mirror of
https://github.com/argoproj/argo-cd.git
synced 2026-04-03 15:28:48 +02:00
fa54ce221e
* oras-go client should fallback to docker config if no credentials specified Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io> * Fix tests Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io> * Fix lint Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io> * gofumpt Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io> * Validate auth header Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io> --------- Signed-off-by: Tony Au-Yeung <tony@elevenlabs.io>
385 lines
11 KiB
Go
385 lines
11 KiB
Go
package helm
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"fmt"
|
|
"math"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"gopkg.in/yaml.v2"
|
|
|
|
"github.com/argoproj/argo-cd/v2/util/io"
|
|
)
|
|
|
|
type fakeIndexCache struct {
|
|
data []byte
|
|
}
|
|
|
|
func (f *fakeIndexCache) SetHelmIndex(_ string, indexData []byte) error {
|
|
f.data = indexData
|
|
return nil
|
|
}
|
|
|
|
func (f *fakeIndexCache) GetHelmIndex(_ string, indexData *[]byte) error {
|
|
*indexData = f.data
|
|
return nil
|
|
}
|
|
|
|
func TestIndex(t *testing.T) {
|
|
t.Run("Invalid", func(t *testing.T) {
|
|
client := NewClient("", Creds{}, false, "", "")
|
|
_, err := client.GetIndex(false, 10000)
|
|
require.Error(t, err)
|
|
})
|
|
t.Run("Stable", func(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", "")
|
|
index, err := client.GetIndex(false, 10000)
|
|
require.NoError(t, err)
|
|
assert.NotNil(t, index)
|
|
})
|
|
t.Run("BasicAuth", func(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{
|
|
Username: "my-password",
|
|
Password: "my-username",
|
|
}, false, "", "")
|
|
index, err := client.GetIndex(false, 10000)
|
|
require.NoError(t, err)
|
|
assert.NotNil(t, index)
|
|
})
|
|
|
|
t.Run("Cached", func(t *testing.T) {
|
|
fakeIndex := Index{Entries: map[string]Entries{"fake": {}}}
|
|
data := bytes.Buffer{}
|
|
err := yaml.NewEncoder(&data).Encode(fakeIndex)
|
|
require.NoError(t, err)
|
|
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", "", WithIndexCache(&fakeIndexCache{data: data.Bytes()}))
|
|
index, err := client.GetIndex(false, 10000)
|
|
|
|
require.NoError(t, err)
|
|
assert.Equal(t, fakeIndex, *index)
|
|
})
|
|
|
|
t.Run("Limited", func(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", "")
|
|
_, err := client.GetIndex(false, 100)
|
|
|
|
assert.ErrorContains(t, err, "unexpected end of stream")
|
|
})
|
|
}
|
|
|
|
func Test_nativeHelmChart_ExtractChart(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", "")
|
|
path, closer, err := client.ExtractChart("argo-cd", "0.7.1", "", false, math.MaxInt64, true)
|
|
require.NoError(t, err)
|
|
defer io.Close(closer)
|
|
info, err := os.Stat(path)
|
|
require.NoError(t, err)
|
|
assert.True(t, info.IsDir())
|
|
}
|
|
|
|
func Test_nativeHelmChart_ExtractChartWithLimiter(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "", "")
|
|
_, _, err := client.ExtractChart("argo-cd", "0.7.1", "", false, 100, false)
|
|
require.Error(t, err, "error while iterating on tar reader: unexpected EOF")
|
|
}
|
|
|
|
func Test_nativeHelmChart_ExtractChart_insecure(t *testing.T) {
|
|
client := NewClient("https://argoproj.github.io/argo-helm", Creds{InsecureSkipVerify: true}, false, "", "")
|
|
path, closer, err := client.ExtractChart("argo-cd", "0.7.1", "", false, math.MaxInt64, true)
|
|
require.NoError(t, err)
|
|
defer io.Close(closer)
|
|
info, err := os.Stat(path)
|
|
require.NoError(t, err)
|
|
assert.True(t, info.IsDir())
|
|
}
|
|
|
|
func Test_normalizeChartName(t *testing.T) {
|
|
t.Run("Test non-slashed name", func(t *testing.T) {
|
|
n := normalizeChartName("mychart")
|
|
assert.Equal(t, "mychart", n)
|
|
})
|
|
t.Run("Test single-slashed name", func(t *testing.T) {
|
|
n := normalizeChartName("myorg/mychart")
|
|
assert.Equal(t, "mychart", n)
|
|
})
|
|
t.Run("Test chart name with suborg", func(t *testing.T) {
|
|
n := normalizeChartName("myorg/mysuborg/mychart")
|
|
assert.Equal(t, "mychart", n)
|
|
})
|
|
t.Run("Test double-slashed name", func(t *testing.T) {
|
|
n := normalizeChartName("myorg//mychart")
|
|
assert.Equal(t, "mychart", n)
|
|
})
|
|
t.Run("Test invalid chart name - ends with slash", func(t *testing.T) {
|
|
n := normalizeChartName("myorg/")
|
|
assert.Equal(t, "myorg/", n)
|
|
})
|
|
t.Run("Test invalid chart name - is dot", func(t *testing.T) {
|
|
n := normalizeChartName("myorg/.")
