TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-06 16:22:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
794ab407a232866d0c5737e28656c6a725c92c61
zitadel/internal/api/http/middleware/instance_interceptor_test.go
Tim Möhlmann 2727fa719d perf(actionsv2): execution target router (#10564) 
# Which Problems Are Solved

The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.

# How the Problems Are Solved

Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.

- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15

# Additional Changes

- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)
2025-09-01 08:16:52 +02:00

359 lines
8.0 KiB
Go
Raw Blame History

package middleware
import (
"context"
"fmt"
"net/http"
"net/http/httptest"
"reflect"
"testing"
"time"
"github.com/stretchr/testify/assert"
"golang.org/x/text/language"
"github.com/zitadel/zitadel/internal/api/authz"
zitadel_http "github.com/zitadel/zitadel/internal/api/http"
"github.com/zitadel/zitadel/internal/execution/target"
"github.com/zitadel/zitadel/internal/feature"
)
func Test_instanceInterceptor_Handler(t *testing.T) {
type fields struct {
verifier authz.InstanceVerifier
}
type args struct {
request *http.Request
}
type res struct {
statusCode int
context context.Context
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"setInstance error",
fields{
verifier: &mockInstanceVerifier{},
},
args{
request: httptest.NewRequest("", "/url", nil),
},
res{
statusCode: 404,
context: nil,
},
},
{
"setInstance ok",
fields{
verifier: &mockInstanceVerifier{instanceHost: "host"},
},
args{
request: func() *http.Request {
r := httptest.NewRequest("", "/url", nil)
r = r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "host"}))
return r
}(),
},
res{
statusCode: 200,
context: authz.WithInstance(zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host"}), &mockInstance{}),
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := &instanceInterceptor{
verifier: tt.fields.verifier,
translator: newZitadelTranslator(),
}
next := &testHandler{}
got := a.HandlerFunc(next)
rr := httptest.NewRecorder()
got.ServeHTTP(rr, tt.args.request)
assert.Equal(t, tt.res.statusCode, rr.Code)
assert.Equal(t, tt.res.context, next.context)
})
}
}
func Test_instanceInterceptor_HandlerFunc(t *testing.T) {
type fields struct {
verifier authz.InstanceVerifier
}
type args struct {
request *http.Request
}
type res struct {
statusCode int
context context.Context
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"setInstance error",
fields{
verifier: &mockInstanceVerifier{},
},
args{
request: httptest.NewRequest("", "/url", nil),
},
res{
statusCode: 404,
context: nil,
},
},
{
"setInstance ok",
fields{
verifier: &mockInstanceVerifier{instanceHost: "host"},
},
args{
request: func() *http.Request {
r := httptest.NewRequest("", "/url", nil)
r = r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "host"}))
return r
}(),
},
res{
statusCode: 200,
context: authz.WithInstance(zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host"}), &mockInstance{}),
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := &instanceInterceptor{
verifier: tt.fields.verifier,
translator: newZitadelTranslator(),
}
next := &testHandler{}
got := a.HandlerFunc(next)
rr := httptest.NewRecorder()
got.ServeHTTP(rr, tt.args.request)
assert.Equal(t, tt.res.statusCode, rr.Code)
assert.Equal(t, tt.res.context, next.context)
})
}
}
func Test_instanceInterceptor_HandlerFuncWithError(t *testing.T) {
type fields struct {
verifier authz.InstanceVerifier
}
type args struct {
request *http.Request
}
type res struct {
wantErr bool
context context.Context
}
tests := []struct {
name string
fields fields
args args
res res
}{
{
"setInstance error",
fields{
verifier: &mockInstanceVerifier{},
},
args{
request: httptest.NewRequest("", "/url", nil),
},
res{
wantErr: true,
context: nil,
