custom-kube-scheduler/kubernetes/pkg/credentialprovider/aws/aws_credentials_test.go

/*
Copyright 2014 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package credentials

import (
	"encoding/base64"
	"fmt"
	"math/rand"
	"path"
	"strconv"
	"testing"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/ecr"

	"k8s.io/kubernetes/pkg/credentialprovider"
)

const user = "foo"
const password = "1234567890abcdef" // Fake value for testing.
const email = "not@val.id"

// Mock implementation
// randomizePassword is used to check for a cache hit to verify the password
// has not changed
type testTokenGetter struct {
	user              string
	password          string
	endpoint          string
	randomizePassword bool
}

type testTokenGetterFactory struct {
	getter tokenGetter
}

func (f *testTokenGetterFactory) GetTokenGetterForRegion(region string) (tokenGetter, error) {
	return f.getter, nil
}

func (p *testTokenGetter) GetAuthorizationToken(input *ecr.GetAuthorizationTokenInput) (*ecr.GetAuthorizationTokenOutput, error) {
	if p.randomizePassword {
		rand.Seed(int64(time.Now().Nanosecond()))
		p.password = strconv.Itoa(rand.Int())
	}
	expiration := time.Now().Add(1 * time.Hour)
	// expiration := time.Now().Add(5 * time.Second) //for testing with the cache expiring
	creds := []byte(fmt.Sprintf("%s:%s", p.user, p.password))
	data := &ecr.AuthorizationData{
		AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString(creds)),
		ExpiresAt:          &expiration,
		ProxyEndpoint:      aws.String(p.endpoint),
	}
	output := &ecr.GetAuthorizationTokenOutput{
		AuthorizationData: []*ecr.AuthorizationData{data},
	}
	return output, nil //p.svc.GetAuthorizationToken(input)
}

func TestRegistryPatternMatch(t *testing.T) {
	grid := []struct {
		Registry string
		Expected bool
	}{
		{"123456789012.dkr.ecr.lala-land-1.amazonaws.com", true},
		// fips
		{"123456789012.dkr.ecr-fips.lala-land-1.amazonaws.com", true},
		// .cn
		{"123456789012.dkr.ecr.lala-land-1.amazonaws.com.cn", true},
		// registry ID too long
		{"1234567890123.dkr.ecr.lala-land-1.amazonaws.com", false},
		// registry ID too short
		{"12345678901.dkr.ecr.lala-land-1.amazonaws.com", false},
		// registry ID has invalid chars
		{"12345678901A.dkr.ecr.lala-land-1.amazonaws.com", false},
		// region has invalid chars
		{"123456789012.dkr.ecr.lala-land-1!.amazonaws.com", false},
		// region starts with invalid char
		{"123456789012.dkr.ecr.#lala-land-1.amazonaws.com", false},
		// invalid host suffix
		{"123456789012.dkr.ecr.lala-land-1.amazonaws.hacker.com", false},
		// invalid host suffix
		{"123456789012.dkr.ecr.lala-land-1.hacker.com", false},
		// invalid host suffix
		{"123456789012.dkr.ecr.lala-land-1.amazonaws.lol", false},
		// without dkr
		{"123456789012.dog.ecr.lala-land-1.amazonaws.com", false},
		// without ecr
		{"123456789012.dkr.cat.lala-land-1.amazonaws.com", false},
		// without amazonaws
		{"123456789012.dkr.cat.lala-land-1.awsamazon.com", false},
		// too short
		{"123456789012.lala-land-1.amazonaws.com", false},
	}
	for _, g := range grid {
		actual := ecrPattern.MatchString(g.Registry)
		if actual != g.Expected {
			t.Errorf("unexpected pattern match value, want %v for %s", g.Expected, g.Registry)
		}
	}
}

func TestParseRepoURLPass(t *testing.T) {
	registryID := "123456789012"
	region := "lala-land-1"
	port := "9001"
	registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
	image := path.Join(registry, port, "foo/bar")
	parsedURL, err := parseRepoURL(image)

	if err != nil {
		t.Errorf("Could not parse URL: %s, err: %v", image, err)
	}
	if registryID != parsedURL.registryID {
		t.Errorf("Unexpected registryID value, want: %s, got: %s", registryID, parsedURL.registryID)
	}
	if region != parsedURL.region {
		t.Errorf("Unexpected region value, want: %s, got: %s", region, parsedURL.region)
	}
	if registry != parsedURL.registry {
		t.Errorf("Unexpected registry value, want: %s, got: %s", registry, parsedURL.registry)
	}
}

func TestParseRepoURLFail(t *testing.T) {
	registry := "123456789012.foo.bar.baz"
	image := path.Join(registry, "foo/bar")
	parsedURL, err := parseRepoURL(image)
	expectedErr := "123456789012.foo.bar.baz is not a valid ECR repository URL"

	if err == nil {
		t.Errorf("Should fail to parse URL %s", image)
	}
	if err.Error() != expectedErr {
		t.Errorf("Unexpected error, want: %s, got: %v", expectedErr, err)
	}
	if parsedURL != nil {
		t.Errorf("Expected parsedURL to be nil")
	}
}

func TestECRProvide(t *testing.T) {
	registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
	otherRegistries := []string{
		"123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn",
		"private.registry.com",
		"gcr.io",
	}
	image := path.Join(registry, "foo/bar")
	p := newECRProvider(&testTokenGetterFactory{
		getter: &testTokenGetter{
			user:     user,
			password: password,
			endpoint: registry,
		},
	})
	keyring := &credentialprovider.BasicDockerKeyring{}
	keyring.Add(p.Provide(image))

