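/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package clustertrustbundles

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"testing"

	certsv1alpha1 "k8s.io/api/certificates/v1alpha1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
	"k8s.io/kubernetes/test/integration/framework"
)

// TestCTBSignerNameChangeForbidden verifies that the API server rejects an
// update that changes spec.signerName on an existing ClusterTrustBundle.
// It covers three transitions: unset -> set, set -> unset, and
// set -> a different value.
func TestCTBSignerNameChangeForbidden(t *testing.T) {
	testCases := []struct {
		objectName string // bundle name; chosen to be valid for both signer1 and signer2
		signer1    string // signerName the bundle is created with
		signer2    string // signerName the update tries to switch to
	}{
		{
			objectName: "foo",
			signer1:    "",
			signer2:    "foo.com/bar",
		},
		{
			objectName: "foo.com:bar:abc",
			signer1:    "foo.com/bar",
			signer2:    "",
		},
		{
			objectName: "foo.com:bar:abc",
			signer1:    "foo.com/bar",
			signer2:    "foo.com/bar2",
		},
	}

	for _, tc := range testCases {
		t.Run(fmt.Sprintf("%s -> %s", tc.signer1, tc.signer2), func(t *testing.T) {
			ctx := context.Background()

			// The ClusterTrustBundle feature gate is enabled explicitly; the
			// resource is served from the v1alpha1 certificates API group.
			server := kubeapiservertesting.StartTestServerOrDie(t, nil, []string{"--feature-gates=ClusterTrustBundle=true"}, framework.SharedEtcd())
			defer server.TearDownFn()

			client := kubernetes.NewForConfigOrDie(server.ClientConfig)

			// A single self-signed CA certificate is enough to make the bundle
			// valid; its contents are irrelevant to the signerName check.
			bundle1 := &certsv1alpha1.ClusterTrustBundle{
				ObjectMeta: metav1.ObjectMeta{
					Name: tc.objectName,
				},
				Spec: certsv1alpha1.ClusterTrustBundleSpec{
					SignerName: tc.signer1,
					TrustBundle: mustMakePEMBlock("CERTIFICATE", nil, mustMakeCertificate(t, &x509.Certificate{
						SerialNumber: big.NewInt(0),
						Subject: pkix.Name{
							CommonName: "root1",
						},
						IsCA:                  true,
						BasicConstraintsValid: true,
					})),
				},
			}
			// Keep the server-returned object so the update below carries the
			// resourceVersion assigned at creation.
			bundle1, err := client.CertificatesV1alpha1().ClusterTrustBundles().Create(ctx, bundle1, metav1.CreateOptions{})
			if err != nil {
				t.Fatalf("Error while creating bundle1: %v", err)
			}

			// Pick a new signer name that is still compatible with the admission
			// restrictions on object name. That way the admission plugin won't get in
			// the way by forbidding the update due to an incompatible name on the
			// cluster trust bundle.
			bundle1.Spec.SignerName = tc.signer2

			// NOTE(review): only the presence of an error is asserted here; the
			// test does not distinguish a signerName-immutability rejection from
			// some other validation or admission failure on the update.
			_, err = client.CertificatesV1alpha1().ClusterTrustBundles().Update(ctx, bundle1, metav1.UpdateOptions{})
			if err == nil {
				// Report the values of the current case rather than a fixed example,
				// so a failure in any subtest names the transition that was exercised.
				t.Fatalf("Got nil error from updating bundle %q from signerName=%q to signerName=%q, but wanted an error", tc.objectName, tc.signer1, tc.signer2)
			}
		})
	}
}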