Add Get and GetCredentials for CFServiceInstances #3610
Conversation
api/handlers/service_instance.go
Outdated
|
|
||
| serviceInstance, err := h.serviceInstanceRepo.GetServiceInstance(r.Context(), authInfo, serviceInstanceGUID) | ||
| if err != nil { | ||
| return nil, apierrors.LogAndReturn(logger, err, "failed to get service instance") |
There was a problem hiding this comment.
We should "mask" the forbidden error as "not found" in order not to leak information. See here for example
| }) | ||
|
|
||
| It("returns 404 Not Found", func() { | ||
| expectNotAuthorizedError() |
There was a problem hiding this comment.
the It says "returns 404" (correct), but it verifies for not authorised error (not correct :))
There was a problem hiding this comment.
The api should mask forbidden error as not found. Therefore the test should expect a not found error rather then unauthorised. I think you did it the other way round :)
tools/credentials_test.go
Outdated
| } | ||
| }`), | ||
| })) | ||
| When("ToCredentialsSecretData", func() { |
There was a problem hiding this comment.
This When should be a Describe as it describes a function under test
tools/credentials_test.go
Outdated
|
|
||
| JustBeforeEach(func() { | ||
| var err error | ||
| secretData, err = tools.ToCredentialsSecretData(credsObject) |
There was a problem hiding this comment.
Invoking the method under test should be performed within the describe for that function. It should not be invoked in the global describe
tools/credentials_test.go
Outdated
| credsObject any | ||
| secretData map[string][]byte | ||
| credsObject any | ||
| secretData map[string][]byte |
There was a problem hiding this comment.
secretData can be local to the ToCredentialsSecretData describe
tools/credentials_test.go
Outdated
| secretData map[string][]byte | ||
| credsObject any | ||
| secretData map[string][]byte | ||
| decodedCredentials map[string]any |
There was a problem hiding this comment.
decodedCredentials should be pushed down to ToDecodedSecretDataCredentials describe
|
Also, e2e tests would be nice for the two new endpoints |
|
@danail-branekov Did some changes, could you take a look. |
klapkov
force-pushed
the
get_service_is_credentials
branch
from
612645d to
76ed317
Compare
| return nil, apierrors.LogAndReturn(logger, apierrors.ForbiddenAsNotFound(err), "failed to get service instance", "GUID", serviceInstanceGUID) | ||
| } | ||
|
|
||
| if serviceInstance.Type != korifiv1alpha1.UserProvidedType { |
There was a problem hiding this comment.
I think it would be better to push this check to the repository (reasoning below). The repository looks up the service instance anyway, so it could return a not found error in case the service instance type is not upsi.
From API point of view, instance credentials are just another resource. We strive to keep api handlers simple and only take care to process the request parameters, delegate to a repository and present the result. Business logic on aspects of getting and processing resources should be "outsourced" to repositories.
There was a problem hiding this comment.
Forget about it, after a short discussion, having that decision in the handler is probably ok. Apologies for the noise
api/handlers/service_instance.go
Outdated
|
|
||
| serviceInstance, err := h.serviceInstanceRepo.GetServiceInstance(r.Context(), authInfo, serviceInstanceGUID) | ||
| if err != nil { | ||
| return nil, apierrors.LogAndReturn(logger, err, "failed to get service instance") |
There was a problem hiding this comment.
This is still not resolved, the api should mask forbidden errors as not found
| }) | ||
|
|
||
| It("returns 404 Not Found", func() { | ||
| expectNotAuthorizedError() |
There was a problem hiding this comment.
The api should mask forbidden error as not found. Therefore the test should expect a not found error rather then unauthorised. I think you did it the other way round :)
| }) | ||
|
|
||
| It("returns 404 Not Found", func() { | ||
| _, actualAuthInfo, actualInstanceGUID := serviceInstanceRepo.GetServiceInstanceCredentialsArgsForCall(0) |
There was a problem hiding this comment.
From my point of view, checking GetServiceInstanceCredentials invocation and its parameter duplicates the checks in the default case. I think expecting a not found error is enough for this test.
| }) | ||
| }) | ||
|
|
||
| When("getting the service instance fails with not found", func() { |
There was a problem hiding this comment.
the handler should only interpret the "forbidden" error and present it as not found. Any other sort of errors (regiardless not found, general error, whatever) should be just returned.
Having said that, I would alter this When to verify that when the repository returns a generic error, it results into an unexpected error (HTTP 500). In other words, as the handler does not handle the not found error in any particular way, I would go for the least specific test case.
| }) | ||
| }) | ||
|
|
||
| When("the unmarshaling of the secret fails", func() { |
There was a problem hiding this comment.
See the comment on the "not found" error above. The handler does not handle unprocessable entity error in any particular way, it simply returns it. Another context with this particular error does not bring any more value. Therefore I would propose deleting at in order to keep the test simple
| }) | ||
| }) | ||
| }) | ||
| }) |
There was a problem hiding this comment.
Could you also add a When to verify that the repository returns unprocessiable entity error when the secret data is invalid json?
There was a problem hiding this comment.
@danail-branekov Maybe this is a stupid question, but how would I achieve that ? I would have to create a secret with an invalid json format, how would I marshal it ?
There was a problem hiding this comment.
secret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Namespace: space.Name,
},
Data: map[string][]byte{korifiv1alpha1.CredentialSecretKey, []byte{"not-json"}},
}
Expect(k8sClient.Create(ctx, secret)).To(Succeed())
How about that?
Is there a related GitHub Issue?
#3609
#3608
What is this change about?
Here we expose GET /v3/service_instances/:guid and we also add GET /v3/service_instances/:guid/credentials
Does this PR introduce a breaking change?
No
Acceptance Steps
Tag your pair, your PM, and/or team