ContainerImage.Pinniped/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go

// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package webhookcachefiller

import (
	"context"
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"testing"

	"github.com/stretchr/testify/require"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/tools/clientcmd"
	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"

	auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
	pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
	pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
	"go.pinniped.dev/internal/controller/authenticator/authncache"
	"go.pinniped.dev/internal/controllerlib"
	"go.pinniped.dev/internal/testutil"
	"go.pinniped.dev/internal/testutil/testlogger"
)

func TestController(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name             string
		syncKey          controllerlib.Key
		webhooks         []runtime.Object
		wantErr          string
		wantLogs         []string
		wantCacheEntries int
	}{
		{
			name:    "not found",
			syncKey: controllerlib.Key{Name: "test-name"},
			wantLogs: []string{
				`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
			},
		},
		{
			name:    "invalid webhook",
			syncKey: controllerlib.Key{Name: "test-name"},
			webhooks: []runtime.Object{
				&auth1alpha1.WebhookAuthenticator{
					ObjectMeta: metav1.ObjectMeta{
						Name: "test-name",
					},
					Spec: auth1alpha1.WebhookAuthenticatorSpec{
						Endpoint: "invalid url",
					},
				},
			},
			wantErr: `failed to build webhook config: parse "http://invalid url": invalid character " " in host name`,
		},
		{
			name:    "valid webhook",
			syncKey: controllerlib.Key{Name: "test-name"},
			webhooks: []runtime.Object{
				&auth1alpha1.WebhookAuthenticator{
					ObjectMeta: metav1.ObjectMeta{
						Name: "test-name",
					},
					Spec: auth1alpha1.WebhookAuthenticatorSpec{
						Endpoint: "https://example.com",
						TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},
					},
				},
			},
			wantLogs: []string{
				`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name"}`,
			},
			wantCacheEntries: 1,
		},
	}
	for _, tt := range tests {
		tt := tt
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			fakeClient := pinnipedfake.NewSimpleClientset(tt.webhooks...)
			informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)
			cache := authncache.New()
			testLog := testlogger.NewLegacy(t) //nolint: staticcheck  // old test with lots of log statements

			controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog.Logger)

			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()

			informers.Start(ctx.Done())
			controllerlib.TestRunSynchronously(t, controller)

			syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey}

			if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
				require.EqualError(t, err, tt.wantErr)
			} else {
				require.NoError(t, err)
			}
			require.Equal(t, tt.wantLogs, testLog.Lines())
			require.Equal(t, tt.wantCacheEntries, len(cache.Keys()))
		})
	}
}

func TestNewWebhookAuthenticator(t *testing.T) {
	t.Run("temp file failure", func(t *testing.T) {
		brokenTempFile := func(_ string, _ string) (*os.File, error) { return nil, fmt.Errorf("some temp file error") }
		res, err := newWebhookAuthenticator(nil, brokenTempFile, clientcmd.WriteToFile)
		require.Nil(t, res)
		require.EqualError(t, err, "unable to create temporary file: some temp file error")
	})

	t.Run("marshal failure", func(t *testing.T) {
		marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }
		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, ioutil.TempFile, marshalError)
		require.Nil(t, res)
		require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")
	})

	t.Run("invalid base64", func(t *testing.T) {
		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
			Endpoint: "https://example.com",
			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},
		}, ioutil.TempFile, clientcmd.WriteToFile)
		require.Nil(t, res)
		require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
	})

	t.Run("invalid pem data", func(t *testing.T) {
		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
			Endpoint: "https://example.com",
			TLS:      &auth1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("bad data"))},
		}, ioutil.TempFile, clientcmd.WriteToFile)
		require.Nil(t, res)
		require.EqualError(t, err, "invalid TLS configuration: certificateAuthorityData is not valid PEM: data does not contain any valid RSA or ECDSA certificates")
	})

	t.Run("valid config with no TLS spec", func(t *testing.T) {
		res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
			Endpoint: "https://example.com",
		}, ioutil.TempFile, clientcmd.WriteToFile)
		require.NotNil(t, res)
		require.NoError(t, err)
	})

	t.Run("success", func(t *testing.T) {
		caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
			body, err := ioutil.ReadAll(r.Body)
			require.NoError(t, err)
			require.Contains(t, string(body), "test-token")
			_, err = w.Write([]byte(`{}`))
			require.NoError(t, err)
		})
		spec := &auth1alpha1.WebhookAuthenticatorSpec{
			Endpoint: url,
			TLS: &auth1alpha1.TLSSpec{
				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),
			},
		}
		res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile)
		require.NoError(t, err)
		require.NotNil(t, res)

		resp, authenticated, err := res.AuthenticateToken(context.Background(), "test-token")
		require.NoError(t, err)
		require.Nil(t, resp)
		require.False(t, authenticated)
	})
}
Merge branch 'main' into upstream_access_revocation_during_gc 2022-01-14 18:49:22 +00:00			`// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.`
Save 2 lines by using inline-style comments for Copyright Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-16 14:19:51 +00:00			`// SPDX-License-Identifier: Apache-2.0`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00
			`package webhookcachefiller`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"fmt"`
			`"io/ioutil"`
			`"net/http"`
			`"os"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/runtime"`
			`"k8s.io/client-go/tools/clientcmd"`
			`clientcmdapi "k8s.io/client-go/tools/clientcmd/api"`

Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-16 19:00:08 +00:00			`auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"`
			`pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"`
			`pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`"go.pinniped.dev/internal/controller/authenticator/authncache"`
Add Go vanity import paths. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-18 19:56:24 +00:00			`"go.pinniped.dev/internal/controllerlib"`
			`"go.pinniped.dev/internal/testutil"`
			`"go.pinniped.dev/internal/testutil/testlogger"`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`)`

			`func TestController(t *testing.T) {`
			`t.Parallel()`

			`tests := []struct {`
			`name string`
			`syncKey controllerlib.Key`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`webhooks []runtime.Object`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`wantErr string`
			`wantLogs []string`
			`wantCacheEntries int`
			`}{`
			`{`
			`name: "not found",`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`syncKey: controllerlib.Key{Name: "test-name"},`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`wantLogs: []string{`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookAuthenticator does not exist yet or was deleted"`,
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
			`},`
			`{`
			`name: "invalid webhook",`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`syncKey: controllerlib.Key{Name: "test-name"},`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`webhooks: []runtime.Object{`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`&auth1alpha1.WebhookAuthenticator{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`ObjectMeta: metav1.ObjectMeta{`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`Name: "test-name",`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`Spec: auth1alpha1.WebhookAuthenticatorSpec{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`Endpoint: "invalid url",`
			`},`
			`},`
			`},`
			wantErr: `failed to build webhook config: parse "http://invalid url": invalid character " " in host name`,
			`},`
			`{`
			`name: "valid webhook",`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`syncKey: controllerlib.Key{Name: "test-name"},`
Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`webhooks: []runtime.Object{`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`&auth1alpha1.WebhookAuthenticator{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`ObjectMeta: metav1.ObjectMeta{`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`Name: "test-name",`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`Spec: auth1alpha1.WebhookAuthenticatorSpec{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`Endpoint: "https://example.com",`
Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:03:25 +00:00			`TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: ""},`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
			`},`
			`},`
			`wantLogs: []string{`
Declare war on namespaces Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 18:59:32 +00:00			`webhookcachefiller-controller "level"=0 "msg"="added new webhook authenticator" "endpoint"="https://example.com" "webhook"={"name":"test-name"}`,
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
			`wantCacheEntries: 1,`
			`},`
			`}`
			`for _, tt := range tests {`
			`tt := tt`
			`t.Run(tt.name, func(t *testing.T) {`
			`t.Parallel()`

Rename existing references to "IDP" and "Identity Provider". Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 19:02:21 +00:00			`fakeClient := pinnipedfake.NewSimpleClientset(tt.webhooks...)`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0)`
Revert server side token credential request API group changes Signed-off-by: Monis Khan <mok@vmware.com> 2021-02-09 20:51:35 +00:00			`cache := authncache.New()`
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-10 22:22:36 +00:00			`testLog := testlogger.NewLegacy(t) //nolint: staticcheck // old test with lots of log statements`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com> 2021-12-10 22:22:36 +00:00			`controller := New(cache, informers.Authentication().V1alpha1().WebhookAuthenticators(), testLog.Logger)`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00
All controller unit tests should not cancel context until test is over All controller unit tests were accidentally using a timeout context for the informers, instead of a cancel context which stays alive until each test is completely finished. There is no reason to risk unpredictable behavior of a timeout being reached during an individual test, even though with the previous 3 second timeout it could only be reached on a machine which is running orders of magnitude slower than usual, since each test usually runs in about 100-300 ms. Unfortunately, sometimes our CI workers might get that slow. This sparked a review of other usages of timeout contexts in other tests, and all of them were increased to a minimum value of 1 minute, under the rule of thumb that our tests will be more reliable on slow machines if they "pass fast and fail slow". 2021-03-05 01:25:43 +00:00			`ctx, cancel := context.WithCancel(context.Background())`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`defer cancel()`

			`informers.Start(ctx.Done())`
			`controllerlib.TestRunSynchronously(t, controller)`

			`syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey}`

			`if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {`
			`require.EqualError(t, err, tt.wantErr)`
			`} else {`
			`require.NoError(t, err)`
			`}`
			`require.Equal(t, tt.wantLogs, testLog.Lines())`
			`require.Equal(t, tt.wantCacheEntries, len(cache.Keys()))`
			`})`
			`}`
			`}`

			`func TestNewWebhookAuthenticator(t *testing.T) {`
			`t.Run("temp file failure", func(t *testing.T) {`
			`brokenTempFile := func(_ string, _ string) (*os.File, error) { return nil, fmt.Errorf("some temp file error") }`
			`res, err := newWebhookAuthenticator(nil, brokenTempFile, clientcmd.WriteToFile)`
			`require.Nil(t, res)`
			`require.EqualError(t, err, "unable to create temporary file: some temp file error")`
			`})`

			`t.Run("marshal failure", func(t *testing.T) {`
			`marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") }`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{}, ioutil.TempFile, marshalError)`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`require.Nil(t, res)`
			`require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error")`
			`})`

			`t.Run("invalid base64", func(t *testing.T) {`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`Endpoint: "https://example.com",`
Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:03:25 +00:00			`TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"},`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`}, ioutil.TempFile, clientcmd.WriteToFile)`
			`require.Nil(t, res)`
			`require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")`
			`})`

webhookcachefiller: be stricter about CA bundle validation Signed-off-by: Monis Khan <mok@vmware.com> 2021-04-28 17:49:42 +00:00			`t.Run("invalid pem data", func(t *testing.T) {`
			`res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{`
			`Endpoint: "https://example.com",`
			`TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("bad data"))},`
			`}, ioutil.TempFile, clientcmd.WriteToFile)`
			`require.Nil(t, res)`
Force the use of secure TLS config This change updates the TLS config used by all pinniped components. There are no configuration knobs associated with this change. Thus this change tightens our static defaults. There are four TLS config levels: 1. Secure (TLS 1.3 only) 2. Default (TLS 1.2+ best ciphers that are well supported) 3. Default LDAP (TLS 1.2+ with less good ciphers) 4. Legacy (currently unused, TLS 1.2+ with all non-broken ciphers) Highlights per component: 1. pinniped CLI - uses "secure" config against KAS - uses "default" for all other connections 2. concierge - uses "secure" config as an aggregated API server - uses "default" config as a impersonation proxy API server - uses "secure" config against KAS - uses "default" config for JWT authenticater (mostly, see code) - no changes to webhook authenticater (see code) 3. supervisor - uses "default" config as a server - uses "secure" config against KAS - uses "default" config against OIDC IDPs - uses "default LDAP" config against LDAP IDPs Signed-off-by: Monis Khan <mok@vmware.com> 2021-10-20 11:59:24 +00:00			`require.EqualError(t, err, "invalid TLS configuration: certificateAuthorityData is not valid PEM: data does not contain any valid RSA or ECDSA certificates")`
webhookcachefiller: be stricter about CA bundle validation Signed-off-by: Monis Khan <mok@vmware.com> 2021-04-28 17:49:42 +00:00			`})`

Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`t.Run("valid config with no TLS spec", func(t *testing.T) {`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`Endpoint: "https://example.com",`
			`}, ioutil.TempFile, clientcmd.WriteToFile)`
			`require.NotNil(t, res)`
			`require.NoError(t, err)`
			`})`

			`t.Run("success", func(t *testing.T) {`
			`caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {`
			`body, err := ioutil.ReadAll(r.Body)`
			`require.NoError(t, err)`
			`require.Contains(t, string(body), "test-token")`
			_, err = w.Write([]byte(`{}`))
			`require.NoError(t, err)`
			`})`
Rename WebhookIdentityProvider to WebhookAuthenticator. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:39:26 +00:00			`spec := &auth1alpha1.WebhookAuthenticatorSpec{`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`Endpoint: url,`
Rename `idp.concierge.pinniped.dev` to `authentication.concierge.pinniped.dev`. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 16:03:25 +00:00			`TLS: &auth1alpha1.TLSSpec{`
Fix base64 encoding style in webhookcachefiller. This was previously using the unpadded (raw) base64 encoder, which worked sometimes (if the CA happened to be a length that didn't require padding). The correct encoding is the `base64.StdEncoding` one that includes padding. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-15 18:54:19 +00:00			`CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(caBundle)),`
Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-09-14 15:41:36 +00:00			`},`
			`}`
			`res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile)`
			`require.NoError(t, err)`
			`require.NotNil(t, res)`

			`resp, authenticated, err := res.AuthenticateToken(context.Background(), "test-token")`
			`require.NoError(t, err)`
			`require.Nil(t, resp)`
			`require.False(t, authenticated)`
			`})`
			`}`