minor fixes and include unit test

spiffe · Jan 10, 2024 · 9cecfa1 · 9cecfa1
1 parent f59edb1
commit 9cecfa1
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
  | `jwt_audience`                | JWT SVID audience.                                                                                             | `"your-audience"`                                                                                                                                                    |
  | `jwt_svid_file_name`          | File name to be used to store JWT SVID in Base64-encoded string.                                               | `"jwt_svid.token"`                                                                                                                                                   |
  | `jwt_bundle_file_name`        | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`                                                                                                                                                  |
- | `federated_trust_domains`        | Include trust domains from federated servers in the CA bundle.                                                      | `true`                                                                                                                                                  |
+ | `include_federated_domains`   | Include trust domains from federated servers in the CA bundle.                                                 | `true`                                                                                                                                                               |
 
 
 ### Configuration example

diff --git a/pkg/sidecar/config.go b/pkg/sidecar/config.go
@@ -31,7 +31,7 @@ type Config struct {
 	SvidBundleFileNameDeprecated       string `hcl:"svidBundleFileName"`
 	RenewSignal                        string `hcl:"renew_signal"`
 	RenewSignalDeprecated              string `hcl:"renewSignal"`
-	FederatedTrustDomains              bool   `hcl:"federated_trust_domains"`
+	IncludeFederatedDomains            bool   `hcl:"include_federated_domains"`
 
 	// JWT configuration
 	JWTAudience       string `hcl:"jwt_audience"`
@@ -122,7 +122,6 @@ func ValidateConfig(c *Config) error {
 		c.RenewSignal = c.RenewSignalDeprecated
 	}
 
-
 	x509EmptyCount := countEmpty(c.SvidFileName, c.SvidBundleFileName, c.SvidKeyFileName)
 	jwtSVIDEmptyCount := countEmpty(c.JWTSvidFilename, c.JWTAudience)
 	jwtBundleEmptyCount := countEmpty(c.SvidBundleFileName)

diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
@@ -232,18 +232,16 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
 	}
 
 	// If using federated domains, add them to the CA bundle
-	if s.config.FederatedTrustDomains {
+	if s.config.IncludeFederatedDomains {
 		bundleSets := svidResponse.Bundles.Bundles()
 		for _,bundle := range bundleSets {
 			//The bundle corresponding to svid.ID.TrustDomain is already stored
-			if bundle.TrustDomain().String() != svid.ID.TrustDomain().String() {
+			if bundle.TrustDomain().Name() != svid.ID.TrustDomain().Name() {
 				bundles = append(bundles, bundle.X509Authorities()...)
 			}
 		}
 	}
 
-
-
 	if err := writeCerts(svidFile, certs); err != nil {
 		return err
 	}

diff --git a/pkg/sidecar/sidecar_test.go b/pkg/sidecar/sidecar_test.go
@@ -29,6 +29,10 @@ func TestSidecar_RunDaemon(t *testing.T) {
 	// Create an intermediate certificate
 	domain1Inter := domain1CA.CreateCA()
 	domain1Bundle := domain1CA.Roots()
+
+	//Used for testing federated trust domains
+	domain2CA := spiffetest.NewCA(t)
+	domain2Bundle := domain2CA.Roots()
 
 	// Svid with intermediate
 	spiffeIDWithIntermediate, err := spiffeid.FromString("spiffe://example.test/workloadWithIntermediate")
@@ -62,6 +66,11 @@ func TestSidecar_RunDaemon(t *testing.T) {
 		},
 	}
 
+	bundleWithFederatedDomains := append(domain1Bundle, domain2Bundle[0:]...)
+	//Used to create an additional bundle when testing federated trust domains
+	federatedSpiffeID, err := spiffeid.FromString("spiffe://foo.test/server")
+	require.NoError(t, err)
+
 	tmpdir := t.TempDir()
 
 	log, _ := test.NewNullLogger()
@@ -90,6 +99,7 @@ func TestSidecar_RunDaemon(t *testing.T) {
 		bundle               []*x509.Certificate
 		renewSignal          string
 		intermediateInBundle bool
+		federatedDomains     bool
 	}{
 		{
 			name: "svid with intermediate",
@@ -147,6 +157,17 @@ func TestSidecar_RunDaemon(t *testing.T) {
 			bundle:      domain1Bundle,
 			renewSignal: "SIGHUP",
 		},
+		{
+			name: "svid with federated trust domains",
+			response: &workloadapi.X509Context{
+				Bundles: x509bundle.NewSet(x509bundle.FromX509Authorities(spiffeID.TrustDomain(), domain1CA.Roots()), x509bundle.FromX509Authorities(federatedSpiffeID.TrustDomain(), domain2CA.Roots())),
+				SVIDs:   svid,
+			},
+			certs:       svidChain,
+			key:         svidKey,
+			bundle:      bundleWithFederatedDomains,
+			federatedDomains: true,
+		},
 	}
 
 	svidFile := path.Join(tmpdir, config.SvidFileName)
@@ -160,6 +181,7 @@ func TestSidecar_RunDaemon(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			sidecar.config.AddIntermediatesToBundle = testCase.intermediateInBundle
 			sidecar.config.RenewSignal = testCase.renewSignal
+			sidecar.config.IncludeFederatedDomains = testCase.federatedDomains
 			// Push response to start updating process
 			// updateMockChan <- testCase.response.ToProto(t)
 			w.OnX509ContextUpdate(testCase.response)