rework unit test
This commit is contained in:
Felix Kunde
parent
1e0b7286bd
commit
b3f4af063d
|
|
@ -727,7 +727,7 @@ func (c *Cluster) updateSecret(
|
||||||
|
|
||||||
// check if next rotation can happen sooner
|
// check if next rotation can happen sooner
|
||||||
// if rotation interval has been decreased
|
// if rotation interval has been decreased
|
||||||
currentRotationDate, _ := c.getNextRotationDate(currentTime)
|
currentRotationDate, nextRotationDateStr := c.getNextRotationDate(currentTime)
|
||||||
if nextRotationDate.After(currentRotationDate) {
|
if nextRotationDate.After(currentRotationDate) {
|
||||||
nextRotationDate = currentRotationDate
|
nextRotationDate = currentRotationDate
|
||||||
}
|
}
|
||||||
|
|
@ -747,8 +747,6 @@ func (c *Cluster) updateSecret(
|
||||||
*retentionUsers = append(*retentionUsers, secretUsername)
|
*retentionUsers = append(*retentionUsers, secretUsername)
|
||||||
}
|
}
|
||||||
secret.Data["password"] = []byte(util.RandomPassword(constants.PasswordLength))
|
secret.Data["password"] = []byte(util.RandomPassword(constants.PasswordLength))
|
||||||
|
|
||||||
_, nextRotationDateStr = c.getNextRotationDate(currentTime)
|
|
||||||
secret.Data["nextRotation"] = []byte(nextRotationDateStr)
|
secret.Data["nextRotation"] = []byte(nextRotationDateStr)
|
||||||
|
|
||||||
updateSecret = true
|
updateSecret = true
|
||||||
|
|
|
||||||
|
|
@ -270,13 +270,29 @@ func TestUpdateSecret(t *testing.T) {
|
||||||
|
|
||||||
clusterName := "acid-test-cluster"
|
clusterName := "acid-test-cluster"
|
||||||
namespace := "default"
|
namespace := "default"
|
||||||
username := "foo"
|
dbname := "app"
|
||||||
|
dbowner := "appowner"
|
||||||
secretTemplate := config.StringTemplate("{username}.{cluster}.credentials")
|
secretTemplate := config.StringTemplate("{username}.{cluster}.credentials")
|
||||||
rotationUsers := make(spec.PgUserMap)
|
rotationUsers := make(spec.PgUserMap)
|
||||||
retentionUsers := make([]string, 0)
|
retentionUsers := make([]string, 0)
|
||||||
yesterday := time.Now().AddDate(0, 0, -1)
|
|
||||||
|
|
||||||
// new cluster with pvc storage resize mode and configured labels
|
// define manifest users and enable rotation for dbowner
|
||||||
|
pg := acidv1.Postgresql{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: clusterName,
|
||||||
|
Namespace: namespace,
|
||||||
|
},
|
||||||
|
Spec: acidv1.PostgresSpec{
|
||||||
|
Databases: map[string]string{dbname: dbowner},
|
||||||
|
Users: map[string]acidv1.UserFlags{"foo": {}, dbowner: {}},
|
||||||
|
UsersWithInPlaceSecretRotation: []string{dbowner},
|
||||||
|
Volume: acidv1.Volume{
|
||||||
|
Size: "1Gi",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
// new cluster with enabled password rotation
|
||||||
var cluster = New(
|
var cluster = New(
|
||||||
Config{
|
Config{
|
||||||
OpConfig: config.Config{
|
OpConfig: config.Config{
|
||||||
|
|
@ -291,44 +307,61 @@ func TestUpdateSecret(t *testing.T) {
|
||||||
ClusterNameLabel: "cluster-name",
|
ClusterNameLabel: "cluster-name",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}, client, acidv1.Postgresql{}, logger, eventRecorder)
|
}, client, pg, logger, eventRecorder)
|
||||||
|
|
||||||
cluster.Name = clusterName
|
cluster.Name = clusterName
|
||||||
cluster.Namespace = namespace
|
cluster.Namespace = namespace
|
||||||
cluster.pgUsers = map[string]spec.PgUser{}
|
cluster.pgUsers = map[string]spec.PgUser{}
|
||||||
cluster.Spec.Users = map[string]acidv1.UserFlags{username: {}}
|
|
||||||
cluster.initRobotUsers()
|
cluster.initRobotUsers()
|
||||||
|
|
||||||
// create a secret for user foo
|
// create secrets
|
||||||
|
cluster.syncSecrets()
|
||||||
|
// initialize rotation with current time
|
||||||
cluster.syncSecrets()
|
cluster.syncSecrets()
|
||||||
|
|
||||||
secret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
|
