ContainerImage.Pinniped/test/integration/client_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"strings"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"

	"go.pinniped.dev/internal/client"
	"go.pinniped.dev/internal/here"
	"go.pinniped.dev/test/library"
)

// Test certificate and private key that should get an authentication error. Generated with cfssl [1], like this:
//
// 	$ brew install cfssl
// 	$ cfssl print-defaults csr | cfssl genkey -initca - | cfssljson -bare ca
// 	$ cfssl print-defaults csr | cfssl gencert -ca ca.pem -ca-key ca-key.pem -hostname=testuser - | cfssljson -bare client
// 	$ cat client.pem client-key.pem
//
// [1]: https://github.com/cloudflare/cfssl
var (
	testCert = here.Doc(`
		-----BEGIN CERTIFICATE-----
		MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw
		SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
		c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3
		MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN
		U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB
		BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb
		04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC
		BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
		HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1
		c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ
		d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA==
		-----END CERTIFICATE-----
	`)

	testKey = maskKey(here.Doc(`
		-----BEGIN EC TESTING KEY-----
		MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49
		AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2
		O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ==
		-----END EC TESTING KEY-----
	`))
)

var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }

func TestClient(t *testing.T) {
	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)

	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	webhook := library.CreateTestWebhookAuthenticator(ctx, t)

	// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
	invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)
	_, err := invalidClient.Discovery().ServerVersion()
	require.EqualError(t, err, "the server has asked for the client to provide credentials")

	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
	clientConfig := library.NewClientConfig(t)

	var resp *clientauthenticationv1beta1.ExecCredential
	assert.Eventually(t, func() bool {
		resp, err = client.ExchangeToken(ctx, env.ConciergeNamespace, webhook, env.TestUser.Token, string(clientConfig.CAData), clientConfig.Host)
		return err == nil
	}, 10*time.Second, 500*time.Millisecond)
	require.NoError(t, err)

	require.NotNil(t, resp.Status.ExpirationTimestamp)
	require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))

	// Create a client using the certificate and key returned by the token exchange.
	validClient := library.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)

	// Make a version request, which should succeed even without any authorization.
	_, err = validClient.Discovery().ServerVersion()
	require.NoError(t, err)
}
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00
			`package integration`

			`import (`
			`"context"`
			`"strings"`
			`"testing"`
			`"time"`

Harden some tests against slow IDP controllers using `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 16:50:00 +00:00			`"github.com/stretchr/testify/assert"`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`"github.com/stretchr/testify/require"`
Harden some tests against slow IDP controllers using `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 16:50:00 +00:00			`clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00
Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 19:56:24 +00:00			`"go.pinniped.dev/internal/client"`
			`"go.pinniped.dev/internal/here"`
			`"go.pinniped.dev/test/library"`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`)`

Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// Test certificate and private key that should get an authentication error. Generated with cfssl [1], like this:`
			`//`
			`// $ brew install cfssl`
			`// $ cfssl print-defaults csr \| cfssl genkey -initca - \| cfssljson -bare ca`
			`// $ cfssl print-defaults csr \| cfssl gencert -ca ca.pem -ca-key ca-key.pem -hostname=testuser - \| cfssljson -bare client`
			`// $ cat client.pem client-key.pem`
			`//`
			`// [1]: https://github.com/cloudflare/cfssl`
Clean up some lint errors that we missed before. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-05 01:45:03 +00:00			`var (`
Use here.Doc() in a few more places that were begging for it 2020-09-12 01:15:24 +00:00			testCert = here.Doc(`
			`-----BEGIN CERTIFICATE-----`
			`MIICBDCCAaugAwIBAgIUeidKWlZQuoKfBGydObI1hMwzt9cwCgYIKoZIzj0EAwIw`
			`SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp`
			`c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMDA3MjgxOTI3MDBaFw0yMTA3`
			`MjgxOTI3MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN`
			`U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB`
			`BggqhkjOPQMBBwNCAARk7XBC+OjYmrXOhm7RaJiHW4Q5VsE+iMV90Bzq7ansqAhb`
			`04RI63Y7YPwu1aExutjLvnkWCrgf2ze8KB+8djUBo3MwcTAOBgNVHQ8BAf8EBAMC`
			`BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw`
			`HQYDVR0OBBYEFG0oZxV+LHUKfE4gQ67xfHJuGQ/4MBMGA1UdEQQMMAqCCHRlc3R1`
			`c2VyMAoGCCqGSM49BAMCA0cAMEQCIEwPZhPpYhYHndfTEsWOxnxzJkmhAcYIMCeJ`
			`d9kyq/fPAiBNCJw1MCLT8LjNlyUZCfwI2zuI3e0w6vuau89oj2zvVA==`
			`-----END CERTIFICATE-----`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`)
Use here.Doc() in a few more places that were begging for it 2020-09-12 01:15:24 +00:00
			testKey = maskKey(here.Doc(`
			`-----BEGIN EC TESTING KEY-----`
			`MHcCAQEEIAqkBGGKTH5GzLx8XZLAHEFW2E8jT+jpy0p6w6MMR7DkoAoGCCqGSM49`
			`AwEHoUQDQgAEZO1wQvjo2Jq1zoZu0WiYh1uEOVbBPojFfdAc6u2p7KgIW9OESOt2`
			`O2D8LtWhMbrYy755Fgq4H9s3vCgfvHY1AQ==`
			`-----END EC TESTING KEY-----`
Mask this testing-only private key so we don't alert on it. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-14 19:42:22 +00:00			`))
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`)`

