k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kubeadm/test/kubeconfig/util.go (about)

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package kubeconfig
    18  
    19  import (
    20  	"crypto/x509"
    21  	"encoding/pem"
    22  	"testing"
    23  	"time"
    24  
    25  	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
    26  
    27  	certstestutil "k8s.io/kubernetes/cmd/kubeadm/app/util/certs"
    28  )
    29  
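    // AssertKubeConfigCurrentCluster is a utility function for kubeadm testing that asserts that the
    // cluster referenced by the current context of the given KubeConfig object points at the expected
    // API server address and embeds the expected CA certificate.
    //
    // Failures are reported through t.Error/t.Errorf. A missing current context, a missing cluster
    // entry, or CA data that is not PEM encoded is reported as a test failure instead of causing a
    // nil-pointer panic inside the helper.
    func AssertKubeConfigCurrentCluster(t *testing.T, config *clientcmdapi.Config, expectedAPIServerAddress string, expectedAPIServerCaCert *x509.Certificate) {
    	// Attribute failures to the calling test rather than to this helper.
    	t.Helper()

    	// Contexts and Clusters are maps of pointers: an unknown key yields nil, so guard before use.
    	currentContext := config.Contexts[config.CurrentContext]
    	if currentContext == nil {
    		t.Errorf("kubeconfig.currentContext [%s] not found in kubeconfig.contexts", config.CurrentContext)
    		return
    	}
    	currentCluster := config.Clusters[currentContext.Cluster]
    	if currentCluster == nil {
    		t.Errorf("kubeconfig.currentCluster [%s] not found in kubeconfig.clusters", currentContext.Cluster)
    		return
    	}

    	// Assert expectedAPIServerAddress
    	if currentCluster.Server != expectedAPIServerAddress {
    		t.Errorf("kubeconfig.currentCluster.Server is [%s], expected [%s]", currentCluster.Server, expectedAPIServerAddress)
    	}

    	// Assert the APIServerCaCert
    	if len(currentCluster.CertificateAuthorityData) == 0 {
    		t.Error("kubeconfig.currentCluster.CertificateAuthorityData is empty, expected not empty")
    		return
    	}

    	// pem.Decode returns a nil block when the input holds no PEM data.
    	block, _ := pem.Decode(currentCluster.CertificateAuthorityData)
    	if block == nil {
    		t.Error("kubeconfig.currentCluster.CertificateAuthorityData is not PEM encoded")
    		return
    	}
    	currentAPIServerCaCert, err := x509.ParseCertificate(block.Bytes)
    	if err != nil {
    		t.Errorf("kubeconfig.currentCluster.CertificateAuthorityData is not a valid CA: %v", err)
    		return
    	}

    	// Certificate.Equal compares the raw DER encoding, so this pins the exact CA certificate
    	// rather than any certificate that merely carries the same subject.
    	if !currentAPIServerCaCert.Equal(expectedAPIServerCaCert) {
    		t.Errorf("kubeconfig.currentCluster.CertificateAuthorityData not correspond to the expected CA cert")
    	}
    }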
    58  
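    // AssertKubeConfigCurrentAuthInfoWithClientCert is a utility function for kubeadm testing that asserts
    // that the auth info referenced by the current context of the given KubeConfig object embeds a client
    // certificate that is signed by signinCa, expires at expectedNotAfter, allows client authentication,
    // and carries expectedClientName as CommonName and expectedOrganizations as Organizations.
    //
    // Failures are reported through t.Error/t.Errorf. A missing current context, a missing auth info
    // entry, or certificate data that is not PEM encoded is reported as a test failure instead of
    // causing a nil-pointer panic inside the helper.
    func AssertKubeConfigCurrentAuthInfoWithClientCert(t *testing.T, config *clientcmdapi.Config, signinCa *x509.Certificate, expectedNotAfter time.Time, expectedClientName string, expectedOrganizations ...string) {
    	// Attribute failures to the calling test rather than to this helper.
    	t.Helper()

    	// Contexts and AuthInfos are maps of pointers: an unknown key yields nil, so guard before use.
    	currentContext := config.Contexts[config.CurrentContext]
    	if currentContext == nil {
    		t.Errorf("kubeconfig.currentContext [%s] not found in kubeconfig.contexts", config.CurrentContext)
    		return
    	}
    	currentAuthInfo := config.AuthInfos[currentContext.AuthInfo]
    	if currentAuthInfo == nil {
    		t.Errorf("kubeconfig.currentAuthInfo [%s] not found in kubeconfig.authInfos", currentContext.AuthInfo)
    		return
    	}

    	// assert clientCert
    	if len(currentAuthInfo.ClientCertificateData) == 0 {
    		t.Error("kubeconfig.currentAuthInfo.ClientCertificateData is empty, expected not empty")
    		return
    	}

    	// pem.Decode returns a nil block when the input holds no PEM data.
    	block, _ := pem.Decode(currentAuthInfo.ClientCertificateData)
    	if block == nil {
    		t.Error("kubeconfig.currentAuthInfo.ClientCertificateData is not PEM encoded")
    		return
    	}
    	currentClientCert, err := x509.ParseCertificate(block.Bytes)
    	if err != nil {
    		// This is the client certificate, not a CA, so the message says so.
    		t.Errorf("kubeconfig.currentAuthInfo.ClientCertificateData is not a valid certificate: %v", err)
    		return
    	}

    	// Asserts the clientCert is signed by the signinCa
    	certstestutil.AssertCertificateIsSignedByCa(t, currentClientCert, signinCa)

    	// Assert the clientCert has expected NotAfter
    	certstestutil.AssertCertificateHasNotAfter(t, currentClientCert, expectedNotAfter)

    	// Asserts the clientCert has ClientAuth ExtKeyUsage
    	certstestutil.AssertCertificateHasClientAuthUsage(t, currentClientCert)

    	// Asserts the clientCert has expectedClientName as CommonName
    	certstestutil.AssertCertificateHasCommonName(t, currentClientCert, expectedClientName)

    	// Asserts the clientCert has expected Organizations
    	certstestutil.AssertCertificateHasOrganizations(t, currentClientCert, expectedOrganizations...)
    }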
    93  
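    // AssertKubeConfigCurrentAuthInfoWithToken is a utility function for kubeadm testing that asserts
    // that the auth info referenced by the current context of the given KubeConfig object carries the
    // expected token.
    //
    // expectedClientName is accepted for signature compatibility but is not checked by this function.
    // On mismatch both the actual and the expected token are written to the test output, so callers
    // should pass fixture tokens only. A missing current context or auth info entry is reported as a
    // test failure instead of causing a nil-pointer panic inside the helper.
    func AssertKubeConfigCurrentAuthInfoWithToken(t *testing.T, config *clientcmdapi.Config, expectedClientName, expectedToken string) {
    	// Attribute failures to the calling test rather than to this helper.
    	t.Helper()

    	// Contexts and AuthInfos are maps of pointers: an unknown key yields nil, so guard before use.
    	currentContext := config.Contexts[config.CurrentContext]
    	if currentContext == nil {
    		t.Errorf("kubeconfig.currentContext [%s] not found in kubeconfig.contexts", config.CurrentContext)
    		return
    	}
    	currentAuthInfo := config.AuthInfos[currentContext.AuthInfo]
    	if currentAuthInfo == nil {
    		t.Errorf("kubeconfig.currentAuthInfo [%s] not found in kubeconfig.authInfos", currentContext.AuthInfo)
    		return
    	}

    	// assert token
    	if currentAuthInfo.Token != expectedToken {
    		t.Errorf("kubeconfig.currentAuthInfo.Token [%s], expected [%s]", currentAuthInfo.Token, expectedToken)
    	}
    }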
   106  
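   // AssertKubeConfigCurrentContextWithClusterName is a utility function for kubeadm testing that asserts
   // that the current context of the given KubeConfig object refers to the expected cluster name.
   //
   // A current context that is missing from the Contexts map is reported as a test failure instead of
   // causing a nil-pointer panic inside the helper.
   func AssertKubeConfigCurrentContextWithClusterName(t *testing.T, config *clientcmdapi.Config, expectedClusterName string) {
   	// Attribute failures to the calling test rather than to this helper.
   	t.Helper()

   	// Contexts is a map of pointers: an unknown key yields nil, so guard before use.
   	currentContext := config.Contexts[config.CurrentContext]
   	if currentContext == nil {
   		t.Errorf("kubeconfig.currentContext [%s] not found in kubeconfig.contexts", config.CurrentContext)
   		return
   	}

   	// assert cluster name
   	if currentContext.Cluster != expectedClusterName {
   		t.Errorf("kubeconfig.currentContext.clusterName [%s], expected [%s]", currentContext.Cluster, expectedClusterName)
   	}
   }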