(t *testing.T)
| 443 | } |
| 444 | |
| 445 | func (s) Test_MTLS_SPIFFE_Failure(t *testing.T) { |
| 446 | testutils.SetEnvConfig(t, &envconfig.XDSSPIFFEEnabled, true) |
| 447 | tests := []struct { |
| 448 | name string |
| 449 | certFile string |
| 450 | keyFile string |
| 451 | spiffeBundleFile string |
| 452 | serverOption grpc.ServerOption |
| 453 | wantErrContains string |
| 454 | wantErrCode codes.Code |
| 455 | }{ |
| 456 | { |
| 457 | name: "No matching trust domain in bundle", |
| 458 | certFile: "spiffe_end2end/client_spiffe.pem", |
| 459 | keyFile: "spiffe_end2end/client.key", |
| 460 | spiffeBundleFile: "spiffe_end2end/server_spiffebundle.json", |
| 461 | serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsCompatibleWithSPIFFE(t, tls.RequireAndVerifyClientCert)), |
| 462 | wantErrContains: "spiffe: no bundle found for peer certificates", |
| 463 | wantErrCode: codes.Unavailable, |
| 464 | }, |
| 465 | { |
| 466 | name: "Server cert has no valid SPIFFE URIs", |
| 467 | certFile: "spiffe_end2end/client_spiffe.pem", |
| 468 | keyFile: "spiffe_end2end/client.key", |
| 469 | spiffeBundleFile: "spiffe_end2end/client_spiffebundle.json", |
| 470 | serverOption: grpc.Creds(testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert)), |
| 471 | wantErrContains: "spiffe: could not get spiffe ID from peer leaf cert", |
| 472 | wantErrCode: codes.Unavailable, |
| 473 | }, |
| 474 | { |
| 475 | name: "Server cert has valid spiffe ID but doesn't chain to the root CA", |
| 476 | certFile: "spiffe_end2end/client_spiffe.pem", |
| 477 | keyFile: "spiffe_end2end/client.key", |
| 478 | spiffeBundleFile: "spiffe_end2end/client_spiffebundle.json", |
| 479 | serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsValidSPIFFEButWrongCA(t, tls.RequireAndVerifyClientCert)), |
| 480 | wantErrContains: "spiffe: x509 certificate Verify failed: x509: certificate signed by unknown authority", |
| 481 | wantErrCode: codes.Unavailable, |
| 482 | }, |
| 483 | } |
| 484 | for _, tc := range tests { |
| 485 | t.Run(tc.name, func(t *testing.T) { |
| 486 | s := stubserver.StartTestService(t, nil, tc.serverOption) |
| 487 | defer s.Stop() |
| 488 | cfg := fmt.Sprintf(`{ |
| 489 | "certificate_file": "%s", |
| 490 | "private_key_file": "%s", |
| 491 | "spiffe_trust_bundle_map_file": "%s" |
| 492 | }`, |
| 493 | testdata.Path(tc.certFile), |
| 494 | testdata.Path(tc.keyFile), |
| 495 | testdata.Path(tc.spiffeBundleFile)) |
| 496 | tlsBundle, stop, err := tlscreds.NewBundle([]byte(cfg)) |
| 497 | if err != nil { |
| 498 | t.Fatalf("Failed to create TLS bundle: %v", err) |
| 499 | } |
| 500 | defer stop() |
| 501 | conn, err := grpc.NewClient(s.Address, grpc.WithCredentialsBundle(tlsBundle), grpc.WithAuthority("x.test.example.com")) |
| 502 | if err != nil { |