Unit testing

Author: lucian-tosa

api/v1/mdb/mongodbbuilder.go

@@ -146,6 +146,22 @@ func (b *MongoDBBuilder) SetSecurityTLSEnabled() *MongoDBBuilder {
 	return b
 }
 
+func (b *MongoDBBuilder) SetRoles(roles []MongoDBRole) *MongoDBBuilder {
+	if b.mdb.Spec.Security == nil {
+		b.mdb.Spec.Security = &Security{}
+	}
+	b.mdb.Spec.Security.Roles = roles
+	return b
+}
+
+func (b *MongoDBBuilder) SetRoleRefs(roleRefs []MongoDBRoleRef) *MongoDBBuilder {
+	if b.mdb.Spec.Security == nil {
+		b.mdb.Spec.Security = &Security{}
+	}
+	b.mdb.Spec.Security.RoleRefs = roleRefs
+	return b
+}
+
 func (b *MongoDBBuilder) SetLabels(labels map[string]string) *MongoDBBuilder {
 	b.mdb.Labels = labels
 	return b

controllers/operator/clustermongodbrole_controller_test.go

@@ -0,0 +1,202 @@
+package operator
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	apiErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+	"github.com/mongodb/mongodb-kubernetes/api/v1/mdbmulti"
+	rolev1 "github.com/mongodb/mongodb-kubernetes/api/v1/role"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/mock"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/workflow"
+	"github.com/mongodb/mongodb-kubernetes/pkg/util"
+)
+
+func TestReconcileClusterMongoDBRole(t *testing.T) {
+	ctx := context.Background()
+	role := DefaultClusterMongoDBRoleBuilder().Build()
+	reconciler, _ := defaultRoleReconciler(ctx, role)
+
+	actual, err := reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+	if err != nil {
+		return
+	}
+
+	expected, _ := workflow.OK().ReconcileResult()
+
+	assert.Nil(t, err, "there should be no error on successful reconciliation")
+	assert.Equal(t, expected, actual, "there should be a successful reconciliation if the password is a valid reference")
+}
+
+func TestEnsureFinalizer(t *testing.T) {
+	ctx := context.Background()
+	role := DefaultClusterMongoDBRoleBuilder().Build()
+	reconciler, fakeClient := defaultRoleReconciler(ctx, role)
+
+	_, err := reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+	assert.NoError(t, err)
+
+	err = fakeClient.Get(ctx, types.NamespacedName{Name: role.Name}, role)
+	assert.NoError(t, err)
+
+	assert.Contains(t, role.GetFinalizers(), util.RoleFinalizer, "the finalizer should be present")
+}
+
+func TestRoleIsRemovedWhenNoReferences(t *testing.T) {
+	ctx := context.Background()
+	role := DefaultClusterMongoDBRoleBuilder().Build()
+	reconciler, fakeClient := defaultRoleReconciler(ctx, role)
+
+	_, err := reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+	assert.NoError(t, err)
+
+	err = fakeClient.Delete(ctx, role)
+	assert.NoError(t, err)
+
+	newResult, err := reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+
+	newExpected, _ := workflow.OK().ReconcileResult()
+
+	assert.Nil(t, err, "there should be no error on successful reconciliation")
+	assert.Equal(t, newExpected, newResult, "there should be a successful reconciliation if the password is a valid reference")
+
+	err = fakeClient.Get(ctx, types.NamespacedName{Name: role.Name}, role)
+	assert.True(t, apiErrors.IsNotFound(err), "the role should not exist")
+}
+
+func TestRoleIsNotRemovedWhenReferenced(t *testing.T) {
+	ctx := context.Background()
+	role := DefaultClusterMongoDBRoleBuilder().Build()
+
+	roleRefs := []mdb.MongoDBRoleRef{
+		{
+			Name: role.Name,
+			Kind: util.ClusterMongoDBRoleKind,
+		},
+	}
+	cases := []struct {
+		name     string
+		resource client.Object
+	}{
+		{
+			name:     "Replicaset",
