From c32c81dc4e12b6c7a8151d02201c851e1979516a Mon Sep 17 00:00:00 2001
From: "Madhusudan.C.S"
Date: Wed, 10 Aug 2016 13:45:15 -0700
Subject: [PATCH] Implement federation API server authentication e2e tests.
---
test/e2e/federation-authn.go | 116 +++++++++++++++++++++++++++++++++++
test/e2e/framework/util.go | 8 +--
2 files changed, 120 insertions(+), 4 deletions(-)
create mode 100644 test/e2e/federation-authn.go
diff --git a/test/e2e/federation-authn.go b/test/e2e/federation-authn.go
new file mode 100644
index 00000000000..1d22e88bd81
--- /dev/null
+++ b/test/e2e/federation-authn.go
@@ -0,0 +1,116 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+ "fmt"
+
+ "k8s.io/kubernetes/federation/client/clientset_generated/federation_release_1_4"
+ "k8s.io/kubernetes/pkg/api/errors"
+ "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
+ clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
+ "k8s.io/kubernetes/test/e2e/framework"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = framework.KubeDescribe("[Feature:Federation]", func() {
+ f := framework.NewDefaultFederatedFramework("federation-apiserver-authn")
+
+ var _ = Describe("Federation API server authentication", func() {
+ BeforeEach(func() {
+ framework.SkipUnlessFederated(f.Client)
+ })
+
+ It("should accept cluster resources when the client has right authentication credentials", func() {
+ framework.SkipUnlessFederated(f.Client)
+
+ svc := createServiceOrFail(f.FederationClientset_1_4, f.Namespace.Name)
+ deleteServiceOrFail(f.FederationClientset_1_4, f.Namespace.Name, svc.Name)
+ })
+
+ It("should not accept cluster resources when the client has invalid authentication credentials", func() {
+ framework.SkipUnlessFederated(f.Client)
+
+ contexts := f.GetUnderlyingFederatedContexts()
+
+ // `contexts` is obtained by calling
+ // `f.GetUnderlyingFederatedContexts()`. This function in turn
+ // checks that the contexts it returns does not include the
+ // federation API server context. So `contexts` is guaranteed to
+ // contain only the underlying Kubernetes cluster contexts.
+ fcs, err := invalidAuthFederationClientSet(contexts[0].User)
+ framework.ExpectNoError(err)
+
+ svc, err := createService(fcs, f.Namespace.Name)
+ Expect(errors.IsUnauthorized(err)).To(BeTrue())
+ if err == nil && svc != nil {
+ deleteServiceOrFail(fcs, f.Namespace.Name, svc.Name)
+ }
+ })
+
+ It("should not accept cluster resources when the client has no authentication credentials", func() {
+ framework.SkipUnlessFederated(f.Client)
+
+ fcs, err := invalidAuthFederationClientSet(nil)
+ ExpectNoError(err)
+
+ svc, err := createService(fcs, f.Namespace.Name)
+ Expect(errors.IsUnauthorized(err)).To(BeTrue())
+ if err == nil && svc != nil {
+ deleteServiceOrFail(fcs, f.Namespace.Name, svc.Name)
+ }
+ })
+ })
+})
+
+func invalidAuthFederationClientSet(user *framework.KubeUser) (*federation_release_1_4.Clientset, error) {
+ overrides := &clientcmd.ConfigOverrides{}
+ if user != nil {
+ overrides = &clientcmd.ConfigOverrides{
+ AuthInfo: clientcmdapi.AuthInfo{
+ Token: user.User.Token,
+ Username: user.User.Username,
+ Password: user.User.Password,
+ },
+ }
+ }
+
+ config, err := framework.LoadFederatedConfig(overrides)
+ if err != nil {
+ return nil, err
+ }
+
+ if user == nil {
+ config.Password = ""
+ config.BearerToken = ""
+ config.Username = ""
+ }
+
+ c, err := federation_release_1_4.NewForConfig(config)
+ if err != nil {
+ return nil, fmt.Errorf("error creating federation clientset: %v", err)
+ }
+ // Set timeout for each client in the set.
+ c.DiscoveryClient.Client.Timeout = framework.SingleCallTimeout
+ c.FederationClient.Client.Timeout = framework.SingleCallTimeout
+ c.CoreClient.Client.Timeout = framework.SingleCallTimeout
+ c.ExtensionsClient.Client.Timeout = framework.SingleCallTimeout
+
+ return c, nil
+}
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index 6dc37d74ef6..a438fe902aa 100644
--- a/test/e2e/framework/util.go
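Review bot: In `invalidAuthFederationClientSet`, the `user == nil` branch blanks only `config.Username`, `config.Password` and `config.BearerToken`, so a federation kubeconfig context that authenticates with a client certificate or an auth provider would still yield an authenticated client, and the "no authentication credentials" case would not be exercising an anonymous request. The `user != nil` branch likely has the same gap, since its `AuthInfo` override carries only the token and basic-auth fields and is presumably applied on top of the context's existing auth info; consider also clearing the client-certificate fields, e.g. `config.CertFile, config.KeyFile = "", ""` and `config.CertData, config.KeyData = nil, nil`, and using a constructed bogus token for the invalid case so a member cluster's real credentials are not presented to a different endpoint. Separately, in both negative `It` blocks the `if err == nil && svc != nil` cleanup sits after `Expect(errors.IsUnauthorized(err)).To(BeTrue())`, which has already failed (and, under Ginkgo's fail handler, aborted the spec) whenever `err == nil`, so a service created through the bad client is never deleted; run the cleanup before the assertion. `contexts[0]` is also indexed without a length check, and the bare `ExpectNoError(err)` in the third case differs from the `framework.ExpectNoError(err)` used in the second.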
+++ b/test/e2e/framework/util.go
@@ -1722,12 +1722,12 @@ func LoadConfig() (*restclient.Config, error) {
 return clientcmd.NewDefaultClientConfig(*c, &clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: TestContext.Host}}).ClientConfig()
 }
-func LoadFederatedConfig() (*restclient.Config, error) {
+func LoadFederatedConfig(overrides *clientcmd.ConfigOverrides) (*restclient.Config, error) {
 c, err := restclientConfig(federatedKubeContext)
 if err != nil {
 return nil, fmt.Errorf("error creating federation client config: %v", err.Error())
 }
- cfg, err := clientcmd.NewDefaultClientConfig(*c, &clientcmd.ConfigOverrides{}).ClientConfig()
+ cfg, err := clientcmd.NewDefaultClientConfig(*c, overrides).ClientConfig()
 if cfg != nil {
 //TODO(colhom): this is only here because https://github.com/kubernetes/kubernetes/issues/25422
 cfg.NegotiatedSerializer = api.Codecs
@@ -1758,7 +1758,7 @@ func setTimeouts(cs ...*http.Client) {
 }
 func LoadFederationClientset_1_4() (*federation_release_1_4.Clientset, error) {
- config, err := LoadFederatedConfig()
+ config, err := LoadFederatedConfig(&clientcmd.ConfigOverrides{})
 if err != nil {
 return nil, err
 }
@@ -1768,7 +1768,7 @@ func LoadFederationClientset_1_4() (*federation_release_1_4.Clientset, error) {
 return nil, fmt.Errorf("error creating federation clientset: %v", err.Error())
 }
 // Set timeout for each client in the set.
- setTimeouts(c.DiscoveryClient.Client, c.FederationClient.Client, c.CoreClient.Client)
+ setTimeouts(c.DiscoveryClient.Client, c.FederationClient.Client, c.CoreClient.Client, c.ExtensionsClient.Client)
 return c, nil
 }
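Review bot: `LoadFederatedConfig` now passes the caller's `overrides` pointer straight to `clientcmd.NewDefaultClientConfig` with no nil check, and the exported function has no doc comment stating that nil is not allowed; a nil argument would probably be dereferenced when the client config is built. Either default it at the top with `if overrides == nil { overrides = &clientcmd.ConfigOverrides{} }`, or document the contract, e.g. `// LoadFederatedConfig builds the federation API server client config; overrides must be non-nil and is applied on top of the federation kubeconfig context.` Because the signature of an exported helper changed, any caller other than `LoadFederationClientset_1_4` (updated in the next hunk) needs the same update. The function body continues past the end of this hunk.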