mirrors/omni
1
0
Fork 0
mirror of https://github.com/siderolabs/omni.git synced 2025-08-07 18:17:00 +02:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity
main
omni/internal/backend/k8sproxy/jwt_test.go
Artem Chernyshev ed946b30a6
feat: display OMNI_ENDPOINT in the service account creation UI 
Fixes: https://github.com/siderolabs/omni/issues/858

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
2025-01-29 15:27:36 +03:00

133 lines
3.3 KiB
Go
Raw Permalink Blame History

// Copyright (c) 2025 Sidero Labs, Inc.
//
// Use of this software is governed by the Business Source License
// included in the LICENSE file.
package k8sproxy_test
import (
"testing"
"time"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/siderolabs/omni/internal/backend/k8sproxy"
)
func TestJWTValidation(t *testing.T) {
for _, tt := range []struct { //nolint:govet
name string
claims k8sproxy.Claims
expectedErrorContains string
}{
{
name: "missing-subject",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
},
Cluster: "cluster-a",
Groups: []string{"group-a"},
},
expectedErrorContains: "subject is empty",
},
{
name: "missing-cluster",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
},
Cluster: "",
Groups: []string{"group-a"},
},
expectedErrorContains: "cluster is empty",
},
{
name: "missing-expiration",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: nil,
},
Cluster: "cluster-a",
Groups: []string{"group-a"},
},
expectedErrorContains: "expiration is empty",
},
{
name: "no-groups",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
},
Cluster: "cluster-a",
Groups: []string{},
},
expectedErrorContains: "groups is empty",
},
{
name: "expired",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
},
Cluster: "cluster-a",
Groups: []string{"group-a"},
},
expectedErrorContains: "token is expired by",
},
{
name: "not-yet-valid",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
NotBefore: jwt.NewNumericDate(time.Now().Add(time.Hour)),
},
Cluster: "cluster-a",
Groups: []string{"group-a"},
},
expectedErrorContains: "token is not valid yet",
},
{
name: "valid",
claims: k8sproxy.Claims{
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "issuer",
Subject: "subject-a",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
NotBefore: jwt.NewNumericDate(time.Now().Add(-time.Hour)),
},
Cluster: "cluster-a",
Groups: []string{"group-a"},
},
expectedErrorContains: "",
},
} {
t.Run(tt.name, func(t *testing.T) {
err := tt.claims.Valid()
if tt.expectedErrorContains != "" {
var validationError *jwt.ValidationError
require.ErrorAs(t, err, &validationError)
assert.ErrorContains(t, validationError, tt.expectedErrorContains)
} else {
require.NoError(t, err)
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink