Documentation ¶
Overview ¶
Copyright 2022 the Pinniped contributors. All Rights Reserved. SPDX-License-Identifier: Apache-2.0
Index ¶
- Constants
- func AccessAsGroupTest(ctx context.Context, testGroup string, clientUnderTest kubernetes.Interface) func(t *testing.T)
- func AccessAsGroupWithKubectlTest(testKubeConfigYAML string, testGroup string, expectedNamespace string) func(t *testing.T)
- func AccessAsUserTest(ctx context.Context, testUsername string, clientUnderTest kubernetes.Interface) func(t *testing.T)
- func AccessAsUserWithKubectlTest(testKubeConfigYAML string, testUsername string, expectedNamespace string) func(t *testing.T)
- func AddTestUserToGroup(t *testing.T, env *TestEnv, testGroupName, testUserName string)
- func ChangeADTestUserPassword(t *testing.T, env *TestEnv, testUserName string)
- func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret
- func CreateFreshADTestGroup(t *testing.T, env *TestEnv) string
- func CreateFreshADTestUser(t *testing.T, env *TestEnv) (string, string)
- func CreateNamespace(ctx context.Context, t *testing.T, name string) *corev1.Namespace
- func CreatePod(ctx context.Context, t *testing.T, name, namespace string, spec corev1.PodSpec) *corev1.Pod
- func CreateTestActiveDirectoryIdentityProvider(t *testing.T, spec idpv1alpha1.ActiveDirectoryIdentityProviderSpec, ...) *idpv1alpha1.ActiveDirectoryIdentityProvider
- func CreateTestClusterRoleBinding(t *testing.T, subject rbacv1.Subject, roleRef rbacv1.RoleRef) *rbacv1.ClusterRoleBinding
- func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, ...) *configv1alpha1.FederationDomain
- func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference
- func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference
- func CreateTestLDAPIdentityProvider(t *testing.T, spec idpv1alpha1.LDAPIdentityProviderSpec, ...) *idpv1alpha1.LDAPIdentityProvider
- func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, ...) *idpv1alpha1.OIDCIdentityProvider
- func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, ...) *corev1.Secret
- func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference
- func CreateTokenCredentialRequest(ctx context.Context, t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error)
- func DeactivateADTestUser(t *testing.T, env *TestEnv, testUserName string)
- func DeleteTestADUser(t *testing.T, env *TestEnv, testUserName string)
- func GetExpectedCiphers(config *tls.Config) string
- func LockADTestUser(t *testing.T, env *TestEnv, testUserName string)
- func LookupIP(ctx context.Context, hostname string) ([]net.IP, error)
- func MaskTokens(in string) string
- func NewAPIExtensionsV1Client(t *testing.T) apiextensionsv1.ApiextensionsV1Interface
- func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface
- func NewAnonymousClientRestConfig(t *testing.T) *rest.Config
- func NewAnonymousConciergeClientset(t *testing.T) conciergeclientset.Interface
- func NewClientConfig(t *testing.T) *rest.Config
- func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface
- func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface
- func NewConciergeClientset(t *testing.T) conciergeclientset.Interface
- func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client
- func NewKubeclientOptions(t *testing.T, config *rest.Config) []kubeclient.Option
- func NewKubernetesClientset(t *testing.T) kubernetes.Interface
- func NewLoggerReader(t *testing.T, name string, reader io.Reader) io.Reader
- func NewRestConfigFromKubeconfig(t *testing.T, kubeConfig string) *rest.Config
- func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface
- func PinnipedCLIPath(t *testing.T) string
- func RandBytes(t *testing.T, numBytes int) []byte
- func RandHex(t *testing.T, numBytes int) string
- func RedactURLParams(fullURL *url.URL) string
- func RequireEventually(t *testing.T, f func(requireEventually *require.Assertions), ...)
- func RequireEventuallyWithoutError(t *testing.T, f func() (bool, error), waitFor time.Duration, ...)
- func RequireEventuallyf(t *testing.T, f func(requireEventually *require.Assertions), ...)
- func RequireNeverWithoutError(t *testing.T, f func() (bool, error), waitFor time.Duration, ...)
- func RunNmapSSLEnum(t *testing.T, host string, port uint16) (string, string)
- func Sdump(a ...interface{}) string
- func SkipTestWhenActiveDirectoryIsUnavailable(t *testing.T, env *TestEnv)
- func SkipTestWhenLDAPIsUnavailable(t *testing.T, env *TestEnv)
- func WaitForUserToHaveAccess(t *testing.T, user string, groups []string, ...)
- type Capability
- type KubeDistro
- type TestEnv
- type TestLDAPUpstream
- type TestOIDCUpstream
Constants ¶
const (
	// Capability values. TestEnv.Capabilities is keyed by these names.
	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"

	// KubeDistro values. TestEnv.KubernetesDistribution holds one of these,
	// and TestEnv.WithKubeDistribution takes one as its argument.
	KindDistro KubeDistro = "Kind"
	GKEDistro  KubeDistro = "GKE"
	AKSDistro  KubeDistro = "AKS"
	EKSDistro  KubeDistro = "EKS"
	TKGSDistro KubeDistro = "TKGS"
)
Variables ¶
This section is empty.
Functions ¶
func AccessAsGroupTest ¶
func AccessAsGroupTest( ctx context.Context, testGroup string, clientUnderTest kubernetes.Interface, ) func(t *testing.T)
AccessAsGroupTest runs a generic test in which a clientUnderTest with membership in group testGroup tries to auth to the kube API (i.e., list namespaces).
Use this function if you want to simply validate that a user can auth to the kube API (via a group membership) after performing a Pinniped credential exchange.
func AccessAsUserTest ¶
func AccessAsUserTest( ctx context.Context, testUsername string, clientUnderTest kubernetes.Interface, ) func(t *testing.T)
AccessAsUserTest runs a generic test in which a clientUnderTest operating with username testUsername tries to auth to the kube API (i.e., list namespaces).
Use this function if you want to simply validate that a user can auth to the kube API after performing a Pinniped credential exchange.
func AddTestUserToGroup ¶ added in v0.15.0
AddTestUserToGroup adds a test user to a group within the test-users directory.
func ChangeADTestUserPassword ¶ added in v0.15.0
ChangeADTestUserPassword changes the user's password to a new one.
func CreateClientCredsSecret ¶
func CreateFreshADTestGroup ¶ added in v0.15.0
CreateFreshADTestGroup creates a fresh test group in AD to use for this test and returns the group's name.
func CreateFreshADTestUser ¶ added in v0.15.0
CreateFreshADTestUser creates a fresh test user in AD to use for this test and returns their username and password.
func CreateNamespace ¶ added in v0.11.0
func CreateTestActiveDirectoryIdentityProvider ¶ added in v0.11.0
func CreateTestActiveDirectoryIdentityProvider(t *testing.T, spec idpv1alpha1.ActiveDirectoryIdentityProviderSpec, expectedPhase idpv1alpha1.ActiveDirectoryIdentityProviderPhase) *idpv1alpha1.ActiveDirectoryIdentityProvider
func CreateTestFederationDomain ¶
func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.FederationDomainStatusCondition) *configv1alpha1.FederationDomain
CreateTestFederationDomain creates and returns a test FederationDomain in $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. If the provided issuer is not the empty string, then it will be used for the FederationDomain.Spec.Issuer field. Else, a random issuer will be generated.
func CreateTestJWTAuthenticator ¶
func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference
CreateTestJWTAuthenticator creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.
func CreateTestJWTAuthenticatorForCLIUpstream ¶
func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference
CreateTestJWTAuthenticatorForCLIUpstream creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.
CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.
func CreateTestLDAPIdentityProvider ¶
func CreateTestLDAPIdentityProvider(t *testing.T, spec idpv1alpha1.LDAPIdentityProviderSpec, expectedPhase idpv1alpha1.LDAPIdentityProviderPhase) *idpv1alpha1.LDAPIdentityProvider
func CreateTestOIDCIdentityProvider ¶
func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider
func CreateTestSecret ¶
func CreateTestWebhookAuthenticator ¶
func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference
CreateTestWebhookAuthenticator creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test webhook authenticator within the test namespace.
func CreateTokenCredentialRequest ¶
func CreateTokenCredentialRequest(ctx context.Context, t *testing.T, spec v1alpha1.TokenCredentialRequestSpec) (*v1alpha1.TokenCredentialRequest, error)
func DeactivateADTestUser ¶ added in v0.15.0
DeactivateADTestUser deactivates the test user.
func DeleteTestADUser ¶ added in v0.15.0
DeleteTestADUser deletes the test user created for this test.
func GetExpectedCiphers ¶ added in v0.16.0
func LockADTestUser ¶ added in v0.15.0
LockADTestUser locks the test user's account by entering the wrong password a bunch of times.
func MaskTokens ¶
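MaskTokens makes a best-effort attempt to mask out things that look like secret tokens in test output. Provides more readable test output, but also obscures sensitive state params and authcodes from public test output. Because the masking is heuristic, a secret in a format it does not recognize can still reach the output, so it should not be the only safeguard for logs that are published.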
func NewAPIExtensionsV1Client ¶ added in v0.13.0
func NewAPIExtensionsV1Client(t *testing.T) apiextensionsv1.ApiextensionsV1Interface
func NewAggregatedClientset ¶
func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface
func NewAnonymousClientRestConfig ¶
Returns a rest.Config without any user authentication info.
func NewAnonymousConciergeClientset ¶
func NewAnonymousConciergeClientset(t *testing.T) conciergeclientset.Interface
func NewClientsetForKubeConfig ¶
func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface
func NewClientsetWithCertAndKey ¶
func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface
func NewConciergeClientset ¶
func NewConciergeClientset(t *testing.T) conciergeclientset.Interface
func NewKubeclient ¶
func NewKubeclientOptions ¶ added in v0.11.0
func NewKubernetesClientset ¶
func NewKubernetesClientset(t *testing.T) kubernetes.Interface
func NewLoggerReader ¶
NewLoggerReader wraps an io.Reader to log its input and output. It also performs some heuristic token masking.
func NewSupervisorClientset ¶
func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface
func PinnipedCLIPath ¶
PinnipedCLIPath returns the path to the Pinniped CLI binary, built on demand and cached between tests.
func RedactURLParams ¶
Remove any potentially sensitive query param and fragment values for test logging.
func RequireEventually ¶
func RequireEventually( t *testing.T, f func(requireEventually *require.Assertions), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}, )
RequireEventually is similar to require.Eventually() except that it is thread safe and provides a richer way to write per-iteration assertions.
func RequireEventuallyWithoutError ¶
func RequireEventuallyWithoutError( t *testing.T, f func() (bool, error), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}, )
RequireEventuallyWithoutError is similar to require.Eventually() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.
func RequireEventuallyf ¶
func RequireNeverWithoutError ¶
func RequireNeverWithoutError( t *testing.T, f func() (bool, error), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}, )
RequireNeverWithoutError is similar to require.Never() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.
func RunNmapSSLEnum ¶ added in v0.16.0
func SkipTestWhenActiveDirectoryIsUnavailable ¶ added in v0.18.0
func SkipTestWhenLDAPIsUnavailable ¶ added in v0.18.0
func WaitForUserToHaveAccess ¶
func WaitForUserToHaveAccess(t *testing.T, user string, groups []string, shouldHaveAccessTo *authorizationv1.ResourceAttributes)
Types ¶
type Capability ¶
// Capability is the string type of the capability constants (for example
// ClusterSigningKeyIsAvailable) and the key type of TestEnv.Capabilities.
type Capability string
type KubeDistro ¶
// KubeDistro is the string type of the distribution constants (for example
// KindDistro) and the type of TestEnv.KubernetesDistribution.
type KubeDistro string
type TestEnv ¶
// TestEnv captures all the external parameters consumed by our integration tests.
//
// NOTE(review): several members hold secrets as plain, JSON-tagged strings
// (TestUser.Token here, plus the password and client-secret fields of the
// nested TestOIDCUpstream and TestLDAPUpstream values), so marshalling or
// printing a TestEnv emits them verbatim. Keep whole-struct dumps out of
// test logs that may be public.
type TestEnv struct {
	// Namespaces, app names and custom labels.
	ToolsNamespace         string            `json:"toolsNamespace"`
	ConciergeNamespace     string            `json:"conciergeNamespace"`
	SupervisorNamespace    string            `json:"supervisorNamespace"`
	ConciergeAppName       string            `json:"conciergeAppName"`
	SupervisorAppName      string            `json:"supervisorAppName"`
	SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
	ConciergeCustomLabels  map[string]string `json:"conciergeCustomLabels"`

	// Cluster type and the capability flags, keyed by Capability.
	KubernetesDistribution KubeDistro          `json:"kubernetesDistribution"`
	Capabilities           map[Capability]bool `json:"capabilities"`

	TestWebhook auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`

	// Supervisor addresses, proxy and related settings.
	SupervisorHTTPSAddress         string `json:"supervisorHttpsAddress"`
	SupervisorHTTPSIngressAddress  string `json:"supervisorHttpsIngressAddress"`
	SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"`
	Proxy                          string `json:"proxy"`
	APIGroupSuffix                 string `json:"apiGroupSuffix"`
	ShellContainerImage            string `json:"shellContainer"`

	// TestUser.Token is credential material; the Expected* fields are the
	// identity the tests compare against.
	TestUser struct {
		Token            string   `json:"token"`
		ExpectedUsername string   `json:"expectedUsername"`
		ExpectedGroups   []string `json:"expectedGroups"`
	} `json:"testUser"`

	// Upstream identity provider settings; each nested struct carries its
	// own credentials.
	CLIUpstreamOIDC                   TestOIDCUpstream `json:"cliOIDCUpstream"`
	SupervisorUpstreamOIDC            TestOIDCUpstream `json:"supervisorOIDCUpstream"`
	SupervisorUpstreamLDAP            TestLDAPUpstream `json:"supervisorLDAPUpstream"`
	SupervisorUpstreamActiveDirectory TestLDAPUpstream `json:"supervisorActiveDirectoryUpstream"`
	// contains filtered or unexported fields
}
TestEnv captures all the external parameters consumed by our integration tests.
func IntegrationEnv ¶
IntegrationEnv gets the integration test environment from OS environment variables. This method also implies SkipUnlessIntegration().
func (*TestEnv) HasCapability ¶
func (e *TestEnv) HasCapability(cap Capability) bool
func (*TestEnv) ProxyEnv ¶
ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.
func (*TestEnv) WithCapability ¶
func (e *TestEnv) WithCapability(cap Capability) *TestEnv
func (*TestEnv) WithKubeDistribution ¶
func (e *TestEnv) WithKubeDistribution(distro KubeDistro) *TestEnv
WithKubeDistribution skips the test unless it will run on the expected cluster type. Please use this sparingly. We would prefer that a test run on every cluster type where it can possibly run, so prefer to run everywhere when possible or use cluster capabilities when needed, rather than looking at the type of cluster to decide to skip a test. However, there are some tests that do not depend on or interact with Kubernetes itself which really only need to run on a single platform to give us the coverage that we desire.
func (*TestEnv) WithoutCapability ¶
func (e *TestEnv) WithoutCapability(cap Capability) *TestEnv
type TestLDAPUpstream ¶
// TestLDAPUpstream holds the settings for one LDAP-style upstream as consumed
// by the tests; TestEnv uses it for both SupervisorUpstreamLDAP and
// SupervisorUpstreamActiveDirectory.
//
// NOTE(review): BindPassword, TestUserPassword and TestDeactivatedUserPassword
// are plain, JSON-tagged strings, so marshalling or printing this struct emits
// them verbatim. Keep whole-struct dumps out of test logs that may be public.
type TestLDAPUpstream struct {
	// Server location and trust settings.
	Host             string `json:"host"`
	Domain           string `json:"domain"`
	StartTLSOnlyHost string `json:"startTLSOnlyHost"`
	CABundle         string `json:"caBundle"`

	// Bind account; BindPassword is a secret.
	BindUsername string `json:"bindUsername"`
	BindPassword string `json:"bindPassword"`

	// Search bases.
	UserSearchBase                 string `json:"userSearchBase"`
	DefaultNamingContextSearchBase string `json:"defaultNamingContextSearchBase"`
	GroupSearchBase                string `json:"groupSearchBase"`

	// Test user identity and attributes; TestUserPassword is a secret.
	TestUserDN                     string `json:"testUserDN"`
	TestUserCN                     string `json:"testUserCN"`
	TestUserPassword               string `json:"testUserPassword"`
	TestUserMailAttributeName      string `json:"testUserMailAttributeName"`
	TestUserMailAttributeValue     string `json:"testUserMailAttributeValue"`
	TestUserUniqueIDAttributeName  string `json:"testUserUniqueIDAttributeName"`
	TestUserUniqueIDAttributeValue string `json:"testUserUniqueIDAttributeValue"`

	// Direct group memberships of the test user.
	TestUserDirectGroupsCNs []string `json:"testUserDirectGroupsCNs"`
	TestUserDirectGroupsDNs []string `json:"testUserDirectGroupsDNs"` //nolint:revive // this is "distinguished names", not "DNS"

	TestUserSAMAccountNameValue string `json:"testUserSAMAccountNameValue"`
	TestUserPrincipalNameValue  string `json:"testUserPrincipalNameValue"`

	// The JSON keys below start with a capital letter, unlike the ones
	// above; they are kept exactly as declared.
	TestUserIndirectGroupsSAMAccountNames           []string `json:"TestUserIndirectGroupsSAMAccountNames"`
	TestUserIndirectGroupsSAMAccountPlusDomainNames []string `json:"TestUserIndirectGroupsSAMAccountPlusDomainNames"`

	// Deactivated test user; TestDeactivatedUserPassword is a secret.
	TestDeactivatedUserSAMAccountNameValue string `json:"TestDeactivatedUserSAMAccountNameValue"`
	TestDeactivatedUserPassword            string `json:"TestDeactivatedUserPassword"`
}
type TestOIDCUpstream ¶
// TestOIDCUpstream holds the settings for one upstream OIDC provider as
// consumed by the tests; TestEnv uses it for CLIUpstreamOIDC and
// SupervisorUpstreamOIDC.
//
// NOTE(review): ClientSecret and Password are plain, JSON-tagged strings, so
// marshalling or printing this struct emits them verbatim. Keep whole-struct
// dumps out of test logs that may be public.
type TestOIDCUpstream struct {
	// Provider location, trust settings and claim configuration.
	Issuer           string   `json:"issuer"`
	CABundle         string   `json:"caBundle"`
	AdditionalScopes []string `json:"additionalScopes"`
	UsernameClaim    string   `json:"usernameClaim"`
	GroupsClaim      string   `json:"groupsClaim"`

	// OAuth client registration; ClientSecret is a secret.
	ClientID     string `json:"clientID"`
	ClientSecret string `json:"clientSecret"`
	CallbackURL  string `json:"callback"`

	// Account used by the tests; Password is a secret.
	Username       string   `json:"username"`
	Password       string   `json:"password"`
	ExpectedGroups []string `json:"expectedGroups"`
}
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package browsertest provides integration test helpers for our browser-based tests.
|
Package browsertest provides integration test helpers for our browser-based tests. |