Skip to content

Commit

Permalink
Remove leftover mocks and misleading tests
Browse files Browse the repository at this point in the history 
Signed-off-by: Michael Shen <mshen@redhat.com>
  • Loading branch information
@mjlshen
mjlshen committed Nov 19, 2023
1 parent d95a734 commit 2142d25
Show file tree
Hide file tree
Showing 6 changed files with 143 additions and 539 deletions.
284 changes: 56 additions & 228 deletions cmd/ocm-backplane/cloud/common_test.go
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,9 @@
package cloud

import (
"context"
"errors"
"fmt"
"io"
"net/http"
"strings"
"time"
"testing"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/credentials"
Expand All @@ -16,10 +12,8 @@ import (
"github.com/golang/mock/gomock"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
v1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
"github.com/openshift/backplane-cli/pkg/awsutil"
cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
"github.com/openshift/backplane-cli/pkg/cli/config"
"github.com/openshift/backplane-cli/pkg/client/mocks"
"github.com/openshift/backplane-cli/pkg/utils"
mocks2 "github.com/openshift/backplane-cli/pkg/utils/mocks"
)
Expand All @@ -30,21 +24,17 @@ var _ = Describe("getIsolatedCredentials", func() {
mockCtrl *gomock.Controller
mockOcmInterface *mocks2.MockOCMInterface
mockClientUtil *mocks2.MockClientUtils
mockClient *mocks.MockClientInterface

testOcmToken string
testClusterID string
testAccessKeyID string
testSecretAccessKey string
testSessionToken string
testExpiration time.Time
)

BeforeEach(func() {
mockCtrl = gomock.NewController(GinkgoT())

mockClient = mocks.NewMockClientInterface(mockCtrl)

mockOcmInterface = mocks2.NewMockOCMInterface(mockCtrl)
utils.DefaultOCMInterface = mockOcmInterface

Expand All @@ -56,61 +46,13 @@ var _ = Describe("getIsolatedCredentials", func() {
testAccessKeyID = "test-access-key-id"
testSecretAccessKey = "test-secret-access-key"
testSessionToken = "test-session-token"
testExpiration = time.UnixMilli(1691606228384)
})

AfterEach(func() {
mockCtrl.Finish()
})

Context("Execute getIsolatedCredentials", func() {
It("should return AWS STS credentials", func() {
mockOcmInterface.EXPECT().GetOCMAccessToken().Return(&testOcmToken, nil).Times(1)
GetBackplaneConfiguration = func() (bpConfig config.BackplaneConfiguration, err error) {
return config.BackplaneConfiguration{
URL: "testUrl.com",
ProxyURL: "testProxyUrl.com",
AssumeInitialArn: "arn:aws:iam::123456789:role/ManagedOpenShift-Support-Role",
}, nil
}
StsClientWithProxy = func(proxyURL string) (*sts.Client, error) {
return &sts.Client{}, nil
}
AssumeRoleWithJWT = func(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
}, nil
}
NewStaticCredentialsProvider = func(key, secret, session string) credentials.StaticCredentialsProvider {
return credentials.StaticCredentialsProvider{}
}
mockClientUtil.EXPECT().MakeRawBackplaneAPIClientWithAccessToken("testUrl.com", testOcmToken).Return(mockClient, nil).Times(1)
mockClient.EXPECT().GetAssumeRoleSequence(context.TODO(), testClusterID).Return(&http.Response{
StatusCode: 200,
Body: io.NopCloser(strings.NewReader(`{"assumption_sequence":[{"name": "name_one", "arn": "arn_one"},{"name": "name_two", "arn": "arn_two"}]}`)),
}, nil).Times(1)
AssumeRoleSequence = func(roleSessionName string, seedClient stscreds.AssumeRoleAPIClient, roleArnSequence []string, proxyURL string, stsClientProviderFunc awsutil.STSClientProviderFunc) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
Expires: testExpiration,
}, nil
}

