456 lines
15 KiB
Go
456 lines
15 KiB
Go
/*
|
|
Copyright 2020 VMware, Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
package loginrequest
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509/pkix"
|
|
"errors"
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/golang/mock/gomock"
|
|
"github.com/stretchr/testify/require"
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
|
|
"k8s.io/apiserver/pkg/registry/rest"
|
|
|
|
placeholderapi "github.com/suzerain-io/placeholder-name-api/pkg/apis/placeholder"
|
|
"github.com/suzerain-io/placeholder-name/internal/mocks/mockcertissuer"
|
|
)
|
|
|
|
type contextKey struct{}
|
|
|
|
type FakeToken struct {
|
|
calledWithToken string
|
|
calledWithContext context.Context
|
|
timeout time.Duration
|
|
reachedTimeout bool
|
|
cancelled bool
|
|
webhookStartedRunningNotificationChan chan bool
|
|
returnResponse *authenticator.Response
|
|
returnUnauthenticated bool
|
|
returnErr error
|
|
}
|
|
|
|
func (f *FakeToken) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {
|
|
f.calledWithToken = token
|
|
f.calledWithContext = ctx
|
|
if f.webhookStartedRunningNotificationChan != nil {
|
|
f.webhookStartedRunningNotificationChan <- true
|
|
}
|
|
afterCh := time.After(f.timeout)
|
|
select {
|
|
case <-afterCh:
|
|
f.reachedTimeout = true
|
|
case <-ctx.Done():
|
|
f.cancelled = true
|
|
}
|
|
return f.returnResponse, !f.returnUnauthenticated, f.returnErr
|
|
}
|
|
|
|
func callCreate(ctx context.Context, storage *REST, loginRequest *placeholderapi.LoginRequest) (runtime.Object, error) {
|
|
return storage.Create(
|
|
ctx,
|
|
loginRequest,
|
|
rest.ValidateAllObjectFunc,
|
|
&metav1.CreateOptions{
|
|
DryRun: []string{},
|
|
})
|
|
}
|
|
|
|
func validLoginRequest() *placeholderapi.LoginRequest {
|
|
return validLoginRequestWithToken("some token")
|
|
}
|
|
|
|
func validLoginRequestWithToken(token string) *placeholderapi.LoginRequest {
|
|
return loginRequest(placeholderapi.LoginRequestSpec{
|
|
Type: placeholderapi.TokenLoginCredentialType,
|
|
Token: &placeholderapi.LoginRequestTokenCredential{Value: token},
|
|
})
|
|
}
|
|
|
|
func loginRequest(spec placeholderapi.LoginRequestSpec) *placeholderapi.LoginRequest {
|
|
return &placeholderapi.LoginRequest{
|
|
TypeMeta: metav1.TypeMeta{},
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "request name",
|
|
},
|
|
Spec: spec,
|
|
}
|
|
}
|
|
|
|
func webhookSuccessResponse() *authenticator.Response {
|
|
return &authenticator.Response{User: &user.DefaultInfo{
|
|
Name: "some-user",
|
|
UID: "",
|
|
Groups: []string{},
|
|
Extra: nil,
|
|
}}
|
|
}
|
|
|
|
func requireAPIError(t *testing.T, response runtime.Object, err error, expectedErrorTypeChecker func(err error) bool, expectedErrorMessage string) {
|
|
t.Helper()
|
|
require.Nil(t, response)
|
|
require.True(t, expectedErrorTypeChecker(err))
|
|
var status apierrors.APIStatus
|
|
errors.As(err, &status)
|
|
require.Contains(t, status.Status().Message, expectedErrorMessage)
|
|
}
|
|
|
|
func requireSuccessfulResponseWithAuthenticationFailureMessage(t *testing.T, err error, response runtime.Object) {
|
|
require.NoError(t, err)
|
|
require.Equal(t, response, &placeholderapi.LoginRequest{
|
|
Status: placeholderapi.LoginRequestStatus{
|
|
Credential: nil,
|
|
Message: "authentication failed",
|
|
},
|
|
})
|
|
}
|
|
|
|
func successfulIssuer(ctrl *gomock.Controller) CertIssuer {
|
|
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
|
issuer.EXPECT().
