Add tests

Author: MichaelEischer

internal/cmd/ske/kubeconfig/login/login_test.go

@@ -2,12 +2,21 @@ package login
 
 import (
 	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
+	"strings"
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/cache"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 	"github.com/stackitcloud/stackit-sdk-go/services/ske"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,6 +30,10 @@ var testCtx = context.WithValue(context.Background(), testCtxKey{}, "foo")
 var testClient = &ske.APIClient{}
 var testProjectId = uuid.NewString()
 var testClusterName = "cluster"
+var testOrganization = uuid.NewString()
+var testAccessToken = "access-token-test-" + uuid.NewString()
+var testExchangedToken = "access-token-exchanged-" + uuid.NewString()
+var testTokenEndpoint = "https://accounts.stackit.cloud/test/endpoint" //nolint:gosec // Actually just a URL
 
 const testRegion = "eu01"
 
@@ -30,14 +43,15 @@ func fixtureClusterConfig(mods ...func(clusterConfig *clusterConfig)) *clusterCo
 		ClusterName:      testClusterName,
 		cacheKey:         "",
 		Region:           testRegion,
+		OrganizationID:   testOrganization,
 	}
 	for _, mod := range mods {
 		mod(clusterConfig)
 	}
 	return clusterConfig
 }
 
-func fixtureRequest(mods ...func(request *ske.ApiCreateKubeconfigRequest)) ske.ApiCreateKubeconfigRequest {
+func fixtureLoginRequest(mods ...func(request *ske.ApiCreateKubeconfigRequest)) ske.ApiCreateKubeconfigRequest {
 	request := testClient.CreateKubeconfig(testCtx, testProjectId, testRegion, testClusterName)
 	request = request.CreateKubeconfigPayload(ske.CreateKubeconfigPayload{})
 	for _, mod := range mods {
@@ -46,6 +60,40 @@ func fixtureRequest(mods ...func(request *ske.ApiCreateKubeconfigRequest)) ske.A
 	return request
 }
 
+func fixtureTokenExchangeRequest(tokenEndpoint string) *http.Request {
+	form := url.Values{}
+	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+	form.Set("client_id", "stackit-cli-0000-0000-000000000001")
+	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+	form.Set("requested_token_type", "urn:ietf:params:oauth:token-type:id_token")
+	form.Set("scope", "openid profile email groups")
+	form.Set("subject_token", testAccessToken)
+	form.Set("resource", "resource://organizations/"+testOrganization+"/projects/"+testProjectId+"/regions/"+testRegion+"/ske/"+testClusterName)
+
+	req, _ := http.NewRequestWithContext(
+		testCtx,
+		http.MethodPost,
+		tokenEndpoint,
+		strings.NewReader(form.Encode()),
+	)
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	return req
+}
+
+func fixtureTokenExchangeResponse() string {
+	type exchangeReponse struct {
+		AccessToken    string `json:"access_token"`
+		IssuedTokeType string `json:"issued_token_type"`
+		TokenType      string `json:"token_type"`
+	}
+	response, _ := json.Marshal(exchangeReponse{
+		AccessToken:    testExchangedToken,
+		IssuedTokeType: "urn:ietf:params:oauth:token-type:id_token",
+		TokenType:      "Bearer",
+	})
+	return string(response)
+}
+
 func TestBuildRequest(t *testing.T) {
 	tests := []struct {
 		description     string
@@ -55,7 +103,7 @@ func TestBuildRequest(t *testing.T) {
 		{
 			description:   "expiration time",
 			clusterConfig: fixtureClusterConfig(),
-			expectedRequest: fixtureRequest().CreateKubeconfigPayload(ske.CreateKubeconfigPayload{
+			expectedRequest: fixtureLoginRequest().CreateKubeconfigPayload(ske.CreateKubeconfigPayload{
 				ExpirationSeconds: utils.Ptr("1800")}),
 		},
 	}
@@ -134,7 +182,187 @@ zbRjZmli7cnenEnfnNoFIGbgkbjGXRUCIC5zFtWXFK7kA+B2vDxD0DlLcQodNwi4
 			if execCredential == nil {
 				t.Fatal("execCredential is nil")
 			}
-			diff := cmp.Diff(execCredential, tt.expectedExecCredentialRequest)
+			expected, _ := json.Marshal(tt.expectedExecCredentialRequest)
+			diff := cmp.Diff(execCredential, expected)
+			if diff != "" {
+				t.Fatalf("Data does not match: %s", diff)
+			}
+		})
+	}
+}
+
+func TestBuildTokenExchangeRequest(t *testing.T) {
+	cfg := fixtureClusterConfig()
+	expectedRequest := fixtureTokenExchangeRequest(testTokenEndpoint)
+	req, err := buildRequestToExchangeTokens(testCtx, testTokenEndpoint, testAccessToken, cfg)
+	if err != nil {
+		t.Fatalf("func returned error: %s", err)
+	}
+	// directly using cmp.Diff is not possible, so dump the requests first
+	expected, err := httputil.DumpRequest(expectedRequest, true)
+	if err != nil {
+		t.Fatalf("fail to dump expected: %s", err)
+	}
+	actual, err := httputil.DumpRequest(req, true)
+	if err != nil {
+		t.Fatalf("fail to dump actual: %s", err)
+	}
+	diff := cmp.Diff(actual, expected)
+	if diff != "" {
+		t.Fatalf("Data does not match: %s", diff)
+	}
+}
+
+func TestParseTokenExchangeResponse(t *testing.T) {
+	response := fixtureTokenExchangeResponse()
+
+	tests := []struct {
+		description string
+		response    string
+		status      int
+		expectError bool
+	}{
+		{
+			description: "valid response",
+			response:    response,
+			status:      http.StatusOK,
+		},
+		{
+			description: "error status",
+			response:    response, // valid response to make sure the status code is checked
+			status:      http.StatusForbidden,
+			expectError: true,
+		},
+		{
+			description: "error content",
+			response:    "{}",
+			status:      http.StatusOK,
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			w.WriteHeader(tt.status)
+			_, _ = w.WriteString(tt.response)
+			resp := w.Result()
+
+			defer func() {
+				tempErr := resp.Body.Close()
+				if tempErr != nil {
+					t.Fatalf("failed to close response body: %v", tempErr)
+				}
+			}()
+			accessToken, err := parseTokenExchangeResponse(resp)
+			if tt.expectError {
+				if err == nil {
+					t.Fatal("expected error got nil")
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("func returned error: %s", err)
+				}
+				diff := cmp.Diff(accessToken, testExchangedToken)
+				if diff != "" {
+					t.Fatalf("Token does not match: %s", diff)
+				}
+			}
+		})
+	}
+}
+
+func TestExchangeToken(t *testing.T) {
+	config := fixtureClusterConfig(func(clusterConfig *clusterConfig) {
+		clusterConfig.cacheKey = "test-exchange-token-" + uuid.NewString()
+	})
+	var request *http.Request
+	response := fixtureTokenExchangeResponse()
+	defer cache.OverwriteCacheDir(t)()
+	if err := cache.Init(); err != nil {
+		t.Fatalf("cache init failed: %s", err)
+	}
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		// only compare body as the headers will differ
+		expected, err := io.ReadAll(request.Body)
+		if err != nil {
+			t.Errorf("fail to dump expected: %s", err)
+		}
+		actual, err := io.ReadAll(req.Body)
+		if err != nil {
+			t.Errorf("fail to dump actual: %s", err)
+		}
+		diff := cmp.Diff(actual, expected)
+		if diff != "" {
+			w.WriteHeader(http.StatusBadRequest)
+			t.Errorf("request mismatch: %v", diff)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		_, err = w.Write([]byte(response))
+		if err != nil {
+			t.Errorf("Failed to write response: %v", err)
+		}
+	})
+	server := httptest.NewServer(handler)
+	defer server.Close()
+
+	request = fixtureTokenExchangeRequest(server.URL)
+	idToken, err := exchangeToken(testCtx, server.Client(), server.URL, testAccessToken, config)
+	if err != nil {
+		t.Fatalf("func returned error: %s", err)
+	}
+	diff := cmp.Diff(idToken, testExchangedToken)
+	if diff != "" {
+		t.Fatalf("Exchanged token does not match: %s", diff)
+	}
+}
+
+func TestParseTokenToExecCredential(t *testing.T) {
+	expirationTime := time.Now().Add(30 * time.Minute)
+	expectedTime := expirationTime.Add(-5 * time.Minute)
+	token, err := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
+		ExpiresAt: jwt.NewNumericDate(expirationTime),
+	}).SigningString()
+	if err != nil {
+		t.Fatalf("token generation failed: %v", err)
+	}
+	token += ".signatureAAA"
+
+	tests := []struct {
+		description                   string
+		token                         string
+		expectedExecCredentialRequest *clientauthenticationv1.ExecCredential
+	}{
+		{
+			description: "expiration time",
+			token:       token,
+			expectedExecCredentialRequest: &clientauthenticationv1.ExecCredential{
+				TypeMeta: v1.TypeMeta{
+					APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+					Kind:       "ExecCredential",
+				},
+				Status: &clientauthenticationv1.ExecCredentialStatus{
+					ExpirationTimestamp: &v1.Time{Time: expectedTime},
+					Token:               token,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.description, func(t *testing.T) {
+			execCredential, err := parseTokenToExecCredential(tt.token)
+			if err != nil {
+				t.Fatalf("func returned error: %s", err)
+			}
+			if execCredential == nil {
+				t.Fatal("execCredential is nil")
+			}
+			expected, _ := json.Marshal(tt.expectedExecCredentialRequest)
+			diff := cmp.Diff(execCredential, expected)
 			if diff != "" {
 				t.Fatalf("Data does not match: %s", diff)
 			}

internal/pkg/cache/cache.go

@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strconv"
+	"testing"
 	"time"
 
 	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
@@ -29,6 +30,13 @@ const (
 	cacheKeyMaxAge = 90 * 24 * time.Hour
 )
 
+func OverwriteCacheDir(t *testing.T) func() {
+	cacheDirOverwrite = t.TempDir()
+	return func() {
+		cacheDirOverwrite = ""
+	}
+}
+
 func Init() error {
 	var cacheDir string
 	if cacheDirOverwrite == "" {

internal/pkg/cache/cache_test.go

@@ -11,15 +11,8 @@ import (
 	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
 )
 
-func overwriteCacheDir(t *testing.T) func() {
-	cacheDirOverwrite = t.TempDir()
-	return func() {
-		cacheDirOverwrite = ""
-	}
-}
-
 func TestGetObjectErrors(t *testing.T) {
-	defer overwriteCacheDir(t)()
+	defer OverwriteCacheDir(t)()
 	if err := Init(); err != nil {
 		t.Fatalf("cache init failed: %s", err)
 	}
@@ -59,7 +52,7 @@ func TestGetObjectErrors(t *testing.T) {
 	}
 }
 func TestPutObject(t *testing.T) {
-	defer overwriteCacheDir(t)()
+	defer OverwriteCacheDir(t)()
 	if err := Init(); err != nil {
 		t.Fatalf("cache init failed: %s", err)
 	}
@@ -138,7 +131,7 @@ func TestPutObject(t *testing.T) {
 }
 
 func TestDeleteObject(t *testing.T) {
-	defer overwriteCacheDir(t)()
+	defer OverwriteCacheDir(t)()
 	if err := Init(); err != nil {
 		t.Fatalf("cache init failed: %s", err)
 	}
@@ -225,7 +218,7 @@ func TestWriteAndRead(t *testing.T) {
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
-			defer overwriteCacheDir(t)()
+			defer OverwriteCacheDir(t)()
 			if tt.clearKeys {
 				clearKeys(t)
 			}
@@ -254,7 +247,7 @@ func TestWriteAndRead(t *testing.T) {
 }
 
 func TestCacheCleanup(t *testing.T) {
-	defer overwriteCacheDir(t)()
+	defer OverwriteCacheDir(t)()
 	if err := Init(); err != nil {
 		t.Fatalf("cache init failed: %s", err)
 	}