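// Listing: github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/tests/rkt_auth_test.go

// Copyright 2015 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"
	"testing"

	taas "github.com/coreos/rkt/tests/test-auth-server/aci"
	"github.com/coreos/rkt/tests/testutils"
)

// TestAuthSanity runs rkt against a test server started with taas.None
// and expects the fetch to succeed without any auth configuration
// being written.
func TestAuthSanity(t *testing.T) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()
	server := runServer(t, taas.None)
	defer server.Close()
	expectedRunRkt(ctx, t, server.URL, "sanity", authSuccessfulDownload)
}

// Output lines the tests wait for in rkt's output.
const (
	// authSuccessfulDownload is expected when the image was fetched and run.
	authSuccessfulDownload = "Authentication succeeded."
	// authFailedDownload is expected when the server rejected the fetch
	// with HTTP 401, i.e. rkt sent no credentials or wrong ones.
	authFailedDownload = "error downloading ACI: bad HTTP status code: 401"
)

// authConfDir selects which configuration directory, if any, a test
// case writes the auth config into.
type authConfDir int

const (
	authConfDirNone   authConfDir = iota // write no config at all
	authConfDirLocal                     // write into ctx.LocalDir()
	authConfDirSystem                    // write into ctx.SystemDir()
)

// genericAuthTest is one table entry for testAuthGeneric.
type genericAuthTest struct {
	name         string      // used as the directory component of the image URL
	confDir      authConfDir // where server.Conf is written before the run
	expectedLine string      // output line the second rkt run must print
}

// TestAuthBasic checks taas.Basic auth: the fetch must fail with 401
// without a config and succeed with the config in either directory.
func TestAuthBasic(t *testing.T) {
	tests := []genericAuthTest{
		{"basic-no-config", authConfDirNone, authFailedDownload},
		{"basic-local-config", authConfDirLocal, authSuccessfulDownload},
		{"basic-system-config", authConfDirSystem, authSuccessfulDownload},
	}
	testAuthGeneric(t, taas.Basic, tests)
}

// TestAuthOauth is the taas.Oauth counterpart of TestAuthBasic.
func TestAuthOauth(t *testing.T) {
	tests := []genericAuthTest{
		{"oauth-no-config", authConfDirNone, authFailedDownload},
		{"oauth-local-config", authConfDirLocal, authSuccessfulDownload},
		{"oauth-system-config", authConfDirSystem, authSuccessfulDownload},
	}
	testAuthGeneric(t, taas.Oauth, tests)
}

// testAuthGeneric starts one server with the given auth type and runs
// every table entry against it. For each entry it writes server.Conf as
// test.json into the selected directory's auth.d (or writes nothing),
// runs rkt, and resets the run context before the next entry.
func testAuthGeneric(t *testing.T, auth taas.Type, tests []genericAuthTest) {
	server := runServer(t, auth)
	defer server.Close()
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()
	for _, tt := range tests {
		switch tt.confDir {
		case authConfDirNone:
			// no config to write
		case authConfDirLocal:
			writeConfig(t, ctx.LocalDir(), "test.json", server.Conf)
		case authConfDirSystem:
			writeConfig(t, ctx.SystemDir(), "test.json", server.Conf)
		default:
			// Fail this test through the testing framework instead of
			// panicking the whole test binary.
			t.Fatalf("Wrong config directory: %d", tt.confDir)
		}
		expectedRunRkt(ctx, t, server.URL, tt.name, tt.expectedLine)
		ctx.Reset()
	}
}

// TestAuthOverride checks precedence between the two config
// directories: each case first writes only the system config and runs
// rkt, then adds a local config with the same file name and runs again.
// The expected results show that the local file wins: a valid system
// config stops working once an invalid local one exists, and an invalid
// system config is repaired by a valid local one.
func TestAuthOverride(t *testing.T) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()
	server := runServer(t, taas.Oauth)
	defer server.Close()
	tests := []struct {
		systemConfig         string
		localConfig          string
		name                 string
		resultBeforeOverride string
		resultAfterOverride  string
	}{
		{server.Conf, getInvalidOAuthConfig(server.Conf), "valid-system-invalid-local", authSuccessfulDownload, authFailedDownload},
		{getInvalidOAuthConfig(server.Conf), server.Conf, "invalid-system-valid-local", authFailedDownload, authSuccessfulDownload},
	}
	for _, tt := range tests {
		writeConfig(t, ctx.SystemDir(), "test.json", tt.systemConfig)
		expectedRunRkt(ctx, t, server.URL, tt.name+"-1", tt.resultBeforeOverride)
		writeConfig(t, ctx.LocalDir(), "test.json", tt.localConfig)
		expectedRunRkt(ctx, t, server.URL, tt.name+"-2", tt.resultAfterOverride)
		ctx.Reset()
	}
}

// TestAuthIgnore checks that files which are not proper auth configs
// are not picked up as credentials.
func TestAuthIgnore(t *testing.T) {
	server := runServer(t, taas.Oauth)
	defer server.Close()
	testAuthIgnoreBogusFiles(t, server)
	testAuthIgnoreSubdirectories(t, server)
}

// testAuthIgnoreBogusFiles places a plain-text README and a valid config
// under a non-.json name (test.notjson) into both auth.d directories and
// expects a 401: neither file may be loaded as credentials.
func testAuthIgnoreBogusFiles(t *testing.T, server *taas.Server) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()
	writeConfig(t, ctx.SystemDir(), "README", "This is system config")
	writeConfig(t, ctx.LocalDir(), "README", "This is local config")
	writeConfig(t, ctx.SystemDir(), "test.notjson", server.Conf)
	writeConfig(t, ctx.LocalDir(), "test.notjson", server.Conf)
	expectedRunRkt(ctx, t, server.URL, "oauth-bogus-files", authFailedDownload)
}

// testAuthIgnoreSubdirectories writes a valid config below a "subdir"
// directory in both config trees and expects a 401.
//
// NOTE(review): writeConfig appends auth.d to the directory it is given,
// so the files land in <confdir>/subdir/auth.d/test.json, not in
// <confdir>/auth.d/subdir/test.json. If the intent is to prove that
// subdirectories of auth.d are not traversed, this test does not
// exercise that path - confirm and adjust the directory if so.
func testAuthIgnoreSubdirectories(t *testing.T, server *taas.Server) {
	ctx := testutils.NewRktRunCtx()
	defer ctx.Cleanup()
	localSubdir := filepath.Join(ctx.LocalDir(), "subdir")
	systemSubdir := filepath.Join(ctx.SystemDir(), "subdir")
	writeConfig(t, localSubdir, "test.json", server.Conf)
	writeConfig(t, systemSubdir, "test.json", server.Conf)
	expectedRunRkt(ctx, t, server.URL, "oauth-subdirectories", authFailedDownload)
}

// runServer starts a test auth server of the given type and a goroutine
// that forwards its messages to the test log. The ACTOOL and GO
// environment variables supply the tool paths handed to the server.
// The meaning of the literal 20 passed to NewServerWithPaths is not
// visible in this file.
func runServer(t *testing.T, auth taas.Type) *taas.Server {
	actool := testutils.GetValueFromEnvOrPanic("ACTOOL")
	gotool := testutils.GetValueFromEnvOrPanic("GO")
	server, err := taas.NewServerWithPaths(auth, 20, actool, gotool)
	if err != nil {
		t.Fatalf("Could not start server: %v", err)
	}
	go serverHandler(t, server)
	return server
}

// serverHandler logs every message received on server.Msg until
// server.Stop fires.
//
// NOTE(review): nothing waits for this goroutine; presumably
// server.Close signals Stop before the test returns - confirm, since
// logging through t after the test has finished is not safe.
func serverHandler(t *testing.T, server *taas.Server) {
	msgs := server.Msg
	for {
		select {
		case msg, ok := <-msgs:
			if !ok {
				// A closed channel is always ready to receive, so
				// leaving it in the select would spin the loop until
				// Stop fires. A nil channel is never ready, which
				// leaves only the Stop case active.
				msgs = nil
				continue
			}
			t.Logf("server: %v", msg)
		case <-server.Stop:
			return
		}
	}
}

// expectedRunRkt tries to fetch and run a prog.aci from host within
// given directory on host. Note that directory can be anything - it's
// useful for ensuring that image name is unique and for descriptive
// purposes.
//
// rkt is run twice. The first run leaves signature verification on and
// must fail with a signature download error, which pins the secure
// default. The second run passes --insecure-skip-verify, which is only
// acceptable here because the test server serves no signatures, and
// must print line.
func expectedRunRkt(ctx *testutils.RktRunCtx, t *testing.T, host, dir, line string) {
	// First, check that --insecure-skip-verify is required
	// The server does not provide signatures for now.
	cmd := fmt.Sprintf(`%s --debug run --mds-register=false %s/%s/prog.aci`, ctx.Cmd(), host, dir)
	child := spawnOrFail(t, cmd)
	// The receiver is evaluated when defer executes, so this reaps the
	// first child even though the variable is reassigned below.
	defer child.Wait()
	signatureErrorLine := "error downloading the signature file"
	if err := expectWithOutput(child, signatureErrorLine); err != nil {
		t.Fatalf("Didn't receive expected output %q: %v", signatureErrorLine, err)
	}

	// Then, run with --insecure-skip-verify
	cmd = fmt.Sprintf(`%s --debug --insecure-skip-verify run --mds-register=false %s/%s/prog.aci`, ctx.Cmd(), host, dir)
	child = spawnOrFail(t, cmd)
	defer child.Wait()
	if err := expectWithOutput(child, line); err != nil {
		t.Fatalf("Didn't receive expected output %q: %v", line, err)
	}
}

// writeConfig writes contents to <baseDir>/auth.d/<filename>, creating
// the directory if needed and replacing any existing file.
//
// The file is created with mode 0644. The contents here are a throwaway
// test token; a real auth.d file carries live credentials and should
// not be readable by other users.
func writeConfig(t *testing.T, baseDir, filename, contents string) {
	dir := authDir(baseDir)
	if err := os.MkdirAll(dir, 0755); err != nil {
		t.Fatalf("Failed to create config directory %q: %v", dir, err)
	}
	path := filepath.Join(dir, filename)
	// Best effort: the file usually does not exist yet, and any other
	// failure will surface through WriteFile below.
	_ = os.Remove(path)
	if err := ioutil.WriteFile(path, []byte(contents), 0644); err != nil {
		t.Fatalf("Failed to write file %q: %v", path, err)
	}
}

// authDir returns the auth.d subdirectory of the given config directory.
func authDir(confDir string) string {
	return filepath.Join(confDir, "auth.d")
}

// getInvalidOAuthConfig returns conf with the first occurrence of the
// token "sometoken" replaced by a wrong one. If conf does not contain
// "sometoken" the result equals conf, i.e. it stays valid.
func getInvalidOAuthConfig(conf string) string {
	return strings.Replace(conf, "sometoken", "someobviouslywrongtoken", 1)
}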