From b8205006ca4f14fb03e5db442488d167ab715453 Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Fri, 28 May 2021 16:12:57 -0700
Subject: [PATCH] Enable skipping of LDAP int tests when a firewall will block
 them

---
 test/cluster_capabilities/aks.yaml        |  3 +++
 test/cluster_capabilities/eks.yaml        |  3 +++
 test/cluster_capabilities/gke.yaml        |  3 +++
 test/cluster_capabilities/kind.yaml       |  3 +++
 test/cluster_capabilities/tkgs.yaml       |  3 +++
 test/integration/e2e_test.go              |  4 ++++
 test/integration/supervisor_login_test.go | 29 +++++++++++++++++------
 test/library/env.go                       |  1 +
 8 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/test/cluster_capabilities/aks.yaml b/test/cluster_capabilities/aks.yaml
index cc3f68ed..2a944bda 100644
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@@ -13,3 +13,6 @@ capabilities:
   # Does the cluster allow requests without authentication?
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
   anonymousAuthenticationSupported: false
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
diff --git a/test/cluster_capabilities/eks.yaml b/test/cluster_capabilities/eks.yaml
index 6d545f2f..9bce553d 100644
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@@ -13,3 +13,6 @@ capabilities:
   # Does the cluster allow requests without authentication?
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
   anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
diff --git a/test/cluster_capabilities/gke.yaml b/test/cluster_capabilities/gke.yaml
index 8bba8b8d..080cec4a 100644
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@@ -13,3 +13,6 @@ capabilities:
   # Does the cluster allow requests without authentication?
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
   anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
diff --git a/test/cluster_capabilities/kind.yaml b/test/cluster_capabilities/kind.yaml
index 0724edb9..92759ed9 100644
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@@ -13,3 +13,6 @@ capabilities:
   # Does the cluster allow requests without authentication?
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
   anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
diff --git a/test/cluster_capabilities/tkgs.yaml b/test/cluster_capabilities/tkgs.yaml
index 2ea82b1e..4c7d05ba 100644
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@@ -13,3 +13,6 @@ capabilities:
   # Does the cluster allow requests without authentication?
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
   anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: false
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index e2a1be60..fd9b450a 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -277,6 +277,10 @@ func TestE2EFullIntegration(t *testing.T) {
 
 	// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor LDAP upstream IDP", func(t *testing.T) {
+		if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+			t.Skip("LDAP integration test requires connectivity to an LDAP server")
+		}
+
 		expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
 		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
 
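Review bot: The skip guard added at the top of the subtest encodes an assumption that is not explained — a non-empty `env.ToolsNamespace` makes the test run regardless of the `CanReachInternetLDAPPorts` capability — and the identical predicate is repeated in both `maybeSkip` bodies in supervisor_login_test.go. A why-comment above the `if` would capture the intent, e.g. `// A tools namespace presumably means an in-cluster LDAP server is used; otherwise Internet LDAP ports must be reachable — confirm`, since the in-cluster part is inferred from the condition rather than visible here. Moving the predicate into one helper in the library package (something like `func SkipUnlessLDAPReachable(t *testing.T, env *TestEnv)`) would keep the three call sites from drifting when the capability logic changes. TestE2EFullIntegration continues outside the hunk.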
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index b47c82e0..692b0db8 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -41,6 +41,7 @@ func TestSupervisorLogin(t *testing.T) {
 
 	tests := []struct {
 		name                                 string
+		maybeSkip                            func(t *testing.T)
 		createIDP                            func(t *testing.T)
 		requestAuthorization                 func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client)
 		wantDownstreamIDTokenSubjectToMatch  string
@@ -95,6 +96,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with email as username and groups names as DNs and using an LDAP provider which supports TLS",
+			maybeSkip: func(t *testing.T) {
+				t.Helper()
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+					t.Skip("LDAP integration test requires connectivity to an LDAP server")
+				}
+			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@@ -154,6 +161,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with CN as username and group names as CNs and using an LDAP provider which only supports StartTLS", // try another variation of configuration options
+			maybeSkip: func(t *testing.T) {
+				t.Helper()
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+					t.Skip("LDAP integration test requires connectivity to an LDAP server")
+				}
+			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@@ -213,14 +226,16 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 	}
 	for _, test := range tests {
-		test := test
-		t.Run(test.name, func(t *testing.T) {
+		tt := test
+		t.Run(tt.name, func(t *testing.T) {
+			tt.maybeSkip(t)
+
 			testSupervisorLogin(t,
-				test.createIDP,
-				test.requestAuthorization,
-				test.wantDownstreamIDTokenSubjectToMatch,
-				test.wantDownstreamIDTokenUsernameToMatch,
-				test.wantDownstreamIDTokenGroups,
+				tt.createIDP,
+				tt.requestAuthorization,
+				tt.wantDownstreamIDTokenSubjectToMatch,
+				tt.wantDownstreamIDTokenUsernameToMatch,
+				tt.wantDownstreamIDTokenGroups,
 			)
 		})
 	}
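Review bot: `tt.maybeSkip(t)` is called unconditionally in the loop, but only the two LDAP table entries in this diff set the new `maybeSkip` field; any entry that leaves it unset (the case closed by the `},` at the top of the second hunk appears to be one) holds a nil func value and the call will panic, failing every subtest. Either guard the call, `if tt.maybeSkip != nil { tt.maybeSkip(t) }`, or document on the struct field that it is required and give the remaining entries an explicit no-op. The `test` → `tt` rename in the same hunk is unrelated to the fix and makes the hunk harder to read than it needs to be. TestSupervisorLogin's body begins outside this hunk.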
diff --git a/test/library/env.go b/test/library/env.go
index d8e7b44c..00a8c1e4 100644
--- a/test/library/env.go
+++ b/test/library/env.go
@@ -24,6 +24,7 @@ const (
 	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
 	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
+	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"
 )
 
 // TestEnv captures all the external parameters consumed by our integration tests.