t.create(ctx, r)
+}
+
+func (t *projectMemberServer) Delete(context.Context, *v1.ProjectMemberDeleteRequest) (*v1.ProjectMemberResponse, error) {
+	panic("unimplemented")
+}
+
+func (t *projectMemberServer) Find(ctx context.Context, r *v1.ProjectMemberFindRequest) (*v1.ProjectMemberListResponse, error) {
+	return t.find(ctx, r)
+}
+
+func (t *projectMemberServer) Get(context.Context, *v1.ProjectMemberGetRequest) (*v1.ProjectMemberResponse, error) {
+	panic("unimplemented")
+}
+
+func (t *projectMemberServer) Update(context.Context, *v1.ProjectMemberUpdateRequest) (*v1.ProjectMemberResponse, error) {
+	panic("unimplemented")
+}
+
+type tenantMemberServer struct {
+	create func(context.Context, *v1.TenantMemberCreateRequest) (*v1.TenantMemberResponse, error)
+	find   func(context.Context, *v1.TenantMemberFindRequest) (*v1.TenantMemberListResponse, error)
+}
+
+func (t *tenantMemberServer) Create(ctx context.Context, r *v1.TenantMemberCreateRequest) (*v1.TenantMemberResponse, error) {
+	return t.create(ctx, r)
+}
+
+func (t *tenantMemberServer) Delete(context.Context, *v1.TenantMemberDeleteRequest) (*v1.TenantMemberResponse, error) {
+	panic("unimplemented")
+}
+
+func (t *tenantMemberServer) Find(ctx context.Context, r *v1.TenantMemberFindRequest) (*v1.TenantMemberListResponse, error) {
+	return t.find(ctx, r)
+}
+
+func (t *tenantMemberServer) Get(context.Context, *v1.TenantMemberGetRequest) (*v1.TenantMemberResponse, error) {
+	panic("unimplemented")
+}
+
+func (t *tenantMemberServer) Update(context.Context, *v1.TenantMemberUpdateRequest) (*v1.TenantMemberResponse, error) {
+	panic("unimplemented")
+}
