github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 05:03:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #105582 from caesarxuchao/add-aggragator-user-header-test

Browse Source 
Verifying the auth headers are set for upgraded aggregated API requests
This commit is contained in:
Kubernetes Prow Robot 2021-10-11 06:24:39 -07:00 committed by GitHub
commit 1ae4af402e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
View File

@ -165,10 +165,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper) proxyRoundTripper = transport.NewAuthProxyRoundTripper(user.GetName(), user.GetGroups(), user.GetExtra(), proxyRoundTripper)
// if we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does // If we are upgrading, then the upgrade path tries to use this request with the TLS config we provide, but it does
// NOT use the roundtripper. Its a direct call that bypasses the round tripper. This means that we have to // NOT use the proxyRoundTripper. It's a direct dial that bypasses the proxyRoundTripper. This means that we have to
// attach the "correct" user headers to the request ahead of time. After the initial upgrade, we'll be back // attach the "correct" user headers to the request ahead of time.
// at the roundtripper flow, so we only have to muck with this request, but we do have to do it.
if upgrade { if upgrade {
transport.SetAuthProxyHeaders(newReq, user.GetName(), user.GetGroups(), user.GetExtra()) transport.SetAuthProxyHeaders(newReq, user.GetName(), user.GetGroups(), user.GetExtra())
} }

8
staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
View File

@ -414,6 +414,7 @@ func newBrokenDialerAndSelector() (*mockEgressDialer, *egressselector.EgressSele
} }
func TestProxyUpgrade(t *testing.T) { func TestProxyUpgrade(t *testing.T) {
upgradeUser := "upgradeUser"
testcases := map[string]struct { testcases := map[string]struct {
APIService *apiregistration.APIService APIService *apiregistration.APIService
NewEgressSelector func() (*mockEgressDialer, *egressselector.EgressSelector) NewEgressSelector func() (*mockEgressDialer, *egressselector.EgressSelector)
@ -518,6 +519,11 @@ func TestProxyUpgrade(t *testing.T) {
backendHandler.Handle(path, websocket.Handler(func(ws *websocket.Conn) { backendHandler.Handle(path, websocket.Handler(func(ws *websocket.Conn) {
atomic.AddInt32(&timesCalled, 1) atomic.AddInt32(&timesCalled, 1)
defer ws.Close() defer ws.Close()
req := ws.Request()
user := req.Header.Get("X-Remote-User")
if user != upgradeUser {
t.Errorf("expected user %q, got %q", upgradeUser, user)
}
body := make([]byte, 5) body := make([]byte, 5)
ws.Read(body) ws.Read(body)
ws.Write([]byte("hello " + string(body))) ws.Write([]byte("hello " + string(body)))
@ -554,7 +560,7 @@ func TestProxyUpgrade(t *testing.T) {
} }
proxyHandler.updateAPIService(tc.APIService) proxyHandler.updateAPIService(tc.APIService)
aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: "username"})) aggregator := httptest.NewServer(contextHandler(proxyHandler, &user.DefaultInfo{Name: upgradeUser}))
defer aggregator.Close() defer aggregator.Close()
ws, err := websocket.Dial("ws://"+aggregator.Listener.Addr().String()+path, "", "http://127.0.0.1/") ws, err := websocket.Dial("ws://"+aggregator.Listener.Addr().String()+path, "", "http://127.0.0.1/")