@@ -1258,18 +1258,15 @@ async fn provider_refresh_configure_reads_secret_material_from_env_off_argv() {
12581258 . await
12591259 . expect ( "provider create" ) ;
12601260
1261- // The env value overrides the `--material` duplicate and is auto-marked secret.
1261+ // The env value reaches the request and is auto-marked secret.
12621262 let guard = EnvVarGuard :: set ( & [ ( "OPENSHELL_ITEST_SME_PRIVATE_KEY" , "pem-from-env" ) ] ) ;
12631263 run:: provider_refresh_config (
12641264 & ts. endpoint ,
12651265 run:: ProviderRefreshConfigInput {
12661266 name : "gc-bridge" ,
12671267 credential_key : "GOOGLE_CHAT_ACCESS_TOKEN" ,
12681268 strategy : "google_service_account_jwt" ,
1269- material : & [
1270- "client_email=bot@p.iam.gserviceaccount.com" . to_string ( ) ,
1271- "private_key=argv-value-must-be-overridden" . to_string ( ) ,
1272- ] ,
1269+ material : & [ "client_email=bot@p.iam.gserviceaccount.com" . to_string ( ) ] ,
12731270 secret_material_env : & [ "private_key=OPENSHELL_ITEST_SME_PRIVATE_KEY" . to_string ( ) ] ,
12741271 secret_material_keys : & [ ] ,
12751272 credential_expires_at_ms : None ,
@@ -1299,6 +1296,36 @@ async fn provider_refresh_configure_reads_secret_material_from_env_off_argv() {
12991296 ) ;
13001297}
13011298
1299+ #[ tokio:: test]
1300+ async fn provider_refresh_configure_rejects_key_supplied_via_both_material_and_env ( ) {
1301+ let ts = run_server ( ) . await ;
1302+
1303+ let guard = EnvVarGuard :: set ( & [ ( "OPENSHELL_ITEST_SME_DUP_KEY" , "pem-from-env" ) ] ) ;
1304+ let err = run:: provider_refresh_config (
1305+ & ts. endpoint ,
1306+ run:: ProviderRefreshConfigInput {
1307+ name : "gc-bridge" ,
1308+ credential_key : "GOOGLE_CHAT_ACCESS_TOKEN" ,
1309+ strategy : "google_service_account_jwt" ,
1310+ material : & [ "private_key=argv-value" . to_string ( ) ] ,
1311+ secret_material_env : & [ "private_key=OPENSHELL_ITEST_SME_DUP_KEY" . to_string ( ) ] ,
1312+ secret_material_keys : & [ ] ,
1313+ credential_expires_at_ms : None ,
1314+ } ,
1315+ & ts. tls ,
1316+ )
1317+ . await
1318+ . expect_err ( "duplicate key across --material and --secret-material-env should fail" ) ;
1319+ drop ( guard) ;
1320+
1321+ assert ! (
1322+ err. to_string( )
1323+ . contains( "duplicate material key 'private_key'" )
1324+ ) ;
1325+ // Rejected client-side: nothing reached the gateway.
1326+ assert ! ( ts. state. refresh_requests. lock( ) . await . is_empty( ) ) ;
1327+ }
1328+
13021329#[ tokio:: test]
13031330async fn provider_refresh_configure_fails_closed_when_secret_material_env_is_unset ( ) {
13041331 let ts = run_server ( ) . await ;
0 commit comments