Diffstat (limited to 'athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java')
-rw-r--r-- | athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
index 2014b74a3e6..fbaa57d9694 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidatorTest.java
@@ -10,6 +10,7 @@ import com.yahoo.config.model.api.SuperModel;
 import com.yahoo.config.model.api.SuperModelProvider;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ClusterMembership;
+import com.yahoo.config.provision.ClusterSpec;
 import com.yahoo.config.provision.NodeResources;
 import com.yahoo.config.provision.NodeType;
 import com.yahoo.vespa.athenz.api.AthenzService;
@@ -59,6 +60,7 @@ public class InstanceValidatorTest {
 private final String service = "service";
 private final AthenzService vespaTenantDomain = new AthenzService("vespa.vespa.tenant");
+ private final AutoGeneratedKeyProvider keyProvider = new AutoGeneratedKeyProvider();
 @Test
 void application_does_not_exist() {
@@ -133,6 +135,17 @@ public class InstanceValidatorTest {
 }
 @Test
+ void rejects_invalid_cluster_type_in_csr() {
+ var props = Map.of(SERVICE_PROPERTIES_DOMAIN_KEY, domain, SERVICE_PROPERTIES_SERVICE_KEY, service);
+ var info = new ServiceInfo("serviceName", "type", List.of(), props, "confId", "hostName");
+ var provider = mockSuperModelProvider(mockApplicationInfo(applicationId, 5, List.of(info)));
+ var instanceValidator = new InstanceValidator(keyProvider, provider, mockNodeRepo(), new IdentityDocumentSigner(), vespaTenantDomain);
+ var instanceConfirmation = createRegisterInstanceConfirmation(applicationId, domain, service);
+ instanceConfirmation.set("sanURI", "vespa://cluster-type/content");
+ assertFalse(instanceValidator.isValidInstance(instanceConfirmation));
+ }
+
+ @Test
 void accepts_valid_refresh_requests() {
 NodeRepository nodeRepository = mock(NodeRepository.class);
 Nodes nodes = mock(Nodes.class);
@@ -188,8 +201,6 @@ public class InstanceValidatorTest {
 NodeRepository nodeRepository = mock(NodeRepository.class);
 Nodes nodes = mock(Nodes.class);
 when(nodeRepository.nodes()).thenReturn(nodes);
- InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain);
-
 List<Node> nodeList = createNodes(10);
 Node node = nodeList.get(0);
 nodeList = allocateNode(nodeList, node, applicationId);
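Review bot: `rejects_invalid_cluster_type_in_csr` ends on a bare `assertFalse(instanceValidator.isValidInstance(instanceConfirmation))`, which any rejection path satisfies, so a signature that fails to verify or an application lookup that misses would pass this test just as well as a cluster-type mismatch. Asserting that the same confirmation is accepted before the override would pin the rejection to the SAN URI: `assertTrue(instanceValidator.isValidInstance(instanceConfirmation));` placed before `instanceConfirmation.set("sanURI", "vespa://cluster-type/content");` (assuming `assertTrue` is imported and the fixture is otherwise valid). The name says "invalid", but `content` looks like a well-formed type that merely differs from the signed document's `container`, so `rejects_mismatching_cluster_type_in_csr` would describe the case more accurately. A confirmation with no `sanURI` at all, or with a type string that is not a known cluster type, is not exercised in this hunk and would be worth a separate test.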
@@ -197,11 +208,19 @@ public class InstanceValidatorTest {
 return nodeRepository;
 }
- private InstanceConfirmation createRegisterInstanceConfirmation(ApplicationId applicationId, String domain, String service) {
+ private InstanceConfirmation createRegisterInstanceConfirmation(
+ ApplicationId applicationId, String domain, String service) {
 VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(0, "default", applicationId.instance().value(), applicationId.application().value(), applicationId.tenant().value(), "us-north-1", "dev", IdentityType.NODE);
+ var domainService = new AthenzService(domain, service);
+ var clock = Instant.now();
+ var clusterType = ClusterSpec.Type.container;
+ var signature = new IdentityDocumentSigner()
+ .generateSignature(
+ vespaUniqueInstanceId, domainService, "localhost", "localhost", clock, Set.of(),
+ IdentityType.NODE, clusterType, keyProvider.getPrivateKey(0));
 SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(
- null, 0, vespaUniqueInstanceId, new AthenzService(domain, service), 0, "localhost", "localhost",
- Instant.now(), Collections.emptySet(), IdentityType.NODE, "container");
+ signature, 0, vespaUniqueInstanceId, domainService, 0, "localhost", "localhost",
+ clock, Collections.emptySet(), IdentityType.NODE, clusterType);
 return createInstanceConfirmation(vespaUniqueInstanceId, domain, service, signedIdentityDocument);
 }
@@ -221,6 +240,7 @@ public class InstanceValidatorTest {
 .map(EntityBindingsMapper::toSignedIdentityDocumentEntity)
 .orElse(null));
 instanceConfirmation.set("sanDNS", vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.dev-us-north-1.vespa.yahoo.cloud");
+ instanceConfirmation.set("sanURI", "vespa://cluster-type/container");
 return instanceConfirmation;
 } |
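Review bot: In `createRegisterInstanceConfirmation` the signed values and the document values are written out twice: `generateSignature` receives `Set.of()` and two `"localhost"` literals, while the `SignedIdentityDocument` constructor receives `Collections.emptySet()` and its own `"localhost"` literals. They are equal today, but an edit to one call and not the other would yield a document whose signature no longer covers its contents, and the negative tests built on this helper would then keep passing for the wrong reason. Hoisting the shared values into locals used by both calls removes that drift, e.g. `Set<String> ipAddresses = Set.of();` (presumably the IP-address set; confirm against the constructor). The `Instant` would read better as `createdAt` than `clock`, which suggests a `java.time.Clock`. The `0` in `keyProvider.getPrivateKey(0)` presumably has to match the `0` passed as the second constructor argument; a one-line comment such as `// key version must match the document's signing key version` would make that coupling explicit.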