def test_fetch_x509_context_corrupted_federated_bundle(mocker): federated_bundles = dict() federated_bundles['domain.test'] = _CORRUPTED WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter( [ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=_CHAIN1, x509_svid_key=_KEY1, bundle=_BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=_CHAIN2, x509_svid_key=_KEY2, bundle=_BUNDLE, ), ], federated_bundles=federated_bundles, ) ] ) ) with (pytest.raises(FetchX509BundleError)) as exception: WORKLOAD_API_CLIENT.fetch_x509_context() assert ( str(exception.value) == 'Error fetching X.509 Bundles: Unable to parse DER X.509 certificate.' )
def test_fetch_x509_svid_corrupted_response(mocker): WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter( [ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=_CORRUPTED, x509_svid_key=_KEY1, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=_CHAIN2, x509_svid_key=_KEY2, ), ] ) ] ) ) with (pytest.raises(FetchX509SvidError)) as exception: WORKLOAD_API_CLIENT.fetch_x509_svid() assert ( str(exception.value) == 'Error fetching X.509 SVID: Error parsing certificate: Unable to parse DER X.509 certificate.' )
def test_fetch_x509_svid_success(mocker): WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter( [ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=_CHAIN1, x509_svid_key=_KEY1, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=_CHAIN2, x509_svid_key=_KEY2, ), ] ) ] ) ) svid = WORKLOAD_API_CLIENT.fetch_x509_svid() assert svid.spiffe_id() == SpiffeId.parse('spiffe://example.org/service') assert len(svid.cert_chain()) == 2 assert isinstance(svid.leaf(), Certificate) assert isinstance(svid.private_key(), ec.EllipticCurvePrivateKey)
def test_fetch_x509_context_corrupted_svid(mocker): federated_bundles = dict() federated_bundles['domain.test'] = _FEDERATED_BUNDLE WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter( [ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=_CHAIN1, x509_svid_key=_CORRUPTED, bundle=_BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=_CHAIN2, x509_svid_key=_KEY2, bundle=_BUNDLE, ), ], federated_bundles=federated_bundles, ) ] ) ) with (pytest.raises(FetchX509SvidError)) as exception: WORKLOAD_API_CLIENT.fetch_x509_context() assert 'Error fetching X.509 SVID: Error parsing private key' in str( exception.value )
def yield_grpc_error_and_then_correct_x509_svid_response(): grpc_error = grpc.RpcError() grpc_error.code = lambda: grpc.StatusCode.DEADLINE_EXCEEDED yield grpc_error federated_bundles = {'domain.test': FEDERATED_BUNDLE} response = iter([ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=CHAIN1, x509_svid_key=KEY1, bundle=BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=CHAIN2, x509_svid_key=KEY2, bundle=BUNDLE, ), ], federated_bundles=federated_bundles, ) ]) yield response
def test_fetch_x509_svid_empty_response(mocker): WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter([workload_pb2.X509SVIDResponse(svids=[])])) with (pytest.raises(FetchX509SvidError)) as exception: WORKLOAD_API_CLIENT.fetch_x509_svid() assert (str(exception.value) == 'Error fetching X.509 SVID: X.509 SVID response is empty.')
def test_fetch_x509_context_success(mocker): federated_bundles = dict() federated_bundles['domain.test'] = _FEDERATED_BUNDLE WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter( [ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=_CHAIN1, x509_svid_key=_KEY1, bundle=_BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=_CHAIN2, x509_svid_key=_KEY2, bundle=_BUNDLE, ), ], federated_bundles=federated_bundles, ) ] ) ) x509_context = WORKLOAD_API_CLIENT.fetch_x509_context() svids = x509_context.x509_svids() bundle_set = x509_context.x509_bundle_set() assert len(svids) == 2 svid1 = x509_context.default_svid() assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service') assert len(svid1.cert_chain()) == 2 assert isinstance(svid1.leaf(), Certificate) assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey) svid2 = x509_context.x509_svids()[1] assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2') assert len(svid2.cert_chain()) == 1 assert isinstance(svid2.leaf(), Certificate) assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey) bundle = bundle_set.get_x509_bundle_for_trust_domain(TrustDomain('example.org')) assert bundle assert len(bundle.x509_authorities()) == 1 federated_bundle = bundle_set.get_x509_bundle_for_trust_domain( TrustDomain('domain.test') ) assert federated_bundle assert len(federated_bundle.x509_authorities()) == 1
def test_watch_x509_context_success(mocker): federated_bundles = {'domain.test': FEDERATED_BUNDLE} WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter([ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=CHAIN1, x509_svid_key=KEY1, bundle=BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=CHAIN2, x509_svid_key=KEY2, bundle=BUNDLE, ), ], federated_bundles=federated_bundles, ) ])) done = threading.Event() response_holder = ResponseHolder() WORKLOAD_API_CLIENT.watch_x509_context( lambda r: handle_success(r, response_holder, done), lambda e: handle_error(e, response_holder, done), retry_connect=True, ) done.wait(5) # add timeout to prevent test from hanging assert not response_holder.error x509_context = response_holder.success svid1 = x509_context.default_svid() assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service') assert len(svid1.cert_chain()) == 2 assert isinstance(svid1.leaf(), Certificate) assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey) svid2 = x509_context.x509_svids()[1] assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2') assert len(svid2.cert_chain()) == 1 assert isinstance(svid2.leaf(), Certificate) assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey) bundle_set = x509_context.x509_bundle_set() bundle = bundle_set.get_x509_bundle_for_trust_domain( TrustDomain.parse('example.org')) assert bundle assert len(bundle.x509_authorities()) == 1
def mock_client_return_multiple_svids(mocker): federated_bundles = {'domain.test': FEDERATED_BUNDLE} WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock( return_value=iter([ workload_pb2.X509SVIDResponse( svids=[ workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service', x509_svid=CHAIN1, x509_svid_key=KEY1, bundle=BUNDLE, ), workload_pb2.X509SVID( spiffe_id='spiffe://example.org/service2', x509_svid=CHAIN2, x509_svid_key=KEY2, bundle=BUNDLE, ), ], federated_bundles=federated_bundles, ) ]))