From e6cb2f8220c19246184f59ecbdc8a060a58707a7 Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Thu, 10 Sep 2020 17:10:27 -0700 Subject: [PATCH] Assert on specific expected username and groups in integration tests Signed-off-by: Ryan Richard --- hack/prepare-for-integration-tests.sh | 57 +++++----------------- test/integration/client_test.go | 2 +- test/integration/credentialrequest_test.go | 18 ++++--- 3 files changed, 24 insertions(+), 53 deletions(-) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index d7f2c777..35ef1c20 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -12,34 +12,6 @@ set -euo pipefail -function print_or_redact_doc() { - doc_kind=$(echo "$1" | awk '/^kind: / {print $2}') - if [[ -z "$doc_kind" ]]; then - echo "warning: " - elif [[ $doc_kind == "Secret" || $doc_kind == "secret" ]]; then - echo - echo "---" - echo "" - else - printf "%s\n" "$1" - fi -} - -function print_redacted_manifest() { - doc="" - while IFS="" read -r line || [ -n "$line" ]; do - if [[ $line == "---" ]]; then - if [[ -n "$doc" ]]; then - print_or_redact_doc "$doc" - fi - doc="" - fi - doc=$(printf "%s\n%s" "$doc" "$line") - done <"$1" - - print_or_redact_doc "$doc" -} - function log_note() { GREEN='\033[0;32m' NC='\033[0m' @@ -221,23 +193,21 @@ else --data-value "image_repo=$registry_repo" \ --data-value "image_tag=$tag" >"$manifest" - echo - log_note "Full local-user-authenticator app manifest with Secrets redacted..." - echo "--------------------------------------------------------------------------------" - print_redacted_manifest $manifest - echo "--------------------------------------------------------------------------------" - echo - kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" popd >/dev/null - log_note "Creating test user 'test-username'..." test_username="test-username" - # TODO AUTO-GENERATE PASSWORD - test_password="test-password" test_groups="test-group-0,test-group-1" + set +o pipefail + test_password="$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w 32 | head -n 1)" + set -o pipefail + if [[ ${#test_password} -ne 32 ]]; then + log_error "Could not create random test user password" + exit 1 + fi + echo "Creating test user '$test_username'..." kubectl create secret generic "$test_username" \ --namespace local-user-authenticator \ --from-literal=groups="$test_groups" \ @@ -267,13 +237,6 @@ else --data-value "webhook_ca_bundle=$webhook_ca_bundle" \ --data-value "discovery_url=$discovery_url" >"$manifest" - echo - log_note "Full Pinniped app manifest with Secrets redacted..." - echo "--------------------------------------------------------------------------------" - print_redacted_manifest $manifest - echo "--------------------------------------------------------------------------------" - echo - kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" @@ -286,7 +249,9 @@ else # The following env vars should be set before running 'cd test && go test ./...' export PINNIPED_NAMESPACE=${namespace} export PINNIPED_APP_NAME=${app_name} -export PINNIPED_CREDENTIAL_REQUEST_TOKEN=${test_username}:${test_password} +export PINNIPED_TEST_USER_USERNAME=${test_username} +export PINNIPED_TEST_USER_GROUPS=${test_groups} +export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password} read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true ${pinniped_cluster_capability_file_content} diff --git a/test/integration/client_test.go b/test/integration/client_test.go index da8e202a..ad480d1a 100644 --- a/test/integration/client_test.go +++ b/test/integration/client_test.go @@ -57,7 +57,7 @@ var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY" func TestClient(t *testing.T) { library.SkipUnlessIntegration(t) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) - token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN") + token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN") ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() diff --git a/test/integration/credentialrequest_test.go b/test/integration/credentialrequest_test.go index 5dce437b..e3e3ff50 100644 --- a/test/integration/credentialrequest_test.go +++ b/test/integration/credentialrequest_test.go @@ -10,6 +10,7 @@ import ( "crypto/x509" "encoding/pem" "net/http" + "strings" "testing" "time" @@ -28,6 +29,10 @@ import ( func TestSuccessfulCredentialRequest(t *testing.T) { library.SkipUnlessIntegration(t) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) + testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME") + expectedTestUserGroups := strings.Split( + strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",", + ) response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t)) require.NoError(t, err) @@ -39,6 +44,8 @@ func TestSuccessfulCredentialRequest(t *testing.T) { require.NotNil(t, response.Status.Credential) require.Empty(t, response.Status.Credential.Token) require.NotEmpty(t, response.Status.Credential.ClientCertificateData) + require.Equal(t, testUsername, getCommonName(t, response.Status.Credential.ClientCertificateData)) + require.ElementsMatch(t, expectedTestUserGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData)) require.NotEmpty(t, response.Status.Credential.ClientKeyData) require.NotNil(t, response.Status.Credential.ExpirationTimestamp) require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute)) @@ -65,7 +72,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) { Subjects: []rbacv1.Subject{{ Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, - Name: getCommonName(t, response.Status.Credential.ClientCertificateData), + Name: testUsername, }}, RoleRef: rbacv1.RoleRef{ Kind: "ClusterRole", @@ -85,7 +92,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) { require.NotEmpty(t, listNamespaceResponse.Items) }) - for _, group := range getOrganizationalUnits(t, response.Status.Credential.ClientCertificateData) { + for _, group := range expectedTestUserGroups { t.Run("access as group "+group, func(t *testing.T) { addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ TypeMeta: metav1.TypeMeta{}, @@ -185,8 +192,7 @@ func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.C } func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec { - token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN") - + token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN") return v1alpha1.CredentialRequestSpec{ Type: v1alpha1.TokenCredentialType, Token: &v1alpha1.CredentialRequestTokenCredential{Value: token}, @@ -227,12 +233,12 @@ func getCommonName(t *testing.T, certPEM string) string { return cert.Subject.CommonName } -func getOrganizationalUnits(t *testing.T, certPEM string) []string { +func getOrganizations(t *testing.T, certPEM string) []string { t.Helper() pemBlock, _ := pem.Decode([]byte(certPEM)) cert, err := x509.ParseCertificate(pemBlock.Bytes) require.NoError(t, err) - return cert.Subject.OrganizationalUnit + return cert.Subject.Organization }