More config exception testing.

Signed-off-by: Brian Sonnenberg <[email protected]>
envoyproxy · Dec 11, 2024 · ed26529 · ed26529
1 parent cb2c9d5
commit ed26529
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 1 deletion.
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -63,7 +63,8 @@ SPIFFEValidator::parseTrustBundles(const std::string& trust_bundle_mapping_str)
           ->iterate([&spiffe_data, &success](const std::string& domain_name,
                                              const Envoy::Json::Object& domain_object) -> bool {
             if (spiffe_data->trust_bundle_stores.contains(domain_name)) {
-              ENVOY_LOG(warn, "Duplicate domain '{}' in SPIFFE bundle map", domain_name);
+              ENVOY_LOG(error, "Duplicate domain '{}' in SPIFFE bundle map", domain_name);
+              return (success = false);
             } else {
               spiffe_data->trust_bundle_stores[domain_name] = X509StorePtr(X509_STORE_new());
             }

diff --git a/test/common/tls/test_data/trust_bundles_dupe_domains.json b/test/common/tls/test_data/trust_bundles_dupe_domains.json
@@ -0,0 +1,32 @@
+{
+  "trust_domains": {
+    "example.com": {
+      "sequence_number": 12035488,
+      "keys": [
+            {
+              "kty": "RSA",
+              "use": "x509-svid",
+              "x5c": [
+                "MIID3TCCAsWgAwIBAgIUNKrDZYyTSTWgLuOgEc3KS3ygqDkwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwODIxMTkxNDAyWhcNMjYwODIxMTkxNDAyWjB2MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI93/9Eb8ZunwMRAsFRS+NZr/yDdkRx20rtJaYqDUGEQ/YqWyqP8SjvVKzIscuh+c8ZtpTg6rq+gevxYttlZONCBNnibSXRizLVUFWDQhRmjhv3VknCGPvxN1pqurV28xqKtyRnHovRY2nt8vZOjxiQOwJNxzFWYQ5aEAYnwvMbTQwf3rmnvZIiFZ3OX/pGyHt3S+vHneZTZXinNiq7YaP46chyhINsfLTDPJLNvfAyHC5T1D6aSADl/mQykluV/fB60jvu3vcAwoSrsSFFXgqfwkqpdFF/73+Qrh5QTTiFHBmdSS+t4kFw4hHU9Gmky9M/R1YO/Wc1KkwgxwjhiDbUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA+gzyW9WBd+CB52mGXJQ68fT4VWMB8GA1UdIwQYMBaAFA+gzyW9WBd+CB52mGXJQ68fT4VWMA0GCSqGSIb3DQEBCwUAA4IBAQBt4YqiHnUgcuF23ZV8tmtPZKSUWwJSpiQU31UICCveVau9Ib7JyL4DpLboGnEluQPGiRdctKTBTC+vTNfA93/TzRSKfvK6jPQML2njc5yT3hFr8sYkyGsz2olwaizItGbUpl1PPUuZ46owSO9mSV5kgN7+oHvG2yxFbpsBxZsIAWxkBL9/+9P9pneAI1guWjclh/GANXm8p6aRBtXuskKb78xHQLSrv5lDIg3RGwzR0FpigcT9u5I3JRRcgUrP1TT2cC5w47UxoHr+xfL2eDEJ4/Ws3sdstn0rvciVNZ3VLroqaYTk2HjHno+Xw7KnGFOnlx0lK1pfYg7RCAUGQqdv"
+              ],
+              "n": "j3f_0Rvxm6fAxECwVFL41mv_IN2RHHbSu0lpioNQYRD9ipbKo_xKO9UrMixy6H5zxm2lODqur6B6_Fi22Vk40IE2eJtJdGLMtVQVYNCFGaOG_dWScIY-_E3Wmq6tXbzGoq3JGcei9Fjae3y9k6PGJA7Ak3HMVZhDloQBifC8xtNDB_euae9kiIVnc5f-kbIe3dL68ed5lNleKc2Krtho_jpyHKEg2x8tMM8ks298DIcLlPUPppIAOX-ZDKSW5X98HrSO-7e9wDChKuxIUVeCp_CSql0UX_vf5CuHlBNOIUcGZ1JL63iQXDiEdT0aaTL0z9HVg79ZzUqTCDHCOGINtQ",
+              "e": "AQAB"
+            }
+      ]
+    },
+    "example.com": {
+      "sequence_number": 12035489,
+      "keys": [
+            {
+              "kty": "RSA",
+              "use": "x509-svid",
+              "x5c": [
+                "MIID3TCCAsWgAwIBAgIUNKrDZYyTSTWgLuOgEc3KS3ygqDkwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQwODIxMTkxNDAyWhcNMjYwODIxMTkxNDAyWjB2MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI93/9Eb8ZunwMRAsFRS+NZr/yDdkRx20rtJaYqDUGEQ/YqWyqP8SjvVKzIscuh+c8ZtpTg6rq+gevxYttlZONCBNnibSXRizLVUFWDQhRmjhv3VknCGPvxN1pqurV28xqKtyRnHovRY2nt8vZOjxiQOwJNxzFWYQ5aEAYnwvMbTQwf3rmnvZIiFZ3OX/pGyHt3S+vHneZTZXinNiq7YaP46chyhINsfLTDPJLNvfAyHC5T1D6aSADl/mQykluV/fB60jvu3vcAwoSrsSFFXgqfwkqpdFF/73+Qrh5QTTiFHBmdSS+t4kFw4hHU9Gmky9M/R1YO/Wc1KkwgxwjhiDbUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA+gzyW9WBd+CB52mGXJQ68fT4VWMB8GA1UdIwQYMBaAFA+gzyW9WBd+CB52mGXJQ68fT4VWMA0GCSqGSIb3DQEBCwUAA4IBAQBt4YqiHnUgcuF23ZV8tmtPZKSUWwJSpiQU31UICCveVau9Ib7JyL4DpLboGnEluQPGiRdctKTBTC+vTNfA93/TzRSKfvK6jPQML2njc5yT3hFr8sYkyGsz2olwaizItGbUpl1PPUuZ46owSO9mSV5kgN7+oHvG2yxFbpsBxZsIAWxkBL9/+9P9pneAI1guWjclh/GANXm8p6aRBtXuskKb78xHQLSrv5lDIg3RGwzR0FpigcT9u5I3JRRcgUrP1TT2cC5w47UxoHr+xfL2eDEJ4/Ws3sdstn0rvciVNZ3VLroqaYTk2HjHno+Xw7KnGFOnlx0lK1pfYg7RCAUGQqdv"
+              ],
+              "n": "j3f_0Rvxm6fAxECwVFL41mv_IN2RHHbSu0lpioNQYRD9ipbKo_xKO9UrMixy6H5zxm2lODqur6B6_Fi22Vk40IE2eJtJdGLMtVQVYNCFGaOG_dWScIY-_E3Wmq6tXbzGoq3JGcei9Fjae3y9k6PGJA7Ak3HMVZhDloQBifC8xtNDB_euae9kiIVnc5f-kbIe3dL68ed5lNleKc2Krtho_jpyHKEg2x8tMM8ks298DIcLlPUPppIAOX-ZDKSW5X98HrSO-7e9wDChKuxIUVeCp_CSql0UX_vf5CuHlBNOIUcGZ1JL63iQXDiEdT0aaTL0z9HVg79ZzUqTCDHCOGINtQ",
+              "e": "AQAB"
+            }
+      ]
+    }
+  }
+}
diff --git a/test/common/tls/test_data/trust_bundles_invalid_json.json b/test/common/tls/test_data/trust_bundles_invalid_json.json
@@ -0,0 +1,6 @@
+  "trust_domains": {
+    "example.com": {
+      "sequence_number": 12035488,
+      "keys": []
+  }
+}
diff --git a/test/common/tls/test_data/trust_bundles_zero_domains.json b/test/common/tls/test_data/trust_bundles_zero_domains.json
@@ -0,0 +1,3 @@
+{
+  "trust_domains": {}
+}
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
@@ -807,6 +807,36 @@ name: envoy.tls.cert_validator.spiffe
   )EOF")),
                               EnvoyException, "Failed to load SPIFFE Bundle map");
   }
+  {
+    EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF(
+name: envoy.tls.cert_validator.spiffe
+typed_config:
+  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+  trust_bundles:
+    filename: "{{ test_rundir }}/test/common/tls/test_data/trust_bundles_invalid_json.json"
+  )EOF")),
+                              EnvoyException, "Failed to load SPIFFE Bundle map");
+  }
+  {
+    EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF(
+name: envoy.tls.cert_validator.spiffe
+typed_config:
+  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+  trust_bundles:
+    filename: "{{ test_rundir }}/test/common/tls/test_data/trust_bundles_zero_domains.json"
+  )EOF")),
+                              EnvoyException, "Failed to load SPIFFE Bundle map");
+  }
+  {
+    EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF(
+name: envoy.tls.cert_validator.spiffe
+typed_config:
+  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+  trust_bundles:
+    filename: "{{ test_rundir }}/test/common/tls/test_data/trust_bundles_dupe_domains.json"
+  )EOF")),
+                              EnvoyException, "Failed to load SPIFFE Bundle map");
+  }
 }
 
 TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomainBundleMappingInline) {