add negative integration tests for gmsa on Linux
mrkdeng committed Jun 19, 2023
1 parent 0de7229 commit de84c2e
Showing 1 changed file with 151 additions and 0 deletions.
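--- a/agent/engine/engine_sudo_linux_integ_test.go
+++ b/agent/engine/engine_sudo_linux_integ_test.go
@@ -939,6 +939,157 @@ func TestGMSADomainlessTaskFile(t *testing.T) {
 verifyTaskIsStopped(stateChangeEvents, testTask)
 }
 
+func TestGMSATaskFileS3Err(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:arn:aws:::s3:testbucket/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err := verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+}
+
+func TestGMSATaskFileSSMErr(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:aws:arn:ssm:us-west-2:123456789012:document/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err := verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+}
+
+func TestGMSANotRunningErr(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "False")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+// Setup test gmsa file
+credentialSpecDataDir := "/tmp"
+testFileName := "test-gmsa.json"
+testCredSpecFilePath := filepath.Join(credentialSpecDataDir, testFileName)
+_, err := os.Create(testCredSpecFilePath)
+require.NoError(t, err)
+
+// add local credentialspec file
+testCredSpecData := []byte(`{
+"CmsPlugins": [
+"ActiveDirectory"
+],
+"DomainJoinConfig": {
+"Sid": "S-1-5-21-975084816-3050680612-2826754290",
+"MachineAccountName": "gmsa-acct-test",
+"Guid": "92a07e28-bd9f-4bf3-b1f7-0894815a5257",
+"DnsTreeName": "gmsa.test.com",
+"DnsName": "gmsa.test.com",
+"NetBiosName": "gmsa"
+},
+"ActiveDirectoryConfig": {
+"GroupManagedServiceAccounts": [
+{
+"Name": "gmsa-acct-test",
+"Scope": "gmsa.test.com"
+}
+]
+}
+}`)
+
+err = ioutil.WriteFile(testCredSpecFilePath, testCredSpecData, 0755)
+require.NoError(t, err)
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:file:///tmp/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err = verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+
+}
+
 func verifyContainerBindMount(client *sdkClient.Client, id, expectedBind string) error {
 dockerContainer, err := client.ContainerInspect(context.TODO(), id)
 if err != nil {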
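Review bot: In TestGMSANotRunningErr the `*os.File` returned by `os.Create(testCredSpecFilePath)` is discarded and never closed, and the call is redundant because `ioutil.WriteFile` a few lines later creates the file itself; the fixture in /tmp is also never removed, so it persists across runs and is shared with anything else on the host. Drop the `os.Create` pair and write the file with `err := os.WriteFile(testCredSpecFilePath, testCredSpecData, 0600)` followed by `t.Cleanup(func() { os.Remove(testCredSpecFilePath) })` (`ioutil` has been deprecated since Go 1.16, and a credential spec needs neither the execute bit nor world-read). The S3 and SSM tests assert only `assert.Error`, while the credentialspec values `arn:aws:::s3:testbucket/...` and `aws:arn:ssm:...` do not follow the canonical ARN layout, so the failure may come from ARN parsing rather than from the fetch path the test names suggest; if the malformed ARN is intentional a comment such as `// malformed ARN on purpose: resolution must fail before any fetch is attempted` should say so, otherwise use the canonical form and pin the cause with `assert.ErrorContains`. The three tests repeat the same env, config and task setup and would read better with a shared helper that takes the credentialspec string.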
