ContainerImage.Pinniped/internal/tokenclient/tokenclient_test.go

// Copyright 2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package tokenclient

import (
	"bytes"
	"errors"
	"testing"
	"time"

	"github.com/stretchr/testify/require"
	authenticationv1 "k8s.io/api/authentication/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/utils/clock"
	clocktesting "k8s.io/utils/clock/testing"

	"go.pinniped.dev/internal/plog"
)

func TestNew(t *testing.T) {
	mockWhatToDoWithTokenFunc := *new(WhatToDoWithTokenFunc)
	mockClient := new(kubernetes.Clientset)
	mockTime := time.Now()
	mockClock := clocktesting.NewFakeClock(mockTime)
	var log bytes.Buffer
	testLogger := plog.TestLogger(t, &log)

	type args struct {
		namespace          string
		serviceAccountName string
		k8sClient          *kubernetes.Clientset
		whatToDoWithToken  WhatToDoWithTokenFunc
		logger             plog.Logger
		opts               []Opt
	}

	tests := []struct {
		name     string
		args     args
		expected *TokenClient
	}{
		{
			name: "defaults",
			args: args{
				namespace:          "namespace",
				serviceAccountName: "serviceAccountName",
				k8sClient:          mockClient,
				whatToDoWithToken:  mockWhatToDoWithTokenFunc,
				logger:             testLogger,
			},
			expected: &TokenClient{
				namespace:          "namespace",
				serviceAccountName: "serviceAccountName",
				k8sClient:          mockClient,
				whatToDoWithToken:  mockWhatToDoWithTokenFunc,
				expirationSeconds:  600,
				clock:              clock.RealClock{},
				logger:             testLogger,
			},
		},
		{
			name: "with all opts",
			args: args{
				namespace:          "custom-namespace",
				serviceAccountName: "custom-serviceAccountName",
				k8sClient:          mockClient,
				whatToDoWithToken:  mockWhatToDoWithTokenFunc,
				logger:             testLogger,
				opts: []Opt{
					WithExpirationSeconds(777),
					withClock(mockClock),
				},
			},
			expected: &TokenClient{
				namespace:          "custom-namespace",
				serviceAccountName: "custom-serviceAccountName",
				k8sClient:          mockClient,
				whatToDoWithToken:  mockWhatToDoWithTokenFunc,
				expirationSeconds:  777,
				clock:              mockClock,
				logger:             testLogger,
			},
		},
	}
	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			actual := New(
				tt.args.namespace,
				tt.args.serviceAccountName,
				tt.args.k8sClient,
				tt.args.whatToDoWithToken,
				tt.args.logger,
				tt.args.opts...,
			)

			require.Equal(t, tt.expected, actual)
		})
	}
}

// withClock should only be used for testing.
func withClock(clock clock.Clock) Opt {
	return func(client *TokenClient) {
		client.clock = clock
	}
}

func TestFetchToken(t *testing.T) {
	mockTime := metav1.Now()

	type expected struct {
		tokenRequestStatus authenticationv1.TokenRequestStatus
		ttl                metav1.Duration
		errMessage         string
	}

	tests := []struct {
		name                         string
		expirationSeconds            int64
		howToFetchTokenFromAPIServer howToFetchTokenFromAPIServer
		expected                     expected
	}{
		{
			name:              "happy path",
			expirationSeconds: 555,
			howToFetchTokenFromAPIServer: func(_ *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
				tokenRequest := authenticationv1.TokenRequest{
					Status: authenticationv1.TokenRequestStatus{
						Token:               "token value",
						ExpirationTimestamp: metav1.NewTime(mockTime.Add(25 * time.Minute)),
					},
				}
				return &tokenRequest, nil
			},
			expected: expected{
				tokenRequestStatus: authenticationv1.TokenRequestStatus{
					Token:               "token value",
					ExpirationTimestamp: metav1.NewTime(mockTime.Add(25 * time.Minute)),
				},
				ttl: metav1.Duration{
					Duration: 25 * time.Minute,
				},
			},
		},
		{
			name:              "returns errors from howToFetchTokenFromAPIServer",
			expirationSeconds: 444,
			howToFetchTokenFromAPIServer: func(_ *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
				return nil, errors.New("has an error")
			},
			expected: expected{
				errMessage: "error creating token: has an error",
			},
		},
		{
			name:              "errors when howToFetchTokenFromAPIServer returns nil",
			expirationSeconds: 333,
			howToFetchTokenFromAPIServer: func(_ *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
				return nil, nil
			},
			expected: expected{
				errMessage: "tokenRequest is nil after request",
			},
		},
	}

