def mock_client_fetch_jwt_bundles(mocker):
    """Replace ``FetchJWTBundles`` on the shared client stub with a canned reply.

    The mock returns a list holding two identical ``JWTBundlesResponse``
    messages, each mapping the trust domains ``example.org`` and
    ``domain.prod`` to their JWKS fixtures.
    """
    bundles_by_trust_domain = {
        'example.org': JWKS_1_EC_KEY,
        'domain.prod': JWKS_2_EC_1_RSA_KEYS,
    }
    canned_responses = [
        workload_pb2.JWTBundlesResponse(bundles=bundles_by_trust_domain),
        workload_pb2.JWTBundlesResponse(bundles=bundles_by_trust_domain),
    ]
    # NOTE(review): the stub attribute is assigned directly on the module-level
    # client, so nothing visible here restores it when the test finishes.
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        return_value=canned_responses
    )
def test_watch_jwt_bundle_no_retry_on_grpc_error_no_call(mocker):
    """A bare ``grpc.RpcError`` from the stub is reported as a generic error.

    The first stub call raises ``grpc.RpcError``; a second call would yield a
    valid response. The test expects the error callback to receive the generic
    'Cannot process response' error and no bundle set to have been delivered
    when the assertions run.
    """
    # The exception class itself is the first side effect, so the mock raises
    # a plain grpc.RpcError with no code or details attached.
    rpc_failure = grpc.RpcError
    bundles_by_trust_domain = {
        'example.org': JWKS_1_EC_KEY,
        'domain.prod': JWKS_2_EC_1_RSA_KEYS,
    }
    call_outcomes = [
        rpc_failure,
        delayed_responses(
            [workload_pb2.JWTBundlesResponse(bundles=bundles_by_trust_domain)]
        ),
    ]
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        side_effect=call_outcomes
    )
    expected_error = FetchJwtBundleError(
        'Cannot process response from Workload API.'
    )

    done = threading.Event()
    holder = ResponseHolder()

    def on_success(bundle_set):
        handle_success(bundle_set, holder, done)

    def on_error(err):
        handle_error(err, holder, done)

    WORKLOAD_API_CLIENT.watch_jwt_bundles(
        on_success=on_success,
        on_error=on_error,
    )

    # Bounded wait so a callback that never fires cannot hang the test run.
    done.wait(3)

    assert not holder.success
    assert holder.error
    assert_error(holder.error, expected_error)
def test_watch_jwt_bundle_success(mocker):
    """Two streamed responses each replace the bundle set seen by the watcher.

    The first response carries ``example.org`` (1 authority) and
    ``domain.prod`` (3 authorities); the second carries only ``domain.dev``
    (1 authority). No error may be reported at either point.
    """
    first_bundles = {
        'example.org': JWKS_1_EC_KEY,
        'domain.prod': JWKS_2_EC_1_RSA_KEYS,
    }
    second_bundles = {'domain.dev': JWKS_1_EC_KEY}
    stream = delayed_responses([
        workload_pb2.JWTBundlesResponse(bundles=first_bundles),
        workload_pb2.JWTBundlesResponse(bundles=second_bundles),
    ])
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        return_value=stream
    )

    done = threading.Event()
    holder = ResponseHolder()

    def on_success(bundle_set):
        handle_success(bundle_set, holder, done)

    def on_error(err):
        handle_error(err, holder, done)

    WORKLOAD_API_CLIENT.watch_jwt_bundles(
        on_success=on_success,
        on_error=on_error,
    )

    # Bounded wait so a callback that never fires cannot hang the test run.
    done.wait(3)

    assert not holder.error
    first_set = holder.success
    assert first_set

    example_org_bundle = first_set.get(TrustDomain.parse('example.org'))
    assert example_org_bundle
    assert len(example_org_bundle.jwt_authorities()) == 1

    domain_prod_bundle = first_set.get(TrustDomain.parse('domain.prod'))
    assert domain_prod_bundle
    assert len(domain_prod_bundle.jwt_authorities()) == 3

    # Give delayed_responses() time to emit the second message.
    # NOTE(review): this relies on the helper's delay being under one second.
    time.sleep(1)

    assert not holder.error
    second_set = holder.success
    domain_dev_bundle = second_set.get(TrustDomain.parse('domain.dev'))
    assert domain_dev_bundle
    assert len(domain_dev_bundle.jwt_authorities()) == 1
def test_fetch_jwt_bundles_empty_response(mocker):
    """A response with no bundles makes ``fetch_jwt_bundles`` raise.

    The client must surface ``FetchJwtBundleError`` rather than return an
    empty bundle set when the response's bundle map is empty.
    """
    empty_response = workload_pb2.JWTBundlesResponse(bundles={}, )
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        return_value=iter([empty_response])
    )

    with pytest.raises(FetchJwtBundleError) as raised:
        WORKLOAD_API_CLIENT.fetch_jwt_bundles()

    # Checked after the ``with`` block: a statement placed after the raising
    # call inside the block would never execute.
    message = str(raised.value)
    assert (message ==
            'Error fetching JWT Bundle: JWT Bundles response is empty.')
def test_fetch_jwt_bundles_error_parsing_jwks(mocker):
    """A JWKS whose key has no key ID fails the whole fetch.

    The response pairs a well-formed bundle for ``example.org`` with a
    ``domain.test`` bundle built from ``JWKS_MISSING_KEY_ID``. The client is
    expected to raise ``FetchJwtBundleError`` instead of returning a partial
    bundle set.
    """
    bundles_by_trust_domain = {
        'example.org': JWKS_1_EC_KEY,
        'domain.test': JWKS_MISSING_KEY_ID,
    }
    response = workload_pb2.JWTBundlesResponse(
        bundles=bundles_by_trust_domain,
    )
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        return_value=iter([response])
    )

    with pytest.raises(FetchJwtBundleError) as raised:
        WORKLOAD_API_CLIENT.fetch_jwt_bundles()

    # Checked after the ``with`` block: a statement placed after the raising
    # call inside the block would never execute.
    message = str(raised.value)
    assert (
        message
        == 'Error fetching JWT Bundle: Error parsing JWT bundle: Error adding authority from JWKS: keyID cannot be empty.'
    )
def test_fetch_jwt_bundles(mocker):
    """A single response yields one bundle per trust domain.

    ``example.org`` must expose 1 JWT authority and ``domain.test`` must
    expose 3, looked up through parsed ``TrustDomain`` keys.
    """
    bundles_by_trust_domain = {
        'example.org': JWKS_1_EC_KEY,
        'domain.test': JWKS_2_EC_1_RSA_KEYS,
    }
    response = workload_pb2.JWTBundlesResponse(
        bundles=bundles_by_trust_domain,
    )
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        return_value=iter([response])
    )

    fetched_set = WORKLOAD_API_CLIENT.fetch_jwt_bundles()

    own_bundle = fetched_set.get(TrustDomain.parse('example.org'))
    assert own_bundle
    assert len(own_bundle.jwt_authorities()) == 1

    federated_bundle = fetched_set.get(TrustDomain.parse('domain.test'))
    assert federated_bundle
    assert len(federated_bundle.jwt_authorities()) == 3
def test_get_jwt_bundle_exception(mocker):
    """A source built on a failing stub refuses to serve bundles.

    The stub raises on every call, and ``get_jwt_bundle`` is then expected to
    raise ``JwtSourceError`` reporting that the source is closed.
    """
    bundles_by_trust_domain = {
        'example.org': JWKS_1_EC_KEY,
        'domain.prod': JWKS_2_EC_1_RSA_KEYS,
    }
    # With an exception as side_effect the mock raises on each call, so the
    # return_value below is never handed to the client.
    failing_stub = mocker.Mock(
        return_value=[
            workload_pb2.JWTBundlesResponse(bundles=bundles_by_trust_domain),
        ],
        side_effect=Exception('Mocked Error'),
    )
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = failing_stub

    source = DefaultJwtSource(WORKLOAD_API_CLIENT)

    with pytest.raises(JwtSourceError) as raised:
        source.get_jwt_bundle(TrustDomain.parse('example.org'))

    # Checked after the ``with`` block: a statement placed after the raising
    # call inside the block would never execute.
    message = str(raised.value)
    assert (message ==
            'JWT Source error: Cannot get JWT Bundle: source is closed.')
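def test_watch_jwt_bundle_retry_on_grpc_error(mocker):
    """After a ``FakeCall`` error the watcher still delivers the bundle set.

    The first stub call raises ``FakeCall()``; the second returns a delayed
    stream with one response. The test expects the bundle set from that
    response to arrive (``example.org`` with 1 authority, ``domain.prod`` with
    3) and every reported error to match the ``FakeCall`` details.
    """
    grpc_error = FakeCall()
    jwt_bundles = {
        'example.org': JWKS_1_EC_KEY,
        'domain.prod': JWKS_2_EC_1_RSA_KEYS,
    }
    WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
        side_effect=[
            grpc_error,
            delayed_responses(
                [workload_pb2.JWTBundlesResponse(bundles=jwt_bundles)]
            ),
        ]
    )
    expected_error = FetchJwtBundleError(grpc_error.details())
    event = threading.Event()
    response_holder = ResponseHolder()

    # Errors are only recorded in the callback and are checked below on the
    # test thread. An assertion raised inside the callback would surface
    # wherever the client invokes it (presumably a watcher thread), where a
    # failure may be swallowed instead of failing the test.
    reported_errors = []

    WORKLOAD_API_CLIENT.watch_jwt_bundles(
        on_success=lambda r: handle_success(r, response_holder, event),
        on_error=lambda e: reported_errors.append(e),
    )

    event.wait(3)  # add timeout to prevent test from hanging

    # Wait to receive the response from delayed_responses()
    time.sleep(1)

    # NOTE(review): the number of reported errors is not asserted because the
    # client's callback contract is not visible from this test.
    for reported in list(reported_errors):
        assert_error(reported, expected_error)

    jwt_bundle_set = response_holder.success
    assert jwt_bundle_set

    jwt_bundle_1 = jwt_bundle_set.get(TrustDomain.parse('example.org'))
    assert jwt_bundle_1
    assert len(jwt_bundle_1.jwt_authorities()) == 1

    jwt_bundle_2 = jwt_bundle_set.get(TrustDomain.parse('domain.prod'))
    assert jwt_bundle_2
    assert len(jwt_bundle_2.jwt_authorities()) == 3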