def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace): print("Step 1: execute check after secrets creation") execute_checks(jwt_auth_setup, step_1_expected_results) print("Step 2: replace master secret") replace_secret( kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_2_expected_results) print("Step 3: now replace minion secret as well") replace_secret( kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_3_expected_results) print("Step 4: now remove minion secret") delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_4_expected_results) print("Step 5: finally remove master secret as well") delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace): print("Step 1: execute check after secrets creation") execute_checks(jwt_auth_setup, step_1_expected_results) print("Step 2: replace master secret") replace_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_2_expected_results) print("Step 3: now replace minion secret as well") replace_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace, f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml") wait_before_test(1) execute_checks(jwt_auth_setup, step_3_expected_results) print("Step 4: now remove minion secret") delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_4_expected_results) print("Step 5: finally remove master secret as well") delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace) wait_before_test(1) execute_checks(jwt_auth_setup, step_5_expected_results)
def test_response_code_500_with_invalid_secret(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" replace_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret-invalid.yaml") wait_before_test(1) resp = requests.get( req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500
def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml") wait_before_test(1) subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'GB' assert subject_dict[b'ST'] == b'Cambridgeshire' assert subject_dict[b'CN'] == b'cafe.example.com'
def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller, wildcard_tls_secret_setup): replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name, ingress_controller_prerequisites.namespace, f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml") wait_before_test(1) subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip, wildcard_tls_secret_setup.ingress_host, wildcard_tls_secret_setup.public_endpoint.port_ssl) assert subject_dict[b'C'] == b'ES' assert subject_dict[b'ST'] == b'CanaryIslands' assert subject_dict[b'CN'] == b'example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller, virtual_server_setup, clean_up): print("\nStep 1: no secret") assert_unrecognized_name_error(virtual_server_setup) print("\nStep 2: deploy secret and check") secret_name = create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 3: remove secret and check") delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) wait_before_test(1) assert_unrecognized_name_error(virtual_server_setup) print("\nStep 4: restore secret and check") create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 5: deploy invalid secret and check") delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml") wait_before_test(1) assert_unrecognized_name_error(virtual_server_setup) print("\nStep 6: restore secret and check") delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) create_secret_from_yaml( kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml") wait_before_test(1) assert_us_subject(virtual_server_setup) print("\nStep 7: update secret and check") replace_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml") wait_before_test(1) assert_gb_subject(virtual_server_setup)
def test_response_code_403_with_invalid_secret(self, kube_apis, auth_basic_secrets_setup, test_namespace, auth_basic_secret): req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2" replace_secret( kube_apis.v1, auth_basic_secret.secret_name, test_namespace, f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret-invalid.yaml") wait_before_test(1) resp = requests.get( req_url, headers={ "host": auth_basic_secrets_setup.ingress_host, "authorization": f"Basic {to_base64(auth_basic_secrets_setup.credentials)}" }) assert resp.status_code == 403
def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_namespace, tls_setup): print("Step 1: no secret") assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 2: deploy secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 3: remove secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 4: restore secret and check") create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 5: deploy invalid secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.invalid_secret_path) wait_before_test(1) assert_unrecognized_name_error(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 6: restore secret and check") delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace) create_secret_from_yaml(kube_apis.v1, test_namespace, tls_setup.secret_path) wait_before_test(1) assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host) print("Step 7: update secret and check") replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace, tls_setup.new_secret_path) wait_before_test(1) assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, secret_setup, default_server_setup): print("Step 1: ensure CN of the default server TLS cert") assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 2: ensure CN of the default server TLS cert after removing the secret" ) delete_secret(kube_apis.v1, secret_name, secret_namespace) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "NGINXIngressController") print( "Step 3: ensure CN of the default TLS cert after creating an updated secret" ) create_secret_from_yaml(kube_apis.v1, secret_namespace, new_secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 4: ensure CN of the default TLS cert after making the secret invalid" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, invalid_secret_path) wait_before_test(1) # Ingress Controller retains the previous valid secret assert_cn(ingress_controller_endpoint, "cafe.example.com") print( "Step 5: ensure CN of the default TLS cert after restoring the secret" ) replace_secret(kube_apis.v1, secret_name, secret_namespace, secret_path) wait_before_test(1) assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def test_response_code_500_with_invalid_secret(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret): req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2" replace_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret-invalid.yaml") wait_before_test(1) resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token}) assert resp.status_code == 500