feat: test config validation in config change handler

aws-greengrass · Feb 20, 2024 · 853c9a2 · 853c9a2
1 parent 0e9d8fd
commit 853c9a2
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/src/integrationtests/java/com/aws/greengrass/integrationtests/policy/PolicyTest.java b/src/integrationtests/java/com/aws/greengrass/integrationtests/policy/PolicyTest.java
@@ -141,6 +141,31 @@ void GIVEN_cda_with_client_policy_WHEN_resource_removed_from_policy_THEN_resourc
                 .build()));
     }
 
+    @Test
+    void GIVEN_cda_running_WHEN_policy_updated_with_invalid_policy_variable_THEN_cda_broken(ExtensionContext context) throws Exception {
+        ignoreExceptionOfType(context, PolicyException.class);
+        startNucleus("empty-config.yaml");
+        //CDA is RUNNING
+
+        Runnable mainRunning = createServiceStateChangeWaiter(kernel,
+                ClientDevicesAuthService.CLIENT_DEVICES_AUTH_SERVICE_NAME, 30, State.BROKEN);
+
+        // merge bad policy config
+        replacePolicy(GroupConfiguration.builder()
+                .definitions(Utils.immutableMap("group1", GroupDefinition.builder()
+                        .policyName("policyA")
+                        .selectionRule("thingName: myThing")
+                        .build()))
+                .policies(Utils.immutableMap("policyA", Utils.immutableMap("statement1", AuthorizationPolicyStatement.builder()
+                        .statementDescription("invalid policy variable")
+                        .operations(Stream.of("mqtt:publish").collect(Collectors.toSet()))
+                        .resources(Stream.of("mqtt:topic:${iot:Connection.Thing.Unknown}").collect(Collectors.toSet()))
+                        .effect(AuthorizationPolicyStatement.Effect.ALLOW)
+                        .build())))
+                .build());
+        mainRunning.run();
+    }
+
     @ParameterizedTest
     @ValueSource(strings = {
             "malformed-variable.yaml",

diff --git a/src/main/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthService.java b/src/main/java/com/aws/greengrass/clientdevices/auth/ClientDevicesAuthService.java
@@ -216,7 +216,8 @@ protected void startup() throws InterruptedException {
         context.get(CertificateManager.class).startMonitors();
         try {
             subscribeToConfigChanges();
-            validateConfig();
+            // Validate CDA policy to force CDA to break on bad config policies before CDA reaches RUNNING
+            lookupAndValidateDeviceGroups();
         } catch (IllegalArgumentException | PolicyException e) {
             serviceErrored(e);
             return;
@@ -270,7 +271,8 @@ private void updateDeviceGroups() {
         GroupConfiguration groupConfiguration;
 
         try {
-            groupConfiguration = validateConfig();
+            // Lookup and validate DeviceGroups to ensure CDA errors on bad CDA policy changes
+            groupConfiguration = lookupAndValidateDeviceGroups();
         } catch (IllegalArgumentException | PolicyException e) {
             serviceErrored(e);
             return;
@@ -279,7 +281,7 @@ private void updateDeviceGroups() {
         context.get(GroupManager.class).setGroupConfiguration(groupConfiguration);
     }
 
-    private GroupConfiguration validateConfig() throws IllegalArgumentException, PolicyException {
+    private GroupConfiguration lookupAndValidateDeviceGroups() throws IllegalArgumentException, PolicyException {
         GroupConfiguration groupConfiguration;
         Topics deviceGroupTopics = this.config.lookupTopics(CONFIGURATION_CONFIG_KEY, DEVICE_GROUPS_TOPICS);
         groupConfiguration = MAPPER.convertValue(deviceGroupTopics.toPOJO(), GroupConfiguration.class);