WIP: initial integration test for cert issuing

This commit is contained in:
Andrew Keesler 2020-07-24 11:40:08 -04:00
parent 6fe7a4c9dc
commit 6cc8a2f8dd
2 changed files with 55 additions and 7 deletions


@ -8,6 +8,7 @@ package integration
import ( import (
"context" "context"
"encoding/json" "encoding/json"
"net/http"
"os" "os"
"testing" "testing"
"time" "time"
@ -49,14 +50,34 @@ func TestSuccessfulLoginRequest(t *testing.T) {
require.Empty(t, response.Spec) require.Empty(t, response.Spec)
require.NotNil(t, response.Status.Credential) require.NotNil(t, response.Status.Credential)
require.NotEmpty(t, response.Status.Credential.Token) require.Empty(t, response.Status.Credential.Token)
require.Empty(t, response.Status.Credential.ClientCertificateData) require.NotEmpty(t, response.Status.Credential.ClientCertificateData)
require.Empty(t, response.Status.Credential.ClientKeyData) require.NotEmpty(t, response.Status.Credential.ClientKeyData)
require.Nil(t, response.Status.Credential.ExpirationTimestamp) require.Nil(t, response.Status.Credential.ExpirationTimestamp)
require.NotNil(t, response.Status.User) require.NotNil(t, response.Status.User)
require.NotEmpty(t, response.Status.User.Name) require.NotEmpty(t, response.Status.User.Name)
require.Contains(t, response.Status.User.Groups, "tmc:member") require.Contains(t, response.Status.User.Groups, "tmc:member")
clientWithCert := library.NewClientsetWithConfig(
t,
library.NewClientConfigWithCertAndKey(
t,
response.Status.Credential.ClientCertificateData,
response.Status.Credential.ClientKeyData,
),
)
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
_, err = clientWithCert.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
// Response status should be 403 Forbidden because we assume this actor does
// not have any permissions on this cluster.
require.Error(t, err)
statusError, isStatus := err.(*errors.StatusError)
require.True(t, isStatus)
require.Equal(t, http.StatusForbidden, statusError.Status().Code)
} }
func TestFailedLoginRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTheUser(t *testing.T) { func TestFailedLoginRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTheUser(t *testing.T) {
@ -74,7 +95,7 @@ func TestFailedLoginRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTh
} }
func TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) { func TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) {
_, err := makeRequest(t, v1alpha1.LoginRequestSpec{ response, err := makeRequest(t, v1alpha1.LoginRequestSpec{
Type: v1alpha1.TokenLoginCredentialType, Type: v1alpha1.TokenLoginCredentialType,
Token: nil, Token: nil,
}) })
@ -88,6 +109,9 @@ func TestLoginRequest_ShouldFailWhenRequestDoesNotIncludeToken(t *testing.T) {
require.Equal(t, metav1.CauseType("FieldValueRequired"), cause.Type) require.Equal(t, metav1.CauseType("FieldValueRequired"), cause.Type)
require.Equal(t, "Required value: token must be supplied", cause.Message) require.Equal(t, "Required value: token must be supplied", cause.Message)
require.Equal(t, "spec.token.value", cause.Field) require.Equal(t, "spec.token.value", cause.Field)
require.Empty(t, response.Spec)
require.Nil(t, response.Status.Credential)
} }
func TestGetDiscovery(t *testing.T) { func TestGetDiscovery(t *testing.T) {
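Review bot: The final assertion added to TestSuccessfulLoginRequest compares an `int` with an `int32`: `http.StatusForbidden` is an untyped constant that becomes `int` when passed to `require.Equal`, while `Status().Code` on a StatusError is `int32`, so testify's reflect-based equality reports a mismatch even when the server really answers 403. Assuming `errors` here is the apimachinery API errors package (it is the one that defines `StatusError`), the type assertion and code comparison can be replaced by `require.True(t, errors.IsForbidden(err))`; otherwise cast the expectation, `require.Equal(t, int32(http.StatusForbidden), statusError.Status().Code)`. Keep the comment explaining why 403 rather than 401 is expected, since that distinction is what shows the issued certificate actually authenticated the caller instead of being ignored. `err` is reused with `=` from a declaration before the hunk, and TestSuccessfulLoginRequest itself starts outside the hunk.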


@ -6,12 +6,14 @@ SPDX-License-Identifier: Apache-2.0
package library package library
import ( import (
"encoding/base64"
"testing" "testing"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
placeholdernameclientset "github.com/suzerain-io/placeholder-name-client-go/pkg/generated/clientset/versioned" placeholdernameclientset "github.com/suzerain-io/placeholder-name-client-go/pkg/generated/clientset/versioned"
) )
@ -19,18 +21,40 @@ import (
func NewClientConfig(t *testing.T) *rest.Config { func NewClientConfig(t *testing.T) *rest.Config {
t.Helper() t.Helper()
return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{})
}
func NewClientConfigWithCertAndKey(t *testing.T, cert, key string) *rest.Config {
t.Helper()
return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{
AuthInfo: clientcmdapi.AuthInfo{
ClientCertificateData: []byte(base64.StdEncoding.EncodeToString([]byte(cert))),
ClientKeyData: []byte(base64.StdEncoding.EncodeToString([]byte(key))),
},
})
}
func newClientConfigWithOverrides(t *testing.T, overrides *clientcmd.ConfigOverrides) *rest.Config {
t.Helper()
loader := clientcmd.NewDefaultClientConfigLoadingRules() loader := clientcmd.NewDefaultClientConfigLoadingRules()
clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, &clientcmd.ConfigOverrides{}) clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, overrides)
config, err := clientConfig.ClientConfig() config, err := clientConfig.ClientConfig()
require.NoError(t, err) require.NoError(t, err)
return config return config
} }
func NewClientset(t *testing.T) kubernetes.Interface { func NewClientset(t *testing.T) kubernetes.Interface {
t.Helper() t.Helper()
return kubernetes.NewForConfigOrDie(NewClientConfig(t)) return NewClientsetWithConfig(t, NewClientConfig(t))
}
func NewClientsetWithConfig(t *testing.T, config *rest.Config) kubernetes.Interface {
t.Helper()
return kubernetes.NewForConfigOrDie(config)
} }
func NewPlaceholderNameClientset(t *testing.T) placeholdernameclientset.Interface { func NewPlaceholderNameClientset(t *testing.T) placeholdernameclientset.Interface {
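Review bot: The base64 wrapping in NewClientConfigWithCertAndKey, `ClientCertificateData: []byte(base64.StdEncoding.EncodeToString([]byte(cert)))` and the matching ClientKeyData line, looks like a double encoding: `clientcmdapi.AuthInfo.ClientCertificateData` holds the raw PEM bytes and base64 is only how kubeconfig YAML serializes a `[]byte` field, so the override would hand rest.Config an encoded blob rather than a certificate. If this encoding was found to be required against the clientcmd version in use, that deserves a comment on those two lines saying so; otherwise `ClientCertificateData: []byte(cert)` and `ClientKeyData: []byte(key)` are the values I would expect. The new exported helpers also lack doc comments, e.g. `// NewClientConfigWithCertAndKey returns a rest.Config for the test cluster that authenticates with the given PEM client certificate and key.` and `// NewClientsetWithConfig builds a kubernetes clientset from config, failing the test on error.` (note that `NewForConfigOrDie` panics rather than calling t.Fatal, which the comment should reflect). The hunk's trailing context ends on the NewPlaceholderNameClientset signature, whose body is outside the hunk.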