Commit d9950473 authored by Patrick Barker's avatar Patrick Barker Committed by Patrick Barker

adds dynamic audit integration test

parent 5d19fda5
...@@ -29,6 +29,7 @@ import ( ...@@ -29,6 +29,7 @@ import (
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
utilflag "k8s.io/apiserver/pkg/util/flag" utilflag "k8s.io/apiserver/pkg/util/flag"
auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered"
auditdynamic "k8s.io/apiserver/plugin/pkg/audit/dynamic"
audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate"
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
...@@ -241,6 +242,9 @@ func TestAddFlags(t *testing.T) { ...@@ -241,6 +242,9 @@ func TestAddFlags(t *testing.T) {
InitialBackoff: 2 * time.Second, InitialBackoff: 2 * time.Second,
GroupVersionString: "audit.k8s.io/v1alpha1", GroupVersionString: "audit.k8s.io/v1alpha1",
}, },
DynamicOptions: apiserveroptions.AuditDynamicOptions{
BatchConfig: auditdynamic.NewDefaultWebhookBatchConfig(),
},
PolicyFile: "/policy", PolicyFile: "/policy",
}, },
Features: &apiserveroptions.FeatureOptions{ Features: &apiserveroptions.FeatureOptions{
......
...@@ -148,9 +148,14 @@ type AuditWebhookOptions struct { ...@@ -148,9 +148,14 @@ type AuditWebhookOptions struct {
GroupVersionString string GroupVersionString string
} }
// AuditDynamicOptions control the configuration of dynamic backends for audit events
type AuditDynamicOptions struct { type AuditDynamicOptions struct {
// Enabled tells whether the dynamic audit capability is enabled. // Enabled tells whether the dynamic audit capability is enabled.
Enabled bool Enabled bool
// Configuration for batching backend. This is currently only used as an override
// for integration tests
BatchConfig *pluginbuffered.BatchConfig
} }
func NewAuditOptions() *AuditOptions { func NewAuditOptions() *AuditOptions {
...@@ -174,7 +179,8 @@ func NewAuditOptions() *AuditOptions { ...@@ -174,7 +179,8 @@ func NewAuditOptions() *AuditOptions {
GroupVersionString: "audit.k8s.io/v1", GroupVersionString: "audit.k8s.io/v1",
}, },
DynamicOptions: AuditDynamicOptions{ DynamicOptions: AuditDynamicOptions{
Enabled: false, Enabled: false,
BatchConfig: plugindynamic.NewDefaultWebhookBatchConfig(),
}, },
} }
} }
...@@ -634,7 +640,7 @@ func (o *AuditDynamicOptions) newBackend( ...@@ -634,7 +640,7 @@ func (o *AuditDynamicOptions) newBackend(
dc := &plugindynamic.Config{ dc := &plugindynamic.Config{
Informer: informer, Informer: informer,
BufferedConfig: plugindynamic.NewDefaultWebhookBatchConfig(), BufferedConfig: o.BatchConfig,
EventConfig: plugindynamic.EventConfig{ EventConfig: plugindynamic.EventConfig{
Sink: eventSink, Sink: eventSink,
Source: corev1.EventSource{ Source: corev1.EventSource{
......
...@@ -30,6 +30,7 @@ import ( ...@@ -30,6 +30,7 @@ import (
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/pkg/master" "k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/master/reconcilers" "k8s.io/kubernetes/pkg/master/reconcilers"
"k8s.io/kubernetes/test/integration/framework"
) )
func TestWebhookLoopback(t *testing.T) { func TestWebhookLoopback(t *testing.T) {
...@@ -40,7 +41,7 @@ func TestWebhookLoopback(t *testing.T) { ...@@ -40,7 +41,7 @@ func TestWebhookLoopback(t *testing.T) {
called := int32(0) called := int32(0)
client, _ := startTestServer(t, stopCh, TestServerSetup{ client, _ := framework.StartTestServer(t, stopCh, framework.TestServerSetup{
ModifyServerRunOptions: func(opts *options.ServerRunOptions) { ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
}, },
ModifyServerConfig: func(config *master.Config) { ModifyServerConfig: func(config *master.Config) {
......
