From 2b264b1ac241ab7b27a0c3c37749daaad16c0c8e Mon Sep 17 00:00:00 2001
From: Morten Tokle <mortent@vespa.ai>
Date: Wed, 17 Apr 2024 22:53:16 +0200
Subject: Check for duplicate clients

---
 .../xml/CloudTokenDataPlaneFilterTest.java         | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)

(limited to 'config-model/src/test/java/com/yahoo')

diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java
index 1c5eb16be80..fa09d3c1890 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.java
@@ -162,6 +162,36 @@ public class CloudTokenDataPlaneFilterTest extends ContainerModelBuilderTestBase
         assertEquals("Invalid permission 'unknown-permission'. Valid values are 'read' and 'write'.", exception.getMessage());
     }
 
+    @Test
+    void fails_on_duplicate_clients() throws IOException {
+        var certFile = securityFolder.resolve("foo.pem");
+        var servicesXml = """
+                    <container version="1.0">
+                        <clients>
+                            <client id="mtls" permissions="read,write">
+                              <certificate file="%1$s"/>
+                            </client>
+                            <client id="mtls" permissions="read,write">
+                              <certificate file="%1$s"/>
+                            </client>
+                            <client id="token1" permissions="read">
+                                <token id="my-token"/>
+                            </client>
+                            <client id="token2" permissions="read">
+                                <token id="my-token"/>
+                            </client>
+                            <client id="token1" permissions="read">
+                                <token id="my-token"/>
+                            </client>
+                        </clients>
+                    </container>
+                """.formatted(applicationFolder.toPath().relativize(certFile).toString());
+        var clusterElem = DomBuilderTest.parse(servicesXml);
+        createCertificate(certFile);
+        var exception = assertThrows(IllegalArgumentException.class, () -> buildModel(Set.of(mtlsEndpoint), defaultTokens, clusterElem));
+        assertEquals("Duplicate client ids: [mtls, token1]", exception.getMessage());
+    }
+
     private static CloudTokenDataPlaneFilterConfig.Clients.Tokens tokenConfig(
             String id, Collection<String> fingerprints, Collection<String> accessCheckHashes, Collection<String> expirations) {
         return new CloudTokenDataPlaneFilterConfig.Clients.Tokens.Builder()
-- 
cgit v1.2.3