+			resource: mdb.NewDefaultReplicaSetBuilder().SetRoleRefs(roleRefs).Build(),
+		},
+		{
+			name:     "Standalone",
+			resource: mdb.NewStandaloneBuilder().SetRoleRefs(roleRefs).Build(),
+		},
+		{
+			name:     "Sharded cluster",
+			resource: mdb.NewDefaultShardedClusterBuilder().SetRoleRefs(roleRefs).Build(),
+		},
+		{
+			name:     "Multi cluster sharded",
+			resource: mdb.NewDefaultMultiShardedClusterBuilder().SetRoleRefs(roleRefs).Build(),
+		},
+		{
+			name:     "Multi cluster replicaset",
+			resource: mdbmulti.DefaultMultiReplicaSetBuilder().SetRoleRefs(roleRefs).Build(),
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			role = DefaultClusterMongoDBRoleBuilder().Build()
+			reconciler, fakeClient := defaultRoleReconciler(ctx, role, c.resource)
+
+			// Add finalizer
+			_, err := reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+			assert.NoError(t, err)
+
+			// Delete resource, should fail since it is still referenced
+			err = fakeClient.Delete(ctx, role)
+			assert.NoError(t, err)
+
+			// Should not remove the finalizer
+			_, _ = reconciler.Reconcile(ctx, reconcile.Request{NamespacedName: types.NamespacedName{Name: role.Name}})
+
+			err = fakeClient.Get(ctx, types.NamespacedName{Name: role.Name}, role)
+			assert.NoError(t, err, "the role should still exist")
+			assert.NotEmpty(t, role.GetFinalizers(), "the finalizer should still be present")
+		})
+	}
+}
+
+func defaultRoleReconciler(ctx context.Context, objects ...client.Object) (*ClusterMongoDBRoleReconciler, client.Client) {
+	kubeClient := mock.NewEmptyFakeClientBuilder().
+		WithObjects(objects...).
+		WithIndex(&mdb.MongoDB{}, ClusterMongoDBRoleIndexForMdb, findRolesForMongoDB).
+		WithIndex(&mdbmulti.MongoDBMultiCluster{}, ClusterMongoDBRoleIndexForMdbMulti, findRolesForMongoDBMultiCluster).
+		Build()
+
+	return newClusterMongoDBRoleReconciler(ctx, kubeClient), kubeClient
+}
+
+type ClusterMongoDBRoleBuilder struct {
+	name        string
+	finalizers  []string
+	annotations map[string]string
+	mongoDBRole mdb.MongoDBRole
+}
+
+func DefaultClusterMongoDBRoleBuilder() *ClusterMongoDBRoleBuilder {
+	return &ClusterMongoDBRoleBuilder{
+		name:       "default-role",
+		finalizers: []string{},
+		mongoDBRole: mdb.MongoDBRole{
+			Role:                       "default-role",
+			AuthenticationRestrictions: nil,
+			Db:                         "admin",
+			Privileges:                 nil,
+			Roles: []mdb.InheritedRole{
+				{
+					Role: "readWrite",
+					Db:   "admin",
+				},
+			},
+		},
+		annotations: map[string]string{},
+	}
+}
+
+func (b *ClusterMongoDBRoleBuilder) SetName(name string) *ClusterMongoDBRoleBuilder {
+	b.name = name
+	return b
+}
+
+func (b *ClusterMongoDBRoleBuilder) AddFinalizer(finalizer string) *ClusterMongoDBRoleBuilder {
+	b.finalizers = append(b.finalizers, finalizer)
+	return b
+}
+
+func (b *ClusterMongoDBRoleBuilder) SetMongoDBRole(role mdb.MongoDBRole) *ClusterMongoDBRoleBuilder {
+	b.mongoDBRole = role
+	return b
+}
+
+func (b *ClusterMongoDBRoleBuilder) AddAnnotation(key, value string) *ClusterMongoDBRoleBuilder {
+	b.annotations[key] = value
+	return b
+}
+
+func (b *ClusterMongoDBRoleBuilder) Build() *rolev1.ClusterMongoDBRole {
+	return &rolev1.ClusterMongoDBRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        b.name,
+			Finalizers:  b.finalizers,
+			Annotations: b.annotations,
+		},
+		Spec: rolev1.ClusterMongoDBRoleSpec{
+			MongoDBRole: b.mongoDBRole,
+		},
+	}
+}

