Use context variable instead of instance variable for certs

cucumber.yml

@@ -150,11 +150,18 @@ authenticators_jwt: >
   -r cucumber/authenticators_oidc
   cucumber/authenticators_jwt
 
+authenticators_k8s: >
+  --tags "not @skip and @authenticators_k8s"
+  --format pretty
+  -r cucumber/_authenticators_common
+  cucumber/authenticators_k8s
+
+
 # NOTE: We have to require the needed files from "api" individually, because
 #       if you mass require the folder it includes "api"s env.rb, which screws
 #       things up because (I think) it sets ENV['CONJUR_ACCOUNT'].  Cucumber
 #       profiles need to be thought through better and refactored most likely.
-#       
+#
 rotators: >
   --tags 'not @manual and @rotators'
   --format pretty

cucumber/authenticators_k8s/features/http_proxy.feature

@@ -1,11 +1,11 @@
+@authenticators_k8s
 Feature: A permitted Conjur host can authenticate with a valid resource restrictions
   that is defined in the id and the kubernetes host can be reached through a
   http_proxy
 
-  #  This test executes an authentication against k8s through an http proxy
-  #  and is executed after standing up the
-  #  ci/test_suites/authenticators_k8s/dev/dev_conjur_http_proxy.template.yaml file in the k8s
-  #  environment to ensure the proxy and env variable are available
+  #  This test executes an authentication against k8s through an http proxy and is executed after
+  #  standing up the ci/test_suites/authenticators_k8s/dev/dev_conjur_http_proxy.template.yaml
+  #  file in the k8s environment to ensure the proxy and env variable are available
   @http_proxy
   Scenario: Authenticate as a Pod.
     Given I can login to pod matching "app=inventory-pod" to authn-k8s as "*/*"

cucumber/authenticators_k8s/features/sni.feature

@@ -1,3 +1,4 @@
+@authenticators_k8s
 Feature: A permitted Conjur host can authenticate with a valid resource restrictions
   that is defined in the id and the kubernetes host has a corresponding SSL certificate
 

cucumber/authenticators_k8s/features/step_definitions/authenticate_steps.rb

@@ -41,11 +41,12 @@ def authenticate_k8s(host, cert, key, conjur_id)
 
   cert = nil
   unless nocertkey
-    expect(@cert.to_s).not_to be_empty, "ERROR: Certificate fetched was empty or nil but was expected to be present!"
-    cert = OpenSSL::X509::Certificate.new(@cert)
+    cert = @scenario_context.get(:cert)
+    expect(cert.to_s).not_to be_empty, "ERROR: Certificate fetched was empty or nil but was expected to be present!"
+    cert = OpenSSL::X509::Certificate.new(cert)
   end
 
-  key = nocertkey ? nil : @pkey
+  key = nocertkey ? nil : @scenario_context.get(:pkey)
 
   begin
     response = authenticate_k8s(authn_k8s_host, cert, key, conjur_id)
@@ -69,8 +70,8 @@ def authenticate_k8s(host, cert, key, conjur_id)
     conjur_id = "#{hostid_prefix}/#{hostid_suffix}"
   end
 
-  cert = nocertkey ? nil : OpenSSL::X509::Certificate.new(@cert)
-  key = nocertkey ? nil : @pkey
+  cert = nocertkey ? nil : OpenSSL::X509::Certificate.new(@scenario_context.get(:cert))
+  key = nocertkey ? nil : @scenario_context.get(:pkey) #@pkey
 
   begin
     response = authenticate_k8s(authn_k8s_host, cert, key, conjur_id)

cucumber/authenticators_k8s/features/step_definitions/login_steps.rb

@@ -12,9 +12,9 @@ def login username, request_ip, authn_k8s_host, pkey, headers = {}
       headers: headers
     )["inject_client_cert?request_ip=#{request_ip}"].post(csr.to_pem)
 
-  @cert = pod_certificate
+  @scenario_context.set(:cert, pod_certificate) # @cert = pod_certificate
 
-  if @cert.to_s.empty?
+  if @scenario_context.get(:cert).to_s.empty?
     puts("WARN: Certificate is empty!")
     warn("WARN: Certificate is empty!")
   end
@@ -36,16 +36,16 @@ def login_with_custom_prefix request_ip, host_id_suffix, host_id_prefix, success
 
 def login_with_username request_ip, username, success, headers = {}
   begin
-    @pkey = OpenSSL::PKey::RSA.new(2048)
-    response = login(username, request_ip, authn_k8s_host, @pkey, headers)
+    @scenario_context.set(:pkey, OpenSSL::PKey::RSA.new(2048))
+    response = login(username, request_ip, authn_k8s_host, @scenario_context.get(:pkey), headers)
     expect(response.code).to be(202)
   rescue
     raise if success
 
     @error = $!
   end
-
-  expect(@cert).to include("BEGIN CERTIFICATE") unless @cert.to_s.empty?
+  cert =  @scenario_context.get(:cert)
+  expect(cert).to include("BEGIN CERTIFICATE") unless cert.to_s.empty?
 end
 
 Then(/^I( can)? login to pod matching "([^"]*)" to authn-k8s as "([^"]*)"(?: with prefix "([^"]*)")?$/) do |success, objectid, host_id_suffix, host_id_prefix|
@@ -96,12 +96,12 @@ def login_with_username request_ip, username, success, headers = {}
 end
 
 When(/^the certificate subject name is "([^"]*)"$/) do |subject_name|
-  certificate = OpenSSL::X509::Certificate.new(@cert)
+  certificate = OpenSSL::X509::Certificate.new(@scenario_context.get(:cert))
   expect(certificate.subject.to_s).to eq(substitute!(subject_name))
 end
 
 When(/^the certificate is valid for 3 days$/) do ||
-  certificate = OpenSSL::X509::Certificate.new(@cert)
+  certificate = OpenSSL::X509::Certificate.new(@scenario_context.get(:cert))
   expect(certificate.not_after - certificate.not_before).to eq(3 * 24 * 60 * 60)
 end
 

cucumber/authenticators_k8s/features/support/hooks.rb

@@ -38,4 +38,13 @@
       )
     end
   end
+
+  # Create a new Scenario Context to use for sharing
+  # data between scenario steps.
+  @scenario_context = Utilities::ScenarioContext.new
+end
+
+After do
+  # Reset scenario context
+  @scenario_context.reset!
 end