|
|
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
|
Return([]byte("test-cert"), []byte("test-key"), nil)
|
|
return issuer
|
|
}
|
|
|
|
func TestCreateSucceedsWhenGivenATokenAndTheWebhookAuthenticatesTheToken(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhook := FakeToken{
|
|
returnResponse: &authenticator.Response{
|
|
User: &user.DefaultInfo{
|
|
Name: "test-user",
|
|
Groups: []string{"test-group-1", "test-group-2"},
|
|
},
|
|
},
|
|
returnUnauthenticated: false,
|
|
}
|
|
|
|
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
|
issuer.EXPECT().IssuePEM(
|
|
pkix.Name{
|
|
CommonName: "test-user",
|
|
OrganizationalUnit: []string{"test-group-1", "test-group-2"}},
|
|
[]string{},
|
|
1*time.Hour,
|
|
).Return([]byte("test-cert"), []byte("test-key"), nil)
|
|
|
|
storage := NewREST(&webhook, issuer)
|
|
requestToken := "a token"
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequestWithToken(requestToken))
|
|
|
|
require.NoError(t, err)
|
|
require.Equal(t, response, &placeholderapi.LoginRequest{
|
|
Status: placeholderapi.LoginRequestStatus{
|
|
User: &placeholderapi.User{
|
|
Name: "test-user",
|
|
Groups: []string{"test-group-1", "test-group-2"},
|
|
},
|
|
Credential: &placeholderapi.LoginRequestCredential{
|
|
ExpirationTimestamp: nil,
|
|
ClientCertificateData: "test-cert",
|
|
ClientKeyData: "test-key",
|
|
},
|
|
Message: "",
|
|
},
|
|
})
|
|
require.Equal(t, requestToken, webhook.calledWithToken)
|
|
}
|
|
|
|
func TestCreateFailsWithValidTokenWhenCertIssuerFails(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhook := FakeToken{
|
|
returnResponse: &authenticator.Response{
|
|
User: &user.DefaultInfo{
|
|
Name: "test-user",
|
|
Groups: []string{"test-group-1", "test-group-2"},
|
|
},
|
|
},
|
|
returnUnauthenticated: false,
|
|
}
|
|
|
|
issuer := mockcertissuer.NewMockCertIssuer(ctrl)
|
|
issuer.EXPECT().
|
|
IssuePEM(gomock.Any(), gomock.Any(), gomock.Any()).
|
|
Return(nil, nil, fmt.Errorf("some certificate authority error"))
|
|
|
|
storage := NewREST(&webhook, issuer)
|
|
requestToken := "a token"
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequestWithToken(requestToken))
|
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
require.Equal(t, requestToken, webhook.calledWithToken)
|
|
}
|
|
|
|
func TestCreateSucceedsWithAnUnauthenticatedStatusWhenGivenATokenAndTheWebhookDoesNotAuthenticateTheToken(t *testing.T) {
|
|
webhook := FakeToken{
|
|
returnUnauthenticated: true,
|
|
}
|
|
storage := NewREST(&webhook, nil)
|
|
requestToken := "a token"
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequestWithToken(requestToken))
|
|
|
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
require.Equal(t, requestToken, webhook.calledWithToken)
|
|
}
|
|
|
|
func TestCreateSucceedsWithAnUnauthenticatedStatusWhenWebhookFails(t *testing.T) {
|
|
webhook := FakeToken{
|
|
returnErr: errors.New("some webhook error"),
|
|
}
|
|
storage := NewREST(&webhook, nil)
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequest())
|
|
|
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
}
|
|
|
|
func TestCreateSucceedsWithAnUnauthenticatedStatusWhenWebhookDoesNotReturnAnyUserInfo(t *testing.T) {
|
|
webhook := FakeToken{
|
|
returnResponse: &authenticator.Response{},
|
|
}
|
|
storage := NewREST(&webhook, nil)
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequest())
|
|
|
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
}
|
|
|
|
func TestCreateSucceedsWithAnUnauthenticatedStatusWhenWebhookReturnsAnEmptyUsername(t *testing.T) {
|
|
webhook := FakeToken{
|
|
returnResponse: &authenticator.Response{
|
|
User: &user.DefaultInfo{
|
|
Name: "",
|
|
},
|
|
},
|
|
}
|
|
storage := NewREST(&webhook, nil)
|
|
|
|
response, err := callCreate(context.Background(), storage, validLoginRequest())
|
|
|
|
requireSuccessfulResponseWithAuthenticationFailureMessage(t, err, response)
|
|
