ContainerImage.Pinniped/test/integration/supervisor_upstream_test.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"encoding/base64"
	"testing"

	"github.com/stretchr/testify/require"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
	"go.pinniped.dev/test/testlib"
)

func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
	env := testlib.IntegrationEnv(t)

	t.Run("invalid missing secret and bad issuer", func(t *testing.T) {
		t.Parallel()
		spec := v1alpha1.OIDCIdentityProviderSpec{
			Issuer: "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
			Client: v1alpha1.OIDCClient{
				SecretName: "does-not-exist",
			},
		}
		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
			{
				Type:    "ClientCredentialsValid",
				Status:  v1alpha1.ConditionFalse,
				Reason:  "SecretNotFound",
				Message: `secret "does-not-exist" not found`,
			},
			{
				Type:   "OIDCDiscoverySucceeded",
				Status: v1alpha1.ConditionFalse,
				Reason: "Unreachable",
				Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee":
Get "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration": dial tcp: address 444444: in [truncated 10 chars]`,
			},
		})
	})

	t.Run("invalid issuer with trailing slash", func(t *testing.T) {
		t.Parallel()
		spec := v1alpha1.OIDCIdentityProviderSpec{
			Issuer: env.SupervisorUpstreamOIDC.Issuer + "/",
			TLS: &v1alpha1.TLSSpec{
				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
			},
			AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
				AdditionalScopes: []string{"email", "profile"},
			},
			Client: v1alpha1.OIDCClient{
				SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
			},
		}
		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
			{
				Type:    "ClientCredentialsValid",
				Status:  v1alpha1.ConditionTrue,
				Reason:  "Success",
				Message: "loaded client credentials",
			},
			{
				Type:   "OIDCDiscoverySucceeded",
				Status: v1alpha1.ConditionFalse,
				Reason: "Unreachable",
				Message: `failed to perform OIDC discovery against "` + env.SupervisorUpstreamOIDC.Issuer + `/":
oidc: issuer did not match the issuer returned by provider, expected "` + env.SupervisorUpstreamOIDC.Issuer + `/" got "` + env.SupervisorUpstreamOIDC.Issuer + `"`,
			},
		})
	})

	t.Run("valid", func(t *testing.T) {
		t.Parallel()
		spec := v1alpha1.OIDCIdentityProviderSpec{
			Issuer: env.SupervisorUpstreamOIDC.Issuer,
			TLS: &v1alpha1.TLSSpec{
				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
			},
			AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
				AdditionalScopes: []string{"email", "profile"},
			},
			Client: v1alpha1.OIDCClient{
				SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
			},
		}
		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseReady)
		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
			{
				Type:    "ClientCredentialsValid",
				Status:  v1alpha1.ConditionTrue,
				Reason:  "Success",
				Message: "loaded client credentials",
			},
			{
				Type:    "OIDCDiscoverySucceeded",
				Status:  v1alpha1.ConditionTrue,
				Reason:  "Success",
				Message: "discovered issuer configuration",
			},
		})
	})
}

func expectUpstreamConditions(t *testing.T, upstream *v1alpha1.OIDCIdentityProvider, expected []v1alpha1.Condition) {
	t.Helper()
	normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions))
	for _, c := range upstream.Status.Conditions {
		c.ObservedGeneration = 0
		c.LastTransitionTime = metav1.Time{}
		normalized = append(normalized, c)
	}
	require.ElementsMatch(t, expected, normalized)
}
Changing references from 1.19 to 1.20 2021-01-07 22:58:09 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package integration`

			`import (`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`"encoding/base64"`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`"testing"`

			`"github.com/stretchr/testify/require"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-02-16 19:00:08 +00:00			`"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`"go.pinniped.dev/test/testlib"`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`)`

