Ensure Non-Empty JWT Bundles Before Adding to FetchJWTBundles Response (

#5031) * Handle empty JWT bundle in FetchJWTBundles handler Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
spiffe · Apr 16, 2024 · 9ec534a · 9ec534a
1 parent 57f3cac
commit 9ec534a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/pkg/agent/endpoints/workload/handler_test.go b/pkg/agent/endpoints/workload/handler_test.go
@@ -888,6 +888,8 @@ func TestFetchJWTBundles(t *testing.T) {
 	require.NoError(t, err)
 	bundleJWKS = indent(bundleJWKS)
 
+	emptyJWKSBytes := indent([]byte(`{"keys": []}`))
+
 	federatedBundle := testca.New(t, spiffeid.RequireTrustDomainFromString("domain2.test")).Bundle()
 	federatedBundleJWKS, err := federatedBundle.JWTBundle().Marshal()
 	require.NoError(t, err)
@@ -1018,6 +1020,27 @@ func TestFetchJWTBundles(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "federated bundle with JWKS empty keys array",
+			updates: []*cache.WorkloadUpdate{
+				{
+					Identities: []cache.Identity{
+						identityFromX509SVID(x509SVID, "id1"),
+					},
+					Bundle: bundle,
+					FederatedBundles: map[spiffeid.TrustDomain]*spiffebundle.Bundle{
+						federatedBundle.TrustDomain(): spiffebundle.New(federatedBundle.TrustDomain()),
+					},
+				},
+			},
+			expectCode: codes.OK,
+			expectResp: &workloadPB.JWTBundlesResponse{
+				Bundles: map[string][]byte{
+					bundle.TrustDomain().IDString():          bundleJWKS,
+					federatedBundle.TrustDomain().IDString(): emptyJWKSBytes,
+				},
+			},
+		},
 	} {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/common/bundleutil/marshal.go b/pkg/common/bundleutil/marshal.go
@@ -89,6 +89,8 @@ func Marshal(bundle *spiffebundle.Bundle, opts ...MarshalOption) ([]byte, error)
 	}
 
 	var jwks jose.JSONWebKeySet
+	jwks.Keys = make([]jose.JSONWebKey, 0)
+
 	maybeUse := func(use string) string {
 		if !c.standardJWKS {
 			return use

diff --git a/pkg/common/bundleutil/marshal_test.go b/pkg/common/bundleutil/marshal_test.go
@@ -22,23 +22,23 @@ func TestMarshal(t *testing.T) {
 		{
 			name:  "empty bundle",
 			empty: true,
-			out:   `{"keys":null, "spiffe_refresh_hint": 60, "spiffe_sequence": 42}`,
+			out:   `{"keys":[], "spiffe_refresh_hint": 60, "spiffe_sequence": 42}`,
 		},
 		{
 			name:  "with refresh hint override",
 			empty: true,
 			opts: []MarshalOption{
 				OverrideRefreshHint(time.Second * 10),
 			},
-			out: `{"keys":null, "spiffe_refresh_hint": 10, "spiffe_sequence": 42}`,
+			out: `{"keys":[], "spiffe_refresh_hint": 10, "spiffe_sequence": 42}`,
 		},
 		{
 			name:  "with sequence number override",
 			empty: true,
 			opts: []MarshalOption{
 				OverrideSequenceNumber(1),
 			},
-			out: `{"keys":null, "spiffe_refresh_hint": 60, "spiffe_sequence": 1}`,
+			out: `{"keys":[], "spiffe_refresh_hint": 60, "spiffe_sequence": 1}`,
 		},
 		{
 			name: "without X509 SVID keys",