test: add testcase covering issue #247
Signed-off-by: Clément Nussbaumer <[email protected]>
clementnuss committed May 7, 2024
1 parent 1690a7e commit f91b9a1
Showing 1 changed file with 29 additions and 9 deletions.
38 changes: 29 additions & 9 deletions internal/controller/csr_controller_test.go
Expand Up @@ -87,18 +87,15 @@ func TestNonMatchingCommonNameUsername(t *testing.T) {
assert.False(t, approved)
}

func TestHostnameSANNameMismatchWithBypass(t *testing.T) {
func TestRegexCheckActiveWithBypass(t *testing.T) {
csrParams := CsrParams{
csrName: "csr-mismatch-SAN-hostname-with-bypass",
nodeName: testNodeName,
dnsName: "hostname-000.test.ch",
dnsName: "hostname-000.test.ch,auth.evil.io",
}
dnsResolver.Zones[csrParams.dnsName+"."] = mockdns.Zone{
A: []string{"192.168.0.14"},
} // we mock the dns zone of this test, as we really only want the invalid dns name to make it fail

csrController.BypassHostnameCheck = true
defer func() { csrController.BypassHostnameCheck = false }()
csrController.BypassDNSResolution = true
defer func() { csrController.BypassDNSResolution = false }()

csr := createCsr(t, csrParams)
_, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})
Expand All @@ -109,8 +106,8 @@ func TestHostnameSANNameMismatchWithBypass(t *testing.T) {
approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log("CSR rejected with the following reason:" + reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, approved)
assert.False(t, denied)
assert.False(t, approved)
assert.True(t, denied)
}
func TestInvalidDNSName(t *testing.T) {
csrParams := CsrParams{
Expand Down Expand Up @@ -215,6 +212,29 @@ func TestExpirationSecondsTooLarge(t *testing.T) {
assert.False(t, approved)
}

func TestSANCheckedEvenWithDNSResolutionBypassed(t *testing.T) {
csrParams := CsrParams{
csrName: "dns-bypass-regex-check-san",
nodeName: testNodeName,
dnsName: testNodeName + "-unresolved.test.ch",
}
csr := createCsr(t, csrParams)
_, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})

csrController.BypassDNSResolution = true
defer func() { csrController.BypassDNSResolution = false }()

_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(
testContext, &csr, metav1.CreateOptions{})
require.Nil(t, err, "Could not create the CSR.")

approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
t.Log(reason)
require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
assert.True(t, approved)
assert.False(t, denied)
}

func TestBypassDNSResolution(t *testing.T) {
csrParams := CsrParams{
csrName: "dns-bypass",
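Review bot: In TestRegexCheckActiveWithBypass the new assertions only check that the CSR was denied, so the test passes on any denial and does not prove that the regex check rejected the `auth.evil.io` SAN while `BypassDNSResolution` is on. Whether `createCsr` splits the comma-separated `dnsName` into two SANs is not visible on this page; if it does not, the CSR would carry a single malformed name and could be denied for that reason instead. Consider pinning the cause with something like `assert.Contains(t, reason, "<expected regex-denial reason>")`, using the reason text the controller actually emits. The `csrName` still reads `csr-mismatch-SAN-hostname-with-bypass` after the rename. The `defer` also resets the flag to `false` rather than to its saved previous value, which assumes the default is false and that these tests never run in parallel.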