...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and ...@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package apiserver package framework
import ( import (
"io/ioutil" "io/ioutil"
...@@ -36,7 +36,6 @@ import ( ...@@ -36,7 +36,6 @@ import (
"k8s.io/kubernetes/cmd/kube-apiserver/app" "k8s.io/kubernetes/cmd/kube-apiserver/app"
"k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/cmd/kube-apiserver/app/options"
"k8s.io/kubernetes/pkg/master" "k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/test/integration/framework"
) )
type TestServerSetup struct { type TestServerSetup struct {
...@@ -44,8 +43,8 @@ type TestServerSetup struct { ...@@ -44,8 +43,8 @@ type TestServerSetup struct {
ModifyServerConfig func(*master.Config) ModifyServerConfig func(*master.Config)
} }
// startTestServer runs a kube-apiserver, optionally calling out to the setup.ModifyServerRunOptions and setup.ModifyServerConfig functions // StartTestServer runs a kube-apiserver, optionally calling out to the setup.ModifyServerRunOptions and setup.ModifyServerConfig functions
func startTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup) (client.Interface, *rest.Config) { func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup) (client.Interface, *rest.Config) {
certDir, _ := ioutil.TempDir("", "test-integration-"+t.Name()) certDir, _ := ioutil.TempDir("", "test-integration-"+t.Name())
go func() { go func() {
<-stopCh <-stopCh
...@@ -89,7 +88,7 @@ func startTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup ...@@ -89,7 +88,7 @@ func startTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir
kubeAPIServerOptions.InsecureServing.BindPort = 0 kubeAPIServerOptions.InsecureServing.BindPort = 0
kubeAPIServerOptions.Etcd.StorageConfig.Prefix = path.Join("/", uuid.New(), "registry") kubeAPIServerOptions.Etcd.StorageConfig.Prefix = path.Join("/", uuid.New(), "registry")
kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{framework.GetEtcdURL()} kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{GetEtcdURL()}
kubeAPIServerOptions.ServiceClusterIPRange = *defaultServiceClusterIPRange kubeAPIServerOptions.ServiceClusterIPRange = *defaultServiceClusterIPRange
kubeAPIServerOptions.Authentication.RequestHeader.UsernameHeaders = []string{"X-Remote-User"} kubeAPIServerOptions.Authentication.RequestHeader.UsernameHeaders = []string{"X-Remote-User"}
kubeAPIServerOptions.Authentication.RequestHeader.GroupHeaders = []string{"X-Remote-Group"} kubeAPIServerOptions.Authentication.RequestHeader.GroupHeaders = []string{"X-Remote-Group"}
......
...@@ -59,87 +59,8 @@ rules: ...@@ -59,87 +59,8 @@ rules:
"audit.k8s.io/v1": auditv1.SchemeGroupVersion, "audit.k8s.io/v1": auditv1.SchemeGroupVersion,
"audit.k8s.io/v1beta1": auditv1beta1.SchemeGroupVersion, "audit.k8s.io/v1beta1": auditv1beta1.SchemeGroupVersion,
} }
)
// TestAudit ensures that both v1beta1 and v1 version audit api could work.