	// Verify that we get the expected username/password combo for
	// an ECR image name.
	creds, ok := keyring.Lookup(image)
	if !ok {
		t.Errorf("Didn't find expected URL: %s", image)
		return
	}
	if len(creds) > 1 {
		t.Errorf("Got more hits than expected: %s", creds)
	}
	cred := creds[0]
	if user != cred.Username {
		t.Errorf("Unexpected username value, want: %s, got: %s", user, cred.Username)
	}
	if password != creds[0].Password {
		t.Errorf("Unexpected password value, want: %s, got: %s", password, cred.Password)
	}
	if email != creds[0].Email {
		t.Errorf("Unexpected email value, want: %s, got: %s", email, cred.Email)
	}

	// Verify that we get an error for other images.
	for _, otherRegistry := range otherRegistries {
		image = path.Join(otherRegistry, "foo/bar")
		_, ok = keyring.Lookup(image)
		if ok {
			t.Errorf("Unexpectedly found image: %s", image)
			return
		}
	}
}

func TestECRProvideCached(t *testing.T) {
	registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
	p := newECRProvider(&testTokenGetterFactory{
		getter: &testTokenGetter{
			user:              user,
			password:          password,
			endpoint:          registry,
			randomizePassword: true,
		},
	})
	image1 := path.Join(registry, "foo/bar")
	image2 := path.Join(registry, "bar/baz")
	keyring := &credentialprovider.BasicDockerKeyring{}
	keyring.Add(p.Provide(image1))
	// time.Sleep(6 * time.Second) //for testing with the cache expiring
	keyring.Add(p.Provide(image2))
	// Verify that we get the credentials from the
	// cache the second time
	creds1, ok := keyring.Lookup(image1)
	if !ok {
		t.Errorf("Didn't find expected URL: %s", image1)
		return
	}
	if len(creds1) != 2 {
		t.Errorf("Got more hits than expected: %s", creds1)
	}

	if creds1[0].Password != creds1[1].Password {
		t.Errorf("cached credentials do not match")
	}

	creds2, ok := keyring.Lookup(image2)
	if !ok {
		t.Errorf("Didn't find expected URL: %s", image1)
		return
	}
	if len(creds2) != 2 {
		t.Errorf("Got more hits than expected: %s", creds2)
	}

	if creds2[0].Password != creds2[1].Password {
		t.Errorf("cached credentials do not match")
	}
	if creds1[0].Password != creds2[0].Password {
		t.Errorf("cached credentials do not match")
	}
}

func TestChinaECRProvide(t *testing.T) {
	registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
	otherRegistries := []string{
		"123456789012.dkr.ecr.lala-land-1.amazonaws.com",
		"private.registry.com",
		"gcr.io",
	}
	image := path.Join(registry, "foo/bar")
	p := newECRProvider(&testTokenGetterFactory{
		getter: &testTokenGetter{
			user:     user,
			password: password,
			endpoint: registry,
		},
	})
	keyring := &credentialprovider.BasicDockerKeyring{}
	keyring.Add(p.Provide(image))
	// Verify that we get the expected username/password combo for
	// an ECR image name.
	creds, ok := keyring.Lookup(image)
	if !ok {
		t.Errorf("Didn't find expected URL: %s", image)
		return
	}
	if len(creds) > 1 {
		t.Errorf("Got more hits than expected: %s", creds)
	}
	cred := creds[0]
	if user != cred.Username {
		t.Errorf("Unexpected username value, want: %s, got: %s", user, cred.Username)
	}
	if password != cred.Password {
		t.Errorf("Unexpected password value, want: %s, got: %s", password, cred.Password)
	}
	if email != cred.Email {
		t.Errorf("Unexpected email value, want: %s, got: %s", email, cred.Email)
	}

	// Verify that we get an error for other images.
	for _, otherRegistry := range otherRegistries {
		image = path.Join(otherRegistry, image)
		_, ok = keyring.Lookup(image)
		if ok {
			t.Errorf("Unexpectedly found image: %s", image)
			return
		}
	}
}

func TestChinaECRProvideCached(t *testing.T) {
	registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
	p := newECRProvider(&testTokenGetterFactory{
		getter: &testTokenGetter{
			user:              user,
			password:          password,
			endpoint:          registry,
			randomizePassword: true,
		},
	})
	image := path.Join(registry, "foo/bar")
	keyring := &credentialprovider.BasicDockerKeyring{}
	keyring.Add(p.Provide(image))
	// time.Sleep(6 * time.Second) //for testing with the cache expiring
	keyring.Add(p.Provide(image))
	// Verify that we get the credentials from the
	// cache the second time
	creds, ok := keyring.Lookup(image)
	if !ok {
		t.Errorf("Didn't find expected URL: %s", image)
		return
	}
	if len(creds) != 2 {
		t.Errorf("Got more hits than expected: %s", creds)
	}

	if creds[0].Password != creds[1].Password {
		t.Errorf("cached credentials do not match")
	}
}