}
|
|
|
|
func TestCreateDoesNotPassAdditionalContextInfoToTheWebhook(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhook := FakeToken{
|
|
returnResponse: webhookSuccessResponse(),
|
|
}
|
|
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
ctx := context.WithValue(context.Background(), contextKey{}, "context-value")
|
|
|
|
_, err := callCreate(ctx, storage, validLoginRequest())
|
|
|
|
require.NoError(t, err)
|
|
require.Nil(t, webhook.calledWithContext.Value("context-key"))
|
|
}
|
|
|
|
func TestCreateFailsWhenGivenTheWrongInputType(t *testing.T) {
|
|
notALoginRequest := runtime.Unknown{}
|
|
response, err := NewREST(&FakeToken{}, nil).Create(
|
|
genericapirequest.NewContext(),
|
|
¬ALoginRequest,
|
|
rest.ValidateAllObjectFunc,
|
|
&metav1.CreateOptions{})
|
|
|
|
requireAPIError(t, response, err, apierrors.IsBadRequest, "not a LoginRequest")
|
|
}
|
|
|
|
func TestCreateFailsWhenTokenIsNilInRequest(t *testing.T) {
|
|
storage := NewREST(&FakeToken{}, nil)
|
|
response, err := callCreate(context.Background(), storage, loginRequest(placeholderapi.LoginRequestSpec{
|
|
Type: placeholderapi.TokenLoginCredentialType,
|
|
Token: nil,
|
|
}))
|
|
|
|
requireAPIError(t, response, err, apierrors.IsInvalid,
|
|
`.placeholder.suzerain-io.github.io "request name" is invalid: spec.token.value: Required value: token must be supplied`)
|
|
}
|
|
|
|
func TestCreateFailsWhenTypeInRequestIsMissing(t *testing.T) {
|
|
storage := NewREST(&FakeToken{}, nil)
|
|
response, err := callCreate(context.Background(), storage, loginRequest(placeholderapi.LoginRequestSpec{
|
|
Type: "",
|
|
Token: &placeholderapi.LoginRequestTokenCredential{Value: "a token"},
|
|
}))
|
|
|
|
requireAPIError(t, response, err, apierrors.IsInvalid,
|
|
`.placeholder.suzerain-io.github.io "request name" is invalid: spec.type: Required value: type must be supplied`)
|
|
}
|
|
|
|
func TestCreateFailsWhenTypeInRequestIsNotLegal(t *testing.T) {
|
|
storage := NewREST(&FakeToken{}, nil)
|
|
response, err := callCreate(context.Background(), storage, loginRequest(placeholderapi.LoginRequestSpec{
|
|
Type: "this in an invalid type",
|
|
Token: &placeholderapi.LoginRequestTokenCredential{Value: "a token"},
|
|
}))
|
|
|
|
requireAPIError(t, response, err, apierrors.IsInvalid,
|
|
`.placeholder.suzerain-io.github.io "request name" is invalid: spec.type: Invalid value: "this in an invalid type": unrecognized type`)
|
|
}
|
|
|
|
func TestCreateFailsWhenTokenValueIsEmptyInRequest(t *testing.T) {
|
|
storage := NewREST(&FakeToken{}, nil)
|
|
response, err := callCreate(context.Background(), storage, loginRequest(placeholderapi.LoginRequestSpec{
|
|
Type: placeholderapi.TokenLoginCredentialType,
|
|
Token: &placeholderapi.LoginRequestTokenCredential{Value: ""},
|
|
}))
|
|
|
|
requireAPIError(t, response, err, apierrors.IsInvalid,
|
|
`.placeholder.suzerain-io.github.io "request name" is invalid: spec.token.value: Required value: token must be supplied`)
|
|
}
|
|
|
|
func TestCreateFailsWhenValidationFails(t *testing.T) {
|
|
storage := NewREST(&FakeToken{}, nil)
|
|
response, err := storage.Create(
|
|
context.Background(),
|
|
validLoginRequest(),
|
|
func(ctx context.Context, obj runtime.Object) error {
|
|
return fmt.Errorf("some validation error")
|
|
},
|
|
&metav1.CreateOptions{})
|
|
require.Nil(t, response)
|
|
require.EqualError(t, err, "some validation error")
|
|
}
|
|
|
|
func TestCreateDoesNotAllowValidationFunctionToMutateRequest(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhook := FakeToken{
|
|
returnResponse: webhookSuccessResponse(),
|
|
}
|
|
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
requestToken := "a token"
|
|
response, err := storage.Create(
|
|
context.Background(),
|
|
validLoginRequestWithToken(requestToken),
|
|
func(ctx context.Context, obj runtime.Object) error {
|
|
loginRequest, _ := obj.(*placeholderapi.LoginRequest)
