diff --git a/pkg/app/sleep.go b/pkg/app/sleep.go index 67293527..bd368530 100644 --- a/pkg/app/sleep.go +++ b/pkg/app/sleep.go @@ -1,7 +1,13 @@ package app import ( + "fmt" + + "github.com/maistra/maistra-test-tool/pkg/util/check/assert" + "github.com/maistra/maistra-test-tool/pkg/util/check/common" "github.com/maistra/maistra-test-tool/pkg/util/oc" + "github.com/maistra/maistra-test-tool/pkg/util/pod" + "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/test" ) 
@@ -53,6 +59,78 @@ func (a *sleep) WaitReady(t test.TestHelper) { oc.WaitDeploymentRolloutComplete(t, a.ns, "sleep") } +type CurlOpts struct { + Method string + Headers []string + Options []string +} + +func ExecInSleepPod(t test.TestHelper, ns string, command string, checks ...common.CheckFunc) { + t.T().Helper() + retry.UntilSuccess(t, func(t test.TestHelper) { + t.T().Helper() + oc.Exec(t, pod.MatchingSelector("app=sleep", ns), "sleep", command, checks...) + }) +} + +func AssertSleepPodRequestSuccess(t test.TestHelper, sleepNamespace string, url string, opts ...CurlOpts) { + assertSleepPodRequestResponse(t, sleepNamespace, url, "200", opts...) +} + +func AssertSleepPodRequestFailure(t test.TestHelper, sleepNamespace string, url string, opts ...CurlOpts) { + assertSleepPodRequestResponse(t, sleepNamespace, url, curlFailedMessage, opts...) +} + +func AssertSleepPodRequestForbidden(t test.TestHelper, sleepNamespace string, url string, opts ...CurlOpts) { + assertSleepPodRequestResponse(t, sleepNamespace, url, "403", opts...) +} + +func AssertSleepPodRequestUnauthorized(t test.TestHelper, sleepNamespace string, url string, opts ...CurlOpts) { + assertSleepPodRequestResponse(t, sleepNamespace, url, "401", opts...) +} + +func AssertSleepPodZeroesPlaceholder(t test.TestHelper, sleepNamespace string, url string, opts ...CurlOpts) { + assertSleepPodRequestResponse(t, sleepNamespace, url, "000", opts...) +} + +func assertSleepPodRequestResponse(t test.TestHelper, sleepNamespace, url, expected string, opts ...CurlOpts) { + command := buildCurlCmd(url, opts...) 
+ ExecInSleepPod(t, sleepNamespace, command, + assert.OutputContains(expected, + fmt.Sprintf("Got expected \"%s\"", expected), + fmt.Sprintf("Expect \"%s\", but got a different response", expected))) +} + +func buildCurlCmd(url string, opts ...CurlOpts) string { + var opt CurlOpts + if len(opts) > 0 { + opt = opts[0] + } else { + opt = CurlOpts{} + } + + method, headers, options := "", "", "" + if opt.Method == "" { + method = "GET" + } else { + method = opt.Method + } + if opt.Options != nil { + for _, option := range opt.Options { + options += " " + option + } + } + if opt.Headers != nil { + for _, header := range opt.Headers { + headers += fmt.Sprintf(` -H "%s"`, header) + } + } + + return fmt.Sprintf(`curl -sS %s%s -X %s -o /dev/null -w "%%{http_code}" %s 2>/dev/null || echo %s`, options, headers, method, url, curlFailedMessage) +} + +const curlFailedMessage = "CURL_FAILED" + const sleepTemplate = ` apiVersion: v1 kind: ServiceAccount diff --git a/pkg/tests/ossm/operator/clusterwide_mode_test.go b/pkg/tests/ossm/operator/clusterwide_mode_test.go index 4155a172..b1b3445a 100644 --- a/pkg/tests/ossm/operator/clusterwide_mode_test.go +++ b/pkg/tests/ossm/operator/clusterwide_mode_test.go 
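Review bot: `buildCurlCmd` splices `url`, `method` and every header into one command string with no escaping (headers are only wrapped in `"…"`, the URL is bare), so a value containing `"`, `$`, a backtick or `&` alters the command run in the sleep pod instead of being passed to curl as data. The `2>/dev/null || echo` in the format string suggests the string is shell-interpreted. Callers in this commit put bearer tokens into `Headers`, and jwt_test.go downloads those tokens at test time, so the content is not fully fixed by the test source. Single-quoting each interpolated value, as sketched below, closes this; it needs `strings` in the import block. Separately, `2>/dev/null` throws away the error text that `-S` asks curl to print, and `opts ...CurlOpts` silently ignores everything after `opts[0]`; both deserve a doc comment on `buildCurlCmd`.

```go
// shellQuote wraps s in single quotes so the pod's shell hands it to curl verbatim.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// … unchanged: buildCurlCmd signature, opts[0] selection, method default, Options loop …
	for _, header := range opt.Headers {
		headers += " -H " + shellQuote(header)
	}

	return fmt.Sprintf(`curl -sS %s%s -X %s -o /dev/null -w "%%{http_code}" %s 2>/dev/null || echo %s`,
		options, headers, shellQuote(method), shellQuote(url), curlFailedMessage)
```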
@@ -375,26 +375,20 @@ spec: oc.WaitSMCPReady(t, meshNamespace, smcpName) t.LogStep("Check if mTLS is enabled in foo") - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", "foo"), - "sleep", - "curl http://httpbin.foo:8000/headers -s", - assert.OutputContains("X-Forwarded-Client-Cert", - "mTLS is enabled in namespace foo (X-Forwarded-Client-Cert header is present)", - "mTLS is not enabled in namespace foo (X-Forwarded-Client-Cert header is not present)")) - }) + app.ExecInSleepPod(t, + "foo", + "curl http://httpbin.foo:8000/headers -s", + assert.OutputContains("X-Forwarded-Client-Cert", + "mTLS is enabled in namespace foo (X-Forwarded-Client-Cert header is present)", + "mTLS is not enabled in namespace foo (X-Forwarded-Client-Cert header is not present)")) t.LogStep("Check that mTLS is NOT enabled in legacy") - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", "foo"), - "sleep", - "curl http://httpbin.legacy:8000/headers -s", - assert.OutputDoesNotContain("X-Forwarded-Client-Cert", - "mTLS is not enabled in namespace legacy (X-Forwarded-Client-Cert header is not present)", - "mTLS is enabled in namespace legacy, but shouldn't be (X-Forwarded-Client-Cert header is present when it shouldn't be)")) - }) + app.ExecInSleepPod(t, + "foo", + "curl http://httpbin.legacy:8000/headers -s", + assert.OutputDoesNotContain("X-Forwarded-Client-Cert", + "mTLS is not enabled in namespace legacy (X-Forwarded-Client-Cert header is not present)", + "mTLS is enabled in namespace legacy, but shouldn't be (X-Forwarded-Client-Cert header is present when it shouldn't be)")) }) t.NewSubTest("cluster wide works with profiles").Run(func(t test.TestHelper) { diff --git a/pkg/tests/ossm/smoke_test.go b/pkg/tests/ossm/smoke_test.go index 3753bbd1..95eeb4e4 100644 --- a/pkg/tests/ossm/smoke_test.go +++ b/pkg/tests/ossm/smoke_test.go 
@@ -24,7 +24,6 @@ import ( "github.com/maistra/maistra-test-tool/pkg/util/check/assert" "github.com/maistra/maistra-test-tool/pkg/util/env" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/test" . "github.com/maistra/maistra-test-tool/pkg/util/test" @@ -135,23 +134,19 @@ func checkSMCP(t TestHelper, ns string) { } func assertTrafficFlowsThroughProxy(t TestHelper, ns string) { - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), "sleep", - "curl -sI http://productpage:9080", - assert.OutputContains( - "HTTP/1.1 200 OK", - "ProductPage returns 200 OK", - "ProductPage didn't return 200 OK"), - assert.OutputContains( - "server: istio-envoy", - "HTTP header 'server: istio-envoy' is present in the response", - "HTTP header 'server: istio-envoy' is missing from the response"), - assert.OutputContains( - "x-envoy-decorator-operation", - "HTTP header 'x-envoy-decorator-operation' is present in the response", - "HTTP header 'x-envoy-decorator-operation' is missing from the response")) - }) + app.ExecInSleepPod(t, ns, "curl -sI http://productpage:9080", + assert.OutputContains( + "HTTP/1.1 200 OK", + "ProductPage returns 200 OK", + "ProductPage didn't return 200 OK"), + assert.OutputContains( + "server: istio-envoy", + "HTTP header 'server: istio-envoy' is present in the response", + "HTTP header 'server: istio-envoy' is missing from the response"), + assert.OutputContains( + "x-envoy-decorator-operation", + "HTTP header 'x-envoy-decorator-operation' is present in the response", + "HTTP header 'x-envoy-decorator-operation' is missing from the response")) } func assertProxiesReadyInLessThan10Seconds(t TestHelper, ns string) { 
diff --git a/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go b/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go index aa4e4176..c37bce9b 100644 --- a/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go +++ b/pkg/tests/tasks/extensions/threescale_wasm_plugin_test.go @@ -6,14 +6,12 @@ import ( "strings" "github.com/maistra/maistra-test-tool/pkg/app" - "github.com/maistra/maistra-test-tool/pkg/util/check/assert" "github.com/maistra/maistra-test-tool/pkg/util/check/require" "github.com/maistra/maistra-test-tool/pkg/util/curl" "github.com/maistra/maistra-test-tool/pkg/util/env" "github.com/maistra/maistra-test-tool/pkg/util/istio" "github.com/maistra/maistra-test-tool/pkg/util/ns" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" "github.com/maistra/maistra-test-tool/pkg/util/request" "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/test" @@ -89,9 +87,11 @@ func TestThreeScaleWasmPlugin(t *testing.T) { t.LogStep("Deploy sleep app") app.InstallAndWaitReady(t, app.Sleep(ns.Foo)) + httpbinUrl := "http://httpbin:8000/headers" + CurlOpts := app.CurlOpts{Headers: []string{"Authorization: Bearer " + token}} t.LogStep("Verify that a request from sleep to httpbin with token returns 200") - sendRequestFromSleepToHttpbin(t, token, "200") + app.AssertSleepPodRequestSuccess(t, ns.Foo, httpbinUrl, CurlOpts) t.LogStep("Apply JWT config and 3scale plugin to sleep") oc.ApplyTemplate(t, ns.Foo, jwtAuthnTmpl, map[string]interface{}{"AppLabel": "sleep"}) 
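Review bot: The new local `CurlOpts` has the same identifier as the type it is built from (`app.CurlOpts`) and is capitalised like an exported name, which makes the later `app.AssertSleepPodRequestSuccess(t, ns.Foo, httpbinUrl, CurlOpts)` calls read as if a type were being passed. Renaming to `curlOpts := app.CurlOpts{Headers: []string{"Authorization: Bearer " + token}}` and `httpbinURL` (Go initialism style) would avoid that. The enclosing test function starts and ends outside this hunk.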
@@ -102,10 +102,10 @@ func TestThreeScaleWasmPlugin(t *testing.T) { // JWT authentication filter is applied only to inbound listeners, so 3scale plugin configured // to use JWT filter metadata always fails on outbound. t.LogStep("Verify that a request from sleep to httpbin returns 403") - sendRequestFromSleepToHttpbin(t, token, "403") + app.AssertSleepPodRequestForbidden(t, ns.Foo, httpbinUrl, CurlOpts) } else { t.LogStep("Verify that a request from sleep to httpbin returns 200") - sendRequestFromSleepToHttpbin(t, token, "200") + app.AssertSleepPodRequestSuccess(t, ns.Foo, httpbinUrl, CurlOpts) } if env.GetSMCPVersion().GreaterThanOrEqual(version.SMCP_2_3) { @@ -119,9 +119,12 @@ func TestThreeScaleWasmPlugin(t *testing.T) { oc.WaitSMCPReady(t, meshNamespace, smcpName) // SMCP v2.5 no longer supports APPLY_WASM_PLUGINS_TO_INBOUND_ONLY if env.GetSMCPVersion().GreaterThanOrEqual(version.SMCP_2_5) { - sendRequestFromSleepToHttpbin(t, token, "403") + t.LogStep("Verify that a request from sleep to httpbin returns 403, for SMCP v2.5+") + app.AssertSleepPodRequestForbidden(t, ns.Foo, httpbinUrl, CurlOpts) + } else { - sendRequestFromSleepToHttpbin(t, token, "200") + t.LogStep("Verify that a request from sleep to httpbin returns 200") + app.AssertSleepPodRequestSuccess(t, ns.Foo, httpbinUrl, CurlOpts) } } 
@@ -134,24 +137,20 @@ func TestThreeScaleWasmPlugin(t *testing.T) { "ApplyWasmPluginsToInboundOnly": false, }) oc.WaitSMCPReady(t, meshNamespace, smcpName) - sendRequestFromSleepToHttpbin(t, token, "403") + + t.LogStep("Verify that a request from sleep to httpbin returns 403") + app.AssertSleepPodRequestForbidden(t, ns.Foo, httpbinUrl, CurlOpts) t.LogStep("Enable SERVER mode in the WASM plugin and check if returns 200") oc.ApplyTemplate(t, ns.Foo, wasmPluginTmpl, map[string]interface{}{ "AppLabel": "sleep", "ServerMode": true, }) - sendRequestFromSleepToHttpbin(t, token, "200") + + t.LogStep("Verify that a request from sleep to httpbin returns 200") + app.AssertSleepPodRequestSuccess(t, ns.Foo, httpbinUrl, CurlOpts) } }) } -func sendRequestFromSleepToHttpbin(t test.TestHelper, token, expectedHTTPStatus string) { - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, pod.MatchingSelector("app=sleep", ns.Foo), "sleep", - fmt.Sprintf(`curl http://httpbin:8000/headers -H "Authorization: Bearer %s" -s -o /dev/null -w "%%{http_code}"`, token), - assert.OutputContains(expectedHTTPStatus, - fmt.Sprintf("Received %s as expected", expectedHTTPStatus), - "Received unexpected status code")) - }) -} +//fmt.Sprintf(`curl http://httpbin:8000/headers -H "Authorization: Bearer %s" -s -o /dev/null -w "%%{http_code}"`, token), diff --git a/pkg/tests/tasks/security/authentication/auth_test.go b/pkg/tests/tasks/security/authentication/auth_test.go index ef46b099..97c3679c 100644 --- a/pkg/tests/tasks/security/authentication/auth_test.go +++ b/pkg/tests/tasks/security/authentication/auth_test.go 
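Review bot: The last added line of this hunk leaves the old curl command behind as a commented-out `//fmt.Sprintf(` fragment where `sendRequestFromSleepToHttpbin` used to be; it should be deleted, since the command now lives in `buildCurlCmd` in pkg/app/sleep.go and the stale copy will drift from it. The import hunk for this file drops only `assert` and `pod`, so it is worth confirming that `fmt` and `retry` are still referenced elsewhere in the file now that the helper that used them is gone. The import block is only partly visible here, so this may already be fine.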
@@ -28,7 +28,6 @@ import ( "github.com/maistra/maistra-test-tool/pkg/util/env" "github.com/maistra/maistra-test-tool/pkg/util/istio" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" "github.com/maistra/maistra-test-tool/pkg/util/request" "github.com/maistra/maistra-test-tool/pkg/util/retry" . "github.com/maistra/maistra-test-tool/pkg/util/test" 
@@ -63,33 +62,23 @@ func TestAuthPolicy(t *testing.T) { retry.UntilSuccess(t, func(t TestHelper) { for _, from := range fromNamespaces { for _, to := range toNamespaces { - assertConnectionSuccessful(t, from, to) + app.AssertSleepPodRequestSuccess(t, from, fmt.Sprintf("http://httpbin.%s:8000/ip", to)) } } }) t.NewSubTest("enable auto mTLS").Run(func(t TestHelper) { t.LogStep("Check if mTLS is enabled in foo") - retry.UntilSuccess(t, func(t TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", "foo"), - "sleep", - "curl http://httpbin.foo:8000/headers -s", - assert.OutputContains("X-Forwarded-Client-Cert", - "mTLS is enabled in namespace foo (X-Forwarded-Client-Cert header is present)", - "mTLS is not enabled in namespace foo (X-Forwarded-Client-Cert header is not present)")) - }) + app.ExecInSleepPod(t, "foo", "curl http://httpbin.foo:8000/headers -s", + assert.OutputContains("X-Forwarded-Client-Cert", + "mTLS is enabled in namespace foo (X-Forwarded-Client-Cert header is present)", + "mTLS is not enabled in namespace foo (X-Forwarded-Client-Cert header is not present)")) t.LogStep("Check that mTLS is NOT enabled in legacy") - retry.UntilSuccess(t, func(t TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", "foo"), - "sleep", - "curl http://httpbin.legacy:8000/headers -s", - assert.OutputDoesNotContain("X-Forwarded-Client-Cert", - "mTLS is not enabled in namespace legacy (X-Forwarded-Client-Cert header is not present)", - "mTLS is enabled in namespace legacy, but shouldn't be (X-Forwarded-Client-Cert header is present when it shouldn't be)")) - }) + app.ExecInSleepPod(t, "legacy", "curl http://httpbin.legacy:8000/headers -s", + assert.OutputDoesNotContain("X-Forwarded-Client-Cert", + "mTLS is not enabled in namespace legacy (X-Forwarded-Client-Cert header is not present)", + "mTLS is enabled in namespace legacy, but shouldn't be (X-Forwarded-Client-Cert header is present when it shouldn't be)")) }) t.NewSubTest("enable global mTLS STRICT 
mode").Run(func(t TestHelper) { @@ -98,19 +87,11 @@ func TestAuthPolicy(t *testing.T) { t.Cleanup(func() { oc.DeleteFromString(t, meshNamespace, PeerAuthenticationMTLSStrict) }) - t.LogStep("Check whether requests from legacy namespace to foo and bar namespace return 000 placeholder") retry.UntilSuccess(t, func(t TestHelper) { from := "legacy" for _, to := range []string{"foo", "bar"} { - oc.Exec(t, - pod.MatchingSelector("app=sleep", from), - "sleep", - fmt.Sprintf(`curl http://httpbin.%s:8000/ip -s -o /dev/null -w "sleep.%s to httpbin.%s: %%{http_code}" || echo %s`, - to, from, to, curlFailedMessage), - assert.OutputContains("000", - fmt.Sprintf("sleep.%s request to httpbin.%s received expected placeholder 000", from, to), - fmt.Sprintf("sleep.%s request to httpbin.%s, expexted placeholder 000 not found", from, to))) + app.AssertSleepPodZeroesPlaceholder(t, from, fmt.Sprintf("http://httpbin.%s:8000/ip", to)) } }) }) @@ -126,10 +107,11 @@ func TestAuthPolicy(t *testing.T) { retry.UntilSuccess(t, func(t TestHelper) { for _, from := range []string{"foo", "bar", "legacy"} { for _, to := range []string{"foo", "bar"} { + url := fmt.Sprintf("http://httpbin.%s:8000/ip", to) if from == "legacy" && to == "foo" { - assertConnectionFailure(t, from, to) + app.AssertSleepPodRequestFailure(t, from, url) } else { - assertConnectionSuccessful(t, from, to) + app.AssertSleepPodRequestSuccess(t, from, url) } } } @@ -145,7 +127,7 @@ func TestAuthPolicy(t *testing.T) { t.LogStep("Check whether request failed from legacy namespace to bar namespace") retry.UntilSuccess(t, func(t TestHelper) { - assertConnectionFailure(t, "legacy", "bar") + app.AssertSleepPodRequestFailure(t, "legacy", "http://httpbin.bar:8000/ip") }) t.LogStep("Refine mutual TLS per port") 
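Review bot: The "Check that mTLS is NOT enabled in legacy" step now execs in the sleep pod of `legacy`, where the removed code selected `pod.MatchingSelector("app=sleep", "foo")`, so the request no longer originates from a pod in foo. The identical step in clusterwide_mode_test.go in this same commit keeps `"foo"`, which suggests the change here is unintended. If the step is meant to show that a client in foo reaches httpbin.legacy without a client certificate being forwarded, a legacy-to-legacy request presumably passes regardless of how foo is configured and the check loses its value. Suggest `app.ExecInSleepPod(t, "foo", "curl http://httpbin.legacy:8000/headers -s",`, or a sentence in the commit message if the new source namespace is deliberate. The enclosing subtest starts outside the hunk.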
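Review bot: `app.AssertSleepPodZeroesPlaceholder` already retries on its own, because it goes through `ExecInSleepPod`, which wraps `oc.Exec` in `retry.UntilSuccess` in pkg/app/sleep.go, so the `retry.UntilSuccess` kept around the loop here nests one retry loop inside another. Depending on how `retry.UntilSuccess` reports exhaustion (not visible in this diff), a real failure either waits for the inner budget on every outer attempt or the outer loop never gets a second attempt. tcp_test.go in this commit removes its outer wrappers for the same helper. The same nesting remains around the `AssertSleepPodRequestSuccess`/`AssertSleepPodRequestFailure` loops elsewhere in this file and in mtls_migration_test.go. Suggest dropping the wrapper and calling `app.AssertSleepPodZeroesPlaceholder(t, from, fmt.Sprintf("http://httpbin.%s:8000/ip", to))` directly inside the `for` loop.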
@@ -153,7 +135,7 @@ func TestAuthPolicy(t *testing.T) { t.LogStep("Check whether request succeed from legacy namespace to bar namespace") retry.UntilSuccess(t, func(t TestHelper) { - assertConnectionSuccessful(t, "legacy", "bar") + app.AssertSleepPodRequestSuccess(t, "legacy", "http://httpbin.bar:8000/ip") }) }) @@ -166,7 +148,7 @@ func TestAuthPolicy(t *testing.T) { t.LogStep("Check whether request succeed legacy namespace to foo namespace") retry.UntilSuccess(t, func(t TestHelper) { - assertConnectionSuccessful(t, "legacy", "foo") + app.AssertSleepPodRequestSuccess(t, "legacy", "http://httpbin.foo:8000/ip") }) }) @@ -243,10 +225,6 @@ func requireResponseStatus(t TestHelper, url string, requestOption curl.RequestO curl.Request(t, url, requestOption, require.ResponseStatus(statusCode)) } -const ( - curlFailedMessage = "CURL_FAILED" -) - const ( WorkloadPolicyStrict = ` apiVersion: security.istio.io/v1beta1 diff --git a/pkg/tests/tasks/security/authentication/mtls_migration_test.go b/pkg/tests/tasks/security/authentication/mtls_migration_test.go index 9951406c..4ce7c602 100644 --- a/pkg/tests/tasks/security/authentication/mtls_migration_test.go +++ b/pkg/tests/tasks/security/authentication/mtls_migration_test.go @@ -20,11 +20,8 @@ import ( "github.com/maistra/maistra-test-tool/pkg/app" "github.com/maistra/maistra-test-tool/pkg/tests/ossm" - "github.com/maistra/maistra-test-tool/pkg/util/check/assert" - "github.com/maistra/maistra-test-tool/pkg/util/check/common" "github.com/maistra/maistra-test-tool/pkg/util/env" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/test" ) 
@@ -54,7 +51,7 @@ func TestMTlsMigration(t *testing.T) { retry.UntilSuccess(t, func(t test.TestHelper) { for _, from := range fromNamespaces { for _, to := range toNamespaces { - assertConnectionSuccessful(t, from, to) + app.AssertSleepPodRequestSuccess(t, from, fmt.Sprintf("http://httpbin.%s:8000/ip", to)) } } }) @@ -67,10 +64,11 @@ func TestMTlsMigration(t *testing.T) { retry.UntilSuccess(t, func(t test.TestHelper) { for _, from := range fromNamespaces { for _, to := range toNamespaces { + url := fmt.Sprintf("http://httpbin.%s:8000/ip", to) if from == "legacy" && to == "foo" { - assertConnectionFailure(t, from, to) + app.AssertSleepPodRequestFailure(t, from, url) } else { - assertConnectionSuccessful(t, from, to) + app.AssertSleepPodRequestSuccess(t, from, url) } } } @@ -88,10 +86,11 @@ func TestMTlsMigration(t *testing.T) { retry.UntilSuccess(t, func(t test.TestHelper) { for _, from := range fromNamespaces { for _, to := range toNamespaces { + url := fmt.Sprintf("http://httpbin.%s:8000/ip", to) if from == "legacy" { - assertConnectionFailure(t, from, to) + app.AssertSleepPodRequestFailure(t, from, url) } else { - assertConnectionSuccessful(t, from, to) + app.AssertSleepPodRequestSuccess(t, from, url) } } } 
@@ -99,25 +98,3 @@ func TestMTlsMigration(t *testing.T) { }) }) } - -func assertConnectionSuccessful(t test.TestHelper, from string, to string) { - curlFromTo(t, from, to, - assert.OutputContains("200", - fmt.Sprintf("%s connects to %s", from, to), - fmt.Sprintf("%s can't connect to %s", from, to))) -} - -func assertConnectionFailure(t test.TestHelper, from string, to string) { - curlFromTo(t, from, to, - assert.OutputContains("failed to connect", - fmt.Sprintf("%s can't conect to %s", from, to), - fmt.Sprintf("%s can connect to %s, but shouldn't", from, to))) -} - -func curlFromTo(t test.TestHelper, from string, to string, checks ...common.CheckFunc) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", from), - "sleep", - fmt.Sprintf(`curl http://httpbin.%s:8000/ip -s -o /dev/null -w "sleep.%s to httpbin.%s: %%{http_code}" || echo "failed to connect"`, to, from, to), - checks...) -} diff --git a/pkg/tests/tasks/security/authorization/common.go b/pkg/tests/tasks/security/authorization/common.go deleted file mode 100644 index a051138e..00000000 --- a/pkg/tests/tasks/security/authorization/common.go +++ /dev/null 
@@ -1,64 +0,0 @@ -package authorization - -import ( - "fmt" - - "github.com/maistra/maistra-test-tool/pkg/util/check/assert" - "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" - "github.com/maistra/maistra-test-tool/pkg/util/retry" - "github.com/maistra/maistra-test-tool/pkg/util/test" -) - -func httpbinRequest(method string, path string, headers ...string) string { - headerArgs := "" - for _, header := range headers { - headerArgs += fmt.Sprintf(` -H "%s"`, header) - } - return fmt.Sprintf(`curl "http://httpbin:8000%s" -X %s%s -sS -o /dev/null -w "%%{http_code}"`, path, method, headerArgs) -} - -func assertHttpbinRequestSucceeds(t test.TestHelper, ns string, curlCommand string) { - t.T().Helper() - retry.UntilSuccess(t, func(t test.TestHelper) { - t.T().Helper() - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", - curlCommand, - assert.OutputContains( - "200", - "Got expected 200 OK from httpbin", - "Expected 200 OK from httpbin, but got a different HTTP code")) - }) -} - -func assertRequestAccepted(t test.TestHelper, ns string, curlCommand string) { - t.T().Helper() - retry.UntilSuccess(t, func(t test.TestHelper) { - t.T().Helper() - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", - curlCommand, - assert.OutputContains( - "200", - "Got the expected 200 OK response for request from httpbin", - "Expected the AuthorizationPolicy to accept request (expected HTTP status 200), but got a different HTTP code")) - }) -} - -func assertRequestDenied(t test.TestHelper, ns string, curlCommand string, expectedStatusCode string) { - t.T().Helper() - retry.UntilSuccess(t, func(t test.TestHelper) { - t.T().Helper() - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", - curlCommand, - assert.OutputContains( - expectedStatusCode, - fmt.Sprintf("Got the expected %s response code", expectedStatusCode), - fmt.Sprintf("Expected the AuthorizationPolicy to reject request (expected HTTP status 
%s), but got a different HTTP code", expectedStatusCode))) - }) -} diff --git a/pkg/tests/tasks/security/authorization/deny_test.go b/pkg/tests/tasks/security/authorization/deny_test.go index 8276abe8..c3c1f431 100644 --- a/pkg/tests/tasks/security/authorization/deny_test.go +++ b/pkg/tests/tasks/security/authorization/deny_test.go @@ -26,6 +26,8 @@ import ( func TestAuthorizationDenyAllow(t *testing.T) { test.NewTest(t).Id("T23").Groups(test.Full, test.InterOp, test.ARM).Run(func(t test.TestHelper) { ns := "foo" + curlOptsAdmin := app.CurlOpts{Headers: []string{"x-token: admin"}} + curlOptsGuest := app.CurlOpts{Headers: []string{"x-token: guest"}} t.Cleanup(func() { oc.RecreateNamespace(t, ns) }) @@ -38,7 +40,7 @@ func TestAuthorizationDenyAllow(t *testing.T) { app.InstallAndWaitReady(t, app.Httpbin(ns), app.Sleep(ns)) t.LogStep("Check if httpbin returns 200 OK when no authorization policies are in place") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") t.NewSubTest("explicitly deny request").Run(func(t test.TestHelper) { t.Cleanup(func() { @@ -48,10 +50,10 @@ func TestAuthorizationDenyAllow(t *testing.T) { oc.ApplyString(t, ns, DenyGETPolicy) t.LogStep("Verify that GET request is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/get"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/get") t.LogStep("Verify that POST request is allowed") - assertRequestAccepted(t, ns, httpbinRequest("POST", "/post")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/post", app.CurlOpts{Method: "POST"}) }) t.NewSubTest("deny request header").Run(func(t test.TestHelper) { 
@@ -62,10 +64,10 @@ func TestAuthorizationDenyAllow(t *testing.T) { oc.ApplyString(t, ns, DenyHeaderNotAdminPolicy) t.LogStep("Verify that GET request with HTTP header 'x-token: admin' is allowed") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/get", "x-token: admin")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/get", curlOptsAdmin) t.LogStep("Verify that GET request with HTTP header 'x-token: guest' is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/get", "x-token: guest"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/get", curlOptsGuest) }) t.NewSubTest("allow request path").Run(func(t test.TestHelper) { @@ -80,13 +82,13 @@ func TestAuthorizationDenyAllow(t *testing.T) { oc.ApplyString(t, ns, AllowPathIPPolicy) t.LogStep("Verify that GET request with the HTTP header 'x-token: guest' at path '/ip' is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/ip", "x-token: guest"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/ip", curlOptsGuest) t.LogStep("Verify that GET request with HTTP header 'x-token: admin' at path '/ip' is allowed") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/ip", "x-token: admin")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip", curlOptsAdmin) t.LogStep("Verify that GET request with HTTP header 'x-token: admin' at path '/get' is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/get", "x-token: admin"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/get", curlOptsAdmin) }) }) } diff --git a/pkg/tests/tasks/security/authorization/ext_auth_test.go b/pkg/tests/tasks/security/authorization/ext_auth_test.go index e4e468c9..9a7c8823 100644 --- a/pkg/tests/tasks/security/authorization/ext_auth_test.go +++ b/pkg/tests/tasks/security/authorization/ext_auth_test.go 
@@ -43,7 +43,7 @@ func TestEnvoyExtAuthzHttpExtensionProvider(t *testing.T) { }) t.LogStep("Check if httpbin returns 200 OK when no authorization policies are in place") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") t.LogStep("Deploy the External Authorizer and Verify the sample external authorizer is up and running") oc.ApplyTemplate(t, ns, ExternalAuthzService, nil) @@ -125,13 +125,13 @@ spec: oc.ApplyString(t, ns, ExternalRoute) t.LogStep("Verify a request to path /headers with header x-ext-authz: deny is denied by the sample ext_authz server:") - assertRequestDenied(t, ns, httpbinRequest("GET", "/headers", "x-ext-authz: deny"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/headers", app.CurlOpts{Headers: []string{"x-ext-authz: deny"}}) t.LogStep("Verify a request to path /headers with header x-ext-authz: allow is allowed by the sample ext_authz server") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/headers", "x-ext-authz: allow")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/headers", app.CurlOpts{Headers: []string{"x-ext-authz: allow"}}) t.LogStep("Verify a request to path /ip is allowed and does not trigger the external authorization") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") }) } @@ -153,7 +153,7 @@ func TestEnvoyExtAuthzGrpcExtensionProvider(t *testing.T) { }) t.LogStep("Check if httpbin returns 200 OK when no authorization policies are in place") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") t.LogStep("Deploy the External Authorizer and Verify the sample external authorizer is up and running") oc.ApplyTemplate(t, ns, ExternalAuthzService, nil) 
@@ -207,13 +207,13 @@ spec: oc.ApplyString(t, ns, ExternalRouteGrpc) t.LogStep("Verify a request to path /headers with header x-ext-authz: deny is denied by the sample ext_authz server:") - assertRequestDenied(t, ns, httpbinRequest("GET", "/headers", "x-ext-authz: deny"), "403") + app.AssertSleepPodRequestForbidden(t, ns, "http://httpbin:8000/headers", app.CurlOpts{Headers: []string{"x-ext-authz: deny"}}) t.LogStep("Verify a request to path /headers with header x-ext-authz: allow is allowed by the sample ext_authz server") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/headers", "x-ext-authz: allow")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/headers", app.CurlOpts{Headers: []string{"x-ext-authz: allow"}}) t.LogStep("Verify a request to path /ip is allowed and does not trigger the external authorization") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") }) } diff --git a/pkg/tests/tasks/security/authorization/jwt_test.go b/pkg/tests/tasks/security/authorization/jwt_test.go index c5b87e9b..93992c96 100644 --- a/pkg/tests/tasks/security/authorization/jwt_test.go +++ b/pkg/tests/tasks/security/authorization/jwt_test.go @@ -40,7 +40,7 @@ func TestAuthorizationJWT(t *testing.T) { app.InstallAndWaitReady(t, app.Httpbin(ns), app.Sleep(ns)) t.LogStep("Check if httpbin returns 200 OK when no authorization policies are in place") - assertHttpbinRequestSucceeds(t, ns, httpbinRequest("GET", "/ip")) + app.AssertSleepPodRequestSuccess(t, ns, "http://httpbin:8000/ip") jwtURL := "https://raw.githubusercontent.com/istio/istio/release-1.9/security/tools/jwt/samples/demo.jwt" token := string(curl.Request(t, jwtURL, nil)) 
@@ -48,6 +48,8 @@ func TestAuthorizationJWT(t *testing.T) { groupURL := "https://raw.githubusercontent.com/istio/istio/release-1.9/security/tools/jwt/samples/groups-scope.jwt" tokenGroup := string(curl.Request(t, groupURL, nil)) + headersUrl := "http://httpbin:8000/headers" + t.Cleanup(func() { oc.DeleteFromString(t, ns, JWTExampleRule) }) @@ -55,10 +57,10 @@ func TestAuthorizationJWT(t *testing.T) { t.NewSubTest("Allow requests with valid JWT and list-typed claims").Run(func(t test.TestHelper) { t.LogStep("Verify that a request with an invalid JWT is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/headers", bearerTokenHeader("invalidToken")), "401") + app.AssertSleepPodRequestUnauthorized(t, ns, headersUrl, app.CurlOpts{Headers: []string{bearerTokenHeader("invalidToken")}}) t.LogStep("Verify that a request without a JWT is allowed because there is no authorization policy") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/headers")) + app.AssertSleepPodRequestSuccess(t, ns, headersUrl) }) t.NewSubTest("Security authorization allow JWT requestPrincipal").Run(func(t test.TestHelper) { @@ -67,10 +69,10 @@ func TestAuthorizationJWT(t *testing.T) { }) oc.ApplyString(t, ns, JWTRequireRule) t.LogStep("Verify that a request with a valid JWT is allowed") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/headers", bearerTokenHeader(token))) + app.AssertSleepPodRequestSuccess(t, ns, headersUrl, app.CurlOpts{Headers: []string{bearerTokenHeader(token)}}) t.LogStep("Verify request without a JWT is denied") - assertRequestDenied(t, ns, httpbinRequest("GET", "/headers"), "403") + app.AssertSleepPodRequestForbidden(t, ns, headersUrl) }) t.NewSubTest("Security authorization allow JWT claims group").Run(func(t test.TestHelper) { 
@@ -79,10 +81,10 @@ func TestAuthorizationJWT(t *testing.T) { }) oc.ApplyString(t, ns, JWTGroupClaimRule) t.LogStep("Verify that a request with the JWT that includes group1 in the groups claim is allowed") - assertRequestAccepted(t, ns, httpbinRequest("GET", "/headers", bearerTokenHeader(tokenGroup))) + app.AssertSleepPodRequestSuccess(t, ns, headersUrl, app.CurlOpts{Headers: []string{bearerTokenHeader(tokenGroup)}}) t.LogStep("Verify that a request with a JWT, which does not have the groups claim is rejected") - assertRequestDenied(t, ns, httpbinRequest("GET", "/headers", bearerTokenHeader(token)), "403") + app.AssertSleepPodRequestForbidden(t, ns, headersUrl, app.CurlOpts{Headers: []string{bearerTokenHeader(token)}}) }) }) } diff --git a/pkg/tests/tasks/security/authorization/tcp_test.go b/pkg/tests/tasks/security/authorization/tcp_test.go index f5b99c59..13f7d1d9 100644 --- a/pkg/tests/tasks/security/authorization/tcp_test.go +++ b/pkg/tests/tasks/security/authorization/tcp_test.go @@ -22,8 +22,6 @@ import ( "github.com/maistra/maistra-test-tool/pkg/tests/ossm" "github.com/maistra/maistra-test-tool/pkg/util/check/assert" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" - "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/test" ) @@ -44,10 +42,8 @@ func TestAuthorizationTCPTraffic(t *testing.T) { app.InstallAndWaitReady(t, app.Sleep(ns), app.Echo(ns)) t.LogStep("Verify sleep to echo TCP connections") - retry.UntilSuccess(t, func(t test.TestHelper) { - assertPortTcpEchoAccepted(t, ns, "9000") - assertPortTcpEchoAccepted(t, ns, "9001") - }) + assertPortTcpEchoAccepted(t, ns, "9000") + assertPortTcpEchoAccepted(t, ns, "9001") t.NewSubTest("TCP invalid policy").Run(func(t test.TestHelper) { t.Cleanup(func() { 
@@ -57,10 +53,8 @@ func TestAuthorizationTCPTraffic(t *testing.T) { oc.ApplyString(t, ns, TCPAllowGETPolicy) t.LogStep("Check whether the requests to port 9000 and 9001 are denied") - retry.UntilSuccess(t, func(t test.TestHelper) { - assertPortTcpEchoDenied(t, ns, "9000") - assertPortTcpEchoDenied(t, ns, "9001") - }) + assertPortTcpEchoDenied(t, ns, "9000") + assertPortTcpEchoDenied(t, ns, "9001") }) t.NewSubTest("TCP deny policy").Run(func(t test.TestHelper) { @@ -71,10 +65,8 @@ func TestAuthorizationTCPTraffic(t *testing.T) { oc.ApplyString(t, ns, TCPDenyGETPolicy) t.LogStep("Check whether the request to port 9000 is denied and request to port 9001 is accepted") - retry.UntilSuccess(t, func(t test.TestHelper) { - assertPortTcpEchoDenied(t, ns, "9000") - assertPortTcpEchoAccepted(t, ns, "9001") - }) + assertPortTcpEchoDenied(t, ns, "9000") + assertPortTcpEchoAccepted(t, ns, "9001") }) t.NewSubTest("TCP ALLOW policy").Run(func(t test.TestHelper) { @@ -85,18 +77,15 @@ func TestAuthorizationTCPTraffic(t *testing.T) { oc.ApplyString(t, ns, TCPAllowPolicy) t.LogStep("Check whether the requests to port 9000 and 9001 are accepted") - retry.UntilSuccess(t, func(t test.TestHelper) { - assertPortTcpEchoAccepted(t, ns, "9000") - assertPortTcpEchoAccepted(t, ns, "9001") - }) + assertPortTcpEchoAccepted(t, ns, "9000") + assertPortTcpEchoAccepted(t, ns, "9001") }) }) } func assertPortTcpEchoAccepted(t test.TestHelper, ns string, port string) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", + app.ExecInSleepPod(t, + ns, fmt.Sprintf(`sh -c 'echo "port %s" | nc %s %s' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'`, port, "tcp-echo", port), assert.OutputContains( 
@@ -106,9 +95,8 @@ func assertPortTcpEchoAccepted(t test.TestHelper, ns string, port string) { } func assertPortTcpEchoDenied(t test.TestHelper, ns string, port string) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", + app.ExecInSleepPod(t, + ns, fmt.Sprintf(`sh -c 'echo "port %s" | nc %s %s' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'`, port, "tcp-echo", port), assert.OutputContains( diff --git a/pkg/tests/tasks/security/authorization/trust_domain_test.go b/pkg/tests/tasks/security/authorization/trust_domain_test.go index 6cf86624..084d30be 100644 --- a/pkg/tests/tasks/security/authorization/trust_domain_test.go +++ b/pkg/tests/tasks/security/authorization/trust_domain_test.go @@ -16,17 +16,12 @@ package authorization import ( "fmt" - "net/http" - "strconv" "testing" "github.com/maistra/maistra-test-tool/pkg/app" "github.com/maistra/maistra-test-tool/pkg/tests/ossm" - "github.com/maistra/maistra-test-tool/pkg/util/check/assert" "github.com/maistra/maistra-test-tool/pkg/util/env" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" - "github.com/maistra/maistra-test-tool/pkg/util/retry" . "github.com/maistra/maistra-test-tool/pkg/util/test" "github.com/maistra/maistra-test-tool/pkg/util/version" ) @@ -35,6 +30,7 @@ func TestTrustDomainMigration(t *testing.T) { NewTest(t).Id("T24").Groups(Full, InterOp, ARM).Run(func(t TestHelper) { foo := "foo" bar := "bar" + httpbinUrl := "http://httpbin.foo:8000/ip" t.Log("This test verifies trust domain migration") t.Log("Doc reference: https://istio.io/latest/docs/tasks/security/authorization/authz-td-migration/") 
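Review bot: The command in `assertPortTcpEchoDenied` prints `connection rejected` whenever `grep "hello"` finds no match, so a DNS failure or an unready tcp-echo pod produces the same output as a policy denial. With the call routed through `app.ExecInSleepPod`, which presumably retries until the check passes, the first such failure is enough to satisfy the assertion. The expected string passed to `assert.OutputContains` lies outside this hunk, so this is inferred from the command alone. A comment on the helper, e.g. `// any connection failure counts as denied; relies on tcp-echo having been verified reachable beforehand`, would make the limit of the check explicit.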
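Review bot: `httpbinUrl := "http://httpbin.foo:8000/ip"` hard-codes the namespace that the `foo` variable two lines above already holds, so changing `foo` would leave every assertion pointing at the old host. Building the URL from the variable keeps them in step: `httpbinURL := fmt.Sprintf("http://httpbin.%s:8000/ip", foo)` (`fmt` remains imported in this file). The test body continues outside this hunk.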
@@ -65,8 +61,8 @@ func TestTrustDomainMigration(t *testing.T) { t.NewSubTest("Case 1: Verifying policy works").Run(func(t TestHelper) { t.LogStep("Check whether requests to foo namespace return 403 to foo namespace and 200 to bar namespace") - runCurlInSleepPod(t, foo, http.StatusForbidden) - runCurlInSleepPod(t, bar, http.StatusOK) + app.AssertSleepPodRequestForbidden(t, foo, httpbinUrl) + app.AssertSleepPodRequestSuccess(t, bar, httpbinUrl) }) t.NewSubTest("Case 2: Migrate trust domain without trust domain aliases").Run(func(t TestHelper) { @@ -75,8 +71,8 @@ func TestTrustDomainMigration(t *testing.T) { oc.RestartAllPodsAndWaitReady(t, foo, bar) t.LogStep("Check whether requests to foo namespace return 403 to foo and bar namespaces") - runCurlInSleepPod(t, foo, http.StatusForbidden) - runCurlInSleepPod(t, bar, http.StatusForbidden) + app.AssertSleepPodRequestForbidden(t, foo, httpbinUrl) + app.AssertSleepPodRequestForbidden(t, bar, httpbinUrl) }) t.NewSubTest("Case 3: Migrate trust domain with trust domain aliases").Run(func(t TestHelper) { 
@@ -85,23 +81,12 @@ func TestTrustDomainMigration(t *testing.T) { oc.RestartAllPodsAndWaitReady(t, foo, bar) t.LogStep("Check whether requests to foo namespace return 403 to foo and 200 to bar namespaces") - runCurlInSleepPod(t, foo, http.StatusForbidden) - runCurlInSleepPod(t, bar, http.StatusOK) + app.AssertSleepPodRequestForbidden(t, foo, httpbinUrl) + app.AssertSleepPodRequestSuccess(t, bar, httpbinUrl) }) }) } -func runCurlInSleepPod(t TestHelper, ns string, expectedStatus int) { - t.Logf("Verifying curl output, expecting %d", expectedStatus) - retry.UntilSuccess(t, func(t TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", - `curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"`, - assert.OutputContains(strconv.Itoa(expectedStatus), "", "")) - }) -} - func applyTrustDomain(t TestHelper, domain, alias string, mtls bool) { t.Logf("Configure spec.security.trust.domain to %q and alias %q", domain, alias) diff --git a/pkg/tests/tasks/security/certmanager/istio_csr_test.go b/pkg/tests/tasks/security/certmanager/istio_csr_test.go index 26e0f2f8..68b5ae85 100644 --- a/pkg/tests/tasks/security/certmanager/istio_csr_test.go +++ b/pkg/tests/tasks/security/certmanager/istio_csr_test.go @@ -15,7 +15,6 @@ import ( "github.com/maistra/maistra-test-tool/pkg/util/istio" "github.com/maistra/maistra-test-tool/pkg/util/ns" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" "github.com/maistra/maistra-test-tool/pkg/util/retry" "github.com/maistra/maistra-test-tool/pkg/util/template" "github.com/maistra/maistra-test-tool/pkg/util/test" 
@@ -101,16 +100,7 @@ func TestIstioCsr(t *testing.T) { app.InstallAndWaitReady(t, app.Httpbin(ns.Foo), app.Sleep(ns.Foo)) t.LogStep("Check if httpbin returns 200 OK ") - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns.Foo), - "sleep", - `curl http://httpbin:8000/ip -s -o /dev/null -w "%{http_code}"`, - assert.OutputContains( - "200", - "Got expected 200 OK from httpbin", - "Expected 200 OK from httpbin, but got a different HTTP code")) - }) + app.AssertSleepPodRequestSuccess(t, ns.Foo, "http://httpbin:8000/ip") t.LogStep("Check mTLS traffic from ingress gateway to httpbin") oc.ApplyFile(t, ns.Foo, "https://raw.githubusercontent.com/maistra/istio/maistra-2.5/samples/httpbin/httpbin-gateway.yaml") diff --git a/pkg/tests/tasks/security/certmanager/plugin_ca_test.go b/pkg/tests/tasks/security/certmanager/plugin_ca_test.go index 410c7a64..a713ab0b 100644 --- a/pkg/tests/tasks/security/certmanager/plugin_ca_test.go +++ b/pkg/tests/tasks/security/certmanager/plugin_ca_test.go @@ -76,17 +76,8 @@ func TestPluginCaCert(t *testing.T) { t.LogStep("Deploy httpbin and sleep") app.InstallAndWaitReady(t, app.Httpbin(ns.Foo), app.Sleep(ns.Foo)) - t.LogStep("Check if httpbin returns 200 OK ") - retry.UntilSuccess(t, func(t test.TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns.Foo), - "sleep", - `curl http://httpbin:8000/ip -s -o /dev/null -w "%{http_code}"`, - assert.OutputContains( - "200", - "Got expected 200 OK from httpbin", - "Expected 200 OK from httpbin, but got a different HTTP code")) - }) + t.LogStep("Check if httpbin returns 200 OK") + app.AssertSleepPodRequestSuccess(t, ns.Foo, "http://httpbin:8000/ip") t.LogStep("Check mTLS traffic from ingress gateway to httpbin") oc.ApplyFile(t, ns.Foo, "https://raw.githubusercontent.com/maistra/istio/maistra-2.5/samples/httpbin/httpbin-gateway.yaml") 
diff --git a/pkg/tests/tasks/traffic/egress/access_external_services_test.go b/pkg/tests/tasks/traffic/egress/access_external_services_test.go index f25c82db..7bacf583 100644 --- a/pkg/tests/tasks/traffic/egress/access_external_services_test.go +++ b/pkg/tests/tasks/traffic/egress/access_external_services_test.go @@ -45,8 +45,7 @@ func TestAccessExternalServices(t *testing.T) { ossm.DeployControlPlane(t) t.LogStepf("Install sleep into %s", ns.Bookinfo) - sleep := app.Sleep(ns.Bookinfo) - app.InstallAndWaitReady(t, sleep) + app.InstallAndWaitReady(t, app.Sleep(ns.Bookinfo)) t.LogStepf("Install httpbin in %s", ns.MeshExternal) httpbin := app.HttpbinNoSidecar(ns.MeshExternal) @@ -54,7 +53,7 @@ func TestAccessExternalServices(t *testing.T) { t.LogStep("Make request to external httpbin from sleep") httpbinHeadersUrl := fmt.Sprintf("http://%s.%s:8000/headers", httpbin.Name(), httpbin.Namespace()) - assertRequestSuccess(t, sleep, httpbinHeadersUrl) + app.AssertSleepPodRequestSuccess(t, ns.Bookinfo, httpbinHeadersUrl) t.LogStep("Make sure that external httpbin was not discovered by Istio") // - it would happen if mesh-external namespaces was added to the SMMR istioctl.CheckClusters(t, @@ -79,7 +78,7 @@ func TestAccessExternalServices(t *testing.T) { ) t.LogStep("Make request to external httpbin from sleep again, and expect it denied") - assertRequestFailure(t, sleep, httpbinHeadersUrl) + app.AssertSleepPodRequestFailure(t, ns.Bookinfo, httpbinHeadersUrl) t.NewSubTest("allow request to external httpbin after applying ServiceEntry").Run(func(t test.TestHelper) { t.Cleanup(func() { @@ -90,7 +89,7 @@ func TestAccessExternalServices(t *testing.T) { oc.ApplyString(t, ns.Bookinfo, httpbinServiceEntry) t.LogStep("Send a request to external httpbin") - assertRequestSuccess(t, sleep, httpbinHeadersUrl) + app.AssertSleepPodRequestSuccess(t, ns.Bookinfo, httpbinHeadersUrl) }) }) } 
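Review bot: `app.AssertSleepPodRequestFailure(t, ns.Bookinfo, httpbinHeadersUrl)` checks the "expect it denied" step only through a generic failure marker, if the new helper keeps the contract of the `assertRequestFailure` this commit deletes (it matched `curlFailedMessage`, which the command echoes on any curl error). A DNS or connection error unrelated to the egress configuration would then satisfy the step as well. Either assert on the specific response the mesh gives for blocked egress, or state the limit at the call: `// passes on any curl failure; the earlier successful request is what shows the path was reachable`. The surrounding test body lies outside this hunk.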
diff --git a/pkg/tests/tasks/traffic/egress/egress_common.go b/pkg/tests/tasks/traffic/egress/egress_common.go
deleted file mode 100644
index e0cc14bf..00000000
--- a/pkg/tests/tasks/traffic/egress/egress_common.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package egress
-
-import (
- "fmt"
-
- "github.com/maistra/maistra-test-tool/pkg/app"
- "github.com/maistra/maistra-test-tool/pkg/util/check/assert"
- "github.com/maistra/maistra-test-tool/pkg/util/check/common"
- "github.com/maistra/maistra-test-tool/pkg/util/oc"
- "github.com/maistra/maistra-test-tool/pkg/util/pod"
- "github.com/maistra/maistra-test-tool/pkg/util/retry"
- "github.com/maistra/maistra-test-tool/pkg/util/test"
-)
-
-func execInSleepPod(t test.TestHelper, ns string, command string, checks ...common.CheckFunc) {
- t.T().Helper()
- retry.UntilSuccess(t, func(t test.TestHelper) {
- t.T().Helper()
- oc.Exec(t, pod.MatchingSelector("app=sleep", ns), "sleep", command, checks...)
- })
-}
-
-func assertRequestSuccess(t test.TestHelper, client app.App, url string) {
- execInSleepPod(t, client.Namespace(), buildGetRequestCmd(url),
- assert.OutputContains("200",
- fmt.Sprintf("Got expected 200 OK from %s", url),
- fmt.Sprintf("Expect 200 OK from %s, but got a different HTTP code", url)))
-}
-
-func assertRequestFailure(t test.TestHelper, client app.App, url string) {
- execInSleepPod(t, client.Namespace(), buildGetRequestCmd(url),
- assert.OutputContains(curlFailedMessage,
- "Got a failure message as expected",
- "Expect request to failed, but got a response"))
-}
-
-func assertInsecureRequestSuccess(t test.TestHelper, client app.App, url string) {
- url = fmt.Sprintf(`curl -sSL --insecure -o /dev/null -w "%%{http_code}" %s 2>/dev/null || echo %s`, url, curlFailedMessage)
- execInSleepPod(t, client.Namespace(), url,
- assert.OutputContains("200",
- fmt.Sprintf("Got expected 200 OK from %s", url),
- fmt.Sprintf("Expect 200 OK from %s, but got a different HTTP code", url)))
-}
-
-func buildGetRequestCmd(location string) string {
- return fmt.Sprintf(`curl -sSL -o /dev/null -w "%%{http_code}" %s 2>/dev/null || echo %s`, location, curlFailedMessage)
-}
-
-const (
- curlFailedMessage = "CURL_FAILED"
-)
diff --git a/pkg/tests/tasks/traffic/egress/egress_gateways_test.go b/pkg/tests/tasks/traffic/egress/egress_gateways_test.go index aa58f632..a2f88d5b 100644 --- a/pkg/tests/tasks/traffic/egress/egress_gateways_test.go +++ b/pkg/tests/tasks/traffic/egress/egress_gateways_test.go @@ -33,8 +33,7 @@ func TestEgressGateways(t *testing.T) { ossm.DeployControlPlane(t) t.LogStep("Install sleep pod") - sleep := app.Sleep(ns.Bookinfo) - app.InstallAndWaitReady(t, sleep) + app.InstallAndWaitReady(t, app.Sleep(ns.Bookinfo)) t.NewSubTest("HTTP").Run(func(t TestHelper) { t.LogStepf("Install external httpbin") @@ -53,7 +52,7 @@ func TestEgressGateways(t *testing.T) { oc.DeleteFromTemplate(t, ns.Bookinfo, httpbinHttpGateway, smcp) }) - assertRequestSuccess(t, sleep, "http://httpbin.mesh-external:8000/headers") + app.AssertSleepPodRequestSuccess(t, ns.Bookinfo, "http://httpbin.mesh-external:8000/headers") }) t.NewSubTest("HTTPS").Run(func(t TestHelper) { @@ -79,7 +78,12 @@ func TestEgressGateways(t *testing.T) { }) t.Log("Send HTTPS request to external nginx") - assertInsecureRequestSuccess(t, sleep, "https://my-nginx.mesh-external.svc.cluster.local") + app.AssertSleepPodRequestSuccess( + t, + ns.Bookinfo, + "https://my-nginx.mesh-external.svc.cluster.local", + app.CurlOpts{Options: []string{"--insecure"}}, + ) }) }) } diff --git a/pkg/tests/tasks/traffic/egress/egress_gateways_tls_file_mount_test.go b/pkg/tests/tasks/traffic/egress/egress_gateways_tls_file_mount_test.go index b5b4bd74..23e52518 100644 --- a/pkg/tests/tasks/traffic/egress/egress_gateways_tls_file_mount_test.go +++ b/pkg/tests/tasks/traffic/egress/egress_gateways_tls_file_mount_test.go 
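Review bot: `app.CurlOpts{Options: []string{"--insecure"}}` turns off certificate verification for the HTTPS request, and nothing at the call says why. Presumably my-nginx serves a test-only certificate that the sleep image does not trust; record that in a comment, e.g. `// --insecure: nginx uses a self-signed test certificate; this step checks egress routing, not the certificate chain`. If the CA can be made available in the sleep pod, passing it with `--cacert` would keep verification on. The subtest starts outside this hunk.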
@@ -72,7 +72,7 @@ func TestTLSOrigination(t *testing.T) { }) t.LogStep("Verify that request to external nginx is routed through the egress gateway (response 200 indicates that the TLS origination is done by the egress gateway)") - execInSleepPod(t, ns.Bookinfo, + app.ExecInSleepPod(t, ns.Bookinfo, `curl -sS http://my-nginx.mesh-external.svc.cluster.local`, assert.OutputContains( "Welcome to nginx", @@ -114,7 +114,7 @@ func TestTLSOrigination(t *testing.T) { app.WaitReady(t, app.NginxExternalMTLS(ns.MeshExternal)) t.LogStep("Verify NGINX server") - execInSleepPod(t, ns.Bookinfo, + app.ExecInSleepPod(t, ns.Bookinfo, `curl -sS http://my-nginx.mesh-external.svc.cluster.local`, assert.OutputContains( "Welcome to nginx", diff --git a/pkg/tests/tasks/traffic/egress/egress_gateways_tls_sds_test.go b/pkg/tests/tasks/traffic/egress/egress_gateways_tls_sds_test.go index 1ef5a72e..7418822a 100644 --- a/pkg/tests/tasks/traffic/egress/egress_gateways_tls_sds_test.go +++ b/pkg/tests/tasks/traffic/egress/egress_gateways_tls_sds_test.go @@ -38,8 +38,7 @@ func TestTLSOriginationSDS(t *testing.T) { ossm.DeployControlPlane(t) t.LogStep("Install sleep pod") - sleep := app.Sleep(ns.Bookinfo) - app.InstallAndWaitReady(t, sleep) + app.InstallAndWaitReady(t, app.Sleep(ns.Bookinfo)) t.LogStep("Deploy nginx mTLS server and create secrets in the mesh namespace") app.InstallAndWaitReady(t, app.NginxExternalMTLS(ns.MeshExternal)) @@ -51,6 +50,6 @@ func TestTLSOriginationSDS(t *testing.T) { oc.ApplyString(t, meshNamespace, nginxServiceEntry, originateMtlsSdsSToNginx) t.Log("Send HTTP request to external nginx to verify mTLS origination") - assertRequestSuccess(t, sleep, "http://my-nginx.mesh-external.svc.cluster.local") + app.AssertSleepPodRequestSuccess(t, ns.Bookinfo, "http://my-nginx.mesh-external.svc.cluster.local") }) } diff --git a/pkg/tests/tasks/traffic/egress/egress_tls_origination_test.go b/pkg/tests/tasks/traffic/egress/egress_tls_origination_test.go index 77676e4b..992ff6ba 100644 
--- a/pkg/tests/tasks/traffic/egress/egress_tls_origination_test.go +++ b/pkg/tests/tasks/traffic/egress/egress_tls_origination_test.go @@ -26,16 +26,15 @@ import ( func TestEgressTLSOrigination(t *testing.T) { test.NewTest(t).Id("T12").Groups(test.Full, test.InterOp, test.ARM).Run(func(t test.TestHelper) { - sleep := app.Sleep(ns.Bookinfo) t.Cleanup(func() { oc.RecreateNamespace(t, ns.MeshExternal) - app.Uninstall(t, sleep) + app.Uninstall(t, app.Sleep(ns.Bookinfo)) }) ossm.DeployControlPlane(t) t.LogStep("Install sleep pod") - app.InstallAndWaitReady(t, sleep) + app.InstallAndWaitReady(t, app.Sleep(ns.Bookinfo)) t.NewSubTest("TrafficManagement_egress_tls_origination").Run(func(t test.TestHelper) { t.Log("TLS origination for egress traffic") @@ -51,7 +50,7 @@ func TestEgressTLSOrigination(t *testing.T) { oc.ApplyString(t, ns.Bookinfo, meshRouteHttpRequestsToHttpsPort) oc.ApplyString(t, ns.Bookinfo, originateTlsToNginx) - assertRequestSuccess(t, sleep, "http://my-nginx.mesh-external.svc.cluster.local") + app.AssertSleepPodRequestSuccess(t, ns.Bookinfo, "http://my-nginx.mesh-external.svc.cluster.local") }) }) } diff --git a/pkg/tests/tasks/traffic/egress/egress_wildcard_hosts_test.go b/pkg/tests/tasks/traffic/egress/egress_wildcard_hosts_test.go index cf6f999b..a4ed90d3 100644 --- a/pkg/tests/tasks/traffic/egress/egress_wildcard_hosts_test.go +++ b/pkg/tests/tasks/traffic/egress/egress_wildcard_hosts_test.go @@ -21,8 +21,6 @@ import ( "github.com/maistra/maistra-test-tool/pkg/tests/ossm" "github.com/maistra/maistra-test-tool/pkg/util/check/assert" "github.com/maistra/maistra-test-tool/pkg/util/oc" - "github.com/maistra/maistra-test-tool/pkg/util/pod" - "github.com/maistra/maistra-test-tool/pkg/util/retry" . "github.com/maistra/maistra-test-tool/pkg/util/test" ) 
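Review bot: With the `sleep` variable removed, the cleanup calls `app.Uninstall(t, app.Sleep(ns.Bookinfo))` and the install step builds a second `app.Sleep(ns.Bookinfo)`, so install and uninstall act on two separately constructed values. That is equivalent only if `app.Sleep` returns a stateless description of the deployment, which this hunk does not show. Keeping `sleep := app.Sleep(ns.Bookinfo)` and passing it to both calls guarantees that cleanup removes exactly what was installed.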
@@ -64,25 +62,21 @@ func TestEgressWildcard(t *testing.T) { func assertExternalRequestSuccess(t TestHelper, ns string) { t.LogStep("Check external request to en.wikipedia.org and de.wikipedia.org") - retry.UntilSuccess(t, func(t TestHelper) { - oc.Exec(t, - pod.MatchingSelector("app=sleep", ns), - "sleep", - `curl -s https://en.wikipedia.org/wiki/Main_Page`, - assert.OutputContains( - "