[A2-802] CreateRule projects API

[srenatus]

🔩 Description

Adds the CreateRule GRPC method to authz-service, wrapping its storage's CreateRule.

Items on Note

• This includes some property-based tests in rules_property_test.go, where we encode what we want the system to do, and what "random inputs" look like. Then, the gopter library takes care of generating 100 inputs, and asserting the property. If it fails to hold, the library will attempt to shrink the input into a manageable test case (as anything random can be unwieldy).

👍 Definition of Done

• you can create a rule from chef-automate dev grpcurl authz-service
• the authz-service method is exposed via automate-gateway
• expose operator (it's currently only "member-of" but it should be in the API) -- ❓ need input there, I'm missing context on the decision

👟 Demo Script / Repro Steps

• start_all_services
• rebuild components/authz-service, rebuild components/automate-gateway
• create a rule: (hab pkg install -b core/jq-static for jq)

[121][default:/src:130]# curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/rules -d "$(jq -n '{ id: "foo-rule", name: "my foo rule", type: "NODE", project_id: "foo-project", conditions: [{ type: "CHEF_SERVERS", values: ["prod", "staging"]}]}')"
{"error":"error creating rule with ID \"foo-rule\": foreign key violation","message":"error creating rule with ID \"foo-rule\": foreign key violation","code":13,"details":[]}[122][default:/src:0]#

• note that this naive attempt failed -- the project doesn't exist -- and the error messaging could be better ⚠️
• try again, creating the project first:

[122][default:/src:0]# curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/projects -d "$(jq -n '{ id: "foo-project", name: "my foo project" }')"
{"project":{"name":"my foo project","id":"foo-project","type":"CUSTOM","projects":["foo-project"]}}
[123][default:/src:0]# curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/rules -d "$(jq -n '{ id: "foo-rule", name: "my foo rule", type: "NODE", project_id: "foo-project", conditions: [{ type: "CHEF_SERVERS", values: ["prod", "staging"]}]}')" | jq .
{
  "rule": {
    "id": "foo3-rule",
    "project_id": "foo-project",
    "name": "my foo rule",
    "type": "NODE",
    "conditions": [
      {
        "type": "CHEF_SERVERS",
        "values": [
          "prod",
          "staging"
        ]
      }
    ]
  }
}

• check the database that it was properly created:

[129][default:/src:113]# chef-automate dev psql chef_authz_service
psql (9.6.11)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

chef_authz_service=# select * from iam_project_rules where id='foo-rule';
 db_id |    id    | project_id  |    name     | type
-------+----------+-------------+-------------+------
     3 | foo-rule | foo-project | my foo rule | node
(1 row)
chef_authz_service=# select * from iam_rule_conditions where rule_db_id=3;
 db_id | rule_db_id |     value      |  attribute  | operator
-------+------------+----------------+-------------+-----------
     1 |          3 | {prod,staging} | chef-server | member-of
(1 row)

⛓️ Related Resources

• A2-650
  • A2-802 👈

✅ Checklist

• Necessary tests added/updated?
• Necessary docs added/updated?
• Code actually executed?
• Vetting performed (unit tests, lint, etc.)?

[bcmdarroch]

Had a few questions, looks good!

[bcmdarroch]

what does sync.Once do?

[tylercloke]

https://golang.org/pkg/sync/#Once It's being used to populate the map apiToStorageConditionAttributes into memory exactly one time. Once will ensure it's only populated once instead of on every call so it's just cached.

[srenatus]

Exactly! It's the lazy way for not having to maintain both mappings manually. Only A -> B is hardcoded, B -> A is initialized once in the way @tylercloke described.

[bcmdarroch]

what does gopter do for us?

[tylercloke]

The readme isn't the best, but it looks like it can be used to generate a bunch of random structs for tested based on possible values for the structs. What it looks like we are using it for here is having it generate lots of different combinations of all the conditions possibilities (since we have a lot of different condition types) so we can test CreateRule against many possible different condition inputs without manually managing how they are generated.

[bcmdarroch]

thanks for splitting this out! we probably should do the same for roles one of these days

[tylercloke]

Use of gopter looks cool for cases where we have a large set of possible inputs to our APIs!

[tylercloke]

https://golang.org/pkg/sync/#Once It's being used to populate the map apiToStorageConditionAttributes into memory exactly one time. Once will ensure it's only populated once instead of on every call so it's just cached.

[tylercloke]

The readme isn't the best, but it looks like it can be used to generate a bunch of random structs for tested based on possible values for the structs. What it looks like we are using it for here is having it generate lots of different combinations of all the conditions possibilities (since we have a lot of different condition types) so we can test CreateRule against many possible different condition inputs without manually managing how they are generated.

[msorens]

Nice work; some comments and questions below.

[msorens]

Maybe it did, but looks like it is now an out-of-date comment. Perhaps "CreateRuleReq mirrors ProjectRule, adding validation" ?

[msorens]

Add blank line after this

[msorens]

Odd place to break the line; consider:

func setupProjectsAndRules(t *testing.T) (
api.ProjectsClient, *cache.Cache, *cache.Cache, *mockEventServiceClient, int64) {

[msorens]

Why the seeding change?

[srenatus]

because it's controlling randomness in gopter

[msorens]

Why does setupProjectsAndRules return arguments that are never used?

[srenatus]

Not used for setupProjects. They are used for setupRules. 🤷‍♂ We could clean this up, I suppose. But I don't find it that terrible.

[msorens]

Ah, still used to thinking about private to namespace means private to file, but not true in Go. 👍

[msorens]

What needs fixing?

[msorens]

Was curious whether this reduced form would work, but it fails. Any thoughts on why?

			ruleReq := &api.CreateRuleReq{
				Id:        "any-name",
				Name:      "any name",
				ProjectId: "foo",
				Type:      api.ProjectRuleTypes_NODE,
				Conditions: []*api.Condition{
					{
						Type:   api.ProjectRuleConditionTypes_CHEF_ORGS,
						Values: []string{"chef"},
					},
				},
			}
			resp, err := cl.CreateRule(ctx, ruleReq)
			assert.NoError(t, err)
			rule := api.ProjectRule(*ruleReq)
			assert.Equal(t, &api.CreateRuleResp{
				Rule: &rule,
			}, resp)

[srenatus]

Didn't dive in deeper, but with this:

diff --git a/components/authz-service/server/v2/rules_test.go b/components/authz-service/server/v2/rules_test.go
index 08a82b6c..c1be18cf 100644
--- a/components/authz-service/server/v2/rules_test.go
+++ b/components/authz-service/server/v2/rules_test.go
@@ -5,6 +5,7 @@ import (
 	"math/rand"
 	"testing"
 
+	"github.com/kylelemons/godebug/pretty"
 	cache "github.com/patrickmn/go-cache"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/codes"
@@ -103,7 +104,8 @@ func TestCreateRule(t *testing.T) {
 		}},
 		// happy path
 		{"with valid rule data, returns no error and creates the rule in storage", func(t *testing.T) {
-			resp, err := cl.CreateRule(ctx, &api.CreateRuleReq{
+
+			ruleReq := &api.CreateRuleReq{
 				Id:        "any-name",
 				Name:      "any name",
 				ProjectId: "foo",
@@ -114,22 +116,16 @@ func TestCreateRule(t *testing.T) {
 						Values: []string{"chef"},
 					},
 				},
-			})
+			}
+			actual, err := cl.CreateRule(ctx, ruleReq)
 			assert.NoError(t, err)
-			assert.Equal(t, &api.CreateRuleResp{
-				Rule: &api.ProjectRule{
-					Id:        "any-name",
-					Name:      "any name",
-					ProjectId: "foo",
-					Type:      api.ProjectRuleTypes_NODE,
-					Conditions: []*api.Condition{
-						{
-							Type:   api.ProjectRuleConditionTypes_CHEF_ORGS,
-							Values: []string{"chef"},
-						},
-					},
-				},
-			}, resp)
+			rule := api.ProjectRule(*ruleReq)
+			expected := &api.CreateRuleResp{
+				Rule: &rule,
+			}
+			if !assert.Equal(t, expected, actual) {
+				t.Log(pretty.Compare(expected, actual))
+			}
 		}},
 	}

