
Commit 68c6657

committed
test: validate bypass hostname check behaviour
see #76
1 parent f7f44c2 commit 68c6657

2 files changed

+63
-14
lines changed

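--- a/internal/controller/csr_controller_test.go
+++ b/internal/controller/csr_controller_test.go
@@ -38,7 +38,8 @@ func TestValidCsrApproved(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &validCsr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(validCsr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(validCsr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.False(t, denied)
 assert.True(t, approved)
@@ -58,7 +59,8 @@ func TestWrongSignerCsr(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.False(t, denied)
 assert.False(t, approved)
@@ -78,12 +80,38 @@ func TestNonMatchingCommonNameUsername(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
 }
 
+func TestHostnameSANNameMismatchWithBypass(t *testing.T) {
+csrParams := CsrParams{
+csrName: "csr-mismatch-SAN-hostname-with-bypass",
+nodeName: testNodeName,
+dnsName: "hostname-000.test.ch",
+}
+dnsResolver.Zones[csrParams.dnsName+"."] = mockdns.Zone{
+A: []string{"192.168.0.14"},
+} // we mock the dns zone of this test, as we really only want the invalid dns name to make it fail
+
+csrController.BypassHostnameCheck = true
+defer func() { csrController.BypassHostnameCheck = false }()
+
+csr := createCsr(t, csrParams)
+_, nodeClientSet, _ := createControlPlaneUser(t, csr.Spec.Username, []string{"system:masters"})
+
+_, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
+require.Nil(t, err, "Could not create the CSR.")
+
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log("CSR rejected with the following reason:" + reason)
+require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
+assert.True(t, approved)
+assert.False(t, denied)
+}
 func TestInvalidDNSName(t *testing.T) {
 csrParams := CsrParams{
 csrName: "csr-invalid-dnsName",
@@ -99,7 +127,8 @@ func TestInvalidDNSName(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
@@ -120,7 +149,8 @@ func TestInvalidRegexName(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
@@ -137,7 +167,8 @@ func TestUnresolvedDNSName(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
@@ -156,7 +187,8 @@ func TestMismatchedResolvedIpsSANIps(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
@@ -176,7 +208,8 @@ func TestExpirationSecondsTooLarge(t *testing.T) {
 _, err := nodeClientSet.CertificatesV1().CertificateSigningRequests().Create(testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, denied)
 assert.False(t, approved)
@@ -198,7 +231,8 @@ func TestBypassDNSResolution(t *testing.T) {
 testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.True(t, approved)
 assert.False(t, denied)
@@ -222,7 +256,8 @@ func TestIPv4NotWhitelisted(t *testing.T) {
 testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.False(t, approved)
 assert.True(t, denied)
@@ -246,7 +281,8 @@ func TestIPv6NotWhitelisted(t *testing.T) {
 testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.False(t, approved)
 assert.True(t, denied)
@@ -269,7 +305,8 @@ func TestIPv6WithoutDNSNotWhitelisted(t *testing.T) {
 testContext, &csr, metav1.CreateOptions{})
 require.Nil(t, err, "Could not create the CSR.")
 
-approved, denied, err := waitCsrApprovalStatus(csr.Name)
+approved, denied, reason, err := waitCsrApprovalStatus(csr.Name)
+t.Log(reason)
 require.Nil(t, err, "Could not retrieve the CSR to check its approval status")
 assert.False(t, approved)
 assert.True(t, denied)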
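Review bot: In TestHostnameSANNameMismatchWithBypass the log line `t.Log("CSR rejected with the following reason:" + reason)` announces a rejection, yet the test asserts the CSR is approved, so what it prints is the approval message; use the neutral `t.Log(reason)` every other test in this hunk uses, or `t.Logf("CSR approval condition message: %s", reason)`. More important for a check-bypass flag, this test has no negative control: nothing visible here shows that the same CsrParams are denied while BypassHostnameCheck is at its default, so the test would also pass if the hostname check never fired at all; if such a test does not exist elsewhere in the file, add a sibling with identical parameters and the flag untouched that asserts `denied`. The flag is toggled on the shared csrController and restored by a defer, which only works while the test stays serial; a comment such as `// mutates the shared controller; must not be run with t.Parallel()` would make that constraint explicit.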

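--- a/internal/controller/testenv_setup_test.go
+++ b/internal/controller/testenv_setup_test.go
@@ -35,6 +35,7 @@ import (
 "github.com/postfinance/kubelet-csr-approver/internal/controller"
 
 "github.com/thanhpk/randstr"
+capiv1 "k8s.io/api/certificates/v1"
 certificates_v1 "k8s.io/api/certificates/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 clientset "k8s.io/client-go/kubernetes"
@@ -54,7 +55,7 @@ var csrController *controller.CertificateSigningRequestReconciler
 var testContext context.Context
 var testContextCancel context.CancelFunc
 
-func waitCsrApprovalStatus(csrName string) (approved, denied bool, err error) {
+func waitCsrApprovalStatus(csrName string) (approved, denied bool, reason string, err error) {
 for i := 0; i < 3; i++ {
 time.Sleep(250 * time.Millisecond)
 csr, err := adminClientset.CertificatesV1().CertificateSigningRequests().
@@ -63,7 +64,18 @@ func waitCsrApprovalStatus(csrName string) (approved, denied bool, err error) {
 continue
 }
 
-approved, denied = controller.GetCertApprovalCondition(&csr.Status)
+for _, c := range csr.Status.Conditions {
+if c.Type == capiv1.CertificateApproved {
+approved = true
+reason = c.Message
+}
+
+if c.Type == capiv1.CertificateDenied {
+denied = true
+reason = c.Message
+
+}
+}
 if approved || denied {
 break
 }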
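Review bot: The new condition loop in waitCsrApprovalStatus reimplements what controller.GetCertApprovalCondition did on the removed line instead of calling it, so the test helper and the production helper can now silently diverge; keeping `approved, denied = controller.GetCertApprovalCondition(&csr.Status)` and adding only a short loop that copies `c.Message` into `reason` would preserve the single source of truth. As written the loop treats any condition of type Approved or Denied as set without consulting `c.Status`, and if both types are present `reason` is whichever condition is iterated last — presumably the replaced helper behaved the same for the booleans, but a one-line comment stating that only the condition type is inspected would save the next reader from checking. The import hunk adds `capiv1` for `k8s.io/api/certificates/v1`, which the file already imports as `certificates_v1` on the very next line; staticcheck flags duplicate imports (ST1019), so reuse the existing alias in the loop and drop the new import line. waitCsrApprovalStatus continues past the end of this hunk.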
