
Commit 9cc7276

mrkdengYiyuanzzz
authored and committed
add negative integration tests for gmsa on Linux
1 parent 8987260 commit 9cc7276


1 file changed

+153
-0
lines changed


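--- a/agent/engine/engine_sudo_linux_integ_test.go
+++ b/agent/engine/engine_sudo_linux_integ_test.go
@@ -941,6 +941,159 @@ func TestGMSADomainlessTaskFile(t *testing.T) {
 verifyTaskIsStopped(stateChangeEvents, testTask)
 }
 
+func TestGMSATaskFileS3Err(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:arn:aws:::s3:testbucket/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err := verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+assert.Error(t, err, "Task went straight to STOPPED without running, task: testGMSAFileTaskARN")
+}
+
+func TestGMSATaskFileSSMErr(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:aws:arn:ssm:us-west-2:123456789012:document/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err := verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+assert.Error(t, err, "Task went straight to STOPPED without running, task: testGMSAFileTaskARN")
+}
+
+func TestGMSANotRunningErr(t *testing.T) {
+t.Setenv("ECS_GMSA_SUPPORTED", "True")
+t.Setenv("ZZZ_SKIP_DOMAIN_JOIN_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "True")
+t.Setenv("ZZZ_SKIP_CREDENTIALS_FETCHER_INVOCATION_CHECK_NOT_SUPPORTED_IN_PRODUCTION", "False")
+
+cfg := defaultTestConfigIntegTest()
+cfg.TaskCPUMemLimit.Value = config.ExplicitlyDisabled
+cfg.TaskCleanupWaitDuration = 3 * time.Second
+cfg.GMSACapable = config.BooleanDefaultFalse{Value: config.ExplicitlyEnabled}
+cfg.AWSRegion = "us-west-2"
+
+taskEngine, done, _ := setupGMSALinux(cfg, nil, t)
+defer done()
+
+stateChangeEvents := taskEngine.StateChangeEvents()
+
+// Setup test gmsa file
+credentialSpecDataDir := "/tmp"
+testFileName := "test-gmsa.json"
+testCredSpecFilePath := filepath.Join(credentialSpecDataDir, testFileName)
+_, err := os.Create(testCredSpecFilePath)
+require.NoError(t, err)
+
+// add local credentialspec file
+testCredSpecData := []byte(`{
+"CmsPlugins": [
+"ActiveDirectory"
+],
+"DomainJoinConfig": {
+"Sid": "S-1-5-21-975084816-3050680612-2826754290",
+"MachineAccountName": "gmsa-acct-test",
+"Guid": "92a07e28-bd9f-4bf3-b1f7-0894815a5257",
+"DnsTreeName": "gmsa.test.com",
+"DnsName": "gmsa.test.com",
+"NetBiosName": "gmsa"
+},
+"ActiveDirectoryConfig": {
+"GroupManagedServiceAccounts": [
+{
+"Name": "gmsa-acct-test",
+"Scope": "gmsa.test.com"
+}
+]
+}
+}`)
+
+err = ioutil.WriteFile(testCredSpecFilePath, testCredSpecData, 0755)
+require.NoError(t, err)
+
+testContainer := createTestContainer()
+testContainer.Name = "testGMSATaskFile"
+
+hostConfig := "{\"SecurityOpt\": [\"credentialspec:file:///tmp/test-gmsa.json\"]}"
+testContainer.DockerConfig.HostConfig = &hostConfig
+
+testTask := &apitask.Task{
+Arn: "testGMSAFileTaskARN",
+Family: "family",
+Version: "1",
+DesiredStatusUnsafe: apitaskstatus.TaskRunning,
+Containers: []*apicontainer.Container{testContainer},
+}
+testTask.Containers[0].TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+testTask.ResourcesMapUnsafe = make(map[string][]taskresource.TaskResource)
+testTask.Containers[0].Command = getLongRunningCommand()
+
+go taskEngine.AddTask(testTask)
+
+err = verifyTaskIsRunning(stateChangeEvents, testTask)
+assert.Error(t, err)
+assert.Error(t, err, "Task went straight to STOPPED without running, task: testGMSAFileTaskARN")
+}
+
 func verifyContainerBindMount(client *sdkClient.Client, id, expectedBind string) error {
 dockerContainer, err := client.ContainerInspect(context.TODO(), id)
 if err != nil {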
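Review bot: The second `assert.Error(t, err, "Task went straight to STOPPED without running, task: testGMSAFileTaskARN")` in each of the three new tests never compares the error text — in testify that third argument is only the message printed on failure — so the negative tests accept any error, including an engine or Docker setup failure unrelated to the credentialspec; replace both asserts with `assert.ErrorContains(t, err, "Task went straight to STOPPED without running")` so the test pins the intended failure. In TestGMSANotRunningErr the `*os.File` returned by `os.Create(testCredSpecFilePath)` is discarded and never closed, and the call is redundant because the following `ioutil.WriteFile` (deprecated since Go 1.16; `os.WriteFile`) creates the file anyway; the spec is also written with mode 0755 to a fixed, never-removed path under the world-writable `/tmp`, so parallel or repeated runs share and clobber it — writing it under `t.TempDir()` with 0644 and deriving the `file://` URI from that path keeps the test isolated and the file non-executable. The S3 and SSM references (`arn:aws:::s3:testbucket/…`, `aws:arn:ssm:…`) do not follow the `arn:partition:service:region:account:resource` layout; if the malformed ARN is the intended failure cause, a comment on each `hostConfig` line should say so, otherwise these tests may be exercising ARN parsing rather than the S3/SSM fetch path they are named for.
```go
func TestGMSANotRunningErr(t *testing.T) {
	// … unchanged: env setup, cfg, setupGMSALinux, stateChangeEvents …

	// Write the credentialspec into a per-test directory that the test
	// framework removes; no exec bit is needed on a JSON file.
	credentialSpecDataDir := t.TempDir()
	testFileName := "test-gmsa.json"
	testCredSpecFilePath := filepath.Join(credentialSpecDataDir, testFileName)

	// … unchanged: testCredSpecData literal …

	err := os.WriteFile(testCredSpecFilePath, testCredSpecData, 0644)
	require.NoError(t, err)

	testContainer := createTestContainer()
	testContainer.Name = "testGMSATaskFile"

	hostConfig := "{\"SecurityOpt\": [\"credentialspec:file://" + testCredSpecFilePath + "\"]}"
	testContainer.DockerConfig.HostConfig = &hostConfig

	// … unchanged: testTask construction and AddTask …

	err = verifyTaskIsRunning(stateChangeEvents, testTask)
	assert.ErrorContains(t, err, "Task went straight to STOPPED without running")
```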
