testlib


Documentation

Overview

Copyright 2022 the Pinniped contributors. All Rights Reserved. SPDX-License-Identifier: Apache-2.0

Index

Constants

const (
	// Capability values are the keys of TestEnv.Capabilities. Tests gate on them
	// through TestEnv.HasCapability, WithCapability and WithoutCapability instead
	// of inspecting the cluster type, so a new optional cluster feature should be
	// added here rather than as a new KubeDistro.
	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
	// NOTE(review): presumably means the API server accepts unauthenticated
	// requests, which is what NewAnonymousClientRestConfig relies on — confirm
	// against the cluster configuration that sets this capability.
	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
	// NOTE(review): presumably gates tests that need outbound LDAP connectivity
	// (compare SkipTestWhenLDAPIsUnavailable) — confirm with the callers.
	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"

	// KubeDistro values are held by TestEnv.KubernetesDistribution and compared
	// by TestEnv.WithKubeDistribution. The string literals are the values that
	// appear in the JSON-tagged TestEnv field, so changing one changes the
	// accepted test configuration.
	KindDistro KubeDistro = "Kind"
	GKEDistro  KubeDistro = "GKE"
	AKSDistro  KubeDistro = "AKS"
	EKSDistro  KubeDistro = "EKS"
	TKGSDistro KubeDistro = "TKGS"
)

Variables

This section is empty.

Functions

func AccessAsGroupTest

func AccessAsGroupTest(
	ctx context.Context,
	testGroup string,
	clientUnderTest kubernetes.Interface,
) func(t *testing.T)

AccessAsGroupTest runs a generic test in which a clientUnderTest with membership in group testGroup tries to auth to the kube API (i.e., list namespaces).

Use this function if you want to simply validate that a user can auth to the kube API (via a group membership) after performing a Pinniped credential exchange.

func AccessAsGroupWithKubectlTest

func AccessAsGroupWithKubectlTest(
	testKubeConfigYAML string,
	testGroup string,
	expectedNamespace string,
) func(t *testing.T)

func AccessAsUserTest

func AccessAsUserTest(
	ctx context.Context,
	testUsername string,
	clientUnderTest kubernetes.Interface,
) func(t *testing.T)

AccessAsUserTest runs a generic test in which a clientUnderTest operating with username testUsername tries to auth to the kube API (i.e., list namespaces).

Use this function if you want to simply validate that a user can auth to the kube API after performing a Pinniped credential exchange.

func AccessAsUserWithKubectlTest

func AccessAsUserWithKubectlTest(
	testKubeConfigYAML string,
	testUsername string,
	expectedNamespace string,
) func(t *testing.T)

func AddTestUserToGroup added in v0.15.0

func AddTestUserToGroup(t *testing.T, env *TestEnv, testGroupName, testUserName string)

AddTestUserToGroup adds a test user to a group within the test-users directory.

func ChangeADTestUserPassword added in v0.15.0

func ChangeADTestUserPassword(t *testing.T, env *TestEnv, testUserName string)

ChangeADTestUserPassword changes the user's password to a new one.

func CreateClientCredsSecret

func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret

func CreateFreshADTestGroup added in v0.15.0

func CreateFreshADTestGroup(t *testing.T, env *TestEnv) string

CreateFreshADTestGroup creates a fresh test group in AD to use for this test and returns the group's name.

func CreateFreshADTestUser added in v0.15.0

func CreateFreshADTestUser(t *testing.T, env *TestEnv) (string, string)

CreateFreshADTestUser creates a fresh test user in AD to use for this test and returns their username and password.

func CreateNamespace added in v0.11.0

func CreateNamespace(ctx context.Context, t *testing.T, name string) *corev1.Namespace

func CreateOIDCClient added in v0.20.0

func CreateOIDCClient(t *testing.T, spec configv1alpha1.OIDCClientSpec, expectedPhase configv1alpha1.OIDCClientPhase) (string, string)

func CreatePod

func CreatePod(ctx context.Context, t *testing.T, name, namespace string, spec corev1.PodSpec) *corev1.Pod

func CreateTestClusterRoleBinding

func CreateTestClusterRoleBinding(t *testing.T, subject rbacv1.Subject, roleRef rbacv1.RoleRef) *rbacv1.ClusterRoleBinding

func CreateTestFederationDomain

func CreateTestFederationDomain(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.FederationDomainStatusCondition) *configv1alpha1.FederationDomain