	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			wrappedFunc := func(tokenRequest *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
				require.NotNil(t, tokenRequest)
				require.Equal(t, tt.expirationSeconds, *tokenRequest.Spec.ExpirationSeconds)
				require.Empty(t, tokenRequest.Spec.Audiences)
				require.Empty(t, tokenRequest.Spec.BoundObjectRef)
				return tt.howToFetchTokenFromAPIServer(tokenRequest)
			}

			mockClock := clocktesting.NewFakeClock(mockTime.Time)
			var log bytes.Buffer

			tokenClient := TokenClient{
				expirationSeconds: tt.expirationSeconds,
				clock:             mockClock,
				logger:            plog.TestLogger(t, &log),
			}

			tokenRequestStatus, ttl, err := tokenClient.fetchToken(
				wrappedFunc,
			)

			if tt.expected.errMessage != "" {
				require.ErrorContains(t, err, tt.expected.errMessage)
			} else {
				require.Equal(t, tt.expected.tokenRequestStatus, tokenRequestStatus)
				require.Equal(t, tt.expected.ttl, ttl)
			}
		})
	}
}
Do not use long-lived service account tokens in secrets 2023-10-20 20:28:53 +00:00			`// Copyright 2023 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package tokenclient`

			`import (`
			`"bytes"`
			`"errors"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`
			`authenticationv1 "k8s.io/api/authentication/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/utils/clock"`
			`clocktesting "k8s.io/utils/clock/testing"`

			`"go.pinniped.dev/internal/plog"`
			`)`

			`func TestNew(t *testing.T) {`
			`mockWhatToDoWithTokenFunc := *new(WhatToDoWithTokenFunc)`
			`mockClient := new(kubernetes.Clientset)`
			`mockTime := time.Now()`
			`mockClock := clocktesting.NewFakeClock(mockTime)`
			`var log bytes.Buffer`
			`testLogger := plog.TestLogger(t, &log)`

			`type args struct {`
			`namespace string`
			`serviceAccountName string`
			`k8sClient *kubernetes.Clientset`
			`whatToDoWithToken WhatToDoWithTokenFunc`
			`logger plog.Logger`
			`opts []Opt`
			`}`

			`tests := []struct {`
			`name string`
			`args args`
			`expected *TokenClient`
			`}{`
			`{`
			`name: "defaults",`
			`args: args{`
			`namespace: "namespace",`
			`serviceAccountName: "serviceAccountName",`
			`k8sClient: mockClient,`
			`whatToDoWithToken: mockWhatToDoWithTokenFunc,`
			`logger: testLogger,`
			`},`
			`expected: &TokenClient{`
			`namespace: "namespace",`
			`serviceAccountName: "serviceAccountName",`
			`k8sClient: mockClient,`
			`whatToDoWithToken: mockWhatToDoWithTokenFunc,`
			`expirationSeconds: 600,`
			`clock: clock.RealClock{},`
			`logger: testLogger,`
			`},`
			`},`
			`{`
			`name: "with all opts",`
			`args: args{`
			`namespace: "custom-namespace",`
			`serviceAccountName: "custom-serviceAccountName",`
			`k8sClient: mockClient,`
			`whatToDoWithToken: mockWhatToDoWithTokenFunc,`
			`logger: testLogger,`
			`opts: []Opt{`
			`WithExpirationSeconds(777),`
			`withClock(mockClock),`
			`},`
			`},`
			`expected: &TokenClient{`
			`namespace: "custom-namespace",`
			`serviceAccountName: "custom-serviceAccountName",`
			`k8sClient: mockClient,`
			`whatToDoWithToken: mockWhatToDoWithTokenFunc,`
			`expirationSeconds: 777,`
			`clock: mockClock,`
			`logger: testLogger,`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`actual := New(`
			`tt.args.namespace,`
			`tt.args.serviceAccountName,`
			`tt.args.k8sClient,`
			`tt.args.whatToDoWithToken,`
			`tt.args.logger,`
			`tt.args.opts...,`
			`)`