|
|
assert.Equal(t, "myorg/.", n)
|
|
})
|
|
t.Run("Test invalid chart name - is two dots", func(t *testing.T) {
|
|
n := normalizeChartName("myorg/..")
|
|
assert.Equal(t, "myorg/..", n)
|
|
})
|
|
}
|
|
|
|
func TestIsHelmOciRepo(t *testing.T) {
|
|
assert.True(t, IsHelmOciRepo("demo.goharbor.io"))
|
|
assert.True(t, IsHelmOciRepo("demo.goharbor.io:8080"))
|
|
assert.False(t, IsHelmOciRepo("https://demo.goharbor.io"))
|
|
assert.False(t, IsHelmOciRepo("https://demo.goharbor.io:8080"))
|
|
}
|
|
|
|
func TestGetIndexURL(t *testing.T) {
|
|
urlTemplate := `https://gitlab.com/projects/%s/packages/helm/stable`
|
|
t.Run("URL without escaped characters", func(t *testing.T) {
|
|
rawURL := fmt.Sprintf(urlTemplate, "232323982")
|
|
want := rawURL + "/index.yaml"
|
|
got, err := getIndexURL(rawURL)
|
|
assert.Equal(t, want, got)
|
|
require.NoError(t, err)
|
|
})
|
|
t.Run("URL with escaped characters", func(t *testing.T) {
|
|
rawURL := fmt.Sprintf(urlTemplate, "mygroup%2Fmyproject")
|
|
want := rawURL + "/index.yaml"
|
|
got, err := getIndexURL(rawURL)
|
|
assert.Equal(t, want, got)
|
|
require.NoError(t, err)
|
|
})
|
|
t.Run("URL with invalid escaped characters", func(t *testing.T) {
|
|
rawURL := fmt.Sprintf(urlTemplate, "mygroup%**myproject")
|
|
got, err := getIndexURL(rawURL)
|
|
assert.Equal(t, "", got)
|
|
require.Error(t, err)
|
|
})
|
|
}
|
|
|
|
func TestGetTagsFromUrl(t *testing.T) {
|
|
t.Run("should return tags correctly while following the link header", func(t *testing.T) {
|
|
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Logf("called %s", r.URL.Path)
|
|
responseTags := TagsList{}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
if !strings.Contains(r.URL.String(), "token") {
|
|
w.Header().Set("Link", fmt.Sprintf("<https://%s%s?token=next-token>; rel=next", r.Host, r.URL.Path))
|
|
responseTags.Tags = []string{"first"}
|
|
} else {
|
|
responseTags.Tags = []string{
|
|
"second",
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0_build",
|
|
"2.8.0-prerelease_build",
|
|
"2.8.0-prerelease.1_build.1234",
|
|
}
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
err := json.NewEncoder(w).Encode(responseTags)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}))
|
|
|
|
client := NewClient(server.URL, Creds{InsecureSkipVerify: true}, true, "", "")
|
|
|
|
tags, err := client.GetTags("mychart", true)
|
|
require.NoError(t, err)
|
|
assert.ElementsMatch(t, tags.Tags, []string{
|
|
"first",
|
|
"second",
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0+build",
|
|
"2.8.0-prerelease+build",
|
|
"2.8.0-prerelease.1+build.1234",
|
|
})
|
|
})
|
|
|
|
t.Run("should return an error not when oci is not enabled", func(t *testing.T) {
|
|
client := NewClient("example.com", Creds{}, false, "", "")
|
|
|
|
_, err := client.GetTags("my-chart", true)
|
|
assert.ErrorIs(t, OCINotEnabledErr, err)
|
|
})
|
|
}
|
|
|
|
func TestGetTagsFromURLPrivateRepoAuthentication(t *testing.T) {
|
|
username := "my-username"
|
|
password := "my-password"
|
|
expectedAuthorization := "Basic bXktdXNlcm5hbWU6bXktcGFzc3dvcmQ=" // base64(user:password)
|
|
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Logf("called %s", r.URL.Path)
|
|
|
|
authorization := r.Header.Get("Authorization")
|
|
|
|
if authorization == "" {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="helm repo to get tags"`)
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
assert.Equal(t, expectedAuthorization, authorization)
|
|
|
|
responseTags := TagsList{
|
|
Tags: []string{
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0_build",
|
|
"2.8.0-prerelease_build",
|
|
"2.8.0-prerelease.1_build.1234",
|
|
},
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
