kds-cache/test: branch coverage testing of CRL and VCEK caches

edgelesssys · Dec 3, 2024 · bfc6d2c · bfc6d2c
1 parent 65bae63
commit bfc6d2c
Showing 1 changed file with 62 additions and 48 deletions.
diff --git a/internal/attestation/certcache/cached_client_test.go b/internal/attestation/certcache/cached_client_test.go
@@ -20,25 +20,25 @@ func TestMain(m *testing.M) {
 }
 
 func TestMemcachedHTTPSGetter(t *testing.T) {
-	t.Run("Get", func(t *testing.T) {
+	fakeGetter := &fakeHTTPSGetter{
+		content: map[string][]byte{
+			"foo": []byte("bar"),
+			"https://kdsintf.amd.com/vcek/v1/test/crl": []byte("bar"),
+		},
+		hits: map[string]int{},
+	}
+	stepTime := 5 * time.Minute
+	testClock := testingclock.NewFakeClock(time.Now())
+	ticker := testClock.NewTicker(stepTime)
+	client := &CachedHTTPSGetter{
+		HTTPSGetter: fakeGetter,
+		gcTicker:    ticker,
+		cache:       memstore.New[string, []byte](),
+		logger:      slog.Default(),
+	}
+	t.Run("Get VCEK by request and from cache", func(t *testing.T) {
 		assert := assert.New(t)
 
-		fakeGetter := &fakeHTTPSGetter{
-			content: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			hits: map[string]int{},
-		}
-		stepTime := 5 * time.Minute
-		testClock := testingclock.NewFakeClock(time.Now())
-		ticker := testClock.NewTicker(stepTime)
-		client := &CachedHTTPSGetter{
-			HTTPSGetter: fakeGetter,
-			gcTicker:    ticker,
-			cache:       memstore.New[string, []byte](),
-			logger:      slog.Default(),
-		}
-
 		res, err := client.Get("foo")
 		assert.NoError(err)
 		assert.Equal([]byte("bar"), res)
@@ -57,46 +57,60 @@ func TestMemcachedHTTPSGetter(t *testing.T) {
 		assert.Equal([]byte("bar"), res)
 		assert.Equal(2, fakeGetter.hits["foo"])
 	})
-	t.Run("Get error", func(t *testing.T) {
-		fakeGetter := &fakeHTTPSGetter{
-			getErr:  assert.AnError,
-			content: map[string][]byte{},
-			hits:    map[string]int{},
-		}
-		testClock := testingclock.NewFakeClock(time.Now())
-		ticker := testClock.NewTicker(5 * time.Minute)
-		client := &CachedHTTPSGetter{
-			HTTPSGetter: fakeGetter,
-			gcTicker:    ticker,
-			cache:       memstore.New[string, []byte](),
-			logger:      slog.Default(),
-		}
 
+	t.Run("VCEK request fails and VCEK not in cache", func(t *testing.T) {
+		testClock.Step(stepTime)
+		fakeGetter.getErr = assert.AnError
 		assert := assert.New(t)
 
 		_, err := client.Get("foo")
 		assert.Error(err)
-		assert.Equal(1, fakeGetter.hits["foo"])
+		assert.Equal(3, fakeGetter.hits["foo"])
 	})
-	t.Run("Concurrent access", func(t *testing.T) {
+
+	t.Run("Check CRLs are still requested after caching", func(t *testing.T) {
+		fakeGetter.getErr = nil
 		assert := assert.New(t)
 
-		fakeGetter := &fakeHTTPSGetter{
-			content: map[string][]byte{
-				"foo": []byte("bar"),
-			},
-			hits: map[string]int{},
-		}
+		res, err := client.Get("https://kdsintf.amd.com/vcek/v1/test/crl")
+		assert.NoError(err)
+		assert.Equal([]byte("bar"), res)
+		assert.Equal(1, fakeGetter.hits["https://kdsintf.amd.com/vcek/v1/test/crl"])
+
+		// Even after the CRL is cached, the CRL should be requested(hit counter increase).
+		res, err = client.Get("https://kdsintf.amd.com/vcek/v1/test/crl")
+		assert.NoError(err)
+		assert.Equal([]byte("bar"), res)
+		assert.Equal(2, fakeGetter.hits["https://kdsintf.amd.com/vcek/v1/test/crl"])
+	})
+
+	t.Run("Check CRLs can be loaded by cache when request fails", func(t *testing.T) {
+		// Simulate a request failure by returning an error
+		fakeGetter.getErr = assert.AnError
+		assert := assert.New(t)
+
+		// The CRL should be loaded from the cache and client.Get() won't result in an error
+		res, err := client.Get("https://kdsintf.amd.com/vcek/v1/test/crl")
+		assert.NoError(err)
+		assert.Equal([]byte("bar"), res)
+		assert.Equal(3, fakeGetter.hits["https://kdsintf.amd.com/vcek/v1/test/crl"])
+		testClock.Step(stepTime)
+	})
+
+	t.Run("CRL request fails and CRL not in cache", func(t *testing.T) {
+		assert := assert.New(t)
+		testClock.Step(stepTime)
+		// No CRL cache and request failure results in error
+		_, err := client.Get("https://kdsintf.amd.com/vcek/v1/test/crl")
+		assert.Error(err)
+		assert.Equal(4, fakeGetter.hits["https://kdsintf.amd.com/vcek/v1/test/crl"])
+		testClock.Step(stepTime)
+	})
+
+	t.Run("Concurrent access", func(t *testing.T) {
+		fakeGetter.getErr = nil
+		assert := assert.New(t)
 		numGets := 5
-		stepTime := 5 * time.Minute
-		testClock := testingclock.NewFakeClock(time.Now())
-		ticker := testClock.NewTicker(stepTime)
-		client := &CachedHTTPSGetter{
-			HTTPSGetter: fakeGetter,
-			gcTicker:    ticker,
-			cache:       memstore.New[string, []byte](),
-			logger:      slog.Default(),
-		}
 
 		var wg sync.WaitGroup
 		getFunc := func() {