|
| 1 | +/* |
| 2 | +Copyright 2026 The Flux authors |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package auth_test |
| 18 | + |
| 19 | +import ( |
| 20 | + "fmt" |
| 21 | + "strings" |
| 22 | + "testing" |
| 23 | + |
| 24 | + "github.com/golang-jwt/jwt/v5" |
| 25 | + |
| 26 | + "github.com/fluxcd/pkg/auth" |
| 27 | +) |
| 28 | + |
| 29 | +func TestFindPodServiceAccount(t *testing.T) { |
| 30 | + tests := []struct { |
| 31 | + name string |
| 32 | + readFile func(string) ([]byte, error) |
| 33 | + wantNamespace string |
| 34 | + wantName string |
| 35 | + wantErr string |
| 36 | + }{ |
| 37 | + { |
| 38 | + name: "valid token with correct subject", |
| 39 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 40 | + "sub": "system:serviceaccount:flux-system:source-controller", |
| 41 | + })), |
| 42 | + wantNamespace: "flux-system", |
| 43 | + wantName: "source-controller", |
| 44 | + }, |
| 45 | + { |
| 46 | + name: "read file error", |
| 47 | + readFile: func(string) ([]byte, error) { |
| 48 | + return nil, fmt.Errorf("file not found") |
| 49 | + }, |
| 50 | + wantErr: "failed to read service account token file", |
| 51 | + }, |
| 52 | + { |
| 53 | + name: "invalid JWT", |
| 54 | + readFile: fakeReadFile(t, "not-a-jwt"), |
| 55 | + wantErr: "failed to parse service account token", |
| 56 | + }, |
| 57 | + { |
| 58 | + name: "subject with too few parts", |
| 59 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 60 | + "sub": "system:serviceaccount", |
| 61 | + })), |
| 62 | + wantErr: "invalid subject format", |
| 63 | + }, |
| 64 | + { |
| 65 | + name: "subject with too many parts", |
| 66 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 67 | + "sub": "system:serviceaccount:ns:name:extra", |
| 68 | + })), |
| 69 | + wantErr: "invalid subject format", |
| 70 | + }, |
| 71 | + { |
| 72 | + name: "empty subject", |
| 73 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 74 | + "sub": "", |
| 75 | + })), |
| 76 | + wantErr: "invalid subject format", |
| 77 | + }, |
| 78 | + { |
| 79 | + name: "no subject claim", |
| 80 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 81 | + "iss": "kubernetes/serviceaccount", |
| 82 | + })), |
| 83 | + wantErr: "invalid subject format", |
| 84 | + }, |
| 85 | + { |
| 86 | + name: "non-string subject claim", |
| 87 | + readFile: fakeReadFile(t, makeToken(t, jwt.MapClaims{ |
| 88 | + "iss": "kubernetes/serviceaccount", |
| 89 | + "sub": 12345, |
| 90 | + })), |
| 91 | + wantErr: "failed to get subject from service account token", |
| 92 | + }, |
| 93 | + } |
| 94 | + |
| 95 | + for _, tt := range tests { |
| 96 | + t.Run(tt.name, func(t *testing.T) { |
| 97 | + result, err := auth.FindPodServiceAccount(tt.readFile) |
| 98 | + |
| 99 | + if tt.wantErr != "" { |
| 100 | + if err == nil { |
| 101 | + t.Fatalf("expected error containing %q, got nil", tt.wantErr) |
| 102 | + } |
| 103 | + if got := err.Error(); !strings.Contains(got, tt.wantErr) { |
| 104 | + t.Errorf("error = %q, want it to contain %q", got, tt.wantErr) |
| 105 | + } |
| 106 | + return |
| 107 | + } |
| 108 | + |
| 109 | + if err != nil { |
| 110 | + t.Fatalf("unexpected error: %v", err) |
| 111 | + } |
| 112 | + if result.Namespace != tt.wantNamespace { |
| 113 | + t.Errorf("namespace = %q, want %q", result.Namespace, tt.wantNamespace) |
| 114 | + } |
| 115 | + if result.Name != tt.wantName { |
| 116 | + t.Errorf("name = %q, want %q", result.Name, tt.wantName) |
| 117 | + } |
| 118 | + }) |
| 119 | + } |
| 120 | +} |
| 121 | + |
| 122 | +func TestFindPodServiceAccount_ReadsCorrectPath(t *testing.T) { |
| 123 | + const expectedPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" |
| 124 | + |
| 125 | + var gotPath string |
| 126 | + readFile := func(name string) ([]byte, error) { |
| 127 | + gotPath = name |
| 128 | + return []byte(makeToken(t, jwt.MapClaims{ |
| 129 | + "sub": "system:serviceaccount:default:my-sa", |
| 130 | + })), nil |
| 131 | + } |
| 132 | + |
| 133 | + _, err := auth.FindPodServiceAccount(readFile) |
| 134 | + if err != nil { |
| 135 | + t.Fatalf("unexpected error: %v", err) |
| 136 | + } |
| 137 | + if gotPath != expectedPath { |
| 138 | + t.Errorf("read path = %q, want %q", gotPath, expectedPath) |
| 139 | + } |
| 140 | +} |
| 141 | + |
| 142 | +// makeToken creates an unsigned JWT string with the given claims. |
| 143 | +func makeToken(t *testing.T, claims jwt.MapClaims) string { |
| 144 | + t.Helper() |
| 145 | + tok := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) |
| 146 | + s, err := tok.SignedString([]byte("test-secret")) |
| 147 | + if err != nil { |
| 148 | + t.Fatalf("failed to sign test token: %v", err) |
| 149 | + } |
| 150 | + return s |
| 151 | +} |
| 152 | + |
| 153 | +// fakeReadFile returns a readFile function that ignores the path |
| 154 | +// and returns the given token string. |
| 155 | +func fakeReadFile(t *testing.T, token string) func(string) ([]byte, error) { |
| 156 | + t.Helper() |
| 157 | + return func(string) ([]byte, error) { |
| 158 | + return []byte(token), nil |
| 159 | + } |
| 160 | +} |
0 commit comments