def test_watch_x509_context_raise_unretryable_grpc_error(mocker):
grpc_error = grpc.RpcError()
grpc_error.code = lambda: grpc.StatusCode.INVALID_ARGUMENT
mock_error_iter = mocker.MagicMock()
mock_error_iter.__iter__.side_effect = grpc_error
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=mock_error_iter)
done = threading.Event()
expected_error = FetchX509SvidError('StatusCode.INVALID_ARGUMENT')
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: handle_error(e, response_holder, done),
True,
)
done.wait(5) # add timeout to prevent test from hanging
assert not response_holder.success
assert str(response_holder.error) == str(expected_error)
def test_watch_x509_context_success(mocker):
federated_bundles = {'domain.test': FEDERATED_BUNDLE}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter([
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=CHAIN1,
x509_svid_key=KEY1,
bundle=BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=CHAIN2,
x509_svid_key=KEY2,
bundle=BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]))
done = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: handle_error(e, response_holder, done),
retry_connect=True,
)
done.wait(5) # add timeout to prevent test from hanging
assert not response_holder.error
x509_context = response_holder.success
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle_set = x509_context.x509_bundle_set()
bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain.parse('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
def test_watch_x509_context_raise_retryable_grpc_error_and_then_ok_response(
mocker):
mock_error_iter = mocker.MagicMock()
mock_error_iter.__iter__.side_effect = (
yield_grpc_error_and_then_correct_x509_svid_response())
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=mock_error_iter)
expected_error = FetchX509SvidError('StatusCode.DEADLINE_EXCEEDED')
done = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: assert_error(e, expected_error),
True,
)
done.wait(5) # add timeout to prevent test from hanging
x509_context = response_holder.success
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle_set = x509_context.x509_bundle_set()
bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain.parse('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1