initserver: add client verification

2025-08-10 16:00:19 -04:00 · 2022-11-26 19:44:34 +01:00 · 2022-11-26 19:44:34 +01:00 · 3b6bc3b28f
commit 3b6bc3b28f
parent bffa5c580c
39 changed files with 704 additions and 175 deletions
--- a/internal/cloud/gcp/cloud_test.go
+++ b/internal/cloud/gcp/cloud_test.go
@ -36,8 +36,17 @@ func TestGetInstance(t *testing.T) {
 		Name: proto.String("someInstance"),
 		Zone: proto.String("someZone-west3-b"),
 		Labels: map[string]string{
-			cloud.TagUID:  "1234",
-			cloud.TagRole: role.ControlPlane.String(),
+			cloud.TagUID:            "1234",
+			cloud.TagRole:           role.ControlPlane.String(),
+			cloud.TagInitSecretHash: "initSecretHash",
+		},
+		Metadata: &computepb.Metadata{
+			Items: []*computepb.Items{
+				{
+					Key:   proto.String(cloud.TagInitSecretHash),
+					Value: proto.String("initSecretHash"),
+				},
+			},
 		},
 		NetworkInterfaces: []*computepb.NetworkInterface{
 			{
@ -748,6 +757,110 @@ func TestUID(t *testing.T) {
 	}
 }

+func TestInitSecretHash(t *testing.T) {
+	someErr := errors.New("failed")
+
+	testCases := map[string]struct {
+		imds               stubIMDS
+		instanceAPI        stubInstanceAPI
+		wantInitSecretHash string
+		wantErr            bool
+	}{
+		"success": {
+			imds: stubIMDS{
+				projectID:    "someProject",
+				zone:         "someZone-west3-b",
+				instanceName: "someInstance",
+			},
+			instanceAPI: stubInstanceAPI{
+				instance: &computepb.Instance{
+					Name: proto.String("someInstance"),
+					Zone: proto.String("someZone-west3-b"),
+					Labels: map[string]string{
+						cloud.TagRole: role.ControlPlane.String(),
+					},
+					Metadata: &computepb.Metadata{
+						Items: []*computepb.Items{
+							{
+								Key:   proto.String(cloud.TagInitSecretHash),
+								Value: proto.String("initSecretHash"),
+							},
+						},
+					},
+				},
+			},
+			wantInitSecretHash: "initSecretHash",
+		},
+		"imds error": {
+			imds: stubIMDS{
+				projectIDErr: someErr,
+				zone:         "someZone-west3-b",
+				instanceName: "someInstance",
+			},
+			instanceAPI: stubInstanceAPI{
+				instance: &computepb.Instance{
+					Name: proto.String("someInstance"),
+					Zone: proto.String("someZone-west3-b"),
+					Labels: map[string]string{
+						cloud.TagInitSecretHash: "initSecretHash",
+						cloud.TagRole:           role.ControlPlane.String(),
+					},
+					Metadata: &computepb.Metadata{
+						Items: []*computepb.Items{
+							{
+								Key:   proto.String(cloud.TagInitSecretHash),
+								Value: proto.String("initSecretHash"),
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		"instance error": {
+			imds: stubIMDS{
+				projectID:    "someProject",
+				zone:         "someZone-west3-b",
+				instanceName: "someInstance",
+			},
+			instanceAPI: stubInstanceAPI{
+				instanceErr: someErr,
+			},
+			wantErr: true,
+		},
+		"invalid instance": {
+			imds: stubIMDS{
+				projectID:    "someProject",
+				zone:         "someZone-west3-b",
+				instanceName: "someInstance",
+			},
+			instanceAPI: stubInstanceAPI{
+				instance: nil,
+			},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			cloud := &Cloud{
+				imds:        &tc.imds,
+				instanceAPI: &tc.instanceAPI,
+			}
+
+			initSecretHash, err := cloud.InitSecretHash(context.Background())
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			assert.NoError(err)
+			assert.Equal([]byte(tc.wantInitSecretHash), initSecretHash)
+		})
+	}
+}
+
 type stubForwardingRulesAPI struct {
 	iterator forwardingRuleIterator
 }