Add integration test that covers STS flow from Envoy to Auth backend #20173
Merged
istio-testing merged 8 commits into istio:master from Jan 21, 2020
howardjohn
reviewed
Jan 14, 2020
howardjohn
reviewed
Jan 14, 2020
Member
Author
/test unit-tests_istio
Member
Ah just fatal has that issue. Thanks for the reference
…On Tue, Jan 14, 2020 at 1:30 PM Jimmy Chen ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In security/pkg/stsservice/mock/xdsserver.go
<#20173 (comment)>:
> + if h, ok := metadata[credentialTokenHeaderKey]; ok {
+ if len(h) != 1 {
+ c.t.Errorf("xDS stream (id: %d, url: %s) sends multiple tokens (%d)", id, url, len(h))
+ }
+ if h[0] != c.lastReceivedToken {
+ c.numTokenReceived++
+ c.lastReceivedToken = h[0]
+ }
+ if c.expectedToken != "" && strings.TrimPrefix(h[0], "Bearer ") != c.expectedToken {
+ c.t.Errorf("xDS stream (id: %d, url: %s) sent a token that does "+
+ "not match expected token (%s vs %s)", id, url, h[0], c.expectedToken)
+ } else {
+ c.t.Logf("xDS stream (id: %d, url: %s) has valid token: %v", id, url, h[0])
+ }
+ } else {
+ c.t.Errorf("XDS stream (id: %d, url: %s) does not have token in metadata %+v",
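Review bot: at the top of the hunk, the `len(h) != 1` branch only calls `c.t.Errorf`, which records the failure and keeps executing, so the following `h[0] != c.lastReceivedToken` still runs; if the header key is present with an empty value list, that index panics inside the mock instead of producing the intended error message. Consider returning right after the length error, or guarding the `h[0]` uses with `len(h) > 0`. Separately, the `else` that logs "has valid token" is also reached when `c.expectedToken` is empty, where nothing was compared; a distinct log message for that case would keep the test output accurate.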
I think this works. I insert a c.t.Errorf("dummy error") before return nil
here and the test fails with that error.
From https://golang.org/pkg/testing/#T, it says
A test ends when its Test function returns or calls any of the methods
FailNow, Fatal, Fatalf, SkipNow, Skip, or Skipf. Those methods, as well as
the Parallel method, must be called only from the goroutine running the
Test function. The other reporting methods, such as the variations of Log
and Error, may be called simultaneously from multiple goroutines.
liminw
reviewed
Jan 17, 2020
mandarjog
approved these changes
Jan 21, 2020
Contributor
mandarjog
left a comment
/lgtm
This STS server can be used for telemetry STS testing as well.
Member
Author
Thanks a lot for the review! @liminw and @mandarjog
Added a test framework which starts an STS server, an auth backend, an XDS server and an Envoy.
Envoy loads bootstrap config, and the config specifies gRPC connection to XDS server. The gRPC connection config specifies secure token exchange (STS) for dynamic token.
The gRPC library has a client that sends an STS request to the STS server. STS server calls auth backend for dynamic token, and STS server returns the dynamic token to the client.
On receiving the dynamic token, Envoy sets up XDS stream to the XDS server, and the server validates that dynamic token. After token validation, the XDS server starts pushing config over that stream.
A basic test is added using this framework.
#20133
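The flow described above, as an added Go example (not code from this PR or from Istio): a mock STS endpoint, the client-side exchange, and the xDS-side check of the token metadata. It assumes the exchange uses the OAuth 2.0 Token Exchange (RFC 8693) form parameters; `newSTS`, `exchange`, `checkToken` and the token strings are hypothetical names and constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const grant = "urn:ietf:params:oauth:grant-type:token-exchange" // RFC 8693 (assumed format)

// newSTS is a hypothetical mock STS; issue stands in for the auth backend ("" = reject).
func newSTS(issue func(subject string) string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := issue(r.PostFormValue("subject_token"))
		if r.PostFormValue("grant_type") != grant || tok == "" {
			http.Error(w, "invalid_request", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": tok, "token_type": "Bearer"})
	}))
}

// exchange plays the gRPC client: trade a subject token for a dynamic token.
func exchange(stsURL, subject string) (string, error) {
	resp, err := http.PostForm(stsURL, url.Values{"grant_type": {grant},
		"subject_token": {subject}, "subject_token_type": {"urn:ietf:params:oauth:token-type:jwt"}})
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ AccessToken string `json:"access_token"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil {
		return "", fmt.Errorf("token exchange failed: %s", resp.Status)
	}
	return body.AccessToken, nil
}

// checkToken plays the xDS server: exactly one "Bearer <expected>" metadata value.
func checkToken(values []string, expected string) bool {
	return len(values) == 1 && values[0] == "Bearer "+expected
}

func main() {
	sts := newSTS(func(string) string { return "constructed-dynamic-token" })
	defer sts.Close()
	tok, err := exchange(sts.URL, "constructed-subject-token")
	fmt.Println(tok, err, checkToken([]string{"Bearer " + tok}, tok))
}
```

The length test in `checkToken` short-circuits before `values[0]` is read, so missing or duplicated token metadata is rejected without indexing an empty slice.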