test: add unit tests for VPC stuffs

pyrooka · pyrooka · commit e6007168063b · 2021-10-26T19:31:41.000+02:00
diff --git a/resources/ibm-credentials-vpc.env b/resources/ibm-credentials-vpc.env
@@ -0,0 +1,11 @@
+# VPC auth with default config
+SERVICE1_AUTH_TYPE=vpc
+
+# VPC auth with profile CRN
+SERVICE2_AUTH_TYPE=vpc
+SERVICE2_IAM_PROFILE_CRN=crn:iam-profile1
+SERVICE2_AUTH_URL=http://vpc.imds.com/api
+
+# VPC auth with profile ID
+SERVICE3_AUTH_TYPE=vpc
+SERVICE3_IAM_PROFILE_ID=iam-profile1-id
diff --git a/test/test_utils.py b/test/test_utils.py
@@ -376,6 +376,36 @@ def test_get_authenticator_from_credential_file():
     assert authenticator.token_manager.scope is None
     del os.environ['IBM_CREDENTIALS_FILE']
 
+    file_path = os.path.join(os.path.dirname(__file__),
+                             '../resources/ibm-credentials-vpc.env')
+    os.environ['IBM_CREDENTIALS_FILE'] = file_path
+    authenticator = get_authenticator_from_environment('service1')
+    assert authenticator is not None
+    assert authenticator.authentication_type() == Authenticator.AUTHTYPE_VPC
+    assert authenticator.token_manager.iam_profile_crn is None
+    assert authenticator.token_manager.iam_profile_id is None
+    assert authenticator.token_manager.url == 'http://169.254.169.254'
+
+    file_path = os.path.join(os.path.dirname(__file__),
+                             '../resources/ibm-credentials-vpc.env')
+    os.environ['IBM_CREDENTIALS_FILE'] = file_path
+    authenticator = get_authenticator_from_environment('service2')
+    assert authenticator is not None
+    assert authenticator.authentication_type() == Authenticator.AUTHTYPE_VPC
+    assert authenticator.token_manager.iam_profile_crn == 'crn:iam-profile1'
+    assert authenticator.token_manager.iam_profile_id is None
+    assert authenticator.token_manager.url == 'http://vpc.imds.com/api'
+
+    file_path = os.path.join(os.path.dirname(__file__),
+                             '../resources/ibm-credentials-vpc.env')
+    os.environ['IBM_CREDENTIALS_FILE'] = file_path
+    authenticator = get_authenticator_from_environment('service3')
+    assert authenticator is not None
+    assert authenticator.authentication_type() == Authenticator.AUTHTYPE_VPC
+    assert authenticator.token_manager.iam_profile_crn is None
+    assert authenticator.token_manager.iam_profile_id == 'iam-profile1-id'
+    assert authenticator.token_manager.url == 'http://169.254.169.254'
+
 
 def test_get_authenticator_from_credential_file_scope():
     file_path = os.path.join(os.path.dirname(__file__),
diff --git a/test/test_vpc_instance_authenticator.py b/test/test_vpc_instance_authenticator.py
@@ -0,0 +1,66 @@
+# pylint: disable=missing-docstring
+import pytest
+
+from ibm_cloud_sdk_core.authenticators import VPCInstanceAuthenticator, Authenticator
+
+
+TEST_IAM_PROFILE_CRN = 'crn:iam-profile:123'
+TEST_IAM_PROFILE_ID = 'iam-id-123'
+
+
+def test_constructor():
+    authenticator =VPCInstanceAuthenticator(iam_profile_id=TEST_IAM_PROFILE_ID, url='someurl.com')
+    assert authenticator is not None
+    assert authenticator.authentication_type() == Authenticator.AUTHTYPE_VPC
+    assert authenticator.token_manager.iam_profile_crn is None
+    assert authenticator.token_manager.iam_profile_id == TEST_IAM_PROFILE_ID
+    assert authenticator.token_manager.url == 'someurl.com'
+
+
+def test_setters():
+    authenticator =VPCInstanceAuthenticator(iam_profile_id=TEST_IAM_PROFILE_ID, url='someurl.com')
+    assert authenticator is not None
+    assert authenticator.authentication_type() == Authenticator.AUTHTYPE_VPC
+    assert authenticator.token_manager.iam_profile_crn is None
+    assert authenticator.token_manager.iam_profile_id == TEST_IAM_PROFILE_ID
+    assert authenticator.token_manager.url == 'someurl.com'
+
+    # Set the IAM profile CRN to trigger a validation which will fail,
+    # because at most one of iam_profile_crn or iam_profile_id may be specified.
