fix(target): Skip fetching proxy server cert (#6055)

AprilMay0 · web-flow · commit 3dd238a6cfde · 2025-09-17T14:48:14.000-07:00
diff --git a/internal/target/repository.go b/internal/target/repository.go
@@ -24,6 +24,7 @@ import (
 	"github.com/hashicorp/boundary/internal/types/scope"
 	"github.com/hashicorp/boundary/internal/util"
 	"github.com/hashicorp/go-dbw"
+	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 )
 
 // RepositoryFactory enables `target.Repository` object instantiation,
@@ -51,6 +52,12 @@ type Repository struct {
 	permissions []perms.Permission
 }
 
+// getTargetProxyServerCertificateFn can be overridden for testing or extension purposes.
+// By default, it returns nil, nil because TCP targets do not currently use a proxy server certificate.
+var getTargetProxyServerCertificateFn = func(ctx context.Context, r *Repository, target targetView, databaseWrapper wrapping.Wrapper, opts options) (*ServerCertificate, error) {
+	return nil, nil
+}
+
 // NewRepository creates a new target Repository.
 // Supports the following options:
 // - WithLimit: sets a limit on the number of results returned by various repo operations.
@@ -140,16 +147,9 @@ func (r *Repository) LookupTargetForSessionAuthorization(ctx context.Context, pu
 				address = targetAddress.GetAddress()
 			}
 
-			if opts.WithAlias != nil {
-				cert, err = fetchTargetAliasProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, opts.WithAlias, databaseWrapper, target.GetSessionMaxSeconds())
-				if err != nil && !errors.IsNotFoundError(err) {
-					return errors.Wrap(ctx, err, op)
-				}
-			} else {
-				cert, err = fetchTargetProxyServerCertificate(ctx, read, w, target.PublicId, target.ProjectId, databaseWrapper, target.GetSessionMaxSeconds())
-				if err != nil && !errors.IsNotFoundError(err) {
-					return errors.Wrap(ctx, err, op)
-				}
+			cert, err = getTargetProxyServerCertificateFn(ctx, r, target, databaseWrapper, opts)
+			if err != nil && !errors.IsNotFoundError(err) {
+				return errors.Wrap(ctx, err, op)
 			}
 			return nil
 		},
diff --git a/internal/target/repository_proxy_server_certificate_test.go b/internal/target/repository_proxy_server_certificate_test.go
@@ -302,7 +302,10 @@ func TestFetchTargetAliasProxyServerCertificate(t *testing.T) {
 	}
 }
 
-func Test_FetchCertsWithinLookupTargetForSessionAuthorization(t *testing.T) {
+// Test_LookupTargetForSessionAuthorization tests looking up a target for session both with and without an alias.
+// The target used in this test does not have a proxy server certificate because TCP targets do not currently support proxy server certificates.
+// Fetching the proxy server certificate is tested in other enterprise tests.
+func Test_LookupTargetForSessionAuthorization(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 	conn, _ := db.TestSetup(t, "postgres")
@@ -312,74 +315,50 @@ func Test_FetchCertsWithinLookupTargetForSessionAuthorization(t *testing.T) {
 	_, proj := iam.TestScopes(t, iam.TestRepo(t, conn, wrapper))
 	repo, err := target.NewRepository(context.Background(), rw, rw, testKms)
 	require.NoError(t, err)
-	databaseWrapper, err := testKms.GetWrapper(ctx, proj.PublicId, kms.KeyPurposeDatabase)
-	require.NoError(t, err)
 
 	tar := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target")
-	tar2 := targettest.TestNewTestTarget(ctx, t, conn, proj.PublicId, "test-target2")
 
 	// Create an alias
 	aliasValue := "test-alias"
 	alias := talias.TestAlias(t, rw, aliasValue, talias.WithDestinationId(tar.GetPublicId()))
-	require.NoError(t, err)
 	require.NotNil(t, alias)
 
-	// Create our default localhost target cert
-	cer, err := target.NewTargetProxyCertificate(ctx, target.WithTargetId(tar.GetPublicId()))
-	require.NoError(t, err)
-	require.NotNil(t, cer)
-	id, err := db.NewPublicId(ctx, globals.ProxyServerCertificatePrefix)
-	require.NoError(t, err)
-	cer.PublicId = id
-	err = cer.Encrypt(ctx, databaseWrapper)
-	require.NoError(t, err)
-	err = rw.Create(ctx, cer)
-	require.NoError(t, err)
-
 	tests := []struct {
 		name     string
 		publicId string
 		opt      []target.Option
-		wantCert bool
+		wantErr  bool
 	}{
 		{
-			name:     "success-get-target-with-certificate",
+			name:     "success-get-target-no-cert",
 			publicId: tar.GetPublicId(),
-			wantCert: true,
+			wantErr:  false,
 		},
 		{
-			name:     "success-get-target-with-alias-certificate",
+			name:     "success-get-target-no-cert-with-alias",
 			publicId: tar.GetPublicId(),
 			opt: []target.Option{
 				target.WithAlias(alias),
 			},
-			wantCert: true,
-		},
-		{
-			name:     "success-get-target-no-cert",
-			publicId: tar2.GetPublicId(),
-			wantCert: false,
+			wantErr: false,
 		},
 		{
-			name:     "success-get-target-no-cert-with-alias",
-			publicId: tar2.GetPublicId(),
-			opt: []target.Option{
-				target.WithAlias(alias),
-			},
-			wantCert: false,
+			name:     "fail-missing-target-id",
+			publicId: "",
+			wantErr:  true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert, require := assert.New(t), require.New(t)
 			got, err := repo.LookupTargetForSessionAuthorization(ctx, tt.publicId, proj.PublicId, tt.opt...)
-			require.NoError(err)
-			assert.NotNil(got)
-			if tt.wantCert {
-				assert.NotNil(got.GetProxyServerCertificate())
-			} else {
-				assert.Nil(got.GetProxyServerCertificate())
+			if tt.wantErr {
+				require.Error(err)
+				return
 			}
+			require.NoError(err)
+			require.NotNil(got)
+			assert.Nil(got.GetProxyServerCertificate())
 		})
 	}
 }
