forked from Kuadrant/testsuite
Add kubernetes token-review identity tests
Showing
6 changed files
with
84 additions
and
2 deletions.
Empty file.
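--- a/testsuite/tests/kuadrant/authorino/identity/token_review/conftest.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/conftest.py
@@ -0,0 +1,17 @@
+"""Conftest for kubernetes token-review tests"""
+
+import pytest
+
+
+@pytest.fixture(scope="module")
+def create_service_account(request, openshift, blame):
+"""Creates service account and returns its unique name"""
+
+def _create_service_account(name):
+sa_name = blame(name)
+sa = openshift.do_action("create", "sa", sa_name, "-o", "json", "--dry-run=client", parse_output=True)
+request.addfinalizer(lambda: sa.delete(ignore_not_found=True))
+sa.create()
+return sa_name
+
+return _create_service_account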
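Review bot: The docstring on `create_service_account` says the fixture creates a service account and returns its name, but the fixture returns the inner factory `_create_service_account`, and it is that factory which creates the account and returns the blamed name. I would reword it to `"""Returns a factory that creates a uniquely named service account and returns its name"""`. The inner function has no docstring; one line there could note that deletion is registered with `request.addfinalizer` before `sa.create()` is called, so the cleanup is in place even if creation fails.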
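--- a/testsuite/tests/kuadrant/authorino/identity/token_review/test_audiences.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/test_audiences.py
@@ -0,0 +1,31 @@
+"""Test kubernetes token-review authorization with bound sa token that should contain all specified audiences"""
+
+import pytest
+
+
+pytestmark = [pytest.mark.authorino]
+
+TEST_AUDIENCES = ["test-aud1", "test-aud2", "test-aud3"]
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+"""Add kubernetes token-review identity with custom audiences specified"""
+authorization.identity.add_kubernetes("token-review-aud", TEST_AUDIENCES)
+return authorization
+
+
+@pytest.fixture(scope="module")
+def service_account_token(create_service_account, openshift):
+"""Create service account and request its bound token with the custom audiences"""
+service_account = create_service_account("tkn-rev")
+return openshift.get_serviceaccount_auth_token(service_account, TEST_AUDIENCES)
+
+
+def test_custom_audience(service_account_token, client):
+"""Test kubernetes token-review by adding custom audiences to the sa token and using it for the request"""
+response = client.get("/get")
+assert response.status_code == 401
+
+response = client.get("/get", headers={"Authorization": "Bearer " + service_account_token})
+assert response.status_code == 200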
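Review bot: `test_custom_audience` never sends a token bound to an audience the AuthConfig does not accept, so a regression in which the audience list is ignored would still pass; the same gap applies to `test_host_audience` in test_host.py. The only rejection asserted is the request with no Authorization header, which does not exercise audience validation at all. I would add a negative case that requests a bound token for an audience outside `TEST_AUDIENCES` and asserts 401, as sketched below. The sketch assumes `get_serviceaccount_auth_token` accepts any audience list, as its two visible calls suggest. The module docstring says the token "should contain all specified audiences"; whether every audience or only one must match is not shown here, so a second case with a single audience from the list would pin that down.

```python
# … unchanged: authorization and service_account_token fixtures, test_custom_audience …

@pytest.fixture(scope="module")
def wrong_audience_token(create_service_account, openshift):
    """Create service account and request its bound token for an audience the AuthConfig does not list"""
    service_account = create_service_account("tkn-rev-bad")
    # "unexpected-aud" is a constructed value, chosen only because it is not in TEST_AUDIENCES
    return openshift.get_serviceaccount_auth_token(service_account, ["unexpected-aud"])


def test_wrong_audience(wrong_audience_token, client):
    """A valid service account token bound to a different audience must be rejected"""
    response = client.get("/get", headers={"Authorization": "Bearer " + wrong_audience_token})
    assert response.status_code == 401
```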
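--- a/testsuite/tests/kuadrant/authorino/identity/token_review/test_host.py
+++ b/testsuite/tests/kuadrant/authorino/identity/token_review/test_host.py
@@ -0,0 +1,29 @@
+"""Test kubernetes token-review authorization with bound sa token that should contain host as audience by default"""
+
+import pytest
+
+
+pytestmark = [pytest.mark.authorino]
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+"""Add kubernetes token-review identity without any audiences"""
+authorization.identity.add_kubernetes("token-review-host")
+return authorization
+
+
+@pytest.fixture(scope="module")
+def service_account_token(create_service_account, openshift, hostname):
+"""Create service account and request its bound token with the hostname as audience"""
+service_account = create_service_account("tkn-rev")
+return openshift.get_serviceaccount_auth_token(service_account, [hostname.hostname])
+
+
+def test_host_audience(client, service_account_token):
+"""Test kubernetes token-review by adding hostname audience to the sa token and using it for the request"""
+response = client.get("/get")
+assert response.status_code == 401
+
+response = client.get("/get", headers={"Authorization": "Bearer " + service_account_token})
+assert response.status_code == 200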