From 5f1baf8a668a4da6b71d02c0685be42990d89624 Mon Sep 17 00:00:00 2001
From: Maciej Szulik
Date: Mon, 5 Mar 2018 12:13:46 +0100
Subject: [PATCH] Additional audit tests

---
 test/integration/audit_test.go | 69 ++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 3 deletions(-)

diff --git a/test/integration/audit_test.go b/test/integration/audit_test.go
index 462d11b80f64..ea6a54129b6f 100644
--- a/test/integration/audit_test.go
+++ b/test/integration/audit_test.go
@@ -1,21 +1,25 @@
 package integration
 
 import (
+ "io/ioutil"
+ "os"
  "testing"
 
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apiserver/pkg/apis/audit"
  kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 
+ configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
  testutil "github.com/openshift/origin/test/util"
  testserver "github.com/openshift/origin/test/util/server"
 )
 
-func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
+func setupAudit(t *testing.T, auditConfig configapi.AuditConfig) (kclientset.Interface, func()) {
  masterConfig, err := testserver.DefaultMasterOptions()
  if err != nil {
  t.Fatalf("error creating config: %v", err)
  }
- masterConfig.AuditConfig.Enabled = true
+ masterConfig.AuditConfig = auditConfig
  kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
  if err != nil {
  t.Fatalf("error starting server: %v", err)
@@ -30,7 +34,7 @@ func setupAuditTest(t *testing.T) (kclientset.Interface, func()) {
 }
 
 func TestBasicFunctionalityWithAudit(t *testing.T) {
- kubeClient, fn := setupAuditTest(t)
+ kubeClient, fn := setupAudit(t, configapi.AuditConfig{Enabled: true})
  defer fn()
 
  if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
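Review bot: `masterConfig.AuditConfig = auditConfig` in setupAudit replaces the whole audit section instead of setting one field, so any audit settings that DefaultMasterOptions may have filled in are discarded, and a caller passing a zero-value `configapi.AuditConfig{}` gets a master with auditing off from a helper named for auditing. Whether the defaults populate any audit fields is not visible in this hunk, so that is worth confirming. A doc comment would make the contract explicit, for example `// setupAudit starts a master whose AuditConfig is exactly auditConfig (defaults are not merged) and returns a client and a cleanup func.` The body of setupAudit continues past the end of the hunk.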
@@ -39,3 +43,62 @@ func TestBasicFunctionalityWithAudit(t *testing.T) {
 
  // TODO: test oc debug, exec, rsh, port-forward
 }
+
+func TestAuditConfigEmbeded(t *testing.T) {
+ auditConfig := configapi.AuditConfig{
+ Enabled: true,
+ PolicyConfiguration: &audit.Policy{
+ Rules: []audit.PolicyRule{
+ {Level: audit.LevelMetadata},
+ },
+ },
+ }
+ kubeClient, fn := setupAudit(t, auditConfig)
+ defer fn()
+
+ if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+ t.Errorf("Unexpected error watching pods: %v", err)
+ }
+}
+
+func TestAuditConfigV1Alpha1File(t *testing.T) {
+ testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1alpha1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func TestAuditConfigV1Beta1File(t *testing.T) {
+ testAuditConfigFile(t, []byte(`
+apiVersion: audit.k8s.io/v1beta1
+kind: Policy
+rules:
+- level: Metadata
+`))
+}
+
+func testAuditConfigFile(t *testing.T, policy []byte) {
+ tmp, err := ioutil.TempFile("", "audit-policy")
+ if err != nil {
+ t.Fatalf("Cannot create a temporary file: %v", err)
+ }
+ defer os.Remove(tmp.Name())
+ if _, err := tmp.Write(policy); err != nil {
+ t.Fatalf("Cannot write to a temporary file: %v", err)
+ }
+ if err := tmp.Close(); err != nil {
+ t.Fatalf("Cannot close a temporary file: %v", err)
+ }
+ auditConfig := configapi.AuditConfig{
+ Enabled: true,
+ PolicyFile: tmp.Name(),
+ }
+ kubeClient, fn := setupAudit(t, auditConfig)
+ defer fn()
+
+ if _, err := kubeClient.Core().Pods(metav1.NamespaceDefault).Watch(metav1.ListOptions{}); err != nil {
+ t.Errorf("Unexpected error watching pods: %v", err)
+ }
+}
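Review bot: The three new tests (TestAuditConfigEmbeded and the two file-based ones that go through testAuditConfigFile) only check that a pod watch succeeds, so they pass whether or not the policy was actually applied and whether or not any audit event was written. Since the audit log is the control under test, each should also send audit output to a temporary location and assert that an entry for the watch request is recorded at the `Metadata` level; until then a marker such as `// TODO: assert a Metadata-level audit event is recorded for this watch` keeps the gap visible. The value returned by `Watch` is discarded, so the watch is never stopped; keeping it (`w, err := ...Watch(...)`) and adding `defer w.Stop()` would release it. The first test name is misspelled and should read `TestAuditConfigEmbedded`.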