istio.io/istio@v0.0.0-20240520182934-d79c90f27776/security/pkg/credentialfetcher/fetcher_test.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package credentialfetcher
    16  
    17  import (
    18  	"testing"
    19  
    20  	"istio.io/istio/pkg/security"
    21  	"istio.io/istio/security/pkg/credentialfetcher/plugin"
    22  )
    23  
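// TestNewCredFetcher checks that NewCredFetcher builds a fetcher for each
// supported type and rejects an unknown type with the expected error message.
//
// For every successful case the identity provider reported by the fetcher is
// compared with the expected one. The platform credential itself is fetched
// only for the mock type, so the GCE case never asserts on a token value.
func TestNewCredFetcher(t *testing.T) {
	testCases := map[string]struct {
		fetcherType      string
		trustdomain      string
		jwtPath          string
		identityProvider string
		expectedErr      string
		expectedToken    string
		expectedIdp      string
	}{
		"gce test": {
			fetcherType:      security.GCE,
			trustdomain:      "abc.svc.id.goog",
			jwtPath:          "/var/run/secrets/tokens/istio-token",
			identityProvider: security.GCE,
			expectedErr:      "", // No error when ID token auth is enabled.
			expectedToken:    "",
			expectedIdp:      "GoogleComputeEngine",
		},
		"mock test": {
			fetcherType:      security.Mock,
			trustdomain:      "",
			jwtPath:          "",
			identityProvider: "fakeIDP",
			expectedErr:      "",
			expectedToken:    "test_token",
			expectedIdp:      "fakeIDP",
		},
		"invalid test": {
			fetcherType:      "foo",
			trustdomain:      "",
			jwtPath:          "",
			identityProvider: "",
			expectedErr:      "invalid credential fetcher type foo",
			expectedToken:    "",
			expectedIdp:      "",
		},
	}

	// Disable token refresh for GCE VM credential fetcher.
	//
	// The subtests call t.Parallel(), so they are paused until this function
	// returns. Restoring the setting with a plain statement after the loop
	// would therefore re-enable rotation before any fetcher is constructed.
	// t.Cleanup runs only after all subtests have completed, which keeps
	// rotation off for the whole test and restores it for other tests.
	plugin.SetTokenRotation(false)
	t.Cleanup(func() { plugin.SetTokenRotation(true) })

	for id, tc := range testCases {
		// Per-iteration copies for the parallel closure (needed before Go 1.22).
		id, tc := id, tc
		t.Run(id, func(t *testing.T) {
			t.Parallel()
			cf, err := NewCredFetcher(
				tc.fetcherType, tc.trustdomain, tc.jwtPath, tc.identityProvider)
			if cf != nil {
				defer cf.Stop()
			}

			if tc.expectedErr != "" {
				switch {
				case err == nil:
					// Report the error that was expected; err is nil here.
					t.Errorf("%s: succeeded. Error expected: %v", id, tc.expectedErr)
				case err.Error() != tc.expectedErr:
					t.Errorf("%s: incorrect error message: %s VS %s",
						id, err.Error(), tc.expectedErr)
				}
				return
			}

			// Stop here on failure: cf may be nil, and calling a method on it
			// would panic instead of reporting the real error.
			if err != nil {
				t.Fatalf("%s: unexpected Error: %v", id, err)
			}
			if cf == nil {
				t.Fatalf("%s: NewCredFetcher returned a nil fetcher without an error", id)
			}

			if idp := cf.GetIdentityProvider(); idp != tc.expectedIdp {
				t.Errorf("%s: GetIdentityProvider returned %s, expected %s", id, idp, tc.expectedIdp)
			}

			// Only the mock fetcher's fixed test credential is fetched and
			// printed on mismatch; no platform-issued credential is requested
			// or written to the test log by this test.
			if tc.fetcherType == security.Mock {
				token, err := cf.GetPlatformCredential()
				if err != nil {
					t.Errorf("%s: unexpected error calling GetPlatformCredential: %v", id, err)
				}
				if token != tc.expectedToken {
					t.Errorf("%s: GetPlatformCredential returned %s, expected %s", id, token, tc.expectedToken)
				}
			}
		})
	}
}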