d422a92e66
* Before this change, even on non-AWS platforms, the Enabled() check attempts to make calls to the metadata endpoint when the session and credentials are initialized (in order to determine if the provider should be initialized at all). * This can cause latency because the SDK times out and retries -- up to 20 seconds of latency has been observed on non-AWS platforms when the metadata IP was blocked with an iptables rule. * Instead, check once if we are running on an EC2 platform, first trying to find the EC2 UUID in system files, and second attempting to get credentials. * Add a benchmark test that includes intialization and the credential check.
343 lines
9.9 KiB
Go
343 lines
9.9 KiB
Go
/*
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package credentials
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"math/rand"
|
|
"path"
|
|
"strconv"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/service/ecr"
|
|
|
|
"k8s.io/kubernetes/pkg/credentialprovider"
|
|
)
|
|
|
|
const user = "foo"
|
|
const password = "1234567890abcdef" // Fake value for testing.
|
|
const email = "not@val.id"
|
|
|
|
// Mock implementation
|
|
// randomizePassword is used to check for a cache hit to verify the password
|
|
// has not changed
|
|
type testTokenGetter struct {
|
|
user string
|
|
password string
|
|
endpoint string
|
|
randomizePassword bool
|
|
}
|
|
|
|
type testTokenGetterFactory struct {
|
|
getter tokenGetter
|
|
}
|
|
|
|
func (f *testTokenGetterFactory) GetTokenGetterForRegion(region string) (tokenGetter, error) {
|
|
return f.getter, nil
|
|
}
|
|
|
|
func (p *testTokenGetter) GetAuthorizationToken(input *ecr.GetAuthorizationTokenInput) (*ecr.GetAuthorizationTokenOutput, error) {
|
|
if p.randomizePassword {
|
|
rand.Seed(int64(time.Now().Nanosecond()))
|
|
p.password = strconv.Itoa(rand.Int())
|
|
}
|
|
expiration := time.Now().Add(1 * time.Hour)
|
|
// expiration := time.Now().Add(5 * time.Second) //for testing with the cache expiring
|
|
creds := []byte(fmt.Sprintf("%s:%s", p.user, p.password))
|
|
data := &ecr.AuthorizationData{
|
|
AuthorizationToken: aws.String(base64.StdEncoding.EncodeToString(creds)),
|
|
ExpiresAt: &expiration,
|
|
ProxyEndpoint: aws.String(p.endpoint),
|
|
}
|
|
output := &ecr.GetAuthorizationTokenOutput{
|
|
AuthorizationData: []*ecr.AuthorizationData{data},
|
|
}
|
|
return output, nil //p.svc.GetAuthorizationToken(input)
|
|
}
|
|
|
|
func TestRegistryPatternMatch(t *testing.T) {
|
|
grid := []struct {
|
|
Registry string
|
|
Expected bool
|
|
}{
|
|
{"123456789012.dkr.ecr.lala-land-1.amazonaws.com", true},
|
|
// fips
|
|
{"123456789012.dkr.ecr-fips.lala-land-1.amazonaws.com", true},
|
|
// .cn
|
|
{"123456789012.dkr.ecr.lala-land-1.amazonaws.com.cn", true},
|
|
// registry ID too long
|
|
{"1234567890123.dkr.ecr.lala-land-1.amazonaws.com", false},
|
|
// registry ID too short
|
|
{"12345678901.dkr.ecr.lala-land-1.amazonaws.com", false},
|
|
// registry ID has invalid chars
|
|
{"12345678901A.dkr.ecr.lala-land-1.amazonaws.com", false},
|
|
// region has invalid chars
|
|
{"123456789012.dkr.ecr.lala-land-1!.amazonaws.com", false},
|
|
// region starts with invalid char
|
|
{"123456789012.dkr.ecr.#lala-land-1.amazonaws.com", false},
|
|
// invalid host suffix
|
|
{"123456789012.dkr.ecr.lala-land-1.amazonaws.hacker.com", false},
|
|
// invalid host suffix
|
|
{"123456789012.dkr.ecr.lala-land-1.hacker.com", false},
|
|
// invalid host suffix
|
|
{"123456789012.dkr.ecr.lala-land-1.amazonaws.lol", false},
|
|
// without dkr
|
|
{"123456789012.dog.ecr.lala-land-1.amazonaws.com", false},
|
|
// without ecr
|
|
{"123456789012.dkr.cat.lala-land-1.amazonaws.com", false},
|
|
// without amazonaws
|
|
{"123456789012.dkr.cat.lala-land-1.awsamazon.com", false},
|
|
// too short
|
|
{"123456789012.lala-land-1.amazonaws.com", false},
|
|
}
|
|
for _, g := range grid {
|
|
actual := ecrPattern.MatchString(g.Registry)
|
|
if actual != g.Expected {
|
|
t.Errorf("unexpected pattern match value, want %v for %s", g.Expected, g.Registry)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestParseRepoURLPass(t *testing.T) {
|
|
registryID := "123456789012"
|
|
region := "lala-land-1"
|
|
port := "9001"
|
|
registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
|
|
image := path.Join(registry, port, "foo/bar")
|
|
parsedURL, err := parseRepoURL(image)
|
|
|
|
if err != nil {
|
|
t.Errorf("Could not parse URL: %s, err: %v", image, err)
|
|
}
|
|
if registryID != parsedURL.registryID {
|
|
t.Errorf("Unexpected registryID value, want: %s, got: %s", registryID, parsedURL.registryID)
|
|
}
|
|
if region != parsedURL.region {
|
|
t.Errorf("Unexpected region value, want: %s, got: %s", region, parsedURL.region)
|
|
}
|
|
if registry != parsedURL.registry {
|
|
t.Errorf("Unexpected registry value, want: %s, got: %s", registry, parsedURL.registry)
|
|
}
|
|
}
|
|
|
|
func TestParseRepoURLFail(t *testing.T) {
|
|
registry := "123456789012.foo.bar.baz"
|
|
image := path.Join(registry, "foo/bar")
|
|
parsedURL, err := parseRepoURL(image)
|
|
expectedErr := "123456789012.foo.bar.baz is not a valid ECR repository URL"
|
|
|
|
if err == nil {
|
|
t.Errorf("Should fail to parse URL %s", image)
|
|
}
|
|
if err.Error() != expectedErr {
|
|
t.Errorf("Unexpected error, want: %s, got: %v", expectedErr, err)
|
|
}
|
|
if parsedURL != nil {
|
|
t.Errorf("Expected parsedURL to be nil")
|
|
}
|
|
}
|
|
|
|
func isAlwaysEC2() bool {
|
|
return true
|
|
}
|
|
|
|
func TestECRProvide(t *testing.T) {
|
|
registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
|
|
otherRegistries := []string{
|
|
"123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn",
|
|
"private.registry.com",
|
|
"gcr.io",
|
|
}
|
|
image := path.Join(registry, "foo/bar")
|
|
p := newECRProvider(&testTokenGetterFactory{
|
|
getter: &testTokenGetter{
|
|
user: user,
|
|
password: password,
|
|
endpoint: registry,
|
|
},
|
|
}, isAlwaysEC2)
|
|
keyring := &credentialprovider.BasicDockerKeyring{}
|
|
keyring.Add(p.Provide(image))
|
|
|
|
// Verify that we get the expected username/password combo for
|
|
// an ECR image name.
|
|
creds, ok := keyring.Lookup(image)
|
|
if !ok {
|
|
t.Errorf("Didn't find expected URL: %s", image)
|
|
return
|
|
}
|
|
if len(creds) > 1 {
|
|
t.Errorf("Got more hits than expected: %s", creds)
|
|
}
|
|
cred := creds[0]
|
|
if user != cred.Username {
|
|
t.Errorf("Unexpected username value, want: %s, got: %s", user, cred.Username)
|
|
}
|
|
if password != creds[0].Password {
|
|
t.Errorf("Unexpected password value, want: %s, got: %s", password, cred.Password)
|
|
}
|
|
if email != creds[0].Email {
|
|
t.Errorf("Unexpected email value, want: %s, got: %s", email, cred.Email)
|
|
}
|
|
|
|
// Verify that we get an error for other images.
