697bc4cd1d
Previously every Handler function was receiving the session token in the form of a jwt string, in consequence every time we want to access the encrypted claims of the jwt we needed to run a decryption process, additionally we were decrypting the jwt twice, first at the session validation then inside each handler function, this was also causing a lot of using related to the merge between m3 and mcs What changed: Now we validate and decrypt the jwt once in `configure_mcs.go`, this works for both, mcs (console) and operator sessions, and then pass the decrypted claims to all the functions that need it, so no further token validation or decryption is need it.
83 lines
1.9 KiB
Go
83 lines
1.9 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/minio/mcs/cluster"
|
|
operatorClientset "github.com/minio/minio-operator/pkg/client/clientset/versioned"
|
|
)
|
|
|
|
type operatorClientTest struct {
|
|
client *operatorClientset.Clientset
|
|
}
|
|
|
|
var operatorAuthenticateMock func(ctx context.Context) ([]byte, error)
|
|
|
|
// MinIOInstanceDelete implements the minio instance delete action from minio-operator
|
|
func (c *operatorClientTest) Authenticate(ctx context.Context) ([]byte, error) {
|
|
return operatorAuthenticateMock(ctx)
|
|
}
|
|
|
|
func Test_isServiceAccountTokenValid(t *testing.T) {
|
|
|
|
successResponse := func() {
|
|
operatorAuthenticateMock = func(ctx context.Context) ([]byte, error) {
|
|
return nil, nil
|
|
}
|
|
}
|
|
|
|
failResponse := func() {
|
|
operatorAuthenticateMock = func(ctx context.Context) ([]byte, error) {
|
|
return nil, errors.New("something went wrong")
|
|
}
|
|
}
|
|
|
|
opClientClientSet, _ := cluster.OperatorClient("")
|
|
|
|
opClient := &operatorClientTest{
|
|
client: opClientClientSet,
|
|
}
|
|
|
|
type args struct {
|
|
ctx context.Context
|
|
operatorClient *operatorClientTest
|
|
mockFunction func()
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{
|
|
name: "Success authentication - correct jwt (service account token)",
|
|
args: args{
|
|
ctx: context.Background(),
|
|
operatorClient: opClient,
|
|
mockFunction: successResponse,
|
|
},
|
|
want: true,
|
|
},
|
|
{
|
|
name: "Fail authentication - incorrect jwt (service account token)",
|
|
args: args{
|
|
ctx: context.Background(),
|
|
operatorClient: opClient,
|
|
mockFunction: failResponse,
|
|
},
|
|
want: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if tt.args.mockFunction != nil {
|
|
tt.args.mockFunction()
|
|
}
|
|
if got := isServiceAccountTokenValid(tt.args.ctx, tt.args.operatorClient); got != tt.want {
|
|
t.Errorf("isServiceAccountTokenValid() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|