consul/agent/grpc-external/services/connectca/sign_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connectca

import (
	"context"
	"errors"
	"testing"

	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/go-hclog"
	"github.com/stretchr/testify/mock"
	"github.com/stretchr/testify/require"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/acl/resolver"
	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/grpc-external/testutils"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/consul/proto-public/pbconnectca"
)

func TestSign_ConnectDisabled(t *testing.T) {
	server := NewServer(Config{ConnectEnabled: false})

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{})
	require.Error(t, err)
	require.Equal(t, codes.FailedPrecondition.String(), status.Code(err).String())
	require.Contains(t, status.Convert(err).Message(), "Connect")
}

func TestSign_Validation(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	testCases := map[string]struct {
		csr, err string
	}{
		"no csr": {
			csr: "",
			err: "CSR is required",
		},
		"invalid csr": {
			csr: "bogus",
			err: "no PEM-encoded data found",
		},
	}
	for desc, tc := range testCases {
		t.Run(desc, func(t *testing.T) {
			_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
				Csr: tc.csr,
			})
			require.Error(t, err)
			require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
			require.Equal(t, tc.err, status.Convert(err).Message())
		})
	}
}

func TestSign_Unauthenticated(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(resolver.Result{}, acl.ErrNotFound)

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.Error(t, err)
	require.Equal(t, codes.Unauthenticated.String(), status.Code(err).String())
}

func TestSign_PermissionDenied(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(nil, acl.ErrPermissionDenied)

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.Error(t, err)
	require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())
}

func TestSign_InvalidCSR(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(nil, connect.InvalidCSRError("nope"))

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.Error(t, err)
	require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())
}

func TestSign_RateLimited(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(nil, errors.New("Rate limit reached, try again later"))

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.Error(t, err)
	require.Equal(t, codes.ResourceExhausted.String(), status.Code(err).String())
}

func TestSign_InternalError(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(nil, errors.New("something went very wrong"))

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.Error(t, err)
	require.Equal(t, codes.Internal.String(), status.Code(err).String())
}

func TestSign_Success(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(&structs.IssuedCert{CertPEM: "this is the PEM"}, nil)

	server := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	rsp, err := server.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.NoError(t, err)
	require.Equal(t, "this is the PEM", rsp.CertPem)
}

func TestSign_RPCForwarding(t *testing.T) {
	aclResolver := &MockACLResolver{}
	aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).
		Return(testutils.ACLsDisabled(t), nil)

	caManager := &MockCAManager{}
	caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).
		Return(&structs.IssuedCert{CertPEM: "leader response"}, nil)

	leader := NewServer(Config{
		Logger:         hclog.NewNullLogger(),
		ACLResolver:    aclResolver,
		CAManager:      caManager,
		ForwardRPC:     noopForwardRPC,
		ConnectEnabled: true,
	})
	//nolint:staticcheck
	leaderConn, err := grpc.Dial(testutils.RunTestServer(t, leader).String(), grpc.WithInsecure())
	require.NoError(t, err)

	follower := NewServer(Config{
		Logger: hclog.NewNullLogger(),
		ForwardRPC: func(_ structs.RPCInfo, fn func(*grpc.ClientConn) error) (bool, error) {
			return true, fn(leaderConn)
		},
		ConnectEnabled: true,
	})

	csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))

	rsp, err := follower.Sign(context.Background(), &pbconnectca.SignRequest{
		Csr: csr,
	})
	require.NoError(t, err)
	require.Equal(t, "leader response", rsp.CertPem)
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00			`package connectca`

			`import (`
			`"context"`
			`"errors"`
			`"testing"`

			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

			`"github.com/hashicorp/go-hclog"`
			`"github.com/stretchr/testify/mock"`
			`"github.com/stretchr/testify/require"`

Update hcp-scada-provider to fix diamond dependency problem with go-msgpack (#15185) 2022-11-07 16:34:30 +00:00			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/acl/resolver"`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00			`"github.com/hashicorp/consul/agent/connect"`
grpc: rename public/private directories to external/internal (#13721) Previously, public referred to gRPC services that are both exposed on the dedicated gRPC port and have their definitions in the proto-public directory (so were considered usable by 3rd parties). Whereas private referred to services on the multiplexed server port that are only usable by agents and other servers. Now, we're splitting these definitions, such that external/internal refers to the port and public/private refers to whether they can be used by 3rd parties. This is necessary because the peering replication API needs to be exposed on the dedicated port, but is not (yet) suitable for use by 3rd parties. 2022-07-13 15:33:48 +00:00			`"github.com/hashicorp/consul/agent/grpc-external/testutils"`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00			`"github.com/hashicorp/consul/agent/structs"`
			`"github.com/hashicorp/consul/proto-public/pbconnectca"`
			`)`