|
|
loginRequest.Spec.Token.Value = "foobaz"
|
|
return nil
|
|
},
|
|
&metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, response)
|
|
require.Equal(t, requestToken, webhook.calledWithToken) // i.e. not called with foobaz
|
|
}
|
|
|
|
func TestCreateDoesNotAllowValidationFunctionToSeeTheActualRequestToken(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhook := FakeToken{
|
|
returnResponse: webhookSuccessResponse(),
|
|
}
|
|
|
|
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
validationFunctionWasCalled := false
|
|
var validationFunctionSawTokenValue string
|
|
response, err := storage.Create(
|
|
context.Background(),
|
|
validLoginRequest(),
|
|
func(ctx context.Context, obj runtime.Object) error {
|
|
loginRequest, _ := obj.(*placeholderapi.LoginRequest)
|
|
validationFunctionWasCalled = true
|
|
validationFunctionSawTokenValue = loginRequest.Spec.Token.Value
|
|
return nil
|
|
},
|
|
&metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, response)
|
|
require.True(t, validationFunctionWasCalled)
|
|
require.Empty(t, validationFunctionSawTokenValue)
|
|
}
|
|
|
|
func TestCreateFailsWhenRequestOptionsDryRunIsNotEmpty(t *testing.T) {
|
|
response, err := NewREST(&FakeToken{}, nil).Create(
|
|
genericapirequest.NewContext(),
|
|
validLoginRequest(),
|
|
rest.ValidateAllObjectFunc,
|
|
&metav1.CreateOptions{
|
|
DryRun: []string{"some dry run flag"},
|
|
})
|
|
|
|
requireAPIError(t, response, err, apierrors.IsInvalid,
|
|
`.placeholder.suzerain-io.github.io "request name" is invalid: dryRun: Unsupported value: []string{"some dry run flag"}`)
|
|
}
|
|
|
|
func TestCreateCancelsTheWebhookInvocationWhenTheCallToCreateIsCancelledItself(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhookStartedRunningNotificationChan := make(chan bool)
|
|
webhook := FakeToken{
|
|
timeout: time.Second * 2,
|
|
webhookStartedRunningNotificationChan: webhookStartedRunningNotificationChan,
|
|
returnResponse: webhookSuccessResponse(),
|
|
}
|
|
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
|
|
c := make(chan bool)
|
|
go func() {
|
|
_, err := callCreate(ctx, storage, validLoginRequest())
|
|
c <- true
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
require.False(t, webhook.cancelled)
|
|
require.False(t, webhook.reachedTimeout)
|
|
<-webhookStartedRunningNotificationChan // wait long enough to make sure that the webhook has started
|
|
cancel() // cancel the context that was passed to storage.Create() above
|
|
<-c // wait for the above call to storage.Create() to be finished
|
|
require.True(t, webhook.cancelled)
|
|
require.False(t, webhook.reachedTimeout)
|
|
require.Equal(t, context.Canceled, webhook.calledWithContext.Err()) // the inner context is cancelled
|
|
}
|
|
|
|
func TestCreateAllowsTheWebhookInvocationToFinishWhenTheCallToCreateIsNotCancelledItself(t *testing.T) {
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
webhookStartedRunningNotificationChan := make(chan bool)
|
|
webhook := FakeToken{
|
|
timeout: 0,
|
|
webhookStartedRunningNotificationChan: webhookStartedRunningNotificationChan,
|
|
returnResponse: webhookSuccessResponse(),
|
|
}
|
|
storage := NewREST(&webhook, successfulIssuer(ctrl))
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
c := make(chan bool)
|
|
go func() {
|
|
_, err := callCreate(ctx, storage, validLoginRequest())
|
|
c <- true
|
|
require.NoError(t, err)
|
|
}()
|
|
|
|
require.False(t, webhook.cancelled)
|
|
require.False(t, webhook.reachedTimeout)
|
|
<-webhookStartedRunningNotificationChan // wait long enough to make sure that the webhook has started
|
|
<-c // wait for the above call to storage.Create() to be finished
|
|
require.False(t, webhook.cancelled)
|
|
require.True(t, webhook.reachedTimeout)
|
|
require.Equal(t, context.Canceled, webhook.calledWithContext.Err()) // the inner context is cancelled (in this case by the "defer")
|
|
}
|