credentials, err := getIsolatedCredentials(testClusterID)
Expect(err).To(BeNil())
Expect(credentials).To(Equal(aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
Source: "",
CanExpire: false,
Expires: testExpiration,
}))
})
It("should fail if no argument is provided", func() {
_, err := getIsolatedCredentials("")
Expect(err).To(Equal(fmt.Errorf("must provide non-empty cluster ID")))
Expand Down Expand Up @@ -229,134 +171,51 @@ var _ = Describe("getIsolatedCredentials", func() {
_, err := getIsolatedCredentials(testClusterID)
Expect(err.Error()).To(Equal("failed to create backplane client with access token: foo"))
})
It("should fail if cannot retrieve role sequence", func() {
mockOcmInterface.EXPECT().GetOCMAccessToken().Return(&testOcmToken, nil).Times(1)
GetBackplaneConfiguration = func() (bpConfig config.BackplaneConfiguration, err error) {
return config.BackplaneConfiguration{
URL: "testUrl.com",
ProxyURL: "testProxyUrl.com",
AssumeInitialArn: "arn:aws:iam::123456789:role/ManagedOpenShift-Support-Role",
}, nil
}
StsClientWithProxy = func(proxyURL string) (*sts.Client, error) {
return &sts.Client{}, nil
}
AssumeRoleWithJWT = func(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
}, nil
}
NewStaticCredentialsProvider = func(key, secret, session string) credentials.StaticCredentialsProvider {
return credentials.StaticCredentialsProvider{}
}
mockClientUtil.EXPECT().MakeRawBackplaneAPIClientWithAccessToken("testUrl.com", testOcmToken).Return(mockClient, nil).Times(1)
mockClient.EXPECT().GetAssumeRoleSequence(context.TODO(), testClusterID).Return(nil, errors.New("error")).Times(1)

_, err := getIsolatedCredentials(testClusterID)
Expect(err.Error()).To(Equal("failed to fetch arn sequence: error"))
})
It("should fail if fetching assume role sequence doesn't return a 200 status code", func() {
mockOcmInterface.EXPECT().GetOCMAccessToken().Return(&testOcmToken, nil).Times(1)
GetBackplaneConfiguration = func() (bpConfig config.BackplaneConfiguration, err error) {
return config.BackplaneConfiguration{
URL: "testUrl.com",
ProxyURL: "testProxyUrl.com",
AssumeInitialArn: "arn:aws:iam::123456789:role/ManagedOpenShift-Support-Role",
}, nil
}
StsClientWithProxy = func(proxyURL string) (*sts.Client, error) {
return &sts.Client{}, nil
}
AssumeRoleWithJWT = func(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
}, nil
}
NewStaticCredentialsProvider = func(key, secret, session string) credentials.StaticCredentialsProvider {
return credentials.StaticCredentialsProvider{}
}
mockClientUtil.EXPECT().MakeRawBackplaneAPIClientWithAccessToken("testUrl.com", testOcmToken).Return(mockClient, nil).Times(1)
mockClient.EXPECT().GetAssumeRoleSequence(context.TODO(), testClusterID).Return(&http.Response{
StatusCode: 401,
Status: "Unauthorized",
Body: io.NopCloser(strings.NewReader(`{"assumption_sequence":[{"name": "name_one", "arn": "arn_one"},{"name": "name_two", "arn": "arn_two"}]}`)),
}, nil).Times(1)
})
})

_, err := getIsolatedCredentials(testClusterID)
Expect(err.Error()).To(Equal("failed to fetch arn sequence: Unauthorized"))
})
It("should fail if it cannot unmarshal backplane API response", func() {
mockOcmInterface.EXPECT().GetOCMAccessToken().Return(&testOcmToken, nil).Times(1)
GetBackplaneConfiguration = func() (bpConfig config.BackplaneConfiguration, err error) {
return config.BackplaneConfiguration{
URL: "testUrl.com",
ProxyURL: "testProxyUrl.com",
AssumeInitialArn: "arn:aws:iam::123456789:role/ManagedOpenShift-Support-Role",
}, nil
}
StsClientWithProxy = func(proxyURL string) (*sts.Client, error) {
return &sts.Client{}, nil
}
AssumeRoleWithJWT = func(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
}, nil
}
NewStaticCredentialsProvider = func(key, secret, session string) credentials.StaticCredentialsProvider {
return credentials.StaticCredentialsProvider{}
// newTestCluster assembles a *cmv1.Cluster while handling the error to help out with inline test-case generation
func newTestCluster(t *testing.T, cb *cmv1.ClusterBuilder) *cmv1.Cluster {
cluster, err := cb.Build()
if err != nil {
t.Fatalf("failed to build cluster: %s", err)
}

return cluster
}

func TestIsIsolatedBackplaneAccess(t *testing.T) {
tests := []struct {
name string
cluster *cmv1.Cluster
expected bool
}{
{
name: "AWS non-STS",
cluster: newTestCluster(t, cmv1.NewCluster().AWS(cmv1.NewAWS().STS(cmv1.NewSTS().Enabled(false)))),
expected: false,
},
{
name: "GCP",
cluster: newTestCluster(t, cmv1.NewCluster().GCP(cmv1.NewGCP())),
expected: false,
},
}

//cmv1.NewStsSupportJumpRole().RoleArn(OldFlowSupportRole)
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
actual, err := isIsolatedBackplaneAccess(test.cluster)
if err != nil {
t.Errorf("unexpected err: %v", err)
}

if test.expected != actual {
t.Errorf("expected: %v, got: %v", test.expected, actual)
}
mockClientUtil.EXPECT().MakeRawBackplaneAPIClientWithAccessToken("testUrl.com", testOcmToken).Return(mockClient, nil).Times(1)
mockClient.EXPECT().GetAssumeRoleSequence(context.TODO(), testClusterID).Return(&http.Response{
StatusCode: 200,
Body: io.NopCloser(strings.NewReader("")),
}, nil).Times(1)

_, err := getIsolatedCredentials(testClusterID)
Expect(err.Error()).To(Equal("failed to unmarshal response: unexpected end of JSON input"))
})
It("should fail if it cannot assume the role sequence", func() {
mockOcmInterface.EXPECT().GetOCMAccessToken().Return(&testOcmToken, nil).Times(1)
GetBackplaneConfiguration = func() (bpConfig config.BackplaneConfiguration, err error) {
return config.BackplaneConfiguration{
URL: "testUrl.com",
ProxyURL: "testProxyUrl.com",
AssumeInitialArn: "arn:aws:iam::123456789:role/ManagedOpenShift-Support-Role",
}, nil
}
StsClientWithProxy = func(proxyURL string) (*sts.Client, error) {
return &sts.Client{}, nil
}
AssumeRoleWithJWT = func(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error) {
return aws.Credentials{
AccessKeyID: testAccessKeyID,
SecretAccessKey: testSecretAccessKey,
SessionToken: testSessionToken,
}, nil
}
NewStaticCredentialsProvider = func(key, secret, session string) credentials.StaticCredentialsProvider {
return credentials.StaticCredentialsProvider{}
}
mockClientUtil.EXPECT().MakeRawBackplaneAPIClientWithAccessToken("testUrl.com", testOcmToken).Return(mockClient, nil).Times(1)
mockClient.EXPECT().GetAssumeRoleSequence(context.TODO(), testClusterID).Return(&http.Response{
StatusCode: 200,
Body: io.NopCloser(strings.NewReader(`{"assumption_sequence":[{"name": "name_one", "arn": "arn_one"},{"name": "name_two", "arn": "arn_two"}]}`)),
}, nil).Times(1)
AssumeRoleSequence = func(roleSessionName string, seedClient stscreds.AssumeRoleAPIClient, roleArnSequence []string, proxyURL string, stsClientProviderFunc awsutil.STSClientProviderFunc) (aws.Credentials, error) {
return aws.Credentials{}, errors.New("oops")
}

_, err := getIsolatedCredentials(testClusterID)
Expect(err.Error()).To(Equal("failed to assume role sequence: oops"))
})
})

})
}
}

var _ = Describe("isIsolatedBackplaneAccess", func() {
var (
Expand All @@ -380,47 +239,16 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
})

Context("Execute isIsolatedBackplaneAccess", func() {
It("returns false with no error if cluster has no AWS field", func() {
result, err := isIsolatedBackplaneAccess(&v1.Cluster{})

