staticcheck:test/integration/auth/

tanjunchen 2020-01-07 15:18:47 +08:00
parent 0c77e3a58a
commit 264a1cf5f6
6 changed files with 21 additions and 44 deletions


@ -53,7 +53,6 @@ test/e2e/apps
test/e2e/autoscaling
test/e2e/instrumentation/logging/stackdriver
test/e2e/instrumentation/monitoring
test/integration/auth
test/integration/deployment
test/integration/etcd
test/integration/examples


@ -53,13 +53,10 @@ go_test(
"//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1:go_default_library",
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1:go_default_library",
"//staging/src/k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
@ -79,7 +76,6 @@ go_test(
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/tools/cache:go_default_library",


@ -460,11 +460,11 @@ func TestAuthModeAlwaysAllow(t *testing.T) {
}
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := r.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", r)
@ -541,11 +541,11 @@ func TestAuthModeAlwaysDeny(t *testing.T) {
}
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
t.Errorf("Expected status Forbidden but got status %v", resp.Status)
@ -610,11 +610,11 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := r.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", r)
@ -662,11 +662,11 @@ func TestBobIsForbidden(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all of bob's actions to return Forbidden
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
@ -705,11 +705,11 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all of unauthenticated user's request to be "Unauthorized"
if resp.StatusCode != http.StatusUnauthorized {
t.Logf("case %v", r)
@ -769,11 +769,11 @@ func TestImpersonateIsForbidden(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all of bob's actions to return Forbidden
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
@ -794,11 +794,11 @@ func TestImpersonateIsForbidden(t *testing.T) {
req.Header.Set("Impersonate-User", "alice")
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all the requests to be allowed, don't care what they actually do
if resp.StatusCode == http.StatusForbidden {
t.Logf("case %v", r)
@ -820,11 +820,11 @@ func TestImpersonateIsForbidden(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all of bob's actions to return Forbidden
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
@ -845,11 +845,11 @@ func TestImpersonateIsForbidden(t *testing.T) {
req.Header.Set("Impersonate-User", serviceaccount.MakeUsername("default", "default"))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all the requests to be allowed, don't care what they actually do
if resp.StatusCode == http.StatusForbidden {
t.Logf("case %v", r)
@ -926,11 +926,11 @@ func TestAuthorizationAttributeDetermination(t *testing.T) {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
found := false
for i := currentAuthorizationAttributesIndex; i < len(trackingAuthorizer.requestAttributes); i++ {
@ -1024,11 +1024,11 @@ func TestNamespaceAuthorization(t *testing.T) {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := r.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", r)
@ -1109,11 +1109,11 @@ func TestKindAuthorization(t *testing.T) {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
{
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := r.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", r)
@ -1173,11 +1173,11 @@ func TestReadOnlyAuthorization(t *testing.T) {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
if _, ok := r.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", r)
t.Errorf("Expected status one of %v, but got %v", r.statusCodes, resp.StatusCode)
@ -1223,11 +1223,11 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
// Expect all of Bob's actions to return Forbidden
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
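Review bot: In the TestKindAuthorization hunk the request runs inside a bare `{` block rather than the `func() {` closure the other tests in this file use, so the relocated `defer resp.Body.Close()` there does not fire at the end of the block but only when TestKindAuthorization itself returns. If that block sits inside the per-case request loop (the `r` case variable suggests so, but the loop is outside the hunk), every response body stays open until the whole test finishes. Changing the opener to `func() {` and the matching closer to `}()` would give it the same per-request cleanup as the other hunks; the closing brace is outside the hunk.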


@ -160,11 +160,11 @@ func TestBootstrapTokenAuth(t *testing.T) {
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", test.name)
t.Fatalf("unexpected error: %v", err)
}
defer resp.Body.Close()
b, _ := ioutil.ReadAll(resp.Body)
if _, ok := test.request.statusCodes[resp.StatusCode]; !ok {
t.Logf("case %v", test.name)
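Review bot: `b, _ := ioutil.ReadAll(resp.Body)` directly after the relocated defer discards the read error, so a failed or truncated body read leaves `b` short or empty with no signal. How `b` is used lies outside the hunk, but it is presumably printed when the status code is unexpected, which is exactly when a complete body matters for diagnosing an auth failure. Consider `b, err := ioutil.ReadAll(resp.Body)` followed by `if err != nil { t.Fatalf("case %v: reading body: %v", test.name, err) }`. The same ignored error appears in the TestAuthModeAlwaysAllow, TestAliceNotForbiddenOrUnauthorized, TestNamespaceAuthorization and TestKindAuthorization hunks of the previous file section.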


@ -27,16 +27,13 @@ import (
corev1 "k8s.io/api/core/v1"
policy "k8s.io/api/policy/v1beta1"
storagev1 "k8s.io/api/storage/v1"
apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/wait"
utilfeature "k8s.io/apiserver/pkg/util/feature"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/scheme"
featuregatetesting "k8s.io/component-base/featuregate/testing"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
"k8s.io/kubernetes/pkg/features"
@ -656,17 +653,3 @@ func expectAllowed(t *testing.T, f func() error) {
t.Errorf("Expected no error, got %v", err)
}
}
// crdFromManifest reads a .json/yaml file and returns the CRD in it.
func crdFromManifest(filename string) (*apiextensionsv1beta1.CustomResourceDefinition, error) {
var crd apiextensionsv1beta1.CustomResourceDefinition
data, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), data, &crd); err != nil {
return nil, err
}
return &crd, nil
}


@ -30,7 +30,6 @@ import (
"time"
rbacapi "k8s.io/api/rbac/v1"
apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
@ -78,12 +77,6 @@ func clientsetForToken(user string, config *restclient.Config) (clientset.Interf
return clientset.NewForConfigOrDie(&configCopy), clientset.NewForConfigOrDie(&configCopy)
}
func crdClientsetForToken(user string, config *restclient.Config) apiextensionsclient.Interface {
configCopy := *config
configCopy.BearerToken = user
return apiextensionsclient.NewForConfigOrDie(&configCopy)
}
type testRESTOptionsGetter struct {
config *master.Config
}
@ -723,6 +716,9 @@ func TestDiscoveryUpgradeBootstrapping(t *testing.T) {
// existed prior to v1.14, but with user modifications.
t.Logf("Modifying default `system:discovery` ClusterRoleBinding")
discRoleBinding, err := client.RbacV1().ClusterRoleBindings().Get("system:discovery", metav1.GetOptions{})
if err != nil {
t.Fatalf("Failed to get `system:discovery` ClusterRoleBinding: %v", err)
}
discRoleBinding.Annotations["rbac.authorization.kubernetes.io/autoupdate"] = "false"
discRoleBinding.Annotations["rbac-discovery-upgrade-test"] = "pass"
discRoleBinding.Subjects = []rbacapi.Subject{
@ -737,6 +733,9 @@ func TestDiscoveryUpgradeBootstrapping(t *testing.T) {
}
t.Logf("Modifying default `system:basic-user` ClusterRoleBinding")
basicUserRoleBinding, err := client.RbacV1().ClusterRoleBindings().Get("system:basic-user", metav1.GetOptions{})
if err != nil {
t.Fatalf("Failed to get `system:basic-user` ClusterRoleBinding: %v", err)
}
basicUserRoleBinding.Annotations["rbac.authorization.kubernetes.io/autoupdate"] = "false"
basicUserRoleBinding.Annotations["rbac-discovery-upgrade-test"] = "pass"
if basicUserRoleBinding, err = client.RbacV1().ClusterRoleBindings().Update(basicUserRoleBinding); err != nil {