djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Assert on specific expected username and groups in integration tests

Browse Source 
Signed-off-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
Andrew Keesler 2020-09-10 17:10:27 -07:00 committed by Ryan Richard
parent b7bdb7f3b1
commit e6cb2f8220
3 changed files with 24 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
hack/prepare-for-integration-tests.sh
View File

@ -12,34 +12,6 @@
set -euo pipefail set -euo pipefail
function print_or_redact_doc() {
doc_kind=$(echo "$1" | awk '/^kind: / {print $2}')
if [[ -z "$doc_kind" ]]; then
echo "warning: <empty kind>"
elif [[ $doc_kind == "Secret" || $doc_kind == "secret" ]]; then
echo
echo "---"
echo "<SECRET REDACTED>"
else
printf "%s\n" "$1"
fi
}
function print_redacted_manifest() {
doc=""
while IFS="" read -r line || [ -n "$line" ]; do
if [[ $line == "---" ]]; then
if [[ -n "$doc" ]]; then
print_or_redact_doc "$doc"
fi
doc=""
fi
doc=$(printf "%s\n%s" "$doc" "$line")
done <"$1"
print_or_redact_doc "$doc"
}
function log_note() { function log_note() {
GREEN='\033[0;32m' GREEN='\033[0;32m'
NC='\033[0m' NC='\033[0m'
@ -221,23 +193,21 @@ else
--data-value "image_repo=$registry_repo" \ --data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" >"$manifest" --data-value "image_tag=$tag" >"$manifest"
echo
log_note "Full local-user-authenticator app manifest with Secrets redacted..."
echo "--------------------------------------------------------------------------------"
print_redacted_manifest $manifest
echo "--------------------------------------------------------------------------------"
echo
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest" kapp deploy --yes --app local-user-authenticator --diff-changes --file "$manifest"
popd >/dev/null popd >/dev/null
log_note "Creating test user 'test-username'..."
test_username="test-username" test_username="test-username"
# TODO AUTO-GENERATE PASSWORD
test_password="test-password"
test_groups="test-group-0,test-group-1" test_groups="test-group-0,test-group-1"
set +o pipefail
test_password="$(cat /dev/urandom | env LC_CTYPE=C tr -dc 'a-z0-9' | fold -w 32 | head -n 1)"
set -o pipefail
if [[ ${#test_password} -ne 32 ]]; then
log_error "Could not create random test user password"
exit 1
fi
echo "Creating test user '$test_username'..."
kubectl create secret generic "$test_username" \ kubectl create secret generic "$test_username" \
--namespace local-user-authenticator \ --namespace local-user-authenticator \
--from-literal=groups="$test_groups" \ --from-literal=groups="$test_groups" \
@ -267,13 +237,6 @@ else
--data-value "webhook_ca_bundle=$webhook_ca_bundle" \ --data-value "webhook_ca_bundle=$webhook_ca_bundle" \
--data-value "discovery_url=$discovery_url" >"$manifest" --data-value "discovery_url=$discovery_url" >"$manifest"
echo
log_note "Full Pinniped app manifest with Secrets redacted..."
echo "--------------------------------------------------------------------------------"
print_redacted_manifest $manifest
echo "--------------------------------------------------------------------------------"
echo
kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest" kapp deploy --yes --app "$app_name" --diff-changes --file "$manifest"
@ -286,7 +249,9 @@ else
# The following env vars should be set before running 'cd test && go test ./...' # The following env vars should be set before running 'cd test && go test ./...'
export PINNIPED_NAMESPACE=${namespace} export PINNIPED_NAMESPACE=${namespace}
export PINNIPED_APP_NAME=${app_name} export PINNIPED_APP_NAME=${app_name}
export PINNIPED_CREDENTIAL_REQUEST_TOKEN=${test_username}:${test_password} export PINNIPED_TEST_USER_USERNAME=${test_username}
export PINNIPED_TEST_USER_GROUPS=${test_groups}
export PINNIPED_TEST_USER_TOKEN=${test_username}:${test_password}
read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true read -r -d '' PINNIPED_CLUSTER_CAPABILITY_YAML << PINNIPED_CLUSTER_CAPABILITY_YAML_EOF || true
${pinniped_cluster_capability_file_content} ${pinniped_cluster_capability_file_content}

2
test/integration/client_test.go
View File

@ -57,7 +57,7 @@ var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY"
func TestClient(t *testing.T) { func TestClient(t *testing.T) {
library.SkipUnlessIntegration(t) library.SkipUnlessIntegration(t)
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN") token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel() defer cancel()

18
test/integration/credentialrequest_test.go
View File

@ -10,6 +10,7 @@ import (
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"net/http" "net/http"
"strings"
"testing" "testing"
"time" "time"
@ -28,6 +29,10 @@ import (
func TestSuccessfulCredentialRequest(t *testing.T) { func TestSuccessfulCredentialRequest(t *testing.T) {
library.SkipUnlessIntegration(t) library.SkipUnlessIntegration(t)
library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable) library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME")
expectedTestUserGroups := strings.Split(
strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
)
response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t)) response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
require.NoError(t, err) require.NoError(t, err)
@ -39,6 +44,8 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
require.NotNil(t, response.Status.Credential) require.NotNil(t, response.Status.Credential)
require.Empty(t, response.Status.Credential.Token) require.Empty(t, response.Status.Credential.Token)
require.NotEmpty(t, response.Status.Credential.ClientCertificateData) require.NotEmpty(t, response.Status.Credential.ClientCertificateData)
require.Equal(t, testUsername, getCommonName(t, response.Status.Credential.ClientCertificateData))
require.ElementsMatch(t, expectedTestUserGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData))
require.NotEmpty(t, response.Status.Credential.ClientKeyData) require.NotEmpty(t, response.Status.Credential.ClientKeyData)
require.NotNil(t, response.Status.Credential.ExpirationTimestamp) require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute)) require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
@ -65,7 +72,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
Subjects: []rbacv1.Subject{{ Subjects: []rbacv1.Subject{{
Kind: rbacv1.UserKind, Kind: rbacv1.UserKind,
APIGroup: rbacv1.GroupName, APIGroup: rbacv1.GroupName,
Name: getCommonName(t, response.Status.Credential.ClientCertificateData), Name: testUsername,
}}, }},
RoleRef: rbacv1.RoleRef{ RoleRef: rbacv1.RoleRef{
Kind: "ClusterRole", Kind: "ClusterRole",
@ -85,7 +92,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
require.NotEmpty(t, listNamespaceResponse.Items) require.NotEmpty(t, listNamespaceResponse.Items)
}) })
for _, group := range getOrganizationalUnits(t, response.Status.Credential.ClientCertificateData) { for _, group := range expectedTestUserGroups {
t.Run("access as group "+group, func(t *testing.T) { t.Run("access as group "+group, func(t *testing.T) {
addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{ addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
TypeMeta: metav1.TypeMeta{}, TypeMeta: metav1.TypeMeta{},
@ -185,8 +192,7 @@ func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.C
} }
func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec { func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec {
token := library.GetEnv(t, "PINNIPED_CREDENTIAL_REQUEST_TOKEN") token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
return v1alpha1.CredentialRequestSpec{ return v1alpha1.CredentialRequestSpec{
Type: v1alpha1.TokenCredentialType, Type: v1alpha1.TokenCredentialType,
Token: &v1alpha1.CredentialRequestTokenCredential{Value: token}, Token: &v1alpha1.CredentialRequestTokenCredential{Value: token},
@ -227,12 +233,12 @@ func getCommonName(t *testing.T, certPEM string) string {
return cert.Subject.CommonName return cert.Subject.CommonName
} }
func getOrganizationalUnits(t *testing.T, certPEM string) []string { func getOrganizations(t *testing.T, certPEM string) []string {
t.Helper() t.Helper()
pemBlock, _ := pem.Decode([]byte(certPEM)) pemBlock, _ := pem.Decode([]byte(certPEM))
cert, err := x509.ParseCertificate(pemBlock.Bytes) cert, err := x509.ParseCertificate(pemBlock.Bytes)
require.NoError(t, err) require.NoError(t, err)
return cert.Subject.OrganizationalUnit return cert.Subject.Organization
} }