Mask this testing-only private key so we don't alert on it. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-14 19:42:22 +00:00			`var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }`

Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`func TestClient(t *testing.T) {`
Refactor integration test environment helpers to be more structured. This change replaces our previous test helpers for checking cluster capabilities and passing external test parameters. Prior to this change, we always used `$PINNIPED_*` environment variables and these variables were accessed throughout the test code. The new code introduces a more strongly-typed `TestEnv` structure and helpers which load and expose the parameters. Tests can now call `env := library.IntegrationEnv(t)`, then access parameters such as `env.Namespace` or `env.TestUser.Token`. This should make this data dependency easier to manage and refactor in the future. In many ways this is just an extended version of the previous cluster capabilities YAML. Tests can also check for cluster capabilities easily by using `env := library.IntegrationEnv(t).WithCapability(xyz)`. The actual parameters are still loaded from OS environment variables by default (for compatibility), but the code now also tries to load the data from a Kubernetes Secret (`integration/pinniped-test-env` by default). I'm hoping this will be a more convenient way to pass data between various scripts than the local `/tmp` directory. I hope to remove the OS environment code in a future commit. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-24 22:51:43 +00:00			`env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00
Increase test timeout to avoid CI flakes 2020-08-05 00:28:16 +00:00			`ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`defer cancel()`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`webhook := library.CreateTestWebhookAuthenticator(ctx, t)`
Create webhooks per-test and explicitly in `demo.md` instead of with ytt in `./deploy`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 00:55:04 +00:00
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.`
Update how integration tests which use LoginRequest make their clients - When we call the LoginRequest endpoint in loginrequest_test.go, do it with an unauthenticated client, to make sure that endpoint works with unauthenticated clients. - For tests which want to test using certs returned by LoginRequest to make API calls back to kube to check if those certs are working, make sure they start with a bare client and then add only those certs. Avoid accidentally picking up other kubeconfig configuration like tokens, etc. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-12 21:29:46 +00:00			`invalidClient := library.NewClientsetWithCertAndKey(t, testCert, testKey)`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`_, err := invalidClient.Discovery().ServerVersion()`
			`require.EqualError(t, err, "the server has asked for the client to provide credentials")`

			`// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.`
			`clientConfig := library.NewClientConfig(t)`
Add IDP selector support in client code. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-17 22:11:47 +00:00
Harden some tests against slow IDP controllers using `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 16:50:00 +00:00			`var resp *clientauthenticationv1beta1.ExecCredential`
			`assert.Eventually(t, func() bool {`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`resp, err = client.ExchangeToken(ctx, env.ConciergeNamespace, webhook, env.TestUser.Token, string(clientConfig.CAData), clientConfig.Host)`
Harden some tests against slow IDP controllers using `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 16:50:00 +00:00			`return err == nil`
			`}, 10time.Second, 500time.Millisecond)`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00			`require.NoError(t, err)`
Harden some tests against slow IDP controllers using `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-22 16:50:00 +00:00
Make `./pkg/client` into an internal package using the native k8s client. This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-25 15:48:14 +00:00			`require.NotNil(t, resp.Status.ExpirationTimestamp)`
			`require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1time.Hour, float64(3time.Minute))`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00
			`// Create a client using the certificate and key returned by the token exchange.`
Make `./pkg/client` into an internal package using the native k8s client. This should simplify our build/test setup quite a bit, since it means we have only a single module (at the top level) with all hand-written code. I'll leave `module.sh` alone for now but we may be able to simplify that a bit more. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-25 15:48:14 +00:00			`validClient := library.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)`
Add integration tests for the client package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-07-28 19:50:49 +00:00
			`// Make a version request, which should succeed even without any authorization.`
			`_, err = validClient.Discovery().ServerVersion()`
			`require.NoError(t, err)`
			`}`