def test_jwt_auth_response_codes_and_location(self, kube_apis,
jwt_auth_setup,
test_namespace):
print("Step 1: execute check after secrets creation")
execute_checks(jwt_auth_setup, step_1_expected_results)
print("Step 2: replace master secret")
replace_secret(
kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_2_expected_results)
print("Step 3: now replace minion secret as well")
replace_secret(
kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_3_expected_results)
print("Step 4: now remove minion secret")
delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name,
test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_4_expected_results)
print("Step 5: finally remove master secret as well")
delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name,
test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_5_expected_results)
def test_jwt_auth_response_codes_and_location(self, kube_apis, jwt_auth_setup, test_namespace):
print("Step 1: execute check after secrets creation")
execute_checks(jwt_auth_setup, step_1_expected_results)
print("Step 2: replace master secret")
replace_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-master-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_2_expected_results)
print("Step 3: now replace minion secret as well")
replace_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace,
f"{TEST_DATA}/jwt-auth-mergeable/jwt-minion-secret-updated.yaml")
wait_before_test(1)
execute_checks(jwt_auth_setup, step_3_expected_results)
print("Step 4: now remove minion secret")
delete_secret(kube_apis.v1, jwt_auth_setup.minion_secret_name, test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_4_expected_results)
print("Step 5: finally remove master secret as well")
delete_secret(kube_apis.v1, jwt_auth_setup.master_secret_name, test_namespace)
wait_before_test(1)
execute_checks(jwt_auth_setup, step_5_expected_results)
def test_response_code_500_with_invalid_secret(self, kube_apis,
jwt_secrets_setup,
test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
replace_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace,
f"{TEST_DATA}/jwt-secrets/jwt-secret-invalid.yaml")
wait_before_test(1)
resp = requests.get(
req_url,
headers={"host": jwt_secrets_setup.ingress_host},
cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'ES'
assert subject_dict[b'ST'] == b'CanaryIslands'
assert subject_dict[b'CN'] == b'example.com'
def test_certificate_subject_remains_with_invalid_secret(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'ES'
assert subject_dict[b'ST'] == b'CanaryIslands'
assert subject_dict[b'CN'] == b'example.com'
def test_certificate_subject_updates_after_secret_update(self, kube_apis, ingress_controller_prerequisites, wildcard_tls_secret_ingress_controller,
wildcard_tls_secret_setup):
replace_secret(kube_apis.v1, wildcard_tls_secret_ingress_controller.secret_name,
ingress_controller_prerequisites.namespace,
f"{TEST_DATA}/wildcard-tls-secret/gb-wildcard-tls-secret.yaml")
wait_before_test(1)
subject_dict = get_server_certificate_subject(wildcard_tls_secret_setup.public_endpoint.public_ip,
wildcard_tls_secret_setup.ingress_host,
wildcard_tls_secret_setup.public_endpoint.port_ssl)
assert subject_dict[b'C'] == b'GB'
assert subject_dict[b'ST'] == b'Cambridgeshire'
assert subject_dict[b'CN'] == b'cafe.example.com'
def test_tls_termination(self, kube_apis, crd_ingress_controller,
virtual_server_setup, clean_up):
print("\nStep 1: no secret")
assert_unrecognized_name_error(virtual_server_setup)
print("\nStep 2: deploy secret and check")
secret_name = create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 3: remove secret and check")
delete_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace)
wait_before_test(1)
assert_unrecognized_name_error(virtual_server_setup)
print("\nStep 4: restore secret and check")
create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 5: deploy invalid secret and check")
delete_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace)
create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/invalid-tls-secret.yaml")
wait_before_test(1)
assert_unrecognized_name_error(virtual_server_setup)
print("\nStep 6: restore secret and check")
delete_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace)
create_secret_from_yaml(
kube_apis.v1, virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml")
wait_before_test(1)
assert_us_subject(virtual_server_setup)
print("\nStep 7: update secret and check")
replace_secret(kube_apis.v1, secret_name,
virtual_server_setup.namespace,
f"{TEST_DATA}/virtual-server-tls/new-tls-secret.yaml")
wait_before_test(1)
assert_gb_subject(virtual_server_setup)
def test_response_code_403_with_invalid_secret(self, kube_apis,
auth_basic_secrets_setup,
test_namespace,
auth_basic_secret):
req_url = f"http://{auth_basic_secrets_setup.public_endpoint.public_ip}:{auth_basic_secrets_setup.public_endpoint.port}/backend2"
replace_secret(
kube_apis.v1, auth_basic_secret.secret_name, test_namespace,
f"{TEST_DATA}/auth-basic-secrets/auth-basic-secret-invalid.yaml")
wait_before_test(1)
resp = requests.get(
req_url,
headers={
"host":
auth_basic_secrets_setup.ingress_host,
"authorization":
f"Basic {to_base64(auth_basic_secrets_setup.credentials)}"
})
assert resp.status_code == 403
def test_tls_termination(self, kube_apis, ingress_controller_endpoint,
test_namespace, tls_setup):
print("Step 1: no secret")
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 2: deploy secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 3: remove secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 4: restore secret and check")
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 5: deploy invalid secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.invalid_secret_path)
wait_before_test(1)
assert_unrecognized_name_error(ingress_controller_endpoint,
tls_setup.ingress_host)
print("Step 6: restore secret and check")
delete_secret(kube_apis.v1, tls_setup.secret_name, test_namespace)
create_secret_from_yaml(kube_apis.v1, test_namespace,
tls_setup.secret_path)
wait_before_test(1)
assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
print("Step 7: update secret and check")
replace_secret(kube_apis.v1, tls_setup.secret_name, test_namespace,
tls_setup.new_secret_path)
wait_before_test(1)
assert_gb_subject(ingress_controller_endpoint, tls_setup.ingress_host)
def test_with_default_tls_secret(self, kube_apis,
ingress_controller_endpoint, secret_setup,
default_server_setup):
print("Step 1: ensure CN of the default server TLS cert")
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 2: ensure CN of the default server TLS cert after removing the secret"
)
delete_secret(kube_apis.v1, secret_name, secret_namespace)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
print(
"Step 3: ensure CN of the default TLS cert after creating an updated secret"
)
create_secret_from_yaml(kube_apis.v1, secret_namespace,
new_secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 4: ensure CN of the default TLS cert after making the secret invalid"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
invalid_secret_path)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "cafe.example.com")
print(
"Step 5: ensure CN of the default TLS cert after restoring the secret"
)
replace_secret(kube_apis.v1, secret_name, secret_namespace,
secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "NGINXIngressController")
def test_response_code_500_with_invalid_secret(self, kube_apis, jwt_secrets_setup, test_namespace, jwt_secret):
req_url = f"http://{jwt_secrets_setup.public_endpoint.public_ip}:{jwt_secrets_setup.public_endpoint.port}/backend2"
replace_secret(kube_apis.v1, jwt_secret.secret_name, test_namespace, f"{TEST_DATA}/jwt-secrets/jwt-secret-invalid.yaml")
wait_before_test(1)
resp = requests.get(req_url, headers={"host": jwt_secrets_setup.ingress_host}, cookies={"auth_token": jwt_secrets_setup.jwt_token})
assert resp.status_code == 500