+    with pytest.raises(ValueError) as err:
+        authenticator.set_iam_profile_crn(TEST_IAM_PROFILE_CRN)
+    assert str(
+        err.value) == 'At most one of "iam_profile_id" or "iam_profile_crn" may be specified.'
+
+    authenticator.set_iam_profile_id(None)
+    assert authenticator.token_manager.iam_profile_id is None
+
+    authenticator.set_iam_profile_crn(TEST_IAM_PROFILE_CRN)
+    assert authenticator.token_manager.iam_profile_crn == TEST_IAM_PROFILE_CRN
+
+
+def test_constructor_validate_failed():
+    with pytest.raises(ValueError) as err:
+        VPCInstanceAuthenticator(
+		iam_profile_crn=TEST_IAM_PROFILE_CRN,
+		iam_profile_id=TEST_IAM_PROFILE_ID,
+	)
+    assert str(
+        err.value) == 'At most one of "iam_profile_id" or "iam_profile_crn" may be specified.'
+
+
+def test_authenticate():
+    def mock_get_token():
+        return 'mock_token'
+
+    authenticator = VPCInstanceAuthenticator(iam_profile_crn=TEST_IAM_PROFILE_CRN)
+    authenticator.token_manager.get_token = mock_get_token
+
+    # Simulate an SDK API request that needs to be authenticated.
+    request = {'headers': {}}
+
+    # Trigger the "get token" processing to obtain the access token and add to the "SDK request".
+    authenticator.authenticate(request)
+
+    # Verify that the "authenticate()" method added the Authorization header
+    assert request['headers']['Authorization'] == 'Bearer mock_token'
diff --git a/test/test_vpc_instance_token_manager.py b/test/test_vpc_instance_token_manager.py
@@ -0,0 +1,203 @@
+# coding: utf-8
+
+# Copyright 2021 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# pylint: disable=missing-docstring
+import json
+import logging
+
+import pytest
+import responses
+
+from ibm_cloud_sdk_core import ApiException, VPCInstanceTokenManager
+
+
+TEST_TOKEN = 'abc123'
+TEST_IAM_TOKEN = 'iam-abc123'
+TEST_IAM_PROFILE_CRN = 'crn:iam-profile:123'
+TEST_IAM_PROFILE_ID = 'iam-id-123'
+
+
+def test_constructor():
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_crn=TEST_IAM_PROFILE_CRN,
+    )
+
+    assert token_manager.iam_profile_crn is TEST_IAM_PROFILE_CRN
+    assert token_manager.iam_profile_id is None
+    assert token_manager.access_token is None
+
+
+def test_setters():
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_crn=TEST_IAM_PROFILE_CRN,
+    )
+
+    assert token_manager.iam_profile_crn is TEST_IAM_PROFILE_CRN
+    assert token_manager.iam_profile_id is None
+    assert token_manager.access_token is None
+
+    token_manager.set_iam_profile_crn(None)
+    assert token_manager.iam_profile_crn is None
+
+    token_manager.set_iam_profile_id(TEST_IAM_PROFILE_ID)
+    assert token_manager.iam_profile_id == TEST_IAM_PROFILE_ID
+
+
+@responses.activate
+def test_retrieve_instance_identity_token(caplog):
+    caplog.set_level(logging.DEBUG)
+
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_crn=TEST_IAM_PROFILE_CRN,
+        url='http://someurl.com',
+    )
+
+    response = {
+        'access_token': TEST_TOKEN,
+    }
+
+    responses.add(responses.PUT, 'http://someurl.com/instance_identity/v1/token',
+                  body=json.dumps(response), status=200)
+
+    ii_token = token_manager.retrieve_instance_identity_token()
+    assert len(responses.calls) == 1
+    assert responses.calls[0].request.headers['version'] == '2021-09-20'
+    assert responses.calls[0].request.headers['Content-Type'] == 'application/json'
+    assert responses.calls[0].request.headers['Accept'] == 'application/json'
+    assert responses.calls[0].request.headers['Metadata-Flavor'] == 'ibm'
+    assert responses.calls[0].request.body == '{"expires_in": 300}'
+    assert ii_token == TEST_TOKEN
+    # Check the logs.
+    #pylint: disable=line-too-long
+    assert caplog.record_tuples[0][2] == 'Invoking VPC \'create_access_token\' operation: http://someurl.com/instance_identity/v1/token'
+    assert caplog.record_tuples[1][2] == 'Returned from VPC \'create_access_token\' operation."'
