openapi: Fix logic for labeling unauthenticated/sudo paths (#19600)

2025-10-30 18:17:55 +00:00 · 2023-03-20 13:25:09 -04:00
parent 116a6a49dc
commit 09d58d1858
3 changed files with 162 additions and 37 deletions
--- a/sdk/framework/openapi_test.go
+++ b/sdk/framework/openapi_test.go
@@ -226,42 +226,123 @@ func TestOpenAPI_SplitFields(t *testing.T) {
 }

 func TestOpenAPI_SpecialPaths(t *testing.T) {
-	tests := []struct {
-		pattern     string
-		rootPaths   []string
-		root        bool
-		unauthPaths []string
-		unauth      bool
+	tests := map[string]struct {
+		pattern                 string
+		rootPaths               []string
+		rootExpected            bool
+		unauthenticatedPaths    []string
+		unauthenticatedExpected bool
 	}{
-		{"foo", []string{}, false, []string{"foo"}, true},
-		{"foo", []string{"foo"}, true, []string{"bar"}, false},
-		{"foo/bar", []string{"foo"}, false, []string{"foo/*"}, true},
-		{"foo/bar", []string{"foo/*"}, true, []string{"foo"}, false},
-		{"foo/", []string{"foo/*"}, true, []string{"a", "b", "foo/"}, true},
-		{"foo", []string{"foo*"}, true, []string{"a", "fo*"}, true},
-		{"foo/bar", []string{"a", "b", "foo/*"}, true, []string{"foo/baz/*"}, false},
+		"empty": {
+			pattern:                 "foo",
+			rootPaths:               []string{},
+			rootExpected:            false,
+			unauthenticatedPaths:    []string{},
+			unauthenticatedExpected: false,
+		},
+		"exact-match-unauthenticated": {
+			pattern:                 "foo",
+			rootPaths:               []string{},
+			rootExpected:            false,
+			unauthenticatedPaths:    []string{"foo"},
+			unauthenticatedExpected: true,
+		},
+		"exact-match-root": {
+			pattern:                 "foo",
+			rootPaths:               []string{"foo"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"bar"},
+			unauthenticatedExpected: false,
+		},
+		"asterisk-match-unauthenticated": {
+			pattern:                 "foo/bar",
+			rootPaths:               []string{"foo"},
+			rootExpected:            false,
+			unauthenticatedPaths:    []string{"foo/*"},
+			unauthenticatedExpected: true,
+		},
+		"asterisk-match-root": {
+			pattern:                 "foo/bar",
+			rootPaths:               []string{"foo/*"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"foo"},
+			unauthenticatedExpected: false,
+		},
+		"path-ends-with-slash": {
+			pattern:                 "foo/",
+			rootPaths:               []string{"foo/*"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"a", "b", "foo*"},
+			unauthenticatedExpected: true,
+		},
+		"asterisk-match-no-slash": {
+			pattern:                 "foo",
+			rootPaths:               []string{"foo*"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"a", "fo*"},
+			unauthenticatedExpected: true,
+		},
+		"multiple-root-paths": {
+			pattern:                 "foo/bar",
+			rootPaths:               []string{"a", "b", "foo/*"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"foo/baz/*"},
+			unauthenticatedExpected: false,
+		},
+		"plus-match-unauthenticated": {
+			pattern:                 "foo/bar/baz",
+			rootPaths:               []string{"foo/bar"},
+			rootExpected:            false,
+			unauthenticatedPaths:    []string{"foo/+/baz"},
+			unauthenticatedExpected: true,
+		},
+		"plus-match-root": {
+			pattern:                 "foo/bar/baz",
+			rootPaths:               []string{"foo/+/baz"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"foo/bar"},
+			unauthenticatedExpected: false,
+		},
+		"plus-and-asterisk": {
+			pattern:                 "foo/bar/baz/something",
+			rootPaths:               []string{"foo/+/baz/*"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"foo/+/baz*"},
+			unauthenticatedExpected: true,
+		},
+		"double-plus-good": {
+			pattern:                 "foo/bar/baz",
+			rootPaths:               []string{"foo/+/+"},
+			rootExpected:            true,
+			unauthenticatedPaths:    []string{"foo/bar"},
+			unauthenticatedExpected: false,
+		},
 	}
-	for i, test := range tests {
-		doc := NewOASDocument("version")
-		path := Path{
-			Pattern: test.pattern,
-		}
-		sp := &logical.Paths{
-			Root:            test.rootPaths,
-			Unauthenticated: test.unauthPaths,
-		}
-		err := documentPath(&path, sp, "kv", logical.TypeLogical, doc)
-		if err != nil {
-			t.Fatal(err)
-		}
-		result := test.root
-		if doc.Paths["/"+test.pattern].Sudo != result {
-			t.Fatalf("Test (root) %d: Expected %v got %v", i, test.root, result)
-		}
-		result = test.unauth
-		if doc.Paths["/"+test.pattern].Unauthenticated != result {
-			t.Fatalf("Test (unauth) %d: Expected %v got %v", i, test.unauth, result)
-		}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			doc := NewOASDocument("version")
+			path := Path{
+				Pattern: test.pattern,
+			}
+			specialPaths := &logical.Paths{
+				Root:            test.rootPaths,
+				Unauthenticated: test.unauthenticatedPaths,
+			}
+
+			if err := documentPath(&path, specialPaths, "kv", logical.TypeLogical, doc); err != nil {
+				t.Fatal(err)
+			}
+
+			actual := doc.Paths["/"+test.pattern].Sudo
+			if actual != test.rootExpected {
+				t.Fatalf("Test (root): expected: %v; got: %v", test.rootExpected, actual)
+			}
+
+			actual = doc.Paths["/"+test.pattern].Unauthenticated
+			if actual != test.unauthenticatedExpected {
+				t.Fatalf("Test (unauth): expected: %v; got: %v", test.unauthenticatedExpected, actual)
+			}
+		})
 	}
 }