Skip to content

Commit 2fc9096

Browse files
soltyshsoltysh
committed
Basic audit extended test
1 parent 17902cf commit 2fc9096

File tree

2 files changed

+154
-3
lines changed

2 files changed

+154
-3
lines changed

test/extended/cluster/audit.go

+150
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,150 @@
1+
package cluster
2+
3+
import (
4+
"bufio"
5+
"fmt"
6+
"os"
7+
"path/filepath"
8+
"strings"
9+
10+
g "github.com/onsi/ginkgo"
11+
o "github.com/onsi/gomega"
12+
13+
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
14+
apiv1 "k8s.io/kubernetes/pkg/api/v1"
15+
"k8s.io/kubernetes/test/e2e/framework"
16+
)
17+
18+
var _ = g.Describe("[Feature:Audit] Basic audit", func() {
19+
f := framework.NewDefaultFramework("audit")
20+
21+
g.It("should audit API calls", func() {
22+
namespace := f.Namespace.Name
23+
24+
// Create & Delete pod
25+
pod := &apiv1.Pod{
26+
ObjectMeta: metav1.ObjectMeta{
27+
Name: "audit-pod",
28+
},
29+
Spec: apiv1.PodSpec{
30+
Containers: []apiv1.Container{{
31+
Name: "pause",
32+
Image: framework.GetPauseImageName(f.ClientSet),
33+
}},
34+
},
35+
}
36+
f.PodClient().CreateSync(pod)
37+
f.PodClient().DeleteSync(pod.Name, &metav1.DeleteOptions{}, framework.DefaultPodDeletionTimeout)
38+
39+
// Create, Read, Delete secret
40+
secret := &apiv1.Secret{
41+
ObjectMeta: metav1.ObjectMeta{
42+
Name: "audit-secret",
43+
},
44+
Data: map[string][]byte{
45+
"top-secret": []byte("foo-bar"),
46+
},
47+
}
48+
_, err := f.ClientSet.Core().Secrets(f.Namespace.Name).Create(secret)
49+
framework.ExpectNoError(err, "failed to create audit-secret")
50+
_, err = f.ClientSet.Core().Secrets(f.Namespace.Name).Get(secret.Name, metav1.GetOptions{})
51+
framework.ExpectNoError(err, "failed to get audit-secret")
52+
err = f.ClientSet.Core().Secrets(f.Namespace.Name).Delete(secret.Name, &metav1.DeleteOptions{})
53+
framework.ExpectNoError(err, "failed to delete audit-secret")
54+
55+
// /version should not be audited
56+
_, err = f.ClientSet.Core().RESTClient().Get().AbsPath("/version").DoRaw()
57+
framework.ExpectNoError(err, "failed to query version")
58+
59+
expectedEvents := []auditEvent{{
60+
method: "create",
61+
namespace: namespace,
62+
uri: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
63+
response: "201",
64+
}, {
65+
method: "delete",
66+
namespace: namespace,
67+
uri: fmt.Sprintf("/api/v1/namespaces/%s/pods/%s", namespace, pod.Name),
68+
response: "200",
69+
}, {
70+
method: "create",
71+
namespace: namespace,
72+
uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets", namespace),
73+
response: "201",
74+
}, {
75+
method: "get",
76+
namespace: namespace,
77+
uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name),
78+
response: "200",
79+
}, {
80+
method: "delete",
81+
namespace: namespace,
82+
uri: fmt.Sprintf("/api/v1/namespaces/%s/secrets/%s", namespace, secret.Name),
83+
response: "200",
84+
}}
85+
expectAuditLines(f, expectedEvents)
86+
})
87+
})
88+
89+
type auditEvent struct {
90+
method, namespace, uri, response string
91+
}
92+
93+
// Search the audit log for the expected audit lines.
94+
func expectAuditLines(f *framework.Framework, expected []auditEvent) {
95+
expectations := map[auditEvent]bool{}
96+
for _, event := range expected {
97+
expectations[event] = false
98+
}
99+
100+
stream, err := os.Open(filepath.Join(os.Getenv("LOG_DIR"), "audit.log"))
101+
defer stream.Close()
102+
framework.ExpectNoError(err, "error opening audit log")
103+
scanner := bufio.NewScanner(stream)
104+
for scanner.Scan() {
105+
line := scanner.Text()
106+
event, err := parseAuditLine(line)
107+
framework.ExpectNoError(err)
108+
109+
// If the event was expected, mark it as found.
110+
if _, found := expectations[event]; found {
111+
expectations[event] = true
112+
}
113+
}
114+
framework.ExpectNoError(scanner.Err(), "error reading audit log")
115+
116+
for event, found := range expectations {
117+
o.Expect(found).To(o.BeTrue(), "Event %#v not found!", event)
118+
}
119+
}
120+
121+
func parseAuditLine(line string) (auditEvent, error) {
122+
fields := strings.Fields(line)
123+
if len(fields) < 3 {
124+
return auditEvent{}, fmt.Errorf("could not parse audit line: %s", line)
125+
}
126+
// Ignore first field (timestamp)
127+
if fields[1] != "AUDIT:" {
128+
return auditEvent{}, fmt.Errorf("unexpected audit line format: %s", line)
129+
}
130+
fields = fields[2:]
131+
event := auditEvent{}
132+
for _, f := range fields {
133+
parts := strings.SplitN(f, "=", 2)
134+
if len(parts) != 2 {
135+
return auditEvent{}, fmt.Errorf("could not parse audit line (part: %q): %s", f, line)
136+
}
137+
value := strings.Trim(parts[1], "\"")
138+
switch parts[0] {
139+
case "method":
140+
event.method = value
141+
case "namespace":
142+
event.namespace = value
143+
case "uri":
144+
event.uri = value
145+
case "response":
146+
event.response = value
147+
}
148+
}
149+
return event, nil
150+
}

test/extended/setup.sh

+4-3
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ function os::test::extended::focus () {
1616
TEST_REPORT_FILE_NAME=focus_parallel TEST_PARALLEL="${PARALLEL_NODES:-5}" os::test::extended::run -- -ginkgo.skip "\[Serial\]" -test.timeout 6h ${TEST_EXTENDED_ARGS-} || exitstatus=$?
1717

1818
# Then run everything that requires serial and matches the $FOCUS, serially.
19-
# there is bit of overlap here because not all serial tests declare [Serial], so they might have run in the
19+
# there is bit of overlap here because not all serial tests declare [Serial], so they might have run in the
2020
# parallel section above. Hopefully your focus was precise enough to exclude them, and we should be adding
2121
# the [Serial] tag to them as needed.
2222
os::log::info ""
@@ -110,11 +110,12 @@ function os::test::extended::setup () {
110110
CONFIG_VERSION="${CONTROLLER_VERSION}"
111111
fi
112112
os::start::configure_server "${CONFIG_VERSION}"
113-
#turn on audit logging for extended tests ... mimic what is done in os::start::configure_server, but don't
113+
# turn on audit logging for extended tests ... mimic what is done in os::start::configure_server, but don't
114114
# put change there - only want this for extended tests
115115
os::log::info "Turn on audit logging"
116116
cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml"
117-
openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"auditConfig\": {\"enabled\": true}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml"
117+
openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"auditConfig\": {\"enabled\": true, \"auditFilePath\": \"${LOG_DIR}/audit.log\"}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml"
118+
exit 1
118119

119120
cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml"
120121
openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"templateServiceBrokerConfig\": {\"templateNamespaces\": [\"openshift\"]}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml"

0 commit comments

Comments
 (0)