			`func TestSign_ConnectDisabled(t *testing.T) {`
			`server := NewServer(Config{ConnectEnabled: false})`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{})`
			`require.Error(t, err)`
			`require.Equal(t, codes.FailedPrecondition.String(), status.Code(err).String())`
			`require.Contains(t, status.Convert(err).Message(), "Connect")`
			`}`

			`func TestSign_Validation(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`testCases := map[string]struct {`
			`csr, err string`
			`}{`
			`"no csr": {`
			`csr: "",`
			`err: "CSR is required",`
			`},`
			`"invalid csr": {`
			`csr: "bogus",`
			`err: "no PEM-encoded data found",`
			`},`
			`}`
			`for desc, tc := range testCases {`
			`t.Run(desc, func(t *testing.T) {`
			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: tc.csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())`
			`require.Equal(t, tc.err, status.Convert(err).Message())`
			`})`
			`}`
			`}`

			`func TestSign_Unauthenticated(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
Move ACLResolveResult into acl/resolver package (#13467) Having this type live in the agent/consul package makes it difficult to put anything that relies on token resolution (e.g. the new gRPC services) in separate packages without introducing import cycles. For example, if package foo imports agent/consul for the ACLResolveResult type it means that agent/consul cannot import foo to register its service. We've previously worked around this by wrapping the ACLResolver to "downgrade" its return type to an acl.Authorizer - aside from the added complexity, this also loses the resolved identity information. In the future, we may want to move the whole ACLResolver into the acl/resolver package. For now, putting the result type there at least, fixes the immediate import cycle issues. 2022-06-17 09:24:43 +00:00			`Return(resolver.Result{}, acl.ErrNotFound)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.Unauthenticated.String(), status.Code(err).String())`
			`}`

			`func TestSign_PermissionDenied(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(nil, acl.ErrPermissionDenied)`

			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.PermissionDenied.String(), status.Code(err).String())`
			`}`

			`func TestSign_InvalidCSR(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(nil, connect.InvalidCSRError("nope"))`

			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.InvalidArgument.String(), status.Code(err).String())`
			`}`

			`func TestSign_RateLimited(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(nil, errors.New("Rate limit reached, try again later"))`

			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.ResourceExhausted.String(), status.Code(err).String())`
			`}`

			`func TestSign_InternalError(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(nil, errors.New("something went very wrong"))`

			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`_, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.Error(t, err)`
			`require.Equal(t, codes.Internal.String(), status.Code(err).String())`
			`}`

			`func TestSign_Success(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(&structs.IssuedCert{CertPEM: "this is the PEM"}, nil)`

			`server := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`rsp, err := server.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.NoError(t, err)`
			`require.Equal(t, "this is the PEM", rsp.CertPem)`
			`}`

			`func TestSign_RPCForwarding(t *testing.T) {`
			`aclResolver := &MockACLResolver{}`
			`aclResolver.On("ResolveTokenAndDefaultMeta", mock.Anything, mock.Anything, mock.Anything).`
grpc/acl: fix bug where ACL token was required even if disabled (#15904) Fixes a bug introduced by #15346 where we'd always require an ACL token even if ACLs were disabled because we were erroneously treating `nil` identity as anonymous. 2023-01-05 16:31:18 +00:00			`Return(testutils.ACLsDisabled(t), nil)`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`caManager := &MockCAManager{}`
			`caManager.On("AuthorizeAndSignCertificate", mock.Anything, mock.Anything).`
			`Return(&structs.IssuedCert{CertPEM: "leader response"}, nil)`

			`leader := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ACLResolver: aclResolver,`
			`CAManager: caManager,`
			`ForwardRPC: noopForwardRPC,`
			`ConnectEnabled: true,`
			`})`
Update hcp-scada-provider to fix diamond dependency problem with go-msgpack (#15185) 2022-11-07 16:34:30 +00:00			`//nolint:staticcheck`
Implement the ServerDiscovery.WatchServers gRPC endpoint (#12819) * Implement the ServerDiscovery.WatchServers gRPC endpoint * Fix the ConnectCA.Sign gRPC endpoints metadata forwarding. * Unify public gRPC endpoints around the public.TraceID function for request_id logging 2022-04-21 16:56:18 +00:00			`leaderConn, err := grpc.Dial(testutils.RunTestServer(t, leader).String(), grpc.WithInsecure())`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00			`require.NoError(t, err)`

			`follower := NewServer(Config{`
			`Logger: hclog.NewNullLogger(),`
			`ForwardRPC: func(_ structs.RPCInfo, fn func(*grpc.ClientConn) error) (bool, error) {`
			`return true, fn(leaderConn)`
			`},`
			`ConnectEnabled: true,`
			`})`

			`csr, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))`

			`rsp, err := follower.Sign(context.Background(), &pbconnectca.SignRequest{`
			`Csr: csr,`
			`})`
			`require.NoError(t, err)`
			`require.Equal(t, "leader response", rsp.CertPem)`
			`}`