add ttl validation tests
schmichael committed Aug 28, 2023
1 parent 3de6a2f commit 85937b5
Showing 2 changed files with 30 additions and 1 deletion.
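--- a/nomad/structs/workload_id.go
+++ b/nomad/structs/workload_id.go
@@ -173,7 +173,7 @@ func (wi *WorkloadIdentity) Warnings() error {
 mErr.Errors = append(mErr.Errors, fmt.Errorf("while multiple audiences is allowed, it is more secure to use 1 audience per identity"))
 }
 
-if wi.Name != "" || wi.Name != WorkloadIdentityDefaultName {
+if wi.Name != "" && wi.Name != WorkloadIdentityDefaultName {
 if wi.TTL == 0 {
 mErr.Errors = append(mErr.Errors, fmt.Errorf("identities without an expiration are insecure"))
 }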
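Review bot: The corrected guard now exempts both the unnamed and the default-named identity from the "identities without an expiration are insecure" warning, but nothing in the code says why those two cases are treated differently from every other identity; a maintainer reading the `&&` later cannot tell it from the `||` it replaced. I would add a short why-comment above the condition, e.g. `// Only explicitly named, non-default identities are expected to carry a TTL; the default identity is handled elsewhere — confirm` (the exemption's rationale is not visible in this hunk, so verify the wording). As a point of style, both `fmt.Errorf` calls here carry no format verbs, so `errors.New(...)` would express the intent more directly if the file already imports `errors`. Warnings() begins before this hunk and its return is outside it.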
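--- a/nomad/structs/workload_id_test.go
+++ b/nomad/structs/workload_id_test.go
@@ -6,6 +6,7 @@ package structs
 import (
 "strings"
 "testing"
+"time"
 
 "github.com/hashicorp/nomad/ci"
 "github.com/shoenig/test/must"
@@ -45,6 +46,12 @@ func TestWorkloadIdentity_Equal(t *testing.T) {
 
 newWI.Audience = []string{"foo"}
 must.NotEqual(t, orig, newWI)
+
+newWI.Audience = orig.Audience
+must.Equal(t, orig, newWI)
+
+newWI.TTL = 123 * time.Hour
+must.NotEqual(t, orig, newWI)
 }
 
 // TestWorkloadIdentity_Validate asserts that canonicalized workload identities
@@ -84,12 +91,14 @@ func TestWorkloadIdentity_Validate(t *testing.T) {
 Audience: []string{"http://nomadproject.io/"},
 Env: true,
 File: true,
+TTL: time.Hour,
 },
 Exp: WorkloadIdentity{
 Name: "foo-id",
 Audience: []string{"http://nomadproject.io/"},
 Env: true,
 File: true,
+TTL: time.Hour,
 },
 },
 {
@@ -143,6 +152,26 @@ func TestWorkloadIdentity_Validate(t *testing.T) {
 },
 Warn: "while multiple audiences is allowed, it is more secure to use 1 audience per identity",
 },
+{
+Desc: "Bad TTL",
+In: WorkloadIdentity{
+Name: "foo",
+TTL: -1 * time.Hour,
+},
+Err: "ttl must be >= 0",
+},
+{
+Desc: "No TTL",
+In: WorkloadIdentity{
+Name: "foo",
+Audience: []string{"foo"},
+},
+Exp: WorkloadIdentity{
+Name: "foo",
+Audience: []string{"foo"},
+},
+Warn: "identities without an expiration are insecure",
+},
 }
 
 for _, tc := range cases {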
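Review bot: The new "No TTL" case only covers a custom-named identity, so the branch this commit actually fixed in Warnings() — a default-named identity with a zero TTL must produce no warning (the old `||` would have warned) — is still untested and would not catch a regression back to the old condition. Add a sibling case in this table, e.g. `Desc: "Default identity without TTL"`, `In: WorkloadIdentity{Name: WorkloadIdentityDefaultName, Audience: []string{"foo"}}`, with `Exp` mirroring `In` and no `Warn` set, assuming the loop below treats an empty `Warn` as "no warning expected" (that check is outside the hunk, so confirm). TestWorkloadIdentity_Validate begins before this hunk and the case-iteration loop continues past it.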
