Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[k8s] Refactor auth integration tests to unit tests #1563

Merged
merged 1 commit into from
Aug 13, 2019
Merged

[k8s] Refactor auth integration tests to unit tests #1563

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 69 additions & 1 deletion edgelet/edgelet-kube/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,21 @@ pub use settings::Settings;

#[cfg(test)]
mod tests {
use crate::settings::Settings;
use config::{Config, File, FileFormat};
use futures::future;
use hyper::service::Service;
use hyper::{Body, Request, Response, StatusCode};
use json_patch::merge;
use native_tls::TlsConnector;
use serde_json::{self, json, Value as JsonValue};
use typed_headers::{mime, ContentLength, ContentType, HeaderMapExt};
use url::Url;

use edgelet_test_utils::web::ResponseFuture;
use kube_client::{Client as KubeClient, Config as KubeConfig, Error, TokenSource};

use crate::settings::Settings;
use crate::KubeModuleRuntime;

pub const PROXY_TRUST_BUNDLE_CONFIG_MAP_NAME: &str = "device1-iotedged-proxy-trust-bundle";

Expand Down Expand Up @@ -80,4 +91,61 @@ mod tests {

config.try_into().unwrap()
}

#[derive(Clone)]
pub struct TestTokenSource;

impl TokenSource for TestTokenSource {
type Error = Error;

fn get(&self) -> kube_client::error::Result<Option<String>> {
Ok(None)
}
}

pub fn create_runtime<S: Service>(
settings: Settings,
service: S,
) -> KubeModuleRuntime<TestTokenSource, S> {
let client = KubeClient::with_client(get_config(), service);

KubeModuleRuntime::new(client, settings)
}

pub fn get_config() -> KubeConfig<TestTokenSource> {
KubeConfig::new(
Url::parse("https://localhost:443").unwrap(),
"/api".to_string(),
TestTokenSource,
TlsConnector::new().unwrap(),
)
}

pub fn response(
status_code: StatusCode,
response: impl Fn() -> String + Clone + Send + 'static,
) -> ResponseFuture {
let response = response();
let response_len = response.len();

let mut response = Response::new(response.into());
*response.status_mut() = status_code;
response
.headers_mut()
.typed_insert(&ContentLength(response_len as u64));
response
.headers_mut()
.typed_insert(&ContentType(mime::APPLICATION_JSON));

Box::new(future::ok(response)) as ResponseFuture
}

pub fn not_found_handler(_: Request<Body>) -> ResponseFuture {
let response = Response::builder()
.status(StatusCode::NOT_FOUND)
.body(Body::default())
.unwrap();

Box::new(future::ok(response))
}
}
269 changes: 269 additions & 0 deletions edgelet/edgelet-kube/src/module/authentication.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,3 +116,272 @@ where
None => Either::B(future::ok(AuthId::None)),
}
}

#[cfg(test)]
mod tests {
use futures::future;
use hyper::service::service_fn;
use hyper::{header, Body, Method, Request, Response, StatusCode};
use maplit::btreemap;
use serde_json::json;
use tokio::runtime::Runtime;
use typed_headers::{mime, ContentLength, ContentType, HeaderMapExt};

use edgelet_core::{AuthId, Authenticator};
use edgelet_test_utils::routes;
use edgelet_test_utils::web::{
make_req_dispatcher, HttpMethod, RequestHandler, RequestPath, ResponseFuture,
};

use crate::tests::{create_runtime, make_settings, not_found_handler, response};
use crate::ErrorKind;

#[test]
fn it_authenticates_with_none_when_no_auth_token_provided() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => unauthenticated_token_review_handler()
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let req = Request::default();

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let auth_id = runtime.block_on(task).unwrap();

assert_eq!(auth_id, AuthId::None)
}

#[test]
fn it_authenticates_with_none_when_invalid_auth_header_provided() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => unauthenticated_token_review_handler()
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut()
.insert(header::AUTHORIZATION, "BeErer token".parse().unwrap());

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let auth_id = runtime.block_on(task).unwrap();

assert_eq!(auth_id, AuthId::None)
}

#[test]
fn it_authenticates_with_none_when_invalid_auth_token_provided() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => unauthenticated_token_review_handler()
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut().insert(
header::AUTHORIZATION,
"\u{3aa}\u{3a9}\u{3a4}".parse().unwrap(),
);

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let err = runtime.block_on(task).unwrap_err();

assert_eq!(err.kind(), &ErrorKind::ModuleAuthenticationError);
}

#[test]
fn it_authenticates_with_none_when_unknown_auth_token_provided() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => unauthenticated_token_review_handler()
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut().insert(
header::AUTHORIZATION,
"Bearer token-unknown".parse().unwrap(),
);

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let auth_id = runtime.block_on(task).unwrap();

assert_eq!(auth_id, AuthId::None)
}

#[test]
fn it_authenticates_with_none_when_module_auth_token_provided_but_sa_does_not_exists() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => authenticated_token_review_handler(),
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut()
.insert(header::AUTHORIZATION, "Bearer token".parse().unwrap());

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let err = runtime.block_on(task).unwrap_err();

assert_eq!(err.kind(), &ErrorKind::KubeClient);
}

#[test]
fn it_authenticates_with_sa_name_when_sa_does_not_contain_original_name() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => authenticated_token_review_handler(),
GET format!("/api/v1/namespaces/{}/serviceaccounts/edgeagent", settings.namespace()) => get_service_account_without_annotations_handler(),
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut()
.insert(header::AUTHORIZATION, "Bearer token".parse().unwrap());

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let auth_id = runtime.block_on(task).unwrap();

assert_eq!(auth_id, AuthId::Value("edgeagent".into()));
}

#[test]
fn it_authenticates_with_original_name_when_module_auth_token_provided() {
let settings = make_settings(None);

let dispatch_table = routes!(
POST "/apis/authentication.k8s.io/v1/tokenreviews" => authenticated_token_review_handler(),
GET format!("/api/v1/namespaces/{}/serviceaccounts/edgeagent", settings.namespace()) => get_service_account_with_annotations_handler(),
);

let handler = make_req_dispatcher(dispatch_table, Box::new(not_found_handler));
let service = service_fn(handler);
let runtime = create_runtime(settings, service);
let mut req = Request::default();
req.headers_mut()
.insert(header::AUTHORIZATION, "Bearer token".parse().unwrap());

let task = runtime.authenticate(&req);

let mut runtime = Runtime::new().unwrap();
let auth_id = runtime.block_on(task).unwrap();

assert_eq!(auth_id, AuthId::Value("$edgeAgent".into()));
}

fn authenticated_token_review_handler() -> impl Fn(Request<Body>) -> ResponseFuture + Clone {
make_token_review_handler(|| {
json!({
"kind": "TokenReview",
"spec": { "token": "token" },
"status": {
"authenticated": true,
"user": {
"username": "system:serviceaccount:my-namespace:edgeagent"
}
}}
)
.to_string()
})
}

fn unauthenticated_token_review_handler() -> impl Fn(Request<Body>) -> ResponseFuture + Clone {
make_token_review_handler(|| {
json!({
"kind": "TokenReview",
"spec": { "token": "token" },
"status": {
"authenticated": false,
}}
)
.to_string()
})
}

fn make_token_review_handler(
on_token_review: impl Fn() -> String + Clone + Send + 'static,
) -> impl Fn(Request<Body>) -> ResponseFuture + Clone {
move |_| {
let response = on_token_review();
let response_len = response.len();

let mut response = Response::new(response.into());
response
.headers_mut()
.typed_insert(&ContentLength(response_len as u64));
response
.headers_mut()
.typed_insert(&ContentType(mime::APPLICATION_JSON));
Box::new(future::ok(response)) as ResponseFuture
}
}

fn get_service_account_with_annotations_handler(
) -> impl Fn(Request<Body>) -> ResponseFuture + Clone {
move |_| {
response(StatusCode::OK, || {
json!({
"kind": "ServiceAccount",
"apiVersion": "v1",
"metadata": {
"name": "edgeagent",
"namespace": "my-namespace",
"annotations": {
"net.azure-devices.edge.original-moduleid": "$edgeAgent"
}
}
})
.to_string()
})
}
}

fn get_service_account_without_annotations_handler(
) -> impl Fn(Request<Body>) -> ResponseFuture + Clone {
move |_| {
response(StatusCode::OK, || {
json!({
"kind": "ServiceAccount",
"apiVersion": "v1",
"metadata": {
"name": "edgeagent",
"namespace": "my-namespace",
}
})
.to_string()
})
}
}
}
Loading