def test_fetch_x509_context_corrupted_federated_bundle(mocker):
federated_bundles = dict()
federated_bundles['domain.test'] = _CORRUPTED
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CHAIN1,
x509_svid_key=_KEY1,
bundle=_BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
bundle=_BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]
)
)
with (pytest.raises(FetchX509BundleError)) as exception:
WORKLOAD_API_CLIENT.fetch_x509_context()
assert (
str(exception.value)
== 'Error fetching X.509 Bundles: Unable to parse DER X.509 certificate.'
)
def test_fetch_x509_svid_corrupted_response(mocker):
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CORRUPTED,
x509_svid_key=_KEY1,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
),
]
)
]
)
)
with (pytest.raises(FetchX509SvidError)) as exception:
WORKLOAD_API_CLIENT.fetch_x509_svid()
assert (
str(exception.value)
== 'Error fetching X.509 SVID: Error parsing certificate: Unable to parse DER X.509 certificate.'
)
def test_fetch_x509_svid_success(mocker):
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CHAIN1,
x509_svid_key=_KEY1,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
),
]
)
]
)
)
svid = WORKLOAD_API_CLIENT.fetch_x509_svid()
assert svid.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid.cert_chain()) == 2
assert isinstance(svid.leaf(), Certificate)
assert isinstance(svid.private_key(), ec.EllipticCurvePrivateKey)
def test_fetch_x509_context_corrupted_svid(mocker):
federated_bundles = dict()
federated_bundles['domain.test'] = _FEDERATED_BUNDLE
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CHAIN1,
x509_svid_key=_CORRUPTED,
bundle=_BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
bundle=_BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]
)
)
with (pytest.raises(FetchX509SvidError)) as exception:
WORKLOAD_API_CLIENT.fetch_x509_context()
assert 'Error fetching X.509 SVID: Error parsing private key' in str(
exception.value
)
def yield_grpc_error_and_then_correct_x509_svid_response():
grpc_error = grpc.RpcError()
grpc_error.code = lambda: grpc.StatusCode.DEADLINE_EXCEEDED
yield grpc_error
federated_bundles = {'domain.test': FEDERATED_BUNDLE}
response = iter([
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=CHAIN1,
x509_svid_key=KEY1,
bundle=BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=CHAIN2,
x509_svid_key=KEY2,
bundle=BUNDLE,
),
],
federated_bundles=federated_bundles,
)
])
yield response
def test_fetch_x509_svid_empty_response(mocker):
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter([workload_pb2.X509SVIDResponse(svids=[])]))
with (pytest.raises(FetchX509SvidError)) as exception:
WORKLOAD_API_CLIENT.fetch_x509_svid()
assert (str(exception.value) ==
'Error fetching X.509 SVID: X.509 SVID response is empty.')
def test_fetch_x509_context_success(mocker):
federated_bundles = dict()
federated_bundles['domain.test'] = _FEDERATED_BUNDLE
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter(
[
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=_CHAIN1,
x509_svid_key=_KEY1,
bundle=_BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=_CHAIN2,
x509_svid_key=_KEY2,
bundle=_BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]
)
)
x509_context = WORKLOAD_API_CLIENT.fetch_x509_context()
svids = x509_context.x509_svids()
bundle_set = x509_context.x509_bundle_set()
assert len(svids) == 2
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle = bundle_set.get_x509_bundle_for_trust_domain(TrustDomain('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
federated_bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain('domain.test')
)
assert federated_bundle
assert len(federated_bundle.x509_authorities()) == 1
def test_watch_x509_context_success(mocker):
federated_bundles = {'domain.test': FEDERATED_BUNDLE}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter([
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=CHAIN1,
x509_svid_key=KEY1,
bundle=BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=CHAIN2,
x509_svid_key=KEY2,
bundle=BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]))
done = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: handle_error(e, response_holder, done),
retry_connect=True,
)
done.wait(5) # add timeout to prevent test from hanging
assert not response_holder.error
x509_context = response_holder.success
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle_set = x509_context.x509_bundle_set()
bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain.parse('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
def mock_client_return_multiple_svids(mocker):
federated_bundles = {'domain.test': FEDERATED_BUNDLE}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter([
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=CHAIN1,
x509_svid_key=KEY1,
bundle=BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=CHAIN2,
x509_svid_key=KEY2,
bundle=BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]))
