Fix some test typos.
This commit is contained in:
R.B. Boyer
parent
da71aa9043
commit
b771c32361
|
|
@ -364,12 +364,12 @@ func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoya
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Treat this as an auth error since Envoy has sent something it considers
|
// Treat this as an auth error since Envoy has sent something it considers
|
||||||
// valid, it's just not an identity we trust.
|
// valid, it's just not an identity we trust.
|
||||||
return deniedResponse("Destination Principal is not a valid Connect identitiy")
|
return deniedResponse("Destination Principal is not a valid Connect identity")
|
||||||
}
|
}
|
||||||
|
|
||||||
destID, ok := dest.(*connect.SpiffeIDService)
|
destID, ok := dest.(*connect.SpiffeIDService)
|
||||||
if !ok {
|
if !ok {
|
||||||
return deniedResponse("Destination Principal is not a valid Service identitiy")
|
return deniedResponse("Destination Principal is not a valid Service identity")
|
||||||
}
|
}
|
||||||
|
|
||||||
// For now we don't validate the trust domain of the _destination_ at all -
|
// For now we don't validate the trust domain of the _destination_ at all -
|
||||||
|
|
|
||||||
|
|
@ -82,7 +82,7 @@ func (m *testManager) Watch(proxyID string) (<-chan *proxycfg.ConfigSnapshot, pr
|
||||||
// AssertWatchCancelled checks that the most recent call to a Watch cancel func
|
// AssertWatchCancelled checks that the most recent call to a Watch cancel func
|
||||||
// was from the specified proxyID and that one is made in a short time. This
|
// was from the specified proxyID and that one is made in a short time. This
|
||||||
// probably won't work if you are running multiple Watches in parallel on
|
// probably won't work if you are running multiple Watches in parallel on
|
||||||
// multiple proxyIDS due to timing/ordering issues but I dont think we need to
|
// multiple proxyIDS due to timing/ordering issues but I don't think we need to
|
||||||
// do that.
|
// do that.
|
||||||
func (m *testManager) AssertWatchCancelled(t *testing.T, proxyID string) {
|
func (m *testManager) AssertWatchCancelled(t *testing.T, proxyID string) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
@ -162,11 +162,11 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
// And should get a response immediately.
|
// And should get a response immediately.
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 1, 3))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 1, 3))
|
||||||
|
|
||||||
// Now send Route request along with next listner one
|
// Now send Route request along with next listener one
|
||||||
envoy.SendReq(t, RouteType, 0, 0)
|
envoy.SendReq(t, RouteType, 0, 0)
|
||||||
envoy.SendReq(t, ListenerType, 1, 3)
|
envoy.SendReq(t, ListenerType, 1, 3)
|
||||||
|
|
||||||
// We don't serve routes yet so this shoould block with no response
|
// We don't serve routes yet so this should block with no response
|
||||||
assertChanBlocked(t, envoy.stream.sendCh)
|
assertChanBlocked(t, envoy.stream.sendCh)
|
||||||
|
|
||||||
// WOOP! Envoy now has full connect config. Lets verify that if we update it,
|
// WOOP! Envoy now has full connect config. Lets verify that if we update it,
|
||||||
|
|
@ -179,7 +179,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
mgr.DeliverConfig(t, "web-sidecar-proxy", snap)
|
mgr.DeliverConfig(t, "web-sidecar-proxy", snap)
|
||||||
|
|
||||||
// All 3 response that have something to return should return with new version
|
// All 3 response that have something to return should return with new version
|
||||||
// note that the ordering is not determinisic in general. Trying to make this
|
// note that the ordering is not deterministic in general. Trying to make this
|
||||||
// test order-agnostic though is a massive pain since we are comparing
|
// test order-agnostic though is a massive pain since we are comparing
|
||||||
// non-identical JSON strings (so can simply sort by anything) and because we
|
// non-identical JSON strings (so can simply sort by anything) and because we
|
||||||
// don't know the order the nonces will be assigned. For now we rely and
|
// don't know the order the nonces will be assigned. For now we rely and
|
||||||
|
|
@ -189,21 +189,21 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) {
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(t, snap, "", 2, 5))
|
assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(t, snap, "", 2, 5))
|
||||||
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 2, 6))
|
assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 2, 6))
|
||||||
|
|
||||||
// Let's pretent that Envoy doesn't like that new listener config. It will ACK
|
// Let's pretend that Envoy doesn't like that new listener config. It will ACK
|
||||||
// all the others (same version) but NACK the listener. This is the most
|
// all the others (same version) but NACK the listener. This is the most
|
||||||
// subtle part of xDS and the server implementation so I'll elaborate. A full
|
// subtle part of xDS and the server implementation so I'll elaborate. A full
|
||||||
// description of the protocol can be found at
|
// description of the protocol can be found at
|
||||||
// https://github.com/envoyproxy/data-plane-api/blob/master/XDS_PROTOCOL.md.
|
// https://github.com/envoyproxy/data-plane-api/blob/master/XDS_PROTOCOL.md.
|
||||||
// Envoy delays making a followup reqeest for a type until after it has
|
// Envoy delays making a followup request for a type until after it has
|
||||||
// processed and applied the last response. The next request then will include
|
// processed and applied the last response. The next request then will include
|
||||||
// the nonce in the last response which acknowledges _recieving_ and handling
|
// the nonce in the last response which acknowledges _receiving_ and handling
|
||||||
// that response. It also includes the currently applied version. If all is
|
// that response. It also includes the currently applied version. If all is
|
||||||
// good and it successfully applies the config, then the version in the next
|
// good and it successfully applies the config, then the version in the next
|
||||||
// response will be the same version just sent. This is considered to be an
|
// response will be the same version just sent. This is considered to be an
|
||||||
// ACK of that version for that type. If envoy fails to apply the config for
|
// ACK of that version for that type. If envoy fails to apply the config for
|
||||||
// some reason, it will still acknowledge that it received it (still return
|
// some reason, it will still acknowledge that it received it (still return
|
||||||
// the responses nonce), but will show the previous version it's still using.
|
// the responses nonce), but will show the previous version it's still using.
|
||||||
// This is considered a NACK. It's impotant that the server pay attention to
|
// This is considered a NACK. It's important that the server pay attention to
|
||||||
// the _nonce_ and not the version when deciding what to send otherwise a bad
|
// the _nonce_ and not the version when deciding what to send otherwise a bad
|
||||||
// version that can't be applied in Envoy will cause a busy loop.
|
// version that can't be applied in Envoy will cause a busy loop.
|
||||||
//
|
//
|
||||||
|
|
@ -489,7 +489,7 @@ func assertChanBlocked(t *testing.T, ch chan *envoy.DiscoveryResponse) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
select {
|
select {
|
||||||
case r := <-ch:
|
case r := <-ch:
|
||||||
t.Fatalf("chan should block but recieved: %v", r)
|
t.Fatalf("chan should block but received: %v", r)
|
||||||
case <-time.After(10 * time.Millisecond):
|
case <-time.After(10 * time.Millisecond):
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
@ -501,12 +501,12 @@ func assertResponseSent(t *testing.T, ch chan *envoy.DiscoveryResponse, wantJSON
|
||||||
case r := <-ch:
|
case r := <-ch:
|
||||||
assertResponse(t, r, wantJSON)
|
assertResponse(t, r, wantJSON)
|
||||||
case <-time.After(50 * time.Millisecond):
|
case <-time.After(50 * time.Millisecond):
|
||||||
t.Fatalf("no response recieved after 50ms")
|
t.Fatalf("no response received after 50ms")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// assertResponse is a helper to test a envoy.DiscoveryResponse matches the
|
// assertResponse is a helper to test a envoy.DiscoveryResponse matches the
|
||||||
// JSON representaion we expect. We use JSON because the responses use protobuf
|
// JSON representation we expect. We use JSON because the responses use protobuf
|
||||||
// Any type which includes binary protobuf encoding and would make creating
|
// Any type which includes binary protobuf encoding and would make creating
|
||||||
// expected structs require the same code that is under test!
|
// expected structs require the same code that is under test!
|
||||||
func assertResponse(t *testing.T, r *envoy.DiscoveryResponse, wantJSON string) {
|
func assertResponse(t *testing.T, r *envoy.DiscoveryResponse, wantJSON string) {
|
||||||
|
|
@ -519,7 +519,7 @@ func assertResponse(t *testing.T, r *envoy.DiscoveryResponse, wantJSON string) {
|
||||||
require.JSONEqf(t, wantJSON, gotJSON, "got:\n%s", gotJSON)
|
require.JSONEqf(t, wantJSON, gotJSON, "got:\n%s", gotJSON)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestServer_StreamAggregatedResources_ACLEnforcment(t *testing.T) {
|
func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) {
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
|
|
@ -529,7 +529,7 @@ func TestServer_StreamAggregatedResources_ACLEnforcment(t *testing.T) {
|
||||||
wantDenied bool
|
wantDenied bool
|
||||||
}{
|
}{
|
||||||
// Note that although we've stubbed actual ACL checks in the testManager
|
// Note that although we've stubbed actual ACL checks in the testManager
|
||||||
// ConnectAuthorize mock, by asserting against specifc reason strings here
|
// ConnectAuthorize mock, by asserting against specific reason strings here
|
||||||
// even in the happy case which can't match the default one returned by the
|
// even in the happy case which can't match the default one returned by the
|
||||||
// mock we are implicitly validating that the implementation used the
|
// mock we are implicitly validating that the implementation used the
|
||||||
// correct token from the context.
|
// correct token from the context.
|
||||||
|
|
@ -685,7 +685,7 @@ func TestServer_Check(t *testing.T) {
|
||||||
destPrincipal: "not-a-spiffe-id",
|
destPrincipal: "not-a-spiffe-id",
|
||||||
// Should never make it to authz call.
|
// Should never make it to authz call.
|
||||||
wantDenied: true,
|
wantDenied: true,
|
||||||
wantReason: "Destination Principal is not a valid Connect identitiy",
|
wantReason: "Destination Principal is not a valid Connect identity",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "dest not a service URI",
|
name: "dest not a service URI",
|
||||||
|
|
@ -693,7 +693,7 @@ func TestServer_Check(t *testing.T) {
|
||||||
destPrincipal: "spiffe://trust-domain.consul",
|
destPrincipal: "spiffe://trust-domain.consul",
|
||||||
// Should never make it to authz call.
|
// Should never make it to authz call.
|
||||||
wantDenied: true,
|
wantDenied: true,
|
||||||
wantReason: "Destination Principal is not a valid Service identitiy",
|
wantReason: "Destination Principal is not a valid Service identity",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "ACL not got permission for authz call",
|
name: "ACL not got permission for authz call",
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue