Bug 1986228: NE-310 e2e test for HSTS

openshift · Jul 28, 2021 · c4c3e62 · c4c3e62
1 parent e2cdf40
commit c4c3e62
Show file tree

Hide file tree

Showing 2 changed files with 165 additions and 0 deletions.
diff --git a/test/e2e/hsts_policy_test.go b/test/e2e/hsts_policy_test.go
@@ -0,0 +1,122 @@
+// +build e2e
+
+package e2e
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	configv1 "github.com/openshift/api/config/v1"
+	operatorv1 "github.com/openshift/api/operator/v1"
+	routev1 "github.com/openshift/api/route/v1"
+	"github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// Helper function for int32 pointers
+func intPtr(s int32) *int32 {
+	return &s
+}
+
+func TestHstsPolicyWorks(t *testing.T) {
+	icName := types.NamespacedName{Namespace: operatorNamespace, Name: "hsts-policy"}
+	domain := icName.Name + "." + dnsConfig.Spec.BaseDomain
+	domain2 := icName.Name + "2." + dnsConfig.Spec.BaseDomain
+
+	maxAgePolicy := configv1.MaxAgePolicy{LargestMaxAge: intPtr(99999), SmallestMaxAge: intPtr(1)}
+	domainPatterns := []string{domain, domain2}
+	hstsPolicy := []configv1.RequiredHSTSPolicy{
+		{
+			DomainPatterns:          domainPatterns,
+			PreloadPolicy:           configv1.RequirePreloadPolicy,
+			IncludeSubDomainsPolicy: configv1.RequireIncludeSubDomains,
+			MaxAge:                  maxAgePolicy,
+		},
+	}
+	ic := newPrivateIngress(icName, domain, hstsPolicy)
+	if err := kclient.Create(context.TODO(), ic); err != nil {
+		t.Fatalf("failed to create ingress config %s: %v", icName, err)
+	} else {
+		p := ic.Spec.RequiredHSTSPolicies[0]
+		t.Logf("created an ingress config with DomainPatterns: %v, preload policy: %s, includeSubDomains policy: %s, largest age: %d, smallest age: %d", p.DomainPatterns, p.PreloadPolicy, p.IncludeSubDomainsPolicy, *p.MaxAge.LargestMaxAge, *p.MaxAge.SmallestMaxAge)
+	}
+	defer assertIngressConfigDeleted(t, kclient, ic)
+
+	conditions := []operatorv1.OperatorCondition{
+		{Type: operatorv1.IngressControllerAvailableConditionType, Status: operatorv1.ConditionTrue},
+		{Type: operatorv1.LoadBalancerManagedIngressConditionType, Status: operatorv1.ConditionFalse},
+		{Type: operatorv1.DNSManagedIngressConditionType, Status: operatorv1.ConditionFalse},
+	}
+	io := newPrivateController(icName, domain)
+	if err := kclient.Create(context.TODO(), io); err != nil {
+		t.Fatalf("failed to create ingresscontroller %s: %v", icName, err)
+	}
+	defer assertIngressControllerDeleted(t, kclient, io)
+	if err := waitForIngressControllerCondition(t, kclient, 5*time.Minute, icName, conditions...); err != nil {
+		t.Fatalf("failed to observe expected conditions: %v", err)
+	}
+
+	deployment := &appsv1.Deployment{}
+	if err := kclient.Get(context.TODO(), controller.RouterDeploymentName(io), deployment); err != nil {
+		t.Fatalf("failed to get ingresscontroller deployment: %v", err)
+	}
+
+	service := &corev1.Service{}
+	if err := kclient.Get(context.TODO(), controller.InternalIngressControllerServiceName(io), service); err != nil {
+		t.Fatalf("failed to get ingresscontroller service: %v", err)
+	}
+
+	echoPod := buildEchoPod("hsts-policy-echo", deployment.Namespace)
+	if err := kclient.Create(context.TODO(), echoPod); err != nil {
+		t.Fatalf("failed to create pod %s/%s: %v", echoPod.Namespace, echoPod.Name, err)
+	}
+	defer func() {
+		if err := kclient.Delete(context.TODO(), echoPod); err != nil {
+			t.Fatalf("failed to delete pod %s/%s: %v", echoPod.Namespace, echoPod.Name, err)
+		}
+	}()
+
+	echoService := buildEchoService(echoPod.Name, echoPod.Namespace, echoPod.ObjectMeta.Labels)
+	if err := kclient.Create(context.TODO(), echoService); err != nil {
+		t.Fatalf("failed to create service %s/%s: %v", echoService.Namespace, echoService.Name, err)
+	}
+	defer func() {
+		if err := kclient.Delete(context.TODO(), echoService); err != nil {
+			t.Fatalf("failed to delete service %s/%s: %v", echoService.Namespace, echoService.Name, err)
+		}
+	}()
+
+	// this should pass the HSTS policy validation
+	echoRoute := buildRoute(echoPod.Name, echoPod.Namespace, echoService.Name)
+	echoRoute.Spec = routev1.RouteSpec{Host: domain, TLS: &routev1.TLSConfig{Termination: routev1.TLSTerminationReencrypt}}
+	echoRoute.Annotations = map[string]string{
+		"haproxy.router.openshift.io/hsts_header": "max-age=99999",
+	}
+	if err := kclient.Create(context.TODO(), echoRoute); err != nil {
+		t.Fatalf("failed to create route %s/%s: %v", echoRoute.Namespace, echoRoute.Name, err)
+	} else {
+		t.Logf("created a route %s/%s with annotation %s", echoRoute.Namespace, echoRoute.Name, echoRoute.Annotations)
+	}
+
+	// this should fail the HSTS policy validation
+	echoRoute2 := buildRoute(echoPod.Name+"2", echoPod.Namespace, echoService.Name)
+	echoRoute2.Spec = routev1.RouteSpec{Host: domain2, TLS: &routev1.TLSConfig{Termination: routev1.TLSTerminationReencrypt}}
+	echoRoute2.Annotations = map[string]string{
+		"haproxy.router.openshift.io/hsts_header": "max-age=99999999",
+	}
+	if err := kclient.Create(context.TODO(), echoRoute2); err == nil {
+		t.Fatalf("failed to reject invalid route %s/%s, max-age 99999999", echoRoute2.Namespace, echoRoute2.Name)
+	} else {
+		t.Logf("rejected an invalid route %s/%s with annotation %s: %v", echoRoute2.Namespace, echoRoute2.Name, echoRoute2.Annotations, err)
+	}
+
+	defer func() {
+		if err := kclient.Delete(context.TODO(), echoRoute); err != nil {
+			t.Fatalf("failed to delete route %s/%s: %v", echoRoute.Namespace, echoRoute.Name, err)
+		}
+	}()
+}
diff --git a/test/e2e/operator_test.go b/test/e2e/operator_test.go
@@ -2421,6 +2421,19 @@ func newPrivateController(name types.NamespacedName, domain string) *operatorv1.
 	}
 }
 
