From 745351dde7018040c211c8651d4882c76a73f2a0 Mon Sep 17 00:00:00 2001
From: Marcos Yacob
Date: Sat, 12 Oct 2024 10:07:35 -0300
Subject: [PATCH] Some improvements
Signed-off-by: Marcos Yacob
---
 .../05-prepare-jwt-authority | 8 ++++----
 .../force-rotation-jwt-authority/06-fetch-jwt-svid | 11 +++++------
 .../09-verify-svid-rotation | 1 -
 .../11-verify-revoked-jwt-authority | 2 +-
 4 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/test/integration/suites/force-rotation-jwt-authority/05-prepare-jwt-authority b/test/integration/suites/force-rotation-jwt-authority/05-prepare-jwt-authority
index 2433ed519e..8bcc43958f 100755
--- a/test/integration/suites/force-rotation-jwt-authority/05-prepare-jwt-authority
+++ b/test/integration/suites/force-rotation-jwt-authority/05-prepare-jwt-authority
@@ -20,17 +20,17 @@ searching="JWT key prepared|local_authority_id=${prepared_authority_id}"
 check-log-line spire-server "$searching"
 # Check for updated x509 authorities in spire-server
+# Check for updated JWT authorities in spire-server
 jwt_authorities=$(docker compose exec -T spire-server \
 /opt/spire/bin/spire-server bundle show -output json | jq '.jwt_authorities' -c)
 amount_authorities=$(echo "$jwt_authorities" | jq length)
-# Ensure two bundles are present after preparation
+# Ensure two JWT authorities are present after preparation
 if [[ $amount_authorities -ne 2 ]]; then
- fail-now "Two bundles expected after prepare"
+ fail-now "Two JWT authorities expected after prepare"
 fi
 # Ensure the prepared authority is present
-if [[ $(echo "$jwt_authorities" | jq -r ".[] | select(.key_id == \"$prepared_authority_id\")") == "" ]]; then
+if ! echo "$jwt_authorities" | jq -e ".[] | select(.key_id == \"$prepared_authority_id\")" > /dev/null; then
 fail-now "Prepared authority not found"
 fi
-
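Review bot: The rewritten presence check on the last changed line still splices `$prepared_authority_id` (set outside this hunk) into the jq program text through escaped quotes, so the filter is assembled from a value read from command output instead of receiving it as data. jq's `--arg` keeps the value out of the program, as `06-fetch-jwt-svid` in this same patch already does with `--arg kid`: `if ! echo "$jwt_authorities" | jq -e --arg id "$prepared_authority_id" '.[] | select(.key_id == $id)' > /dev/null; then`. Separately, the context line `# Check for updated x509 authorities in spire-server` stays directly above the added JWT comment, so the script now carries both; dropping the x509 line would remove the contradiction.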
diff --git a/test/integration/suites/force-rotation-jwt-authority/06-fetch-jwt-svid b/test/integration/suites/force-rotation-jwt-authority/06-fetch-jwt-svid
index 555bb9c116..42c3a82b13 100755
--- a/test/integration/suites/force-rotation-jwt-authority/06-fetch-jwt-svid
+++ b/test/integration/suites/force-rotation-jwt-authority/06-fetch-jwt-svid
@@ -5,9 +5,9 @@ prepared_authority=$(docker compose exec -t -e SPIRE_SERVER_FFLAGS=forced_rotati
 localauthority jwt show -output json | jq -r .active.authority_id) || fail-now "Failed to fetch prepared JWT authority ID"
 svid_json=$(docker compose exec spire-agent ./bin/spire-agent \
- api fetch jwt -audience aud -output json)
+ api fetch jwt -audience aud -output json) || fail-now "Failed to fetch JWT SVID"
-jwt_svid=$(echo $svid_json | jq -c '.[0].svids.[0].svid') || fail-now "Failed to fetch JWT SVID"
+jwt_svid=$(echo $svid_json | jq -c '.[0].svids[0].svid') || fail-now "Failed to parse JWT SVID"
 # Store JWT SVID for the next steps
 echo $jwt_svid > conf/agent/jwt_svid
@@ -20,7 +20,7 @@ if [[ $skid != $prepared_authority ]]; then
 fail-now "JWT SVID key ID does not match the prepared authority ID, got $skid, expected $prepared_authority"
 fi
-keys=$(echo $svid_json | jq -c '.[1].bundles.["spiffe://domain.test"] | @base64d | fromjson')
+keys=$(echo $svid_json | jq -c '.[1].bundles["spiffe://domain.test"] | @base64d | fromjson')
 retry_count=0
 max_retries=20
@@ -37,8 +37,8 @@ while [[ $retry_count -lt $max_retries ]]; do
 sleep 2
 # Re-fetch the JWT SVID and keys
 svid_json=$(docker compose exec spire-agent ./bin/spire-agent \
- api fetch jwt -audience aud -output json)
- jwt_svid=$(echo $svid_json | jq -c '.[0].svids[0].svid')
+ api fetch jwt -audience aud -output json) || fail-now "Failed to re-fetch JWT SVID"
+ jwt_svid=$(echo $svid_json | jq -c '.[0].svids[0].svid') || fail-now "Failed to parse re-fetched JWT SVID"
 keys=$(echo $svid_json | jq -c '.[1].bundles["spiffe://domain.test"] | @base64d | fromjson')
 fi
 done
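Review bot: The added `|| fail-now "Failed to parse JWT SVID"` does not fire when the SVID is simply absent, because `jq -c '.[0].svids[0].svid'` prints `null` and exits 0 for a missing path; only input jq cannot process makes it fail. Adding `-e` turns a null result into a non-zero exit: `jwt_svid=$(echo "$svid_json" | jq -e -c '.[0].svids[0].svid') || fail-now "Failed to parse JWT SVID"`. The same applies to the re-fetched parse in the `@@ -37,8` hunk. In a test that asserts which authority signed the token, a `null` written to `conf/agent/jwt_svid` should stop the step here rather than in a later step.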
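Review bot: `$svid_json` is expanded unquoted in the changed `keys=` line, so the JSON document goes through word splitting and pathname expansion before jq reads it; the `echo $jwt_svid > conf/agent/jwt_svid` context line of the first hunk does the same with the token. Quoting the expansion passes the document through unchanged: `keys=$(echo "$svid_json" | jq -c '.[1].bundles["spiffe://domain.test"] | @base64d | fromjson')`, which matches how `05-prepare-jwt-authority` already quotes `"$jwt_authorities"`. The same unquoted form appears in the `@@ -37,8` hunk and in the `keys=` line of `11-verify-revoked-jwt-authority`.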
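Review bot: Inside the retry loop, the added `|| fail-now "Failed to re-fetch JWT SVID"` ends the test on the first failed `docker compose exec`, assuming `fail-now` (defined outside this diff) exits, so a transient agent error no longer consumes one of the `max_retries` attempts. If the loop is meant to ride out an agent that is not ready yet, a failed re-fetch should be reported and left to the next iteration, with `fail-now` reserved for the `$success == false` check after the loop. The `keys=` line below it has no check at all, so the commands in this branch are handled inconsistently. The loop starts before the hunk, so where `retry_count` is incremented is not visible here.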
@@ -48,4 +48,3 @@ if [[ $success == false ]]; then
 fi
 echo $keys | jq --arg kid $prepared_authority -e '.keys[] | select(.kid == $kid)' > /dev/null || fail-now "Prepared authority not found in JWT SVID bundle"
-
diff --git a/test/integration/suites/force-rotation-jwt-authority/09-verify-svid-rotation b/test/integration/suites/force-rotation-jwt-authority/09-verify-svid-rotation
index 3399997a1f..4250152bfe 100755
--- a/test/integration/suites/force-rotation-jwt-authority/09-verify-svid-rotation
+++ b/test/integration/suites/force-rotation-jwt-authority/09-verify-svid-rotation
@@ -19,4 +19,3 @@ skid=$(echo "$jwt_svid" | jq -r 'split(".") | .[0] | @base64d | fromjson | .kid'
 if [[ $skid != $active_authority ]]; then
 fail-now "JWT SVID key ID does not match the active authority ID, got $skid, expected $active_authority"
 fi
-
diff --git a/test/integration/suites/force-rotation-jwt-authority/11-verify-revoked-jwt-authority b/test/integration/suites/force-rotation-jwt-authority/11-verify-revoked-jwt-authority
index 24867a5d04..2d7ef4ca35 100755
--- a/test/integration/suites/force-rotation-jwt-authority/11-verify-revoked-jwt-authority
+++ b/test/integration/suites/force-rotation-jwt-authority/11-verify-revoked-jwt-authority
@@ -10,7 +10,7 @@ for i in {1..20}; do
 svid_json=$(docker compose exec spire-agent ./bin/spire-agent \
 api fetch jwt -audience aud -output json)
- keys=$(echo $svid_json | jq -c '.[1].bundles.["spiffe://domain.test"] | @base64d | fromjson')
+ keys=$(echo $svid_json | jq -c '.[1].bundles["spiffe://domain.test"] | @base64d | fromjson')
 keysLen=$(echo $keys | jq -c '.keys | length')
 if [[ $keysLen -eq 1 ]]; then