From 1610f18500fc6a52648f70bc04e9abe425a0e6cf Mon Sep 17 00:00:00 2001 From: Michael Schurter Date: Tue, 7 Jan 2025 09:28:05 -0800 Subject: [PATCH] test: set AuthToken in tests to match Client code (#24792) tl;dr - runtime code is fine but tests should match reality The Nomad Client Agent is the only consumer of the `Node.Derive{SI,Vault}Token` RPCs, therefore tests of the RPCs should match Nomad Client behavior. - DeriveVaultToken code: https://github.com/hashicorp/nomad/blob/a9ee66a6ef358097783d1bf745051124cc0f14f2/client/client.go#L2904-L2917 - DeriveSIToken code: https://github.com/hashicorp/nomad/blob/a9ee66a6ef358097783d1bf745051124cc0f14f2/client/client.go#L2988-L2997 Both of those client code paths include the Node SecretID in both the request's SecretID field as well as the embedded `QueryOptions.AuthToken` field. This patch updates server tests to match that behavior. The tests pass either way. --- nomad/node_endpoint_test.go | 38 +++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/nomad/node_endpoint_test.go b/nomad/node_endpoint_test.go index 3a3d3acc250..8de03e22be7 100644 --- a/nomad/node_endpoint_test.go +++ b/nomad/node_endpoint_test.go @@ -4198,13 +4198,15 @@ func TestClientEndpoint_DeriveVaultToken_Bad(t *testing.T) { t.Fatalf("err: %v", err) } + badSecret := uuid.Generate() req := &structs.DeriveVaultTokenRequest{ NodeID: node.ID, - SecretID: uuid.Generate(), + SecretID: badSecret, AllocID: alloc.ID, Tasks: tasks, QueryOptions: structs.QueryOptions{ - Region: "global", + Region: "global", + AuthToken: badSecret, }, } @@ -4311,7 +4313,8 @@ func TestClientEndpoint_DeriveVaultToken(t *testing.T) { AllocID: alloc.ID, Tasks: tasks, QueryOptions: structs.QueryOptions{ - Region: "global", + Region: "global", + AuthToken: node.SecretID, }, } @@ -4395,7 +4398,8 @@ func TestClientEndpoint_DeriveVaultToken_VaultError(t *testing.T) { AllocID: alloc.ID, Tasks: tasks, QueryOptions: structs.QueryOptions{ - Region: "global", + Region: "global", + AuthToken: node.SecretID, }, } @@ -4518,11 +4522,14 @@ func TestClientEndpoint_DeriveSIToken(t *testing.T) { r.NoError(err) request := &structs.DeriveSITokenRequest{ - NodeID: node.ID, - SecretID: node.SecretID, - AllocID: alloc.ID, - Tasks: []string{sidecarTask.Name}, - QueryOptions: structs.QueryOptions{Region: "global"}, + NodeID: node.ID, + SecretID: node.SecretID, + AllocID: alloc.ID, + Tasks: []string{sidecarTask.Name}, + QueryOptions: structs.QueryOptions{ + Region: "global", + AuthToken: node.SecretID, + }, } var response structs.DeriveSITokenResponse @@ -4576,11 +4583,14 @@ func TestClientEndpoint_DeriveSIToken_ConsulError(t *testing.T) { r.NoError(err) request := &structs.DeriveSITokenRequest{ - NodeID: node.ID, - SecretID: node.SecretID, - AllocID: alloc.ID, - Tasks: []string{sidecarTask.Name}, - QueryOptions: structs.QueryOptions{Region: "global"}, + NodeID: node.ID, + SecretID: node.SecretID, + AllocID: alloc.ID, + Tasks: []string{sidecarTask.Name}, + QueryOptions: structs.QueryOptions{ + Region: "global", + AuthToken: node.SecretID, + }, } var response structs.DeriveSITokenResponse