test(ws): Notebooks 2.0 // Backend // Add tests

Signed-off-by: Yehudit Kerido <[email protected]>

Author: Yehudit Kerido

workspaces/backend/go.mod

@@ -60,6 +60,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
@@ -93,6 +94,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

workspaces/backend/internal/auth/authentication_test.go

@@ -0,0 +1,106 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"net/http"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("NewRequestAuthenticator", func() {
+	const (
+		userHeader   = "X-User"
+		groupsHeader = "X-Groups"
+		userPrefix   = "service-account:"
+	)
+
+	type authTestInput struct {
+		userHeaderValue     string
+		groupsHeaderValue   string
+		userPrefix          string
+		expectAuthenticated bool
+		expectedUserName    string
+		expectedGroups      []string
+	}
+
+	runAuthTest := func(input authTestInput) {
+		authn, err := NewRequestAuthenticator(userHeader, input.userPrefix, groupsHeader)
+		Expect(err).NotTo(HaveOccurred())
+
+		req, _ := http.NewRequest("GET", "/", http.NoBody)
+		if input.userHeaderValue != "" {
+			req.Header.Set(userHeader, input.userHeaderValue)
+		}
+		if input.groupsHeaderValue != "" {
+			req.Header.Set(groupsHeader, input.groupsHeaderValue)
+		}
+
+		resp, ok, err := authn.AuthenticateRequest(req)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ok).To(Equal(input.expectAuthenticated))
+		if input.expectAuthenticated {
+			Expect(resp).NotTo(BeNil())
+			Expect(resp.User.GetName()).To(Equal(input.expectedUserName))
+			Expect(resp.User.GetGroups()).To(Equal(input.expectedGroups))
+		} else {
+			Expect(resp).To(BeNil())
+		}
+	}
+	It("authenticates user without prefix", func() {
+		runAuthTest(authTestInput{
+			userHeaderValue:     "test-user",
+			groupsHeaderValue:   "group-a,group-b",
+			userPrefix:          "",
+			expectAuthenticated: true,
+			expectedUserName:    "test-user",
+			expectedGroups:      []string{"group-a,group-b"},
+		})
+	})
+
+	It("authenticates user and trims prefix", func() {
+		runAuthTest(authTestInput{
+			userHeaderValue:     userPrefix + "test-user",
+			groupsHeaderValue:   "group-c",
+			userPrefix:          userPrefix,
+			expectAuthenticated: true,
+			expectedUserName:    "test-user",
+			expectedGroups:      []string{"group-c"},
+		})
+	})
+
+	It("authenticates user when prefix is configured but not present", func() {
+		runAuthTest(authTestInput{
+			userHeaderValue:     "another-user",
+			groupsHeaderValue:   "",
+			userPrefix:          userPrefix,
+			expectAuthenticated: true,
+			expectedUserName:    "another-user",
+			expectedGroups:      []string{},
+		})
+	})
+
+	It("handles unauthenticated request", func() {
+		runAuthTest(authTestInput{
+			userHeaderValue:     "",
+			groupsHeaderValue:   "some-group",
+			userPrefix:          userPrefix,
+			expectAuthenticated: false,
+		})
+	})
+})

