github.com/oam-dev/cluster-gateway@v1.9.0/pkg/apis/cluster/v1alpha1/clustergateway_proxy_configuration_test.go

github.com/oam-dev/cluster-gateway@v1.9.0/pkg/apis/cluster/v1alpha1/clustergateway_proxy_configuration_test.go (about)

     1  /*
     2  Copyright 2022 The KubeVela Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8  	http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1alpha1
    18  
    19  import (
    20  	"fmt"
    21  	"testing"
    22  
    23  	"github.com/stretchr/testify/require"
    24  	"k8s.io/apiserver/pkg/authentication/user"
    25  	"k8s.io/client-go/rest"
    26  	"k8s.io/utils/pointer"
    27  )
    28  
    29  func TestExchangeIdentity(t *testing.T) {
    30  	testcases := map[string]struct {
    31  		Exchanger *ClientIdentityExchanger
    32  		UserInfo  user.Info
    33  		Cluster   string
    34  		Matched   bool
    35  		RuleName  string
    36  		Projected *rest.ImpersonationConfig
    37  		Error     error
    38  	}{
    39  		"match-user": {
    40  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
    41  				Name:   "user-match",
    42  				Type:   PrivilegedIdentityExchanger,
    43  				Source: &IdentityExchangerSource{User: pointer.String("test")},
    44  			}}},
    45  			UserInfo:  &user.DefaultInfo{Name: "test"},
    46  			Matched:   true,
    47  			RuleName:  "user-match",
    48  			Projected: &rest.ImpersonationConfig{},
    49  			Error:     nil,
    50  		},
    51  		"match-group": {
    52  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
    53  				Name:   "group-match",
    54  				Type:   StaticMappingIdentityExchanger,
    55  				Source: &IdentityExchangerSource{Group: pointer.String("test-group")},
    56  				Target: &IdentityExchangerTarget{Groups: []string{"projected"}},
    57  			}}},
    58  			UserInfo:  &user.DefaultInfo{Name: "test", Groups: []string{"group", "test-group"}},
    59  			Matched:   true,
    60  			RuleName:  "group-match",
    61  			Projected: &rest.ImpersonationConfig{Groups: []string{"projected"}},
    62  			Error:     nil,
    63  		},
    64  		"match-uid": {
    65  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
    66  				Name:   "uid-match",
    67  				Type:   PrivilegedIdentityExchanger,
    68  				Source: &IdentityExchangerSource{UID: pointer.String("12345")},
    69  			}}},
    70  			UserInfo:  &user.DefaultInfo{Name: "abc", UID: "12345"},
    71  			Matched:   true,
    72  			RuleName:  "uid-match",
    73  			Projected: &rest.ImpersonationConfig{},
    74  			Error:     nil,
    75  		},
    76  		"match-cluster": {
    77  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
    78  				Name:   "name-match",
    79  				Type:   PrivilegedIdentityExchanger,
    80  				Source: &IdentityExchangerSource{User: pointer.String("test"), Cluster: pointer.String("c1")},
    81  			}, {
    82  				Name:   "group-match",
    83  				Type:   StaticMappingIdentityExchanger,
    84  				Source: &IdentityExchangerSource{Group: pointer.String("test-group"), Cluster: pointer.String("c2")},
    85  				Target: &IdentityExchangerTarget{Groups: []string{"projected"}},
    86  			}}},
    87  			UserInfo:  &user.DefaultInfo{Name: "test", Groups: []string{"group", "test-group"}},
    88  			Cluster:   "c2",
    89  			Matched:   true,
    90  			RuleName:  "group-match",
    91  			Projected: &rest.ImpersonationConfig{Groups: []string{"projected"}},
    92  			Error:     nil,
    93  		},
    94  		"match-user-pattern": {
    95  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
    96  				Name:   "user-pattern-match",
    97  				Type:   PrivilegedIdentityExchanger,
    98  				Source: &IdentityExchangerSource{UserPattern: pointer.String("test-.*")},
    99  			}}},
   100  			UserInfo:  &user.DefaultInfo{Name: "test-1234"},
   101  			Matched:   true,
   102  			RuleName:  "user-pattern-match",
   103  			Projected: &rest.ImpersonationConfig{},
   104  			Error:     nil,
   105  		},
   106  		"match-group-pattern": {
   107  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
   108  				Name:   "group-pattern-match",
   109  				Type:   StaticMappingIdentityExchanger,
   110  				Source: &IdentityExchangerSource{GroupPattern: pointer.String("test-group:.+")},
   111  				Target: &IdentityExchangerTarget{Groups: []string{"projected"}},
   112  			}}},
   113  			UserInfo:  &user.DefaultInfo{Name: "test", Groups: []string{"group:1", "test-group:2"}},
   114  			Matched:   true,
   115  			RuleName:  "group-pattern-match",
   116  			Projected: &rest.ImpersonationConfig{Groups: []string{"projected"}},
   117  			Error:     nil,
   118  		},
   119  		"match-cluster-pattern": {
   120  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
   121  				Name:   "cluster-pattern-match",
   122  				Type:   StaticMappingIdentityExchanger,
   123  				Source: &IdentityExchangerSource{ClusterPattern: pointer.String("cluster-\\d+")},
   124  				Target: &IdentityExchangerTarget{User: "special"},
   125  			}}},
   126  			UserInfo:  &user.DefaultInfo{Name: "test"},
   127  			Cluster:   "cluster-1",
   128  			Matched:   true,
   129  			RuleName:  "cluster-pattern-match",
   130  			Projected: &rest.ImpersonationConfig{UserName: "special"},
   131  			Error:     nil,
   132  		},
   133  		"not-implemented": {
   134  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
   135  				Name:   "external-identity-exchange",
   136  				Type:   ExternalIdentityExchanger,
   137  				Source: &IdentityExchangerSource{ClusterPattern: pointer.String("cluster-\\d+")},
   138  				URL:    pointer.String("http://1.2.3.4:5000"),
   139  			}}},
   140  			UserInfo:  &user.DefaultInfo{Name: "test"},
   141  			Cluster:   "cluster-1",
   142  			Matched:   true,
   143  			RuleName:  "external-identity-exchange",
   144  			Projected: nil,
   145  			Error:     fmt.Errorf("ExternalIdentityExchanger is not implemented"),
   146  		},
   147  		"no-match": {
   148  			Exchanger: &ClientIdentityExchanger{Rules: []ClientIdentityExchangeRule{{
   149  				Name:   "cluster-pattern-match",
   150  				Type:   StaticMappingIdentityExchanger,
   151  				Source: &IdentityExchangerSource{ClusterPattern: pointer.String("cluster-\\d+")},
   152  				Target: &IdentityExchangerTarget{User: "special"},
   153  			}}},
   154  			UserInfo: &user.DefaultInfo{Name: "test"},
   155  			Cluster:  "cluster-other",
   156  			Matched:  false,
   157  		},
   158  	}
   159  	for name, tt := range testcases {
   160  		t.Run(name, func(t *testing.T) {
   161  			matched, ruleName, projected, err := ExchangeIdentity(tt.Exchanger, tt.UserInfo, tt.Cluster)
   162  			if tt.Error != nil {
   163  				require.Error(t, tt.Error, err)
   164  				return
   165  			}
   166  			require.NoError(t, err)
   167  			require.Equal(t, tt.Matched, matched)
   168  			require.Equal(t, tt.RuleName, ruleName)
   169  			require.Equal(t, tt.Projected, projected)
   170  		})
   171  	}
   172  }