Use templates to reduce duplication in concierge_tls_spec_test.go

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Ryan Richard
2024-07-23 14:25:44 -07:00
parent 3a303cc8fb
commit f381c92f0b


@@ -24,336 +24,132 @@ import (
func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
env := testlib.IntegrationEnv(t)
webhookAuthenticatorYamlTemplate := here.Doc(`
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
%s
`)
jwtAuthenticatorYamlTemplate := here.Doc(`
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
%s
`)
testCases := []struct {
name string
customWebhookAuthenticatorYaml string
customJWTAuthenticatorYaml string
resourceNamePrefix string
expectedError string
name string
tlsYAML string
expectedError string
}{
{
name: "should disallow certificate authority data source with missing name",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: Secret
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: Secret
key: bar
`),
resourceNamePrefix: "invalid-tls-spec-missing-name",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Required value`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Required value`,
},
{
name: "should disallow certificate authority data source with empty value for name",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: Secret
name: ""
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: Secret
name: ""
key: bar
`),
resourceNamePrefix: "invalid-tls-spec-empty-name",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Invalid value: "": spec.tls.certificateAuthorityDataSource.name in body should be at least 1 chars long`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.name: Invalid value: "": spec.tls.certificateAuthorityDataSource.name in body should be at least 1 chars long`,
},
{
name: "should disallow certificate authority data source with missing key",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
`),
resourceNamePrefix: "invalid-tls-spec-missing-key",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Required value`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Required value`,
},
{
name: "should disallow certificate authority data source with empty value for key",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
key: ""
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
key: ""
`),
resourceNamePrefix: "invalid-tls-spec-empty-kind",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Invalid value: "": spec.tls.certificateAuthorityDataSource.key in body should be at least 1 chars long`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.key: Invalid value: "": spec.tls.certificateAuthorityDataSource.key in body should be at least 1 chars long`,
},
{
name: "should disallow certificate authority data source with missing kind",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
name: foo
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
name: foo
key: bar
`),
resourceNamePrefix: "invalid-tls-spec-missing-kind",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Required value`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Required value`,
},
{
name: "should disallow certificate authority data source with empty value for kind",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: ""
name: foo
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: ""
name: foo
key: bar
`),
resourceNamePrefix: "invalid-tls-spec-invalid-kind",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "": supported values: "Secret", "ConfigMap"`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "": supported values: "Secret", "ConfigMap"`,
},
{
name: "should disallow certificate authority data source with invalid kind",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: sorcery
name: foo
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: sorcery
name: foo
key: bar
`),
resourceNamePrefix: "invalid-tls-spec-invalid-kind",
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "sorcery": supported values: "Secret", "ConfigMap"`,
expectedError: `The %s "%s" is invalid: spec.tls.certificateAuthorityDataSource.kind: Unsupported value: "sorcery": supported values: "Secret", "ConfigMap"`,
},
{
name: "should create a custom resource passing all validations using a Secret source",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: Secret
name: foo
key: bar
`),
resourceNamePrefix: "valid-webhook-auth-secret-kind",
expectedError: "",
expectedError: "",
},
{
name: "should create a custom resource passing all validations using a ConfigMap source",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
tlsYAML: here.Doc(`
tls:
certificateAuthorityDataSource:
kind: ConfigMap
name: foo
key: bar
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
tls:
certificateAuthorityDataSource:
kind: ConfigMap
name: foo
key: bar
`),
resourceNamePrefix: "valid-webhook-auth-cm-kind",
expectedError: "",
expectedError: "",
},
{
name: "should create a custom resource without any tls spec",
customWebhookAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: WebhookAuthenticator
metadata:
name: %s
spec:
endpoint: %s
`),
customJWTAuthenticatorYaml: here.Doc(`
---
apiVersion: authentication.concierge.%s/v1alpha1
kind: JWTAuthenticator
metadata:
name: %s
spec:
issuer: %s
audience: some-audience
`),
resourceNamePrefix: "no-tls-spec",
expectedError: "",
name: "should create a custom resource without any tls spec",
tlsYAML: "",
expectedError: "",
},
}
@@ -361,9 +157,15 @@ func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
// Further indent every line except for the first line by four spaces.
// Use four spaces because that's what here.Doc uses.
// Do not indent the first line because the template already indents it.
indentedTLSYAML := strings.ReplaceAll(tc.tlsYAML, "\n", "\n ")
t.Run("apply webhook authenticator", func(t *testing.T) {
webhookResourceName := tc.resourceNamePrefix + "-" + testlib.RandHex(t, 7)
webhookYamlBytes := []byte(fmt.Sprintf(tc.customWebhookAuthenticatorYaml, env.APIGroupSuffix, webhookResourceName, env.TestWebhook.Endpoint))
webhookResourceName := "test-webhook-authenticator-" + testlib.RandHex(t, 7)
webhookYamlBytes := []byte(fmt.Sprintf(webhookAuthenticatorYamlTemplate,
env.APIGroupSuffix, webhookResourceName, env.TestWebhook.Endpoint, indentedTLSYAML))
performKubectlApply(
t,
@@ -378,8 +180,9 @@ func TestTLSSpecKubeBuilderValidationConcierge_Parallel(t *testing.T) {
t.Run("apply jwt authenticator", func(t *testing.T) {
_, supervisorIssuer := env.SupervisorUpstreamOIDC.InferTheIssuerURL(t)
jwtAuthenticatorResourceName := tc.resourceNamePrefix + "-" + testlib.RandHex(t, 7)
jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(tc.customJWTAuthenticatorYaml, env.APIGroupSuffix, jwtAuthenticatorResourceName, supervisorIssuer))
jwtAuthenticatorResourceName := "test-jwt-authenticator-" + testlib.RandHex(t, 7)
jwtAuthenticatorYamlBytes := []byte(fmt.Sprintf(jwtAuthenticatorYamlTemplate,
env.APIGroupSuffix, jwtAuthenticatorResourceName, supervisorIssuer, indentedTLSYAML))
performKubectlApply(
t,
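Review bot: The two "should create a custom resource passing all validations" cases now depend on `indentedTLSYAML` landing at the right depth under `spec:` in the shared templates, and nothing visible in these hunks checks the rendered manifest. If the splice drifts (for example a `tlsYAML` value that does not begin with an unindented `tls:`), the negative cases would fail on a different error. The positive cases, however, could still pass if the misplaced keys are dropped as unknown fields; whether that can happen depends on how `performKubectlApply` invokes kubectl, which is outside the hunk. I would log the rendered manifest before applying it, `t.Logf("applying WebhookAuthenticator manifest:\n%s", webhookYamlBytes)` (and likewise for the JWTAuthenticator), and document the table field with `// tlsYAML is the unindented "tls:" block spliced under spec; "" omits it.`. The `t.Run` closures and both `performKubectlApply` calls continue past the end of the hunks.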