From 28941860c7d1b6995de0b254b89b689d27f407c6 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Wed, 17 Jan 2024 12:41:56 +0000
Subject: [PATCH] Add test to show node aliases don't work upon refresh from cache

Signed-off-by: Sorin Dumitru
---
 .../endpoints/authorized_entryfetcher_test.go | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/pkg/server/endpoints/authorized_entryfetcher_test.go b/pkg/server/endpoints/authorized_entryfetcher_test.go
index 18b18e81cef..244abb11839 100644
--- a/pkg/server/endpoints/authorized_entryfetcher_test.go
+++ b/pkg/server/endpoints/authorized_entryfetcher_test.go
@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/spire/proto/spire/common"
 	"github.com/spiffe/spire/test/clock"
 	"github.com/spiffe/spire/test/fakes/fakedatastore"
 	"github.com/stretchr/testify/assert"
@@ -20,6 +22,73 @@ func TestNewAuthorizedEntryFetcherWithEventsBasedCache(t *testing.T) {
 	ef, err := NewAuthorizedEntryFetcherWithEventsBasedCache(ctx, log, clk, ds, defaultCacheReloadInterval, defaultPruneEventsOlderThan)
 	assert.NoError(t, err)
 	assert.NotNil(t, ef)
+
+	agentId, err := spiffeid.FromString("spiffe://example.org/myagent")
+	assert.NoError(t, err)
+
+	_, err = ds.CreateAttestedNode(ctx, &common.AttestedNode{
+		SpiffeId:     agentId.String(),
+		CertNotAfter: 99999999999,
+	})
+	assert.NoError(t, err)
+
+	// Also set the node selectors, since this isn't done by CreateAttestedNode
+	err = ds.SetNodeSelectors(ctx, agentId.String(), []*common.Selector{
+		{
+			Type:  "test",
+			Value: "alias",
+		},
+		{
+			Type:  "test",
+			Value: "cluster",
+		},
+	})
+	assert.NoError(t, err)
+
+	// Create node alias for the agent
+	_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
+		SpiffeId: "spiffe://example.org/alias",
+		ParentId: "spiffe://example.org/spire/server",
+		Selectors: []*common.Selector{
+			{
+				Type:  "test",
+				Value: "alias",
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	// Create one registration entry parented to the agent directly
+	_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
+		SpiffeId: "spiffe://example.org/viaagent",
+		ParentId: agentId.String(),
+		Selectors: []*common.Selector{
+			{
+				Type:  "workload",
+				Value: "one",
+			},
+		},
+	})
+
+	// Create one registration entry parented to the alias
+	_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
+		SpiffeId: "spiffe://example.org/viaalias",
+		ParentId: "spiffe://example.org/alias",
+		Selectors: []*common.Selector{
+			{
+				Type:  "workload",
+				Value: "two",
+			},
+		},
+	})
+	assert.NoError(t, err)
+
+	err = ef.updateCache(ctx)
+	assert.NoError(t, err)
+
+	entries, err := ef.FetchAuthorizedEntries(ctx, agentId)
+	assert.NoError(t, err)
+	assert.Equal(t, 2, len(entries))
 }
 
 func TestNewAuthorizedEntryFetcherWithEventsBasedCacheErrorBuildingCache(t *testing.T) {
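Review bot: The `CreateRegistrationEntry` call for `spiffe://example.org/viaagent` is the only datastore call in the hunk whose error is never checked; the `err` it assigns is silently overwritten by the following `viaalias` creation, so if that entry is not created the final `assert.Equal(t, 2, len(entries))` would fail for a reason unrelated to the alias behaviour the commit message wants to demonstrate. Add `assert.NoError(t, err)` directly after its closing `})`, matching the other three calls. Since every check here is `assert` rather than `require`, a failing `spiffeid.FromString` or `NewAuthorizedEntryFetcherWithEventsBasedCache` would also let execution continue into `agentId.String()` and `ef.updateCache(ctx)` on zero values; if the file already imports `require`, consider it for the setup steps so the test stops at the first real setup failure. A short comment before `ef.updateCache(ctx)` stating the intent would help too, e.g. `// Rebuild the cache from the datastore so both the direct and alias-parented entries should be visible to the agent`; the final assertion reads more naturally as `assert.Len(t, entries, 2)`. The enclosing test function starts before this hunk.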