			`func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`env := testlib.IntegrationEnv(t)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00
			`t.Run("invalid missing secret and bad issuer", func(t *testing.T) {`
			`t.Parallel()`
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`spec := v1alpha1.OIDCIdentityProviderSpec{`
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com> 2021-09-29 13:26:29 +00:00			`Issuer: "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`Client: v1alpha1.OIDCClient{`
			`SecretName: "does-not-exist",`
			`},`
			`}`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`expectUpstreamConditions(t, upstream, []v1alpha1.Condition{`
			`{`
			`Type: "ClientCredentialsValid",`
			`Status: v1alpha1.ConditionFalse,`
			`Reason: "SecretNotFound",`
			Message: `secret "does-not-exist" not found`,
			`},`
			`{`
upstreamwatcher: preserve oidc discovery error Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-07 19:59:04 +00:00			`Type: "OIDCDiscoverySucceeded",`
			`Status: v1alpha1.ConditionFalse,`
			`Reason: "Unreachable",`
Do not truncate x509 errors Signed-off-by: Monis Khan <mok@vmware.com> 2021-09-29 13:26:29 +00:00			Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee":
			Get "https://127.0.0.1:444444/invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration": dial tcp: address 444444: in [truncated 10 chars]`,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`},`
			`})`
			`})`

upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-10 04:22:34 +00:00			`t.Run("invalid issuer with trailing slash", func(t *testing.T) {`
			`t.Parallel()`
			`spec := v1alpha1.OIDCIdentityProviderSpec{`
Merge branch 'main' into initial_ldap 2021-05-11 18:09:37 +00:00			`Issuer: env.SupervisorUpstreamOIDC.Issuer + "/",`
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-10 04:22:34 +00:00			`TLS: &v1alpha1.TLSSpec{`
Merge branch 'main' into initial_ldap 2021-05-11 18:09:37 +00:00			`CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),`
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-10 04:22:34 +00:00			`},`
			`AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{`
			`AdditionalScopes: []string{"email", "profile"},`
			`},`
			`Client: v1alpha1.OIDCClient{`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,`
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-10 04:22:34 +00:00			`},`
			`}`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)`
upstreamwatcher: do not truncate explicit oidc errors This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com> 2021-05-10 04:22:34 +00:00			`expectUpstreamConditions(t, upstream, []v1alpha1.Condition{`
			`{`
			`Type: "ClientCredentialsValid",`
			`Status: v1alpha1.ConditionTrue,`
			`Reason: "Success",`
			`Message: "loaded client credentials",`
			`},`
			`{`
			`Type: "OIDCDiscoverySucceeded",`
			`Status: v1alpha1.ConditionFalse,`
			`Reason: "Unreachable",`
Merge branch 'main' into initial_ldap 2021-05-11 18:09:37 +00:00			Message: `failed to perform OIDC discovery against "` + env.SupervisorUpstreamOIDC.Issuer + `/":
			oidc: issuer did not match the issuer returned by provider, expected "` + env.SupervisorUpstreamOIDC.Issuer + `/" got "` + env.SupervisorUpstreamOIDC.Issuer + `"`,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`},`
			`})`
			`})`

			`t.Run("valid", func(t *testing.T) {`
			`t.Parallel()`
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`spec := v1alpha1.OIDCIdentityProviderSpec{`
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-07 19:56:09 +00:00			`Issuer: env.SupervisorUpstreamOIDC.Issuer,`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`TLS: &v1alpha1.TLSSpec{`
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-07 19:56:09 +00:00			`CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`},`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{`
			`AdditionalScopes: []string{"email", "profile"},`
			`},`
			`Client: v1alpha1.OIDCClient{`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`SecretName: testlib.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`},`
			`}`
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com> 2021-06-22 15:23:19 +00:00			`upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseReady)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`expectUpstreamConditions(t, upstream, []v1alpha1.Condition{`
			`{`
			`Type: "ClientCredentialsValid",`
			`Status: v1alpha1.ConditionTrue,`
			`Reason: "Success",`
			`Message: "loaded client credentials",`
			`},`
			`{`
			`Type: "OIDCDiscoverySucceeded",`
			`Status: v1alpha1.ConditionTrue,`
			`Reason: "Success",`
			`Message: "discovered issuer configuration",`
			`},`
			`})`
			`})`
			`}`

Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`func expectUpstreamConditions(t testing.T, upstream v1alpha1.OIDCIdentityProvider, expected []v1alpha1.Condition) {`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`t.Helper()`
			`normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions))`
			`for _, c := range upstream.Status.Conditions {`
			`c.ObservedGeneration = 0`
			`c.LastTransitionTime = metav1.Time{}`
			`normalized = append(normalized, c)`
			`}`
			`require.ElementsMatch(t, expected, normalized)`
			`}`