			`require.Equal(t, tt.expected, actual)`
			`})`
			`}`
			`}`

			`// withClock should only be used for testing.`
			`func withClock(clock clock.Clock) Opt {`
			`return func(client *TokenClient) {`
			`client.clock = clock`
			`}`
			`}`

			`func TestFetchToken(t *testing.T) {`
			`mockTime := metav1.Now()`

			`type expected struct {`
			`tokenRequestStatus authenticationv1.TokenRequestStatus`
			`ttl metav1.Duration`
			`errMessage string`
			`}`

			`tests := []struct {`
			`name string`
			`expirationSeconds int64`
			`howToFetchTokenFromAPIServer howToFetchTokenFromAPIServer`
			`expected expected`
			`}{`
			`{`
			`name: "happy path",`
			`expirationSeconds: 555,`
			`howToFetchTokenFromAPIServer: func(_ authenticationv1.TokenRequest) (authenticationv1.TokenRequest, error) {`
			`tokenRequest := authenticationv1.TokenRequest{`
			`Status: authenticationv1.TokenRequestStatus{`
			`Token: "token value",`
			`ExpirationTimestamp: metav1.NewTime(mockTime.Add(25 * time.Minute)),`
			`},`
			`}`
			`return &tokenRequest, nil`
			`},`
			`expected: expected{`
			`tokenRequestStatus: authenticationv1.TokenRequestStatus{`
			`Token: "token value",`
			`ExpirationTimestamp: metav1.NewTime(mockTime.Add(25 * time.Minute)),`
			`},`
			`ttl: metav1.Duration{`
			`Duration: 25 * time.Minute,`
			`},`
			`},`
			`},`
			`{`
			`name: "returns errors from howToFetchTokenFromAPIServer",`
			`expirationSeconds: 444,`
			`howToFetchTokenFromAPIServer: func(_ authenticationv1.TokenRequest) (authenticationv1.TokenRequest, error) {`
			`return nil, errors.New("has an error")`
			`},`
			`expected: expected{`
			`errMessage: "error creating token: has an error",`
			`},`
			`},`
			`{`
			`name: "errors when howToFetchTokenFromAPIServer returns nil",`
			`expirationSeconds: 333,`
			`howToFetchTokenFromAPIServer: func(_ authenticationv1.TokenRequest) (authenticationv1.TokenRequest, error) {`
			`return nil, nil`
			`},`
			`expected: expected{`
			`errMessage: "tokenRequest is nil after request",`
			`},`
			`},`
			`}`

			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`wrappedFunc := func(tokenRequest authenticationv1.TokenRequest) (authenticationv1.TokenRequest, error) {`
			`require.NotNil(t, tokenRequest)`
			`require.Equal(t, tt.expirationSeconds, *tokenRequest.Spec.ExpirationSeconds)`
			`require.Empty(t, tokenRequest.Spec.Audiences)`
			`require.Empty(t, tokenRequest.Spec.BoundObjectRef)`
			`return tt.howToFetchTokenFromAPIServer(tokenRequest)`
			`}`

			`mockClock := clocktesting.NewFakeClock(mockTime.Time)`
			`var log bytes.Buffer`

			`tokenClient := TokenClient{`
			`expirationSeconds: tt.expirationSeconds,`
			`clock: mockClock,`
			`logger: plog.TestLogger(t, &log),`
			`}`

			`tokenRequestStatus, ttl, err := tokenClient.fetchToken(`
			`wrappedFunc,`
			`)`

			`if tt.expected.errMessage != "" {`
			`require.ErrorContains(t, err, tt.expected.errMessage)`
			`} else {`
			`require.Equal(t, tt.expected.tokenRequestStatus, tokenRequestStatus)`
			`require.Equal(t, tt.expected.ttl, ttl)`
			`}`
			`})`
			`}`
			`}`