Remove error from cert auth and add unit tests

akshaymankar · akshaymankar · commit 2f0a2b4cb1ae · 2019-07-24T00:01:15.000+01:00
diff --git a/kubernetes-client/package.yaml b/kubernetes-client/package.yaml
@@ -23,13 +23,14 @@ tests:
       - kubernetes-client
       - hspec
       - yaml
+      - file-embed
   example:
     main: App.hs
     source-dirs: example
     dependencies:
       - kubernetes-client
 extra-source-files:
-  - test/testdata/*
+  - test/testdata/**/*
   - README.md
 dependencies:
   - base >=4.7 && <5.0
diff --git a/kubernetes-client/src/Kubernetes/Client/Auth/ClientCert.hs b/kubernetes-client/src/Kubernetes/Client/Auth/ClientCert.hs
@@ -1,5 +1,6 @@
 module Kubernetes.Client.Auth.ClientCert where
 
+import Control.Exception.Safe                (Exception, throwM)
 import Data.Text.Encoding
 import Kubernetes.Client.Auth.Internal.Types
 import Kubernetes.Client.Internal.TLSUtils
@@ -13,7 +14,8 @@ clientCertFileAuth auth (tlsParams, cfg) = do
   certFile <- clientCertificate auth
   keyFile <- clientKey auth
   return $ do
-    cert <- credentialLoadX509 certFile keyFile >>= either error return
+    cert <- credentialLoadX509 certFile keyFile
+            >>= either (throwM . CredentialLoadException) return
     let newParams = (setClientCert cert tlsParams)
         newCfg = (disableValidateAuthMethods cfg)
     return (newParams, newCfg)
@@ -33,3 +35,7 @@ clientCertDataAuth auth (tlsParams, cfg) = do
 disableValidateAuthMethods :: KubernetesClientConfig -> KubernetesClientConfig
 disableValidateAuthMethods kcfg = kcfg { configValidateAuthMethods = False }
 
+data CredentialLoadException = CredentialLoadException String
+  deriving Show
+
+instance Exception CredentialLoadException
diff --git a/kubernetes-client/test/Kubernetes/Client/Auth/ClientCertSpec.hs b/kubernetes-client/test/Kubernetes/Client/Auth/ClientCertSpec.hs
@@ -0,0 +1,77 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE TemplateHaskell   #-}
+module Kubernetes.Client.Auth.ClientCertSpec where
+
+import Test.Hspec
+
+import Data.FileEmbed
+import Data.Maybe                        (isJust, isNothing)
+import Data.Text.Encoding                (decodeUtf8)
+import Kubernetes.Client.Auth.ClientCert
+import Kubernetes.Client.KubeConfig
+import Kubernetes.OpenAPI
+import Network.TLS                       (defaultParamsClient)
+
+import qualified Data.ByteString.Base64 as B64
+
+emptyAuthInfo :: AuthInfo
+emptyAuthInfo = AuthInfo Nothing Nothing Nothing Nothing Nothing Nothing Nothing Nothing Nothing Nothing Nothing Nothing
+
+spec :: Spec
+spec = do
+  let inputTLSParams = defaultParamsClient "" ""
+      certFilePath = "test/testdata/certs/certificate.pem"
+      keyFilePath =  "test/testdata/certs/private-key.pem"
+      base64EncodedCert = decodeUtf8 $ B64.encode $(embedFile $ "test/testdata/certs/certificate.pem")
+      base64EncodedKey = decodeUtf8 $ B64.encode $(embedFile $ "test/testdata/certs/private-key.pem")
