mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2026-01-08 07:11:53 +00:00
Merge pull request #1812 from vmware-tanzu/tcr_test_more_output_on_failure
Add more output on failure of TokenCredentialRequest integration tests
This commit is contained in:
Ben Petersen
GitHub
@@ -39,7 +39,7 @@ func TestUnsuccessfulCredentialRequest_Parallel(t *testing.T) {
|
||||
},
|
||||
},
|
||||
)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Nil(t, response.Status.Credential)
|
||||
require.NotNil(t, response.Status.Message)
|
||||
require.Equal(t, "authentication failed", *response.Status.Message)
|
||||
@@ -147,7 +147,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
|
||||
loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
|
||||
)
|
||||
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
|
||||
require.Empty(t, response.Spec)
|
||||
require.Nil(t, response.Status.Credential)
|
||||
@@ -170,7 +170,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
|
||||
|
||||
require.Error(t, err)
|
||||
statusError, isStatus := err.(*errors.StatusError)
|
||||
require.True(t, isStatus)
|
||||
require.True(t, isStatus, testlib.Sdump(err))
|
||||
|
||||
require.Equal(t, 1, len(statusError.ErrStatus.Details.Causes))
|
||||
cause := statusError.ErrStatus.Details.Causes[0]
|
||||
|
||||
@@ -644,7 +644,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
clusterAdminCredentials, impersonationProxyURL, impersonationProxyCACertPEM, nil).
|
||||
PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
|
||||
// The WhoAmI API is lossy:
|
||||
// - It drops UID
|
||||
@@ -695,7 +695,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
// check that we impersonated the correct user and that the original user is retained in the extra
|
||||
whoAmI, err := nestedImpersonationClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Equal(t,
|
||||
expectedWhoAmIRequestResponse(
|
||||
"other-user-to-impersonate",
|
||||
@@ -851,7 +851,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
|
||||
whoAmI, err := nestedImpersonationClient.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Equal(t,
|
||||
expectedWhoAmIRequestResponse(
|
||||
"system:serviceaccount:kube-system:root-ca-cert-publisher",
|
||||
@@ -875,7 +875,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
).PinnipedConcierge
|
||||
whoAmI, err := impersonationProxyPinnipedConciergeClient.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
expectedGroups := make([]string, 0, len(env.TestUser.ExpectedGroups)+1) // make sure we do not mutate env.TestUser.ExpectedGroups
|
||||
expectedGroups = append(expectedGroups, env.TestUser.ExpectedGroups...)
|
||||
expectedGroups = append(expectedGroups, "system:authenticated")
|
||||
@@ -897,7 +897,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
|
||||
// we expect the impersonation proxy to match the behavior of KAS in regards to anonymous requests
|
||||
if env.HasCapability(testlib.AnonymousAuthenticationSupported) {
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Equal(t,
|
||||
expectedWhoAmIRequestResponse(
|
||||
"system:anonymous",
|
||||
@@ -918,7 +918,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
impersonationProxyURL, impersonationProxyCACertPEM, nil).PinnipedConcierge
|
||||
whoAmI, err = impersonationProxyServiceAccountPinnipedConciergeClient.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Equal(t,
|
||||
expectedWhoAmIRequestResponse(
|
||||
serviceaccount.MakeUsername(namespaceName, saName),
|
||||
@@ -997,7 +997,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
|
||||
whoAmITokenReq, err := impersonationProxySAClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
|
||||
// new service account tokens include the pod info in the extra fields
|
||||
require.Equal(t,
|
||||
@@ -1444,7 +1444,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
|
||||
whoAmI, err := impersonationProxyAnonymousClient.PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
require.Equal(t,
|
||||
expectedWhoAmIRequestResponse(
|
||||
"system:anonymous",
|
||||
@@ -1978,7 +1978,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
// Note that library.CreateTokenCredentialRequest makes an unauthenticated request, so we can't meaningfully
|
||||
// perform this part of the test on a cluster which does not allow anonymous authentication.
|
||||
tokenCredentialRequestResponse, err := testlib.CreateTokenCredentialRequest(ctx, t, credentialRequestSpecWithWorkingCredentials)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
|
||||
require.NotNil(t, tokenCredentialRequestResponse.Status.Message, "expected an error message but got nil")
|
||||
require.Equal(t, "authentication failed", *tokenCredentialRequestResponse.Status.Message)
|
||||
|
||||
@@ -39,10 +39,21 @@ func TestWhoAmI_Kubeadm_Parallel(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
||||
defer cancel()
|
||||
|
||||
adminClient := testlib.NewKubernetesClientset(t)
|
||||
|
||||
whoAmI, err := testlib.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
|
||||
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
|
||||
require.NoError(t, err, testlib.Sdump(err))
|
||||
|
||||
var wantGroups []string
|
||||
if testutil.KubeServerMinorVersionInBetweenInclusive(t, adminClient.Discovery(), 0, 28) {
|
||||
wantGroups = []string{"system:masters", "system:authenticated"}
|
||||
} else {
|
||||
// See https://github.com/kubernetes/enhancements/issues/4214. Admin kubeconfigs from kubeadm
|
||||
// which previously had system:masters now have kubeadm:cluster-admins instead.
|
||||
wantGroups = []string{"kubeadm:cluster-admins", "system:authenticated"}
|
||||
}
|
||||
|
||||
// this user info is based off of the bootstrap cert user created by kubeadm
|
||||
require.Equal(t,
|
||||
&identityv1alpha1.WhoAmIRequest{
|
||||
@@ -50,10 +61,7 @@ func TestWhoAmI_Kubeadm_Parallel(t *testing.T) {
|
||||
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
|
||||
User: identityv1alpha1.UserInfo{
|
||||
Username: "kubernetes-admin",
|
||||
Groups: []string{
|
||||
"system:masters",
|
||||
"system:authenticated",
|
||||
},
|
||||
Groups: wantGroups,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user