194 lines
4.9 KiB
Go
194 lines
4.9 KiB
Go
/*
|
|
Copyright 2022 The Flux authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package registry
|
|
|
|
import (
|
|
"net/url"
|
|
"testing"
|
|
|
|
"github.com/google/go-containerregistry/pkg/authn"
|
|
. "github.com/onsi/gomega"
|
|
corev1 "k8s.io/api/core/v1"
|
|
)
|
|
|
|
const repoURL = "https://example.com"
|
|
|
|
func TestLoginOptionFromSecret(t *testing.T) {
|
|
testURL := "oci://registry.example.com/foo/bar"
|
|
testUser := "flux"
|
|
testPassword := "somepassword"
|
|
testDockerconfigjson := `{"auths":{"registry.example.com":{"username":"flux","password":"somepassword","auth":"Zmx1eDpzb21lcGFzc3dvcmQ="}}}`
|
|
testDockerconfigjsonHTTPS := `{"auths":{"https://registry.example.com":{"username":"flux","password":"somepassword","auth":"Zmx1eDpzb21lcGFzc3dvcmQ="}}}`
|
|
dockerconfigjsonKey := ".dockerconfigjson"
|
|
|
|
tests := []struct {
|
|
name string
|
|
url string
|
|
secretType corev1.SecretType
|
|
secretData map[string][]byte
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "generic secret",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeOpaque,
|
|
secretData: map[string][]byte{
|
|
"username": []byte(testUser),
|
|
"password": []byte(testPassword),
|
|
},
|
|
},
|
|
{
|
|
name: "generic secret without username",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeOpaque,
|
|
secretData: map[string][]byte{
|
|
"password": []byte(testPassword),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "generic secret without password",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeOpaque,
|
|
secretData: map[string][]byte{
|
|
"username": []byte(testUser),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "generic secret without username and password",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeOpaque,
|
|
},
|
|
{
|
|
name: "docker-registry secret",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeDockerConfigJson,
|
|
secretData: map[string][]byte{
|
|
dockerconfigjsonKey: []byte(testDockerconfigjson),
|
|
},
|
|
},
|
|
{
|
|
name: "docker-registry secret host mismatch",
|
|
url: "oci://registry.gitlab.com",
|
|
secretType: corev1.SecretTypeDockerConfigJson,
|
|
secretData: map[string][]byte{
|
|
dockerconfigjsonKey: []byte(testDockerconfigjson),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "docker-registry secret invalid host",
|
|
url: "oci://registry .gitlab.com",
|
|
secretType: corev1.SecretTypeDockerConfigJson,
|
|
secretData: map[string][]byte{
|
|
dockerconfigjsonKey: []byte(testDockerconfigjson),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "docker-registry secret invalid docker config",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeDockerConfigJson,
|
|
secretData: map[string][]byte{
|
|
dockerconfigjsonKey: []byte("foo"),
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "docker-registry secret with URL scheme",
|
|
url: testURL,
|
|
secretType: corev1.SecretTypeDockerConfigJson,
|
|
secretData: map[string][]byte{
|
|
dockerconfigjsonKey: []byte(testDockerconfigjsonHTTPS),
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
g := NewWithT(t)
|
|
|
|
secret := corev1.Secret{}
|
|
secret.Name = "test-secret"
|
|
secret.Data = tt.secretData
|
|
secret.Type = tt.secretType
|
|
|
|
_, err := LoginOptionFromSecret(tt.url, secret)
|
|
g.Expect(err != nil).To(Equal(tt.wantErr))
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestKeychainAdaptHelper(t *testing.T) {
|
|
g := NewWithT(t)
|
|
reg, err := url.Parse(repoURL)
|
|
if err != nil {
|
|
g.Expect(err).ToNot(HaveOccurred())
|
|
}
|
|
|
|
auth := helper{
|
|
username: "flux",
|
|
password: "flux_password",
|
|
registry: reg.Host,
|
|
}
|
|
|
|
tests := []struct {
|
|
name string
|
|
auth authn.Keychain
|
|
expectedLogin bool
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "Login from basic auth with empty auth",
|
|
auth: authn.NewKeychainFromHelper(helper{}),
|
|
expectedLogin: false,
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "Login from basic auth",
|
|
auth: authn.NewKeychainFromHelper(auth),
|
|
expectedLogin: true,
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "Login with missing password",
|
|
auth: authn.NewKeychainFromHelper(helper{username: "flux", registry: reg.Host}),
|
|
expectedLogin: false,
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
g := NewWithT(t)
|
|
loginOpt, err := KeychainAdaptHelper(tt.auth)(repoURL)
|
|
if tt.wantErr {
|
|
g.Expect(err).To(HaveOccurred())
|
|
return
|
|
}
|
|
g.Expect(err).To(BeNil())
|
|
|
|
if tt.expectedLogin {
|
|
g.Expect(loginOpt).ToNot(BeNil())
|
|
} else {
|
|
g.Expect(loginOpt).To(BeNil())
|
|
}
|
|
})
|
|
}
|
|
}
|