Commit 856a1db5 authored by Chao Xu's avatar Chao Xu

fix the webhook unit test; the server cert needs to have a valid CN;

fix a fuzzer;
parent 186a0684
...@@ -53,6 +53,7 @@ func (f *fakeHookSource) Run(stopCh <-chan struct{}) {} ...@@ -53,6 +53,7 @@ func (f *fakeHookSource) Run(stopCh <-chan struct{}) {}
type fakeServiceResolver struct { type fakeServiceResolver struct {
base url.URL base url.URL
path string
} }
func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) { func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
...@@ -60,7 +61,7 @@ func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL, ...@@ -60,7 +61,7 @@ func (f fakeServiceResolver) ResolveEndpoint(namespace, name string) (*url.URL,
return nil, fmt.Errorf("couldn't resolve service location") return nil, fmt.Errorf("couldn't resolve service location")
} }
u := f.base u := f.base
u.Path = name u.Path = f.path
return &u, nil return &u, nil
} }
...@@ -89,7 +90,6 @@ func TestAdmit(t *testing.T) { ...@@ -89,7 +90,6 @@ func TestAdmit(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
wh.serviceResolver = fakeServiceResolver{*serverURL}
wh.clientCert = clientCert wh.clientCert = clientCert
wh.clientKey = clientKey wh.clientKey = clientKey
...@@ -123,16 +123,16 @@ func TestAdmit(t *testing.T) { ...@@ -123,16 +123,16 @@ func TestAdmit(t *testing.T) {
type test struct { type test struct {
hookSource fakeHookSource hookSource fakeHookSource
path string
expectAllow bool expectAllow bool
errorContains string errorContains string
} }
ccfg := func(result string) registrationv1alpha1.AdmissionHookClientConfig { ccfg := registrationv1alpha1.AdmissionHookClientConfig{
return registrationv1alpha1.AdmissionHookClientConfig{ Service: registrationv1alpha1.ServiceReference{
Service: registrationv1alpha1.ServiceReference{ Name: "webhook-test",
Name: result, Namespace: "default",
}, },
CABundle: caCert, CABundle: caCert,
}
} }
matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{ matchEverythingRules := []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.OperationAll},
...@@ -148,66 +148,72 @@ func TestAdmit(t *testing.T) { ...@@ -148,66 +148,72 @@ func TestAdmit(t *testing.T) {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "nomatch", Name: "nomatch",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg,
Rules: []registrationv1alpha1.RuleWithOperations{{ Rules: []registrationv1alpha1.RuleWithOperations{{
Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create}, Operations: []registrationv1alpha1.OperationType{registrationv1alpha1.Create},
}}, }},
}}, }},
}, },
path: "disallow",
expectAllow: true, expectAllow: true,
}, },
"match & allow": { "match & allow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "allow", Name: "allow",
ClientConfig: ccfg("allow"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "allow",
expectAllow: true, expectAllow: true,
}, },
"match & disallow": { "match & disallow": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallow", Name: "disallow",
ClientConfig: ccfg("disallow"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "disallow",
errorContains: "without explanation", errorContains: "without explanation",
}, },
"match & disallow ii": { "match & disallow ii": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "disallowReason", Name: "disallowReason",
ClientConfig: ccfg("disallowReason"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "disallowReason",
errorContains: "you shall not pass", errorContains: "you shall not pass",
}, },
"match & fail (but allow because fail open)": { "match & fail (but allow because fail open)": {
hookSource: fakeHookSource{ hookSource: fakeHookSource{
hooks: []registrationv1alpha1.ExternalAdmissionHook{{ hooks: []registrationv1alpha1.ExternalAdmissionHook{{
Name: "internalErr A", Name: "internalErr A",
ClientConfig: ccfg("internalErr"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}, { }, {
Name: "invalidReq B", Name: "internalErr B",
ClientConfig: ccfg("invalidReq"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}, { }, {
Name: "invalidResp C", Name: "internalErr C",
ClientConfig: ccfg("invalidResp"), ClientConfig: ccfg,
Rules: matchEverythingRules, Rules: matchEverythingRules,
}}, }},
}, },
path: "internalErr",
expectAllow: true, expectAllow: true,
}, },
} }
for name, tt := range table { for name, tt := range table {
wh.hookSource = &tt.hookSource wh.hookSource = &tt.hookSource
wh.serviceResolver = fakeServiceResolver{base: *serverURL, path: tt.path}
err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo)) err = wh.Admit(admission.NewAttributesRecord(&object, &oldObject, kind, namespace, name, resource, subResource, operation, &userInfo))
if tt.expectAllow != (err == nil) { if tt.expectAllow != (err == nil) {
......
...@@ -61,7 +61,7 @@ openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem ...@@ -61,7 +61,7 @@ openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem
# Create a server certiticate # Create a server certiticate
openssl genrsa -out serverKey.pem 2048 openssl genrsa -out serverKey.pem 2048
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf openssl req -new -key serverKey.pem -out server.csr -subj "/CN=webhook-test.default.svc" -config server.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
# Create a client certiticate # Create a client certiticate
...@@ -104,4 +104,4 @@ done ...@@ -104,4 +104,4 @@ done
rm *.pem rm *.pem
rm *.csr rm *.csr
rm *.srl rm *.srl
rm *.conf rm *.conf
\ No newline at end of file
...@@ -18,6 +18,7 @@ package rest ...@@ -18,6 +18,7 @@ package rest
import ( import (
"io" "io"
"net"
"net/http" "net/http"
"path/filepath" "path/filepath"
"reflect" "reflect"
...@@ -236,6 +237,8 @@ func TestAnonymousConfig(t *testing.T) { ...@@ -236,6 +237,8 @@ func TestAnonymousConfig(t *testing.T) {
func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) { func(r *clientcmdapi.AuthProviderConfig, f fuzz.Continue) {
r.Config = map[string]string{} r.Config = map[string]string{}
}, },
// Dial does not require fuzzer
func(r *func(network, addr string) (net.Conn, error), f fuzz.Continue) {},
) )
for i := 0; i < 20; i++ { for i := 0; i < 20; i++ {
original := &Config{} original := &Config{}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment