-
Notifications
You must be signed in to change notification settings - Fork 458
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API refactor: Add integration tests for admin RPCs #1730
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good!
We may perform some validations of the responses?
760d68b
to
23e93b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have some suggestions, all minor things.
case err != nil: | ||
return err | ||
case time.Unix(resp.Svid.ExpiresAt, 0).Before(time.Now()): | ||
return errors.New("invalid expiredAt") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errors.New("invalid expiredAt") | |
return errors.New("invalid ExpiresAt") |
claimsMap := make(map[string]interface{}) | ||
err = token.UnsafeClaimsWithoutVerification(&claimsMap) | ||
if err != nil { | ||
return fmt.Errorf("failed to claims: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("failed to claims: %v", err) | |
return fmt.Errorf("claims verification failed: %v", err) |
case len(r.Bundle.X509Authorities) == 0: | ||
return errors.New("missing X509 authorities") | ||
case !containsX509Certificate(r.Bundle.X509Authorities, blk.Bytes): | ||
return errors.New("no x509 authority") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errors.New("no x509 authority") | |
return errors.New("no X509 authority") |
case !containsX509Certificate(r.Bundle.X509Authorities, blk.Bytes): | ||
return errors.New("no x509 authority") | ||
case !containsJWTKey(r.Bundle.JwtAuthorities, jwtKey): | ||
return errors.New("no jwt key") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errors.New("no jwt key") | |
return errors.New("no JWT key") |
case len(r.Bundle.JwtAuthorities) == 0: | ||
return errors.New("missing JWT authorities") | ||
case len(r.Bundle.X509Authorities) != 0: | ||
return errors.New("unexpected x509 authorities") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errors.New("unexpected x509 authorities") | |
return errors.New("unexpected X509 authorities") |
|
||
for _, e := range resp.Entries { | ||
if !containsFunc(e.SpiffeId) { | ||
return fmt.Errorf("unexpected entry: %v", e.Id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("unexpected entry: %v", e.Id) | |
return fmt.Errorf("unexpected entry: %v", e) |
case r.Status.Code != int32(codes.OK): | ||
return fmt.Errorf("unexpected status: %v", r.Status) | ||
case r.Id != entryID: | ||
return fmt.Errorf("unexpected entryID: %v", r.Id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("unexpected entryID: %v", r.Id) | |
return fmt.Errorf("unexpected entry: %v", r) |
return errors.New("missing token") | ||
} | ||
|
||
// Set agentID that will be used in another tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Set agentID that will be used in another tests | |
// Set agentID that will be used in other tests |
// Create CSR | ||
csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key) | ||
if err != nil { | ||
return fmt.Errorf("fails to create CSR: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("fails to create CSR: %v", err) | |
return fmt.Errorf("failed to create CSR: %v", err) |
|
||
## Description | ||
|
||
This suite validates access to experimental admin endpoints |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we are not validating only access, this does't seem to be completely accurate
This suite validates access to experimental admin endpoints | |
This suite validates the experimental endpoints that require an admin X509-SVID |
|
||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
|
||
cd "${DIR}" && GOOS=linux go build -o $1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add CGO_ENABLED=0 to this? It makes it easier to do development since you can compile outside Docker and run inside Docker (alpine)
-ttl 0 | ||
check-synced-entry "spire-agent" "spiffe://domain.test/admin" | ||
|
||
log-debug "creating admin registration entry..." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The message seems duplicated from the previous log line. Maybe:
log-debug "creating admin registration entry..." | |
log-debug "creating non admin registration entry..." |
or
log-debug "creating admin registration entry..." | |
log-debug "creating regular registration entry..." |
ca_ttl = "1h" | ||
default_svid_ttl = "10m" | ||
experimental { | ||
enable_api = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for clarifying... why does the server configuration file has the experimental API enabled and the agent configuration file does not have it? Not sure if it was intended
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we dont use agent to run this test we use it only to fetch svids on client, and using regular workload api that is compatible with go-spiffe
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
0a0ddd4
to
c0479af
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @MarcosDY!
Add integration tests for admin RPCs