func TestAudit(t *testing.T) {
for version := range versions {
testAudit(t, version)
}
}
func testAudit(t *testing.T, version string) {
// prepare audit policy file
auditPolicy := []byte(strings.Replace(auditPolicyPattern, "{version}", version, 1))
policyFile, err := ioutil.TempFile("", "audit-policy.yaml")
if err != nil {
t.Fatalf("Failed to create audit policy file: %v", err)
}
defer os.Remove(policyFile.Name())
if _, err := policyFile.Write(auditPolicy); err != nil {
t.Fatalf("Failed to write audit policy file: %v", err)
}
if err := policyFile.Close(); err != nil {
t.Fatalf("Failed to close audit policy file: %v", err)
}
// prepare audit log file
logFile, err := ioutil.TempFile("", "audit.log")
if err != nil {
t.Fatalf("Failed to create audit log file: %v", err)
}
defer os.Remove(logFile.Name())
// start api server
result := kubeapiservertesting.StartTestServerOrDie(t, nil,
[]string{
"--audit-policy-file", policyFile.Name(),
"--audit-log-version", version,
"--audit-log-mode", "blocking",
"--audit-log-path", logFile.Name()},
framework.SharedEtcd())
defer result.TearDownFn()
kubeclient, err := kubernetes.NewForConfig(result.ClientConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
func() {
// create, get, watch, update, patch, list and delete configmap.
configMap := &apiv1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-configmap",
},
Data: map[string]string{
"map-key": "map-value",
},
}
_, err := kubeclient.CoreV1().ConfigMaps(namespace).Create(configMap)
expectNoError(t, err, "failed to create audit-configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Get(configMap.Name, metav1.GetOptions{})
expectNoError(t, err, "failed to get audit-configmap")
configMapChan, err := kubeclient.CoreV1().ConfigMaps(namespace).Watch(watchOptions)
expectNoError(t, err, "failed to create watch for config maps")
configMapChan.Stop()
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Update(configMap) expectedEvents = []utils.AuditEvent{
expectNoError(t, err, "failed to update audit-configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Patch(configMap.Name, types.JSONPatchType, patch)
expectNoError(t, err, "failed to patch configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{})
expectNoError(t, err, "failed to list config maps")
err = kubeclient.CoreV1().ConfigMaps(namespace).Delete(configMap.Name, &metav1.DeleteOptions{})
expectNoError(t, err, "failed to delete audit-configmap")
}()
expectedEvents := []utils.AuditEvent{
{ {
Level: auditinternal.LevelRequestResponse, Level: auditinternal.LevelRequestResponse,
Stage: auditinternal.StageResponseComplete, Stage: auditinternal.StageResponseComplete,
...@@ -238,7 +159,56 @@ func testAudit(t *testing.T, version string) { ...@@ -238,7 +159,56 @@ func testAudit(t *testing.T, version string) {
AuthorizeDecision: "allow", AuthorizeDecision: "allow",
}, },
} }
)
// TestAudit ensures that both v1beta1 and v1 version audit api could work.
func TestAudit(t *testing.T) {
for version := range versions {
testAudit(t, version)
}
}
func testAudit(t *testing.T, version string) {
// prepare audit policy file
auditPolicy := []byte(strings.Replace(auditPolicyPattern, "{version}", version, 1))
policyFile, err := ioutil.TempFile("", "audit-policy.yaml")
if err != nil {
t.Fatalf("Failed to create audit policy file: %v", err)
}
defer os.Remove(policyFile.Name())
if _, err := policyFile.Write(auditPolicy); err != nil {
t.Fatalf("Failed to write audit policy file: %v", err)
}
if err := policyFile.Close(); err != nil {
t.Fatalf("Failed to close audit policy file: %v", err)
}
// prepare audit log file
logFile, err := ioutil.TempFile("", "audit.log")
if err != nil {
t.Fatalf("Failed to create audit log file: %v", err)
}
defer os.Remove(logFile.Name())
// start api server
result := kubeapiservertesting.StartTestServerOrDie(t, nil,
[]string{
"--audit-policy-file", policyFile.Name(),
"--audit-log-version", version,
"--audit-log-mode", "blocking",
"--audit-log-path", logFile.Name()},
framework.SharedEtcd())
defer result.TearDownFn()
kubeclient, err := kubernetes.NewForConfig(result.ClientConfig)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
// perform configmap operations
configMapOperations(t, kubeclient)
// check for corresponding audit logs
stream, err := os.Open(logFile.Name()) stream, err := os.Open(logFile.Name())
if err != nil { if err != nil {
t.Fatalf("Unexpected error: %v", err) t.Fatalf("Unexpected error: %v", err)
...@@ -253,6 +223,47 @@ func testAudit(t *testing.T, version string) { ...@@ -253,6 +223,47 @@ func testAudit(t *testing.T, version string) {
} }
} }
// configMapOperations is a set of known operations perfomed on the configmap type
// which correspond to the expected events.
