diff --git a/test/e2e/argo_server_test.go b/test/e2e/argo_server_test.go index 9b8ea119e4e9..9b45d976e0ef 100644 --- a/test/e2e/argo_server_test.go +++ b/test/e2e/argo_server_test.go @@ -33,6 +33,7 @@ const baseUrl = "http://localhost:2746" // testing behaviour really is a non-goal type ArgoServerSuite struct { fixtures.E2ESuite + username string bearerToken string } @@ -54,7 +55,9 @@ func (s *ArgoServerSuite) e() *httpexpect.Expect { Client: httpClient, }). Builder(func(req *httpexpect.Request) { - if s.bearerToken != "" { + if s.username != "" { + req.WithBasicAuth(s.username, "garbage") + } else if s.bearerToken != "" { req.WithHeader("Authorization", "Bearer "+s.bearerToken) } }) @@ -319,14 +322,21 @@ func (s *ArgoServerSuite) TestOauth() { } func (s *ArgoServerSuite) TestUnauthorized() { - s.T().Skip("K3S RBAC appears to be broken: https://github.com/k3s-io/k3s/issues/3756") - token := s.bearerToken - defer func() { s.bearerToken = token }() - s.bearerToken = "test-token" - s.e().GET("/api/v1/workflows/argo"). - Expect(). - Status(401) + s.T().Run("Bearer", func(t *testing.T) { + s.bearerToken = "test-token" + defer func() { s.bearerToken = token }() + s.e().GET("/api/v1/workflows/argo"). + Expect(). + Status(401) + }) + s.T().Run("Basic", func(t *testing.T) { + s.username = "garbage" + defer func() { s.username = "" }() + s.e().GET("/api/v1/workflows/argo"). + Expect(). + Status(401) + }) } func (s *ArgoServerSuite) TestCookieAuth() { @@ -340,8 +350,6 @@ func (s *ArgoServerSuite) TestCookieAuth() { } func (s *ArgoServerSuite) TestPermission() { - s.T().Skip("K3S RBAC appears to be broken: https://github.com/k3s-io/k3s/issues/3756") - nsName := fixtures.Namespace // Create good serviceaccount goodSaName := "argotestgood" diff --git a/util/kubeconfig/kubeconfig.go b/util/kubeconfig/kubeconfig.go index e63ba30ce809..4d253809a9df 100644 --- a/util/kubeconfig/kubeconfig.go +++ b/util/kubeconfig/kubeconfig.go @@ -57,12 +57,10 @@ func GetRestConfig(token string) (*restclient.Config, error) { // convert a basic token (username, password) into a REST config func GetBasicRestConfig(username, password string) (*restclient.Config, error) { - restConfig, err := DefaultRestConfig() + restConfig, err := restConfigWithoutAuth() if err != nil { return nil, err } - restConfig.BearerToken = "" - restConfig.BearerTokenFile = "" restConfig.Username = username restConfig.Password = password return restConfig, nil @@ -70,20 +68,52 @@ func GetBasicRestConfig(username, password string) (*restclient.Config, error) { // convert a bearer token into a REST config func GetBearerRestConfig(token string) (*restclient.Config, error) { - restConfig, err := DefaultRestConfig() + restConfig, err := restConfigWithoutAuth() if err != nil { return nil, err } - restConfig.BearerToken = "" - restConfig.BearerTokenFile = "" - restConfig.Username = "" - restConfig.Password = "" - if token != "" { - restConfig.BearerToken = token - } + restConfig.BearerToken = token return restConfig, nil } +// populate everything except +// - username +// - password +// - bearerToken +// - client private key +func restConfigWithoutAuth() (*restclient.Config, error) { + c, err := DefaultRestConfig() + if err != nil { + return nil, err + } + t := c.TLSClientConfig + return &restclient.Config{ + Host: c.Host, + APIPath: c.APIPath, + ContentConfig: c.ContentConfig, + TLSClientConfig: restclient.TLSClientConfig{ + Insecure: t.Insecure, + ServerName: t.ServerName, + CertFile: t.CertFile, + CAFile: t.CAFile, + CertData: t.CertData, + CAData: t.CAData, + NextProtos: c.NextProtos, + }, + UserAgent: c.UserAgent, + DisableCompression: c.DisableCompression, + Transport: c.Transport, + WrapTransport: c.WrapTransport, + QPS: c.QPS, + Burst: c.Burst, + RateLimiter: c.RateLimiter, + WarningHandler: c.WarningHandler, + Timeout: c.Timeout, + Dial: c.Dial, + Proxy: c.Proxy, + }, nil +} + // Return the AuthString include Auth type(Basic or Bearer) func GetAuthString(in *restclient.Config, explicitKubeConfigPath string) (string, error) { // Checking Basic Auth