Add test for empty federated bundle

sorindumitru · sorindumitru · commit f3ecfcf3882c · 2024-06-16T06:37:52.000+01:00
This causes the workload to be unable to fetch X509-SVIDs, even though its own trust domain still has a valid trust bundle
diff --git a/v2/bundle/x509bundle/bundle_test.go b/v2/bundle/x509bundle/bundle_test.go
@@ -96,20 +96,15 @@ func TestParse(t *testing.T) {
 			expNumAuthorities: 1,
 		},
 		{
-			name:           "Parse empty bytes should fail",
-			path:           "testdata/empty.pem",
-			expErrContains: "x509bundle: cannot parse certificate: no PEM blocks found",
+			name:              "Parse empty bytes should result in empty bundle",
+			path:              "testdata/empty.pem",
+			expNumAuthorities: 0,
 		},
 		{
 			name:           "Parse non-PEM bytes should fail",
 			path:           "testdata/not-pem.pem",
 			expErrContains: "x509bundle: cannot parse certificate: no PEM blocks found",
 		},
-		{
-			name:           "Parse should fail if no certificate block is is found",
-			path:           "testdata/key.pem",
-			expErrContains: "x509bundle: no certificates found",
-		},
 		{
 			name:           "Parse a corrupted certificate should fail",
 			path:           "testdata/corrupted.pem",
@@ -155,9 +150,9 @@ func TestParseRaw(t *testing.T) {
 			expNumAuthorities: 1,
 		},
 		{
-			name:           "Parse should fail if no certificate block is is found",
-			path:           "testdata/key.pem",
-			expErrContains: "x509bundle: no certificates found",
+			name:              "Parse should not fail if no certificate block is is found",
+			path:              "testdata/empty.pem",
+			expNumAuthorities: 0,
 		},
 	}
 
@@ -322,6 +317,10 @@ func loadRawCertificates(t *testing.T, path string) []byte {
 	certsBytes, err := os.ReadFile(path)
 	require.NoError(t, err)
 
+	if len(certsBytes) == 0 {
+		return []byte{}
+	}
+
 	certs, err := pemutil.ParseCertificates(certsBytes)
 	require.NoError(t, err)
 
diff --git a/v2/workloadapi/client_test.go b/v2/workloadapi/client_test.go
@@ -190,16 +190,22 @@ func TestFetchX509Context(t *testing.T) {
 	assertX509Bundle(t, x509Ctx.Bundles, td, ca.X509Bundle())
 	assertX509Bundle(t, x509Ctx.Bundles, federatedTD, federatedCA.X509Bundle())
 
-	// Now set the next response without any bundles and assert that the call
-	// fails since the bundle cannot be empty.
+	// Now set the next response with an empty federated bundles and assert that the call
+	// still succeeds.
 	wl.SetX509SVIDResponse(&fakeworkloadapi.X509SVIDResponse{
-		SVIDs: svids,
+		Bundle:           ca.X509Bundle(),
+		SVIDs:            svids,
+		FederatedBundles: []*x509bundle.Bundle{x509bundle.FromX509Authorities(federatedCA.Bundle().TrustDomain(), nil)},
 	})
 
 	x509Ctx, err = c.FetchX509Context(context.Background())
-
-	require.EqualError(t, err, `empty X.509 bundle for trust domain "example.org"`)
-	require.Nil(t, x509Ctx)
+	require.NoError(t, err)
+	// inspect svids
+	require.Len(t, x509Ctx.SVIDs, 4)
+	assertX509SVID(t, x509Ctx.SVIDs[0], fooID, resp.SVIDs[0].Certificates, hintInternal)
+	assertX509SVID(t, x509Ctx.SVIDs[1], barID, resp.SVIDs[1].Certificates, hintExternal)
+	assertX509SVID(t, x509Ctx.SVIDs[2], emptyHintSVID1.ID, resp.SVIDs[3].Certificates, "")
+	assertX509SVID(t, x509Ctx.SVIDs[3], emptyHintSVID2.ID, resp.SVIDs[4].Certificates, "")
 }
 
 func TestWatchX509Context(t *testing.T) {
