32107571d1
Selectel Cloud DNS v2 requires a project IAM token in X-Auth-Token, not the raw service-user secret; the previous client sent the static secret directly and got 401. The client now parses Credentials.Secret as a Creds JSON blob (username/password/account_id/project_name), exchanges it for a token via the Identity API (POST /identity/v3/auth/tokens), and caches the token in memory per-account until 5 minutes before expiry. ListZones/GetRecords/ ApplyChanges send the cached IAM token instead of the raw secret. provider.Provider gains a Validate(ctx, Credentials) method so a bad account can be rejected via trial login at creation time; all Provider fakes across provider/registry/api/service test packages implement it as a no-op stub for now (Task 2 will make api's mock configurable). Security: the service-user password is folded into the token cache key via SHA-256 (never stored in the clear) so a password change invalidates the cached token; identity errors are generic and never echo the request body. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01BwxdSt4reTm7Dj1oxRvpP3
117 lines
3.9 KiB
Go
117 lines
3.9 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"github.com/vasyakrg/dns-autoresolver/internal/crypto"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/diff"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/model"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/provider"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/provider/registry"
|
|
"github.com/vasyakrg/dns-autoresolver/internal/store/dto"
|
|
)
|
|
|
|
func testCipher(t *testing.T) *crypto.Cipher {
|
|
t.Helper()
|
|
key := make([]byte, 32)
|
|
c, err := crypto.NewCipher(key)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return c
|
|
}
|
|
|
|
// fakeProvider records applied changesets and returns canned zone records.
|
|
type fakeProvider struct {
|
|
actual []model.Record
|
|
applied diff.Changeset
|
|
}
|
|
|
|
func (fakeProvider) Name() string { return "selectel" }
|
|
func (fakeProvider) ListZones(context.Context, provider.Credentials) ([]provider.Zone, error) {
|
|
return nil, nil
|
|
}
|
|
func (f *fakeProvider) GetRecords(context.Context, provider.Credentials, string) ([]model.Record, error) {
|
|
return f.actual, nil
|
|
}
|
|
func (f *fakeProvider) ApplyChanges(_ context.Context, _ provider.Credentials, _ string, cs diff.Changeset) error {
|
|
f.applied = cs
|
|
return nil
|
|
}
|
|
func (fakeProvider) Validate(context.Context, provider.Credentials) error { return nil }
|
|
|
|
type fakeLoader struct{ ref DomainRef }
|
|
|
|
func (l fakeLoader) LoadDomain(context.Context, uuid.UUID, uuid.UUID) (DomainRef, error) {
|
|
return l.ref, nil
|
|
}
|
|
|
|
type nopRecorder struct{}
|
|
|
|
func (nopRecorder) SaveCheckRun(context.Context, uuid.UUID, diff.Changeset) error { return nil }
|
|
|
|
func setup(t *testing.T, actual []model.Record, tmpl dto.TemplateDoc) (*DomainService, *fakeProvider) {
|
|
fp := &fakeProvider{actual: actual}
|
|
reg := registry.New()
|
|
reg.Register(fp)
|
|
cipher := testCipher(t)
|
|
enc, _ := cipher.Encrypt([]byte("secret"))
|
|
loader := fakeLoader{ref: DomainRef{ZoneID: "z1", Provider: "selectel", SecretEnc: enc, Template: tmpl}}
|
|
return New(loader, nopRecorder{}, reg, cipher), fp
|
|
}
|
|
|
|
func TestCheckProducesDiff(t *testing.T) {
|
|
actual := []model.Record{{Type: model.A, Name: "a.example.com.", TTL: 300, Values: []string{"9.9.9.9"}}}
|
|
tmpl := dto.TemplateDoc{Records: []dto.RecordDTO{
|
|
{Type: "A", Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}}, // update
|
|
}}
|
|
svc, _ := setup(t, actual, tmpl)
|
|
cs, err := svc.Check(context.Background(), uuid.New(), uuid.New())
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if len(cs.Updates()) != 1 || cs.Updates()[0].Kind != diff.Update {
|
|
t.Fatalf("expected 1 update, got %+v", cs.Updates())
|
|
}
|
|
}
|
|
|
|
func TestApplyRespectsPruneGuard(t *testing.T) {
|
|
// зона содержит лишнюю запись b (нет в шаблоне) → Prune-кандидат
|
|
actual := []model.Record{
|
|
{Type: model.A, Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}},
|
|
{Type: model.A, Name: "b.example.com.", TTL: 300, Values: []string{"2.2.2.2"}},
|
|
}
|
|
tmpl := dto.TemplateDoc{Records: []dto.RecordDTO{
|
|
{Type: "A", Name: "a.example.com.", TTL: 300, Values: []string{"1.1.1.1"}}, // in sync
|
|
}}
|
|
|
|
// applyPrunes=false → удаление b НЕ применяется
|
|
svc, fp := setup(t, actual, tmpl)
|
|
if _, err := svc.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{ApplyUpdates: true, ApplyPrunes: false}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
for _, d := range fp.applied.Diffs {
|
|
if d.Kind == diff.Delete {
|
|
t.Fatalf("prune must be skipped when ApplyPrunes=false, applied: %+v", fp.applied.Diffs)
|
|
}
|
|
}
|
|
|
|
// applyPrunes=true → удаление b применяется
|
|
svc2, fp2 := setup(t, actual, tmpl)
|
|
if _, err := svc2.Apply(context.Background(), uuid.New(), uuid.New(), ApplyRequest{ApplyUpdates: true, ApplyPrunes: true}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
var sawDelete bool
|
|
for _, d := range fp2.applied.Diffs {
|
|
if d.Kind == diff.Delete && d.Name == "b.example.com." {
|
|
sawDelete = true
|
|
}
|
|
}
|
|
if !sawDelete {
|
|
t.Fatalf("prune must be applied when ApplyPrunes=true, applied: %+v", fp2.applied.Diffs)
|
|
}
|
|
}
|