Fix linux-specific clientaccess test

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Fix linux-specific clientaccess test
0d15457c · Brad Davidson · Brad Davidson · 9bdab191 · 0d15457c · 0d15457c
Commit 0d15457c authored Feb 05, 2025 by Brad Davidson Committed by Brad Davidson Feb 07, 2025
Showing with 65 additions and 59 deletions

unitcoverage.yaml .github/workflows/unitcoverage.yaml +4 -5

token_linux_test.go pkg/clientaccess/token_linux_test.go +61 -0

token_test.go pkg/clientaccess/token_test.go +0 -54

No files found.
--- a/.github/workflows/unitcoverage.yaml
+++ b/.github/workflows/unitcoverage.yaml
@@ -26,8 +26,8 @@ permissions:
  contents: read

 jobs:
-  test:
-    name: Unit Tests
+  test-unit-linux:
+    name: Unit Tests (linux)
    runs-on: ubuntu-24.04
    timeout-minutes: 20
    steps:
@@ -53,8 +53,8 @@ jobs:
        files: ./coverage.out
        flags: unittests # optional
        verbose: true # optional (default = false)
-  wtest:
-    name: Unit Tests (Windows 2022)
+  test-unit-windows:
+    name: Unit Tests (windows)
    runs-on: windows-2022
    timeout-minutes: 20
    steps:
@@ -75,4 +75,3 @@ jobs:
        files: ./coverage.out
        flags: unittests # optional
        verbose: true # optional (default = false)
-
--- a/pkg/clientaccess/token_linux_test.go
+++ b/pkg/clientaccess/token_linux_test.go
+//go:build linux
+// +build linux
+
+package clientaccess
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Test_UnitTrustedCA confirms that tokens are validated when the server uses a cert (self-signed or otherwise)
+// that is trusted by the OS CA bundle. This test must be run first, since it mucks with the system root certs.
+// NOTE:
+// This tests only works on Linux, where we can override the default CA bundle with the SSL_CERT_FILE env var.
+// On other operating systems, the default CA bundle is loaded via OS-specific crypto APIs.
+func Test_UnitTrustedCA(t *testing.T) {
+	assert := assert.New(t)
+	server := newTLSServer(t, defaultUsername, defaultPassword, false)
+	defer server.Close()
+	digest, _ := hashCA(getServerCA(server))
+
+	testInfo := &Info{
+		CACerts:  getServerCA(server),
+		BaseURL:  server.URL,
+		Username: defaultUsername,
+		Password: defaultPassword,
+		caHash:   digest,
+	}
+
+	testCases := []struct {
+		token    string
+		expected string
+	}{
+		{defaultPassword, ""},
+		{testInfo.String(), testInfo.Username},
+	}
+
+	// Point OS CA bundle at this test's CA cert to simulate a trusted CA cert.
+	// Note that this only works if the OS CA bundle has not yet been loaded in this process,
+	// as it is cached for the duration of the process lifetime.
+	// Ref: https://github.com/golang/go/issues/41888
+	path := t.TempDir() + "/ca.crt"
+	writeServerCA(server, path)
+	os.Setenv("SSL_CERT_FILE", path)
+
+	for _, testCase := range testCases {
+		info, err := ParseAndValidateToken(server.URL, testCase.token)
+		if assert.NoError(err, testCase) {
+			assert.Nil(info.CACerts, testCase)
+			assert.Equal(testCase.expected, info.Username, testCase.token)
+		}
+
+		info, err = ParseAndValidateToken(server.URL, testCase.token, WithUser("agent"))
+		if assert.NoError(err, testCase) {
+			assert.Nil(info.CACerts, testCase)
+			assert.Equal("agent", info.Username, testCase)
+		}
+	}
+}
--- a/pkg/clientaccess/token_test.go
+++ b/pkg/clientaccess/token_test.go
@@ -24,60 +24,6 @@ var (
 	defaultToken    = "abcdef.0123456789abcdef"
 )

-// Test_UnitTrustedCA confirms that tokens are validated when the server uses a cert (self-signed or otherwise)
-// that is trusted by the OS CA bundle. This test must be run first, since it mucks with the system root certs.
-func Test_UnitTrustedCA(t *testing.T) {
-	assert := assert.New(t)
-	server := newTLSServer(t, defaultUsername, defaultPassword, false)
-	defer server.Close()
-	digest, _ := hashCA(getServerCA(server))
-
-	testInfo := &Info{
-		CACerts:  getServerCA(server),
-		BaseURL:  server.URL,
-		Username: defaultUsername,
-		Password: defaultPassword,
-		caHash:   digest,
-	}
-
-	testCases := []struct {
-		token    string
-		expected string
-	}{
-		{defaultPassword, ""},
-		{testInfo.String(), testInfo.Username},
-	}
-
-	// Point OS CA bundle at this test's CA cert to simulate a trusted CA cert.
-	// Note that this only works if the OS CA bundle has not yet been loaded in this process,
-	// as it is cached for the duration of the process lifetime.
-	// Ref: https://github.com/golang/go/issues/41888
-	path := t.TempDir() + "/ca.crt"
-	writeServerCA(server, path)
-	os.Setenv("SSL_CERT_FILE", path)
-
-	for _, testCase := range testCases {
-		info, err := ParseAndValidateToken(server.URL, testCase.token)
-		if assert.NoError(err, testCase) {
-			assert.Nil(info.CACerts, testCase)
-			assert.Equal(testCase.expected, info.Username, testCase.token)
-		}
-
-		info, err = ParseAndValidateToken(server.URL, testCase.token, WithUser("agent"))
-		if assert.NoError(err, testCase) {
-			assert.Nil(info.CACerts, testCase)
-			assert.Equal("agent", info.Username, testCase)
-		}
-	}
-
-	// Confirm that the cert is actually trusted by the OS CA bundle by making a request
-	// with empty cert pool
-	testInfo.CACerts = nil
-	res, err := testInfo.Get("/v1-k3s/server-bootstrap")
-	assert.NoError(err)
-	assert.NotEmpty(res)
-}
-
 // Test_UnitUntrustedCA confirms that tokens are validated when the server uses a self-signed cert
 // that is NOT trusted by the OS CA bundle.
 func Test_UnitUntrustedCA(t *testing.T) {