bloomberg · pawalt · Jan 2, 2020 · Jan 2, 2020 · Jan 3, 2020 · Jan 3, 2020
diff --git a/internal/common/spiretrustsource.go b/internal/common/spiretrustsource.go
@@ -5,6 +5,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -42,10 +43,7 @@ type SpireTrustSource struct {
 	updateTimeout time.Duration
 
 	domainCertificates map[string][]*x509.Certificate
-}
-
-type certMap struct {
-	Certs map[string][]string `json:"certs"`
+	testing            bool
 }
 
 type workloadWatcher struct {
@@ -81,7 +79,7 @@ func NewSpireTrustSource(spireEndpointURLs map[string]string, localBackupDir str
 			if strings.Contains(domain, "/") {
 				return nil, fmt.Errorf("expected domain without slash but got %s", domain)
 			}
-			localStoragePath = localBackupDir + "/" + domain + ".pem"
+			localStoragePath = filepath.Join(localBackupDir, domain+".pem")
 		}
 
 		client, err := workload.NewX509SVIDClient(
@@ -113,6 +111,16 @@ func NewSpireTrustSource(spireEndpointURLs map[string]string, localBackupDir str
 	return source, nil
 }
 
+// NewSpireTestSource creates a new spire trust source with the test flag on.
+func NewSpireTestSource(spireEndpointURLs map[string]string, localBackupDir string) (*SpireTrustSource, error) {
+	ts, err := NewSpireTrustSource(spireEndpointURLs, localBackupDir)
+	if err != nil {
+		return nil, err
+	}
+	ts.testing = true
+	return ts, nil
+}
+
 // Stop stops all spire clients
 func (s *SpireTrustSource) Stop() error {
 	errs := make([]string, 0)
@@ -155,9 +163,11 @@ func (w *workloadWatcher) UpdateX509SVIDs(svids *workload.X509SVIDs) {
 		}
 	}
 
-	select {
-	case w.source.updateChan <- struct{}{}:
-	case <-time.After(w.source.updateTimeout):
+	if w.source.testing {
+		select {
+		case w.source.updateChan <- struct{}{}:
+		case <-time.After(w.source.updateTimeout):
+		}
 	}
 }
 
@@ -182,11 +192,12 @@ func (w *workloadWatcher) OnError(err error) {
 		}
 	} else {
 		// if the state was already Loaded, LoadedFromBackup, or Failed then don't do anything
-		w.source.spireEndpoints[w.domain].loadState = Failed
 	}
 
-	select {
-	case w.source.updateChan <- struct{}{}:
-	case <-time.After(w.source.updateTimeout):
+	if w.source.testing {
+		select {
+		case w.source.updateChan <- struct{}{}:
+		case <-time.After(w.source.updateTimeout):
+		}
 	}
 }
diff --git a/internal/common/spiretrustsource_test.go b/internal/common/spiretrustsource_test.go
@@ -30,15 +30,15 @@ func setX509SVIDResponse(api *spiffetest.WorkloadAPI, ca *spiffetest.CA, svid []
 	api.SetX509SVIDResponse(response)
 }
 
-func TestInitalLoad(t *testing.T) {
+func TestInitialLoad(t *testing.T) {
 	appFS = afero.NewMemMapFs()
 
 	afero.WriteFile(appFS, "certs/example.org.pem", []byte(leafCert), 600)
 
 	workloadAPI := spiffetest.NewWorkloadAPI(t, nil)
 	defer workloadAPI.Stop()
 
-	source, err := NewSpireTrustSource(map[string]string{
+	source, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org": workloadAPI.Addr(),
 	}, "certs/")
 	require.NoError(t, err)
@@ -54,14 +54,14 @@ func TestInitalLoad(t *testing.T) {
 }
 
 func TestInvalidURI(t *testing.T) {
-	_, err := NewSpireTrustSource(map[string]string{
+	_, err := NewSpireTestSource(map[string]string{
 		"spirffe://example.org": "",
 	}, "certs/")
 	require.Error(t, err)
 }
 
 func TestInvalidDomain(t *testing.T) {
-	_, err := NewSpireTrustSource(map[string]string{
+	_, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org/test": "",
 	}, "certs/")
 	require.Error(t, err)
@@ -78,7 +78,7 @@ func TestWriteCerts(t *testing.T) {
 
 	setX509SVIDResponse(workloadAPI, ca, svidFoo, keyFoo)
 
-	source, err := NewSpireTrustSource(map[string]string{
+	source, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org": workloadAPI.Addr(),
 	}, "certs/")
 	require.NoError(t, err)
@@ -89,7 +89,7 @@ func TestWriteCerts(t *testing.T) {
 	dummyWorkloadAPI := spiffetest.NewWorkloadAPI(t, nil)
 	defer dummyWorkloadAPI.Stop()
 
-	newSource, err := NewSpireTrustSource(map[string]string{
+	newSource, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org": dummyWorkloadAPI.Addr(),
 	}, "certs/")
 	newSource.waitForUpdate(t)
@@ -109,7 +109,7 @@ func TestSpireOverwrite(t *testing.T) {
 
 	setX509SVIDResponse(workloadAPI, ca, svidFoo, keyFoo)
 
-	source, err := NewSpireTrustSource(map[string]string{
+	source, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org": workloadAPI.Addr(),
 	}, "certs/")
 	require.NoError(t, err)
@@ -119,7 +119,7 @@ func TestSpireOverwrite(t *testing.T) {
 	assert.Equal(t, ca.Roots(), source.TrustedCertificates()["spiffe://example.org"])
 }
 
-func TestSpireReload(t *testing.T) {
+func TestSpireRotation(t *testing.T) {
 	appFS = afero.NewMemMapFs()
 
 	workloadAPI := spiffetest.NewWorkloadAPI(t, nil)
@@ -129,7 +129,7 @@ func TestSpireReload(t *testing.T) {
 	svidFoo, keyFoo := ca.CreateX509SVID("spiffe://example.org/foo")
 	setX509SVIDResponse(workloadAPI, ca, svidFoo, keyFoo)
 
-	source, err := NewSpireTrustSource(map[string]string{
+	source, err := NewSpireTestSource(map[string]string{
 		"spiffe://example.org": workloadAPI.Addr(),
 	}, "")
 	require.NoError(t, err)