Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 713db4efe3
Branches Tags
custom-kube-...
/
kubernetes
/
test
/
integration
/
auth
/
bootstraptoken_test.go

bootstraptoken_test.go 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package auth
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"fmt"
    22. 

  22. 	"io/ioutil"
    23. 

  23. 	"net/http"
    24. 

  24. 	"testing"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29. 

  29. 	"k8s.io/apimachinery/pkg/labels"
    30. 

  30. 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
    31. 

  31. 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
    32. 

  32. 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
    33. 

  33. 	bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
    34. 

  34. 	"k8s.io/kubernetes/test/integration"
    35. 

  35. 	"k8s.io/kubernetes/test/integration/framework"
    36. 

  36. )
    37. 

  37. 

  38. type bootstrapSecrets []*corev1.Secret
    39. 

  39. 

  40. func (b bootstrapSecrets) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
    41. 

  41. 	return b, nil
    42. 

  42. }
    43. 

  43. 

  44. func (b bootstrapSecrets) Get(name string) (*corev1.Secret, error) {
    45. 

  45. 	return b[0], nil
    46. 

  46. }
    47. 

  47. 

  48. // TestBootstrapTokenAuth tests the bootstrap token auth provider
    49. 

  49. func TestBootstrapTokenAuth(t *testing.T) {
    50. 

  50. 	tokenID, err := bootstraputil.GenerateTokenID()
    51. 

  51. 	if err != nil {
    52. 

  52. 		t.Fatalf("unexpected error: %v", err)
    53. 

  53. 	}
    54. 

  54. 	secret, err := bootstraputil.GenerateTokenSecret()
    55. 

  55. 	if err != nil {
    56. 

  56. 		t.Fatalf("unexpected error: %v", err)
    57. 

  57. 	}
    58. 

  58. 	var bootstrapSecretValid = &corev1.Secret{
    59. 

  59. 		ObjectMeta: metav1.ObjectMeta{
    60. 

  60. 			Namespace: metav1.NamespaceSystem,
    61. 

  61. 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
    62. 

  62. 		},
    63. 

  63. 		Type: corev1.SecretTypeBootstrapToken,
    64. 

  64. 		Data: map[string][]byte{
    65. 

  65. 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
    66. 

  66. 			bootstrapapi.BootstrapTokenSecretKey:           []byte(secret),
    67. 

  67. 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
    68. 

  68. 		},
    69. 

  69. 	}
    70. 

  70. 	var bootstrapSecretInvalid = &corev1.Secret{
    71. 

  71. 		ObjectMeta: metav1.ObjectMeta{
    72. 

  72. 			Namespace: metav1.NamespaceSystem,
    73. 

  73. 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
    74. 

  74. 		},
    75. 

  75. 		Type: corev1.SecretTypeBootstrapToken,
    76. 

  76. 		Data: map[string][]byte{
    77. 

  77. 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
    78. 

  78. 			bootstrapapi.BootstrapTokenSecretKey:           []byte("invalid"),
    79. 

  79. 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
    80. 

  80. 		},
    81. 

  81. 	}
    82. 

  82. 	var expiredBootstrapToken = &corev1.Secret{
    83. 

  83. 		ObjectMeta: metav1.ObjectMeta{
    84. 

  84. 			Namespace: metav1.NamespaceSystem,
    85. 

  85. 			Name:      bootstrapapi.BootstrapTokenSecretPrefix,
    86. 

  86. 		},
    87. 

  87. 		Type: corev1.SecretTypeBootstrapToken,
    88. 

  88. 		Data: map[string][]byte{
    89. 

  89. 			bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
    90. 

  90. 			bootstrapapi.BootstrapTokenSecretKey:           []byte("invalid"),
    91. 

  91. 			bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
    92. 

  92. 			bootstrapapi.BootstrapTokenExpirationKey:       []byte(bootstraputil.TimeStringFromNow(-time.Hour)),
    93. 

  93. 		},
    94. 

  94. 	}
    95. 

  95. 	type request struct {
    96. 

  96. 		verb        string
    97. 

  97. 		URL         string
    98. 

  98. 		body        string
    99. 

  99. 		statusCodes map[int]bool // Set of expected resp.StatusCode if all goes well.
    100. 

  100. 	}
    101. 

  101. 	tests := []struct {
    102. 

  102. 		name    string
    103. 

  103. 		request request
    104. 

  104. 		secret  *corev1.Secret
    105. 

  105. 	}{
    106. 

  106. 		{
    107. 

  107. 			name:    "valid token",
    108. 

  108. 			request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code200},
    109. 

  109. 			secret:  bootstrapSecretValid,
    110. 

  110. 		},
    111. 

  111. 		{
    112. 

  112. 			name:    "invalid token format",
    113. 

  113. 			request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code401},
    114. 

  114. 			secret:  bootstrapSecretInvalid,
    115. 

  115. 		},
    116. 

  116. 		{
    117. 

  117. 			name:    "invalid token expired",
    118. 

  118. 			request: request{verb: "GET", URL: path("pods", "", ""), body: "", statusCodes: integration.Code401},
    119. 

  119. 			secret:  expiredBootstrapToken,
    120. 

  120. 		},
    121. 

  121. 	}
    122. 

  122. 	for _, test := range tests {
    123. 

  123. 

  124. 		authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret}))
    125. 

  125. 		// Set up a master
    126. 

  126. 		masterConfig := framework.NewIntegrationTestMasterConfig()
    127. 

  127. 		masterConfig.GenericConfig.Authentication.Authenticator = authenticator
    128. 

  128. 		_, s, closeFn := framework.RunAMaster(masterConfig)
    129. 

  129. 		defer closeFn()
    130. 

  130. 

  131. 		ns := framework.CreateTestingNamespace("auth-bootstrap-token", s, t)
    132. 

  132. 		defer framework.DeleteTestingNamespace(ns, s, t)
    133. 

  133. 

  134. 		previousResourceVersion := make(map[string]float64)
    135. 

  135. 		transport := http.DefaultTransport
    136. 

  136. 

  137. 		token := tokenID + "." + secret
    138. 

  138. 		var bodyStr string
    139. 

  139. 		if test.request.body != "" {
    140. 

  140. 			sub := ""
    141. 

  141. 			if test.request.verb == "PUT" {
    142. 

  142. 				// For update operations, insert previous resource version
    143. 

  143. 				if resVersion := previousResourceVersion[getPreviousResourceVersionKey(test.request.URL, "")]; resVersion != 0 {
    144. 

  144. 					sub += fmt.Sprintf(",\r\n\"resourceVersion\": \"%v\"", resVersion)
    145. 

  145. 				}
    146. 

  146. 				sub += fmt.Sprintf(",\r\n\"namespace\": %q", ns.Name)
    147. 

  147. 			}
    148. 

  148. 			bodyStr = fmt.Sprintf(test.request.body, sub)
    149. 

  149. 		}
    150. 

  150. 		test.request.body = bodyStr
    151. 

  151. 		bodyBytes := bytes.NewReader([]byte(bodyStr))
    152. 

  152. 		req, err := http.NewRequest(test.request.verb, s.URL+test.request.URL, bodyBytes)
    153. 

  153. 		if err != nil {
    154. 

  154. 			t.Fatalf("unexpected error: %v", err)
    155. 

  155. 		}
    156. 

  156. 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
    157. 

  157. 		if test.request.verb == "PATCH" {
    158. 

  158. 			req.Header.Set("Content-Type", "application/merge-patch+json")
    159. 

  159. 		}
    160. 

  160. 

  161. 		func() {
    162. 

  162. 			resp, err := transport.RoundTrip(req)
    163. 

  163. 			if err != nil {
    164. 

  164. 				t.Logf("case %v", test.name)
    165. 

  165. 				t.Fatalf("unexpected error: %v", err)
    166. 

  166. 			}
    167. 

  167. 			defer resp.Body.Close()
    168. 

  168. 			b, _ := ioutil.ReadAll(resp.Body)
    169. 

  169. 			if _, ok := test.request.statusCodes[resp.StatusCode]; !ok {
    170. 

  170. 				t.Logf("case %v", test.name)
    171. 

  171. 				t.Errorf("Expected status one of %v, but got %v", test.request.statusCodes, resp.StatusCode)
    172. 

  172. 				t.Errorf("Body: %v", string(b))
    173. 

  173. 			} else {
    174. 

  174. 				if test.request.verb == "POST" {
    175. 

  175. 					// For successful create operations, extract resourceVersion
    176. 

  176. 					id, currentResourceVersion, err := parseResourceVersion(b)
    177. 

  177. 					if err == nil {
    178. 

  178. 						key := getPreviousResourceVersionKey(test.request.URL, id)
    179. 

  179. 						previousResourceVersion[key] = currentResourceVersion
    180. 

  180. 					}
    181. 

  181. 				}
    182. 

  182. 			}
    183. 

  183. 

  184. 		}()
    185. 

  185. 	}
    186. 

  186. }
    187. 

  187.