Skip to content

Commit

Permalink
test: validate bypass hostname check behaviour
Browse files Browse the repository at this point in the history
see #76
  • Loading branch information
clementnuss committed Aug 23, 2022
1 parent de7764d commit 16732b2
Show file tree
Hide file tree
Showing 2 changed files with 63 additions and 14 deletions.
61 changes: 49 additions & 12 deletions internal/controller/csr_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,8 @@ func TestValidCsrApproved(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &validCsr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(validCsr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(validCsr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.False(t, denied)
assert.True(t, approved)
Expand All @@ -58,7 +59,8 @@ func TestWrongSignerCsr(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.False(t, denied)
assert.False(t, approved)
Expand All @@ -78,12 +80,38 @@ func TestNonMatchingCommonNameUsername(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
}

func TestHostnameSANNameMismatchWithBypass(t *testing.T) {
csrParams := CsrParams{
csrName: "csr-mismatch-SAN-hostname-with-bypass",
nodeName: testNodeName,
dnsName: "hostname-000.test.ch",
}
dnsResolver.Zones[csrParams.dnsName+"."] = mockdns.Zone{
A: []string{"192.168.0.14"},
} // we mock the dns zone of this test, as we really only want the invalid dns name to make it fail

csrController.BypassHostnameCheck = true
defer func() { csrController.BypassHostnameCheck = false }()

csr := createCsr(t, csrParams)
_, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})

_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log("CSR rejected with the following reason:" + reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, approved)
assert.False(t, denied)
}
func TestInvalidDNSName(t *testing.T) {
csrParams := CsrParams{
csrName: "csr-invalid-dnsName",
Expand All @@ -99,7 +127,8 @@ func TestInvalidDNSName(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
Expand All @@ -120,7 +149,8 @@ func TestInvalidRegexName(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
Expand All @@ -137,7 +167,8 @@ func TestUnresolvedDNSName(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
Expand All @@ -156,7 +187,8 @@ func TestMismatchedResolvedIpsSANIps(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
Expand All @@ -176,7 +208,8 @@ func TestExpirationSecondsTooLarge(t *testing.T) {
_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, denied)
assert.False(t, approved)
Expand All @@ -198,7 +231,8 @@ func TestBypassDNSResolution(t *testing.T) {
testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, approved)
assert.False(t, denied)
Expand All @@ -222,7 +256,8 @@ func TestIPv4NotWhitelisted(t *testing.T) {
testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.False(t, approved)
assert.True(t, denied)
Expand All @@ -246,7 +281,8 @@ func TestIPv6NotWhitelisted(t *testing.T) {
testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.False(t, approved)
assert.True(t, denied)
Expand All @@ -269,7 +305,8 @@ func TestIPv6WithoutDNSNotWhitelisted(t *testing.T) {
testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, err := waitCsrApprovalStatus(csr.Name)
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.False(t, approved)
assert.True(t, denied)
Expand Down
16 changes: 14 additions & 2 deletions internal/controller/testenv_setup_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ import (
"github.com/postfinance/kubelet-csr-approver/internal/controller"

"github.com/thanhpk/randstr"
capiv1 "k8s.io/api/certificates/v1"
certificates_v1 "k8s.io/api/certificates/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientset "k8s.io/client-go/kubernetes"
Expand All @@ -54,7 +55,7 @@ var csrController *controller.CertificateSigningRequestReconciler
var testContext context.Context
var testContextCancel context.CancelFunc

func waitCsrApprovalStatus(csrName string) (approved, denied bool, err error) {
func waitCsrApprovalStatus(csrName string) (approved, denied bool, reason string, err error) {
for i := 0; i < 3; i++ {
time.Sleep(250 * time.Millisecond)
csr, err := adminClientset.CertificatesV1().CertificateSigningRequests().
Expand All @@ -63,7 +64,18 @@ func waitCsrApprovalStatus(csrName string) (approved, denied bool, err error) {
continue
}

approved, denied = controller.GetCertApprovalCondition(&csr.Status)
for _, c := range csr.Status.Conditions {
if c.Type == capiv1.CertificateApproved {
approved = true
reason = c.Message
}

if c.Type == capiv1.CertificateDenied {
denied = true
reason = c.Message

}
}
if approved || denied {
break
}
Expand Down

0 comments on commit 16732b2

Please sign in to comment.