+
+@responses.activate
+def test_retrieve_instance_identity_token_failed(caplog):
+    caplog.set_level(logging.DEBUG)
+
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_crn=TEST_IAM_PROFILE_CRN,
+        url='http://someurl.com',
+    )
+
+    response = {
+        'errors': ['Ooops'],
+    }
+
+    responses.add(responses.PUT, 'http://someurl.com/instance_identity/v1/token',
+                  body=json.dumps(response), status=400)
+
+    with pytest.raises(ApiException):
+        token_manager.retrieve_instance_identity_token()
+
+    assert len(responses.calls) == 1
+    # Check the logs.
+    #pylint: disable=line-too-long
+    assert caplog.record_tuples[0][2] == 'Invoking VPC \'create_access_token\' operation: http://someurl.com/instance_identity/v1/token'
+
+@responses.activate
+def test_request_token_with_crn(caplog):
+    caplog.set_level(logging.DEBUG)
+
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_crn=TEST_IAM_PROFILE_CRN,
+    )
+
+    # Mock the retrieve instance identity token method.
+    def mock_retrieve_instance_identity_token():
+        return TEST_TOKEN
+    token_manager.retrieve_instance_identity_token = mock_retrieve_instance_identity_token
+
+    response = {
+        'access_token': TEST_IAM_TOKEN,
+    }
+
+    responses.add(responses.POST, 'http://169.254.169.254/instance_identity/v1/iam_token',
+                  body=json.dumps(response), status=200)
+
+    response = token_manager.request_token()
+    assert len(responses.calls) == 1
+    assert responses.calls[0].request.headers['Content-Type'] == 'application/json'
+    assert responses.calls[0].request.headers['Accept'] == 'application/json'
+    assert responses.calls[0].request.headers['Authorization'] == 'Bearer ' + TEST_TOKEN
+    assert responses.calls[0].request.body == '{"trusted_profile": "{\\"crn\\": \\"crn:iam-profile:123\\"}"}'
+    assert responses.calls[0].request.params['version'] == '2021-09-20'
+    # Check the logs.
+    #pylint: disable=line-too-long
+    assert caplog.record_tuples[0][2] == 'Invoking VPC \'create_iam_token\' operation: http://169.254.169.254/instance_identity/v1/iam_token'
+    assert caplog.record_tuples[1][2] == 'Returned from VPC \'create_iam_token\' operation."'
+
+
+@responses.activate
+def test_request_token_with_id(caplog):
+    caplog.set_level(logging.DEBUG)
+
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_id=TEST_IAM_PROFILE_ID,
+    )
+
+    # Mock the retrieve instance identity token method.
+    def mock_retrieve_instance_identity_token():
+        return TEST_TOKEN
+    token_manager.retrieve_instance_identity_token = mock_retrieve_instance_identity_token
+
+    response = {
+        'access_token': TEST_IAM_TOKEN,
+    }
+
+    responses.add(responses.POST, 'http://169.254.169.254/instance_identity/v1/iam_token',
+                  body=json.dumps(response), status=200)
+
+    response = token_manager.request_token()
+    assert len(responses.calls) == 1
+    assert responses.calls[0].request.headers['Content-Type'] == 'application/json'
+    assert responses.calls[0].request.headers['Accept'] == 'application/json'
+    assert responses.calls[0].request.headers['Authorization'] == 'Bearer ' + TEST_TOKEN
+    assert responses.calls[0].request.body == '{"trusted_profile": "{\\"id\\": \\"iam-id-123\\"}"}'
+    assert responses.calls[0].request.params['version'] == '2021-09-20'
+    # Check the logs.
+    #pylint: disable=line-too-long
+    assert caplog.record_tuples[0][2] == 'Invoking VPC \'create_iam_token\' operation: http://169.254.169.254/instance_identity/v1/iam_token'
+    assert caplog.record_tuples[1][2] == 'Returned from VPC \'create_iam_token\' operation."'
+
+
+@responses.activate
+def test_request_token_with_failed(caplog):
+    caplog.set_level(logging.DEBUG)
+
+    token_manager = VPCInstanceTokenManager(
+        iam_profile_id=TEST_IAM_PROFILE_ID,
+    )
+
+    # Mock the retrieve instance identity token method.
+    def mock_retrieve_instance_identity_token():
+        return TEST_TOKEN
+    token_manager.retrieve_instance_identity_token = mock_retrieve_instance_identity_token
+
+    response = {
+        'errors': ['Ooops'],
+    }
+
+    responses.add(responses.POST, 'http://169.254.169.254/instance_identity/v1/iam_token',
+                  body=json.dumps(response), status=400)
+
+    with pytest.raises(ApiException):
+        token_manager.request_token()
+    assert len(responses.calls) == 1
+    # Check the logs.
+    #pylint: disable=line-too-long
+    assert caplog.record_tuples[0][2] == 'Invoking VPC \'create_iam_token\' operation: http://169.254.169.254/instance_identity/v1/iam_token'
