uranusjr commented on a change in pull request #18258: URL: https://github.com/apache/airflow/pull/18258#discussion_r708834881
########## File path: tests/security/test_kerberos.py ########## @@ -104,3 +105,255 @@ def test_args_from_cli(self): ) assert ctx.value.code == 1 + + +class TestKerberosUnit(unittest.TestCase): Review comment: Should we use a pytest setup instead? `pytest.mark.paramtrize`, `caplog`, and `pytest.raises` are easier to use than `parameterized`, `assertLogs`, and `assertRaises` IMO. But this is minor and I’m OK if you feel the current approach is more familiar etc. ########## File path: tests/security/test_kerberos.py ########## @@ -104,3 +105,255 @@ def test_args_from_cli(self): ) assert ctx.value.code == 1 + + +class TestKerberosUnit(unittest.TestCase): + @parameterized.expand( + [ + ( + {('kerberos', 'reinit_frequency'): '42'}, + [ + 'kinit', + '-f', + '-a', + '-r', + '42m', + '-k', + '-t', + 'keytab', + '-c', + '/tmp/airflow_krb5_ccache', + 'test-principal', + ], + ), + ( + {('kerberos', 'forwardable'): 'True', ('kerberos', 'include_ip'): 'True'}, + [ + 'kinit', + '-f', + '-a', + '-r', + '3600m', + '-k', + '-t', + 'keytab', + '-c', + '/tmp/airflow_krb5_ccache', + 'test-principal', + ], + ), + ( + {('kerberos', 'forwardable'): 'False', ('kerberos', 'include_ip'): 'False'}, + [ + 'kinit', + '-F', + '-A', + '-r', + '3600m', + '-k', + '-t', + 'keytab', + '-c', + '/tmp/airflow_krb5_ccache', + 'test-principal', + ], + ), + ] + ) + def test_renew_from_kt(self, kerberos_config, expected_cmd): + with self.assertLogs(kerberos.log) as log_ctx, conf_vars(kerberos_config), mock.patch( + 'airflow.security.kerberos.subprocess' + ) as mock_subprocess, mock.patch( + 'airflow.security.kerberos.NEED_KRB181_WORKAROUND', None + ), mock.patch( + 'airflow.security.kerberos.open', mock.mock_open(read_data=b'X-CACHECONF:') + ), mock.patch( + 'time.sleep', return_value=None + ): + mock_subprocess.Popen.return_value.__enter__.return_value.returncode = 0 + mock_subprocess.call.return_value = 0 + renew_from_kt(principal="test-principal", keytab="keytab") + + assert mock_subprocess.Popen.call_args[0][0] == expected_cmd + + expected_cmd_text = " ".join(shlex.quote(f) for f in expected_cmd) + assert log_ctx.output == [ + f'INFO:airflow.security.kerberos:Re-initialising kerberos from keytab: {expected_cmd_text}', + 'INFO:airflow.security.kerberos:Renewing kerberos ticket to work around kerberos 1.8.1: ' + 'kinit -c /tmp/airflow_krb5_ccache -R', + ] + + mock_subprocess.assert_has_calls( + [ + mock.call.Popen( + expected_cmd, + bufsize=-1, + close_fds=True, + stderr=mock_subprocess.PIPE, + stdout=mock_subprocess.PIPE, + universal_newlines=True, + ), + mock.call.Popen().__enter__(), + mock.call.Popen().__enter__().wait(), + mock.call.Popen().__exit__(None, None, None), + mock.call.call(['kinit', '-c', '/tmp/airflow_krb5_ccache', '-R'], close_fds=True), + ] + ) Review comment: `assert_has_calls` [is non-exhaustive](https://docs.python.org/3/library/unittest.mock.html#unittest.mock.Mock.assert_has_calls). Are we expecting `subprocess.Popen` to be called by anything else here? If not, we should use `assert mock_subprocess.mock_calls == [...]` isntead. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org