custom-kube-scheduler/kubernetes/test/utils/audit_dynamic.go

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package utils

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/httptest"
	"sync"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/util/wait"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
	"k8s.io/apiserver/pkg/audit"
)

// AuditTestServer is a helper server for dynamic audit testing
type AuditTestServer struct {
	Name            string
	LockedEventList *LockedEventList
	Server          *httptest.Server
	t               *testing.T
}

// LockedEventList is an event list with a lock for concurrent access
type LockedEventList struct {
	*sync.RWMutex
	EventList auditinternal.EventList
}

// NewLockedEventList returns a new LockedEventList
func NewLockedEventList() *LockedEventList {
	return &LockedEventList{
		RWMutex:   &sync.RWMutex{},
		EventList: auditinternal.EventList{},
	}
}

// NewAuditTestServer returns a new audit test server
func NewAuditTestServer(t *testing.T, name string) *AuditTestServer {
	s := &AuditTestServer{
		Name:            name,
		LockedEventList: NewLockedEventList(),
		t:               t,
	}
	s.buildServer()
	return s
}

// GetEventList safely returns the internal event list
func (a *AuditTestServer) GetEventList() auditinternal.EventList {
	a.LockedEventList.RLock()
	defer a.LockedEventList.RUnlock()
	return a.LockedEventList.EventList
}

// ResetEventList resets the internal event list
func (a *AuditTestServer) ResetEventList() {
	a.LockedEventList.Lock()
	defer a.LockedEventList.Unlock()
	a.LockedEventList.EventList = auditinternal.EventList{}
}

// AppendEvents will add the given events to the internal event list
func (a *AuditTestServer) AppendEvents(events []auditinternal.Event) {
	a.LockedEventList.Lock()
	defer a.LockedEventList.Unlock()
	a.LockedEventList.EventList.Items = append(a.LockedEventList.EventList.Items, events...)
}

// WaitForEvents waits for the given events to arrive in the server or the 30s timeout is reached
func (a *AuditTestServer) WaitForEvents(expected []AuditEvent) ([]AuditEvent, error) {
	var missing []AuditEvent
	err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
		var err error
		el := a.GetEventList()
		if len(el.Items) < 1 {
			return false, nil
		}
		missing, err = CheckAuditList(el, expected)
		if err != nil {
			return false, nil
		}
		return true, nil
	})
	return missing, err
}

// WaitForNumEvents checks that at least the given number of events has arrived or the 30s timeout is reached
func (a *AuditTestServer) WaitForNumEvents(numEvents int) error {
	err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
		el := a.GetEventList()
		if len(el.Items) < numEvents {
			return false, nil
		}
		return true, nil
	})
	if err != nil {
		return fmt.Errorf("%v: %d events failed to arrive in %v", err, numEvents, wait.ForeverTestTimeout)
	}
	return nil
}

// Health polls the server healthcheck until successful or the 30s timeout has been reached
func (a *AuditTestServer) Health() error {
	err := wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
		resp, err := http.Get(fmt.Sprintf("%s/health", a.Server.URL))
		if err != nil {
			return false, nil
		}
		if resp.StatusCode != 200 {
			return false, nil
		}
		return true, nil
	})
	if err != nil {
		return fmt.Errorf("server %s permanently failed health check: %v", a.Server.URL, err)
	}
	return nil
}

// Close the server
func (a *AuditTestServer) Close() {
	a.Server.Close()
}

// BuildSinkConfiguration creates a generic audit sink configuration for this server
func (a *AuditTestServer) BuildSinkConfiguration() *auditregv1alpha1.AuditSink {
	return &auditregv1alpha1.AuditSink{
		ObjectMeta: metav1.ObjectMeta{
			Name: a.Name,
		},
		Spec: auditregv1alpha1.AuditSinkSpec{
			Policy: auditregv1alpha1.Policy{
				Level: auditregv1alpha1.LevelRequestResponse,
				Stages: []auditregv1alpha1.Stage{
					auditregv1alpha1.StageResponseStarted,
					auditregv1alpha1.StageResponseComplete,
				},
			},
			Webhook: auditregv1alpha1.Webhook{
				ClientConfig: auditregv1alpha1.WebhookClientConfig{
					URL: &a.Server.URL,
				},
			},
		},
	}
}

// buildServer creates an http test server that will update the internal event list
// with the value it receives
func (a *AuditTestServer) buildServer() {
	decoder := audit.Codecs.UniversalDecoder(auditv1.SchemeGroupVersion)
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		body, err := ioutil.ReadAll(r.Body)
		require.NoError(a.t, err, "could not read request body")
		el := auditinternal.EventList{}
		err = runtime.DecodeInto(decoder, body, &el)
		r.Body.Close()
		require.NoError(a.t, err, "failed decoding buf: %b, apiVersion: %s", body, auditv1.SchemeGroupVersion)
		a.AppendEvents(el.Items)
		w.WriteHeader(200)
	})
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(200)
	})
	a.Server = httptest.NewServer(mux)
}