+  describe "ClientCert File Authentication" $ do
+    context "when cert and key file are provided in AuthInfo" $ do
+      let auth = emptyAuthInfo { clientCertificate = Just $ certFilePath
+                               , clientKey = Just $ keyFilePath }
+      it "should detect client cert file auth" $ do
+        inputConfig <- newConfig
+        isJust (clientCertFileAuth auth (inputTLSParams, inputConfig)) `shouldBe` True
+
+      it "should disable validate auth method" $ do
+        inputConfig <- newConfig
+        case clientCertFileAuth auth (inputTLSParams, inputConfig) of
+          Nothing -> expectationFailure "expected to detect client cert file auth"
+          Just detectedAuth -> do
+            (_, cfg) <- detectedAuth
+            configValidateAuthMethods cfg `shouldBe` False
+
+    it "should return Nothing if the cert file is not provided" $ do
+      let auth = emptyAuthInfo {clientKey = Just "/some/file"}
+      inputConfig <- newConfig
+      isNothing (clientCertFileAuth auth (inputTLSParams, inputConfig)) `shouldBe` True
+
+    it "should return Nothing if the key file is not provided" $ do
+      let auth = emptyAuthInfo {clientCertificate = Just "/some/file"}
+      inputConfig <- newConfig
+      isNothing (clientCertFileAuth auth (undefined, inputConfig)) `shouldBe` True
+
+  describe "ClientCert Data Authentication" $ do
+    context "when cert and key file are provided in AuthInfo" $ do
+      let auth = emptyAuthInfo { clientCertificateData = Just base64EncodedCert
+                               , clientKeyData = Just base64EncodedKey}
+      it "should detect client cert data auth" $ do
+        inputConfig <- newConfig
+        isJust (clientCertDataAuth auth (inputTLSParams, inputConfig)) `shouldBe` True
+
+      it "should disable validate auth method" $ do
+        inputConfig <- newConfig
+        case clientCertDataAuth auth (inputTLSParams, inputConfig) of
+          Nothing -> expectationFailure "expected to detect client cert file auth"
+          Just detectedAuth -> do
+            (_, cfg) <- detectedAuth
+            configValidateAuthMethods cfg `shouldBe` False
+
+    it "should return Nothing if the cert file is not provided" $ do
+      let auth = emptyAuthInfo {clientKeyData = Just base64EncodedKey}
+      inputConfig <- newConfig
+      isNothing (clientCertDataAuth auth (inputTLSParams, inputConfig)) `shouldBe` True
+
+    it "should return Nothing if the key file is not provided" $ do
+      let auth = emptyAuthInfo {clientCertificateData = Just base64EncodedCert}
+      inputConfig <- newConfig
+      isNothing (clientCertDataAuth auth (inputTLSParams, inputConfig)) `shouldBe` True
diff --git a/kubernetes-client/test/Kubernetes/Client/KubeConfigSpec.hs b/kubernetes-client/test/Kubernetes/Client/KubeConfigSpec.hs
@@ -0,0 +1,36 @@
+{-# LANGUAGE OverloadedStrings   #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+module Kubernetes.Client.KubeConfigSpec where
+
+import           Data.Aeson                   (decode, encode, parseJSON,
+                                               toJSON)
+import           Data.Maybe                   (fromJust)
+import           Data.Yaml                    (decodeFile)
+import           Kubernetes.Client.KubeConfig (AuthInfo (..), Cluster (..),
+                                               Config, Context (..),
+                                               getAuthInfo, getCluster,
+                                               getContext)
+import           Test.Hspec
+
+spec :: Spec
+spec = do
+  let getConfig :: IO Config
+      getConfig = fromJust <$> decodeFile "test/testdata/kubeconfig.yaml"
+  describe "FromJSON and ToJSON instances" $ do
+    it "roundtrips successfully" $ do
+      config <- getConfig
+      decode (encode (toJSON config)) `shouldBe` Just config
+  describe "getContext" $ do
+    it "returns the correct context" $ do
+      config <- getConfig
+      getContext config `shouldBe` (Right (Context "cluster-aaa" "user-aaa" Nothing))
+
+  describe "getCluster" $ do
+    it "returns the correct cluster" $ do
+      config <- getConfig
+      server <$> getCluster config `shouldBe` (Right "https://aaa.example.com")
+
+  describe "getAuthInfo" $ do
+    it "returns the correct authInfo" $ do
+      config <- getConfig
+      fst <$> getAuthInfo config `shouldBe` (Right "user-aaa")
diff --git a/kubernetes-client/test/Spec.hs b/kubernetes-client/test/Spec.hs
@@ -1,31 +1 @@
-{-# LANGUAGE OverloadedStrings   #-}
-{-# LANGUAGE ScopedTypeVariables #-}
-
-import           Data.Aeson                   (decode, encode, parseJSON,
-                                               toJSON)
-import           Data.Maybe                   (fromJust)
-import           Data.Yaml                    (decodeFile)
-import           Kubernetes.Client.KubeConfig (AuthInfo (..), Cluster (..),
-                                               Config, Context (..),
-                                               getAuthInfo, getCluster,
-                                               getContext)
-import           Test.Hspec
-
-main :: IO ()
-main = do
-  config :: Config <- fromJust <$> decodeFile "test/testdata/kubeconfig.yaml"
-  hspec $ do
-    describe "FromJSON and ToJSON instances" $ do
-      it "roundtrips successfully" $ do
-        decode (encode (toJSON config)) `shouldBe` Just config
-    describe "getContext" $ do
-      it "returns the correct context" $ do
-        getContext config `shouldBe` (Right (Context "cluster-aaa" "user-aaa" Nothing))
-
-    describe "getCluster" $ do
-      it "returns the correct cluster" $ do
-        server <$> getCluster config `shouldBe` (Right "https://aaa.example.com")
-
-    describe "getAuthInfo" $ do
-      it "returns the correct authInfo" $ do
-        fst <$> getAuthInfo config `shouldBe` (Right "user-aaa")
+{-# OPTIONS_GHC -F -pgmF hspec-discover #-}
diff --git a/kubernetes-client/test/testdata/certs/certificate.pem b/kubernetes-client/test/testdata/certs/certificate.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsDCCAZgCCQCyRyEmfEJy9jANBgkqhkiG9w0BAQUFADAZMRcwFQYDVQQDDA5z
+ZWxmLXNpZ25lZC1jYTAgFw0xOTA3MjMyMTUwMThaGA8yMTI5MDEyNzIxNTAxOFow
+GTEXMBUGA1UEAwwOc2VsZi1zaWduZWQtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDbxmgIae5FUbLu76NmsUbbo7D0Bk6cUpII/lhREQptoL4YkOo3
+MnLVQ6bkTG1hdWkN2A+eDHDJklNR6zzrCAA395lKhCZWSxq9o3AFWFMI8TWSptxL
+X/fl/vDh1pH4u/nGjKC1fSf2F9nvxywIgd0PNttWG8bNMzl3gZULfg0TWKvSX6Ln
+9SLA9Whsr3WMQno46JiKauB7z1+9Qc+26uEOi6kpc2mYIDTCUO5+umUEsV+seQS+
+TUe9lMQCLuZVmnWoygbCx5+eXm//iYOBSz8Z5jpEOuA6mY9FJAUU3uoGR656NImZ
+IBjgVSZBIDleq2V/lmdbjHy8GpQTMtButMorAgMBAAEwDQYJKoZIhvcNAQEFBQAD
+ggEBALHSlOI+Ra6QWr5V3FQS2ypkddK19RZ3TxEvCt8Brt2uNBw6Oxw/qLq17xiB
+C7bJV1SA9MNqdv1grk1kVil5aUeAGLIQtVD3C1/qiCgfP+HN1Fb0QnMcxJwESRmc
+TDQoYEkZp/TqgggDbmJD6S91EpXs1QiAvNA5+9L8ikOrOJQeHkzFen9PXoSqkVTl
+XPwOsCIzcBnuq+agt3pkiFcHtm348y4Yjv3kOimAhzanR96DH2DtTBCmDE/cYW7j
+s5aOI/MKlrZxh2gFvgqBZMjVUv8bNuDAU+8prDH4YzsDFeGKD42lDvnL+XQ69xKE
+oLBoM+xTo5QwQp0ZWW3srw47BKo=
+-----END CERTIFICATE-----
diff --git a/kubernetes-client/test/testdata/certs/private-key.pem b/kubernetes-client/test/testdata/certs/private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA28ZoCGnuRVGy7u+jZrFG26Ow9AZOnFKSCP5YUREKbaC+GJDq
+NzJy1UOm5ExtYXVpDdgPngxwyZJTUes86wgAN/eZSoQmVksavaNwBVhTCPE1kqbc
+S1/35f7w4daR+Lv5xoygtX0n9hfZ78csCIHdDzbbVhvGzTM5d4GVC34NE1ir0l+i
+5/UiwPVobK91jEJ6OOiYimrge89fvUHPturhDoupKXNpmCA0wlDufrplBLFfrHkE
+vk1HvZTEAi7mVZp1qMoGwsefnl5v/4mDgUs/GeY6RDrgOpmPRSQFFN7qBkeuejSJ
+mSAY4FUmQSA5Xqtlf5ZnW4x8vBqUEzLQbrTKKwIDAQABAoIBACG0nRHlRSCmdf3F
+DNdcCtT2ltXl/bplw3XTpDHSnjnP9DeKShFrEEd616advgy7WABCiaqgl8+iPFsM
+68vT70ymEYFnIQYNAK3i2fRH5nwxmhjCtHhu4HMKlWDdaoeuNJFp0d/jsPRCFi96
+6Vrop8GElUDwg53G5GJaokQf8dtsbg05Qv0C+BLMjYoXt+OCSYn0Jnzc3YLyn6pf
+0Ubhb5X73+pSFcY0JindJzHo/c3k5255VOorimxSA9Kr0glYJ2MlOuWM7khZfWjJ
+yJPEfa0hM/mPkR2WZ3Rif1Hb01BcrpjsNmQKFDKG+gumxL0CYzUlxOrVI5RO5+yC
+wKw8FYkCgYEA/QSzpNxc+qtYj9lJL3p2sxN8cQNOhDOF3DdEZmwToPF2JQKqnDo0
+5LDugNgUuOilVFYGxmLNC9RMB+PgOT7kHgZY99cZFuUCww85j2NIbdoATXFZvUdD
+O2E9o4X4RQ4+WQTZZ01sfjxMa6Y+t5HC49wvwHwdY0SMA3w6jPkBer8CgYEA3l1q
+yJObFV6rorCoeJIpLPGs1lQpXb0qgENmE6tnwYQ56mIuP0mLiSvqkISWwQyEiPjZ
+g9O70adOLom/0l9ssIsE1bHk/k/391rzYsvXvHM/uuIFNd7yqYApBLXq3jiNZbfq
+CeoWkymez0VOWzgIQxh2UHZ+5+qRSMDgV6hq55UCgYBr00ofcs2pAcZvHyFCO4VE
+UYSRwOAAFNjx/ReIMny29M/te9JrW57Y6tHpVKyYFIUIiNTATLCnXuS75A/VNYkP
+hpL5o9AMYrInoGBeS+g88E96sViWAj2Tm6AiBODFxQkq9JcVn/ghX98NbT6DCnos
+ktRCymHXwQmOHq3xD9jijwKBgGX3KFQ5e0/dTY8Yuugu/bqiR8MwbJeTer2+Kjyy
+yK0wWO5lfxd+PgH0pWcHpal4d/3nPrb4jJOiyHMGr3NkVo7N8LWdEYicWvSOPDT9
+jDvaDUtBAWqmhVe8cRK76Ktl+1C9eRB6y0dIOo6JFVk25HL/8KEM9Tybj2txJm6L
+yBnRAoGBAN3K6EhZ6eO0BorVNi8/5KaE8D0f3ZFEgUBEpVwiJLmL1hXbsiv2JyjE
++dR+reScpl8NODycnnFzBzlIijB52CZWo+cxyFSvZxz3RrJZ8XaM/fg5MgNmcwLQ
+zejmoH7LuYD4z/OaPzgupJZlRUZNADOqZ8alsxSIvOHkImUAT9Q2
+-----END RSA PRIVATE KEY-----
