test: set AuthToken in tests to match Client code (#24792)

tl;dr - runtime code is fine but tests should match reality The Nomad Client Agent is the only consumer of the `Node.Derive{SI,Vault}Token` RPCs, therefore tests of the RPCs should match Nomad Client behavior. - DeriveVaultToken code: https://github.com/hashicorp/nomad/blob/a9ee66a6ef358097783d1bf745051124cc0f14f2/client/client.go#L2904-L2917 - DeriveSIToken code: https://github.com/hashicorp/nomad/blob/a9ee66a6ef358097783d1bf745051124cc0f14f2/client/client.go#L2988-L2997 Both of those client code paths include the Node SecretID in both the request's SecretID field as well as the embedded `QueryOptions.AuthToken` field. This patch updates server tests to match that behavior. The tests pass either way.
hashicorp · Jan 7, 2025 · 1610f18 · 1610f18
1 parent 024c504
commit 1610f18
Showing 1 changed file with 24 additions and 14 deletions.
diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go
@@ -4198,13 +4198,15 @@ func TestClientEndpoint_DeriveVaultToken_Bad(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}
 
+	badSecret := uuid.Generate()
 	req := &structs.DeriveVaultTokenRequest{
 		NodeID:   node.ID,
-		SecretID: uuid.Generate(),
+		SecretID: badSecret,
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: badSecret,
 		},
 	}
 
@@ -4311,7 +4313,8 @@ func TestClientEndpoint_DeriveVaultToken(t *testing.T) {
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: node.SecretID,
 		},
 	}
 
@@ -4395,7 +4398,8 @@ func TestClientEndpoint_DeriveVaultToken_VaultError(t *testing.T) {
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: node.SecretID,
 		},
 	}
 
@@ -4518,11 +4522,14 @@ func TestClientEndpoint_DeriveSIToken(t *testing.T) {
 	r.NoError(err)
 
 	request := &structs.DeriveSITokenRequest{
-		NodeID:       node.ID,
-		SecretID:     node.SecretID,
-		AllocID:      alloc.ID,
-		Tasks:        []string{sidecarTask.Name},
-		QueryOptions: structs.QueryOptions{Region: "global"},
+		NodeID:   node.ID,
+		SecretID: node.SecretID,
+		AllocID:  alloc.ID,
+		Tasks:    []string{sidecarTask.Name},
+		QueryOptions: structs.QueryOptions{
+			Region:    "global",
+			AuthToken: node.SecretID,
+		},
 	}
 
 	var response structs.DeriveSITokenResponse
@@ -4576,11 +4583,14 @@ func TestClientEndpoint_DeriveSIToken_ConsulError(t *testing.T) {
 	r.NoError(err)
 
 	request := &structs.DeriveSITokenRequest{
-		NodeID:       node.ID,
-		SecretID:     node.SecretID,
-		AllocID:      alloc.ID,
-		Tasks:        []string{sidecarTask.Name},
-		QueryOptions: structs.QueryOptions{Region: "global"},
+		NodeID:   node.ID,
+		SecretID: node.SecretID,
+		AllocID:  alloc.ID,
+		Tasks:    []string{sidecarTask.Name},
+		QueryOptions: structs.QueryOptions{
+			Region:    "global",
+			AuthToken: node.SecretID,
+		},
 	}
 
 	var response structs.DeriveSITokenResponse