test: set AuthToken in tests to match Client code (#24792)

tl;dr - runtime code is fine but tests should match reality The Nomad Client Agent is the only consumer of the `Node.Derive{SI,Vault}Token` RPCs, therefore tests of the RPCs should match Nomad Client behavior. - DeriveVaultToken code: a9ee66a6ef/client/client.go (L2904-L2917) - DeriveSIToken code: a9ee66a6ef/client/client.go (L2988-L2997) Both of those client code paths include the Node SecretID in both the request's SecretID field as well as the embedded `QueryOptions.AuthToken` field. This patch updates server tests to match that behavior. The tests pass either way.
2026-01-01 16:05:42 +03:00 · 2025-01-07 09:28:05 -08:00
parent 024c504a1e
commit 1610f18500
1 changed files with 24 additions and 14 deletions
--- a/nomad/node_endpoint_test.go
+++ b/nomad/node_endpoint_test.go
@@ -4198,13 +4198,15 @@ func TestClientEndpoint_DeriveVaultToken_Bad(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}

+	badSecret := uuid.Generate()
 	req := &structs.DeriveVaultTokenRequest{
 		NodeID:   node.ID,
-		SecretID: uuid.Generate(),
+		SecretID: badSecret,
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: badSecret,
 		},
 	}

@@ -4311,7 +4313,8 @@ func TestClientEndpoint_DeriveVaultToken(t *testing.T) {
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: node.SecretID,
 		},
 	}

@@ -4395,7 +4398,8 @@ func TestClientEndpoint_DeriveVaultToken_VaultError(t *testing.T) {
 		AllocID:  alloc.ID,
 		Tasks:    tasks,
 		QueryOptions: structs.QueryOptions{
-			Region: "global",
+			Region:    "global",
+			AuthToken: node.SecretID,
 		},
 	}

@@ -4518,11 +4522,14 @@ func TestClientEndpoint_DeriveSIToken(t *testing.T) {
 	r.NoError(err)

 	request := &structs.DeriveSITokenRequest{
-		NodeID:       node.ID,
-		SecretID:     node.SecretID,
-		AllocID:      alloc.ID,
-		Tasks:        []string{sidecarTask.Name},
-		QueryOptions: structs.QueryOptions{Region: "global"},
+		NodeID:   node.ID,
+		SecretID: node.SecretID,
+		AllocID:  alloc.ID,
+		Tasks:    []string{sidecarTask.Name},
+		QueryOptions: structs.QueryOptions{
+			Region:    "global",
+			AuthToken: node.SecretID,
+		},
 	}

 	var response structs.DeriveSITokenResponse
@@ -4576,11 +4583,14 @@ func TestClientEndpoint_DeriveSIToken_ConsulError(t *testing.T) {
 	r.NoError(err)

 	request := &structs.DeriveSITokenRequest{
-		NodeID:       node.ID,
-		SecretID:     node.SecretID,
-		AllocID:      alloc.ID,
-		Tasks:        []string{sidecarTask.Name},
-		QueryOptions: structs.QueryOptions{Region: "global"},
+		NodeID:   node.ID,
+		SecretID: node.SecretID,
+		AllocID:  alloc.ID,
+		Tasks:    []string{sidecarTask.Name},
+		QueryOptions: structs.QueryOptions{
+			Region:    "global",
+			AuthToken: node.SecretID,
+		},
 	}

 	var response structs.DeriveSITokenResponse