// This is shared by the dynamic test
func configMapOperations(t *testing.T, kubeclient kubernetes.Interface) {
// create, get, watch, update, patch, list and delete configmap.
configMap := &apiv1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "audit-configmap",
},
Data: map[string]string{
"map-key": "map-value",
},
}
_, err := kubeclient.CoreV1().ConfigMaps(namespace).Create(configMap)
expectNoError(t, err, "failed to create audit-configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Get(configMap.Name, metav1.GetOptions{})
expectNoError(t, err, "failed to get audit-configmap")
configMapChan, err := kubeclient.CoreV1().ConfigMaps(namespace).Watch(watchOptions)
expectNoError(t, err, "failed to create watch for config maps")
for range configMapChan.ResultChan() {
// Block until watchOptions.TimeoutSeconds expires.
// If the test finishes before watchOptions.TimeoutSeconds expires, the watch audit
// event at stage ResponseComplete will not be generated.
}
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Update(configMap)
expectNoError(t, err, "failed to update audit-configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).Patch(configMap.Name, types.JSONPatchType, patch)
expectNoError(t, err, "failed to patch configmap")
_, err = kubeclient.CoreV1().ConfigMaps(namespace).List(metav1.ListOptions{})
expectNoError(t, err, "failed to list config maps")
err = kubeclient.CoreV1().ConfigMaps(namespace).Delete(configMap.Name, &metav1.DeleteOptions{})
expectNoError(t, err, "failed to delete audit-configmap")
}
func expectNoError(t *testing.T, err error, msg string) { func expectNoError(t *testing.T, err error, msg string) {
if err != nil { if err != nil {
t.Fatalf("%s: %v", msg, err) t.Fatalf("%s: %v", msg, err)
......
...@@ -25,11 +25,14 @@ import ( ...@@ -25,11 +25,14 @@ import (
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
auditinternal "k8s.io/apiserver/pkg/apis/audit" auditinternal "k8s.io/apiserver/pkg/apis/audit"
"k8s.io/apiserver/pkg/audit" "k8s.io/apiserver/pkg/audit"
) )
// AuditEvent is a simplified representation of an audit event for testing purposes
type AuditEvent struct { type AuditEvent struct {
ID types.UID
Level auditinternal.Level Level auditinternal.Level
Stage auditinternal.Stage Stage auditinternal.Stage
RequestURI string RequestURI string
...@@ -45,17 +48,21 @@ type AuditEvent struct { ...@@ -45,17 +48,21 @@ type AuditEvent struct {
AuthorizeDecision string AuthorizeDecision string
} }
// Search the audit log for the expected audit lines. // CheckAuditLines searches the audit log for the expected audit lines.
// if includeID is true the event ids will also be verified
func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.GroupVersion) (missing []AuditEvent, err error) { func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.GroupVersion) (missing []AuditEvent, err error) {
expectations := map[AuditEvent]bool{} expectations := buildEventExpectations(expected)
for _, event := range expected {
expectations[event] = false
}
scanner := bufio.NewScanner(stream) scanner := bufio.NewScanner(stream)
for scanner.Scan() { for scanner.Scan() {
line := scanner.Text() line := scanner.Text()
event, err := parseAuditLine(line, version) e := &auditinternal.Event{}
decoder := audit.Codecs.UniversalDecoder(version)
if err := runtime.DecodeInto(decoder, []byte(line), e); err != nil {
return expected, fmt.Errorf("failed decoding buf: %s, apiVersion: %s", line, version)
}
event, err := testEventFromInternal(e)
if err != nil { if err != nil {
return expected, err return expected, err
} }
...@@ -69,22 +76,65 @@ func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.Gro ...@@ -69,22 +76,65 @@ func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.Gro
return expected, err return expected, err
} }
missing = make([]AuditEvent, 0) missing = findMissing(expectations)
for event, found := range expectations { return missing, nil
if !found { }
missing = append(missing, event)
// CheckAuditList searches an audit event list for the expected audit events.