err := json.NewEncoder(w).Encode(responseTags)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}))
|
|
t.Cleanup(server.Close)
|
|
|
|
serverURL, err := url.Parse(server.URL)
|
|
require.NoError(t, err)
|
|
|
|
testCases := []struct {
|
|
name string
|
|
repoURL string
|
|
}{
|
|
{
|
|
name: "should login correctly when the repo path is in the server root with http scheme",
|
|
repoURL: server.URL,
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is not in the server root with http scheme",
|
|
repoURL: fmt.Sprintf("%s/my-repo", server.URL),
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is in the server root without http scheme",
|
|
repoURL: serverURL.Host,
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is not in the server root without http scheme",
|
|
repoURL: fmt.Sprintf("%s/my-repo", serverURL.Host),
|
|
},
|
|
}
|
|
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.name, func(t *testing.T) {
|
|
client := NewClient(testCase.repoURL, Creds{
|
|
InsecureSkipVerify: true,
|
|
Username: username,
|
|
Password: password,
|
|
}, true, "", "")
|
|
|
|
tags, err := client.GetTags("mychart", true)
|
|
|
|
require.NoError(t, err)
|
|
assert.ElementsMatch(t, tags.Tags, []string{
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0+build",
|
|
"2.8.0-prerelease+build",
|
|
"2.8.0-prerelease.1+build.1234",
|
|
})
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestGetTagsFromURLEnvironmentAuthentication(t *testing.T) {
|
|
bearerToken := "Zm9vOmJhcg=="
|
|
expectedAuthorization := "Basic " + bearerToken
|
|
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Logf("called %s", r.URL.Path)
|
|
|
|
authorization := r.Header.Get("Authorization")
|
|
if authorization == "" {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="helm repo to get tags"`)
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
assert.Equal(t, expectedAuthorization, authorization)
|
|
|
|
responseTags := TagsList{
|
|
Tags: []string{
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0_build",
|
|
"2.8.0-prerelease_build",
|
|
"2.8.0-prerelease.1_build.1234",
|
|
},
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
err := json.NewEncoder(w).Encode(responseTags)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}))
|
|
t.Cleanup(server.Close)
|
|
|
|
serverURL, err := url.Parse(server.URL)
|
|
require.NoError(t, err)
|
|
|
|
tempDir := t.TempDir()
|
|
configPath := filepath.Join(tempDir, "config.json")
|
|
t.Setenv("DOCKER_CONFIG", tempDir)
|
|
|
|
config := fmt.Sprintf(`{"auths":{"%s":{"auth":"%s"}}}`, server.URL, bearerToken)
|
|
require.NoError(t, os.WriteFile(configPath, []byte(config), 0o666))
|
|
|
|
testCases := []struct {
|
|
name string
|
|
repoURL string
|
|
}{
|
|
{
|
|
name: "should login correctly when the repo path is in the server root with http scheme",
|
|
repoURL: server.URL,
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is not in the server root with http scheme",
|
|
repoURL: fmt.Sprintf("%s/my-repo", server.URL),
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is in the server root without http scheme",
|
|
repoURL: serverURL.Host,
|
|
},
|
|
{
|
|
name: "should login correctly when the repo path is not in the server root without http scheme",
|
|
repoURL: fmt.Sprintf("%s/my-repo", serverURL.Host),
|
|
},
|
|
}
|
|
|
|
for _, testCase := range testCases {
|
|
t.Run(testCase.name, func(t *testing.T) {
|
|
client := NewClient(testCase.repoURL, Creds{
|
|
InsecureSkipVerify: true,
|
|
}, true, "", "")
|
|
|
|
tags, err := client.GetTags("mychart", true)
|
|
|
|
require.NoError(t, err)
|
|
assert.ElementsMatch(t, tags.Tags, []string{
|
|
"2.8.0",
|
|
"2.8.0-prerelease",
|
|
"2.8.0+build",
|
|
"2.8.0-prerelease+build",
|
|
"2.8.0-prerelease.1+build.1234",
|
|
})
|
|
})
|
|
}
|
|
}
|