|
|
for _, otherRegistry := range otherRegistries {
|
|
image = path.Join(otherRegistry, "foo/bar")
|
|
_, ok = keyring.Lookup(image)
|
|
if ok {
|
|
t.Errorf("Unexpectedly found image: %s", image)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestECRProvideCached(t *testing.T) {
|
|
registry := "123456789012.dkr.ecr.lala-land-1.amazonaws.com"
|
|
p := newECRProvider(&testTokenGetterFactory{
|
|
getter: &testTokenGetter{
|
|
user: user,
|
|
password: password,
|
|
endpoint: registry,
|
|
randomizePassword: true,
|
|
},
|
|
}, isAlwaysEC2)
|
|
image1 := path.Join(registry, "foo/bar")
|
|
image2 := path.Join(registry, "bar/baz")
|
|
keyring := &credentialprovider.BasicDockerKeyring{}
|
|
keyring.Add(p.Provide(image1))
|
|
// time.Sleep(6 * time.Second) //for testing with the cache expiring
|
|
keyring.Add(p.Provide(image2))
|
|
// Verify that we get the credentials from the
|
|
// cache the second time
|
|
creds1, ok := keyring.Lookup(image1)
|
|
if !ok {
|
|
t.Errorf("Didn't find expected URL: %s", image1)
|
|
return
|
|
}
|
|
if len(creds1) != 2 {
|
|
t.Errorf("Got more hits than expected: %s", creds1)
|
|
}
|
|
|
|
if creds1[0].Password != creds1[1].Password {
|
|
t.Errorf("cached credentials do not match")
|
|
}
|
|
|
|
creds2, ok := keyring.Lookup(image2)
|
|
if !ok {
|
|
t.Errorf("Didn't find expected URL: %s", image1)
|
|
return
|
|
}
|
|
if len(creds2) != 2 {
|
|
t.Errorf("Got more hits than expected: %s", creds2)
|
|
}
|
|
|
|
if creds2[0].Password != creds2[1].Password {
|
|
t.Errorf("cached credentials do not match")
|
|
}
|
|
if creds1[0].Password != creds2[0].Password {
|
|
t.Errorf("cached credentials do not match")
|
|
}
|
|
}
|
|
|
|
func TestChinaECRProvide(t *testing.T) {
|
|
registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
|
|
otherRegistries := []string{
|
|
"123456789012.dkr.ecr.lala-land-1.amazonaws.com",
|
|
"private.registry.com",
|
|
"gcr.io",
|
|
}
|
|
image := path.Join(registry, "foo/bar")
|
|
p := newECRProvider(&testTokenGetterFactory{
|
|
getter: &testTokenGetter{
|
|
user: user,
|
|
password: password,
|
|
endpoint: registry,
|
|
},
|
|
}, isAlwaysEC2)
|
|
keyring := &credentialprovider.BasicDockerKeyring{}
|
|
keyring.Add(p.Provide(image))
|
|
// Verify that we get the expected username/password combo for
|
|
// an ECR image name.
|
|
creds, ok := keyring.Lookup(image)
|
|
if !ok {
|
|
t.Errorf("Didn't find expected URL: %s", image)
|
|
return
|
|
}
|
|
if len(creds) > 1 {
|
|
t.Errorf("Got more hits than expected: %s", creds)
|
|
}
|
|
cred := creds[0]
|
|
if user != cred.Username {
|
|
t.Errorf("Unexpected username value, want: %s, got: %s", user, cred.Username)
|
|
}
|
|
if password != cred.Password {
|
|
t.Errorf("Unexpected password value, want: %s, got: %s", password, cred.Password)
|
|
}
|
|
if email != cred.Email {
|
|
t.Errorf("Unexpected email value, want: %s, got: %s", email, cred.Email)
|
|
}
|
|
|
|
// Verify that we get an error for other images.
|
|
for _, otherRegistry := range otherRegistries {
|
|
image = path.Join(otherRegistry, image)
|
|
_, ok = keyring.Lookup(image)
|
|
if ok {
|
|
t.Errorf("Unexpectedly found image: %s", image)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestChinaECRProvideCached(t *testing.T) {
|
|
registry := "123456789012.dkr.ecr.cn-foo-1.amazonaws.com.cn"
|
|
p := newECRProvider(&testTokenGetterFactory{
|
|
getter: &testTokenGetter{
|
|
user: user,
|
|
password: password,
|
|
endpoint: registry,
|
|
randomizePassword: true,
|
|
},
|
|
}, isAlwaysEC2)
|
|
image := path.Join(registry, "foo/bar")
|
|
keyring := &credentialprovider.BasicDockerKeyring{}
|
|
keyring.Add(p.Provide(image))
|
|
// time.Sleep(6 * time.Second) //for testing with the cache expiring
|
|
keyring.Add(p.Provide(image))
|
|
// Verify that we get the credentials from the
|
|
// cache the second time
|
|
creds, ok := keyring.Lookup(image)
|
|
if !ok {
|
|
t.Errorf("Didn't find expected URL: %s", image)
|
|
return
|
|
}
|
|
if len(creds) != 2 {
|
|
t.Errorf("Got more hits than expected: %s", creds)
|
|
}
|
|
|
|
if creds[0].Password != creds[1].Password {
|
|
t.Errorf("cached credentials do not match")
|
|
}
|
|
}
|
|
|
|
func BenchmarkSetupLatency(b *testing.B) {
|
|
p := newECRProvider(&ecrTokenGetterFactory{cache: make(map[string]tokenGetter)}, ec2ValidationImpl)
|
|
_ = p.Enabled()
|
|
}
|