From 30011095784144c9b941959ad7c29cde9be90443 Mon Sep 17 00:00:00 2001 From: Guillaume Demonet Date: Tue, 23 Jun 2020 13:19:13 +0200 Subject: [PATCH] tests: Add positive check for auth success We only assessed if an authentication attempt failed, while tried to check the actual permissions for an authn assumed successful. To make errors more explicit, we add a `then` check that the "authentication succeeds". See: #2634 --- tests/post/features/salt_api.feature | 9 ++++++--- tests/post/steps/test_salt_api.py | 6 ++++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/post/features/salt_api.feature b/tests/post/features/salt_api.feature index 4733b650bb..efe1241d7d 100644 --- a/tests/post/features/salt_api.feature +++ b/tests/post/features/salt_api.feature @@ -3,7 +3,8 @@ Feature: SaltAPI Scenario: Login to SaltAPI using Basic auth Given the Kubernetes API is available When we login to SaltAPI as 'admin' using password 'admin' - Then we can ping all minions + Then authentication succeeds + And we can ping all minions And we can invoke '[".*"]' on '*' And we have '@wheel' perms And we have '@runner' perms @@ -12,7 +13,8 @@ Feature: SaltAPI Scenario: Login to SaltAPI using the storage-operator ServiceAccount Given the Kubernetes API is available When we login to SaltAPI with the ServiceAccount 'kube-system/storage-operator' - Then we can invoke '["disk.dump", {"state.sls": {"kwargs": {"mods": r"metalk8s\.volumes.*"}}}]' on '*' + Then authentication succeeds + And we can invoke '["disk.dump", {"state.sls": {"kwargs": {"mods": r"metalk8s\.volumes.*"}}}]' on '*' And we have '@jobs' perms And we can not ping all minions And we can not run state 'test.nop' on '*' @@ -20,7 +22,8 @@ Feature: SaltAPI Scenario: Login to SaltAPI using any ServiceAccount Given the Kubernetes API is available When we login to SaltAPI with the ServiceAccount 'kube-system/default' - Then we have no permissions + Then authentication succeeds + And we have no permissions Scenario: SaltAPI impersonation using a ServiceAccount Given the Kubernetes API is available diff --git a/tests/post/steps/test_salt_api.py b/tests/post/steps/test_salt_api.py index 0ae7b288ab..00d4a2c00b 100644 --- a/tests/post/steps/test_salt_api.py +++ b/tests/post/steps/test_salt_api.py @@ -146,6 +146,12 @@ def run_state_on_targets(host, context, negated, module, targets): def authentication_fails(host, context): assert context['salt-api']['login-status-code'] == 401 + +@then('authentication succeeds') +def authentication_succeeds(host, context): + assert context['salt-api']['login-status-code'] == 200 + + @then(parsers.parse("we can invoke '{modules}' on '{targets}'")) def invoke_module_on_target(host, context, modules, targets): assert {targets: ast.literal_eval(modules)} in context['salt-api']['perms']