Adds ability to configure certificate-filters on a namespace via the CLI (#43)

Adds new namespace sub-command called certificate-filters ("cf"). This sub-commands has 3 sub-commands:

import/imp --> imports certificate filter configuration from either a file or from input on the CLI
export/exp --> takes the existing certificate filter configuration and writes it to the output (and also optionally to a file)
clear --> removes all certificate filters on the namespace.

import/clear will print out the before/after of the certificate-filter configuration to make it more obvious to the user what is being changed.

Author: mastermanu

Makefile

@@ -19,7 +19,7 @@ TEST_ARG ?= -race -timeout=5m -cover -count=1
 tcld:
 	@go build -ldflags "$(LINKER_FLAGS)" -o tcld ./cmd/tcld/*.go
 
-bins: tcld
+bins: clean tcld
 
 test:
 	@$(foreach TEST_DIR,$(TEST_DIRS),\

api/temporalcloudapi/namespace/v1/message.pb.go

@@ -0,0 +1,90 @@
+package app
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/temporalio/tcld/api/temporalcloudapi/namespace/v1"
+)
+
+type certificateFilter struct {
+	CommonName             string `json:"commonName"`
+	Organization           string `json:"organization"`
+	OrganizationalUnit     string `json:"organizationalUnit"`
+	SubjectAlternativeName string `json:"subjectAlternativeName"`
+}
+
+type certificateFiltersConfig struct {
+	Filters []certificateFilter `json:"filters,omitempty"`
+}
+
+func parseCertificateFilters(configJson []byte) (certificateFiltersConfig, error) {
+	if len(configJson) == 0 {
+		return certificateFiltersConfig{}, nil
+	}
+
+	var filters certificateFiltersConfig
+	if err := json.Unmarshal(configJson, &filters); err != nil {
+		return certificateFiltersConfig{}, err
+	}
+
+	if err := filters.validate(); err != nil {
+		return certificateFiltersConfig{}, err
+	}
+
+	return filters, nil
+}
+
+func (config certificateFiltersConfig) validate() error {
+	seenSet := make(map[certificateFilter]struct{})
+
+	for _, filter := range config.Filters {
+		if !isFieldSet(filter.CommonName) && !isFieldSet(filter.Organization) && !isFieldSet(filter.OrganizationalUnit) && !isFieldSet(filter.SubjectAlternativeName) {
+			return errors.New("certificate filter must have at least one field set")
+		}
+
+		if _, ok := seenSet[filter]; ok {
+			return fmt.Errorf("supplied certificate filters contain at least one duplicate entry: '%+v'", filter)
+		}
+
+		seenSet[filter] = struct{}{}
+	}
+
+	return nil
+}
+
+func (config certificateFiltersConfig) toSpec() []*namespace.CertificateFilterSpec {
+	var results []*namespace.CertificateFilterSpec
+
+	for _, filter := range config.Filters {
+		results = append(results, &namespace.CertificateFilterSpec{
+			CommonName:             filter.CommonName,
+			Organization:           filter.Organization,
+			OrganizationalUnit:     filter.OrganizationalUnit,
+			SubjectAlternativeName: filter.SubjectAlternativeName,
+		})
+	}
+
+	return results
+}
+
+func fromSpec(filters []*namespace.CertificateFilterSpec) certificateFiltersConfig {
+	var result certificateFiltersConfig
+
+	for _, filter := range filters {
+		result.Filters = append(result.Filters, certificateFilter{
+			CommonName:             filter.CommonName,
+			Organization:           filter.Organization,
+			OrganizationalUnit:     filter.OrganizationalUnit,
+			SubjectAlternativeName: filter.SubjectAlternativeName,
+		})
+	}
+
+	return result
+}
+
+func isFieldSet(fieldValue string) bool {
+	return len(strings.TrimSpace(fieldValue)) > 0
+}

app/cafilters.go

@@ -0,0 +1,126 @@
+package app
+
+import (
+	"reflect"
+	"testing"
+)
+
+func Test_certificateFilters_validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		filters certificateFiltersConfig
+		wantErr bool
+	}{
+		{
+			"no filters specified",
+			certificateFiltersConfig{},
+			false,
+		},
+		{
+			"empty filter specified",
+			certificateFiltersConfig{
+				[]certificateFilter{{}},
+			},
+			true,
+		},
+		{
+			"duplicate filter specified",
+			certificateFiltersConfig{
+				Filters: []certificateFilter{
+					{CommonName: "testCN"},
+					{CommonName: "testCN"},
+				},
+			},
+			true,
+		},
+		{
+			"two separate filters specified",
+			certificateFiltersConfig{
+				Filters: []certificateFilter{
+					{CommonName: "testCN"},
+					{CommonName: "testCN2"},
+				},
+			},
+			false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := tt.filters.validate(); (err != nil) != tt.wantErr {
+				t.Errorf("certificateFilters.validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func Test_parseCertificateFilters(t *testing.T) {
+	type args struct {
+		jsonFilters string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    certificateFiltersConfig
+		wantErr bool
+	}{
+		{
+			"empty contents",
+			args{},
+			certificateFiltersConfig{},
+			false,
+		},
+		{
+			"empty array",
+			args{`{ "filters": [] }`},
+			certificateFiltersConfig{
+				Filters: []certificateFilter{},
+			},
+			false,
+		},
+		{
+			"bad json",
+			args{`[`},
+			certificateFiltersConfig{},
+			true,
+		},
+		{
+			"simple json",
+			args{`{"filters": [{"commonName": "test1"}]}`},
+			certificateFiltersConfig{
+				Filters: []certificateFilter{{CommonName: "test1"}},
+			},
+			false,
+		},
+		{
+			"complex json",
+			args{`{ "filters": [ { "commonName": "test1" }, { "commonName": "test2" } ] }`},
+			certificateFiltersConfig{
+				Filters: []certificateFilter{
+					{CommonName: "test1"},
+					{CommonName: "test2"},
+				},
+			},
+			false,
+		},
+		{
+			"fail validation",
+			args{`{"filters": [{}]}`},
+			certificateFiltersConfig{},
+			true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseCertificateFilters([]byte(tt.args.jsonFilters))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("parseCertificateFilters() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("parseCertificateFilters() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}