diff --git a/.circleci/config.yml b/.circleci/config.yml index 989a55a695..3388471ea0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -102,8 +102,8 @@ jobs: steps: - setup_remote_docker: {} - checkout - - run: make images - - run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local | gzip > images.tar.gz + - run: make images scratch-images + - run: docker save spire-server:latest-local spire-agent:latest-local k8s-workload-registrar:latest-local oidc-discovery-provider:latest-local spire-server-scratch:latest-local spire-agent-scratch:latest-local k8s-workload-registrar-scratch:latest-local | gzip > images.tar.gz - persist_to_workspace: root: ./ paths: @@ -113,7 +113,8 @@ jobs: integration-test: # Run in the machine executor since we have to execute a bunch of # docker containers to do the tests - machine: true + machine: + image: ubuntu-2004:202010-01 parallelism: 4 resource_class: medium environment: diff --git a/pkg/agent/endpoints/sdsv2/handler.go b/pkg/agent/endpoints/sdsv2/handler.go index 4f603032be..99a19386f5 100644 --- a/pkg/agent/endpoints/sdsv2/handler.go +++ b/pkg/agent/endpoints/sdsv2/handler.go @@ -243,52 +243,62 @@ func (h *Handler) buildResponse(versionInfo string, req *api_v2.DiscoveryRequest names[name] = true } } + returnAllEntries := len(names) == 0 // TODO: verify the type url if upd.Bundle != nil { switch { - case len(names) == 0 || names[upd.Bundle.TrustDomainID()]: + case returnAllEntries || names[upd.Bundle.TrustDomainID()]: validationContext, err := buildValidationContext(upd.Bundle, "") if err != nil { return nil, err } + delete(names, upd.Bundle.TrustDomainID()) resp.Resources = append(resp.Resources, validationContext) case names[h.c.DefaultBundleName]: validationContext, err := buildValidationContext(upd.Bundle, h.c.DefaultBundleName) if err != nil { return nil, err } + delete(names, h.c.DefaultBundleName) resp.Resources = append(resp.Resources, validationContext) } } for _, federatedBundle := range upd.FederatedBundles { - if len(names) == 0 || names[federatedBundle.TrustDomainID()] { + if returnAllEntries || names[federatedBundle.TrustDomainID()] { validationContext, err := buildValidationContext(federatedBundle, "") if err != nil { return nil, err } + delete(names, federatedBundle.TrustDomainID()) resp.Resources = append(resp.Resources, validationContext) } } for i, identity := range upd.Identities { switch { - case len(names) == 0 || names[identity.Entry.SpiffeId]: + case returnAllEntries || names[identity.Entry.SpiffeId]: tlsCertificate, err := buildTLSCertificate(identity, "") if err != nil { return nil, err } + delete(names, identity.Entry.SpiffeId) resp.Resources = append(resp.Resources, tlsCertificate) case i == 0 && names[h.c.DefaultSVIDName]: tlsCertificate, err := buildTLSCertificate(identity, h.c.DefaultSVIDName) if err != nil { return nil, err } + delete(names, h.c.DefaultSVIDName) resp.Resources = append(resp.Resources, tlsCertificate) } } + if len(names) > 0 { + return nil, errs.New("unable to retrieve all requested identities, missing %v", names) + } + return resp, nil } diff --git a/pkg/agent/endpoints/sdsv2/handler_test.go b/pkg/agent/endpoints/sdsv2/handler_test.go index e3e618e416..95b5804602 100644 --- a/pkg/agent/endpoints/sdsv2/handler_test.go +++ b/pkg/agent/endpoints/sdsv2/handler_test.go @@ -287,9 +287,8 @@ func (s *HandlerSuite) TestStreamSecretsUnknownResource() { s.sendAndWait(stream, &api_v2.DiscoveryRequest{ ResourceNames: []string{"spiffe://domain.test/WHATEVER"}, }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp) + _, err = stream.Recv() + s.Require().Error(err) } func (s *HandlerSuite) TestStreamSecretsStreaming() { @@ -479,14 +478,10 @@ func (s *HandlerSuite) TestFetchSecrets() { s.requireSecrets(resp, workloadTLSCertificate1) // Fetch non-existent resource - resp, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{ + _, err = s.handler.FetchSecrets(context.Background(), &api_v2.DiscoveryRequest{ ResourceNames: []string{"spiffe://domain.test/other"}, }) - s.Require().NoError(err) - s.Require().NotNil(resp) - s.Require().Empty(resp.VersionInfo) - s.Require().Empty(resp.Nonce) - s.requireSecrets(resp) + s.Require().Error(err) } func (s *HandlerSuite) setWorkloadUpdate(workloadCert *x509.Certificate) { diff --git a/pkg/agent/endpoints/sdsv3/handler.go b/pkg/agent/endpoints/sdsv3/handler.go index ae0dedbc39..dc947ce9cf 100644 --- a/pkg/agent/endpoints/sdsv3/handler.go +++ b/pkg/agent/endpoints/sdsv3/handler.go @@ -241,52 +241,62 @@ func (h *Handler) buildResponse(versionInfo string, req *discovery_v3.DiscoveryR names[name] = true } } + returnAllEntries := len(names) == 0 // TODO: verify the type url if upd.Bundle != nil { switch { - case len(names) == 0 || names[upd.Bundle.TrustDomainID()]: + case returnAllEntries || names[upd.Bundle.TrustDomainID()]: validationContext, err := buildValidationContext(upd.Bundle, "") if err != nil { return nil, err } + delete(names, upd.Bundle.TrustDomainID()) resp.Resources = append(resp.Resources, validationContext) case names[h.c.DefaultBundleName]: validationContext, err := buildValidationContext(upd.Bundle, h.c.DefaultBundleName) if err != nil { return nil, err } + delete(names, h.c.DefaultBundleName) resp.Resources = append(resp.Resources, validationContext) } } for _, federatedBundle := range upd.FederatedBundles { - if len(names) == 0 || names[federatedBundle.TrustDomainID()] { + if returnAllEntries || names[federatedBundle.TrustDomainID()] { validationContext, err := buildValidationContext(federatedBundle, "") if err != nil { return nil, err } + delete(names, federatedBundle.TrustDomainID()) resp.Resources = append(resp.Resources, validationContext) } } for i, identity := range upd.Identities { switch { - case len(names) == 0 || names[identity.Entry.SpiffeId]: + case returnAllEntries || names[identity.Entry.SpiffeId]: tlsCertificate, err := buildTLSCertificate(identity, "") if err != nil { return nil, err } + delete(names, identity.Entry.SpiffeId) resp.Resources = append(resp.Resources, tlsCertificate) case i == 0 && names[h.c.DefaultSVIDName]: tlsCertificate, err := buildTLSCertificate(identity, h.c.DefaultSVIDName) if err != nil { return nil, err } + delete(names, h.c.DefaultSVIDName) resp.Resources = append(resp.Resources, tlsCertificate) } } + if len(names) > 0 { + return nil, errs.New("unable to retrieve all requested identities, missing %v", names) + } + return resp, nil } diff --git a/pkg/agent/endpoints/sdsv3/handler_test.go b/pkg/agent/endpoints/sdsv3/handler_test.go index 805a6cdf5b..60410005a3 100644 --- a/pkg/agent/endpoints/sdsv3/handler_test.go +++ b/pkg/agent/endpoints/sdsv3/handler_test.go @@ -287,9 +287,8 @@ func (s *HandlerSuite) TestStreamSecretsUnknownResource() { s.sendAndWait(stream, &discovery_v3.DiscoveryRequest{ ResourceNames: []string{"spiffe://domain.test/WHATEVER"}, }) - resp, err := stream.Recv() - s.Require().NoError(err) - s.requireSecrets(resp) + _, err = stream.Recv() + s.Require().Error(err) } func (s *HandlerSuite) TestStreamSecretsStreaming() { @@ -479,14 +478,10 @@ func (s *HandlerSuite) TestFetchSecrets() { s.requireSecrets(resp, workloadTLSCertificate1) // Fetch non-existent resource - resp, err = s.handler.FetchSecrets(context.Background(), &discovery_v3.DiscoveryRequest{ + _, err = s.handler.FetchSecrets(context.Background(), &discovery_v3.DiscoveryRequest{ ResourceNames: []string{"spiffe://domain.test/other"}, }) - s.Require().NoError(err) - s.Require().NotNil(resp) - s.Require().Empty(resp.VersionInfo) - s.Require().Empty(resp.Nonce) - s.requireSecrets(resp) + s.Require().Error(err) } func (s *HandlerSuite) setWorkloadUpdate(workloadCert *x509.Certificate) {