Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add tests for default server #1537

Merged
merged 1 commit into from
Apr 19, 2021
Merged

Add tests for default server #1537

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 8 additions & 0 deletions tests/data/default-server/invalid-tls-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: default-server-secret
type: kubernetes.io/tls
data:
tls.crt:
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBdXh6aXlKNFg5ZVlodGZETXhLYk95S0g1UmdZLzl2ekZkT1BaQUNoNURiemM1bG9yClZsK2J3REt4UU1pNytMcVIxOXZhQVpNczJoM25QcnpVRzVSN3B2aCtTblVIMWw2bHVnYzBibXQ5Sk1TUHFhTHEKOFl1LzNJZGpSUDc3OUdnNUtJdHJRLy9RZW9hZGxTZFdLaUw2R2dwZENXbDErN1Z4dkIzdVNqMFlORjlwaTUxdApKS0pwUDJFM1RwdjZ2VTNEK0lFWVpKTzVoeU5QVWREYU9SMHBnNjczZ0YwTm5NaFdFVDFBbkdRanNCODBCbEVECjdrRE5PVC9tQW9GVWtLU0NWMUxhQ0pZQTlNV0hpL0VESkgrclRJMTZzMGxFMmdWN09neVVwYm1uTG9jM1ZwcjAKYWprRWpHMUlvTUZEeFFRK1NoQUI3Tjl4eHNsY3J3ZkttSkdodHdJREFRQUJBb0lCQUVuZHpXbUZmOUFEV2F1Sgp0RXl0elZSSEhURVhwb2pLb09qVVNnWlY4L1FJYXV4RkRIYThwNi9vVXpGUURXVFR3bCtFMnp0ajdvRHM3UzFIClBqVGxHU3VCVGRuMitYRVhURFYwUXE2VW9JS3pWa09SblU1ZDdSQVNJbzVLV3d6UldEODVTczg5WGdBQXhKVHQKUW9hLzZCdi9tMXJyMXpmWEdWODZNYWY5Rm1FVjI5bmpCcHZ3cUpzOFlUaFU5VE5BRUdnbkxBWGFJYTJZSUJTSgozcVhJd1RrdFBHUUZyZUowdnBiOVlaTkRxWk0rMmI1K3BBVEVXclpyeTQxTlpvdzhNUnVOYnoxVU5sWXkyazZKCjlXclUxUDVYM2l3dEZmcXA3TzREakNOMFR2Y1Y1Nm5QczJoYldDeHp4RmxFalJwNW5KQ3Bsdi9yNCt4eHJVRWQKd0NjU0x3RUNnWUVBOGVDUGM2S2JpSXVFUWxwVjcxTXRQMjdBZzhkMzN5aWZKajAvQ3R3RlF6dlhWcHZCSHFRagphUE1ZaEswZ3o0MzFHMGtqVUpTeUU2STJYVWhFU3gxZUw2TU5sVS9xc29Uc0JaZEV3N0cvMFRhdW1TQUJWemZPCkIvckdtbEZkZitxWVpiR3pIdGtvbVJWb1JqVWtPcGRJL3RnL1ZlSmJ3K1RIS2dYS01NU2V5cjhDZ1lFQXhnbTkKWXN5dVZVUGlEdDhuL1JXeEJwZ1Zqazk0M3BFOVFjK2FVK0VPcGROK2NNQjkvaGJiWUpMZEZ2WUUwd2s1cEQ1SQpibktscjZycndEVUJKNWY2TXM0L3gyS3JISjlCQ3VNT3JyTEVTVm42ZG9NdDhWdEtpQkVLTVFuSnIzYmM4UDV3CnpvVmNhRGl1dCtISjcySG83cG5QQTFhaS9QV1ZwM2pZUTlCSXZ3a0NnWUJRNzkzUXlmYlZxQ25uc2liVFlMZmgKWkFRVGxLbXVDUC9JWWZJNGhndFV4aTkya2NQN3B0MGFmMDRUQjRQVk1DRjJzZkNaUkVpYWZVdEh4Nmppb2I4awpuYUVyOTRRSG5LY0Y3K3BZdWFBQU9CWVFzejcvbW5MZEJMTjBiQW1uaGk3Y3lLdXhoT1VxNUpqeDlWSmNNTWVDClQ0WlNETjY4SEUvdzVlTVVrcGE0TFFLQmdGM0piUXhtUE1XYW9XdERtYytNdjBxTktlQThtTlJtMmlqWnBZL0YKek1jUnN4YTR3ckpicHNkRXBqbmlod1Jlb1JLOGdGYjJLcXRYK2RBTUNpRHpJNFYrRWN4ZVdRVDBFcnlTTFhqawpwbnJLaHdnck5jM1EyeW8zVDZsTHBsMVhvR2p0UndVM09UME9Zd2dvZ1JiQ09xc000bklGVEtrWnNTY2YzdU8yCnQwenBBb0dCQU5Fc1V4Yit6UHpKbEgwL2hOTlhteisvNGx4aXlJb1ZQQXgzaEtBemtjOGtkZzhoS25XWkZhK0YKTjZMOXZjTDhNbnRjNHpmVDdDanNxWGJ2cGUzRUFOeGk4TWRSZzd1Z093L2NiZWdLVklZY3hTdXdRKzYrNUZYOApKRzlhbGxzdXovTk40b2RpMzRvblpEVmRZcURnY2xaZnZucXZKMHZWSzc1VXhQZ3F3aUJQCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