tomorrow := time.Now().AddDate(0, 0, 2)
|
||||||
assert.NoError(t, err)
|
|
||||||
generatedSecret := cluster.Secrets[secret.UID]
|
|
||||||
|
|
||||||
// now update the secret setting next rotation date (yesterday + interval)
|
for username := range cluster.Spec.Users {
|
||||||
cluster.updateSecret(username, generatedSecret, &rotationUsers, &retentionUsers, yesterday)
|
pgUser := cluster.pgUsers[username]
|
||||||
updatedSecret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
|
|
||||||
assert.NoError(t, err)
|
|
||||||
|
|
||||||
nextRotation := string(updatedSecret.Data["nextRotation"])
|
// first, get the secret
|
||||||
_, nextRotationDate := cluster.getNextRotationDate(yesterday)
|
secret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
|
||||||
if nextRotation != nextRotationDate {
|
assert.NoError(t, err)
|
||||||
t.Errorf("%s: updated secret does not contain correct rotation date: expected %s, got %s", testName, nextRotationDate, nextRotation)
|
secretPassword := string(secret.Data["password"])
|
||||||
}
|
|
||||||
|
|
||||||
// update secret again but use current time to trigger rotation
|
// now update the secret setting a next rotation date (tomorrow + interval)
|
||||||
cluster.updateSecret(username, generatedSecret, &rotationUsers, &retentionUsers, time.Now())
|
cluster.updateSecret(username, secret, &rotationUsers, &retentionUsers, tomorrow)
|
||||||
updatedSecret, err = cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
|
updatedSecret, err := cluster.KubeClient.Secrets(namespace).Get(context.TODO(), secretTemplate.Format("username", username, "cluster", clusterName), metav1.GetOptions{})
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
if len(rotationUsers) != 1 && len(retentionUsers) != 1 {
|
// check that passwords are different
|
||||||
t.Errorf("%s: unexpected number of users to rotate - expected only foo, found %d", testName, len(rotationUsers))
|
rotatedPassword := string(updatedSecret.Data["password"])
|
||||||
}
|
if secretPassword == rotatedPassword {
|
||||||
|
t.Errorf("%s: password unchanged in updated secret for %s", testName, username)
|
||||||
|
}
|
||||||
|
|
||||||
secretUsername := string(updatedSecret.Data["username"])
|
// check that next rotation date is tomorrow + interval, not date in secret + interval
|
||||||
rotatedUsername := username + time.Now().Format("060102")
|
nextRotation := string(updatedSecret.Data["nextRotation"])
|
||||||
if secretUsername != rotatedUsername {
|
_, nextRotationDate := cluster.getNextRotationDate(tomorrow)
|
||||||
t.Errorf("%s: updated secret does not contain correct username: expected %s, got %s", testName, rotatedUsername, secretUsername)
|
if nextRotation != nextRotationDate {
|
||||||
|
t.Errorf("%s: updated secret of %s does not contain correct rotation date: expected %s, got %s", testName, username, nextRotationDate, nextRotation)
|
||||||
|
}
|
||||||
|
|
||||||
|
// compare username, when it's dbowner they should be equal because of UsersWithInPlaceSecretRotation
|
||||||
|
secretUsername := string(updatedSecret.Data["username"])
|
||||||
|
if pgUser.IsDbOwner {
|
||||||
|
if secretUsername != username {
|
||||||
|
t.Errorf("%s: username differs in updated secret: expected %s, got %s", testName, username, secretUsername)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
rotatedUsername := username + tomorrow.Format("060102")
|
||||||
|
if secretUsername != rotatedUsername {
|
||||||
|
t.Errorf("%s: updated secret does not contain correct username: expected %s, got %s", testName, rotatedUsername, secretUsername)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(rotationUsers) != 1 && len(retentionUsers) != 1 {
|
||||||
|
t.Errorf("%s: unexpected number of users to rotate - expected only %s, found %d", testName, username, len(rotationUsers))
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue