(t *testing.T)
| 17 | ) |
| 18 | |
| 19 | func Test_rotateKeys(t *testing.T) { |
| 20 | t.Parallel() |
| 21 | |
| 22 | t.Run("RotatesKeysNearExpiration", func(t *testing.T) { |
| 23 | t.Parallel() |
| 24 | |
| 25 | var ( |
| 26 | db, _ = dbtestutil.NewDB(t) |
| 27 | clock = quartz.NewMock(t) |
| 28 | keyDuration = time.Hour * 24 * 7 |
| 29 | logger = testutil.Logger(t) |
| 30 | ctx = testutil.Context(t, testutil.WaitShort) |
| 31 | ) |
| 32 | |
| 33 | kr := &rotator{ |
| 34 | db: db, |
| 35 | keyDuration: keyDuration, |
| 36 | clock: clock, |
| 37 | logger: logger, |
| 38 | features: []database.CryptoKeyFeature{ |
| 39 | database.CryptoKeyFeatureWorkspaceAppsAPIKey, |
| 40 | }, |
| 41 | } |
| 42 | |
| 43 | now := dbnow(clock) |
| 44 | |
| 45 | // Seed the database with an existing key. |
| 46 | oldKey := dbgen.CryptoKey(t, db, database.CryptoKey{ |
| 47 | Feature: database.CryptoKeyFeatureWorkspaceAppsAPIKey, |
| 48 | StartsAt: now, |
| 49 | Sequence: 15, |
| 50 | }) |
| 51 | |
| 52 | // Advance the window to just inside rotation time. |
| 53 | _ = clock.Advance(keyDuration - time.Minute*59) |
| 54 | err := kr.rotateKeys(ctx) |
| 55 | require.NoError(t, err) |
| 56 | |
| 57 | now = dbnow(clock) |
| 58 | expectedDeletesAt := oldKey.ExpiresAt(keyDuration).Add(WorkspaceAppsTokenDuration + time.Hour) |
| 59 | |
| 60 | // Fetch the old key, it should have an deletes_at now. |
| 61 | oldKey, err = db.GetCryptoKeyByFeatureAndSequence(ctx, database.GetCryptoKeyByFeatureAndSequenceParams{ |
| 62 | Feature: oldKey.Feature, |
| 63 | Sequence: oldKey.Sequence, |
| 64 | }) |
| 65 | require.NoError(t, err) |
| 66 | require.Equal(t, oldKey.DeletesAt.Time.UTC(), expectedDeletesAt) |
| 67 | |
| 68 | // The new key should be created and have a starts_at of the old key's expires_at. |
| 69 | newKey, err := db.GetCryptoKeyByFeatureAndSequence(ctx, database.GetCryptoKeyByFeatureAndSequenceParams{ |
| 70 | Feature: database.CryptoKeyFeatureWorkspaceAppsAPIKey, |
| 71 | Sequence: oldKey.Sequence + 1, |
| 72 | }) |
| 73 | require.NoError(t, err) |
| 74 | requireKey(t, newKey, database.CryptoKeyFeatureWorkspaceAppsAPIKey, oldKey.ExpiresAt(keyDuration), nullTime, oldKey.Sequence+1) |
| 75 | |
| 76 | // Advance the clock just before the keys delete time. |
nothing calls this directly
no test coverage detected