[v13] GenerateToken should call CreateToken not UpsertToken (#2…

…9391) * GenerateToken should call CreateToken not UpsertToken * Add test for issue * Improved test name Co-authored-by: Alan Parra <alan.parra@goteleport.com> --------- Co-authored-by: Alan Parra <alan.parra@goteleport.com>
gravitational · Jul 24, 2023 · ccc1d93 · ccc1d93
1 parent a43beed
commit ccc1d93
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -3393,7 +3393,7 @@ func (a *Server) GenerateToken(ctx context.Context, req *proto.GenerateTokenRequ
 		token.SetMetadata(meta)
 	}
 
-	if err := a.UpsertToken(ctx, token); err != nil {
+	if err := a.CreateToken(ctx, token); err != nil {
 		return "", trace.Wrap(err)
 	}
 

diff --git a/lib/auth/tls_test.go b/lib/auth/tls_test.go
@@ -4234,9 +4234,10 @@ func TestGRPCServer_GenerateToken(t *testing.T) {
 	require.NoError(t, ac.server.Auth().CreateToken(ctx, alreadyExistsToken))
 
 	tests := []struct {
-		name     string
-		identity TestIdentity
-		roles    types.SystemRoles
+		name              string
+		identity          TestIdentity
+		roles             types.SystemRoles
+		overrideTokenName string
 
 		requireTokenCreated bool
 		requireError        require.ErrorAssertionFunc
@@ -4292,6 +4293,15 @@ func TestGRPCServer_GenerateToken(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:              "can't override existing token",
+			identity:          TestUser(privilegedUser.GetName()),
+			overrideTokenName: alreadyExistsToken.GetName(),
+			roles:             types.SystemRoles{types.RoleTrustedCluster},
+			requireError: func(t require.TestingT, err error, i ...interface{}) {
+				require.Equal(t, codes.AlreadyExists, status.Code(err))
+			},
+		},
 		{
 			name:     "access denied",
 			identity: TestNop(),
@@ -4312,7 +4322,11 @@ func TestGRPCServer_GenerateToken(t *testing.T) {
 			rawAuthSvcClient := proto.NewAuthServiceClient(client.APIClient.GetConnection())
 
 			mockEmitter.Reset()
-			tokenResp, err := rawAuthSvcClient.GenerateToken(ctx, &proto.GenerateTokenRequest{Roles: tt.roles})
+			req := &proto.GenerateTokenRequest{Roles: tt.roles}
+			if tt.overrideTokenName != "" {
+				req.Token = tt.overrideTokenName
+			}
+			tokenResp, err := rawAuthSvcClient.GenerateToken(ctx, req)
 			tt.requireError(t, err)
 
 			require.Empty(t, cmp.Diff(