mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2025-12-23 06:15:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Small fixes for integration tests

Browse Source
This commit is contained in:
Joshua Casey
2024-11-19 21:17:30 -06:00
parent ce2dcbdbb3
commit 0a28c818ad
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
test/integration/audit_test.go
View File

@@ -124,7 +124,7 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
sessionCachePath := tempDir + "/test-sessions.yaml"
credentialCachePath := tempDir + "/test-credentials.yaml"
kubeconfigPath := runPinnipedGetKubeconfig(t, env, pinnipedExe, tempDir, []string{
pinnipedStyleKubeconfigPath := runPinnipedGetKubeconfig(t, env, pinnipedExe, tempDir, []string{
"get", "kubeconfig",
"--concierge-api-group-suffix", env.APIGroupSuffix,
"--concierge-authenticator-type", "jwt",
@@ -140,7 +140,11 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
timeBeforeLogin := metav1.Now()
// Run kubectl command which should run an LDAP-style login without interactive prompts for username and password.
kubectlCmd := exec.CommandContext(ctx, "kubectl", "auth", "whoami", "--kubeconfig", kubeconfigPath)
// We'd prefer to use "kubectl auth whoami" but that's only available in recent K8s.
// Generally on a kind cluster there is a clusterrolebinding "system:basic-user" and a clusterrole "system:basic-user"
// that allows those in group "system:authenticated" to call this API, so it does prove that we authenticated.
kubectlCmd := exec.CommandContext(ctx, "kubectl", "auth", "can-i", "create", "selfsubjectaccessreviews",
"--kubeconfig", pinnipedStyleKubeconfigPath)
kubectlCmd.Env = slices.Concat(os.Environ(), env.ProxyEnv())
kubectlOutput, err := kubectlCmd.CombinedOutput()
require.NoErrorf(t, err,
@@ -197,7 +201,7 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
{
"message": "TokenCredentialRequest Authenticated User",
"authenticator": map[string]any{
// this always pinniped.dev even when the API group suffix was customized because of the way that the production code works
// this is always pinniped.dev even when the API group suffix was customized because of the way that the production code works
"apiGroup": "authentication.concierge.pinniped.dev",
"kind": "JWTAuthenticator",
"name": authenticator.Name,
@@ -277,7 +281,11 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
// Do a second login, which should cause audit logs with non-redacted personal info.
// Run kubectl command which should run an LDAP-style login without interactive prompts for username and password.
kubectlCmd = exec.CommandContext(ctx, "kubectl", "auth", "whoami", "--kubeconfig", kubeconfigPath)
// We'd prefer to use "kubectl auth whoami" but that's only available in recent K8s.
// Generally on a kind cluster there is a clusterrolebinding "system:basic-user" and a clusterrole "system:basic-user"
// that allows those in group "system:authenticated" to call this API, so it does prove that we authenticated.
kubectlCmd = exec.CommandContext(ctx, "kubectl", "auth", "can-i", "create", "selfsubjectaccessreviews",
"--kubeconfig", pinnipedStyleKubeconfigPath)
kubectlCmd.Env = slices.Concat(os.Environ(), env.ProxyEnv())
kubectlOutput, err = kubectlCmd.CombinedOutput()
require.NoErrorf(t, err,
@@ -341,7 +349,8 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
{
"message": "TokenCredentialRequest Authenticated User",
"authenticator": map[string]any{
"apiGroup": "authentication.concierge." + env.APIGroupSuffix,
// this is always pinniped.dev even when the API group suffix was customized because of the way that the production code works
"apiGroup": "authentication.concierge.pinniped.dev",
"kind": "JWTAuthenticator",
"name": authenticator.Name,
},