Merge pull request #38 from tg123/auth_unit_test

add auth unit test

Author: brendandburns

tests/AuthTests.cs

@@ -0,0 +1,316 @@
+using System;
+using System.IO;
+using System.Linq;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Security.Cryptography.X509Certificates;
+using k8s.Models;
+using k8s.Tests.Mock;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Server.Kestrel.Https;
+using Microsoft.Rest;
+using Xunit;
+
+namespace k8s.Tests
+{
+    public class AuthTests
+    {
+        private static HttpOperationResponse<Corev1PodList> ExecuteListPods(IKubernetes client)
+        {
+            return client.ListNamespacedPodWithHttpMessagesAsync("default").Result;
+        }
+
+        [Fact]
+        public void TestAnonymous()
+        {
+            using (var server = new MockKubeApiServer())
+            {
+                var client = new Kubernetes(new KubernetesClientConfiguration
+                {
+                    Host = server.Uri.ToString()
+                });
+
+                var listTask = ExecuteListPods(client);
+
+                Assert.True(listTask.Response.IsSuccessStatusCode);
+                Assert.Equal(1, listTask.Body.Items.Count);
+            }
+
+            using (var server = new MockKubeApiServer(cxt =>
+            {
+                cxt.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
+                return false;
+            }))
+            {
+                var client = new Kubernetes(new KubernetesClientConfiguration
+                {
+                    Host = server.Uri.ToString()
+                });
+
+                var listTask = ExecuteListPods(client);
+
+                Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+            }
+        }
+
+        [Fact]
+        public void TestBasicAuth()
+        {
+            const string testName = "test_name";
+            const string testPassword = "test_password";
+
+            using (var server = new MockKubeApiServer(cxt =>
+            {
+                var header = cxt.Request.Headers["Authorization"].FirstOrDefault();
+
+                var expect = new AuthenticationHeaderValue("Basic", Utils.Base64Encode($"{testName}:{testPassword}"))
+                    .ToString();
+
+                if (header != expect)
+                {
+                    cxt.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
+                    return false;
+                }
+
+                return true;
+            }))
+            {
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = testName,
+                        Password = testPassword
+                    });
+
+                    var listTask = ExecuteListPods(client);
+                    Assert.True(listTask.Response.IsSuccessStatusCode);
+                    Assert.Equal(1, listTask.Body.Items.Count);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = "wrong name",
+                        Password = testPassword
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = testName,
+                        Password = "wrong password"
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = "both wrong",
+                        Password = "wrong password"
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString()
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = "xx"
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+            }
+        }
+
+        [Fact]
+        public void TestCert()
+        {
+            var serverCertificateData = File.ReadAllText("assets/apiserver-pfx-data.txt");
+
+            var clientCertificateKeyData = File.ReadAllText("assets/client-key-data.txt");
+            var clientCertificateData = File.ReadAllText("assets/client-certificate-data.txt");
+
+            var serverCertificate = new X509Certificate2(Convert.FromBase64String(serverCertificateData));
+            var clientCertificate = new X509Certificate2(Convert.FromBase64String(clientCertificateData));
+
+            var clientCertificateValidationCalled = false;
+
+            using (var server = new MockKubeApiServer(listenConfigure: options =>
+            {
+                options.UseHttps(new HttpsConnectionAdapterOptions
+                {
+                    ServerCertificate = serverCertificate,
+                    ClientCertificateMode = ClientCertificateMode.RequireCertificate,
+                    ClientCertificateValidation = (certificate, chain, valid) =>
+                    {
+                        clientCertificateValidationCalled = true;
+                        return clientCertificate.Equals(certificate);
+                    }
+                });
+            }))
+            {
+                {
+                    clientCertificateValidationCalled = false;
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        ClientCertificateData = clientCertificateData,
+                        ClientCertificateKey = clientCertificateKeyData,
+                        SslCaCert = serverCertificate,
+                        SkipTlsVerify = false
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.True(clientCertificateValidationCalled);
+                    Assert.True(listTask.Response.IsSuccessStatusCode);
+                    Assert.Equal(1, listTask.Body.Items.Count);
+                }
+
+                {
+                    clientCertificateValidationCalled = false;
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        ClientCertificateData = clientCertificateData,
+                        ClientCertificateKey = clientCertificateKeyData,
+                        SkipTlsVerify = true
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.True(clientCertificateValidationCalled);
+                    Assert.True(listTask.Response.IsSuccessStatusCode);
+                    Assert.Equal(1, listTask.Body.Items.Count);
+                }
+
+                {
+                    clientCertificateValidationCalled = false;
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        ClientCertificate = "assets/client.crt", // TODO amazoning why client.crt != client-data.txt
+                        ClientKey = "assets/client.key", // TODO  bad naming param
+                        SkipTlsVerify = true
+                    });
+
+                    Assert.ThrowsAny<Exception>(() => ExecuteListPods(client));
+                    Assert.True(clientCertificateValidationCalled);
+                }
+
+                {
+                    clientCertificateValidationCalled = false;
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        SkipTlsVerify = true
+                    });
+
+                    Assert.ThrowsAny<Exception>(() => ExecuteListPods(client));
+                    Assert.False(clientCertificateValidationCalled);
+                }
+            }
+        }
+
+        [Fact]
+        public void TestToken()
+        {
+            const string token = "testingtoken";
+
+            using (var server = new MockKubeApiServer(cxt =>
+            {
+                var header = cxt.Request.Headers["Authorization"].FirstOrDefault();
+
+                var expect = new AuthenticationHeaderValue("Bearer", token).ToString();
+
+                if (header != expect)
+                {
+                    cxt.Response.StatusCode = (int) HttpStatusCode.Unauthorized;
+                    return false;
+                }
+
+                return true;
+            }))
+            {
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        AccessToken = token
+                    });
+
+                    var listTask = ExecuteListPods(client);
+                    Assert.True(listTask.Response.IsSuccessStatusCode);
+                    Assert.Equal(1, listTask.Body.Items.Count);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        AccessToken = "wrong token"
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString(),
+                        Username = "wrong name",
+                        Password = "same password"
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+
+                {
+                    var client = new Kubernetes(new KubernetesClientConfiguration
+                    {
+                        Host = server.Uri.ToString()
+                    });
+
+                    var listTask = ExecuteListPods(client);
+
+                    Assert.Equal(HttpStatusCode.Unauthorized, listTask.Response.StatusCode);
+                }
+            }
+        }
+    }
+}

tests/Mock/MockKubeApiServer.cs

@@ -0,0 +1,54 @@
+using System;
+using System.Linq;
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Hosting.Server.Features;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Server.Kestrel.Core;
+
+namespace k8s.Tests.Mock
+{
+    public class MockKubeApiServer : IDisposable
+    {
+        // paste from minikube /api/v1/namespaces/default/pods
+        public const string MockPodResponse =
+                "{\r\n  \"kind\": \"PodList\",\r\n  \"apiVersion\": \"v1\",\r\n  \"metadata\": {\r\n    \"selfLink\": \"/api/v1/namespaces/default/pods\",\r\n    \"resourceVersion\": \"1762810\"\r\n  },\r\n  \"items\": [\r\n    {\r\n      \"metadata\": {\r\n        \"name\": \"nginx-1493591563-xb2v4\",\r\n        \"generateName\": \"nginx-1493591563-\",\r\n        \"namespace\": \"default\",\r\n        \"selfLink\": \"/api/v1/namespaces/default/pods/nginx-1493591563-xb2v4\",\r\n        \"uid\": \"ac1abb94-9c58-11e7-aaf5-00155d744505\",\r\n        \"resourceVersion\": \"1737928\",\r\n        \"creationTimestamp\": \"2017-09-18T10:03:51Z\",\r\n        \"labels\": {\r\n          \"app\": \"nginx\",\r\n          \"pod-template-hash\": \"1493591563\"\r\n        },\r\n        \"annotations\": {\r\n          \"kubernetes.io/created-by\": \"{\\\"kind\\\":\\\"SerializedReference\\\",\\\"apiVersion\\\":\\\"v1\\\",\\\"reference\\\":{\\\"kind\\\":\\\"ReplicaSet\\\",\\\"namespace\\\":\\\"default\\\",\\\"name\\\":\\\"nginx-1493591563\\\",\\\"uid\\\":\\\"ac013b63-9c58-11e7-aaf5-00155d744505\\\",\\\"apiVersion\\\":\\\"extensions\\\",\\\"resourceVersion\\\":\\\"5306\\\"}}\\n\"\r\n        },\r\n        \"ownerReferences\": [\r\n          {\r\n            \"apiVersion\": \"extensions/v1beta1\",\r\n            \"kind\": \"ReplicaSet\",\r\n            \"name\": \"nginx-1493591563\",\r\n            \"uid\": \"ac013b63-9c58-11e7-aaf5-00155d744505\",\r\n            \"controller\": true,\r\n            \"blockOwnerDeletion\": true\r\n          }\r\n        ]\r\n      },\r\n      \"spec\": {\r\n        \"volumes\": [\r\n          {\r\n            \"name\": \"default-token-3zzcj\",\r\n            \"secret\": {\r\n              \"secretName\": \"default-token-3zzcj\",\r\n              \"defaultMode\": 420\r\n            }\r\n          }\r\n        ],\r\n        \"containers\": [\r\n          {\r\n            \"name\": \"nginx\",\r\n            \"image\": \"nginx\",\r\n            \"resources\": {},\r\n            \"volumeMounts\": [\r\n              {\r\n                \"name\": \"default-token-3zzcj\",\r\n                \"readOnly\": true,\r\n                \"mountPath\": \"/var/run/secrets/kubernetes.io/serviceaccount\"\r\n              }\r\n            ],\r\n            \"terminationMessagePath\": \"/dev/termination-log\",\r\n            \"terminationMessagePolicy\": \"File\",\r\n            \"imagePullPolicy\": \"Always\"\r\n          }\r\n        ],\r\n        \"restartPolicy\": \"Always\",\r\n        \"terminationGracePeriodSeconds\": 30,\r\n        \"dnsPolicy\": \"ClusterFirst\",\r\n        \"serviceAccountName\": \"default\",\r\n        \"serviceAccount\": \"default\",\r\n        \"nodeName\": \"ubuntu\",\r\n        \"securityContext\": {},\r\n        \"schedulerName\": \"default-scheduler\"\r\n      },\r\n      \"status\": {\r\n        \"phase\": \"Running\",\r\n        \"conditions\": [\r\n          {\r\n            \"type\": \"Initialized\",\r\n            \"status\": \"True\",\r\n            \"lastProbeTime\": null,\r\n            \"lastTransitionTime\": \"2017-09-18T10:03:51Z\"\r\n          },\r\n          {\r\n            \"type\": \"Ready\",\r\n            \"status\": \"True\",\r\n            \"lastProbeTime\": null,\r\n            \"lastTransitionTime\": \"2017-10-12T07:09:21Z\"\r\n          },\r\n          {\r\n            \"type\": \"PodScheduled\",\r\n            \"status\": \"True\",\r\n            \"lastProbeTime\": null,\r\n            \"lastTransitionTime\": \"2017-09-18T10:03:51Z\"\r\n          }\r\n        ],\r\n        \"hostIP\": \"192.168.188.42\",\r\n        \"podIP\": \"172.17.0.5\",\r\n        \"startTime\": \"2017-09-18T10:03:51Z\",\r\n        \"containerStatuses\": [\r\n          {\r\n            \"name\": \"nginx\",\r\n            \"state\": {\r\n              \"running\": {\r\n                \"startedAt\": \"2017-10-12T07:09:20Z\"\r\n              }\r\n            },\r\n            \"lastState\": {\r\n              \"terminated\": {\r\n                \"exitCode\": 0,\r\n                \"reason\": \"Completed\",\r\n                \"startedAt\": \"2017-10-10T21:35:51Z\",\r\n                \"finishedAt\": \"2017-10-12T07:07:37Z\",\r\n                \"containerID\": \"docker://94df3f3965807421ad6dc76618e00b76cb15d024919c4946f3eb46a92659c62a\"\r\n              }\r\n            },\r\n            \"ready\": true,\r\n            \"restartCount\": 7,\r\n            \"image\": \"nginx:latest\",\r\n            \"imageID\": \"docker-pullable://nginx@sha256:004ac1d5e791e705f12a17c80d7bb1e8f7f01aa7dca7deee6e65a03465392072\",\r\n            \"containerID\": \"docker://fa11bdd48c9b7d3a6c4c3f9b6d7319743c3455ab8d00c57d59c083b319b88194\"\r\n          }\r\n        ],\r\n        \"qosClass\": \"BestEffort\"\r\n      }\r\n    }\r\n  ]\r\n}"
+            ;
+
+        private readonly IWebHost _webHost;
+
+        public MockKubeApiServer(Func<HttpContext, bool> shouldNext = null, Action<ListenOptions> listenConfigure = null,
+            string resp = MockPodResponse)
+        {
+            shouldNext = shouldNext ?? (_ => true);
+            listenConfigure = listenConfigure ?? (_ => { });
+
+            _webHost = WebHost.CreateDefaultBuilder()
+                .Configure(app => app.Run(httpContext =>
+                {
+                    if (shouldNext(httpContext))
+                    {
+                        httpContext.Response.WriteAsync(resp);
+                    }
+
+                    return Task.Delay(0);
+                }))
+                .UseKestrel(options => { options.Listen(IPAddress.Loopback, 0, listenConfigure); })
+                .Build();
+
+            _webHost.Start();
+        }
+
+        public Uri Uri => _webHost.ServerFeatures.Get<IServerAddressesFeature>().Addresses
+            .Select(a => new Uri(a)).First();
+
+        public void Dispose()
+        {
+            _webHost.StopAsync();
+            _webHost.WaitForShutdown();
+        }
+    }
+}