8 changes: 8 additions & 0 deletions tests/data/default-server/new-tls-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: default-server-secret
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQyakNDQXNLZ0F3SUJBZ0lKQU9BV0U3RWVwbmhyTUEwR0NTcUdTSWIzRFFFQkJRVUFNRkV4Q3pBSkJnTlYKQkFZVEFrZENNUmN3RlFZRFZRUUlFdzVEWVcxaWNtbGtaMlZ6YUdseVpURU9NQXdHQTFVRUNoTUZibWRwYm5neApHVEFYQmdOVkJBTVRFR05oWm1VdVpYaGhiWEJzWlM1amIyMHdIaGNOTVRjd056TXhNVEUxTmpVNFdoY05NVGd3Ck56TXhNVEUxTmpVNFdqQlJNUXN3Q1FZRFZRUUdFd0pIUWpFWE1CVUdBMVVFQ0JNT1EyRnRZbkpwWkdkbGMyaHAKY21VeERqQU1CZ05WQkFvVEJXNW5hVzU0TVJrd0Z3WURWUVFERXhCallXWmxMbVY0WVcxd2JHVXVZMjl0TUlJQgpJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBODB0ZUlBTmM2M0dVQnU4U2hsZkh5OE1TCkVkdVE0am1CVm5BRzZ3TTZ5ZHdlbzhNS1MvZDFWSi9qWmRSMytnTVJMU0Y5d0xYU0hTaVBiK0VaOWcxc0RSUDgKWGhxaEhBcyszdnUva0Z5K1ZLYTdneWZwTGJGTkNsOS9vRStKZUxReWh3S2JwS1lrODg0ZDhKaGlhVFJvR05BRgp1S2RFTVRKc2ZHdTVOWGxYdkZxZ0lieWw3d3BCWGF6WXBjZUFoZUQ3azFMTlBNdnpaZ3llcWw0dk9qUDg4ck9vCkJ6Tm1seGdvODQ2VW5SN0c0L3NuZ0RFdVpPZXdYSWZlRVhXZDU1VTVzaFFtZWN6aExiaUducFZUNG9PWGhPWk8KYkd6ejNrY1RJOFlxOVc4eCswVkovaWZKQ0VYVitETzFEUXI2MEZDVTloSnQ3N2kwZ2NGWE9MNk5IYUVyVndJRApBUUFCbzRHME1JR3hNQjBHQTFVZERnUVdCQlJwSkg5b3RWYUtTM3dYV1IwdEZkK0hoQjRUYVRDQmdRWURWUjBqCkJIb3dlSUFVYVNSL2FMVldpa3Q4RjFrZExSWGZoNFFlRTJtaFZhUlRNRkV4Q3pBSkJnTlZCQVlUQWtkQ01SY3cKRlFZRFZRUUlFdzVEWVcxaWNtbGtaMlZ6YUdseVpURU9NQXdHQTFVRUNoTUZibWRwYm5neEdUQVhCZ05WQkFNVApFR05oWm1VdVpYaGhiWEJzWlM1amIyMkNDUURnRmhPeEhxWjRhekFNQmdOVkhSTUVCVEFEQVFIL01BMEdDU3FHClNJYjNEUUVCQlFVQUE0SUJBUUNsdEdaVE5SMFVVdVJqRVQxa1ZDdzB0QXY0YkswdFdUVDNoUVJkbmNkYjZRVGQKQkRUMEFPbjVTL1pSSytVZmJ2cllnSCsyRlZjZVE0Mzc1V2pNWGl4SUJ1QnprZlJMc01EMmZnMmlVc205NXcvUApZUFpmYW9vZjlMTVQ2V3BKYkl5N2VjWHpKZGN3aWJucnRkelc3VHljSE16ODlaZTEvR2xXRHQzZmp4YVlRTDhxCnRyWUFMWVFGU1NqZ2drdGRKeWkzRXdlem9jekV0dGFjSFYrb0xGT3F1c3EvMG83UDFabFJicXdHM3BqWUVHbUcKU3N3cVEzd25YMXpzamtBRFg2bkFCYkdaZHFaMWVZZVlIL0RTQm42ZFNGWjJaZEFRcWxIdTBJSE14aVdIa2poYwpoc1FwbUxNUFg4RTZ4SG5oT1dtbWRJVnAzbUlSdEEyQnhmYzROUWlQCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBODB0ZUlBTmM2M0dVQnU4U2hsZkh5OE1TRWR1UTRqbUJWbkFHNndNNnlkd2VvOE1LClMvZDFWSi9qWmRSMytnTVJMU0Y5d0xYU0hTaVBiK0VaOWcxc0RSUDhYaHFoSEFzKzN2dS9rRnkrVkthN2d5ZnAKTGJGTkNsOS9vRStKZUxReWh3S2JwS1lrODg0ZDhKaGlhVFJvR05BRnVLZEVNVEpzZkd1NU5YbFh2RnFnSWJ5bAo3d3BCWGF6WXBjZUFoZUQ3azFMTlBNdnpaZ3llcWw0dk9qUDg4ck9vQnpObWx4Z284NDZVblI3RzQvc25nREV1ClpPZXdYSWZlRVhXZDU1VTVzaFFtZWN6aExiaUducFZUNG9PWGhPWk9iR3p6M2tjVEk4WXE5Vzh4KzBWSi9pZkoKQ0VYVitETzFEUXI2MEZDVTloSnQ3N2kwZ2NGWE9MNk5IYUVyVndJREFRQUJBb0lCQUhEeGxBaVloeEpsNzZvbwpZaGtydHZ6STJpS2dJMnBoOThFQTBMVlpFbm1UVGtZSHpVZm00UGtnSUppdFFlVTJkMHJVT1dTMUE0MjF2cURaCmh3dkt2MVp5NkwxbTcxUHRoSXBQcEdhSUozTjAwNmZYWjFCbTlyVFNFSldEVnZaSjhRcnNFd1VrZkJNU3BLT0UKbW1yc2dVYkRpMlJsZ2lxMGxkaE15ZlloRnJIQkdNYy9yWmh6ZkZucHNPSzhzRlArTTUvSVhkUjYyS21TemFrdgpLcE55TDZ5dmFUWTZ5dGwwRTd3NE1VREtGZ28wczhIdHdNdHdtWXE5aUFpdVhnOUhnOFp0VExIVnREWDlBVGRJCjliZVB0TUFDdWdEd3daZ2ppMEdTd2h0dkdmZFhleE1OaUhFWGVVaWpVMUVMWVFVWGZ3TUF0Y3hQbGF1dTZUU1YKNGZhc1lJRUNnWUVBL1pIbDBkdFgyQ25IZGJjdWExZ2xVMHo1RHZXTVMyVHFSaHNTM3JsaEZNeFJ6cGlkTHVLaApzS2xiblQyOElZNDRaUFBic1U4QVUvK0E5QWVPZmx6dG5xZ3RFemphVW4wTzJ2c2NLUUpNWXY3N0lzcStrV3BtCjZBNVIxSDdGbzk4SGRxSmRnZ3pSenVZeDRkOTYrWTk3SUJRV0psSVZ2MW56R1RGVWNPYVhlNzhDZ1lFQTlhQkMKb0hIdDRKTVlxRHJBZ1BIVnRpaWhoWDJpT3RsamxMUy9pVXVhenBSaUVhajdsZGZoTURGVG9xNkZId0ZCelErVwpCV09TNTlBQ1lYaVZKTS9nRHJRaVNWQ3QyRTFMa2dYTmVMQWJYaUJZSXcwNlQ4eDhsSmRTZzdid01OTU93SDBzClpMOUdLbm9zSWdqaS9MMDZaUndsOFBCU1hWVUF3VU9yV2RaakZta0NnWUI1bVRHZ3haTUdzbUpZYlJQeG5qK28KQnMyWkF0L1lkL2h3emlMcWMvTytTWTBoaWNZMjZhK29URThHeE1nblAxQ0QrUDF0dGZqdVR5VEQ0YXZQcFRpKwpVTi9zeStMR2svby93UlBzQnBJakZ5dlByM0pid2E2L3NiNUVMTmNTa3EyOWtuZE5HbUN5MjJrb2JFZEl6aW01ClpHaUt6K3BsN1BqTEtBRGFjM3BKZVFLQmdDRGlVY2sxTjRtblo5ZXQ5ZlBOYkxVMGYxdGwxSUJZZGxLRVdGaEQKUFBpSE9SSHdNNjU5OW5JRFNKVXhGRFZ3YjZUS2YyVTlUWCtuZzRvVklMS0srZzQ5NDVFNU1lMFJmQnFTbUUyZQpGaXZsM0tia3NIZmFncHRLSHd2dlEvemxaTVkwZStzSkNKWExRWGxWQXo2ZS91Qm1nbFhkZHNsMEJlUFo4V2pYCm9QQnhBb0dCQUlHQW1Oek1xNi8yS0NOQ3VmWkVDZGJ5NEMwVnVwTTJ4aHZkSmJ6Z2F0cFVxZ2d6LytzQlNBNVcKTzlXd21uQmFZdFBUcHZWdXFXUU9mYmF0RERmMlJab2lOUnBlMGQwdE9GeVFrZEh3UUVDdCtFYTZIMWpRYkh2MwoxVnFGeTBDbDFxYmZRektibzdaMmh4NnlXbElBaUJ6Yy8yeWt3cEhZbzdiMFo4K3ltOUtiCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
91 changes: 91 additions & 0 deletions tests/suite/test_default_server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
from ssl import SSLError

