From 2ac7639016d50d29c5c929cb05ae2add26aeb80b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stanislav=20L=C3=A1zni=C4=8Dka?= Date: Tue, 23 Jul 2024 15:12:57 +0200 Subject: [PATCH] integration: add a test where UID is not passed in Request Headers --- test/integration/examples/apiserver_test.go | 48 ++++++++++++++------- 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/test/integration/examples/apiserver_test.go b/test/integration/examples/apiserver_test.go index a2e652221a7..e5caa54dd4d 100644 --- a/test/integration/examples/apiserver_test.go +++ b/test/integration/examples/apiserver_test.go @@ -255,20 +255,34 @@ func TestAggregatedAPIServer(t *testing.T) { }) } +func TestFrontProxyConfig(t *testing.T) { + t.Run("WithoutUID", func(t *testing.T) { + testFrontProxyConfig(t, false) + }) + t.Run("WithUID", func(t *testing.T) { + testFrontProxyConfig(t, true) + }) +} + // TestFrontProxyConfig tests that the RequestHeader configuration is consumed // correctly by the aggregated API servers. -func TestFrontProxyConfig(t *testing.T) { +func testFrontProxyConfig(t *testing.T, withUID bool) { const testNamespace = "integration-test-front-proxy-config" const wardleBinaryVersion = "1.1" ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) t.Cleanup(cancel) + var extraKASFlags []string + if withUID { + extraKASFlags = []string{"--requestheader-uid-headers=x-remote-uid"} + } + // each wardle binary is bundled with a specific kube binary. kubeBinaryVersion := sampleserver.WardleVersionToKubeVersion(version.MustParse(wardleBinaryVersion)).String() // start up the KAS and prepare the options for the wardle API server - testKAS, wardleOptions, wardlePort := prepareAggregatedWardleAPIServer(ctx, t, testNamespace, kubeBinaryVersion, wardleBinaryVersion, []string{"--requestheader-uid-headers=x-remote-uid"}) + testKAS, wardleOptions, wardlePort := prepareAggregatedWardleAPIServer(ctx, t, testNamespace, kubeBinaryVersion, wardleBinaryVersion, extraKASFlags) kubeConfig := getKubeConfig(testKAS) // create the SA that we will use to query the aggregated API @@ -300,13 +314,20 @@ func TestFrontProxyConfig(t *testing.T) { t.Fatalf("failed to retrieve details about the SA: %v", err) } - expectedSAUserInfo := serviceaccount.UserInfo(expectedSA.Namespace, expectedSA.Name, string(expectedSA.UID)) - expectedRealSAGroups := append(expectedSAUserInfo.GetGroups(), user.AllAuthenticated) - expectedExtra := expectedSAUserInfo.GetExtra() - if expectedExtra == nil { - expectedExtra = map[string][]string{} + saUserInfo := serviceaccount.UserInfo(expectedSA.Namespace, expectedSA.Name, string(expectedSA.UID)) + expectedSAUserInfo := user.DefaultInfo{ + Name: saUserInfo.GetName(), + Groups: append(saUserInfo.GetGroups(), user.AllAuthenticated), + Extra: saUserInfo.GetExtra(), } - expectedExtra[user.CredentialIDKey] = saDetails.Status.UserInfo.Extra[user.CredentialIDKey] + if withUID { + expectedSAUserInfo.UID = saUserInfo.GetUID() + } + + if expectedSAUserInfo.Extra == nil { + expectedSAUserInfo.Extra = map[string][]string{} + } + expectedSAUserInfo.Extra[user.CredentialIDKey] = saDetails.Status.UserInfo.Extra[user.CredentialIDKey] var checksProcessed atomic.Uint32 @@ -325,20 +346,17 @@ func TestFrontProxyConfig(t *testing.T) { return rt.RoundTrip(req) } - if len(gotUser.GetUID()) == 0 { - t.Errorf("expected UID to be non-empty for user %q", gotUser.GetName()) - } if got, expected := gotUser.GetUID(), expectedSAUserInfo.GetUID(); expected != got { t.Errorf("expected UID: %q, got: %q", expected, got) } if got, expected := gotUser.GetName(), expectedSAUserInfo.GetName(); expected != got { t.Errorf("expected name: %q, got: %q", expected, got) } - if got := gotUser.GetGroups(); !reflect.DeepEqual(expectedRealSAGroups, got) { - t.Errorf("expected groups: %v, got: %v", expectedRealSAGroups, got) + if got, expected := gotUser.GetGroups(), expectedSAUserInfo.GetGroups(); !reflect.DeepEqual(expected, got) { + t.Errorf("expected groups: %v, got: %v", expected, got) } - if got := gotUser.GetExtra(); !apiequality.Semantic.DeepEqual(expectedExtra, got) { - t.Errorf("expected extra to be %v, but got %v", expectedExtra, got) + if got, expected := gotUser.GetExtra(), expectedSAUserInfo.GetExtra(); !apiequality.Semantic.DeepEqual(expected, got) { + t.Errorf("expected extra to be %v, but got %v", expected, got) } checksProcessed.Add(1)