Merge pull request #350 from averevki/test-k8s-tokenreview
Add kubernetes token-review identity tests
Showing
7 changed files
with
123 additions
and
4 deletions.
@@ -0,0 +1,31 @@ | ||
"""Service Account object for OpenShift""" | ||
|
||
from testsuite.openshift import OpenShiftObject | ||
from testsuite.openshift.client import OpenShiftClient | ||
|
||
|
||
class ServiceAccount(OpenShiftObject): | ||
"""Service account object for OpenShift""" | ||
|
||
def __init__(self, openshift: OpenShiftClient, model: dict): | ||
self.openshift = openshift | ||
super().__init__(model, context=openshift.context) | ||
|
||
@classmethod | ||
def create_instance(cls, openshift: OpenShiftClient, name: str, labels: dict[str, str] = None): | ||
"""Creates new instance of service account""" | ||
model = { | ||
"kind": "ServiceAccount", | ||
"apiVersion": "v1", | ||
"metadata": { | ||
"name": name, | ||
"labels": labels, | ||
}, | ||
} | ||
|
||
return cls(openshift, model) | ||
|
||
def get_auth_token(self, audiences: list[str] = None) -> str: | ||
"""Requests and returns bound token for service account""" | ||
audiences_args = [f"--audience={a}" for a in audiences or []] | ||
return self.openshift.do_action("create", "token", self.name(), *audiences_args).out().strip() |
Empty file.
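--- a/testsuite/tests/kuadrant/authorino/identity/token_review/conftest.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/conftest.py
@@ -0,0 +1,32 @@
+"""Conftest for kubernetes token-review tests"""
+
+import pytest
+
+from testsuite.httpx.auth import HeaderApiKeyAuth
+from testsuite.openshift.service_account import ServiceAccount
+
+
+@pytest.fixture(scope="module")
+def create_service_account(request, openshift, blame, module_label):
+    """Creates and returns service account"""
+
+    def _create_service_account(name):
+        service_account = ServiceAccount.create_instance(openshift, blame(name), labels={"app": module_label})
+        request.addfinalizer(service_account.delete)
+        service_account.commit()
+        return service_account
+
+    return _create_service_account
+
+
+@pytest.fixture(scope="module")
+def service_account_token(create_service_account, audience):
+    """Create service account and request its bound token with the hostname as audience"""
+    service_account = create_service_account("tkn-rev")
+    return service_account.get_auth_token(audience)
+
+
+@pytest.fixture(scope="module")
+def auth(service_account_token):
+    """Create request auth with service account token as API key"""
+    return HeaderApiKeyAuth(service_account_token, "Bearer")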
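Review bot: The docstring of `service_account_token` says the token is requested "with the hostname as audience", but the fixture forwards whatever the module's `audience` fixture returns, and test_audiences.py supplies three custom audiences, so the wording is already stale. Suggest `"""Create service account and request its bound token for the audiences returned by the `audience` fixture"""`. Also worth noting in that docstring that the token is minted once per module and never refreshed: `oc create token` issues bound tokens with a finite default lifetime, so a module that outlives it would start seeing 401s unrelated to the identity under test — presumably not a problem at the current module sizes, but it is an implicit assumption.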
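--- a/testsuite/tests/kuadrant/authorino/identity/token_review/test_audiences.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/test_audiences.py
@@ -0,0 +1,30 @@
+"""Test kubernetes token-review authorization with bound sa token that should contain all specified audiences"""
+
+import pytest
+
+pytestmark = [pytest.mark.authorino]
+
+
+TEST_AUDIENCES = ["test-aud1", "test-aud2", "test-aud3"]
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+    """Add kubernetes token-review identity with custom audiences specified"""
+    authorization.identity.add_kubernetes("token-review-aud", TEST_AUDIENCES)
+    return authorization
+
+
+@pytest.fixture(scope="module")
+def audience():
+    """Return custom audiences for the service account bound token"""
+    return TEST_AUDIENCES
+
+
+def test_custom_audience(client, auth):
+    """Test kubernetes token-review by adding custom audiences to the sa token and using it for the request"""
+    response = client.get("/get")
+    assert response.status_code == 401
+
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200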
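Review bot: `test_custom_audience` only shows that a token carrying all three configured audiences is accepted; it never shows that a token minted without them (or with only a subset) is rejected, so an identity that accepted any valid service-account token regardless of audience would still pass. The same gap is in `test_host_audience` in test_host.py, where a token bound to some other audience should likewise get a 401. A second test per module that mints a token through the existing fixture with a non-matching audience, e.g. `create_service_account("tkn-rev-other").get_auth_token(["other-aud"])` (constructed names), wraps it in `HeaderApiKeyAuth(..., "Bearer")` and asserts `response.status_code == 401` would pin the audience check itself rather than only the happy path.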
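--- a/testsuite/tests/kuadrant/authorino/identity/token_review/test_host.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/test_host.py
@@ -0,0 +1,27 @@
+"""Test kubernetes token-review authorization with bound sa token that should contain host as audience by default"""
+
+import pytest
+
+pytestmark = [pytest.mark.authorino]
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+    """Add kubernetes token-review identity without any audiences"""
+    authorization.identity.add_kubernetes("token-review-host")
+    return authorization
+
+
+@pytest.fixture(scope="module")
+def audience(hostname):
+    """Return hostname as only audience for the service account bound token"""
+    return [hostname.hostname]
+
+
+def test_host_audience(client, auth):
+    """Test kubernetes token-review by adding hostname audience to the sa token and using it for the request"""
+    response = client.get("/get")
+    assert response.status_code == 401
+
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200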