Enable skipping of LDAP int tests when a firewall will block them

2021-05-28 16:12:57 -07:00 · 2021-05-28 16:12:57 -07:00 · b8205006ca
commit b8205006ca
parent 854903c4ed
8 changed files with 42 additions and 7 deletions
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: false
  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
  canReachInternetLDAPPorts: false
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@ -277,6 +277,10 @@ func TestE2EFullIntegration(t *testing.T) {
 	// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor LDAP upstream IDP", func(t *testing.T) {
 		if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
 			t.Skip("LDAP integration test requires connectivity to an LDAP server")
 		}
 		expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
 		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@ -41,6 +41,7 @@ func TestSupervisorLogin(t *testing.T) {
 	tests := []struct {
 		name                                 string
 		maybeSkip                            func(t *testing.T)
 		createIDP                            func(t *testing.T)
 		requestAuthorization                 func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client)
 		wantDownstreamIDTokenSubjectToMatch  string
@ -95,6 +96,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with email as username and groups names as DNs and using an LDAP provider which supports TLS",
 			maybeSkip: func(t *testing.T) {
 				t.Helper()
 				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
 					t.Skip("LDAP integration test requires connectivity to an LDAP server")
 				}
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -154,6 +161,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with CN as username and group names as CNs and using an LDAP provider which only supports StartTLS", // try another variation of configuration options
 			maybeSkip: func(t *testing.T) {
 				t.Helper()
 				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
 					t.Skip("LDAP integration test requires connectivity to an LDAP server")
 				}
 			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -213,14 +226,16 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 	}
 	for _, test := range tests {
-		test := test
+		tt := test
-		t.Run(test.name, func(t *testing.T) {
+		t.Run(tt.name, func(t *testing.T) {
 			tt.maybeSkip(t)
 			testSupervisorLogin(t,
-				test.createIDP,
+				tt.createIDP,
-				test.requestAuthorization,
+				tt.requestAuthorization,
-				test.wantDownstreamIDTokenSubjectToMatch,
+				tt.wantDownstreamIDTokenSubjectToMatch,
-				test.wantDownstreamIDTokenUsernameToMatch,
+				tt.wantDownstreamIDTokenUsernameToMatch,
-				test.wantDownstreamIDTokenGroups,
+				tt.wantDownstreamIDTokenGroups,
 			)
 		})
 	}
--- a/test/library/env.go
+++ b/test/library/env.go
@ -24,6 +24,7 @@ const (
 	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
 	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
 	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"
 )
 // TestEnv captures all the external parameters consumed by our integration tests.