+func newPrivateIngress(name types.NamespacedName, domain string, hstsPolicy []configv1.RequiredHSTSPolicy) *configv1.Ingress {
+	return &configv1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: name.Namespace,
+			Name:      name.Name,
+		},
+		Spec: configv1.IngressSpec{
+			Domain:               domain,
+			RequiredHSTSPolicies: hstsPolicy,
+		},
+	}
+}
+
 func waitForAvailableReplicas(t *testing.T, cl client.Client, ic *operatorv1.IngressController, timeout time.Duration, expectedReplicas int32) error {
 	ic = ic.DeepCopy()
 	name := types.NamespacedName{Namespace: ic.Namespace, Name: ic.Name}
@@ -2594,6 +2607,15 @@ func assertIngressControllerDeleted(t *testing.T, cl client.Client, ing *operato
 	}
 }
 
+func assertIngressConfigDeleted(t *testing.T, cl client.Client, ing *configv1.Ingress) {
+	t.Helper()
+	if err := deleteIngressConfig(cl, ing, 2*time.Minute); err != nil {
+		t.Fatalf("WARNING: cloud resources may have been leaked! failed to delete ingressconfig %s: %v", ing.Name, err)
+	} else {
+		t.Logf("deleted ingressconfig %s", ing.Name)
+	}
+}
+
 func deleteIngressController(t *testing.T, cl client.Client, ic *operatorv1.IngressController, timeout time.Duration) error {
 	t.Helper()
 	name := types.NamespacedName{Namespace: ic.Namespace, Name: ic.Name}
@@ -2617,6 +2639,27 @@ func deleteIngressController(t *testing.T, cl client.Client, ic *operatorv1.Ingr
 	return nil
 }
 
+func deleteIngressConfig(cl client.Client, ic *configv1.Ingress, timeout time.Duration) error {
+	name := types.NamespacedName{Namespace: ic.Namespace, Name: ic.Name}
+	if err := cl.Delete(context.TODO(), ic); err != nil {
+		return fmt.Errorf("failed to delete ingress config: %v", err)
+	}
+
+	err := wait.PollImmediate(1*time.Second, timeout, func() (bool, error) {
+		if err := cl.Get(context.TODO(), name, ic); err != nil {
+			if errors.IsNotFound(err) {
+				return true, nil
+			}
+			return false, nil
+		}
+		return false, nil
+	})
+	if err != nil {
+		return fmt.Errorf("timed out waiting for ingress config to be deleted: %v", err)
+	}
+	return nil
+}
+
 func createDefaultCertTestSecret(cl client.Client, name string) (*corev1.Secret, error) {
 	defaultCert := `-----BEGIN CERTIFICATE-----
 MIIDIjCCAgqgAwIBAgIBBjANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCVVMx