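// Source: github.com/Azure/aad-pod-identity@v1.8.17/pkg/nmi/managed_test.go

package nmi

import (
	"context"
	"reflect"
	"testing"

	aadpodid "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity"

	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// ListPodIdsWithBinding is the test double's identity lookup. It ignores podns
// and labels and returns whatever the fake was seeded with, so a case's
// azureIdentities slice is exactly the candidate set the code under test sees.
func (c *TestKubeClient) ListPodIdsWithBinding(podns string, labels map[string]string) ([]aadpodid.AzureIdentity, error) {
	// A failed assertion (including a nil seed) deliberately yields a nil slice
	// rather than an error: that is how the "no azure identity found" case is modelled.
	identities, _ := c.azureIdentities.([]aadpodid.AzureIdentity)
	return identities, nil
}

// GetPod is the test double's pod lookup. It always succeeds with an empty
// pod, so no labels take part in identity selection in these tests.
func (c *TestKubeClient) GetPod(ns, name string) (v1.Pod, error) {
	return v1.Pod{}, nil
}

// TestGetIdentitiesManagedClient pins which AzureIdentity GetIdentities hands
// back for a request that names a clientID, a resourceID, or neither.
//
// The two "no matching identity" cases are the ones that guard the selection
// logic: each seeds an identity whose *other* field carries the requested
// value, so a selector that compared against the wrong field would return an
// identity the caller did not ask for and the case would fail.
//
// NOTE(review): isNamespaced is declared in the table but never read; every
// case runs with Config{Namespaced: true}.
func TestGetIdentitiesManagedClient(t *testing.T) {
	cases := []struct {
		name                  string
		azureIdentities       []aadpodid.AzureIdentity
		clientID              string
		resourceID            string
		expectedErr           bool
		expectedAzureIdentity *aadpodid.AzureIdentity
		isNamespaced          bool
		podName               string
		podNamespace          string
	}{
		{
			name:                  "no azure identity found",
			azureIdentities:       nil,
			expectedErr:           true,
			expectedAzureIdentity: nil,
			podName:               "pod1",
			podNamespace:          "default",
		},
		{
			name: "clientID in request, but no matching identity",
			azureIdentities: []aadpodid.AzureIdentity{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid2",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ClientID:   "clientid2",
						ResourceID: "clientid1", // ensure we are matching against ClientID, not ResourceID
					},
				},
			},
			expectedErr:           true,
			expectedAzureIdentity: nil,
			podName:               "pod2",
			podNamespace:          "default",
			clientID:              "clientid1",
		},
		{
			name: "resourceID in request, but no matching identity",
			azureIdentities: []aadpodid.AzureIdentity{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid2",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ClientID:   "clientid1", // ensure we are matching against ResourceID, not ClientID
						ResourceID: "resourceid2",
					},
				},
			},
			expectedErr:           true,
			expectedAzureIdentity: nil,
			podName:               "pod2",
			podNamespace:          "default",
			// The request must travel in resourceID (it was previously sent as
			// clientID, so the resourceID path had no negative coverage). The value
			// equals the seeded ClientID so a cross-field match would be caught.
			resourceID: "clientid1",
		},
		{
			name: "clientID in request, found matching identity",
			azureIdentities: []aadpodid.AzureIdentity{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid3",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ClientID: "clientid3",
					},
				},
			},
			expectedErr: false,
			expectedAzureIdentity: &aadpodid.AzureIdentity{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "azid3",
					Namespace: "default",
				},
				Spec: aadpodid.AzureIdentitySpec{
					ClientID: "clientid3",
				},
			},
			podName:      "pod3",
			podNamespace: "default",
			clientID:     "clientid3",
		},
		{
			name: "resourceID in request, found matching identity",
			azureIdentities: []aadpodid.AzureIdentity{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid3",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ResourceID: "resourceid3",
					},
				},
			},
			expectedErr: false,
			expectedAzureIdentity: &aadpodid.AzureIdentity{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "azid3",
					Namespace: "default",
				},
				Spec: aadpodid.AzureIdentitySpec{
					ResourceID: "resourceid3",
				},
			},
			podName:      "pod3",
			podNamespace: "default",
			resourceID:   "resourceid3",
		},
		{
			name: "no identity in request, first matching identity in namespace returned",
			azureIdentities: []aadpodid.AzureIdentity{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid2",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ClientID:   "clientid2",
						ResourceID: "resourceid2",
					},
				},
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "azid3",
						Namespace: "default",
					},
					Spec: aadpodid.AzureIdentitySpec{
						ClientID:   "clientid3",
						ResourceID: "resourceid3",
					},
				},
			},
			expectedErr: false,
			expectedAzureIdentity: &aadpodid.AzureIdentity{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "azid2",
					Namespace: "default",
				},
				Spec: aadpodid.AzureIdentitySpec{
					ClientID:   "clientid2",
					ResourceID: "resourceid2",
				},
			},
			podName:      "pod4",
			podNamespace: "default",
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			tokenClient, err := NewManagedTokenClient(NewTestKubeClient(tc.azureIdentities), Config{Namespaced: true})
			if err != nil {
				t.Fatalf("expected err to be nil, got: %v", err)
			}

			azIdentity, err := tokenClient.GetIdentities(context.Background(), tc.podNamespace, tc.podName, tc.clientID, tc.resourceID)
			if tc.expectedErr != (err != nil) {
				t.Fatalf("expected error: %v, got: %v", tc.expectedErr, err)
			}
			// Compare the whole object, not just an ID: on the error cases this
			// also asserts that no identity is returned alongside the error.
			if !reflect.DeepEqual(tc.expectedAzureIdentity, azIdentity) {
				t.Fatalf("expected the azure identity to be equal")
			}
		})
	}
}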