Method Test_MTLS_SPIFFE_Failure

internal/xds/bootstrap/tlscreds/bundle_ext_test.go:445–520
443}
444
445func (s) Test_MTLS_SPIFFE_Failure(t *testing.T) {
446 testutils.SetEnvConfig(t, &envconfig.XDSSPIFFEEnabled, true)
447 tests := []struct {
448 name string
449 certFile string
450 keyFile string
451 spiffeBundleFile string
452 serverOption grpc.ServerOption
453 wantErrContains string
454 wantErrCode codes.Code
455 }{
456 {
457 name: "No matching trust domain in bundle",
458 certFile: "spiffe_end2end/client_spiffe.pem",
459 keyFile: "spiffe_end2end/client.key",
460 spiffeBundleFile: "spiffe_end2end/server_spiffebundle.json",
461 serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsCompatibleWithSPIFFE(t, tls.RequireAndVerifyClientCert)),
462 wantErrContains: "spiffe: no bundle found for peer certificates",
463 wantErrCode: codes.Unavailable,
464 },
465 {
466 name: "Server cert has no valid SPIFFE URIs",
467 certFile: "spiffe_end2end/client_spiffe.pem",
468 keyFile: "spiffe_end2end/client.key",
469 spiffeBundleFile: "spiffe_end2end/client_spiffebundle.json",
470 serverOption: grpc.Creds(testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert)),
471 wantErrContains: "spiffe: could not get spiffe ID from peer leaf cert",
472 wantErrCode: codes.Unavailable,
473 },
474 {
475 name: "Server cert has valid spiffe ID but doesn't chain to the root CA",
476 certFile: "spiffe_end2end/client_spiffe.pem",
477 keyFile: "spiffe_end2end/client.key",
478 spiffeBundleFile: "spiffe_end2end/client_spiffebundle.json",
479 serverOption: grpc.Creds(testutils.CreateServerTLSCredentialsValidSPIFFEButWrongCA(t, tls.RequireAndVerifyClientCert)),
480 wantErrContains: "spiffe: x509 certificate Verify failed: x509: certificate signed by unknown authority",
481 wantErrCode: codes.Unavailable,
482 },
483 }
484 for _, tc := range tests {
485 t.Run(tc.name, func(t *testing.T) {
486 s := stubserver.StartTestService(t, nil, tc.serverOption)
487 defer s.Stop()
488 cfg := fmt.Sprintf(`{
489"certificate_file": "%s",
490"private_key_file": "%s",
491"spiffe_trust_bundle_map_file": "%s"
492}`,
493 testdata.Path(tc.certFile),
494 testdata.Path(tc.keyFile),
495 testdata.Path(tc.spiffeBundleFile))
496 tlsBundle, stop, err := tlscreds.NewBundle([]byte(cfg))
497 if err != nil {
498 t.Fatalf("Failed to create TLS bundle: %v", err)
499 }
500 defer stop()
501 conn, err := grpc.NewClient(s.Address, grpc.WithCredentialsBundle(tlsBundle), grpc.WithAuthority("x.test.example.com"))
502 if err != nil {