CreateTestFederationDomain creates and returns a test FederationDomain in $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. If the provided issuer is not the empty string, then it will be used for the FederationDomain.Spec.Issuer field. Else, a random issuer will be generated.

func CreateTestJWTAuthenticator

func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, spec auth1alpha1.JWTAuthenticatorSpec) corev1.TypedLocalObjectReference

CreateTestJWTAuthenticator creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.

func CreateTestJWTAuthenticatorForCLIUpstream

func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference

CreateTestJWTAuthenticatorForCLIUpstream creates and returns a test JWTAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test JWT authenticator within the test namespace.

CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.

func CreateTestSecret

func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, stringData map[string]string) *corev1.Secret

func CreateTestWebhookAuthenticator

func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference

CreateTestWebhookAuthenticator creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which describes the test webhook authenticator within the test namespace.

func DeactivateADTestUser added in v0.15.0

func DeactivateADTestUser(t *testing.T, env *TestEnv, testUserName string)

DeactivateADTestUser deactivates the test user.

func GetExpectedCiphers added in v0.16.0

func GetExpectedCiphers(config *tls.Config) string

func LockADTestUser added in v0.15.0

func LockADTestUser(t *testing.T, env *TestEnv, testUserName string)

LockADTestUser locks the test user's account by entering the wrong password a bunch of times.

func LookupIP

func LookupIP(ctx context.Context, hostname string) ([]net.IP, error)

LookupIP looks up the IP address of the provided hostname, preferring IPv4.

func MaskTokens

func MaskTokens(in string) string

MaskTokens makes a best-effort, heuristic attempt to mask out things that look like secret tokens in test output. This makes test output more readable and also keeps sensitive state parameters and authorization codes out of public test output; because the matching is heuristic, it is a safety net rather than a guarantee that no secret is printed.

func NewAPIExtensionsV1Client added in v0.13.0

func NewAPIExtensionsV1Client(t *testing.T) apiextensionsv1.ApiextensionsV1Interface

func NewAggregatedClientset

func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface

func NewAnonymousClientRestConfig

func NewAnonymousClientRestConfig(t *testing.T) *rest.Config

NewAnonymousClientRestConfig returns a rest.Config without any user authentication info.

func NewAnonymousConciergeClientset

func NewAnonymousConciergeClientset(t *testing.T) conciergeclientset.Interface

func NewAnonymousSupervisorClientset added in v0.20.0

func NewAnonymousSupervisorClientset(t *testing.T) supervisorclientset.Interface

func NewClientConfig

func NewClientConfig(t *testing.T) *rest.Config

func NewClientsetForKubeConfig

func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface

func NewClientsetWithCertAndKey

func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface

func NewConciergeClientset

func NewConciergeClientset(t *testing.T) conciergeclientset.Interface

func NewKubeclient

func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client

func NewKubeclientOptions added in v0.11.0

func NewKubeclientOptions(t *testing.T, config *rest.Config) []kubeclient.Option

func NewKubernetesClientset

func NewKubernetesClientset(t *testing.T) kubernetes.Interface

func NewLoggerReader

func NewLoggerReader(t *testing.T, name string, reader io.Reader) io.Reader

NewLoggerReader wraps an io.Reader to log its input and output. It also performs some heuristic token masking.

func NewRestConfigFromKubeconfig

func NewRestConfigFromKubeconfig(t *testing.T, kubeConfig string) *rest.Config

func NewSupervisorClientset

func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface

func PinnipedCLIPath

func PinnipedCLIPath(t *testing.T) string

PinnipedCLIPath returns the path to the Pinniped CLI binary, built on demand and cached between tests.

func RandBytes

func RandBytes(t *testing.T, numBytes int) []byte

func RandHex

func RandHex(t *testing.T, numBytes int) string

func RedactURLParams

func RedactURLParams(fullURL *url.URL) string

RedactURLParams removes any potentially sensitive query parameter and fragment values from the URL for test logging.

func RequireEventually

func RequireEventually(
	t *testing.T,
	f func(requireEventually *require.Assertions),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireEventually is similar to require.Eventually() except that it is thread-safe and provides a richer way to write per-iteration assertions.

func RequireEventuallyWithoutError

func RequireEventuallyWithoutError(
	t *testing.T,
	f func() (bool, error),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireEventuallyWithoutError is similar to require.Eventually() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.

func RequireEventuallyf

func RequireEventuallyf(
	t *testing.T,
	f func(requireEventually *require.Assertions),
	waitFor time.Duration,
	tick time.Duration,
	msg string,
	args ...interface{},
)

func RequireNeverWithoutError

func RequireNeverWithoutError(
	t *testing.T,
	f func() (bool, error),
	waitFor time.Duration,
	tick time.Duration,
	msgAndArgs ...interface{},
)

RequireNeverWithoutError is similar to require.Never() except that it also allows the caller to return an error from the condition function. If the condition function returns an error at any point, the assertion will immediately fail.

func RestrictiveSecurityContext added in v0.20.0

func RestrictiveSecurityContext() *corev1.SecurityContext

RestrictiveSecurityContext returns a container SecurityContext which will be allowed by the most restrictive level of Pod Security Admission policy (as of Kube v1.25's policies).

func RunNmapSSLEnum added in v0.16.0

func RunNmapSSLEnum(t *testing.T, host string, port uint16) (string, string)

func Sdump

func Sdump(a ...interface{}) string

func SkipTestWhenActiveDirectoryIsUnavailable added in v0.18.0

func SkipTestWhenActiveDirectoryIsUnavailable(t *testing.T, env *TestEnv)

func SkipTestWhenLDAPIsUnavailable added in v0.18.0

func SkipTestWhenLDAPIsUnavailable(t *testing.T, env *TestEnv)

func WaitForUserToHaveAccess

func WaitForUserToHaveAccess(t *testing.T, user string, groups []string, shouldHaveAccessTo *authorizationv1.ResourceAttributes)

Types

type Capability

// Capability names an optional feature of the cluster under test. TestEnv.Capabilities
// maps each Capability to whether the cluster has it; the known values are the
// Capability constants in this package.
type Capability string

type KubeDistro

// KubeDistro identifies the Kubernetes distribution the tests run against
// (see the KubeDistro constants). Prefer gating tests on a Capability over a
// KubeDistro; see TestEnv.WithKubeDistribution.
type KubeDistro string

type TestEnv

// TestEnv captures all the external parameters consumed by the integration
// tests. It is populated by IntegrationEnv from OS environment variables, and
// the JSON tags give the on-disk/serialized field names.
//
// Several fields hold live credentials (TestUser.Token, the upstream
// ClientSecret/Password/BindPassword fields). Anything that prints a TestEnv
// or its parts to test output should go through MaskTokens / RedactURLParams
// rather than dumping the struct as-is.
type TestEnv struct {
	// Namespaces and app names of the deployed components under test.
	// NOTE(review): these presumably come from the $PINNIPED_TEST_*_NAMESPACE
	// variables referenced by CreateTestFederationDomain and
	// CreateTestJWTAuthenticator — confirm in IntegrationEnv.
	ToolsNamespace                 string                               `json:"toolsNamespace"`
	ConciergeNamespace             string                               `json:"conciergeNamespace"`
	SupervisorNamespace            string                               `json:"supervisorNamespace"`
	ConciergeAppName               string                               `json:"conciergeAppName"`
	SupervisorAppName              string                               `json:"supervisorAppName"`
	SupervisorCustomLabels         map[string]string                    `json:"supervisorCustomLabels"`
	ConciergeCustomLabels          map[string]string                    `json:"conciergeCustomLabels"`
	// KubernetesDistribution is compared by WithKubeDistribution; Capabilities is
	// consulted by HasCapability / WithCapability / WithoutCapability.
	KubernetesDistribution         KubeDistro                           `json:"kubernetesDistribution"`
	Capabilities                   map[Capability]bool                  `json:"capabilities"`
	// TestWebhook is a ready-made WebhookAuthenticatorSpec for the test webhook;
	// presumably what CreateTestWebhookAuthenticator installs — confirm.
	TestWebhook                    auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
	// Supervisor endpoints. The ingress address has its own CA bundle, so the
	// direct HTTPS address and the ingress address may present different certs.
	SupervisorHTTPSAddress         string                               `json:"supervisorHttpsAddress"`
	SupervisorHTTPSIngressAddress  string                               `json:"supervisorHttpsIngressAddress"`
	SupervisorHTTPSIngressCABundle string                               `json:"supervisorHttpsIngressCABundle"`
	// Proxy is the test HTTP proxy that ProxyEnv turns into environment variables.
	Proxy                          string                               `json:"proxy"`
	APIGroupSuffix                 string                               `json:"apiGroupSuffix"`
	// ShellContainerImage is tagged "shellContainer", not "shellContainerImage";
	// keep the tag when renaming.
	ShellContainerImage            string                               `json:"shellContainer"`

	// TestUser is the identity the webhook test user authenticates as.
	// Token is a bearer credential — mask it before logging.
	TestUser struct {
		Token            string   `json:"token"`
		ExpectedUsername string   `json:"expectedUsername"`
		ExpectedGroups   []string `json:"expectedGroups"`
	} `json:"testUser"`

	// Upstream identity providers used by the tests. CLIUpstreamOIDC is what
	// CreateTestJWTAuthenticatorForCLIUpstream reads its issuer info from. Note
	// the JSON names differ from the field names (e.g. "cliOIDCUpstream").
	CLIUpstreamOIDC                   TestOIDCUpstream `json:"cliOIDCUpstream"`
	SupervisorUpstreamOIDC            TestOIDCUpstream `json:"supervisorOIDCUpstream"`
	SupervisorUpstreamLDAP            TestLDAPUpstream `json:"supervisorLDAPUpstream"`
	SupervisorUpstreamActiveDirectory TestLDAPUpstream `json:"supervisorActiveDirectoryUpstream"`
	// contains filtered or unexported fields
}

TestEnv captures all the external parameters consumed by our integration tests.

func IntegrationEnv

func IntegrationEnv(t *testing.T) *TestEnv

IntegrationEnv gets the integration test environment from OS environment variables. This method also implies SkipUnlessIntegration().

func (*TestEnv) HasCapability

func (e *TestEnv) HasCapability(cap Capability) bool

func (*TestEnv) ProxyEnv

func (e *TestEnv) ProxyEnv() []string

ProxyEnv returns a set of environment variable strings (e.g., to combine with os.Environ()) which set up the configured test HTTP proxy.

func (*TestEnv) WithCapability

func (e *TestEnv) WithCapability(cap Capability) *TestEnv

func (*TestEnv) WithKubeDistribution

func (e *TestEnv) WithKubeDistribution(distro KubeDistro) *TestEnv

WithKubeDistribution skips the test unless it will run on the expected cluster type. Please use this sparingly. We would prefer that a test run on every cluster type where it can possibly run, so prefer to run everywhere when possible or use cluster capabilities when needed, rather than looking at the type of cluster to decide to skip a test. However, there are some tests that do not depend on or interact with Kubernetes itself which really only need to run on a single platform to give us the coverage that we desire.

func (*TestEnv) WithoutCapability

func (e *TestEnv) WithoutCapability(cap Capability) *TestEnv

type TestLDAPUpstream

// TestLDAPUpstream describes an LDAP or Active Directory server used as an
// upstream identity provider in the integration tests, plus the test accounts
// that exist in it. It is used for both SupervisorUpstreamLDAP and
// SupervisorUpstreamActiveDirectory on TestEnv; the *SAMAccountName* and
// *Deactivated* fields are only meaningful for the AD case.
//
// BindPassword, TestUserPassword and TestDeactivatedUserPassword are live
// credentials: do not print this struct to test output without masking
// (see MaskTokens).
type TestLDAPUpstream struct {
	// Connection details. NOTE(review): StartTLSOnlyHost presumably names a
	// listener that only accepts StartTLS rather than LDAPS — confirm with the
	// tests that use it. CABundle is the PEM bundle used to verify the server.
	Host                                            string   `json:"host"`
	Domain                                          string   `json:"domain"`
	StartTLSOnlyHost                                string   `json:"startTLSOnlyHost"`
	CABundle                                        string   `json:"caBundle"`
	// Service account used to bind before searching. Secret.
	BindUsername                                    string   `json:"bindUsername"`
	BindPassword                                    string   `json:"bindPassword"`
	// Search bases for user and group lookups.
	UserSearchBase                                  string   `json:"userSearchBase"`
	DefaultNamingContextSearchBase                  string   `json:"defaultNamingContextSearchBase"`
	GroupSearchBase                                 string   `json:"groupSearchBase"`
	// The pre-provisioned test user and the attribute values the tests expect
	// to see for it. TestUserPassword is a secret.
	TestUserDN                                      string   `json:"testUserDN"`
	TestUserCN                                      string   `json:"testUserCN"`
	TestUserPassword                                string   `json:"testUserPassword"`
	TestUserMailAttributeName                       string   `json:"testUserMailAttributeName"`
	TestUserMailAttributeValue                      string   `json:"testUserMailAttributeValue"`
	TestUserUniqueIDAttributeName                   string   `json:"testUserUniqueIDAttributeName"`
	TestUserUniqueIDAttributeValue                  string   `json:"testUserUniqueIDAttributeValue"`
	// Groups the test user belongs to directly, as CNs and as DNs.
	TestUserDirectGroupsCNs                         []string `json:"testUserDirectGroupsCNs"`
	TestUserDirectGroupsDNs                         []string `json:"testUserDirectGroupsDNs"` //nolint:revive // this is "distinguished names", not "DNS"
	// Active Directory specific identity values and indirect (nested) group
	// memberships. Note that the JSON tags for the last four fields start with
	// an upper-case letter, unlike the rest of this struct; keep them as-is since
	// they are the accepted configuration keys.
	TestUserSAMAccountNameValue                     string   `json:"testUserSAMAccountNameValue"`
	TestUserPrincipalNameValue                      string   `json:"testUserPrincipalNameValue"`
	TestUserIndirectGroupsSAMAccountNames           []string `json:"TestUserIndirectGroupsSAMAccountNames"`
	TestUserIndirectGroupsSAMAccountPlusDomainNames []string `json:"TestUserIndirectGroupsSAMAccountPlusDomainNames"`
	// A user that has been deactivated, for tests that expect authentication to
	// be refused (compare DeactivateADTestUser). The password is a secret.
	TestDeactivatedUserSAMAccountNameValue          string   `json:"TestDeactivatedUserSAMAccountNameValue"`
	TestDeactivatedUserPassword                     string   `json:"TestDeactivatedUserPassword"`
}

type TestOIDCUpstream

// TestOIDCUpstream describes an OIDC provider used as an upstream identity
// provider in the integration tests, together with a test account on it.
// CLIUpstreamOIDC and SupervisorUpstreamOIDC on TestEnv are both of this type.
//
// ClientSecret and Password are live credentials: mask them before they reach
// test output (see MaskTokens; RedactURLParams covers values carried in URLs).
type TestOIDCUpstream struct {
	// Issuer is the OIDC issuer URL; CABundle is the PEM bundle used to verify it.
	Issuer           string   `json:"issuer"`
	CABundle         string   `json:"caBundle"`
	// AdditionalScopes are requested on top of whatever the tests request by default.
	AdditionalScopes []string `json:"additionalScopes"`
	// Claim names the tests expect the provider to put the username and groups in.
	UsernameClaim    string   `json:"usernameClaim"`
	GroupsClaim      string   `json:"groupsClaim"`
	// Registered client. ClientSecret is a secret. Note the JSON key for
	// CallbackURL is "callback".
	ClientID         string   `json:"clientID"`
	ClientSecret     string   `json:"clientSecret"`
	CallbackURL      string   `json:"callback"`
	// Test account credentials and the groups the tests expect it to resolve to.
	Username         string   `json:"username"`
	Password         string   `json:"password"`
	ExpectedGroups   []string `json:"expectedGroups"`
}

Directories

Path Synopsis
Package browsertest provides integration test helpers for our browser-based tests.
Package browsertest provides integration test helpers for our browser-based tests.
