Refactor registry test code

oss-fuzz in coverage mode was broken due to duplicate symbols. Refactoring the registry test code and referencing it directly fixes it. Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
fluxcd · Feb 15, 2022 · b4aff4f · b4aff4f
1 parent 5ce2c41
commit b4aff4f
Show file tree

Hide file tree

Showing 7 changed files with 220 additions and 224 deletions.
diff --git a/controllers/policy_test.go b/controllers/policy_test.go
@@ -31,6 +31,7 @@ import (
 	aclapi "github.com/fluxcd/pkg/apis/acl"
 
 	imagev1 "github.com/fluxcd/image-reflector-controller/api/v1beta1"
+	"github.com/fluxcd/image-reflector-controller/internal/test"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -42,7 +43,7 @@ var _ = Describe("ImagePolicy controller", func() {
 	var registryServer *httptest.Server
 
 	BeforeEach(func() {
-		registryServer = newRegistryServer()
+		registryServer = test.NewRegistryServer()
 	})
 
 	AfterEach(func() {
@@ -61,7 +62,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		It("fails to reconcile an ImagePolicy with a cross-ns ref", func() {
 			// a bona fide image repo is needed so that it _would_ succeed if not for the disallowed cross-ns ref.
 			versions := []string{"1.0.1", "1.0.2", "1.1.0-alpha"}
-			imgRepo := loadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
+			imgRepo := test.LoadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
 
 			repo := imagev1.ImageRepository{
 				Spec: imagev1.ImageRepositorySpec{
@@ -119,7 +120,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		When("Using SemVerPolicy", func() {
 			It("calculates an image from a repository's tags", func() {
 				versions := []string{"0.1.0", "0.1.1", "0.2.0", "1.0.0", "1.0.1", "1.0.2", "1.1.0-alpha"}
-				imgRepo := loadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -184,7 +185,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		When("Using SemVerPolicy with invalid range", func() {
 			It("fails with invalid policy error", func() {
 				versions := []string{"0.1.0", "0.1.1", "0.2.0", "1.0.0", "1.0.1", "1.0.2", "1.1.0-alpha"}
-				imgRepo := loadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -250,7 +251,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		When("Usign AlphabeticalPolicy", func() {
 			It("calculates an image from a repository's tags", func() {
 				versions := []string{"xenial", "yakkety", "zesty", "artful", "bionic"}
-				imgRepo := loadImages(registryServer, "test-alphabetical-policy-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "test-alphabetical-policy-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -312,7 +313,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		When("valid regex supplied", func() {
 			It("correctly filters the repo tags", func() {
 				versions := []string{"test-0.1.0", "test-0.1.1", "dev-0.2.0", "1.0.0", "1.0.1", "1.0.2", "1.1.0-alpha"}
-				imgRepo := loadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
 						Interval: metav1.Duration{Duration: reconciliationInterval},
@@ -380,7 +381,7 @@ var _ = Describe("ImagePolicy controller", func() {
 		When("invalid regex supplied", func() {
 			It("fails to reconcile returning error", func() {
 				versions := []string{"test-0.1.0", "test-0.1.1", "dev-0.2.0", "1.0.0", "1.0.1", "1.0.2", "1.1.0-alpha"}
-				imgRepo := loadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "test-semver-policy-"+randStringRunes(5), versions)
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
 						Interval: metav1.Duration{Duration: reconciliationInterval},
@@ -455,7 +456,7 @@ var _ = Describe("ImagePolicy controller", func() {
 			It("grants access", func() {
 				versions := []string{"1.0.0", "1.0.1"}
 				imageName := "test-acl-" + randStringRunes(5)
-				imgRepo := loadImages(registryServer, imageName, versions)
+				imgRepo := test.LoadImages(registryServer, imageName, versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -514,7 +515,7 @@ var _ = Describe("ImagePolicy controller", func() {
 				Expect(pol.Status.LatestImage).To(Equal(imgRepo + ":1.0.1"))
 
 				// Updating the image should reconcile the cross-namespace policy
-				imgRepo = loadImages(registryServer, imageName, []string{"1.0.2"})
+				imgRepo = test.LoadImages(registryServer, imageName, []string{"1.0.2"})
 				Eventually(func() bool {
 					err := r.Get(ctx, imageObjectName, &repo)
 					return err == nil && repo.Status.LastScanResult.TagCount == len(versions)+1
@@ -542,7 +543,7 @@ var _ = Describe("ImagePolicy controller", func() {
 				defer k8sClient.Delete(context.Background(), policyNamespace)
 
 				versions := []string{"1.0.0", "1.0.1"}
-				imgRepo := loadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -615,7 +616,7 @@ var _ = Describe("ImagePolicy controller", func() {
 				defer k8sClient.Delete(context.Background(), policyNamespace)
 
 				versions := []string{"1.0.0", "1.0.1"}
-				imgRepo := loadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -698,7 +699,7 @@ var _ = Describe("ImagePolicy controller", func() {
 
 				versions := []string{"1.0.0", "1.0.1"}
 				imageName := "acl-image-" + randStringRunes(5)
-				imgRepo := loadImages(registryServer, imageName, versions)
+				imgRepo := test.LoadImages(registryServer, imageName, versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -771,7 +772,7 @@ var _ = Describe("ImagePolicy controller", func() {
 				Expect(pol.Status.LatestImage).To(Equal(imgRepo + ":1.0.1"))
 
 				// Updating the image should reconcile the cross-namespace policy
-				imgRepo = loadImages(registryServer, imageName, []string{"1.0.2"})
+				imgRepo = test.LoadImages(registryServer, imageName, []string{"1.0.2"})
 				Eventually(func() bool {
 					err := r.Get(ctx, repoObjectName, &repo)
 					return err == nil && repo.Status.LastScanResult.TagCount == len(versions)+1
@@ -799,7 +800,7 @@ var _ = Describe("ImagePolicy controller", func() {
 				defer k8sClient.Delete(context.Background(), policyNamespace)
 
 				versions := []string{"1.0.0", "1.0.1"}
-				imgRepo := loadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
+				imgRepo := test.LoadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{

diff --git a/controllers/registry_test.go b/controllers/registry_test.go
@@ -17,29 +17,25 @@ limitations under the License.
 package controllers
 
 import (
-	"encoding/base64"
-	"encoding/json"
-	"net/http"
 	"net/http/httptest"
-	"strings"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/registry"
-	"github.com/google/go-containerregistry/pkg/v1/random"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+
+	"github.com/fluxcd/image-reflector-controller/internal/test"
 )
 
 var _ = Context("Registry handler", func() {
 
 	It("serves a tag list", func() {
-		srv := newRegistryServer()
+		srv := test.NewRegistryServer()
 		defer srv.Close()
 
 		uploadedTags := []string{"tag1", "tag2"}
-		repoString := loadImages(srv, "testimage", uploadedTags)
+		repoString := test.LoadImages(srv, "testimage", uploadedTags)
 		repo, _ := name.NewRepository(repoString)
 
 		tags, err := remote.List(repo)
@@ -48,158 +44,6 @@ var _ = Context("Registry handler", func() {
 	})
 })
 
-// ---
-
-// pre-populated db of tags, so it's not necessary to upload images to
-// get results from remote.List.
-var convenientTags = map[string][]string{
-	"convenient": []string{
-		"tag1", "tag2",
-	},
-}
-
-// set up a local registry for testing scanning
-func newRegistryServer() *httptest.Server {
-	regHandler := registry.New()
-	srv := httptest.NewServer(&tagListHandler{
-		registryHandler: regHandler,
-		imagetags:       convenientTags,
-	})
-	return srv
-}
-
-func newAuthenticatedRegistryServer(username, pass string) *httptest.Server {
-	regHandler := registry.New()
-	regHandler = &tagListHandler{
-		registryHandler: regHandler,
-		imagetags:       convenientTags,
-	}
-	regHandler = &authHandler{
-		registryHandler: regHandler,
-		allowedUser:     username,
-		allowedPass:     pass,
-	}
-	srv := httptest.NewServer(regHandler)
-	return srv
-}
-
-// Get the registry part of an image from the registry server
-func registryName(srv *httptest.Server) string {
-	if strings.HasPrefix(srv.URL, "https://") {
-		return strings.TrimPrefix(srv.URL, "https://")
-	} // else assume HTTP
-	return strings.TrimPrefix(srv.URL, "http://")
-}
-
-// loadImages uploads images to the local registry, and returns the
-// image repo
-// name. https://github.com/google/go-containerregistry/blob/v0.1.1/pkg/registry/compatibility_test.go
-// has an example of loading a test registry with a random image.
-func loadImages(srv *httptest.Server, imageName string, versions []string, options ...remote.Option) string {
-	imgRepo := registryName(srv) + "/" + imageName
-	for _, tag := range versions {
-		imgRef, err := name.NewTag(imgRepo + ":" + tag)
-		Expect(err).ToNot(HaveOccurred())
-		img, err := random.Image(512, 1)
-		Expect(err).ToNot(HaveOccurred())
-		Expect(remote.Write(imgRef, img, options...)).To(Succeed())
-	}
-	return imgRepo
-}
-
-// the go-containerregistry test registry implementation does not
-// serve /myimage/tags/list. Until it does, I'm adding this handler.
-// NB:
-// - assumes repo name is a single element
-// - assumes no overwriting tags
-
-type tagListHandler struct {
-	registryHandler http.Handler
-	imagetags       map[string][]string
-}
-
-type tagListResult struct {
-	Name string   `json:"name"`
-	Tags []string `json:"tags"`
-}
-
-func (h *tagListHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// a tag list request has a path like: /v2/<repo>/tags/list
-	if withoutTagsList := strings.TrimSuffix(r.URL.Path, "/tags/list"); r.Method == "GET" && withoutTagsList != r.URL.Path {
-		repo := strings.TrimPrefix(withoutTagsList, "/v2/")
-		if tags, ok := h.imagetags[repo]; ok {
-			w.Header().Set("Content-Type", "application/json")
-			w.WriteHeader(http.StatusOK)
-			result := tagListResult{
-				Name: repo,
-				Tags: tags,
-			}
-			Expect(json.NewEncoder(w).Encode(result)).To(Succeed())
-			println("Requested tags", repo, strings.Join(tags, ", "))
-			return
-		}
-		w.WriteHeader(http.StatusNotFound)
-		return
-	}
-
-	// record the fact of a PUT to a tag; the path looks like: /v2/<repo>/manifests/<tag>
-	h.registryHandler.ServeHTTP(w, r)
-	if r.Method == "PUT" {
-		pathElements := strings.Split(r.URL.Path, "/")
-		if len(pathElements) == 5 && pathElements[1] == "v2" && pathElements[3] == "manifests" {
-			repo, tag := pathElements[2], pathElements[4]
-			println("Recording tag", repo, tag)
-			h.imagetags[repo] = append(h.imagetags[repo], tag)
-		}
-	}
-}
-
-// there's no authentication in go-containerregistry/pkg/registry;
-// this wrapper adds basic auth to a registry handler. NB: the
-// important thing is to be able to test that the credentials get from
-// the secret to the registry API library; it's assumed that the
-// registry API library does e.g., OAuth2 correctly.  See
-// https://tools.ietf.org/html/rfc7617 regarding basic authentication.
-
-type authHandler struct {
-	allowedUser, allowedPass string
-	registryHandler          http.Handler
-}
-
-// ServeHTTP serves a request which needs authentication.
-func (h *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	authHeader := r.Header.Get("Authorization")
-	if authHeader == "" {
-		w.Header().Add("WWW-Authenticate", `Basic realm="Registry"`)
-		w.WriteHeader(401)
-		return
-	}
-	if !strings.HasPrefix(authHeader, "Basic ") {
-		w.WriteHeader(403)
-		w.Write([]byte(`Authorization header does not being with "Basic "`))
-		return
-	}
-	namePass, err := base64.StdEncoding.DecodeString(authHeader[6:])
-	if err != nil {
-		w.WriteHeader(403)
-		w.Write([]byte(`Authorization header doesn't appear to be base64-encoded`))
-		return
-	}
-	namePassSlice := strings.SplitN(string(namePass), ":", 2)
-	if len(namePassSlice) != 2 {
-		w.WriteHeader(403)
-		w.Write([]byte(`Authorization header doesn't appear to be colon-separated value `))
-		w.Write(namePass)
-		return
-	}
-	if namePassSlice[0] != h.allowedUser || namePassSlice[1] != h.allowedPass {
-		w.WriteHeader(403)
-		w.Write([]byte(`Authorization failed: wrong username or password`))
-		return
-	}
-	h.registryHandler.ServeHTTP(w, r)
-}
-
 var _ = Context("Authentication handler", func() {
 
 	var registryServer *httptest.Server
@@ -208,22 +52,22 @@ var _ = Context("Authentication handler", func() {
 	BeforeEach(func() {
 		username = "user"
 		password = "password1"
-		registryServer = newAuthenticatedRegistryServer(username, password)
+		registryServer = test.NewAuthenticatedRegistryServer(username, password)
 	})
 
 	AfterEach(func() {
 		registryServer.Close()
 	})
 
 	It("rejects requests without authentication", func() {
-		repo, err := name.NewRepository(registryName(registryServer) + "/convenient")
+		repo, err := name.NewRepository(test.RegistryName(registryServer) + "/convenient")
 		Expect(err).ToNot(HaveOccurred())
 		_, err = remote.List(repo)
 		Expect(err).To(HaveOccurred())
 	})
 
 	It("accepts requests with correct authentication", func() {
-		repo, err := name.NewRepository(registryName(registryServer) + "/convenient")
+		repo, err := name.NewRepository(test.RegistryName(registryServer) + "/convenient")
 		Expect(err).ToNot(HaveOccurred())
 		auth := &authn.Basic{
 			Username: username,