uranusjr commented on a change in pull request #18258:
URL: https://github.com/apache/airflow/pull/18258#discussion_r708834881
##########
File path: tests/security/test_kerberos.py
##########
@@ -104,3 +105,255 @@ def test_args_from_cli(self):
)
assert ctx.value.code == 1
+
+
+class TestKerberosUnit(unittest.TestCase):
Review comment:
Should we use a pytest setup instead? `pytest.mark.paramtrize`,
`caplog`, and `pytest.raises` are easier to use than `parameterized`,
`assertLogs`, and `assertRaises` IMO. But this is minor and I’m OK if you feel
the current approach is more familiar etc.
##########
File path: tests/security/test_kerberos.py
##########
@@ -104,3 +105,255 @@ def test_args_from_cli(self):
)
assert ctx.value.code == 1
+
+
+class TestKerberosUnit(unittest.TestCase):
+ @parameterized.expand(
+ [
+ (
+ {('kerberos', 'reinit_frequency'): '42'},
+ [
+ 'kinit',
+ '-f',
+ '-a',
+ '-r',
+ '42m',
+ '-k',
+ '-t',
+ 'keytab',
+ '-c',
+ '/tmp/airflow_krb5_ccache',
+ 'test-principal',
+ ],
+ ),
+ (
+ {('kerberos', 'forwardable'): 'True', ('kerberos',
'include_ip'): 'True'},
+ [
+ 'kinit',
+ '-f',
+ '-a',
+ '-r',
+ '3600m',
+ '-k',
+ '-t',
+ 'keytab',
+ '-c',
+ '/tmp/airflow_krb5_ccache',
+ 'test-principal',
+ ],
+ ),
+ (
+ {('kerberos', 'forwardable'): 'False', ('kerberos',
'include_ip'): 'False'},
+ [
+ 'kinit',
+ '-F',
+ '-A',
+ '-r',
+ '3600m',
+ '-k',
+ '-t',
+ 'keytab',
+ '-c',
+ '/tmp/airflow_krb5_ccache',
+ 'test-principal',
+ ],
+ ),
+ ]
+ )
+ def test_renew_from_kt(self, kerberos_config, expected_cmd):
+ with self.assertLogs(kerberos.log) as log_ctx,
conf_vars(kerberos_config), mock.patch(
+ 'airflow.security.kerberos.subprocess'
+ ) as mock_subprocess, mock.patch(
+ 'airflow.security.kerberos.NEED_KRB181_WORKAROUND', None
+ ), mock.patch(
+ 'airflow.security.kerberos.open',
mock.mock_open(read_data=b'X-CACHECONF:')
+ ), mock.patch(
+ 'time.sleep', return_value=None
+ ):
+
mock_subprocess.Popen.return_value.__enter__.return_value.returncode = 0
+ mock_subprocess.call.return_value = 0
+ renew_from_kt(principal="test-principal", keytab="keytab")
+
+ assert mock_subprocess.Popen.call_args[0][0] == expected_cmd
+
+ expected_cmd_text = " ".join(shlex.quote(f) for f in expected_cmd)
+ assert log_ctx.output == [
+ f'INFO:airflow.security.kerberos:Re-initialising kerberos from
keytab: {expected_cmd_text}',
+ 'INFO:airflow.security.kerberos:Renewing kerberos ticket to work
around kerberos 1.8.1: '
+ 'kinit -c /tmp/airflow_krb5_ccache -R',
+ ]
+
+ mock_subprocess.assert_has_calls(
+ [
+ mock.call.Popen(
+ expected_cmd,
+ bufsize=-1,
+ close_fds=True,
+ stderr=mock_subprocess.PIPE,
+ stdout=mock_subprocess.PIPE,
+ universal_newlines=True,
+ ),
+ mock.call.Popen().__enter__(),
+ mock.call.Popen().__enter__().wait(),
+ mock.call.Popen().__exit__(None, None, None),
+ mock.call.call(['kinit', '-c', '/tmp/airflow_krb5_ccache',
'-R'], close_fds=True),
+ ]
+ )
Review comment:
`assert_has_calls` [is
non-exhaustive](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.Mock.assert_has_calls).
Are we expecting `subprocess.Popen` to be called by anything else here? If
not, we should use `assert mock_subprocess.mock_calls == [...]` isntead.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