// if includeID is true the event ids will also be verified
func CheckAuditList(el auditinternal.EventList, expected []AuditEvent) (missing []AuditEvent, err error) {
expectations := buildEventExpectations(expected)
for _, e := range el.Items {
event, err := testEventFromInternal(&e)
if err != nil {
return expected, err
}
// If the event was expected, mark it as found.
if _, found := expectations[event]; found {
expectations[event] = true
} }
} }
missing = findMissing(expectations)
return missing, nil return missing, nil
} }
func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error) { // CheckForDuplicates checks a list for duplicate events
e := &auditinternal.Event{} func CheckForDuplicates(el auditinternal.EventList) (auditinternal.EventList, error) {
decoder := audit.Codecs.UniversalDecoder(version) // eventMap holds a map of audit events with just a nil value
if err := runtime.DecodeInto(decoder, []byte(line), e); err != nil { eventMap := map[AuditEvent]*bool{}
return AuditEvent{}, fmt.Errorf("failed decoding buf: %s, apiVersion: %s", line, version) duplicates := auditinternal.EventList{}
var err error
for _, e := range el.Items {
event, err := testEventFromInternal(&e)
if err != nil {
return duplicates, err
}
event.ID = e.AuditID
if _, ok := eventMap[event]; ok {
duplicates.Items = append(duplicates.Items, e)
err = fmt.Errorf("failed duplicate check")
continue
}
eventMap[event] = nil
} }
return duplicates, err
}
// buildEventExpectations creates a bool map out of a list of audit events
func buildEventExpectations(expected []AuditEvent) map[AuditEvent]bool {
expectations := map[AuditEvent]bool{}
for _, event := range expected {
expectations[event] = false
}
return expectations
}
// testEventFromInternal takes an internal audit event and returns a test event
// if includeID is true the event id will be included
func testEventFromInternal(e *auditinternal.Event) (AuditEvent, error) {
event := AuditEvent{ event := AuditEvent{
Level: e.Level, Level: e.Level,
Stage: e.Stage, Stage: e.Stage,
...@@ -113,3 +163,14 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error ...@@ -113,3 +163,14 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"] event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
return event, nil return event, nil
} }
// findMissing checks for false values in the expectations map and returns them as a list
func findMissing(expectations map[AuditEvent]bool) []AuditEvent {
var missing []AuditEvent
for event, found := range expectations {
if !found {
missing = append(missing, event)
}
}
return missing
}
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package utils
import (
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"sync"
"testing"
"time"
"github.com/stretchr/testify/require"
auditregv1alpha1 "k8s.io/api/auditregistration/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/wait"
auditinternal "k8s.io/apiserver/pkg/apis/audit"
auditv1 "k8s.io/apiserver/pkg/apis/audit/v1"
"k8s.io/apiserver/pkg/audit"
)
// AuditTestServer is a helper server for dynamic audit testing
type AuditTestServer struct {
Name string
LockedEventList *LockedEventList
Server *httptest.Server
t *testing.T
}
// LockedEventList is an event list with a lock for concurrent access
type LockedEventList struct {
*sync.RWMutex
EventList auditinternal.EventList
}
// NewLockedEventList returns a new LockedEventList
func NewLockedEventList() *LockedEventList {
return &LockedEventList{
RWMutex: &sync.RWMutex{},
EventList: auditinternal.EventList{},
}
}
// NewAuditTestServer returns a new audit test server
func NewAuditTestServer(t *testing.T, name string) *AuditTestServer {
s := &AuditTestServer{
Name: name,
LockedEventList: NewLockedEventList(),
t: t,
}
s.buildServer()
return s
}
// GetEventList safely returns the internal event list
func (a *AuditTestServer) GetEventList() auditinternal.EventList {
a.LockedEventList.RLock()
defer a.LockedEventList.RUnlock()
return a.LockedEventList.EventList
}
// ResetEventList resets the internal event list
func (a *AuditTestServer) ResetEventList() {
a.LockedEventList.Lock()
defer a.LockedEventList.Unlock()
a.LockedEventList.EventList = auditinternal.EventList{}
}
// AppendEvents will add the given events to the internal event list
func (a *AuditTestServer) AppendEvents(events []auditinternal.Event) {
a.LockedEventList.Lock()
defer a.LockedEventList.Unlock()
a.LockedEventList.EventList.Items = append(a.LockedEventList.EventList.Items, events...)
