backend: Add unit tests for serviceproxyhandler and more

Signed-off-by: Murali Annamneni <[email protected]>

Author: muraliinformal

backend/cmd/headlamp_test.go

@@ -25,12 +25,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"testing"
 	"time"
 
@@ -43,6 +45,8 @@ import (
 	"github.com/kubernetes-sigs/headlamp/backend/pkg/telemetry"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/clientcmd/api"
 )
@@ -1555,3 +1559,123 @@ func TestCacheMiddleware_CacheInvalidation(t *testing.T) {
 	assert.Equal(t, "true", resp1.Header.Get("X-HEADLAMP-CACHE"))
 	assert.Equal(t, http.StatusOK, resp1.StatusCode)
 }
+
+//nolint:funlen
+func TestHandleClusterServiceProxy(t *testing.T) {
+	cfg := &HeadlampConfig{
+		HeadlampCFG:      &headlampconfig.HeadlampCFG{KubeConfigStore: kubeconfig.NewContextStore()},
+		telemetryHandler: &telemetry.RequestHandler{},
+		telemetryConfig:  GetDefaultTestTelemetryConfig(),
+	}
+
+	// Backend service the proxy should call
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/healthz" {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte("OK"))
+
+			return
+		}
+
+		http.NotFound(w, r)
+	}))
+	t.Cleanup(backend.Close)
+
+	// Extract host:port to feed into the Service external name + port
+	bu, err := url.Parse(backend.URL)
+	require.NoError(t, err)
+	host, portStr, err := net.SplitHostPort(strings.TrimPrefix(bu.Host, "["))
+	require.NoError(t, err)
+	portNum, err := strconv.Atoi(strings.TrimSuffix(portStr, "]"))
+	require.NoError(t, err)
+
+	// Fake k8s API that returns a Service pointing to backend
+	kubeAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet && r.URL.Path == "/api/v1/namespaces/default/services/my-service" {
+			svc := &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-service",
+					Namespace: "default",
+				},
+				Spec: corev1.ServiceSpec{
+					ExternalName: host,
+					Ports: []corev1.ServicePort{
+						{
+							Name: "http",
+							Port: int32(portNum), //nolint:gosec
+						},
+					},
+				},
+			}
+
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			_ = json.NewEncoder(w).Encode(svc)
+
+			return
+		}
+
+		http.NotFound(w, r)
+	}))
+	t.Cleanup(kubeAPI.Close)
+
+	// Add a context that matches clusterName in URL
+	err = cfg.KubeConfigStore.AddContext(&kubeconfig.Context{
+		Name: "kubernetes",
+		KubeContext: &api.Context{
+			Cluster:  "kubernetes",
+			AuthInfo: "kubernetes",
+		},
+		Cluster:  &api.Cluster{Server: kubeAPI.URL}, // client-go will talk to this
+		AuthInfo: &api.AuthInfo{},
+	})
+	require.NoError(t, err)
+
+	router := mux.NewRouter()
+	handleClusterServiceProxy(cfg, router)
+
+	cluster := "kubernetes"
+	ns := "default"
+	svc := "my-service"
+
+	// Case 1: Missing ?request => route doesn't match => 404, no headers set
+	{
+		req := httptest.NewRequest(http.MethodGet,
+			"/clusters/"+cluster+"/serviceproxy/"+ns+"/"+svc, nil)
+		rr := httptest.NewRecorder()
+		router.ServeHTTP(rr, req)
+		assert.Equal(t, http.StatusNotFound, rr.Code)
+		assert.Empty(t, rr.Header().Get("Cache-Control"))
+	}
+
+	// Case 2: ?request present but missing Authorization => 401, headers set
+	{
+		req := httptest.NewRequest(http.MethodGet,
+			"/clusters/"+cluster+"/serviceproxy/"+ns+"/"+svc+"?request=/healthz", nil)
+		rr := httptest.NewRecorder()
+		router.ServeHTTP(rr, req)
+		assert.Equal(t, http.StatusUnauthorized, rr.Code)
+		assert.Equal(t, "no-cache, private, max-age=0", rr.Header().Get("Cache-Control"))
+		assert.Equal(t, "no-cache", rr.Header().Get("Pragma"))
+		assert.Equal(t, "0", rr.Header().Get("X-Accel-Expires"))
+	}
+
+	// Case 3 (Happy path): ?request present and Authorization provided => proxy reaches backend => 200 OK
+	{
+		req := httptest.NewRequest(http.MethodGet,
+			"/clusters/"+cluster+"/serviceproxy/"+ns+"/"+svc+"?request=/healthz", nil)
+		req.Header.Set("Authorization", "Bearer test-token")
+
+		rr := httptest.NewRecorder()
+		router.ServeHTTP(rr, req)
+
+		// Handler always sets no-cache headers
+		assert.Equal(t, "no-cache, private, max-age=0", rr.Header().Get("Cache-Control"))
+		assert.Equal(t, "no-cache", rr.Header().Get("Pragma"))
+		assert.Equal(t, "0", rr.Header().Get("X-Accel-Expires"))
+
+		// Happy path: backend returns OK
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "OK", rr.Body.String())
+	}
+}

backend/pkg/helm/release.go

@@ -582,7 +582,7 @@ func (h *Handler) getChart(
 
 // Verify the user has minimal privileges by performing a whoami check.
 // This prevents spurious downloads by ensuring basic authentication before proceeding.
-func verifyUser(h *Handler, req InstallRequest) bool {
+func VerifyUser(h *Handler, req InstallRequest) bool {
 	restConfig, err := h.Configuration.RESTClientGetter.ToRESTConfig()
 	if err != nil {
 		logger.Log(logger.LevelError, map[string]string{"chart": req.Chart, "releaseName": req.Name}, err, "getting chart")
@@ -619,7 +619,7 @@ func (h *Handler) installRelease(req InstallRequest) {
 	installClient.CreateNamespace = req.CreateNamespace
 	installClient.ChartPathOptions.Version = req.Version
 
