consul/agent/grpc-external/services/peerstream/server_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package peerstream

import (
	"context"
	"testing"

	"github.com/hashicorp/consul/proto/private/pbpeering"
	"github.com/hashicorp/consul/proto/private/pbpeerstream"
	"github.com/hashicorp/consul/sdk/testutil"
	"github.com/stretchr/testify/require"
)

func TestServer_ExchangeSecret(t *testing.T) {
	srv, store := newTestServer(t, nil)
	_ = writePeeringToBeDialed(t, store, 1, "my-peer")

	testutil.RunStep(t, "unknown establishment secret is rejected", func(t *testing.T) {
		resp, err := srv.ExchangeSecret(context.Background(), &pbpeerstream.ExchangeSecretRequest{
			PeerID:              testPeerID,
			EstablishmentSecret: "bad",
		})
		testutil.RequireErrorContains(t, err, `rpc error: code = PermissionDenied desc = invalid peering establishment secret`)
		require.Nil(t, resp)
	})

	var secret string
	testutil.RunStep(t, "known establishment secret is accepted", func(t *testing.T) {
		// First write the establishment secret so that it can be exchanged
		require.NoError(t, store.PeeringSecretsWrite(1, &pbpeering.SecretsWriteRequest{
			PeerID: testPeerID,
			Request: &pbpeering.SecretsWriteRequest_GenerateToken{
				GenerateToken: &pbpeering.SecretsWriteRequest_GenerateTokenRequest{
					EstablishmentSecret: testEstablishmentSecretID,
				},
			},
		}))

		// Exchange the now-valid establishment secret for a stream secret
		resp, err := srv.ExchangeSecret(context.Background(), &pbpeerstream.ExchangeSecretRequest{
			PeerID:              testPeerID,
			EstablishmentSecret: testEstablishmentSecretID,
		})
		require.NoError(t, err)
		require.NotEmpty(t, resp.StreamSecret)

		secret = resp.StreamSecret
	})

	testutil.RunStep(t, "pending secret is persisted to server", func(t *testing.T) {
		s, err := store.PeeringSecretsRead(nil, testPeerID)
		require.NoError(t, err)

		require.Equal(t, secret, s.GetStream().GetPendingSecretID())
	})
}