Skip to content

Commit

Permalink
Fetch agent selectors when refreshing event based cache (spiffe#4803)
Browse files Browse the repository at this point in the history 
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
  • Loading branch information
@sorindumitru @sriyer
sorindumitru authored and sriyer committed Feb 23, 2024
1 parent 490ce49 commit 6376baa
Show file tree
Hide file tree
Showing 3 changed files with 78 additions and 1 deletion.
6 changes: 6 additions & 0 deletions pkg/server/endpoints/authorized_entryfetcher.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,12 @@ func (a *AuthorizedEntryFetcherWithEventsBasedCache) updateAttestedNodesCache(ct
continue
}

selectors, err := a.ds.GetNodeSelectors(ctx, event.SpiffeID, datastore.RequireCurrent)
if err != nil {
return err
}
node.Selectors = selectors

agentExpiresAt := time.Unix(node.CertNotAfter, 0)
if agentExpiresAt.Before(a.clk.Now()) {
a.cache.RemoveAgent(event.SpiffeID)
Expand Down
71 changes: 71 additions & 0 deletions pkg/server/endpoints/authorized_entryfetcher_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,11 @@ import (
"context"
"errors"
"testing"
"time"

"github.com/sirupsen/logrus/hooks/test"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/proto/spire/common"
"github.com/spiffe/spire/test/clock"
"github.com/spiffe/spire/test/fakes/fakedatastore"
"github.com/stretchr/testify/assert"
Expand All @@ -20,6 +23,74 @@ func TestNewAuthorizedEntryFetcherWithEventsBasedCache(t *testing.T) {
ef, err := NewAuthorizedEntryFetcherWithEventsBasedCache(ctx, log, clk, ds, defaultCacheReloadInterval, defaultPruneEventsOlderThan)
assert.NoError(t, err)
assert.NotNil(t, ef)

agentID, err := spiffeid.FromString("spiffe://example.org/myagent")
assert.NoError(t, err)

_, err = ds.CreateAttestedNode(ctx, &common.AttestedNode{
SpiffeId: agentID.String(),
CertNotAfter: time.Now().Add(5 * time.Hour).Unix(),
})
assert.NoError(t, err)

// Also set the node selectors, since this isn't done by CreateAttestedNode
err = ds.SetNodeSelectors(ctx, agentID.String(), []*common.Selector{
{
Type: "test",
Value: "alias",
},
{
Type: "test",
Value: "cluster",
},
})
assert.NoError(t, err)

// Create node alias for the agent
_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
SpiffeId: "spiffe://example.org/alias",
ParentId: "spiffe://example.org/spire/server",
Selectors: []*common.Selector{
{
Type: "test",
Value: "alias",
},
},
})
assert.NoError(t, err)

// Create one registration entry parented to the agent directly
_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
SpiffeId: "spiffe://example.org/viaagent",
ParentId: agentID.String(),
Selectors: []*common.Selector{
{
Type: "workload",
Value: "one",
},
},
})
assert.NoError(t, err)

// Create one registration entry parented to the alias
_, err = ds.CreateRegistrationEntry(ctx, &common.RegistrationEntry{
SpiffeId: "spiffe://example.org/viaalias",
ParentId: "spiffe://example.org/alias",
Selectors: []*common.Selector{
{
Type: "workload",
Value: "two",
},
},
})
assert.NoError(t, err)

err = ef.updateCache(ctx)
assert.NoError(t, err)

entries, err := ef.FetchAuthorizedEntries(ctx, agentID)
assert.NoError(t, err)
assert.Equal(t, 2, len(entries))
}

func TestNewAuthorizedEntryFetcherWithEventsBasedCacheErrorBuildingCache(t *testing.T) {
Expand Down
2 changes: 1 addition & 1 deletion test/fakes/fakedatastore/fakedatastore.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ var _ datastore.DataStore = (*DataStore)(nil)
func New(tb testing.TB) *DataStore {
log, _ := test.NewNullLogger()

ds := sql.New(log, false)
ds := sql.New(log, true)
ds.SetUseServerTimestamps(true)

err := ds.Configure(ctx, fmt.Sprintf(`
Expand Down

0 comments on commit 6376baa

Please sign in to comment.