-	if !verifyUser(h, req) {
+	if !VerifyUser(h, req) {
 		return
 	}
 

backend/pkg/helm/release_test.go

@@ -33,6 +33,10 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"helm.sh/helm/v3/pkg/action"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 )
 
@@ -251,3 +255,65 @@ func TestUninstallRelease(t *testing.T) {
 
 	pingStatusTillSuccess(t, "uninstall", "helm-test-asdf", helmHandler.Cache)
 }
+
+type staticRESTGetter struct{ cfg *rest.Config }
+
+var _ genericclioptions.RESTClientGetter = (*staticRESTGetter)(nil)
+
+func (s *staticRESTGetter) ToRESTConfig() (*rest.Config, error) {
+	return s.cfg, nil
+}
+
+func (s *staticRESTGetter) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return nil, nil
+}
+
+func (s *staticRESTGetter) ToRESTMapper() (meta.RESTMapper, error) {
+	return nil, nil
+}
+
+func (s *staticRESTGetter) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return nil
+}
+
+func TestVerifyUser(t *testing.T) {
+	helmHandler := newHelmHandler(t)
+
+	tests := []struct {
+		name       string
+		req        helm.InstallRequest
+		wantResult bool
+	}{
+		{
+			name: "valid user",
+			req: helm.InstallRequest{
+				CommonInstallUpdateRequest: helm.CommonInstallUpdateRequest{
+					Name: "test-release",
+				},
+			},
+			wantResult: true,
+		},
+		{
+			name: "invalid user",
+			req: helm.InstallRequest{
+				CommonInstallUpdateRequest: helm.CommonInstallUpdateRequest{
+					Name: "test-release",
+				},
+			},
+			wantResult: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if !tt.wantResult {
+				helmHandler.Configuration.RESTClientGetter = &staticRESTGetter{
+					cfg: &rest.Config{Host: ""}, // invalid/empty host triggers failure
+				}
+			}
+
+			result := helm.VerifyUser(helmHandler, tt.req)
+			assert.Equal(t, result, tt.wantResult)
+		})
+	}
+}

backend/pkg/serviceproxy/connection_test.go

@@ -1,6 +1,7 @@
 package serviceproxy //nolint
 
 import (
+	"bytes"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -41,23 +42,74 @@ func TestNewConnection(t *testing.T) {
 }
 
 func TestGet(t *testing.T) {
+	tests := []struct {
+		name       string
+		uri        string
+		requestURI string
+		wantBody   []byte
+		wantErr    bool
+	}{
+		{
+			name:       "valid request",
+			uri:        "http://example.com",
+			requestURI: "/test",
+			wantBody:   []byte("Hello, World!"),
+			wantErr:    false,
+		},
+		{
+			name:       "invalid URI",
+			uri:        " invalid-uri",
+			requestURI: "/test",
+			wantBody:   nil,
+			wantErr:    true,
+		},
+		{
+			name:       "invalid request URI",
+			uri:        "http://example.com",
+			requestURI: " invalid-request-uri",
+			wantBody:   nil,
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			conn := &Connection{URI: tt.uri}
+
+			if tt.wantBody != nil {
+				ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					_, err := w.Write(tt.wantBody)
+					if err != nil {
+						t.Fatal(err)
+					}
+				}))
+				defer ts.Close()
+
+				conn.URI = ts.URL
+			}
+
+			body, err := conn.Get(tt.requestURI)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Get() error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			if !tt.wantErr && !bytes.Equal(body, tt.wantBody) {
+				t.Errorf("Get() body = %s, want %s", body, tt.wantBody)
+			}
+		})
+	}
+}
+
+func TestGetNonOKStatusCode(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if _, err := w.Write([]byte("Hello, World!")); err != nil {
-			t.Fatalf("write test: %v", err)
-		}
+		w.WriteHeader(http.StatusInternalServerError)
 	}))
 	defer ts.Close()
 
-	// Create a connection to the test server
-	conn := NewConnection(&proxyService{URIPrefix: ts.URL})
-
-	// Test Get()
-	resp, err := conn.Get("/test")
-	if err != nil {
-		t.Errorf("Get() error = %v", err)
-	}
+	conn := &Connection{URI: ts.URL}
 
-	if string(resp) != "Hello, World!" {
-		t.Errorf("Get() response = %s, want Hello, World!", resp)
+	_, err := conn.Get("/test")
+	if err == nil {
+		t.Errorf("Get() error = nil, want error")
 	}
 }