feat: interact with plugins from service endpoint for least privilege

Kong · Aug 4, 2022 · d2d4231 · d2d4231
1 parent 1ef06ec
commit d2d4231
Show file tree

Hide file tree

Showing 2 changed files with 128 additions and 24 deletions.
diff --git a/kong/plugin_service.go b/kong/plugin_service.go
@@ -12,12 +12,18 @@ import (
 type AbstractPluginService interface {
 	// Create creates a Plugin in Kong.
 	Create(ctx context.Context, plugin *Plugin) (*Plugin, error)
+	// CreateForService creates a Plugin in Kong.
+	CreateForService(ctx context.Context, serviceIDorName *string, plugin *Plugin) (*Plugin, error)
 	// Get fetches a Plugin in Kong.
 	Get(ctx context.Context, usernameOrID *string) (*Plugin, error)
 	// Update updates a Plugin in Kong
 	Update(ctx context.Context, plugin *Plugin) (*Plugin, error)
+	// UpdateForService updates a Plugin in Kong for a service
+	UpdateForService(ctx context.Context, serviceIDorName *string, plugin *Plugin) (*Plugin, error)
 	// Delete deletes a Plugin in Kong
 	Delete(ctx context.Context, usernameOrID *string) error
+	// DeleteForService deletes a Plugin in Kong
+	DeleteForService(ctx context.Context, serviceIDorName *string, pluginID *string) error
 	// List fetches a list of Plugins in Kong.
 	List(ctx context.Context, opt *ListOpt) ([]*Plugin, *ListOpt, error)
 	// ListAll fetches all Plugins in Kong.
@@ -97,17 +103,24 @@ func (s *PluginService) Create(ctx context.Context,
 		queryPath = queryPath + "/" + *plugin.ID
 		method = "PUT"
 	}
-	req, err := s.client.NewRequest(method, queryPath, nil, plugin)
-	if err != nil {
-		return nil, err
-	}
+	return s.sendRequest(ctx, plugin, queryPath, method)
+}
 
-	var createdPlugin Plugin
-	_, err = s.client.Do(ctx, req, &createdPlugin)
-	if err != nil {
-		return nil, err
+// CreateForService creates a Plugin in Kong at Service level.
+// If an ID is specified, it will be used to
+// create a plugin in Kong, otherwise an ID
+// is auto-generated.
+func (s *PluginService) CreateForService(ctx context.Context,
+	serviceIDorName *string, plugin *Plugin,
+) (*Plugin, error) {
+	if isEmptyString(plugin.ID) {
+		return nil, fmt.Errorf("ID cannot be nil for Update operation")
 	}
-	return &createdPlugin, nil
+	if isEmptyString(serviceIDorName) {
+		return nil, fmt.Errorf("serviceIDorName cannot be nil")
+	}
+
+	return s.sendRequest(ctx, plugin, fmt.Sprintf("/services/%v/plugins", *serviceIDorName), "POST")
 }
 
 // Get fetches a Plugin in Kong.
@@ -141,34 +154,56 @@ func (s *PluginService) Update(ctx context.Context,
 	}
 
 	endpoint := fmt.Sprintf("/plugins/%v", *plugin.ID)
-	req, err := s.client.NewRequest("PATCH", endpoint, nil, plugin)
-	if err != nil {
-		return nil, err
-	}
+	return s.sendRequest(ctx, plugin, endpoint, "PATCH")
+}
 
-	var updatedAPI Plugin
-	_, err = s.client.Do(ctx, req, &updatedAPI)
-	if err != nil {
-		return nil, err
+// UpdateForService updates a Plugin in Kong at Service level.
+func (s *PluginService) UpdateForService(ctx context.Context,
+	serviceIDorName *string, plugin *Plugin,
+) (*Plugin, error) {
+	if isEmptyString(plugin.ID) {
+		return nil, fmt.Errorf("ID cannot be nil for Update operation")
+	}
+	if isEmptyString(serviceIDorName) {
+		return nil, fmt.Errorf("serviceIDorName cannot be nil")
 	}
-	return &updatedAPI, nil
+
+	endpoint := fmt.Sprintf("/services/%v/plugins/%v", *serviceIDorName, *plugin.ID)
+	return s.sendRequest(ctx, plugin, endpoint, "PATCH")
 }
 
 // Delete deletes a Plugin in Kong
 func (s *PluginService) Delete(ctx context.Context,
-	usernameOrID *string,
+	pluginID *string,
 ) error {
-	if isEmptyString(usernameOrID) {
-		return fmt.Errorf("usernameOrID cannot be nil for Delete operation")
+	if isEmptyString(pluginID) {
+		return fmt.Errorf("pluginID cannot be nil for Delete operation")
 	}
 
-	endpoint := fmt.Sprintf("/plugins/%v", *usernameOrID)
-	req, err := s.client.NewRequest("DELETE", endpoint, nil, nil)
+	endpoint := fmt.Sprintf("/plugins/%v", *pluginID)
+	_, err := s.sendRequest(ctx, nil, endpoint, "DELETE")
 	if err != nil {
 		return err
 	}
+	return err
+}
+
+// DeleteForService deletes a Plugin in Kong at Service level.
+func (s *PluginService) DeleteForService(ctx context.Context,
+	serviceIDorName *string, pluginID *string,
+) error {
+	if isEmptyString(pluginID) {
+		return fmt.Errorf("plugin ID cannot be nil for Delete operation")
+	}
+	if isEmptyString(serviceIDorName) {
+		return fmt.Errorf("serviceIDorName cannot be nil")
+	}
 
-	_, err = s.client.Do(ctx, req, nil)
+	endpoint := fmt.Sprintf("/services/%v/plugins/%v", *serviceIDorName, *pluginID)
+	_, err := s.sendRequest(ctx, nil, endpoint, "DELETE")
+	if err != nil {
+		return err
+	}
 	return err
 }
 
@@ -294,3 +329,32 @@ func (s *PluginService) ListAllForRoute(ctx context.Context,
 	}
 	return s.listAllByPath(ctx, "/routes/"+*routeID+"/plugins")
 }
+
+func (s *PluginService) sendRequest(ctx context.Context, plugin *Plugin, endpoint, method string) (*Plugin, error) {
+	var req *http.Request
+	var err error
+	if method == "DELETE" {
+		req, err = s.client.NewRequest(method, endpoint, nil, nil)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		req, err = s.client.NewRequest(method, endpoint, nil, plugin)
+		if err != nil {
+			return nil, err
+		}
+	}
+	var createdPlugin Plugin
+	if method == "DELETE" {
+		_, err = s.client.Do(ctx, req, nil)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		_, err = s.client.Do(ctx, req, &createdPlugin)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &createdPlugin, nil
+}
diff --git a/kong/plugin_service_test.go b/kong/plugin_service_test.go
@@ -83,6 +83,46 @@ func TestPluginsService(T *testing.T) {
 
 	err = client.Plugins.Delete(defaultCtx, createdPlugin.ID)
 	assert.NoError(err)
+
+	service := &Service{
+		Name: String("fooWithPlugin"),
+		Host: String("upstream"),
+		Port: Int(42),
+		Path: String("/path"),
+	}
+	// Clean Data
+	err = client.Services.Delete(defaultCtx, service.Name)
+	assert.NoError(err)
+	// Test to create plugin from service endpoint
+	createdService, err := client.Services.Create(defaultCtx, service)
+	assert.NoError(err)
+
+	id = uuid.NewString()
+	pluginForService := &Plugin{
+		Name: String("key-auth"),
+		ID:   String(id),
+		Config: Configuration{
+			"anonymous": "true",
+		},
+	}
+
+	createdPlugin, err = client.Plugins.CreateForService(defaultCtx, createdService.Name, pluginForService)
+	assert.NoError(err)
+	assert.NotNil(createdPlugin)
+	assert.Equal(id, *createdPlugin.ID)
+	assert.Equal("true", createdPlugin.Config["anonymous"])
+
+	createdPlugin.Config["anonymous"] = "false"
+	updatedPlugin, err := client.Plugins.UpdateForService(defaultCtx, createdService.Name, createdPlugin)
+	assert.NoError(err)
+	assert.NotNil(createdPlugin)
+	assert.Equal(id, *createdPlugin.ID)
+	assert.Equal("false", updatedPlugin.Config["anonymous"])
+
+	err = client.Plugins.DeleteForService(defaultCtx, createdService.Name, updatedPlugin.ID)
+	assert.NoError(err)
+
+	assert.NoError(client.Services.Delete(defaultCtx, createdService.ID))
 }
 
 func TestPluginWithTags(T *testing.T) {