mirror of
				https://github.com/k3s-io/kubernetes.git
				synced 2025-10-25 10:00:53 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			188 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			188 lines
		
	
	
		
			5.3 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| /*
 | |
| Copyright 2016 The Kubernetes Authors.
 | |
| 
 | |
| Licensed under the Apache License, Version 2.0 (the "License");
 | |
| you may not use this file except in compliance with the License.
 | |
| You may obtain a copy of the License at
 | |
| 
 | |
|     http://www.apache.org/licenses/LICENSE-2.0
 | |
| 
 | |
| Unless required by applicable law or agreed to in writing, software
 | |
| distributed under the License is distributed on an "AS IS" BASIS,
 | |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| See the License for the specific language governing permissions and
 | |
| limitations under the License.
 | |
| */
 | |
| 
 | |
| package bootstrap
 | |
| 
 | |
| import (
 | |
| 	"testing"
 | |
| 	"time"
 | |
| 
 | |
| 	"k8s.io/api/core/v1"
 | |
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 | |
| 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
 | |
| 	"k8s.io/klog/v2/ktesting"
 | |
| )
 | |
| 
 | |
| const (
 | |
| 	givenTokenID     = "abc123"
 | |
| 	givenTokenID2    = "def456"
 | |
| 	givenTokenSecret = "tokenSecret"
 | |
| )
 | |
| 
 | |
| func timeString(delta time.Duration) string {
 | |
| 	return time.Now().Add(delta).Format(time.RFC3339)
 | |
| }
 | |
| 
 | |
| func TestValidateSecretForSigning(t *testing.T) {
 | |
| 	cases := []struct {
 | |
| 		description string
 | |
| 		tokenID     string
 | |
| 		tokenSecret string
 | |
| 		okToSign    string
 | |
| 		expiration  string
 | |
| 		valid       bool
 | |
| 	}{
 | |
| 		{
 | |
| 			"Signing token with no exp",
 | |
| 			givenTokenID, givenTokenSecret, "true", "", true,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token with valid exp",
 | |
| 			givenTokenID, givenTokenSecret, "true", timeString(time.Hour), true,
 | |
| 		},
 | |
| 		{
 | |
| 			"Expired signing token",
 | |
| 			givenTokenID, givenTokenSecret, "true", timeString(-time.Hour), false,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token with bad exp",
 | |
| 			givenTokenID, givenTokenSecret, "true", "garbage", false,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token without signing bit",
 | |
| 			givenTokenID, givenTokenSecret, "", "garbage", false,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token with bad signing bit",
 | |
| 			givenTokenID, givenTokenSecret, "", "", false,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token with no ID",
 | |
| 			"", givenTokenSecret, "true", "", false,
 | |
| 		},
 | |
| 		{
 | |
| 			"Signing token with no secret",
 | |
| 			givenTokenID, "", "true", "", false,
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	for _, tc := range cases {
 | |
| 		t.Run(tc.description, func(t *testing.T) {
 | |
| 			_, ctx := ktesting.NewTestContext(t)
 | |
| 			secret := &v1.Secret{
 | |
| 				ObjectMeta: metav1.ObjectMeta{
 | |
| 					Namespace:       metav1.NamespaceSystem,
 | |
| 					Name:            bootstrapapi.BootstrapTokenSecretPrefix + givenTokenID,
 | |
| 					ResourceVersion: "1",
 | |
| 				},
 | |
| 				Type: bootstrapapi.SecretTypeBootstrapToken,
 | |
| 				Data: map[string][]byte{
 | |
| 					bootstrapapi.BootstrapTokenIDKey:           []byte(tc.tokenID),
 | |
| 					bootstrapapi.BootstrapTokenSecretKey:       []byte(tc.tokenSecret),
 | |
| 					bootstrapapi.BootstrapTokenUsageSigningKey: []byte(tc.okToSign),
 | |
| 					bootstrapapi.BootstrapTokenExpirationKey:   []byte(tc.expiration),
 | |
| 				},
 | |
| 			}
 | |
| 
 | |
| 			tokenID, tokenSecret, ok := validateSecretForSigning(ctx, secret)
 | |
| 			if ok != tc.valid {
 | |
| 				t.Errorf("Unexpected validation failure. Expected %v, got %v", tc.valid, ok)
 | |
| 			}
 | |
| 			if ok {
 | |
| 				if tokenID != tc.tokenID {
 | |
| 					t.Errorf("Unexpected Token ID. Expected %q, got %q", givenTokenID, tokenID)
 | |
| 				}
 | |
| 				if tokenSecret != tc.tokenSecret {
 | |
| 					t.Errorf("Unexpected Token Secret. Expected %q, got %q", givenTokenSecret, tokenSecret)
 | |
| 				}
 | |
| 			}
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| }
 | |
| 
 | |
| func TestValidateSecret(t *testing.T) {
 | |
| 	_, ctx := ktesting.NewTestContext(t)
 | |
| 	secret := &v1.Secret{
 | |
| 		ObjectMeta: metav1.ObjectMeta{
 | |
| 			Namespace:       metav1.NamespaceSystem,
 | |
| 			Name:            bootstrapapi.BootstrapTokenSecretPrefix + givenTokenID,
 | |
| 			ResourceVersion: "1",
 | |
| 		},
 | |
| 		Type: bootstrapapi.SecretTypeBootstrapToken,
 | |
| 		Data: map[string][]byte{
 | |
| 			bootstrapapi.BootstrapTokenIDKey:           []byte(givenTokenID),
 | |
| 			bootstrapapi.BootstrapTokenSecretKey:       []byte(givenTokenSecret),
 | |
| 			bootstrapapi.BootstrapTokenUsageSigningKey: []byte("true"),
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	tokenID, tokenSecret, ok := validateSecretForSigning(ctx, secret)
 | |
| 	if !ok {
 | |
| 		t.Errorf("Unexpected validation failure.")
 | |
| 	}
 | |
| 	if tokenID != givenTokenID {
 | |
| 		t.Errorf("Unexpected Token ID. Expected %q, got %q", givenTokenID, tokenID)
 | |
| 	}
 | |
| 	if tokenSecret != givenTokenSecret {
 | |
| 		t.Errorf("Unexpected Token Secret. Expected %q, got %q", givenTokenSecret, tokenSecret)
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestBadSecretName(t *testing.T) {
 | |
| 	_, ctx := ktesting.NewTestContext(t)
 | |
| 	secret := &v1.Secret{
 | |
| 		ObjectMeta: metav1.ObjectMeta{
 | |
| 			Namespace:       metav1.NamespaceSystem,
 | |
| 			Name:            givenTokenID,
 | |
| 			ResourceVersion: "1",
 | |
| 		},
 | |
| 		Type: bootstrapapi.SecretTypeBootstrapToken,
 | |
| 		Data: map[string][]byte{
 | |
| 			bootstrapapi.BootstrapTokenIDKey:           []byte(givenTokenID),
 | |
| 			bootstrapapi.BootstrapTokenSecretKey:       []byte(givenTokenSecret),
 | |
| 			bootstrapapi.BootstrapTokenUsageSigningKey: []byte("true"),
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	_, _, ok := validateSecretForSigning(ctx, secret)
 | |
| 	if ok {
 | |
| 		t.Errorf("Token validation should fail with bad name")
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestMismatchSecretName(t *testing.T) {
 | |
| 	_, ctx := ktesting.NewTestContext(t)
 | |
| 	secret := &v1.Secret{
 | |
| 		ObjectMeta: metav1.ObjectMeta{
 | |
| 			Namespace:       metav1.NamespaceSystem,
 | |
| 			Name:            bootstrapapi.BootstrapTokenSecretPrefix + givenTokenID2,
 | |
| 			ResourceVersion: "1",
 | |
| 		},
 | |
| 		Type: bootstrapapi.SecretTypeBootstrapToken,
 | |
| 		Data: map[string][]byte{
 | |
| 			bootstrapapi.BootstrapTokenIDKey:           []byte(givenTokenID),
 | |
| 			bootstrapapi.BootstrapTokenSecretKey:       []byte(givenTokenSecret),
 | |
| 			bootstrapapi.BootstrapTokenUsageSigningKey: []byte("true"),
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	_, _, ok := validateSecretForSigning(ctx, secret)
 | |
| 	if ok {
 | |
| 		t.Errorf("Token validation should fail with mismatched name")
 | |
| 	}
 | |
| }
 |