import pytest

from suite.resources_utils import create_secret_from_yaml, is_secret_present, delete_secret, wait_before_test, \
ensure_connection, replace_secret
from suite.ssl_utils import get_server_certificate_subject
from settings import TEST_DATA, DEPLOYMENTS


def assert_cn(endpoint, cn):
host = "random" # any host would work
subject_dict = get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
Copy link
Contributor

@soneillf5 soneillf5 Apr 16, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we pass null or empty string or update the function to take the parameter optionally ? Or remove the host param if its not needed?

Copy link
Contributor Author

@pleshakov pleshakov Apr 16, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while to test the default server we can use any host value, I think it's better to control that host value here in assert_cn, rather than coming up with the default value in get_server_certificate_subject. the other places we use that function (test_tls.py, test_virtual_server_tls.py and test_wildcard_tls_secret.py) all need to set a specific host header and can't rely on any default value.

the purpose of the default server is to handle requests for unknown hosts - hosts for which there is no Ingress/VS resources. So that's why random works. But it could as well be "example.com" or "1.1.1.1".

assert subject_dict[b'CN'] == cn.encode('ascii')


def assert_unrecognized_name_error(endpoint):
try:
host = "random" # any host would work
get_server_certificate_subject(endpoint.public_ip, host, endpoint.port_ssl)
pytest.fail("We expected an SSLError here, but didn't get it or got another error. Exiting...")
except SSLError as e:
assert "SSL" in e.library
assert "TLSV1_UNRECOGNIZED_NAME" in e.reason


secret_path=f"{DEPLOYMENTS}/common/default-server-secret.yaml"
test_data_path=f"{TEST_DATA}/default-server"
invalid_secret_path=f"{test_data_path}/invalid-tls-secret.yaml"
new_secret_path=f"{test_data_path}/new-tls-secret.yaml"
secret_name="default-server-secret"
secret_namespace="nginx-ingress"


@pytest.fixture(scope="class")
def default_server_setup(ingress_controller_endpoint, ingress_controller):
ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/")


@pytest.fixture(scope="class")
def secret_setup(request, kube_apis):
def fin():
if is_secret_present(kube_apis.v1, secret_name, secret_namespace):
print("cleaning up secret!")
delete_secret(kube_apis.v1, secret_name, secret_namespace)
# restore the original secret created in ingress_controller_prerequisites fixture
create_secret_from_yaml(kube_apis.v1, secret_namespace, secret_path)

request.addfinalizer(fin)


@pytest.mark.ingresses
class TestDefaultServer:
def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, secret_setup, default_server_setup):
print("Step 1: ensure CN of the default server TLS cert")
assert_cn(ingress_controller_endpoint, "NGINXIngressController")

print("Step 2: ensure CN of the default server TLS cert after removing the secret")
delete_secret(kube_apis.v1, secret_name, secret_namespace)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "NGINXIngressController")

print("Step 3: ensure CN of the default TLS cert after creating an updated secret")
create_secret_from_yaml(kube_apis.v1, secret_namespace, new_secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "cafe.example.com")

print("Step 4: ensure CN of the default TLS cert after making the secret invalid")
replace_secret(kube_apis.v1, secret_name, secret_namespace, invalid_secret_path)
wait_before_test(1)
# Ingress Controller retains the previous valid secret
assert_cn(ingress_controller_endpoint, "cafe.example.com")

print("Step 5: ensure CN of the default TLS cert after restoring the secret")
replace_secret(kube_apis.v1, secret_name, secret_namespace, secret_path)
wait_before_test(1)
assert_cn(ingress_controller_endpoint, "NGINXIngressController")

@pytest.mark.parametrize(
"ingress_controller",
[
pytest.param(
{"extra_args": ["-default-server-tls-secret="]},
),
],
indirect=True,
)
def test_without_default_tls_secret(self, ingress_controller_endpoint, default_server_setup):
print("Ensure connection to HTTPS cannot be established")
assert_unrecognized_name_error(ingress_controller_endpoint)