Write some cache tests and remove store dependency for RBAC handler (encapsulate in service)

Author: speza

handlers/handler.go

@@ -30,7 +30,7 @@ func (s *GaiaHandler) InitHandlers(e *echo.Echo) error {
 	// --- Register handlers at echo instance ---
 	storeService, _ := services.StorageService()
 
-	rbacSvc := rbac.NewService(storeService, rbac.NewCache(time.Minute*30))
+	rbacSvc := rbac.NewService(storeService, rbac.NewCache(time.Minute*30, time.Minute*5))
 	rbacEnforcer := rbac.NewPolicyEnforcer(rbacSvc)
 	policyEnforcer := newPolicyEnforcerMiddleware(rbacEnforcer)
 
@@ -52,7 +52,7 @@ func (s *GaiaHandler) InitHandlers(e *echo.Echo) error {
 		perms.GET("", PermissionGetAll)
 
 		// RBAC
-		rbacHandler := newRBACHandler(storeService, rbacSvc, resourcehelper.NewMarshaller())
+		rbacHandler := newRBACHandler(rbacSvc, resourcehelper.NewMarshaller())
 		e.GET(p+"rbac/policy/:name", rbacHandler.RBACPolicyResourceGet)
 		e.POST(p+"rbac/policy", rbacHandler.RBACPolicyResourcePut)
 		e.PUT(p+"rbac/policy/:name/bind/:username", rbacHandler.RBACPolicyBindingPut)

handlers/rbac.go

@@ -9,17 +9,15 @@ import (
 	"github.com/gaia-pipeline/gaia"
 	"github.com/gaia-pipeline/gaia/helper/resourcehelper"
 	"github.com/gaia-pipeline/gaia/security/rbac"
-	gStore "github.com/gaia-pipeline/gaia/store"
 )
 
 type rbacHandler struct {
-	store          gStore.RBACStore
 	svc            rbac.Service
 	rbacMarshaller resourcehelper.Marshaller
 }
 
-func newRBACHandler(store gStore.RBACStore, svc rbac.Service, rbacMarshaller resourcehelper.Marshaller) *rbacHandler {
-	return &rbacHandler{store: store, svc: svc, rbacMarshaller: rbacMarshaller}
+func newRBACHandler(svc rbac.Service, rbacMarshaller resourcehelper.Marshaller) *rbacHandler {
+	return &rbacHandler{svc: svc, rbacMarshaller: rbacMarshaller}
 }
 
 // RBACPolicyResourcePut creates or updates a new authorization.policy resource.
@@ -67,9 +65,9 @@ func (h rbacHandler) RBACPolicyBindingPut(c echo.Context) error {
 	name := c.Param("name")
 	username := c.Param("username")
 
-	if err := h.store.RBACPolicyBindingPut(username, name); err != nil {
-		gaia.Cfg.Logger.Error("failed to put auth assignment: " + err.Error())
-		return c.String(http.StatusBadRequest, "Error getting policy.")
+	if err := h.svc.PutUserBinding(username, name); err != nil {
+		gaia.Cfg.Logger.Error("failed to put policy binding: " + err.Error())
+		return c.String(http.StatusBadRequest, "Error saving policy binding.")
 	}
 
 	return c.String(http.StatusOK, "Successfully assignment role")

security/rbac/cache.go

@@ -27,12 +27,24 @@ type cache struct {
 }
 
 // NewCache creates a new cache. This cache works using expiration based eviction.
-func NewCache(expiration time.Duration) Cache {
-	return &cache{
+func NewCache(expiration time.Duration, interval time.Duration) Cache {
+	c := &cache{
 		items:      make(map[string]cacheItem),
 		expiration: expiration,
 		mu:         sync.Mutex{},
 	}
+
+	ticker := time.NewTicker(interval)
+	go func() {
+		for {
+			select {
+			case <-ticker.C:
+				c.EvictExpired()
+			}
+		}
+	}()
+
+	return c
 }
 
 // Put creates or updates an item. This uses the default expiration time.
@@ -78,7 +90,7 @@ func (c *cache) EvictExpired() {
 	}
 }
 
-// Clear and invalidate the whole cache
+// Clear and invalidate the whole cache.
 func (c *cache) Clear() {
 	defer c.mu.Unlock()
 	c.mu.Lock()

security/rbac/cache_test.go

@@ -0,0 +1,130 @@
+package rbac
+
+import (
+	"github.com/gaia-pipeline/gaia"
+	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
+	"sync"
+	"testing"
+	"time"
+)
+
+var testItem = gaia.RBACEvaluatedPermissions{
+	PipelineNamespace: {
+		GetAction: map[gaia.RBACPolicyResource]string{
+			"*": "allow",
+		},
+	},
+}
+
+var testMap = map[string]cacheItem{
+	"item": {
+		value:      testItem,
+		expiration: time.Now().Add(1 * time.Minute).UnixNano(),
+	},
+	"item_expired": {
+		value:      testItem,
+		expiration: time.Now().Add(-1 * time.Minute).UnixNano(),
+	},
+}
+
+func TestCache_Get_ValidItem_ReturnsValue(t *testing.T) {
+	cache := cache{
+		expiration: time.Millisecond * 10,
+		items:      testMap,
+		mu:         sync.Mutex{},
+	}
+
+	value, ok := cache.Get("item")
+
+	assert.Check(t, cmp.DeepEqual(value, testMap["item"].value))
+	assert.Check(t, cmp.Equal(ok, true))
+}
+
+func TestCache_Get_MissingItem_ReturnsEmptyStructAndFalse(t *testing.T) {
+	cache := cache{
+		expiration: time.Millisecond * 10,
+		items:      map[string]cacheItem{},
+		mu:         sync.Mutex{},
+	}
+
+	value, ok := cache.Get("missing")
+
+	assert.Check(t, cmp.DeepEqual(value, gaia.RBACEvaluatedPermissions{}))
+	assert.Check(t, cmp.Equal(ok, false))
+}
+
+func TestCache_Get_ExpiredItem_ReturnsEmptyStructAndFalse(t *testing.T) {
+	cache := cache{
+		expiration: time.Millisecond * 10,
+		items:      testMap,
+		mu:         sync.Mutex{},
+	}
+
+	value, ok := cache.Get("item_expired")
+
+	assert.Check(t, cmp.DeepEqual(value, gaia.RBACEvaluatedPermissions{}))
+	assert.Check(t, cmp.Equal(ok, false))
+}
+
+func TestCache_Put_Item_ReturnsItem(t *testing.T) {
+	cache := cache{
+		expiration: time.Minute * 1,
+		items:      map[string]cacheItem{},
+		mu:         sync.Mutex{},
+	}
+
+	value := cache.Put("item", testItem)
+
+	assert.Check(t, cmp.DeepEqual(value, testItem))
+}
+
+func TestCache_EvictExpired(t *testing.T) {
+	cache := cache{
+		expiration: time.Minute * 1,
+		items: map[string]cacheItem{
+			"expired_01": {
+				value:      testItem,
+				expiration: time.Now().Add(-2 * time.Minute).UnixNano(),
+			},
+			"valid_01": {
+				value:      testItem,
+				expiration: time.Now().Add(2 * time.Minute).UnixNano(),
+			},
+			"expired_02": {
+				value:      testItem,
+				expiration: time.Now().Add(-2 * time.Minute).UnixNano(),
+			},
+		},
+		mu: sync.Mutex{},
+	}
+
+	cache.EvictExpired()
+
+	_, p1 := cache.items["expired_01"]
+	assert.Check(t, cmp.Equal(p1, false))
+	_, p2 := cache.items["valid_01"]
+	assert.Check(t, cmp.Equal(p2, true))
+	_, p3 := cache.items["expired_01"]
+	assert.Check(t, cmp.Equal(p3, false))
+}
+
+func TestCache_ClearCache(t *testing.T) {
+	cache := cache{
+		expiration: time.Minute * 1,
+		items: map[string]cacheItem{
+			"expired_01": {
+				value:      testItem,
+				expiration: time.Now().Add(-2 * time.Minute).UnixNano(),
+			},
+			"valid_01": {
+				value:      testItem,
+				expiration: time.Now().Add(2 * time.Minute).UnixNano(),
+			},
+		},
+		mu: sync.Mutex{},
+	}
+
+	cache.Clear()
+	assert.Check(t, cmp.Len(cache.items, 0))
+}

security/rbac/enforcer_test.go

@@ -70,11 +70,11 @@ func (s mockSvc) PutPolicy(policy gaia.RBACPolicyResourceV1) error {
 }
 
 func (s mockSvc) GetUserEvaluatedPolicies(username string) (gaia.RBACEvaluatedPermissions, bool) {
-	panic("implement me")
+	return make(gaia.RBACEvaluatedPermissions), false
 }
 
 func (s mockSvc) PutUserEvaluatedPolicies(username string, perms gaia.RBACEvaluatedPermissions) error {
-	panic("implement me")
+	return nil
 }
 
 func TestPolicyEnforcer_Enforce_WithMissingPolicyStatement_ReturnsError(t *testing.T) {

security/rbac/service.go

@@ -2,7 +2,7 @@ package rbac
 
 import (
 	"fmt"
-	
+
 	"github.com/gaia-pipeline/gaia"
 	"github.com/gaia-pipeline/gaia/store"
 )
@@ -13,6 +13,7 @@ type Service interface {
 	PutPolicy(policy gaia.RBACPolicyResourceV1) error
 	GetUserEvaluatedPolicies(username string) (gaia.RBACEvaluatedPermissions, bool)
 	PutUserEvaluatedPolicies(username string, perms gaia.RBACEvaluatedPermissions) error
+	PutUserBinding(username string, policy string) error
 }
 
 type service struct {
@@ -58,3 +59,8 @@ func (s *service) PutUserEvaluatedPolicies(username string, perms gaia.RBACEvalu
 	s.evaluatedPermsCache.Put(username, perms)
 	return nil
 }
+
+// PutUserBinding saves a user policy binding into the store.
+func (s *service) PutUserBinding(username string, policy string) error {
+	return s.store.RBACPolicyBindingPut(username, policy)
+}