admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ce7fdddfd5ade3ce02ab183200dd37f66f87aff4
kubesphere/pkg/models/registries/v2/secret_authenticator_test.go
mango f018a23023 chore: add licenses check tools (#4706) 
* feat: check licenses header with skywalking-eye and support check tools.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* feat: check licenses header with skywalking-eye and support check tools.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* feat: check licenses header with skywalking-eye and support check tools.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* remove verify-licenses because verify-all exist.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* update modules.txt

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* revert go.mod

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* update vendor directory.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* revert go.sum

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* revert go.sum

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* ignore `pkg/controller/application/status.go`

Signed-off-by: mango <xu.weiKyrie@foxmail.com>

* add license header.

Signed-off-by: mango <xu.weiKyrie@foxmail.com>
2022-03-09 10:25:13 +08:00

187 lines
4.9 KiB
Go
Raw Blame History

// Copyright 2022 The KubeSphere Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
package v2
import (
"encoding/base64"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"time"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/gexec"
"github.com/google/go-cmp/cmp"
"github.com/google/go-containerregistry/pkg/authn"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func buildSecret(registry, username, password string, insecure bool) *v1.Secret {
auth := fmt.Sprintf("%s:%s", username, password)
authString := fmt.Sprintf("{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"\",\"auth\":\"%s\"}}}", registry, username, password, base64.StdEncoding.EncodeToString([]byte(auth)))
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "docker",
Namespace: v1.NamespaceDefault,
},
Data: map[string][]byte{
v1.DockerConfigJsonKey: []byte(authString),
},
Type: v1.SecretTypeDockerConfigJson,
}
if insecure {
secret.Annotations = make(map[string]string)
secret.Annotations[forceInsecure] = "true"
}
return secret
}
func TestSecretAuthenticator(t *testing.T) {
secret := buildSecret("dockerhub.qingcloud.com", "guest", "guest", false)
secretAuthenticator, err := NewSecretAuthenticator(secret)
if err != nil {
t.Fatal(err)
}
auth, err := secretAuthenticator.Authorization()
if err != nil {
t.Fatal(err)
}
expected := &authn.AuthConfig{
Username: "guest",
Password: "guest",
Auth: "Z3Vlc3Q6Z3Vlc3Q=",
}
if diff := cmp.Diff(auth, expected); len(diff) != 0 {
t.Errorf("%T, got+ expected-, %s", expected, diff)
}
}
func TestAuthn(t *testing.T) {
testCases := []struct {
name string
secret *v1.Secret
auth bool
expectErr bool
}{
{
name: "Should authenticate with correct credential",
secret: buildSecret("https://dockerhub.qingcloud.com", "guest", "guest", false),
auth: true,
expectErr: false,
},
{
name: "Shouldn't authenticate with incorrect credentials",
secret: buildSecret("https://index.docker.io", "foo", "bar", false),
auth: false,
expectErr: true,
},
{
name: "Shouldn't authenticate with no credentials",
secret: nil,
auth: false,
expectErr: true,
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
secretAuthenticator, err := NewSecretAuthenticator(testCase.secret)
if err != nil {
t.Errorf("error creating secretAuthenticator, %v", err)
}
ok, err := secretAuthenticator.Auth()
if testCase.auth != ok {
t.Errorf("expected auth result: %v, but got %v", testCase.auth, ok)
}
if testCase.expectErr && err == nil {
t.Errorf("expected error, but got nil")
}
if !testCase.expectErr && err != nil {
t.Errorf("authentication error, %v", err)
}
})
}
}
var (
registryServer *httptest.Server
tlsRegistryServer *httptest.Server
)
func TestRegistry(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Registry Test Suite")
}
var _ = BeforeSuite(func(done Done) {
// anonymous registry
fakeHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
w.Write([]byte("ok"))
})
tlsRegistryServer = httptest.NewTLSServer(fakeHandler)
registryServer = httptest.NewServer(fakeHandler)
close(done)
}, 30)
var _ = AfterSuite(func() {
By("tearing down the test environment")
gexec.KillAndWait(5 * time.Second)
registryServer.Close()
tlsRegistryServer.Close()
})
var _ = Describe("Registry", func() {
Context("Registry", func() {
It("skip TLS certification checks", func() {
secret := buildSecret(tlsRegistryServer.URL, "", "", true)
secretAuthenticator, err := NewSecretAuthenticator(secret)
Expect(err).Should(BeNil())
_, err = secretAuthenticator.Auth()
Expect(err).Should(BeNil())
})
It("self-signed certs are not trusted", func() {
secret := buildSecret(tlsRegistryServer.URL, "", "", false)
secretAuthenticator, err := NewSecretAuthenticator(secret)
Expect(err).Should(BeNil())
_, err = secretAuthenticator.Auth()
Expect(err).ShouldNot(BeNil())
})
It("insecure registry", func() {
// Loopback addr always be insecure, http scheme will be used.
secret := buildSecret(registryServer.URL, "", "", false)
secretAuthenticator, err := NewSecretAuthenticator(secret)
Expect(err).Should(BeNil())
_, err = secretAuthenticator.Auth()
Expect(err).Should(BeNil())
})
})
})
Reference in New Issue View Git Blame Copy Permalink