387 lines
13 KiB
Go
387 lines
13 KiB
Go
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package execcredcache
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
|
)
|
|
|
|
func TestNew(t *testing.T) {
|
|
t.Parallel()
|
|
tmp := t.TempDir() + "/credentials.yaml"
|
|
c := New(tmp)
|
|
require.NotNil(t, c)
|
|
require.Equal(t, tmp, c.path)
|
|
require.NotNil(t, c.errReporter)
|
|
c.errReporter(fmt.Errorf("some error"))
|
|
}
|
|
|
|
func TestGet(t *testing.T) {
|
|
t.Parallel()
|
|
now := time.Now().Round(1 * time.Second)
|
|
oneHourFromNow := metav1.NewTime(now.Add(1 * time.Hour))
|
|
|
|
type testKey struct{ K1, K2 string }
|
|
|
|
tests := []struct {
|
|
name string
|
|
makeTestFile func(t *testing.T, tmp string)
|
|
trylockFunc func(*testing.T) error
|
|
unlockFunc func(*testing.T) error
|
|
key testKey
|
|
want *clientauthenticationv1beta1.ExecCredential
|
|
wantErrors []string
|
|
wantTestFile func(t *testing.T, tmp string)
|
|
}{
|
|
{
|
|
name: "not found",
|
|
key: testKey{},
|
|
},
|
|
{
|
|
name: "file lock error",
|
|
makeTestFile: func(t *testing.T, tmp string) { require.NoError(t, os.WriteFile(tmp, []byte(""), 0600)) },
|
|
trylockFunc: func(t *testing.T) error { return fmt.Errorf("some lock error") },
|
|
unlockFunc: func(t *testing.T) error { require.Fail(t, "should not be called"); return nil },
|
|
key: testKey{},
|
|
wantErrors: []string{"could not lock cache file: some lock error"},
|
|
},
|
|
{
|
|
name: "invalid file",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
require.NoError(t, os.WriteFile(tmp, []byte("invalid yaml"), 0600))
|
|
},
|
|
key: testKey{},
|
|
wantErrors: []string{
|
|
"failed to read cache, resetting: invalid cache file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type execcredcache.credCache",
|
|
},
|
|
},
|
|
{
|
|
name: "invalid file, fail to unlock",
|
|
makeTestFile: func(t *testing.T, tmp string) { require.NoError(t, os.WriteFile(tmp, []byte("invalid"), 0600)) },
|
|
trylockFunc: func(t *testing.T) error { return nil },
|
|
unlockFunc: func(t *testing.T) error { return fmt.Errorf("some unlock error") },
|
|
key: testKey{},
|
|
wantErrors: []string{
|
|
"failed to read cache, resetting: invalid cache file: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type execcredcache.credCache",
|
|
"could not unlock cache file: some unlock error",
|
|
},
|
|
},
|
|
{
|
|
name: "unreadable file",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
require.NoError(t, os.Mkdir(tmp, 0700))
|
|
},
|
|
key: testKey{},
|
|
wantErrors: []string{
|
|
"failed to read cache, resetting: could not read cache file: read TEMPFILE: is a directory",
|
|
"could not write cache: open TEMPFILE: is a directory",
|
|
},
|
|
},
|
|
{
|
|
name: "valid file but cache miss",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
validCache := emptyCache()
|
|
validCache.Entries = []entry{{
|
|
Key: jsonSHA256Hex(testKey{K1: "v3", K2: "v4"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Minute)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Minute)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
Token: "test-token",
|
|
ExpirationTimestamp: &oneHourFromNow,
|
|
},
|
|
}}
|
|
require.NoError(t, validCache.writeTo(tmp))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
wantErrors: []string{},
|
|
},
|
|
{
|
|
name: "valid file but expired cache hit",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
validCache := emptyCache()
|
|
oneMinuteAgo := metav1.NewTime(now.Add(-1 * time.Minute))
|
|
validCache.Entries = []entry{{
|
|
Key: jsonSHA256Hex(testKey{K1: "v1", K2: "v2"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Minute)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Minute)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
Token: "test-token",
|
|
ExpirationTimestamp: &oneMinuteAgo,
|
|
},
|
|
}}
|
|
require.NoError(t, validCache.writeTo(tmp))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
wantErrors: []string{},
|
|
},
|
|
{
|
|
name: "valid file with cache hit",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
validCache := emptyCache()
|
|
|
|
validCache.Entries = []entry{{
|
|
Key: jsonSHA256Hex(testKey{K1: "v1", K2: "v2"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Minute)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Minute)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
Token: "test-token",
|
|
ExpirationTimestamp: &oneHourFromNow,
|
|
},
|
|
}}
|
|
require.NoError(t, validCache.writeTo(tmp))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
wantErrors: []string{},
|
|
want: &clientauthenticationv1beta1.ExecCredential{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ExecCredential",
|
|
APIVersion: "client.authentication.k8s.io/v1beta1",
|
|
},
|
|
Spec: clientauthenticationv1beta1.ExecCredentialSpec{},
|
|
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
Token: "test-token",
|
|
ExpirationTimestamp: &oneHourFromNow,
|
|
},
|
|
},
|
|
wantTestFile: func(t *testing.T, tmp string) {
|
|
cache, err := readCache(tmp)
|
|
require.NoError(t, err)
|
|
require.Len(t, cache.Entries, 1)
|
|
require.Less(t, time.Since(cache.Entries[0].LastUsedTimestamp.Time).Nanoseconds(), (5 * time.Second).Nanoseconds())
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
tt := tt
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
tmp := t.TempDir() + "/sessions.yaml"
|
|
if tt.makeTestFile != nil {
|
|
tt.makeTestFile(t, tmp)
|
|
}
|
|
|
|
// Initialize a cache with a reporter that collects errors
|
|
errors := errorCollector{t: t}
|
|
c := New(tmp)
|
|
c.errReporter = errors.report
|
|
if tt.trylockFunc != nil {
|
|
c.trylockFunc = func() error { return tt.trylockFunc(t) }
|
|
}
|
|
if tt.unlockFunc != nil {
|
|
c.unlockFunc = func() error { return tt.unlockFunc(t) }
|
|
}
|
|
|
|
got := c.Get(tt.key)
|
|
require.Equal(t, tt.want, got)
|
|
errors.require(tt.wantErrors, "TEMPFILE", tmp)
|
|
if tt.wantTestFile != nil {
|
|
tt.wantTestFile(t, tmp)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestPutToken(t *testing.T) {
|
|
t.Parallel()
|
|
now := time.Now().Round(1 * time.Second)
|
|
|
|
type testKey struct{ K1, K2 string }
|
|
|
|
tests := []struct {
|
|
name string
|
|
makeTestFile func(t *testing.T, tmp string)
|
|
key testKey
|
|
cred *clientauthenticationv1beta1.ExecCredential
|
|
wantErrors []string
|
|
wantTestFile func(t *testing.T, tmp string)
|
|
}{
|
|
{
|
|
name: "fail to create directory",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
require.NoError(t, os.WriteFile(filepath.Dir(tmp), []byte{}, 0600))
|
|
},
|
|
wantErrors: []string{
|
|
"could not create credential cache directory: mkdir TEMPDIR: not a directory",
|
|
},
|
|
},
|
|
{
|
|
name: "update to existing entry",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
validCache := emptyCache()
|
|
validCache.Entries = []entry{
|
|
{
|
|
Key: jsonSHA256Hex(testKey{K1: "v1", K2: "v2"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Minute)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Minute)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "token-one",
|
|
},
|
|
},
|
|
|
|
// A second entry that was created over a day ago.
|
|
{
|
|
Key: jsonSHA256Hex(testKey{K1: "v3", K2: "v4"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Hour)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Hour)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "token-two",
|
|
},
|
|
},
|
|
}
|
|
require.NoError(t, os.MkdirAll(filepath.Dir(tmp), 0700))
|
|
require.NoError(t, validCache.writeTo(tmp))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
cred: &clientauthenticationv1beta1.ExecCredential{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ExecCredential",
|
|
APIVersion: "client.authentication.k8s.io/v1beta1",
|
|
},
|
|
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "token-one",
|
|
},
|
|
},
|
|
wantTestFile: func(t *testing.T, tmp string) {
|
|
cache, err := readCache(tmp)
|
|
require.NoError(t, err)
|
|
require.Len(t, cache.Entries, 1)
|
|
require.Less(t, time.Since(cache.Entries[0].LastUsedTimestamp.Time).Nanoseconds(), (5 * time.Second).Nanoseconds())
|
|
require.Equal(t, &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour).Local()),
|
|
Token: "token-one",
|
|
}, cache.Entries[0].Credential)
|
|
},
|
|
},
|
|
{
|
|
name: "new entry",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
validCache := emptyCache()
|
|
validCache.Entries = []entry{
|
|
{
|
|
Key: jsonSHA256Hex(testKey{K1: "v3", K2: "v4"}),
|
|
CreationTimestamp: metav1.NewTime(now.Add(-2 * time.Minute)),
|
|
LastUsedTimestamp: metav1.NewTime(now.Add(-1 * time.Minute)),
|
|
Credential: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "other-token",
|
|
},
|
|
},
|
|
}
|
|
require.NoError(t, os.MkdirAll(filepath.Dir(tmp), 0700))
|
|
require.NoError(t, validCache.writeTo(tmp))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
cred: &clientauthenticationv1beta1.ExecCredential{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ExecCredential",
|
|
APIVersion: "client.authentication.k8s.io/v1beta1",
|
|
},
|
|
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "token-one",
|
|
},
|
|
},
|
|
wantTestFile: func(t *testing.T, tmp string) {
|
|
cache, err := readCache(tmp)
|
|
require.NoError(t, err)
|
|
require.Len(t, cache.Entries, 2)
|
|
require.Less(t, time.Since(cache.Entries[1].LastUsedTimestamp.Time).Nanoseconds(), (5 * time.Second).Nanoseconds())
|
|
require.Equal(t, &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour).Local()),
|
|
Token: "token-one",
|
|
}, cache.Entries[1].Credential)
|
|
},
|
|
},
|
|
{
|
|
name: "error writing cache",
|
|
makeTestFile: func(t *testing.T, tmp string) {
|
|
require.NoError(t, os.MkdirAll(tmp, 0700))
|
|
},
|
|
key: testKey{K1: "v1", K2: "v2"},
|
|
cred: &clientauthenticationv1beta1.ExecCredential{
|
|
TypeMeta: metav1.TypeMeta{
|
|
Kind: "ExecCredential",
|
|
APIVersion: "client.authentication.k8s.io/v1beta1",
|
|
},
|
|
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
|
|
ExpirationTimestamp: timePtr(now.Add(1 * time.Hour)),
|
|
Token: "token-one",
|
|
},
|
|
},
|
|
wantErrors: []string{
|
|
"failed to read cache, resetting: could not read cache file: read TEMPFILE: is a directory",
|
|
"could not write cache: open TEMPFILE: is a directory",
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
tt := tt
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
tmp := t.TempDir() + "/cachedir/credentials.yaml"
|
|
if tt.makeTestFile != nil {
|
|
tt.makeTestFile(t, tmp)
|
|
}
|
|
// Initialize a cache with a reporter that collects errors
|
|
errors := errorCollector{t: t}
|
|
c := New(tmp)
|
|
c.errReporter = errors.report
|
|
c.Put(tt.key, tt.cred)
|
|
errors.require(tt.wantErrors, "TEMPFILE", tmp, "TEMPDIR", filepath.Dir(tmp))
|
|
if tt.wantTestFile != nil {
|
|
tt.wantTestFile(t, tmp)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestHashing(t *testing.T) {
|
|
type testKey struct{ K1, K2 string }
|
|
require.Equal(t, "38e0b9de817f645c4bec37c0d4a3e58baecccb040f5718dc069a72c7385a0bed", jsonSHA256Hex(nil))
|
|
require.Equal(t, "625bb1f93dc90a1bda400fdaceb8c96328e567a0c6aaf81e7fccc68958b4565d", jsonSHA256Hex([]string{"k1", "k2"}))
|
|
require.Equal(t, "8fb659f5dd266ffd8d0c96116db1d96fe10e3879f9cb6f7e9ace016696ff69f6", jsonSHA256Hex(testKey{K1: "v1", K2: "v2"}))
|
|
require.Equal(t, "42c783a2c29f91127b064df368bda61788181d2dd1709b417f9506102ea8da67", jsonSHA256Hex(testKey{K1: "v3", K2: "v4"}))
|
|
require.Panics(t, func() { jsonSHA256Hex(&unmarshalable{}) })
|
|
}
|
|
|
|
type errorCollector struct {
|
|
t *testing.T
|
|
saw []error
|
|
}
|
|
|
|
func (e *errorCollector) report(err error) {
|
|
e.saw = append(e.saw, err)
|
|
}
|
|
|
|
func (e *errorCollector) require(want []string, subs ...string) {
|
|
require.Len(e.t, e.saw, len(want))
|
|
for i, w := range want {
|
|
for i := 0; i < len(subs); i += 2 {
|
|
w = strings.ReplaceAll(w, subs[i], subs[i+1])
|
|
}
|
|
require.EqualError(e.t, e.saw[i], w)
|
|
}
|
|
}
|
|
|
|
func timePtr(from time.Time) *metav1.Time {
|
|
t := metav1.NewTime(from)
|
|
return &t
|
|
}
|
|
|
|
type unmarshalable struct{}
|
|
|
|
func (*unmarshalable) MarshalJSON() ([]byte, error) { return nil, fmt.Errorf("some MarshalJSON error") }
|