controllers/operator/common_controller_test.go

@@ -265,6 +265,121 @@ func TestReadSubjectNoCertificate(t *testing.T) {
 	assertSubjectFromFileFails(t, "testdata/certificates/just_key")
 }
 
+func TestFailWhenRoleAndRoleRefsAreConfigured(t *testing.T) {
+	ctx := context.Background()
+	customRole := mdbv1.MongoDBRole{
+		Role:                       "foo",
+		AuthenticationRestrictions: []mdbv1.AuthenticationRestriction{},
+		Db:                         "admin",
+		Roles: []mdbv1.InheritedRole{{
+			Db:   "admin",
+			Role: "readWriteAnyDatabase",
+		}},
+	}
+	roleResource := DefaultClusterMongoDBRoleBuilder().Build()
+	roleRef := mdbv1.MongoDBRoleRef{
+		Name: roleResource.Name,
+		Kind: util.ClusterMongoDBRoleKind,
+	}
+	assert.Nil(t, customRole.Privileges)
+	rs := mdbv1.NewDefaultReplicaSetBuilder().SetRoles([]mdbv1.MongoDBRole{customRole}).SetRoleRefs([]mdbv1.MongoDBRoleRef{roleRef}).Build()
+
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	result := controller.ensureRoles(ctx, rs.Spec.Security.Roles, rs.Spec.Security.RoleRefs, mockOm, kube.ObjectKeyFromApiObject(rs), &zap.SugaredLogger{})
+	assert.False(t, result.IsOK())
+	assert.Equal(t, status.PhaseFailed, result.Phase())
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.False(t, ok)
+	assert.Empty(t, roles)
+}
+
+func TestRoleRefsAreAdded(t *testing.T) {
+	ctx := context.Background()
+	roleResource := DefaultClusterMongoDBRoleBuilder().Build()
+	roleRefs := []mdbv1.MongoDBRoleRef{
+		{
+			Name: roleResource.Name,
+			Kind: util.ClusterMongoDBRoleKind,
+		},
+	}
+	rs := mdbv1.NewDefaultReplicaSetBuilder().SetRoleRefs(roleRefs).Build()
+
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	_ = kubeClient.Create(ctx, roleResource)
+
+	controller.ensureRoles(ctx, rs.Spec.Security.Roles, rs.Spec.Security.RoleRefs, mockOm, kube.ObjectKeyFromApiObject(rs), &zap.SugaredLogger{})
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.True(t, ok)
+	assert.NotNil(t, roles[0].Privileges)
+	assert.Len(t, roles, 1)
+}
+
+func TestErrorWhenRoleDoesNotExist(t *testing.T) {
+	ctx := context.Background()
+	roleResource := mdbv1.NewDefaultReplicaSetBuilder().Build()
+	roleRefs := []mdbv1.MongoDBRoleRef{
+		{
+			Name: roleResource.Name,
+			Kind: "WrongMongoDBRoleReference",
+		},
+	}
+	rs := mdbv1.NewDefaultReplicaSetBuilder().SetRoleRefs(roleRefs).Build()
+
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	_ = kubeClient.Create(ctx, roleResource)
+
+	result := controller.ensureRoles(ctx, rs.Spec.Security.Roles, rs.Spec.Security.RoleRefs, mockOm, kube.ObjectKeyFromApiObject(rs), &zap.SugaredLogger{})
+	assert.False(t, result.IsOK())
+	assert.Equal(t, status.PhaseFailed, result.Phase())
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.False(t, ok)
+	assert.Empty(t, roles)
+}
+
+func TestErrorWhenRoleRefIsWrong(t *testing.T) {
+	ctx := context.Background()
+	roleResource := DefaultClusterMongoDBRoleBuilder().Build()
+	roleRefs := []mdbv1.MongoDBRoleRef{
+		{
+			Name: roleResource.Name,
+			Kind: util.ClusterMongoDBRoleKind,
+		},
+	}
+	rs := mdbv1.NewDefaultReplicaSetBuilder().SetRoleRefs(roleRefs).Build()
+
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	result := controller.ensureRoles(ctx, rs.Spec.Security.Roles, rs.Spec.Security.RoleRefs, mockOm, kube.ObjectKeyFromApiObject(rs), &zap.SugaredLogger{})
+	assert.False(t, result.IsOK())
+	assert.Equal(t, status.PhaseFailed, result.Phase())
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.False(t, ok)
+	assert.Empty(t, roles)
+}
+
 func TestDontSendNilPrivileges(t *testing.T) {
 	ctx := context.Background()
 	customRole := mdbv1.MongoDBRole{
@@ -281,7 +396,7 @@ func TestDontSendNilPrivileges(t *testing.T) {
 	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
 	controller := NewReconcileCommonController(ctx, kubeClient)
 	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
-	ensureRoles(rs.Spec.Security.Roles, mockOm, &zap.SugaredLogger{})
+	controller.ensureRoles(ctx, rs.Spec.Security.Roles, rs.Spec.Security.RoleRefs, mockOm, kube.ObjectKeyFromApiObject(rs), &zap.SugaredLogger{})
 	ac, err := mockOm.ReadAutomationConfig()
 	assert.NoError(t, err)
 	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)

controllers/operator/mongodbuser_controller_test.go

@@ -12,6 +12,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	corev1 "k8s.io/api/core/v1"
+	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
@@ -402,7 +403,7 @@ func TestFinalizerIsAdded_WhenUserIsCreated(t *testing.T) {
 
 	_ = client.Get(ctx, kube.ObjectKey(user.Namespace, user.Name), user)
 
-	assert.Contains(t, user.GetFinalizers(), util.Finalizer)
+	assert.Contains(t, user.GetFinalizers(), util.UserFinalizer)
 }
 
 func TestUserReconciler_SavesConnectionStringForMultiShardedCluster(t *testing.T) {
@@ -497,7 +498,8 @@ func TestFinalizerIsRemoved_WhenUserIsDeleted(t *testing.T) {
 	assert.Nil(t, err, "there should be no error on successful reconciliation")
 	assert.Equal(t, newExpected, newResult, "there should be a successful reconciliation if the password is a valid reference")
 
-	assert.Empty(t, user.GetFinalizers())
+	err = client.Get(ctx, kube.ObjectKey(user.Namespace, user.Name), user)
+	assert.True(t, apiErrors.IsNotFound(err), "the user should not exist")
 }
 
 // BuildAuthenticationEnabledReplicaSet returns a AutomationConfig after creating a Replica Set with a set of