| /* |
| Copyright 2017 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package validating |
| |
| import ( |
| "net/url" |
| "strings" |
| "testing" |
| |
| "github.com/stretchr/testify/assert" |
| "github.com/stretchr/testify/require" |
| |
| "k8s.io/api/admission/v1beta1" |
| corev1 "k8s.io/api/core/v1" |
| "k8s.io/apimachinery/pkg/api/errors" |
| "k8s.io/apimachinery/pkg/runtime" |
| webhooktesting "k8s.io/apiserver/pkg/admission/plugin/webhook/testing" |
| ) |
| |
| // TestValidate tests that ValidatingWebhook#Validate works as expected |
| func TestValidate(t *testing.T) { |
| scheme := runtime.NewScheme() |
| require.NoError(t, v1beta1.AddToScheme(scheme)) |
| require.NoError(t, corev1.AddToScheme(scheme)) |
| |
| testServer := webhooktesting.NewTestServer(t) |
| testServer.StartTLS() |
| defer testServer.Close() |
| |
| serverURL, err := url.ParseRequestURI(testServer.URL) |
| if err != nil { |
| t.Fatalf("this should never happen? %v", err) |
| } |
| |
| stopCh := make(chan struct{}) |
| defer close(stopCh) |
| |
| for _, tt := range webhooktesting.NewNonMutatingTestCases(serverURL) { |
| wh, err := NewValidatingAdmissionWebhook(nil) |
| if err != nil { |
| t.Errorf("%s: failed to create validating webhook: %v", tt.Name, err) |
| continue |
| } |
| |
| ns := "webhook-test" |
| client, informer := webhooktesting.NewFakeDataSource(ns, tt.Webhooks, false, stopCh) |
| |
| wh.SetAuthenticationInfoResolverWrapper(webhooktesting.Wrapper(webhooktesting.NewAuthenticationInfoResolver(new(int32)))) |
| wh.SetServiceResolver(webhooktesting.NewServiceResolver(*serverURL)) |
| wh.SetScheme(scheme) |
| wh.SetExternalKubeClientSet(client) |
| wh.SetExternalKubeInformerFactory(informer) |
| |
| informer.Start(stopCh) |
| informer.WaitForCacheSync(stopCh) |
| |
| if err = wh.ValidateInitialization(); err != nil { |
| t.Errorf("%s: failed to validate initialization: %v", tt.Name, err) |
| continue |
| } |
| |
| attr := webhooktesting.NewAttribute(ns, nil, tt.IsDryRun) |
| err = wh.Validate(attr) |
| if tt.ExpectAllow != (err == nil) { |
| t.Errorf("%s: expected allowed=%v, but got err=%v", tt.Name, tt.ExpectAllow, err) |
| } |
| // ErrWebhookRejected is not an error for our purposes |
| if tt.ErrorContains != "" { |
| if err == nil || !strings.Contains(err.Error(), tt.ErrorContains) { |
| t.Errorf("%s: expected an error saying %q, but got %v", tt.Name, tt.ErrorContains, err) |
| } |
| } |
| if _, isStatusErr := err.(*errors.StatusError); err != nil && !isStatusErr { |
| t.Errorf("%s: expected a StatusError, got %T", tt.Name, err) |
| } |
| fakeAttr, ok := attr.(*webhooktesting.FakeAttributes) |
| if !ok { |
| t.Errorf("Unexpected error, failed to convert attr to webhooktesting.FakeAttributes") |
| continue |
| } |
| if len(tt.ExpectAnnotations) == 0 { |
| assert.Empty(t, fakeAttr.GetAnnotations(), tt.Name+": annotations not set as expected.") |
| } else { |
| assert.Equal(t, tt.ExpectAnnotations, fakeAttr.GetAnnotations(), tt.Name+": annotations not set as expected.") |
| } |
| } |
| } |
| |
| // TestValidateCachedClient tests that ValidatingWebhook#Validate should cache restClient |
| func TestValidateCachedClient(t *testing.T) { |
| scheme := runtime.NewScheme() |
| require.NoError(t, v1beta1.AddToScheme(scheme)) |
| require.NoError(t, corev1.AddToScheme(scheme)) |
| |
| testServer := webhooktesting.NewTestServer(t) |
| testServer.StartTLS() |
| defer testServer.Close() |
| serverURL, err := url.ParseRequestURI(testServer.URL) |
| if err != nil { |
| t.Fatalf("this should never happen? %v", err) |
| } |
| |
| stopCh := make(chan struct{}) |
| defer close(stopCh) |
| |
| wh, err := NewValidatingAdmissionWebhook(nil) |
| if err != nil { |
| t.Fatalf("Failed to create validating webhook: %v", err) |
| } |
| wh.SetServiceResolver(webhooktesting.NewServiceResolver(*serverURL)) |
| wh.SetScheme(scheme) |
| |
| for _, tt := range webhooktesting.NewCachedClientTestcases(serverURL) { |
| ns := "webhook-test" |
| client, informer := webhooktesting.NewFakeDataSource(ns, tt.Webhooks, false, stopCh) |
| |
| // override the webhook source. The client cache will stay the same. |
| cacheMisses := new(int32) |
| wh.SetAuthenticationInfoResolverWrapper(webhooktesting.Wrapper(webhooktesting.NewAuthenticationInfoResolver(cacheMisses))) |
| wh.SetExternalKubeClientSet(client) |
| wh.SetExternalKubeInformerFactory(informer) |
| |
| informer.Start(stopCh) |
| informer.WaitForCacheSync(stopCh) |
| |
| if err = wh.ValidateInitialization(); err != nil { |
| t.Errorf("%s: failed to validate initialization: %v", tt.Name, err) |
| continue |
| } |
| |
| err = wh.Validate(webhooktesting.NewAttribute(ns, nil, false)) |
| if tt.ExpectAllow != (err == nil) { |
| t.Errorf("%s: expected allowed=%v, but got err=%v", tt.Name, tt.ExpectAllow, err) |
| } |
| |
| if tt.ExpectCacheMiss && *cacheMisses == 0 { |
| t.Errorf("%s: expected cache miss, but got no AuthenticationInfoResolver call", tt.Name) |
| } |
| |
| if !tt.ExpectCacheMiss && *cacheMisses > 0 { |
| t.Errorf("%s: expected client to be cached, but got %d AuthenticationInfoResolver calls", tt.Name, *cacheMisses) |
| } |
| } |
| } |
