Assert on specific expected username and groups in integration tests

Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-09-10 17:10:27 -07:00 · 2020-09-10 17:10:27 -07:00 · e6cb2f8220
commit e6cb2f8220
parent b7bdb7f3b1
3 changed files with 24 additions and 53 deletions
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -12,34 +12,6 @@

 set -euo pipefail

-function print_or_redact_doc() {
-  doc_kind=$(echo "$1" | awk '/^kind: / {print $2}')
-  if [[ -z "$doc_kind" ]]; then
-    echo "warning: <empty kind>"
-  elif [[ $doc_kind == "Secret" || $doc_kind == "secret" ]]; then
-    echo
-    echo "---"
-    echo "<SECRET REDACTED>"
-  else
-    printf "%s\n" "$1"
-  fi
-}
-
-function print_redacted_manifest() {
-  doc=""
-  while IFS="" read -r line || [ -n "$line" ]; do
-    if [[ $line == "---" ]]; then
-      if [[ -n "$doc" ]]; then
-        print_or_redact_doc "$doc"
-      fi
-      doc=""
-    fi
-    doc=$(printf "%s\n%s" "$doc" "$line")
-  done <"$1"
-
-  print_or_redact_doc "$doc"
-}
-
 function log_note() {
  GREEN='\033[0;32m'
  NC='\033[0m'
@ -221,23 +193,21 @@ else
    --data-value "image_repo=$registry_repo" \
    --data-value "image_tag=$tag" >"$manifest"

-  echo
-  log_note "Full local-user-authenticator app manifest with Secrets redacted..."
-  echo "--------------------------------------------------------------------------------"
-  print_redacted_manifest $manifest
-  echo "--------------------------------------------------------------------------------"
-  echo
-
  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
  kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"

  popd >/dev/null

-  log_note "Creating test user 'test-username'..."
  test_username="test-username"
-  # TODO AUTO-GENERATE PASSWORD
-  test_password="test-password"
  test_groups="test-group-0,test-group-1"
+  set +o pipefail
+  test_password="$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w 32 | head -n 1)"
+  set -o pipefail
+  if [[ ${#test_password} -ne 32 ]]; then
+    log_error "Could not create random test user password"
+    exit 1
+  fi
+  echo "Creating test user '$test_username'..."
  kubectl create secret generic "$test_username" \
    --namespace local-user-authenticator \
    --from-literal=groups="$test_groups" \
@ -267,13 +237,6 @@ else
    --data-value "webhook_ca_bundle=$webhook_ca_bundle" \
    --data-value "discovery_url=$discovery_url" >"$manifest"

-  echo
-  log_note "Full Pinniped app manifest with Secrets redacted..."
-  echo "--------------------------------------------------------------------------------"
-  print_redacted_manifest $manifest
-  echo "--------------------------------------------------------------------------------"
-  echo
-
  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
  kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"

@ -286,7 +249,9 @@ else
 # The following env vars should be set before running 'cd test && go test ./...'
 export PINNIPED_NAMESPACE=${namespace}
 export PINNIPED_APP_NAME=${app_name}
-export PINNIPED_CREDENTIAL_REQUEST_TOKEN=${test_username}:${test_password}
+export PINNIPED_TEST_USER_USERNAME=${test_username}
+export PINNIPED_TEST_USER_GROUPS=${test_groups}
+export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}

 read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
 ${pinniped_cluster_capability_file_content}
--- a/test/integration/client_test.go
+++ b/test/integration/client_test.go
@ -57,7 +57,7 @@ var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY"
 func TestClient(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
-	token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN")
+	token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")

 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
--- a/test/integration/credentialrequest_test.go
+++ b/test/integration/credentialrequest_test.go
@ -10,6 +10,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"net/http"
+	"strings"
 	"testing"
 	"time"

@ -28,6 +29,10 @@ import (
 func TestSuccessfulCredentialRequest(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
+	testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME")
+	expectedTestUserGroups := strings.Split(
+		strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
+	)

 	response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
 	require.NoError(t, err)
@ -39,6 +44,8 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	require.NotNil(t, response.Status.Credential)
 	require.Empty(t, response.Status.Credential.Token)
 	require.NotEmpty(t, response.Status.Credential.ClientCertificateData)
+	require.Equal(t, testUsername, getCommonName(t, response.Status.Credential.ClientCertificateData))
+	require.ElementsMatch(t, expectedTestUserGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData))
 	require.NotEmpty(t, response.Status.Credential.ClientKeyData)
 	require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
 	require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
@ -65,7 +72,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 			Subjects: []rbacv1.Subject{{
 				Kind:     rbacv1.UserKind,
 				APIGroup: rbacv1.GroupName,
-				Name:     getCommonName(t, response.Status.Credential.ClientCertificateData),
+				Name:     testUsername,
 			}},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
@ -85,7 +92,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 		require.NotEmpty(t, listNamespaceResponse.Items)
 	})

-	for _, group := range getOrganizationalUnits(t, response.Status.Credential.ClientCertificateData) {
+	for _, group := range expectedTestUserGroups {
 		t.Run("access as group "+group, func(t *testing.T) {
 			addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
 				TypeMeta: metav1.TypeMeta{},
@ -185,8 +192,7 @@ func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.C
 }

 func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec {
-	token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN")
-
+	token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
 	return v1alpha1.CredentialRequestSpec{
 		Type:  v1alpha1.TokenCredentialType,
 		Token: &v1alpha1.CredentialRequestTokenCredential{Value: token},
@ -227,12 +233,12 @@ func getCommonName(t *testing.T, certPEM string) string {
 	return cert.Subject.CommonName
 }

-func getOrganizationalUnits(t *testing.T, certPEM string) []string {
+func getOrganizations(t *testing.T, certPEM string) []string {
 	t.Helper()

 	pemBlock, _ := pem.Decode([]byte(certPEM))
 	cert, err := x509.ParseCertificate(pemBlock.Bytes)
 	require.NoError(t, err)

-	return cert.Subject.OrganizationalUnit
+	return cert.Subject.Organization
 }