fix: marshall and unmarshall actions on endpoint permissions

[GGabriele]

For endpoint permissions's actions, Kong returns a list with GET requests, but it expects a
comma-separated string with POST/PUT requests.

This fixes the marshalling for this entity (reverting #131)

Sample script attempting to configure actions as a list:

$ echo '
id: 82bfb84b-d659-4ac1-ab29-94576f838753
name: workspace-super-admin
comment: "Full access to all endpoints in the workspace"
' | y2j |  http PUT ":8001/workspace1/rbac/roles/82bfb84b-d659-4ac1-ab29-94576f838753"

$ echo '
workspace: workspace1
endpoint: /rbac/*/*/*
actions:
    - delete
    - create
    - read
    - update
negative: true
' | y2j | http POST ":8001/workspace1/rbac/roles/82bfb84b-d659-4ac1-ab29-94576f838753/endpoints"

HTTP/1.1 200 OK
{
    "comment": "Full access to all endpoints in the workspace",
    "created_at": 1647520491,
    "id": "82bfb84b-d659-4ac1-ab29-94576f838753",
    "is_default": false,
    "name": "workspace-super-admin"
}


HTTP/1.1 201 Created
{
    "actions": [],
    "created_at": 1647520491,
    "endpoint": "/rbac/*/*/*",
    "negative": true,
    "role": {
        "id": "82bfb84b-d659-4ac1-ab29-94576f838753"
    },
    "workspace": "workspace1"
}

The actions field is ignored. While it works if the actions field is a string:

$ echo '
workspace: workspace1
endpoint: /rbac/*/*/*
actions: delete,create,read,update
negative: true
' | y2j | http POST ":8001/workspace1/rbac/roles/82bfb84b-d659-4ac1-ab29-94576f838753/endpoints"
HTTP/1.1 201 Created
{
    "actions": [
        "read",
        "delete",
        "create",
        "update"
    ],
    "created_at": 1647520694,
    "endpoint": "/rbac/*/*/*",
    "negative": true,
    "role": {
        "id": "82bfb84b-d659-4ac1-ab29-94576f838753"
    },
    "workspace": "workspace1"
}

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 66.66667% with 13 lines in your changes missing coverage. Please review.

Project coverage is 54.14%. Comparing base (bd63e50) to head (6ae5da8).
Report is 292 commits behind head on main.

Files with missing lines	Patch %	Lines
kong/endpoint_permission_service.go	41.66%	4 Missing and 3 partials ⚠️
kong/test_utils.go	60.00%	4 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #148      +/-   ##
==========================================
+ Coverage   45.38%   54.14%   +8.76%     
==========================================
  Files          44       44              
  Lines        3962     3991      +29     
==========================================
+ Hits         1798     2161     +363     
+ Misses       1827     1374     -453     
- Partials      337      456     +119     

Flag	Coverage Δ
2.0.5	39.51% <12.82%> (-0.17%)	⬇️
2.1.4	39.33% <12.82%> (-0.17%)	⬇️
2.2.2	39.33% <12.82%> (-0.17%)	⬇️
2.3.3	39.33% <12.82%> (-0.17%)	⬇️
2.4.0	39.33% <12.82%> (-0.17%)	⬇️
2.5.1	39.33% <12.82%> (-0.17%)	⬇️
2.6.0	39.33% <12.82%> (-0.17%)	⬇️
2.7.0	39.33% <12.82%> (-0.17%)	⬇️
2.8.0	39.33% <12.82%> (-0.17%)	⬇️
community	39.51% <12.82%> (-0.17%)	⬇️
enterprise	52.79% <66.66%> (+7.84%)	⬆️
enterprise-1.5.0.11	52.79% <66.66%> (+7.84%)	⬆️
enterprise-2.1.4.6	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.2.1.3	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.3.3.4	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.4.1.3	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.5.1.2	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.6.0.2	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.7.0.0	51.71% <66.66%> (+7.84%)	⬆️
enterprise-2.8.0.0	51.71% <66.66%> (+7.84%)	⬆️
integration	54.14% <66.66%> (+8.76%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[shaneutt]

Looks good overall, but given the context that we're fixing something we broke before it seems like we should be updating or adding tests which will protect this against future regressions. What are your thoughts?

[GGabriele]

Totally! Not sure why, but it seems that we are skipping tests on RBAC here.

Since now we have a "proper" testing pipeline in decK, what I plan to do is to keep adding more and more test cases to give us a good coverage. Like, this.

[rainest]

It skips them if RBAC is not available, which we expect for community. It should be on for Enterprise, but for some reason

go-kong/.ci/setup_kong.sh

Lines 63 to 66 in bd63e50

	export KONG_LICENSE_PATH=/tmp/license.json
	export KONG_PASSWORD=kong
	export KONG_ENFORCE_RBAC=on
	export KONG_PORTAL=on

is apparently having no effect, despite not being under any conditional.

Dunno when/why that stopped working, but I suppose there's no reason to not just set them in the Action environment instead; they're all static anyway... Except that doesn't appear to work either.

If it did,

go-kong/kong/rbac_user_service_test.go

Lines 120 to 123 in bd63e50

	Actions: []*string{
	String("create"),
	String("read"),
	},

would test at least part of this.

[rainest]

IDK why those variables are getting ignored (they do show up in env output run before the Kong commands), but setting them on the invocation line instead of exporting them works, so whatever.

However fixing this exposes that there were several (mostly) unrelated broken tests lurking around: /~https://github.com/Kong/go-kong/runs/5636336474?check_suite_focus=true

[GGabriele]

Also, those variable were set even before your commit: /~https://github.com/Kong/go-kong/blob/main/.ci/setup_kong.sh#L65-L66

How do we want to proceed here? Add these vars directly in the invocation and fix those failing tests?

[rainest]

How do we want to proceed here? Add these vars directly in the invocation and fix those failing tests?

Yeah--I don't really much care what the setup script looks like so long as it works, and inline does. I'm curious why that's the case (sudo would be my first guess, but sudo does inherit the environment of its caller by default, which a run of env confirms, so not sure what's up there), but not to the extent that I'll dig into it given a working alternative.

With that and a bunch of new changes unrelated to the original PR, tests pass, add (and actually run) a regression test for this, and fixes any tests that were broken.

430956c tests the original fix condition, as I understand it.

The rest of the changes fix broken tests that were hidden by Enterprise tests not actually running for the most part. Other than c35a1dd, they do not change library code, only test code.

Most fixes are unremarkable; 6ae5da8 is the exception. The implementation of admin consumers and credentials is weird, and apparently changes the way those resources paginate even though the created resources don't exist from the perspective of the admin API. We had acknowledged as much before but apparently didn't actually fix it there and didn't notice because of the skips.

Checking for specific pagination behavior isn't something anyone should need to do in practice--all you should care about as a library user is that you can pass in a next value and get the expected page. We should consider reworking our tests to not require specific pagination behavior, but IMO it's fairly low-value: this endpoint exists in community doesn't change its behavior on Enterprise, so there's no pressing reason to test it on Enterprise. The specific pages change depending on your consumer set, but that's expected--right now our test requires a specific consumer set, and it arguably shouldn't.