},
},
{
"setInstance ok",
fields{
verifier: &mockInstanceVerifier{instanceHost: "host"},
},
args{
request: func() *http.Request {
r := httptest.NewRequest("", "/url", nil)
r = r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "host"}))
return r
}(),
},
res{
context: authz.WithInstance(zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host"}), &mockInstance{}),
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := &instanceInterceptor{
verifier: tt.fields.verifier,
translator: newZitadelTranslator(),
}
var ctx context.Context
got := a.HandlerFuncWithError(func(w http.ResponseWriter, r *http.Request) error {
ctx = r.Context()
return nil
})
rr := httptest.NewRecorder()
err := got(rr, tt.args.request)
if (err != nil) != tt.res.wantErr {
t.Errorf("got error %v, want %v", err, tt.res.wantErr)
}
assert.Equal(t, tt.res.context, ctx)
})
}
}
func Test_setInstance(t *testing.T) {
type args struct {
ctx context.Context
verifier authz.InstanceVerifier
}
type res struct {
want context.Context
err bool
}
tests := []struct {
name string
args args
res res
}{
{
"no domain context, not found error",
args{
ctx: context.Background(),
verifier: &mockInstanceVerifier{},
},
res{
want: nil,
err: true,
},
},
{
"instanceHost found, ok",
args{
ctx: zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host", Protocol: "https"}),
verifier: &mockInstanceVerifier{instanceHost: "host"},
},
res{
want: authz.WithInstance(zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host", Protocol: "https"}), &mockInstance{}),
err: false,
},
},
{
"instanceHost not found, error",
args{
ctx: zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "fromorigin:9999", Protocol: "https"}),
verifier: &mockInstanceVerifier{instanceHost: "unknowndomain"},
},
res{
want: nil,
err: true,
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := setInstance(tt.args.ctx, tt.args.verifier)
if (err != nil) != tt.res.err {
t.Errorf("setInstance() error = %v, wantErr %v", err, tt.res.err)
return
}
if !reflect.DeepEqual(got, tt.res.want) {
t.Errorf("setInstance() got = %v, want %v", got, tt.res.want)
}
})
}
}
type testHandler struct {
context context.Context
}
func (t *testHandler) ServeHTTP(_ http.ResponseWriter, r *http.Request) {
t.context = r.Context()
}
type mockInstanceVerifier struct {
instanceHost string
publicHost string
}
func (m *mockInstanceVerifier) InstanceByHost(_ context.Context, instanceHost, publicHost string) (authz.Instance, error) {
if instanceHost != m.instanceHost {
return nil, fmt.Errorf("invalid host")
}
if publicHost == "" {
return &mockInstance{}, nil
}
if publicHost != instanceHost && publicHost != m.publicHost {
return nil, fmt.Errorf("invalid host")
}
return &mockInstance{}, nil
}
func (m *mockInstanceVerifier) InstanceByID(context.Context, string) (authz.Instance, error) {
return nil, nil
}
type mockInstance struct{}
func (m *mockInstance) Block() *bool {
panic("shouldn't be called here")
}
func (m *mockInstance) AuditLogRetention() *time.Duration {
panic("shouldn't be called here")
}
func (m *mockInstance) InstanceID() string {
return "instanceID"
}
func (m *mockInstance) ProjectID() string {
return "projectID"
}
func (m *mockInstance) ConsoleClientID() string {
return "consoleClientID"
}
func (m *mockInstance) ConsoleApplicationID() string {
return "consoleApplicationID"
}
func (m *mockInstance) DefaultLanguage() language.Tag {
return language.English
}
func (m *mockInstance) DefaultOrganisationID() string {
return "orgID"
}
func (m *mockInstance) SecurityPolicyAllowedOrigins() []string {
return nil
}
func (m *mockInstance) EnableImpersonation() bool {
return false
}
func (m *mockInstance) Features() feature.Features {
return feature.Features{}
}
func (m *mockInstance) ExecutionRouter() target.Router {
return target.NewRouter(nil)
}
Reference in New Issue View Git Blame Copy Permalink