...we get:

    --- FAIL: TestCreateRule/with_valid_rule_data,_returns_no_error_and_creates_the_rule_in_storage (0.00s)
        Error Trace:    rules_test.go:126
        Error:          Not equal:
                        expected: &v2.CreateRuleResp{Rule:(*v2.ProjectRule)(0xc000192690), XXX_NoUnkeyedLiteral:struct {}{}, XXX_unrecognized:[]uint8(nil), XXX_sizecache:0}
                        actual  : &v2.CreateRuleResp{Rule:(*v2.ProjectRule)(0xc000192230), XXX_NoUnkeyedLiteral:struct {}{}, XXX_unrecognized:[]uint8(nil), XXX_sizecache:0}

                        Diff:
        Test:           TestCreateRule/with_valid_rule_data,_returns_no_error_and_creates_the_rule_in_storage
        rules_test.go:127:  {
              Rule: {
               Id: "any-name",
               ProjectId: "foo",
               Name: "any name",
               Type: 0,
               Conditions: [
                {
                 Type: 1,
                 Values: [
                  "chef",
                 ],
                 XXX_NoUnkeyedLiteral: {
                 },
                 XXX_unrecognized: [
                 ],
            -    XXX_sizecache: 8,
            +    XXX_sizecache: 0,
                },
               ],
               XXX_NoUnkeyedLiteral: {
               },
               XXX_unrecognized: [
               ],
            -  XXX_sizecache: 35,
            +  XXX_sizecache: 0,
              },
              XXX_NoUnkeyedLiteral: {
              },
              XXX_unrecognized: [
              ],
              XXX_sizecache: 0,
             }

So, the trivial answer is: the XXX_sizecache fields don't match. 😉

[msorens]

Hmm... I did not see the expanded diff when I ran it, just this. Any idea why my output is different?

expected: &v2.CreateRuleResp{Rule:(*v2.ProjectRule)(0xc0001930a0), XXX_NoUnkeyedLiteral:struct {}{}, XXX_unrecognized:[]uint8(nil), XXX_sizecache:0}
            
actual  : &v2.CreateRuleResp{Rule:(*v2.ProjectRule)(0xc000192bd0), XXX_NoUnkeyedLiteral:struct {}{}, XXX_unrecognized:[]uint8(nil), XXX_sizecache:0}
                        
Diff:

[srenatus]

For more information please reread -- my comment includes the diff of what I had to do to see that, too ☝️

[msorens]

🤔 Except it does not include the actual command; "diff --git..." is output... Am I missing something...?

[srenatus]

Sorry that was the output of git diff.

[msorens]

We have used one data generator in our code base already, https://github.com/jaswdr/faker. Is gopter more useful?

[srenatus]

Is gopter more useful?

100 times yes -- since it's not just a data generator. Back when we've introduced faker, you might remember our conversations (also with @phiggins, https://github.com/chef/a2/pull/4294 and previous gopter usage introduced earlier: https://github.com/chef/a2/pull/4369): fake data is nice for tests, but the icing on the cake is property based tests. This is what gopter gives us: a way to state properties, and assert them using a large battery of random inputs.

I.e. instead of

generate one random policy, see that it can be created

we formulate a property

when CreateRule is called with some input, it will lead to a rule in storage

and have the framework try that a hundred times with different inputs.

Also, any decent PBT framework gives you shrinking: when it finds an input such that the property not holds, it attempts to find the smallest input that does the same thing. It's vital for dealing with random inputs.

Now, this doesn't mean what we don't need unit tests. And it also doesn't mean that the way we're using it here is the one and only correct way.