}
// WaitForEvents waits for the given events to arrive in the server or the 30s timeout is reached
func (a *AuditTestServer) WaitForEvents(expected []AuditEvent) ([]AuditEvent, error) {
var missing []AuditEvent
err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
var err error
a.LockedEventList.RLock()
defer a.LockedEventList.RUnlock()
el := a.GetEventList()
if len(el.Items) < 1 {
return false, nil
}
missing, err = CheckAuditList(el, expected)
if err != nil {
return false, nil
}
return true, nil
})
return missing, err
}
// WaitForNumEvents checks that at least the given number of events has arrived or the 30s timeout is reached
func (a *AuditTestServer) WaitForNumEvents(numEvents int) error {
err := wait.PollImmediate(50*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
el := a.GetEventList()
if len(el.Items) < numEvents {
return false, nil
}
return true, nil
})
if err != nil {
return fmt.Errorf("%v: %d events failed to arrive in %v", err, numEvents, wait.ForeverTestTimeout)
}
return nil
}
// Health polls the server healthcheck until successful or the 30s timeout has been reached
func (a *AuditTestServer) Health() error {
err := wait.PollImmediate(100*time.Millisecond, wait.ForeverTestTimeout, func() (bool, error) {
resp, err := http.Get(fmt.Sprintf("%s/health", a.Server.URL))
if err != nil {
return false, nil
}
if resp.StatusCode != 200 {
return false, nil
}
return true, nil
})
if err != nil {
return fmt.Errorf("server %s permanently failed health check: %v", a.Server.URL, err)
}
return nil
}
// Close the server
func (a *AuditTestServer) Close() {
a.Server.Close()
}
// BuildSinkConfiguration creates a generic audit sink configuration for this server
func (a *AuditTestServer) BuildSinkConfiguration() *auditregv1alpha1.AuditSink {
return &auditregv1alpha1.AuditSink{
ObjectMeta: metav1.ObjectMeta{
Name: a.Name,
},
Spec: auditregv1alpha1.AuditSinkSpec{
Policy: auditregv1alpha1.Policy{
Level: auditregv1alpha1.LevelRequestResponse,
Stages: []auditregv1alpha1.Stage{
auditregv1alpha1.StageResponseStarted,
auditregv1alpha1.StageResponseComplete,
},
},
Webhook: auditregv1alpha1.Webhook{
ClientConfig: auditregv1alpha1.WebhookClientConfig{
URL: &a.Server.URL,
},
},
},
}
}
// buildServer creates an http test server that will update the internal event list
// with the value it receives
func (a *AuditTestServer) buildServer() {
decoder := audit.Codecs.UniversalDecoder(auditv1.SchemeGroupVersion)
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
body, err := ioutil.ReadAll(r.Body)
require.NoError(a.t, err, "could not read request body")
el := auditinternal.EventList{}
err = runtime.DecodeInto(decoder, body, &el)
r.Body.Close()
require.NoError(a.t, err, "failed decoding buf: %b, apiVersion: %s", body, auditv1.SchemeGroupVersion)
a.AppendEvents(el.Items)
w.WriteHeader(200)
})
mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(200)
})
a.Server = httptest.NewServer(mux)
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment