Add e2e tests for auth annotation

2017-11-12 13:52:55 -03:00 · 2017-11-12 13:52:55 -03:00 · a858c549d9
commit a858c549d9
parent 35363ff9f9
8 changed files with 416 additions and 28 deletions
--- a/test/e2e/annotations/alias.go
+++ b/test/e2e/annotations/alias.go
@ -19,6 +19,7 @@ package annotations
 import (
 	"fmt"
 	"net/http"
+	"strings"

 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -75,7 +76,11 @@ var _ = framework.IngressNginxDescribe("Annotations - Alias", func() {
 		Expect(err).NotTo(HaveOccurred())
 		Expect(ing).NotTo(BeNil())

-		err = f.WaitForNginxServer(host)
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name foo") &&
+					!strings.Contains(server, "return 503")
+			})
 		Expect(err).NotTo(HaveOccurred())

 		resp, body, errs := gorequest.New().
@ -98,19 +103,19 @@ var _ = framework.IngressNginxDescribe("Annotations - Alias", func() {
 	})

 	It("should return status code 200 for host 'foo' and 'bar'", func() {
-		host := "bar"
+		host := "foo"
 		ing, err := f.EnsureIngress(&v1beta1.Ingress{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      host,
 				Namespace: f.Namespace.Name,
 				Annotations: map[string]string{
-					"nginx.ingress.kubernetes.io/server-alias": host,
+					"nginx.ingress.kubernetes.io/server-alias": "bar",
 				},
 			},
 			Spec: v1beta1.IngressSpec{
 				Rules: []v1beta1.IngressRule{
 					{
-						Host: "foo",
+						Host: host,
 						IngressRuleValue: v1beta1.IngressRuleValue{
 							HTTP: &v1beta1.HTTPIngressRuleValue{
 								Paths: []v1beta1.HTTPIngressPath{
@ -132,7 +137,11 @@ var _ = framework.IngressNginxDescribe("Annotations - Alias", func() {
 		Expect(err).NotTo(HaveOccurred())
 		Expect(ing).NotTo(BeNil())

-		err = f.WaitForNginxServer(host)
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name foo") &&
+					!strings.Contains(server, "return 503")
+			})
 		Expect(err).NotTo(HaveOccurred())

 		hosts := []string{"foo", "bar"}
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -1,15 +1,303 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package annotations

-// Tests:
-// No auth
-// Basic
+import (
+	"fmt"
+	"net/http"
+	"os/exec"
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/parnurzeal/gorequest"
+
+	corev1 "k8s.io/api/core/v1"
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("Annotations - Alias", func() {
+	f := framework.NewDefaultFramework("alias")
+
+	BeforeEach(func() {
+		err := f.NewEchoDeployment()
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+	})
+
+	It("should return status code 200 when no authentication is configured", func() {
+		host := "auth"
+
+		ing, err := f.EnsureIngress(buildIngress(host, f.Namespace.Name))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					!strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, body, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		Expect(body).Should(ContainSubstring(fmt.Sprintf("host=%v", host)))
+	})
+
+	It("should return status code 503 when authentication is configured with an invalid secret", func() {
+		host := "auth"
+
+		bi := buildIngress(host, f.Namespace.Name)
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, body, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusServiceUnavailable))
+		Expect(body).Should(ContainSubstring("503 Service Temporarily Unavailable"))
+	})
+
+	It("should return status code 401 when authentication is configured but Authorization header is not configured", func() {
+		host := "auth"
+
+		s, err := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace.Name))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).NotTo(BeNil())
+		Expect(s.ObjectMeta).NotTo(BeNil())
+
+		bi := buildIngress(host, f.Namespace.Name)
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-secret"] = s.Name
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					!strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, body, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusUnauthorized))
+		Expect(body).Should(ContainSubstring("401 Authorization Required"))
+	})
+
+	It("should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials", func() {
+		host := "auth"
+
+		s, err := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace.Name))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).NotTo(BeNil())
+		Expect(s.ObjectMeta).NotTo(BeNil())
+
+		bi := buildIngress(host, f.Namespace.Name)
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-secret"] = s.Name
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					!strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, body, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			SetBasicAuth("user", "pass").
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusUnauthorized))
+		Expect(body).Should(ContainSubstring("401 Authorization Required"))
+	})
+
+	It("should return status code 200 when authentication is configured and Authorization header is sent", func() {
+		host := "auth"
+
+		s, err := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace.Name))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).NotTo(BeNil())
+		Expect(s.ObjectMeta).NotTo(BeNil())
+
+		bi := buildIngress(host, f.Namespace.Name)
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-secret"] = s.Name
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					!strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, _, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			SetBasicAuth("foo", "bar").
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+
+	It("should return status code 500 when authentication is configured with invalid content and Authorization header is sent", func() {
+		host := "auth"
+
+		s, err := f.EnsureSecret(
+			&corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: f.Namespace.Name,
+				},
+				Data: map[string][]byte{
+					// invalid content
+					"auth": []byte("foo:"),
+				},
+				Type: corev1.SecretTypeOpaque,
+			},
+		)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).NotTo(BeNil())
+		Expect(s.ObjectMeta).NotTo(BeNil())
+
+		bi := buildIngress(host, f.Namespace.Name)
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-secret"] = s.Name
+		bi.Annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name auth") &&
+					!strings.Contains(server, "return 503")
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, _, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			SetBasicAuth("foo", "bar").
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusInternalServerError))
+	})
+})
+
+// TODO: test Digest Auth
 //   401
 //   Realm name
 //   Auth ok
 //   Auth error
-// Digest
-//   401
-//   Realm name
-//   Auth ok
-//   Auth error
-// Check return 403 if there's an error retrieving the secret
+
+func buildIngress(host, namespace string) *v1beta1.Ingress {
+	return &v1beta1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        host,
+			Namespace:   namespace,
+			Annotations: map[string]string{},
+		},
+		Spec: v1beta1.IngressSpec{
+			Rules: []v1beta1.IngressRule{
+				{
+					Host: host,
+					IngressRuleValue: v1beta1.IngressRuleValue{
+						HTTP: &v1beta1.HTTPIngressRuleValue{
+							Paths: []v1beta1.HTTPIngressPath{
+								{
+									Path: "/",
+									Backend: v1beta1.IngressBackend{
+										ServiceName: "http-svc",
+										ServicePort: intstr.FromInt(80),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func buildSecret(username, password, name, namespace string) *corev1.Secret {
+	out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
+	encpass := fmt.Sprintf("%v:%s\n", username, out)
+	Expect(err).NotTo(HaveOccurred())
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:                       name,
+			Namespace:                  namespace,
+			DeletionGracePeriodSeconds: framework.NewInt64(1),
+		},
+		Data: map[string][]byte{
+			"auth": []byte(encpass),
+		},
+		Type: corev1.SecretTypeOpaque,
+	}
+}