test/integration: add integration test for pinniped cli

2020-09-15 11:00:38 -04:00 · 2020-09-15 11:00:38 -04:00 · 831df90c93
commit 831df90c93
parent 82ef9e4806
4 changed files with 217 additions and 59 deletions
--- a/test/integration/cli_test.go
+++ b/test/integration/cli_test.go
@ -0,0 +1,91 @@
 /*
 Copyright 2020 VMware, Inc.
 SPDX-License-Identifier: Apache-2.0
 */
 package integration
 import (
 	"context"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 	"github.com/suzerain-io/pinniped/test/library"
 )
 func TestCLI(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
 	token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
 	namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE")
 	testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME")
 	expectedTestUserGroups := strings.Split(
 		strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
 	)
 	// Build pinniped CLI.
 	pinnipedExe, cleanupFunc := buildPinnipedCLI(t)
 	defer cleanupFunc()
 	// Run pinniped CLI to get kubeconfig.
 	kubeConfig := runPinnipedCLI(t, pinnipedExe, token, namespaceName)
 	// Create Kubernetes client with kubeconfig from pinniped CLI.
 	kubeClient := library.NewClientsetForKubeConfig(t, kubeConfig)
 	// Validate that we can auth to the API via our user.
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Second*3)
 	defer cancelFunc()
 	adminClient := library.NewClientset(t)
 	t.Run("access as user", accessAsUserTest(ctx, adminClient, testUsername, kubeClient))
 	for _, group := range expectedTestUserGroups {
 		group := group
 		t.Run(
 			"access as group "+group,
 			accessAsGroupTest(ctx, adminClient, group, kubeClient),
 		)
 	}
 }
 func buildPinnipedCLI(t *testing.T) (string, func()) {
 	t.Helper()
 	pinnipedExeDir, err := ioutil.TempDir("", "pinniped-cli-test-*")
 	require.NoError(t, err)
 	pinnipedExe := filepath.Join(pinnipedExeDir, "pinniped")
 	output, err := exec.Command(
 		"go",
 		"build",
 		"-o",
 		pinnipedExe,
 		"github.com/suzerain-io/pinniped/cmd/pinniped",
 	).CombinedOutput()
 	require.NoError(t, err, string(output))
 	return pinnipedExe, func() {
 		require.NoError(t, os.RemoveAll(pinnipedExeDir))
 	}
 }
 func runPinnipedCLI(t *testing.T, pinnipedExe, token, namespaceName string) string {
 	t.Helper()
 	output, err := exec.Command(
 		pinnipedExe,
 		"get-kubeconfig",
 		"--token", token,
 		"--pinniped-namespace", namespaceName,
 	).CombinedOutput()
 	require.NoError(t, err, string(output))
 	return string(output)
 }
--- a/test/integration/common_test.go
+++ b/test/integration/common_test.go
@ -0,0 +1,102 @@
 /*
 Copyright 2020 VMware, Inc.
 SPDX-License-Identifier: Apache-2.0
 */
 package integration
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 )
 // accessAsUserTest runs a generic test in which a clientUnderTest operating with username
 // testUsername tries to auth to the kube API (i.e., list namespaces).
 //
 // Use this function if you want to simply validate that a user can auth to the kube API after
 // performing a Pinniped credential exchange.
 func accessAsUserTest(
 	ctx context.Context,
 	adminClient kubernetes.Interface,
 	testUsername string,
 	clientUnderTest kubernetes.Interface,
 ) func(t *testing.T) {
 	return func(t *testing.T) {
 		addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
 			TypeMeta: metav1.TypeMeta{},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "integration-test-user-readonly-role-binding",
 			},
 			Subjects: []rbacv1.Subject{{
 				Kind:     rbacv1.UserKind,
 				APIGroup: rbacv1.GroupName,
 				Name:     testUsername,
 			}},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
 				APIGroup: rbacv1.GroupName,
 				Name:     "view",
 			},
 		})
 		// Use the client which is authenticated as the test user to list namespaces
 		var listNamespaceResponse *v1.NamespaceList
 		var err error
 		var canListNamespaces = func() bool {
 			listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
 			return err == nil
 		}
 		assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
 		require.NoError(t, err) // prints out the error and stops the test in case of failure
 		require.NotEmpty(t, listNamespaceResponse.Items)
 	}
 }
 // accessAsGroupTest runs a generic test in which a clientUnderTest with membership in group
 // testGroup tries to auth to the kube API (i.e., list namespaces).
 //
 // Use this function if you want to simply validate that a user can auth to the kube API (via
 // a group membership) after performing a Pinniped credential exchange.
 func accessAsGroupTest(
 	ctx context.Context,
 	adminClient kubernetes.Interface,
 	testGroup string,
 	clientUnderTest kubernetes.Interface,
 ) func(t *testing.T) {
 	return func(t *testing.T) {
 		addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
 			TypeMeta: metav1.TypeMeta{},
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "integration-test-group-readonly-role-binding",
 			},
 			Subjects: []rbacv1.Subject{{
 				Kind:     rbacv1.GroupKind,
 				APIGroup: rbacv1.GroupName,
 				Name:     testGroup,
 			}},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
 				APIGroup: rbacv1.GroupName,
 				Name:     "view",
 			},
 		})
 		// Use the client which is authenticated as the test user to list namespaces
 		var listNamespaceResponse *v1.NamespaceList
 		var err error
 		var canListNamespaces = func() bool {
 			listNamespaceResponse, err = clientUnderTest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
 			return err == nil
 		}
 		assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
 		require.NoError(t, err) // prints out the error and stops the test in case of failure
 		require.NotEmpty(t, listNamespaceResponse.Items)
 	}
 }
--- a/test/integration/credentialrequest_test.go
+++ b/test/integration/credentialrequest_test.go
@ -14,9 +14,7 @@ import (
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -61,65 +59,16 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 		response.Status.Credential.ClientKeyData,
 	)
-	t.Run("access as user", func(t *testing.T) {
+	t.Run(
-		addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
+		"access as user",
-			TypeMeta: metav1.TypeMeta{},
+		accessAsUserTest(ctx, adminClient, testUsername, clientWithCertFromCredentialRequest),
-			ObjectMeta: metav1.ObjectMeta{
+	)
 				Name: "integration-test-user-readonly-role-binding",
 			},
 			Subjects: []rbacv1.Subject{{
 				Kind:     rbacv1.UserKind,
 				APIGroup: rbacv1.GroupName,
 				Name:     testUsername,
 			}},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
 				APIGroup: rbacv1.GroupName,
 				Name:     "view",
 			},
 		})
 		// Use the client which is authenticated as the test user to list namespaces
 		var listNamespaceResponse *v1.NamespaceList
 		var canListNamespaces = func() bool {
 			listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
 			return err == nil
 		}
 		assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
 		require.NoError(t, err) // prints out the error and stops the test in case of failure
 		require.NotEmpty(t, listNamespaceResponse.Items)
 	})
 	for _, group := range expectedTestUserGroups {
 		group := group
-		t.Run("access as group "+group, func(t *testing.T) {
+		t.Run(
-			addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
+			"access as group "+group,
-				TypeMeta: metav1.TypeMeta{},
+			accessAsGroupTest(ctx, adminClient, group, clientWithCertFromCredentialRequest),
-				ObjectMeta: metav1.ObjectMeta{
+		)
 					Name: "integration-test-group-readonly-role-binding",
 				},
 				Subjects: []rbacv1.Subject{{
 					Kind:     rbacv1.GroupKind,
 					APIGroup: rbacv1.GroupName,
 					Name:     group,
 				}},
 				RoleRef: rbacv1.RoleRef{
 					Kind:     "ClusterRole",
 					APIGroup: rbacv1.GroupName,
 					Name:     "view",
 				},
 			})
 			// Use the client which is authenticated as the test user to list namespaces
 			var listNamespaceResponse *v1.NamespaceList
 			var canListNamespaces = func() bool {
 				listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
 				return err == nil
 			}
 			assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
 			require.NoError(t, err) // prints out the error and stops the test in case of failure
 			require.NotEmpty(t, listNamespaceResponse.Items)
 		})
 	}
 }
--- a/test/library/client.go
+++ b/test/library/client.go
@ -36,6 +36,22 @@ func NewClientset(t *testing.T) kubernetes.Interface {
 	return newClientsetWithConfig(t, NewClientConfig(t))
 }
 func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface {
 	t.Helper()
 	kubeConfigFile, err := ioutil.TempFile("", "pinniped-cli-test-*")
 	require.NoError(t, err)
 	defer os.Remove(kubeConfigFile.Name())
 	_, err = kubeConfigFile.Write([]byte(kubeConfig))
 	require.NoError(t, err)
 	restConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigFile.Name())
 	require.NoError(t, err)
 	return newClientsetWithConfig(t, restConfig)
 }
 func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface {
 	t.Helper()