Commit 856a1db5 authored by Chao Xu's avatar Chao Xu

fix the webhook unit test; the server cert needs to have a valid CN;

fix a fuzzer;
parent 186a0684
......@@ -53,6 +53,7 @@ func (f *fakeHookSource) Run(stopCh <-chan struct{}) {}
type fakeServiceResolver struct {
base url.URL
path string
}
func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
......@@ -60,7 +61,7 @@ func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL,
return nil, fmt.Errorf("couldn't resolve service location")
}
u := f.base
u.Path = name
u.Path = f.path
return &u, nil
}
......@@ -89,7 +90,6 @@ func TestAdmit(t *testing.T) {
if err != nil {
t.Fatal(err)
}
wh.serviceResolver = fakeServiceResolver{*serverURL}
wh.clientCert = clientCert
wh.clientKey = clientKey
......@@ -123,16 +123,16 @@ func TestAdmit(t *testing.T) {
type test struct {
hookSource fakeHookSource
path string
expectAllow bool
errorContains string
}
ccfg := func(result string) registrationv1alpha1.AdmissionHookClientConfig {
return registrationv1alpha1.AdmissionHookClientConfig{
Service: registrationv1alpha1.ServiceReference{
Name: result,
},
CABundle: caCert,
}
ccfg := registrationv1alpha1.AdmissionHookClientConfig{
Service: registrationv1alpha1.ServiceReference{
Name: "webhook-test",
Namespace: "default",
},
CABundle: caCert,
}
matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
......@@ -148,66 +148,72 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "nomatch",
ClientConfig: ccfg("disallow"),
ClientConfig: ccfg,
Rules: []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
}},
}},
},
path: "disallow",
expectAllow: true,
},
"match & allow": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "allow",
ClientConfig: ccfg("allow"),
ClientConfig: ccfg,
Rules: matchEverythingRules,
}},
},
path: "allow",
expectAllow: true,
},
"match & disallow": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallow",
ClientConfig: ccfg("disallow"),
ClientConfig: ccfg,
Rules: matchEverythingRules,
}},
},
path: "disallow",
errorContains: "without explanation",
},
"match & disallow ii": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallowReason",
ClientConfig: ccfg("disallowReason"),
ClientConfig: ccfg,
Rules: matchEverythingRules,
}},
},
path: "disallowReason",
errorContains: "you shall not pass",
},
"match & fail (but allow because fail open)": {
hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "internalErr A",
ClientConfig: ccfg("internalErr"),
ClientConfig: ccfg,
Rules: matchEverythingRules,
}, {
Name: "invalidReq B",
ClientConfig: ccfg("invalidReq"),
Name: "internalErr B",
ClientConfig: ccfg,
Rules: matchEverythingRules,
}, {
Name: "invalidResp C",
ClientConfig: ccfg("invalidResp"),
Name: "internalErr C",
ClientConfig: ccfg,
Rules: matchEverythingRules,
}},
},
path: "internalErr",
expectAllow: true,
},
}
for name, tt := range table {
wh.hookSource = &tt.hookSource
wh.serviceResolver = fakeServiceResolver{base: *serverURL, path: tt.path}
err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo))
if tt.expectAllow != (err == nil) {
......
......@@ -61,7 +61,7 @@ openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem
# Create a server certiticate
openssl genrsa -out serverKey.pem 2048
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=webhook-test.default.svc" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
# Create a client certiticate
......@@ -104,4 +104,4 @@ done
rm *.pem
rm *.csr
rm *.srl
rm *.conf
\ No newline at end of file
rm *.conf
......@@ -18,6 +18,7 @@ package rest
import (
"io"
"net"
"net/http"
"path/filepath"
"reflect"
......@@ -236,6 +237,8 @@ func TestAnonymousConfig(t *testing.T) {
func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) {
r.Config = map[string]string{}
},
// Dial does not require fuzzer
func(r *func(network, addr string) (net.Conn, error), f fuzz.Continue) {},
)
for i := 0; i < 20; i++ {
original := &Config{}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment