1/* 2Copyright 2017 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17package webhook 18 19import ( 20 stdjson "encoding/json" 21 "fmt" 22 "io" 23 "io/ioutil" 24 "net/http" 25 "net/http/httptest" 26 "os" 27 "reflect" 28 "testing" 29 "time" 30 31 "github.com/stretchr/testify/assert" 32 "github.com/stretchr/testify/require" 33 34 "k8s.io/apimachinery/pkg/runtime" 35 "k8s.io/apimachinery/pkg/runtime/schema" 36 "k8s.io/apimachinery/pkg/runtime/serializer/json" 37 "k8s.io/apimachinery/pkg/util/wait" 38 auditinternal "k8s.io/apiserver/pkg/apis/audit" 39 auditv1 "k8s.io/apiserver/pkg/apis/audit/v1" 40 auditv1beta1 "k8s.io/apiserver/pkg/apis/audit/v1beta1" 41 "k8s.io/apiserver/pkg/audit" 42 "k8s.io/client-go/tools/clientcmd/api/v1" 43) 44 45// newWebhookHandler returns a handler which receives webhook events and decodes the 46// request body. The caller passes a callback which is called on each webhook POST. 47// The object passed to cb is of the same type as list. 
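func newWebhookHandler(t *testing.T, list runtime.Object, cb func(events runtime.Object)) http.Handler {
	s := json.NewSerializer(json.DefaultMetaFactory, audit.Scheme, audit.Scheme, false)
	return &testWebhookHandler{
		t:          t,
		list:       list,
		onEvents:   cb,
		serializer: s,
	}
}

// testWebhookHandler is the http.Handler behind newWebhookHandler: every POST
// body is decoded into a fresh copy of list and handed to onEvents.
type testWebhookHandler struct {
	t *testing.T

	// list is the prototype the request body is decoded into; the decoded
	// object must have exactly this type, no version conversion is applied.
	list     runtime.Object
	onEvents func(events runtime.Object)

	serializer runtime.Serializer
}

// ServeHTTP decodes the request body with the handler's serializer, rejects
// any object whose type differs from list, and otherwise invokes onEvents and
// answers with an empty JSON object. A decode failure is reported on the test
// via assert (this runs on the server goroutine, so Fatal is not an option)
// and answered with a 500 so the webhook client observes the failure as well.
func (t *testWebhookHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	err := t.decodeRequest(r)
	if err == nil {
		if _, werr := io.WriteString(w, "{}"); werr != nil {
			t.t.Logf("writing webhook response: %v", werr)
		}
		return
	}
	// In a goroutine, can't call Fatal.
	assert.NoError(t.t, err, "failed to read request body")
	http.Error(w, err.Error(), http.StatusInternalServerError)
}

// decodeRequest reads one webhook request body, decodes it into a copy of
// list, checks the decoded type and passes the object to onEvents. It returns
// an error naming the first step that failed.
func (t *testWebhookHandler) decodeRequest(r *http.Request) error {
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		return fmt.Errorf("read webhook request body: %v", err)
	}

	obj, _, err := t.serializer.Decode(body, nil, t.list.DeepCopyObject())
	if err != nil {
		return fmt.Errorf("decode request body: %v", err)
	}
	// The serializer may allocate a different type when the body's apiVersion
	// does not match list, so compare the concrete types explicitly.
	if reflect.TypeOf(obj).Elem() != reflect.TypeOf(t.list).Elem() {
		return fmt.Errorf("expected %T, got %T", t.list, obj)
	}
	t.onEvents(obj)
	return nil
}

// newWebhook builds a webhook backend that posts audit events to endpoint
// using the given API group/version. It writes a throwaway kubeconfig with
// TLS verification disabled and removes it again before returning, so the
// backend must have read the file during NewBackend. Failures are fatal.
func newWebhook(t *testing.T, endpoint string, groupVersion schema.GroupVersion) *backend {
	config := v1.Config{
		Clusters: []v1.NamedCluster{
			{Cluster: v1.Cluster{Server: endpoint, InsecureSkipTLSVerify: true}},
		},
	}
	f, err := ioutil.TempFile("", "k8s_audit_webhook_test_")
	require.NoError(t, err, "creating temp file")

	defer func() {
		f.Close()
		os.Remove(f.Name())
	}()

	// NOTE(ericchiang): Do we need to use a proper serializer?
	require.NoError(t, stdjson.NewEncoder(f).Encode(config), "writing kubeconfig")

	retryBackoff := wait.Backoff{
		Duration: 500 * time.Millisecond,
		Factor:   1.5,
		Jitter:   0.2,
		Steps:    5,
	}
	b, err := NewBackend(f.Name(), groupVersion, retryBackoff, nil)
	require.NoError(t, err, "initializing backend")

	return b.(*backend)
}

// TestWebhook sends one event through the backend for every supported API
// version and checks that the receiving handler decoded it.
func TestWebhook(t *testing.T) {
	// The backend version and the list type the handler decodes into must
	// agree: the handler accepts exactly the type it is given (see
	// decodeRequest), so each version is paired with its own EventList.
	versions := []struct {
		gv   schema.GroupVersion
		list runtime.Object
	}{
		{auditv1.SchemeGroupVersion, &auditv1.EventList{}},
		{auditv1beta1.SchemeGroupVersion, &auditv1beta1.EventList{}},
	}
	for _, tc := range versions {
		// A subtest per version so the test server is closed at the end of
		// each iteration instead of piling up until the function returns.
		t.Run(tc.gv.String(), func(t *testing.T) {
			gotEvents := false

			s := httptest.NewServer(newWebhookHandler(t, tc.list, func(events runtime.Object) {
				gotEvents = true
			}))
			defer s.Close()

			backend := newWebhook(t, s.URL, tc.gv)

			// Ensure this doesn't return a serialization error.
			event := &auditinternal.Event{}
			require.NoError(t, backend.processEvents(event), fmt.Sprintf("failed to send events, apiVersion: %s", tc.gv))
			require.True(t, gotEvents, fmt.Sprintf("no events received, apiVersion: %s", tc.gv))
		})
	}
}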