testlib

package
Version: v0.19.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 26, 2022 License: Apache-2.0 Imports: 52 Imported by: 0

Documentation

Overview

Copyright 2022 the Pinniped contributors. All Rights Reserved. SPDX-License-Identifier: Apache-2.0

Index

Constants

View Source
const (
	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"

	KindDistro KubeDistro = "Kind"
	GKEDistro  KubeDistro = "GKE"
	AKSDistro  KubeDistro = "AKS"
	EKSDistro  KubeDistro = "EKS"
	TKGSDistro KubeDistro = "TKGS"
)

Variables

This section is empty.

Functions

func AccessAsGroupTest

func AccessAsGroupTest(
	ctx context.Context,
	testGroup string,
	clientUnderTest kubernetes.Interface,
) func(t *testing.T)

AccessAsGroupTest runs a generic test in which a clientUnderTest with membership in group testGroup tries to auth to the kube API (i.e., list namespaces).

Use this function if you want to simply validate that a user can auth to the kube API (via a group membership) after performing a Pinniped credential exchange.

func AccessAsGroupWithKubectlTest

func AccessAsGroupWithKubectlTest(
	testKubeConfigYAML string,
	testGroup string,
	expectedNamespace string,
) func(t *testing.T)

func AccessAsUserTest

func AccessAsUserTest(
	ctx context.Context,
	testUsername string,
	clientUnderTest kubernetes.Interface,
) func(t *testing.T)

AccessAsUserTest runs a generic test in which a clientUnderTest operating with username testUsername tries to auth to the kube API (i.e., list namespaces).

Use this function if you want to simply validate that a user can auth to the kube API after performing a Pinniped credential exchange.

func AccessAsUserWithKubectlTest

func AccessAsUserWithKubectlTest(
	testKubeConfigYAML string,
	testUsername string,
	expectedNamespace string,
) func(t *testing.T)

func AddTestUserToGroup added in v0.15.0

func AddTestUserToGroup(t *testing.T, env *TestEnv, testGroupName, testUserName string)

AddTestUserToGroup adds a test user to a group within the test-users directory.

func ChangeADTestUserPassword added in v0.15.0

func ChangeADTestUserPassword(t *testing.T, env *TestEnv, testUserName string)

ChangeADTestUserPassword changes the user's password to a new one.

func CreateClientCredsSecret

func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret

func CreateFreshADTestGroup added in v0.15.0

func CreateFreshADTestGroup(t *testing.T, env *TestEnv) string

CreateFreshADTestGroup creates a fresh test group in AD to use for this test and returns the group's name.

func CreateFreshADTestUser added in v0.15.0

func CreateFreshADTestUser(t *testing.T, env *TestEnv) (string, string)

CreateFreshADTestUser creates a fresh test user in AD to use for this test and returns their username and password.

func CreateNamespace added in v0.11.0

func CreateNamespace(ctx context.Context, t *testing.T, name string) *corev1.Namespace

func CreatePod

func CreatePod(ctx context.Context, t *testing.T, name, namespace string, spec corev1.PodSpec) *corev1.Pod

func CreateTestClusterRoleBinding

func CreateTestClusterRoleBinding(t *testing.T, subject rbacv1.Subject, roleRef rbacv1.RoleRef) *rbacv1.ClusterRoleBinding

func CreateTestFederationDomain

func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.FederationDomainStatusCondition) *configv1alpha1.FederationDomain

CreateTestFederationDomain creates and returns a test FederationDomain in $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. If the provided issuer is not the empty string, then it will be used for the FederationDomain.Spec.Issuer field. Else, a random issuer will be generated.

func CreateTestJWTAuthenticator

func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference

CreateTestJWTAuthenticator creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.

func CreateTestJWTAuthenticatorForCLIUpstream

func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference

CreateTestJWTAuthenticatorForCLIUpstream creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.

CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.

func CreateTestSecret

func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, stringData map[string]string) *corev1.Secret

func CreateTestWebhookAuthenticator

func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference

CreateTestWebhookAuthenticator creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test webhook authenticator within the test namespace.

func DeactivateADTestUser added in v0.15.0

func DeactivateADTestUser(t *testing.T, env *TestEnv, testUserName string)

DeactivateADTestUser deactivates the test user.

func DeleteTestADUser added in v0.15.0

func DeleteTestADUser(t *testing.T, env *TestEnv, testUserName string)

DeleteTestADUser deletes the test user created for this test.

func GetExpectedCiphers added in v0.16.0

func GetExpectedCiphers(config *tls.Config) string

func LockADTestUser added in v0.15.0

func LockADTestUser(t *testing.T, env *TestEnv, testUserName string)

LockADTestUser locks the test user's account by entering the wrong password a bunch of times.

func LookupIP

func LookupIP(ctx context.Context, hostname string) ([]net.IP, error)

LookupIP looks up the IP address of the provided hostname, preferring IPv4.

func MaskTokens

func MaskTokens(in string) string

MaskTokens makes a best-effort attempt to mask out things that look like secret tokens in test output. Provides more readable test output, but also obscures sensitive state params and authcodes from public test output.

func NewAPIExtensionsV1Client added in v0.13.0

func NewAPIExtensionsV1Client(t *testing.T) apiextensionsv1.ApiextensionsV1Interface

func NewAggregatedClientset

func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface

func NewAnonymousClientRestConfig

func NewAnonymousClientRestConfig(t *testing.T) *rest.Config

Returns a rest.Config without any user authentication info.

func NewAnonymousConciergeClientset

func NewAnonymousConciergeClientset(t *testing.T) conciergeclientset.Interface

func NewClientConfig

func NewClientConfig(t *testing.T) *rest.Config

func NewClientsetForKubeConfig

func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface

func NewClientsetWithCertAndKey

func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface

func NewConciergeClientset

func NewConciergeClientset(t *testing.T) conciergeclientset.Interface

func NewKubeclient

func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client

func NewKubeclientOptions added in v0.11.0

func NewKubeclientOptions(t *testing.T, config *rest.Config) []kubeclient.Option

func NewKubernetesClientset

func NewKubernetesClientset(t *testing.T) kubernetes.Interface

func NewLoggerReader

func NewLoggerReader(t *testing.T, name string, reader io.Reader) io.Reader

NewLoggerReader wraps an io.Reader to log its input and output. It also performs some heuristic token masking.

func NewRestConfigFromKubeconfig

func NewRestConfigFromKubeconfig(t *testing.T, kubeConfig string) *rest.Config

func NewSupervisorClientset

func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface

func PinnipedCLIPath

func PinnipedCLIPath(t *testing.T) string

PinnipedCLIPath returns the path to the Pinniped CLI binary, built on demand and cached between tests.

func RandBytes

func RandBytes(t *testing.T, numBytes int) []byte

func RandHex

func RandHex(t *testing.T, numBytes int) string

func RedactURLParams

func RedactURLParams(fullURL *url.URL) string

Remove any potentially sensitive query param and fragment values for test logging.

func RequireEventually

func RequireEventually(
	t *testing.T,
	f func(requireEventually *require.Assertions),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireEventually is similar to require.Eventually() except that it is thread safe and provides a richer way to write per-iteration assertions.

func RequireEventuallyWithoutError

func RequireEventuallyWithoutError(
	t *testing.T,
	f func() (bool, error),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireEventuallyWithoutError is similar to require.Eventually() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.

func RequireEventuallyf

func RequireEventuallyf(
	t *testing.T,
	f func(requireEventually *require.Assertions),
	waitFor time.Duration,
	tick time.Duration,
	msg string,
	args ...interface{},
)

func RequireNeverWithoutError

func RequireNeverWithoutError(
	t *testing.T,
	f func() (bool, error),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireNeverWithoutError is similar to require.Never() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.

func RunNmapSSLEnum added in v0.16.0

func RunNmapSSLEnum(t *testing.T, host string, port uint16) (string, string)

func Sdump

func Sdump(a ...interface{}) string

func SkipTestWhenActiveDirectoryIsUnavailable added in v0.18.0

func SkipTestWhenActiveDirectoryIsUnavailable(t *testing.T, env *TestEnv)

func SkipTestWhenLDAPIsUnavailable added in v0.18.0

func SkipTestWhenLDAPIsUnavailable(t *testing.T, env *TestEnv)

func WaitForUserToHaveAccess

func WaitForUserToHaveAccess(t *testing.T, user string, groups []string, shouldHaveAccessTo *authorizationv1.ResourceAttributes)

Types

type Capability

type Capability string

type KubeDistro

type KubeDistro string

type TestEnv

type TestEnv struct {
	ToolsNamespace                 string                               `json:"toolsNamespace"`
	ConciergeNamespace             string                               `json:"conciergeNamespace"`
	SupervisorNamespace            string                               `json:"supervisorNamespace"`
	ConciergeAppName               string                               `json:"conciergeAppName"`
	SupervisorAppName              string                               `json:"supervisorAppName"`
	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
	KubernetesDistribution         KubeDistro                           `json:"kubernetesDistribution"`
	Capabilities                   map[Capability]bool                  `json:"capabilities"`
	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
	SupervisorHTTPSAddress         string                               `json:"supervisorHttpsAddress"`
	SupervisorHTTPSIngressAddress  string                               `json:"supervisorHttpsIngressAddress"`
	SupervisorHTTPSIngressCABundle string                               `json:"supervisorHttpsIngressCABundle"`
	Proxy                          string                               `json:"proxy"`
	APIGroupSuffix                 string                               `json:"apiGroupSuffix"`
	ShellContainerImage            string                               `json:"shellContainer"`

	TestUser struct {
		Token            string   `json:"token"`
		ExpectedUsername string   `json:"expectedUsername"`
		ExpectedGroups   []string `json:"expectedGroups"`
	} `json:"testUser"`

	CLIUpstreamOIDC                   TestOIDCUpstream `json:"cliOIDCUpstream"`
	SupervisorUpstreamOIDC            TestOIDCUpstream `json:"supervisorOIDCUpstream"`
	SupervisorUpstreamLDAP            TestLDAPUpstream `json:"supervisorLDAPUpstream"`
	SupervisorUpstreamActiveDirectory TestLDAPUpstream `json:"supervisorActiveDirectoryUpstream"`
	// contains filtered or unexported fields
}

TestEnv captures all the external parameters consumed by our integration tests.

func IntegrationEnv

func IntegrationEnv(t *testing.T) *TestEnv

IntegrationEnv gets the integration test environment from OS environment variables. This method also implies SkipUnlessIntegration().

func (*TestEnv) HasCapability

func (e *TestEnv) HasCapability(cap Capability) bool

func (*TestEnv) ProxyEnv

func (e *TestEnv) ProxyEnv() []string

ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.

func (*TestEnv) WithCapability

func (e *TestEnv) WithCapability(cap Capability) *TestEnv

func (*TestEnv) WithKubeDistribution

func (e *TestEnv) WithKubeDistribution(distro KubeDistro) *TestEnv

WithKubeDistribution skips the test unless it will run on the expected cluster type. Please use this sparingly. We would prefer that a test run on every cluster type where it can possibly run, so prefer to run everywhere when possible or use cluster capabilities when needed, rather than looking at the type of cluster to decide to skip a test. However, there are some tests that do not depend on or interact with Kubernetes itself which really only need to run on on a single platform to give us the coverage that we desire.

func (*TestEnv) WithoutCapability

func (e *TestEnv) WithoutCapability(cap Capability) *TestEnv

type TestLDAPUpstream

type TestLDAPUpstream struct {
	Host                                            string   `json:"host"`
	Domain                                          string   `json:"domain"`
	StartTLSOnlyHost                                string   `json:"startTLSOnlyHost"`
	CABundle                                        string   `json:"caBundle"`
	BindUsername                                    string   `json:"bindUsername"`
	BindPassword                                    string   `json:"bindPassword"`
	UserSearchBase                                  string   `json:"userSearchBase"`
	DefaultNamingContextSearchBase                  string   `json:"defaultNamingContextSearchBase"`
	GroupSearchBase                                 string   `json:"groupSearchBase"`
	TestUserDN                                      string   `json:"testUserDN"`
	TestUserCN                                      string   `json:"testUserCN"`
	TestUserPassword                                string   `json:"testUserPassword"`
	TestUserMailAttributeName                       string   `json:"testUserMailAttributeName"`
	TestUserMailAttributeValue                      string   `json:"testUserMailAttributeValue"`
	TestUserUniqueIDAttributeName                   string   `json:"testUserUniqueIDAttributeName"`
	TestUserUniqueIDAttributeValue                  string   `json:"testUserUniqueIDAttributeValue"`
	TestUserDirectGroupsCNs                         []string `json:"testUserDirectGroupsCNs"`
	TestUserDirectGroupsDNs                         []string `json:"testUserDirectGroupsDNs"` //nolint:revive // this is "distinguished names", not "DNS"
	TestUserSAMAccountNameValue                     string   `json:"testUserSAMAccountNameValue"`
	TestUserPrincipalNameValue                      string   `json:"testUserPrincipalNameValue"`
	TestUserIndirectGroupsSAMAccountNames           []string `json:"TestUserIndirectGroupsSAMAccountNames"`
	TestUserIndirectGroupsSAMAccountPlusDomainNames []string `json:"TestUserIndirectGroupsSAMAccountPlusDomainNames"`
	TestDeactivatedUserSAMAccountNameValue          string   `json:"TestDeactivatedUserSAMAccountNameValue"`
	TestDeactivatedUserPassword                     string   `json:"TestDeactivatedUserPassword"`
}

type TestOIDCUpstream

type TestOIDCUpstream struct {
	Issuer           string   `json:"issuer"`
	CABundle         string   `json:"caBundle"`
	AdditionalScopes []string `json:"additionalScopes"`
	UsernameClaim    string   `json:"usernameClaim"`
	GroupsClaim      string   `json:"groupsClaim"`
	ClientID         string   `json:"clientID"`
	ClientSecret     string   `json:"clientSecret"`
	CallbackURL      string   `json:"callback"`
	Username         string   `json:"username"`
	Password         string   `json:"password"`
	ExpectedGroups   []string `json:"expectedGroups"`
}

Directories

Path Synopsis
Package browsertest provides integration test helpers for our browser-based tests.
Package browsertest provides integration test helpers for our browser-based tests.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL