mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-05 13:07:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Backfill unit tests for garbage_collector audit logging

Browse Source
This commit is contained in:
Joshua Casey
2024-11-11 10:13:07 -06:00
parent f4f393e5de
commit f9e1dd4bec
2 changed files with 165 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/controller/supervisorstorage/garbage_collector.go
View File

@@ -7,6 +7,8 @@ import (
"context" "context"
"errors" "errors"
"fmt" "fmt"
"slices"
"strings"
"time" "time"
"github.com/ory/fosite" "github.com/ory/fosite"
@@ -114,6 +116,11 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {
return err return err
} }
// Sort secrets by name so that audit log tests are deterministic
slices.SortStableFunc(listOfSecrets, func(a, b *corev1.Secret) int {
return strings.Compare(a.ObjectMeta.Name, b.ObjectMeta.Name)
})
for i := range listOfSecrets { for i := range listOfSecrets {
secret := listOfSecrets[i] secret := listOfSecrets[i]

159
internal/controller/supervisorstorage/garbage_collector_test.go
View File

@@ -4,6 +4,7 @@
package supervisorstorage package supervisorstorage
import ( import (
"bytes"
"context" "context"
"encoding/json" "encoding/json"
"errors" "errors"
@@ -138,19 +139,23 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
syncContext *controllerlib.Context syncContext *controllerlib.Context
fakeClock *clocktesting.FakeClock fakeClock *clocktesting.FakeClock
frozenNow time.Time frozenNow time.Time
auditLog *bytes.Buffer
wantAuditLogs []testutil.WantedAuditLog
) )
// Defer starting the informers until the last possible moment so that the // Defer starting the informers until the last possible moment so that the
// nested Before's can keep adding things to the informer caches. // nested Before's can keep adding things to the informer caches.
var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) { var startInformersAndController = func(idpCache dynamicupstreamprovider.DynamicUpstreamIDPProvider) {
// Set this at the last second to allow for injection of server override. // Set this at the last second to allow for injection of server override.
var auditLogger plog.AuditLogger
auditLogger, auditLog = plog.TestLogger(t)
subject = GarbageCollectorController( subject = GarbageCollectorController(
idpCache, idpCache,
fakeClock, fakeClock,
kubeClient, kubeClient,
kubeInformers.Core().V1().Secrets(), kubeInformers.Core().V1().Secrets(),
controllerlib.WithInformer, controllerlib.WithInformer,
plog.New(), auditLogger,
) )
// Set this at the last second to support calling subject.Name(). // Set this at the last second to support calling subject.Name().
@@ -192,6 +197,8 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
it.After(func() { it.After(func() {
cancelContextCancelFunc() cancelContextCancelFunc()
testutil.CompareAuditLogs(t, wantAuditLogs, auditLog.String())
}) })
when("there are secrets without the garbage-collect-after annotation", func() { when("there are secrets without the garbage-collect-after annotation", func() {
@@ -387,6 +394,27 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-1",
"type": "refresh_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-2",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -511,6 +539,27 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-1",
"type": "access_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-2",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -651,6 +700,15 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -722,6 +780,15 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -827,6 +894,15 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -906,6 +982,15 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "authcode",
},
),
}
}) })
}) })
@@ -1030,6 +1115,27 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "access-token",
},
),
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-2",
"type": "refresh_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-2",
"storageType": "access-token",
},
),
}
}) })
}) })
@@ -1154,6 +1260,27 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "access-token",
},
),
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-2",
"type": "access_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-2",
"storageType": "access-token",
},
),
}
}) })
}) })
@@ -1231,6 +1358,21 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-1",
"type": "refresh_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "refresh-token",
},
),
}
}) })
}) })
@@ -1308,6 +1450,21 @@ func TestGarbageCollectorControllerSync(t *testing.T) {
}, },
kubeClient.Actions(), kubeClient.Actions(),
) )
wantAuditLogs = []testutil.WantedAuditLog{
testutil.WantAuditLog("Upstream OIDC Token Revoked",
map[string]any{
"sessionID": "request-id-1",
"type": "access_token",
},
),
testutil.WantAuditLog("Session Garbage Collected",
map[string]any{
"sessionID": "request-id-1",
"storageType": "refresh-token",
},
),
}
}) })
}) })