workspaces/backend/internal/auth/authorization_test.go

@@ -0,0 +1,131 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+type mockObject struct {
+	metav1.ObjectMeta
+	metav1.TypeMeta
+}
+
+func (m *mockObject) GetObjectKind() schema.ObjectKind { return &m.TypeMeta }
+
+func (m *mockObject) DeepCopyObject() runtime.Object {
+	return &mockObject{
+		ObjectMeta: *m.ObjectMeta.DeepCopy(),
+		TypeMeta:   m.TypeMeta,
+	}
+}
+
+var _ runtime.Object = &mockObject{}
+var _ = Describe("NewResourcePolicy", func() {
+	It("creates policy for a namespaced resource", func() {
+		mock := &mockObject{}
+		mock.SetName("my-deployment")
+		mock.SetNamespace("my-namespace")
+		mock.SetGroupVersionKind(schema.GroupVersionKind{
+			Group:   "apps",
+			Version: "v1",
+			Kind:    "Deployment",
+		})
+
+		policy := NewResourcePolicy(ResourceVerbGet, mock)
+
+		Expect(policy).NotTo(BeNil())
+		Expect(policy.Verb).To(Equal(ResourceVerbGet))
+		Expect(policy.Group).To(Equal("apps"))
+		Expect(policy.Version).To(Equal("v1"))
+		Expect(policy.Kind).To(Equal("Deployment"))
+		Expect(policy.Namespace).To(Equal("my-namespace"))
+		Expect(policy.Name).To(Equal("my-deployment"))
+	})
+
+	It("creates policy for a cluster-scoped resource", func() {
+		mock := &mockObject{}
+		mock.SetName("my-cluster-role")
+		mock.SetGroupVersionKind(schema.GroupVersionKind{
+			Group:   "rbac.authorization.k8s.io",
+			Version: "v1",
+			Kind:    "ClusterRole",
+		})
+
+		policy := NewResourcePolicy(ResourceVerbDelete, mock)
+
+		Expect(policy).NotTo(BeNil())
+		Expect(policy.Verb).To(Equal(ResourceVerbDelete))
+		Expect(policy.Group).To(Equal("rbac.authorization.k8s.io"))
+		Expect(policy.Kind).To(Equal("ClusterRole"))
+		Expect(policy.Name).To(Equal("my-cluster-role"))
+		Expect(policy.Namespace).To(BeEmpty())
+	})
+})
+
+var _ = Describe("AttributesFor", func() {
+	userInfo := &user.DefaultInfo{
+		Name:   "test-user",
+		Groups: []string{"group-a", "system:authenticated"},
+	}
+
+	It("creates attributes for a specific resource", func() {
+		policy := &ResourcePolicy{
+			Verb:      ResourceVerbUpdate,
+			Group:     "kubeflow.org",
+			Version:   "v1beta1",
+			Kind:      "Workspace",
+			Namespace: "user-namespace",
+			Name:      "my-workspace",
+		}
+
+		attrs := policy.AttributesFor(userInfo)
+		Expect(attrs).NotTo(BeNil())
+		Expect(attrs.GetUser()).To(Equal(userInfo))
+		Expect(attrs.GetVerb()).To(Equal("update"))
+		Expect(attrs.GetNamespace()).To(Equal("user-namespace"))
+		Expect(attrs.GetAPIGroup()).To(Equal("kubeflow.org"))
+		Expect(attrs.GetAPIVersion()).To(Equal("v1beta1"))
+		Expect(attrs.GetResource()).To(Equal("Workspace"))
+		Expect(attrs.GetName()).To(Equal("my-workspace"))
+		Expect(attrs.IsResourceRequest()).To(BeTrue())
+	})
+
+	It("creates attributes for a collection of resources", func() {
+		policy := &ResourcePolicy{
+			Verb:      ResourceVerbList,
+			Group:     "kubeflow.org",
+			Version:   "v1beta1",
+			Kind:      "Workspace",
+			Namespace: "user-namespace",
+			Name:      "",
+		}
+
+		attrs := policy.AttributesFor(userInfo)
+		Expect(attrs).NotTo(BeNil())
+		Expect(attrs.GetUser()).To(Equal(userInfo))
+		Expect(attrs.GetVerb()).To(Equal("list"))
+		Expect(attrs.GetNamespace()).To(Equal("user-namespace"))
+		Expect(attrs.GetName()).To(BeEmpty())
+		Expect(attrs.IsResourceRequest()).To(BeTrue())
+	})
+})

workspaces/backend/internal/auth/suite_test.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestAuth(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Auth Suite")
+}

workspaces/backend/internal/helper/k8s_test.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helper
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var _ = Describe("Helper functions", func() {
+	Describe("BuildScheme", func() {
+		It("should return a scheme that recognizes Pod and Workspace types", func() {
+			scheme, err := BuildScheme()
+			Expect(err).NotTo(HaveOccurred())
+			Expect(scheme).NotTo(BeNil())
+
+			podGVK := corev1.SchemeGroupVersion.WithKind("Pod")
+			Expect(scheme.Recognizes(podGVK)).To(BeTrue())
+
+			workspaceGVK := schema.GroupVersionKind{
+				Group:   "kubeflow.org",
+				Version: "v1beta1",
+				Kind:    "Workspace",
+			}
+			Expect(scheme.Recognizes(workspaceGVK)).To(BeTrue())
+		})
+	})
+})

workspaces/backend/internal/helper/suite_test.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helper
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHelper(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Helper Suite")
+}