From 4157f5a1aea2958f909951f357363fd285df2458 Mon Sep 17 00:00:00 2001
From: hangaoshuai
Date: Thu, 16 Aug 2018 18:13:58 +0800
Subject: [PATCH 1/2] add unit test for Authentication Validate
---
 pkg/kubeapiserver/options/BUILD | 2 +
 .../options/authentication_test.go | 90 +++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 pkg/kubeapiserver/options/authentication_test.go
diff --git a/pkg/kubeapiserver/options/BUILD b/pkg/kubeapiserver/options/BUILD
index 19791fbddd5..c40bff1e049 100644
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -91,6 +91,7 @@ go_test(
 name = "go_default_test",
 srcs = [
 "admission_test.go",
+ "authentication_test.go",
 "authorization_test.go",
 "storage_versions_test.go",
 ],
@@ -98,5 +99,6 @@ go_test(
 deps = [
 "//pkg/kubeapiserver/authorizer/modes:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
 ],
 )
diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go
new file mode 100644
index 00000000000..e02e7debffa
--- /dev/null
+++ b/pkg/kubeapiserver/options/authentication_test.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+ "strings"
+ "testing"
+
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
+)
+
+func TestAuthenticationValidate(t *testing.T) {
+ testCases := []struct {
+ name string
+ testOIDC *OIDCAuthenticationOptions
+ testSA *ServiceAccountAuthenticationOptions
+ expectErr string
+ }{
+ {
+ name: "test when OIDC and ServiceAccounts are nil",
+ },
+ {
+ name: "test when OIDC and ServiceAccounts are valid",
+ testOIDC: &OIDCAuthenticationOptions{
+ UsernameClaim: "sub",
+ SigningAlgs: []string{"RS256"},
+ IssuerURL: "testIssuerURL",
+ },
+ testSA: &ServiceAccountAuthenticationOptions{
+ Issuer: "http://foo.bar.com",
+ },
+ },
+ {
+ name: "test when OIDC is invalid",
+ testOIDC: &OIDCAuthenticationOptions{
+ UsernameClaim: "sub",
+ SigningAlgs: []string{"RS256"},
+ IssuerURL: "testIssuerURL",
+ },
+ testSA: &ServiceAccountAuthenticationOptions{
+ Issuer: "http://foo.bar.com",
+ },
+ expectErr: "oidc-issuer-url and oidc-client-id should be specified together",
+ },
+ {
+ name: "test when ServiceAccount is invalid",
+ testOIDC: &OIDCAuthenticationOptions{
+ UsernameClaim: "sub",
+ SigningAlgs: []string{"RS256"},
+ IssuerURL: "testIssuerURL",
+ ClientID: "testClientID",
+ },
+ testSA: &ServiceAccountAuthenticationOptions{
+ Issuer: "http://[::1]:namedport",
+ },
+ expectErr: "service-account-issuer contained a ':' but was not a valid URL",
+ },
+ }
+
+ for _, testcase := range testCases {
+ t.Run(testcase.name, func(t *testing.T) {
+ options := NewBuiltInAuthenticationOptions()
+ options.OIDC = testcase.testOIDC
+ options.ServiceAccounts = testcase.testSA
+
+ errs := options.Validate()
+ if len(errs) > 0 && !strings.Contains(utilerrors.NewAggregate(errs).Error(), testcase.expectErr) {
+ t.Errorf("Got err: %v, Expected err: %s", errs, testcase.expectErr)
+ }
+
+ if len(errs) == 0 && len(testcase.expectErr) != 0 {
+ t.Errorf("Got err nil, Expected err: %s", testcase.expectErr)
+ }
+ })
+ }
+}
From cacf18f859207d3ee7d5ee1089072be6a305c18e Mon Sep 17 00:00:00 2001
From: hangaoshuai
Date: Thu, 16 Aug 2018 19:24:11 +0800
Subject: [PATCH 2/2] add unit test for func ToAuthenticationConfig
---
 pkg/kubeapiserver/options/BUILD | 3 +
 .../options/authentication_test.go | 82 +++++++++++++++++++
 2 files changed, 85 insertions(+)
diff --git a/pkg/kubeapiserver/options/BUILD b/pkg/kubeapiserver/options/BUILD
index c40bff1e049..df6c28129d6 100644
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -97,8 +97,11 @@ go_test(
 ],
 embed = [":go_default_library"],
 deps = [
+ "//pkg/kubeapiserver/authenticator:go_default_library",
 "//pkg/kubeapiserver/authorizer/modes:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
 ],
 )
diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go
index e02e7debffa..0de54c79c1c 100644
--- a/pkg/kubeapiserver/options/authentication_test.go
+++ b/pkg/kubeapiserver/options/authentication_test.go
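Review bot: The "test when OIDC and ServiceAccounts are valid" case in TestAuthenticationValidate cannot fail. It sets `IssuerURL` without `ClientID`, which is the same input the "test when OIDC is invalid" case expects to be rejected, and because its `expectErr` is empty, `strings.Contains(..., testcase.expectErr)` is always true and the first check never fires. Any error `Validate()` returns for a case that expects none is therefore accepted silently, so the test cannot catch a regression in authentication option validation for the no-error cases. Add `ClientID: "testClientID",` to the valid case and report unexpected errors explicitly, e.g. `if len(errs) > 0 && len(testcase.expectErr) == 0 { t.Errorf("Got err: %v, Expected no err", errs) }`.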
@@ -17,10 +17,15 @@ limitations under the License.
 package options
 import (
+ "reflect"
 "strings"
 "testing"
+ "time"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
+ apiserveroptions "k8s.io/apiserver/pkg/server/options"
+ "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 )
 func TestAuthenticationValidate(t *testing.T) {
@@ -88,3 +93,80 @@ func TestAuthenticationValidate(t *testing.T) {
 })
 }
 }
+
+func TestToAuthenticationConfig(t *testing.T) {
+ testOptions := &BuiltInAuthenticationOptions{
+ Anonymous: &AnonymousAuthenticationOptions{
+ Allow: false,
+ },
+ ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
+ ClientCA: "/client-ca",
+ },
+ WebHook: &WebHookAuthenticationOptions{
+ CacheTTL: 180000000000,
+ ConfigFile: "/token-webhook-config",
+ },
+ BootstrapToken: &BootstrapTokenAuthenticationOptions{
+ Enable: false,
+ },
+ OIDC: &OIDCAuthenticationOptions{
+ CAFile: "/testCAFile",
+ UsernameClaim: "sub",
+ SigningAlgs: []string{"RS256"},
+ IssuerURL: "testIssuerURL",
+ ClientID: "testClientID",
+ },
+ PasswordFile: &PasswordFileAuthenticationOptions{
+ BasicAuthFile: "/testBasicAuthFile",
+ },
+ RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
+ UsernameHeaders: []string{"x-remote-user"},
+ GroupHeaders: []string{"x-remote-group"},
+ ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+ ClientCAFile: "/testClientCAFile",
+ AllowedNames: []string{"kube-aggregator"},
+ },
+ ServiceAccounts: &ServiceAccountAuthenticationOptions{
+ Lookup: true,
+ Issuer: "http://foo.bar.com",
+ },
+ TokenFile: &TokenFileAuthenticationOptions{
+ TokenFile: "/testTokenFile",
+ },
+ TokenSuccessCacheTTL: 10 * time.Second,
+ TokenFailureCacheTTL: 0,
+ }
+
+ expectConfig := authenticator.AuthenticatorConfig{
+ Anonymous: false,
+ BasicAuthFile: "/testBasicAuthFile",
+ BootstrapToken: false,
+ ClientCAFile: "/client-ca",
+ TokenAuthFile: "/testTokenFile",
+ OIDCIssuerURL: "testIssuerURL",
+ OIDCClientID: "testClientID",
+ OIDCCAFile: "/testCAFile",
+ OIDCUsernameClaim: "sub",
+ OIDCSigningAlgs: []string{"RS256"},
+ ServiceAccountLookup: true,
+ ServiceAccountIssuer: "http://foo.bar.com",
+ WebhookTokenAuthnConfigFile: "/token-webhook-config",
+ WebhookTokenAuthnCacheTTL: 180000000000,
+
+ TokenSuccessCacheTTL: 10 * time.Second,
+ TokenFailureCacheTTL: 0,
+
+ RequestHeaderConfig: &authenticatorfactory.RequestHeaderConfig{
+ UsernameHeaders: []string{"x-remote-user"},
+ GroupHeaders: []string{"x-remote-group"},
+ ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+ ClientCA: "/testClientCAFile",
+ AllowedClientNames: []string{"kube-aggregator"},
+ },
+ }
+
+ resultConfig := testOptions.ToAuthenticationConfig()
+ if !reflect.DeepEqual(resultConfig, expectConfig) {
+ t.Errorf("Got AuthenticationConfig: %v, Expected AuthenticationConfig: %v", resultConfig, expectConfig)
+ }
+}
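Review bot: In `testOptions`, `Anonymous.Allow`, `BootstrapToken.Enable` and `TokenFailureCacheTTL` are all set to their zero values, so the `reflect.DeepEqual` comparison would presumably still pass if `ToAuthenticationConfig` stopped copying them (its body is not part of this diff, so this is inferred from the test alone). These fields decide whether anonymous and bootstrap-token authentication are switched on, so the mapping is worth pinning with non-zero inputs: `Allow: true,` with `Anonymous: true,` in `expectConfig`, and likewise `Enable: true,` with `BootstrapToken: true,`. As a smaller style point, `CacheTTL: 180000000000` would read more clearly as `3 * time.Minute`, matching the `10 * time.Second` used for `TokenSuccessCacheTTL`.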