msb-public
/
helm
mirror of https://github.com/helm/helm
1
0
Code Issues Projects Releases Wiki Activity

simplify tests

Browse Source 
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
pull/31212/head
Terry Howe 2 weeks ago
parent eed25dbf70
commit 33ce306b7f
No known key found for this signature in database
1 changed files with 188 additions and 364 deletions
Show Stats Download Patch File Download Diff File

552
pkg/registry/authorizer_test.go
Unescape View File

@ -18,402 +18,226 @@ package registry
import ( import (
"context" "context"
"errors"
"io"
"net/http" "net/http"
"strings" "net/http/httptest"
"testing" "testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"oras.land/oras-go/v2/registry/remote/auth" "oras.land/oras-go/v2/registry/remote/auth"
) )
type roundTripFunc func(*http.Request) (*http.Response, error) type mockCredentialsStore struct {
username string
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) } password string
err error
func newHTTPClient(rt roundTripFunc) *http.Client {
return &http.Client{Transport: rt}
}
func resp(status int, body string) *http.Response {
return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}
} }
// fakeStore is a fake credentials store used to assert it is used when username/password are not set. func (m *mockCredentialsStore) Get(_ context.Context, _ string) (auth.Credential, error) {
type fakeStore struct{ called bool } if m.err != nil {
return auth.EmptyCredential, m.err
func (f *fakeStore) Get(_ context.Context, _ string) (auth.Credential, error) {
f.called = true
return auth.Credential{}, nil
}
func (f *fakeStore) Put(_ context.Context, _ string, _ auth.Credential) error { return nil }
func (f *fakeStore) Delete(_ context.Context, _ string) error { return nil }
func TestNewAuthorizer_UsernamePassword(t *testing.T) {
hc := newHTTPClient(func(r *http.Request) (*http.Response, error) {
// ensure user-agent header is set by authorizer
ua := r.Header.Get("User-Agent")
if ua == "" {
t.Fatalf("expected User-Agent to be set")
}
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "user", "pass")
if !a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should start true")
}
// Verify credential function returns our basic auth creds
cred, err := a.Credential(t.Context(), "example.com")
if err != nil {
t.Fatalf("unexpected err: %v", err)
}
if cred.Username != "user" || cred.Password != "pass" {
t.Fatalf("credential not set correctly: %+v", cred)
} }
// simple do to trigger user-agent path and flip AttemptBearerAuthentication to false return auth.Credential{
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil) Username: m.username,
_, err = a.Do(req) Password: m.password,
if err != nil { }, nil
t.Fatalf("unexpected Do error: %v", err) }
}
if a.AttemptBearerAuthentication { func (m *mockCredentialsStore) Put(_ context.Context, _ string, _ auth.Credential) error {
t.Fatalf("AttemptBearerAuthentication should be false after Do") return nil
}
func (m *mockCredentialsStore) Delete(_ context.Context, _ string) error {
return nil
}
func TestNewAuthorizer(t *testing.T) {
tests := []struct {
name string
username string
password string
}{
{
name: "with username and password",
username: "testuser",
password: "testpass",
},
{
name: "without credentials",
username: "",
password: "",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
httpClient := &http.Client{}
credStore := &mockCredentialsStore{}
authorizer := NewAuthorizer(httpClient, credStore, tt.username, tt.password)
require.NotNil(t, authorizer)
assert.Equal(t, httpClient, authorizer.Client.Client)
assert.True(t, authorizer.AttemptBearerAuthentication)
assert.NotNil(t, authorizer.Credential)
if tt.username != "" && tt.password != "" {
cred, err := authorizer.Credential(t.Context(), "")
require.NoError(t, err)
assert.Equal(t, tt.username, cred.Username)
assert.Equal(t, tt.password, cred.Password)
}
})
} }
} }
func TestNewAuthorizer_CredentialStoreUsed(t *testing.T) { func TestNewAuthorizer_WithCredentialsStore(t *testing.T) {
fs := &fakeStore{} httpClient := &http.Client{}
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { return resp(200, "ok"), nil }) credStore := &mockCredentialsStore{
a := NewAuthorizer(hc, fs, "", "") username: "storeuser",
// invoke Credential to ensure it delegates to store password: "storepass",
_, _ = a.Credential(t.Context(), "registry.example")
if !fs.called {
t.Fatalf("expected credential store to be called")
} }
}
func TestEnableCache_SetsCache(t *testing.T) { authorizer := NewAuthorizer(httpClient, credStore, "", "")
a := NewAuthorizer(newHTTPClient(func(_ *http.Request) (*http.Response, error) { return resp(200, "ok"), nil }), nil, "", "")
if a.Cache != nil { require.NotNil(t, authorizer)
t.Fatalf("cache should be nil before EnableCache")
} cred, err := authorizer.Credential(t.Context(), "test.com")
a.EnableCache() require.NoError(t, err)
if a.Cache == nil { assert.Equal(t, "storeuser", cred.Username)
t.Fatalf("cache should be set after EnableCache") assert.Equal(t, "storepass", cred.Password)
}
} }
func TestDo_SuccessFirstTry_DisablesAttempt(t *testing.T) { func TestAuthorizer_EnableCache(t *testing.T) {
calls := 0 httpClient := &http.Client{}
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { credStore := &mockCredentialsStore{}
calls++
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://registry.example/v2/", nil)
req.Host = "registry.example" // not ghcr.io
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if calls != 1 {
t.Fatalf("expected 1 call, got %d", calls)
}
if a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should be false after success")
}
}
func TestDo_AuthErrorThenRetry(t *testing.T) { authorizer := NewAuthorizer(httpClient, credStore, "", "")
calls := 0 assert.Nil(t, authorizer.Cache)
hc := newHTTPClient(func(*http.Request) (*http.Response, error) {
calls++
if calls == 1 {
return nil, errors.New("unexpected response status code 401")
}
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error after retry: %v", err)
}
if calls != 2 {
t.Fatalf("expected 2 calls on auth error, got %d", calls)
}
// After a retry that succeeds on second attempt, AttemptBearerAuthentication remains true
// because the flag is only set to false after a successful first attempt
if !a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should remain true after retry path")
}
}
func TestDo_NonAuthErrorReturned(t *testing.T) { authorizer.EnableCache()
calls := 0 assert.NotNil(t, authorizer.Cache)
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) {
calls++
return nil, errors.New("network down")
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
_, err := a.Do(req)
if err == nil || !strings.Contains(err.Error(), "network down") {
t.Fatalf("expected network error, got %v", err)
}
if calls != 1 {
t.Fatalf("expected only 1 call on non-auth error, got %d", calls)
}
// In this branch the code returns before flipping AttemptBearerAuthentication at end of block
if !a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should remain true when returning early on non-auth error")
}
} }
func TestDo_GHCRSkipsFirstAttempt(t *testing.T) { func TestAuthorizer_Do(t *testing.T) {
calls := 0 tests := []struct {
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { name string
calls++ host string
return resp(200, "ok"), nil authHeader string
}) serverStatus int
a := NewAuthorizer(hc, nil, "", "") expectForceOAuth2 bool
req, _ := http.NewRequest(http.MethodGet, "https://ghcr.io/v2/", nil) expectBearerAuthAfter bool
req.Host = "ghcr.io" }{
_, err := a.Do(req) {
if err != nil { name: "successful request without auth header",
t.Fatalf("unexpected error: %v", err) host: "registry.example.com",
} authHeader: "",
if calls != 1 { serverStatus: 200,
t.Fatalf("expected single call for ghcr.io, got %d", calls) expectForceOAuth2: true,
} expectBearerAuthAfter: false,
if a.AttemptBearerAuthentication { },
t.Fatalf("AttemptBearerAuthentication should be false after ghcr path") {
} name: "request with existing auth header",
} host: "registry.example.com",
authHeader: "Bearer token123",
serverStatus: 200,
expectForceOAuth2: false,
expectBearerAuthAfter: true,
},
{
name: "ghcr.io special handling",
host: "ghcr.io",
authHeader: "",
serverStatus: 200,
expectForceOAuth2: false,
expectBearerAuthAfter: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
w.WriteHeader(tt.serverStatus)
w.Write([]byte("success"))
}))
defer server.Close()
func TestDo_WithAuthorizationHeader_SkipsPreflight(t *testing.T) { httpClient := &http.Client{}
calls := 0 credStore := &mockCredentialsStore{}
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) {
calls++
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Header.Set("Authorization", "Bearer token")
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if calls != 1 {
t.Fatalf("expected one direct call when Authorization present, got %d", calls)
}
if !a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should remain true when Authorization header is present")
}
}
func TestDo_ForceAttemptOAuth2_SetForNonGHCR(t *testing.T) { authorizer := NewAuthorizer(httpClient, credStore, "", "")
calls := 0
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) {
calls++
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
// First call should set ForceAttemptOAuth2 to true for non-ghcr.io hosts
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !a.ForceAttemptOAuth2 {
t.Fatalf("ForceAttemptOAuth2 should be true for non-ghcr.io hosts")
}
}
func TestDo_ForceAttemptOAuth2_NotSetForGHCR(t *testing.T) { req, err := http.NewRequest(http.MethodGet, server.URL, nil)
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { require.NoError(t, err)
return resp(200, "ok"), nil req.Host = tt.host
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://ghcr.io/v2/", nil)
req.Host = "ghcr.io"
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if a.ForceAttemptOAuth2 {
t.Fatalf("ForceAttemptOAuth2 should be false for ghcr.io")
}
}
func TestDo_MultipleAuthErrors_RetriesCorrectly(t *testing.T) { if tt.authHeader != "" {
calls := 0 req.Header.Set("Authorization", tt.authHeader)
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { }
calls++
switch calls {
case 1:
return nil, errors.New("unexpected response status code 401: Unauthorized")
case 2:
return resp(200, "ok"), nil
default:
t.Fatalf("unexpected number of calls: %d", calls)
return nil, errors.New("unexpected")
}
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
resp, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Fatalf("expected 200 status, got %d", resp.StatusCode)
}
if calls != 2 {
t.Fatalf("expected exactly 2 calls for retry, got %d", calls)
}
}
func TestDo_403Error_RetriesCorrectly(t *testing.T) { resp, err := authorizer.Do(req)
calls := 0
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) {
calls++
if calls == 1 {
return nil, errors.New("unexpected response status code 403: Forbidden")
}
return resp(200, "ok"), nil
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if calls != 2 {
t.Fatalf("expected 2 calls for 403 error retry, got %d", calls)
}
}
func TestDo_AttemptBearerAuthentication_False_SkipsLogic(t *testing.T) { require.NoError(t, err)
calls := 0 require.NotNil(t, resp)
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { assert.Equal(t, tt.expectBearerAuthAfter, authorizer.AttemptBearerAuthentication)
calls++
return resp(200, "ok"), nil if tt.authHeader == "" {
}) assert.Equal(t, tt.expectForceOAuth2, authorizer.ForceAttemptOAuth2)
a := NewAuthorizer(hc, nil, "", "") }
a.AttemptBearerAuthentication = false // Explicitly set to false
resp.Body.Close()
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil) })
_, err := a.Do(req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if calls != 1 {
t.Fatalf("expected single call when AttemptBearerAuthentication is false, got %d", calls)
}
if a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should remain false")
} }
} }
func TestDo_SequentialRequests_MaintainsState(t *testing.T) { func TestAuthorizer_Do_WithBearerAttemptDisabled(t *testing.T) {
callCount := 0 server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { w.WriteHeader(http.StatusOK)
callCount++ w.Write([]byte("success"))
return resp(200, "ok"), nil }))
}) defer server.Close()
a := NewAuthorizer(hc, nil, "", "")
// First request without auth header
req1, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req1.Host = "example.com"
_, err := a.Do(req1)
if err != nil {
t.Fatalf("first request failed: %v", err)
}
if a.AttemptBearerAuthentication {
t.Fatalf("AttemptBearerAuthentication should be false after first request")
}
// Second request should go straight through httpClient := &http.Client{}
req2, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/charts", nil) credStore := &mockCredentialsStore{}
req2.Host = "example.com"
_, err = a.Do(req2)
if err != nil {
t.Fatalf("second request failed: %v", err)
}
// Should only have made 2 calls total (no retry on second) authorizer := NewAuthorizer(httpClient, credStore, "", "")
if callCount != 2 { authorizer.AttemptBearerAuthentication = false
t.Fatalf("expected 2 total calls, got %d", callCount)
} req, err := http.NewRequest(http.MethodGet, server.URL, nil)
} require.NoError(t, err)
req.Host = "registry.example.com"
func TestDo_ErrorMessageParsing_404NotRetried(t *testing.T) { resp, err := authorizer.Do(req)
calls := 0
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) { require.NoError(t, err)
calls++ require.NotNil(t, resp)
// 404 error should contain "40" but not trigger retry since it's not 401/403 assert.Equal(t, http.StatusOK, resp.StatusCode)
return nil, errors.New("unexpected response status code 404: Not Found") assert.False(t, authorizer.AttemptBearerAuthentication)
})
a := NewAuthorizer(hc, nil, "", "") resp.Body.Close()
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil) }
req.Host = "example.com"
func TestAuthorizer_Do_NonRetryableError(t *testing.T) {
_, err := a.Do(req) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
if err == nil || !strings.Contains(err.Error(), "404") { w.WriteHeader(http.StatusInternalServerError)
t.Fatalf("expected 404 error, got %v", err) w.Write([]byte("internal server error"))
} }))
if calls != 2 { defer server.Close()
t.Fatalf("expected 2 calls for 404 (matches '40' pattern), got %d", calls)
} httpClient := &http.Client{}
} credStore := &mockCredentialsStore{}
authorizer := NewAuthorizer(httpClient, credStore, "", "")
req, err := http.NewRequest(http.MethodGet, server.URL, nil)
require.NoError(t, err)
req.Host = "registry.example.com"
func TestDo_ErrorMessageParsing_NonStatusCodeError(t *testing.T) { resp, err := authorizer.Do(req)
calls := 0
hc := newHTTPClient(func(_ *http.Request) (*http.Response, error) {
calls++
// Error containing "40" but not a status code error
return nil, errors.New("failed after 40 attempts")
})
a := NewAuthorizer(hc, nil, "", "")
req, _ := http.NewRequest(http.MethodGet, "https://example.com/v2/", nil)
req.Host = "example.com"
_, err := a.Do(req)
if err == nil || !strings.Contains(err.Error(), "40 attempts") {
t.Fatalf("expected error with '40 attempts', got %v", err)
}
// Should not retry since it doesn't match the pattern despite containing "40"
if calls != 1 {
t.Fatalf("expected 1 call (no retry for non-status code errors), got %d", calls)
}
}
func TestNewAuthorizer_NilHttpClient(t *testing.T) { require.NoError(t, err)
// Test that NewAuthorizer works with nil HTTP client require.NotNil(t, resp)
a := NewAuthorizer(nil, nil, "user", "pass") assert.Equal(t, http.StatusInternalServerError, resp.StatusCode)
if a == nil {
t.Fatalf("NewAuthorizer should not return nil") resp.Body.Close()
}
if a.Client.Client != nil {
t.Fatalf("expected nil HTTP client to remain nil")
}
// Verify credential function still works
cred, err := a.Credential(t.Context(), "example.com")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if cred.Username != "user" || cred.Password != "pass" {
t.Fatalf("credentials not set correctly: %+v", cred)
}
} }

Write Preview
Loading…
Cancel
Save