def test_watch_jwt_bundle_no_retry_on_grpc_error_no_call(mocker):
grpc_error = grpc.RpcError
jwt_bundles = {
'example.org': JWKS_1_EC_KEY,
'domain.prod': JWKS_2_EC_1_RSA_KEYS
}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
side_effect=[
grpc_error,
delayed_responses(
[workload_pb2.JWTBundlesResponse(bundles=jwt_bundles)]),
])
expected_error = FetchJwtBundleError(
'Cannot process response from Workload API.')
event = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_jwt_bundles(
on_success=lambda r: handle_success(r, response_holder, event),
on_error=lambda e: handle_error(e, response_holder, event),
)
event.wait(3) # add timeout to prevent test from hanging
assert not response_holder.success
assert response_holder.error
assert_error(response_holder.error, expected_error)
def test_watch_x509_context_raise_unretryable_grpc_error(mocker):
grpc_error = grpc.RpcError()
grpc_error.code = lambda: grpc.StatusCode.INVALID_ARGUMENT
mock_error_iter = mocker.MagicMock()
mock_error_iter.__iter__.side_effect = grpc_error
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=mock_error_iter)
done = threading.Event()
expected_error = FetchX509SvidError('StatusCode.INVALID_ARGUMENT')
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: handle_error(e, response_holder, done),
True,
)
done.wait(5) # add timeout to prevent test from hanging
assert not response_holder.success
assert str(response_holder.error) == str(expected_error)
def test_watch_x509_context_success(mocker):
federated_bundles = {'domain.test': FEDERATED_BUNDLE}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchX509SVID = mocker.Mock(
return_value=iter([
workload_pb2.X509SVIDResponse(
svids=[
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service',
x509_svid=CHAIN1,
x509_svid_key=KEY1,
bundle=BUNDLE,
),
workload_pb2.X509SVID(
spiffe_id='spiffe://example.org/service2',
x509_svid=CHAIN2,
x509_svid_key=KEY2,
bundle=BUNDLE,
),
],
federated_bundles=federated_bundles,
)
]))
done = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_x509_context(
lambda r: handle_success(r, response_holder, done),
lambda e: handle_error(e, response_holder, done),
retry_connect=True,
)
done.wait(5) # add timeout to prevent test from hanging
assert not response_holder.error
x509_context = response_holder.success
svid1 = x509_context.default_svid()
assert svid1.spiffe_id() == SpiffeId.parse('spiffe://example.org/service')
assert len(svid1.cert_chain()) == 2
assert isinstance(svid1.leaf(), Certificate)
assert isinstance(svid1.private_key(), ec.EllipticCurvePrivateKey)
svid2 = x509_context.x509_svids()[1]
assert svid2.spiffe_id() == SpiffeId.parse('spiffe://example.org/service2')
assert len(svid2.cert_chain()) == 1
assert isinstance(svid2.leaf(), Certificate)
assert isinstance(svid2.private_key(), ec.EllipticCurvePrivateKey)
bundle_set = x509_context.x509_bundle_set()
bundle = bundle_set.get_x509_bundle_for_trust_domain(
TrustDomain.parse('example.org'))
assert bundle
assert len(bundle.x509_authorities()) == 1
def test_watch_jwt_bundle_success(mocker):
jwt_bundles = {
'example.org': JWKS_1_EC_KEY,
'domain.prod': JWKS_2_EC_1_RSA_KEYS
}
jwt_bundles_2 = {'domain.dev': JWKS_1_EC_KEY}
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
return_value=delayed_responses([
workload_pb2.JWTBundlesResponse(bundles=jwt_bundles),
workload_pb2.JWTBundlesResponse(bundles=jwt_bundles_2),
]))
event = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_jwt_bundles(
on_success=lambda r: handle_success(r, response_holder, event),
on_error=lambda e: handle_error(e, response_holder, event),
)
event.wait(3) # add timeout to prevent test from hanging
assert not response_holder.error
jwt_bundle_set = response_holder.success
assert jwt_bundle_set
jwt_bundle_1 = jwt_bundle_set.get(TrustDomain.parse('example.org'))
assert jwt_bundle_1
assert len(jwt_bundle_1.jwt_authorities()) == 1
jwt_bundle_2 = jwt_bundle_set.get(TrustDomain.parse('domain.prod'))
assert jwt_bundle_2
assert len(jwt_bundle_2.jwt_authorities()) == 3
# Wait to receive the second response from delayed_responses()
time.sleep(1)
assert not response_holder.error
jwt_bundle_set = response_holder.success
jwt_bundle = jwt_bundle_set.get(TrustDomain.parse('domain.dev'))
assert jwt_bundle
assert len(jwt_bundle.jwt_authorities()) == 1
def test_watch_jwt_bundle_no_retry_on_error(mocker):
some_error = Exception('Some Error')
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
side_effect=some_error, )
expected_error = FetchJwtBundleError(str(some_error))
event = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_jwt_bundles(
on_success=lambda r: handle_success(r, response_holder, event),
on_error=lambda e: handle_error(e, response_holder, event),
)
event.wait(3) # add timeout to prevent test from hanging
assert not response_holder.success
assert response_holder.error
assert_error(response_holder.error, expected_error)
def test_watch_jwt_bundle_no_retry_on_grpc_error(mocker):
grpc_error = FakeCall()
grpc_error._code = grpc.StatusCode.INVALID_ARGUMENT
WORKLOAD_API_CLIENT._spiffe_workload_api_stub.FetchJWTBundles = mocker.Mock(
side_effect=[
grpc_error,
])
expected_error = FetchJwtBundleError(grpc_error.details())
event = threading.Event()
response_holder = ResponseHolder()
WORKLOAD_API_CLIENT.watch_jwt_bundles(
on_success=lambda r: handle_success(r, response_holder, event),
on_error=lambda e: handle_error(e, response_holder, event),
)
event.wait(3) # add timeout to prevent test from hanging
assert not response_holder.success
assert response_holder.error
assert_error(response_holder.error, expected_error)