Expect(result).To(Equal(false))
Expect(err).To(BeNil())
})
It("returns false with no error if cluster AWS field has no STS field", func() {
clusterBuilder := v1.ClusterBuilder{}
clusterBuilder.AWS(&v1.AWSBuilder{})
cluster, _ := clusterBuilder.Build()
result, err := isIsolatedBackplaneAccess(cluster)

Expect(result).To(Equal(false))
Expect(err).To(BeNil())
})
It("returns false with no error if cluster is non-STS enabled", func() {
stsBuilder := &v1.STSBuilder{}
stsBuilder.Enabled(false)

awsBuilder := &v1.AWSBuilder{}
awsBuilder.STS(stsBuilder)

clusterBuilder := v1.ClusterBuilder{}
clusterBuilder.AWS(awsBuilder)

cluster, _ := clusterBuilder.Build()
result, err := isIsolatedBackplaneAccess(cluster)

Expect(result).To(Equal(false))
Expect(err).To(BeNil())
})
It("returns an error if fails to get STS Support Jump Role from OCM for STS enabled cluster", func() {
mockOcmInterface.EXPECT().GetStsSupportJumpRoleARN(testClusterID).Return("", errors.New("oops"))

stsBuilder := &v1.STSBuilder{}
stsBuilder := &cmv1.STSBuilder{}
stsBuilder.Enabled(true)

awsBuilder := &v1.AWSBuilder{}
awsBuilder := &cmv1.AWSBuilder{}
awsBuilder.STS(stsBuilder)

clusterBuilder := v1.ClusterBuilder{}
clusterBuilder := cmv1.ClusterBuilder{}
clusterBuilder.AWS(awsBuilder)
clusterBuilder.ID(testClusterID)

Expand All @@ -432,13 +260,13 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
It("returns an error if fails to parse STS Support Jump Role from OCM for STS enabled cluster", func() {
mockOcmInterface.EXPECT().GetStsSupportJumpRoleARN(testClusterID).Return("not-an-arn", nil)

stsBuilder := &v1.STSBuilder{}
stsBuilder := &cmv1.STSBuilder{}
stsBuilder.Enabled(true)

awsBuilder := &v1.AWSBuilder{}
awsBuilder := &cmv1.AWSBuilder{}
awsBuilder.STS(stsBuilder)

clusterBuilder := v1.ClusterBuilder{}
clusterBuilder := cmv1.ClusterBuilder{}
clusterBuilder.AWS(awsBuilder)
clusterBuilder.ID(testClusterID)

Expand All @@ -450,13 +278,13 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
It("returns false with no error for STS enabled cluster with ARN that matches old support flow ARN", func() {
mockOcmInterface.EXPECT().GetStsSupportJumpRoleARN(testClusterID).Return("arn:aws:iam::123456789:role/RH-Technical-Support-Access", nil)

stsBuilder := &v1.STSBuilder{}
stsBuilder := &cmv1.STSBuilder{}
stsBuilder.Enabled(true)

awsBuilder := &v1.AWSBuilder{}
awsBuilder := &cmv1.AWSBuilder{}
awsBuilder.STS(stsBuilder)

clusterBuilder := v1.ClusterBuilder{}
clusterBuilder := cmv1.ClusterBuilder{}
clusterBuilder.AWS(awsBuilder)
clusterBuilder.ID(testClusterID)

Expand All @@ -469,13 +297,13 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
It("returns true with no error for STS enabled cluster with ARN that doesn't match old support flow ARN", func() {
mockOcmInterface.EXPECT().GetStsSupportJumpRoleARN(testClusterID).Return("arn:aws:iam::123456789:role/RH-Technical-Support-12345", nil)

stsBuilder := &v1.STSBuilder{}
stsBuilder := &cmv1.STSBuilder{}
stsBuilder.Enabled(true)

awsBuilder := &v1.AWSBuilder{}
awsBuilder := &cmv1.AWSBuilder{}
awsBuilder.STS(stsBuilder)

clusterBuilder := v1.ClusterBuilder{}
clusterBuilder := cmv1.ClusterBuilder{}
clusterBuilder.AWS(awsBuilder)
clusterBuilder.ID(testClusterID)

Expand Down
Loading

0 comments on commit 2142d25

Please sign in to comment.