start adding sandbox test for registry authorize

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>
networkservicemesh · Oct 12, 2022 · 654a02d · 654a02d
1 parent 81c4faf
commit 654a02d
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/pkg/networkservice/chains/nsmgr/single_test.go b/pkg/networkservice/chains/nsmgr/single_test.go
@@ -468,3 +468,26 @@ func Test_RemoteUsecase_Point2MultiPoint(t *testing.T) {
 	require.Equal(t, "p2p forwarder-0", conn.GetPath().GetPathSegments()[2].Name)
 	require.Equal(t, "p2p forwarder-1", conn.GetPath().GetPathSegments()[4].Name)
 }
+
+func Test_FailedRegistryAuthorization(t *testing.T) {
+	t.Cleanup(func() { goleak.VerifyNone(t) })
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+
+	domain := sandbox.NewBuilder(ctx, t).
+		SetNodesCount(1).
+		SetNSMgrProxySupplier(nil).
+		SetRegistryProxySupplier(nil).
+		Build()
+
+	nsRegistryClient1 := domain.NewNSRegistryClient(ctx, sandbox.GenerateTestToken)
+	ns1 := defaultRegistryService("ns-1")
+	_, err := nsRegistryClient1.Register(ctx, ns1)
+	require.NoError(t, err)
+
+	nsRegistryClient2 := domain.NewNSRegistryClient(ctx, sandbox.GenerateTestToken)
+	ns2 := defaultRegistryService("ns-1")
+	_, err = nsRegistryClient2.Register(ctx, ns2)
+	require.Error(t, err)
+}
diff --git a/pkg/registry/common/authorize/common.go b/pkg/registry/common/authorize/common.go
@@ -85,7 +85,11 @@ func getRawMap(m *spiffeIDResourcesMap) map[string][]string {
 func getSpiffeIDFromPath(path *registry.Path) (spiffeid.ID, error) {
 	tokenString := path.PathSegments[0].Token
 
-	b, err := jwt.DecodeSegment(strings.Split(tokenString, ".")[1])
+	tokenSegments := strings.Split(tokenString, ".")
+	if len(tokenSegments) < 3 {
+		return spiffeid.ID{}, errors.New("token is invalid. Should have 3 segments separated by dot")
+	}
+	b, err := jwt.DecodeSegment(tokenSegments[1])
 	if err != nil {
 		return spiffeid.ID{}, errors.Errorf("failed to decode payload from jwt token: %s", err.Error())
 	}

diff --git a/pkg/registry/common/authorize/ns_server.go b/pkg/registry/common/authorize/ns_server.go
@@ -60,8 +60,7 @@ func NewNetworkServiceRegistryServer(opts ...Option) registry.NetworkServiceRegi
 
 func (s *authorizeNSServer) Register(ctx context.Context, ns *registry.NetworkService) (*registry.NetworkService, error) {
 	if len(s.policies) == 0 {
-		resp, err := next.NetworkServiceRegistryServer(ctx).Register(ctx, ns)
-		return resp, err
+		return next.NetworkServiceRegistryServer(ctx).Register(ctx, ns)
 	}
 
 	spiffeID, err := getSpiffeIDFromPath(ns.Path)