Test get key entry function (spiffe#5058)

Signed-off-by: Matteo Kamm <[email protected]>

Author: InverseIntegral

pkg/server/plugin/keymanager/hashicorpvault/vault_client.go

@@ -465,7 +465,6 @@ func (c *Client) GetKeys(ctx context.Context) ([]*keyEntry, error) {
 	return keyEntries, nil
 }
 
-// TODO: Test this function
 // getKeyEntry gets the transit engine key with the specified spire key id and converts it into a key entry.
 func (c *Client) getKeyEntry(ctx context.Context, spireKeyID string) (*keyEntry, error) {
 	keyData, err := c.getKey(ctx, spireKeyID)

pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go

@@ -5,8 +5,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	vapi "github.com/hashicorp/vault/api"
+	keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/keymanager/v1"
 	"net/http"
 	"os"
 	"testing"
@@ -743,6 +745,76 @@ func TestGetKeyErrorFromEndpoint(t *testing.T) {
 	require.Empty(t, resp)
 }
 
+func TestGetKeyEntry(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.GetKeyResponseCode = 200
+	fakeVaultServer.GetKeyResponse = []byte(testGetKeyResponseP256)
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	cp := &ClientParams{
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	resp, err := client.getKeyEntry(context.Background(), "x509-CA-A")
+	require.NoError(t, err)
+
+	block, _ := pem.Decode([]byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV57LFbIQZzyZ2YcKZfB9mGWkUhJv\niRzIZOqV4wRHoUOZjMuhBMR2WviEsy65TYpcBjreAc6pbneiyhlTwPvgmw==\n-----END PUBLIC KEY-----\n"))
+
+	require.Equal(t, "x509-CA-A", resp.PublicKey.Id)
+	require.Equal(t, keymanagerv1.KeyType_EC_P256, resp.PublicKey.Type)
+	require.Equal(t, block.Bytes, resp.PublicKey.PkixData)
+	require.Equal(t, "afd4e26c151ce5c1069414bdb08fe5f7a7fdb271d40d077aa1f77a82e8ac5870", resp.PublicKey.Fingerprint)
+}
+
+func TestGetKeyEntryErrorFromEndpoint(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.GetKeyResponseCode = 500
+	fakeVaultServer.GetKeyResponse = []byte("some error")
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	cp := &ClientParams{
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	resp, err := client.getKeyEntry(context.Background(), "x509-CA-A")
+	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Internal, "failed to get transit engine key: Error making API request.")
+	require.Empty(t, resp)
+}
+
 func TestSignData(t *testing.T) {
 	fakeVaultServer := newFakeVaultServer()
 	fakeVaultServer.CertAuthResponseCode = 200