Test_SPIFFE_Reloading sets up a client and server. The client is configured to use a SPIFFE bundle map, and the server is configured to use TLS credentials compatible with this bundle. A handshake is performed and the connection is expected to succeed. Then we change the client's SPIFFE bundle map file
(t *testing.T)
| 238 | // is performed and checked for failure, ensuring that gRPC is correctly using |
| 239 | // the changed-on-disk bundle map. |
| 240 | func (s) Test_SPIFFE_Reloading(t *testing.T) { |
| 241 | testutils.SetEnvConfig(t, &envconfig.XDSSPIFFEEnabled, true) |
| 242 | clientSPIFFEBundle, err := os.ReadFile(testdata.Path("spiffe_end2end/client_spiffebundle.json")) |
| 243 | if err != nil { |
| 244 | t.Fatalf("Failed to read test SPIFFE bundle: %v", err) |
| 245 | } |
| 246 | |
| 247 | // Write CA certs to a temporary file so that we can modify it later. |
| 248 | spiffePath := t.TempDir() + "/client_spiffe.json" |
| 249 | if err = os.WriteFile(spiffePath, clientSPIFFEBundle, 0644); err != nil { |
| 250 | t.Fatalf("Failed to write test SPIFFE Bundle %v: %v", clientSPIFFEBundle, err) |
| 251 | } |
| 252 | cfg := fmt.Sprintf(`{ |
| 253 | "spiffe_trust_bundle_map_file": "%s", |
| 254 | "refresh_interval": ".01s" |
| 255 | }`, spiffePath) |
| 256 | tlsBundle, stop, err := tlscreds.NewBundle([]byte(cfg)) |
| 257 | if err != nil { |
| 258 | t.Fatalf("Failed to create TLS bundle: %v", err) |
| 259 | } |
| 260 | defer stop() |
| 261 | |
| 262 | l, err := testutils.LocalTCPListener() |
| 263 | if err != nil { |
| 264 | t.Fatalf("testutils.LocalTCPListener() failed: %v", err) |
| 265 | } |
| 266 | lis := testutils.NewRestartableListener(l) |
| 267 | defer lis.Close() |
| 268 | ss := stubserver.StubServer{ |
| 269 | Listener: lis, |
| 270 | EmptyCallF: func(context.Context, *testpb.Empty) (*testpb.Empty, error) { return &testpb.Empty{}, nil }, |
| 271 | } |
| 272 | |
| 273 | serverCredentials := grpc.Creds(testutils.CreateServerTLSCredentialsCompatibleWithSPIFFE(t, tls.NoClientCert)) |
| 274 | server := stubserver.StartTestService(t, &ss, serverCredentials) |
| 275 | |
| 276 | defer server.Stop() |
| 277 | |
| 278 | conn, err := grpc.NewClient( |
| 279 | server.Address, |
| 280 | grpc.WithCredentialsBundle(tlsBundle), |
| 281 | grpc.WithAuthority("x.test.example.com"), |
| 282 | ) |
| 283 | if err != nil { |
| 284 | t.Fatalf("grpc.NewClient(%q) failed: %v", server.Address, err) |
| 285 | } |
| 286 | defer conn.Close() |
| 287 | |
| 288 | ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) |
| 289 | defer cancel() |
| 290 | |
| 291 | client := testgrpc.NewTestServiceClient(conn) |
| 292 | if _, err = client.EmptyCall(ctx, &testpb.Empty{}); err != nil { |
| 293 | t.Errorf("Error calling EmptyCall: %v", err) |
| 294 | } |
| 295 | |
| 296 | // Setup the wrong bundle to be reloaded |
| 297 | wrongBundle, err := os.ReadFile(testdata.Path("spiffe_end2end/server_spiffebundle.json")) |