djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/test/integration/supervisor_discovery_test.go

588 lines
26 KiB
Go
Raw Normal View History

supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration
import (
"context"
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
"crypto/tls"
"crypto/x509"
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
"crypto/x509/pkix"
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
"encoding/json"
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
"fmt"
"io/ioutil"
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
"net"
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
"net/http"
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
"net/url"
"strings"
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
"testing"
"time"
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
"github.com/stretchr/testify/assert"
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
"github.com/stretchr/testify/require"
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
corev1 "k8s.io/api/core/v1"
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
"k8s.io/client-go/kubernetes"
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
"go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
"go.pinniped.dev/internal/certauthority"
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
"go.pinniped.dev/internal/here"
"go.pinniped.dev/test/library"
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
env := library.IntegrationEnv(t)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
pinnipedClient := library.NewPinnipedClientset(t)
kubeClient := library.NewClientset(t)
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
ns := env.SupervisorNamespace
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
defer cancel()
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, pinnipedClient)
scheme := "https"
address := env.SupervisorHTTPSAddress // hostname and port for direct access to the supervisor's port 443
hostname1 := strings.Split(address, ":")[0]
issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
sniCertificateSecretName1 := "integration-test-sni-cert-1"
// Create an OIDCProviderConfig with an sniCertificateSecretName.
oidcProviderConfig1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1)
requireStatus(t, pinnipedClient, oidcProviderConfig1.Namespace, oidcProviderConfig1.Name, v1alpha1.SuccessOIDCProviderStatus)
// The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
// Create the Secret.
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
// Update the config to take away the sniCertificateSecretName.
sniCertificateSecretName1update := "integration-test-sni-cert-1-update"
oidcProviderConfig1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, oidcProviderConfig1.Name, metav1.GetOptions{})
require.NoError(t, err)
oidcProviderConfig1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update
_, err = pinnipedClient.ConfigV1alpha1().OIDCProviderConfigs(ns).Update(ctx, oidcProviderConfig1LatestVersion, metav1.UpdateOptions{})
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
require.NoError(t, err)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// The the endpoints should fail with TLS errors again.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 14:53:05 +00:00
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// Create a Secret at the updated name.
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
// To test SNI virtual hosting, send requests to discovery endpoints when the public address is different from the issuer name.
hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
hostnamePort2 := "2684"
issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
sniCertificateSecretName2 := "integration-test-sni-cert-2"
// Create an OIDCProviderConfig with an sniCertificateSecretName.
oidcProviderConfig2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2)
requireStatus(t, pinnipedClient, oidcProviderConfig2.Namespace, oidcProviderConfig2.Name, v1alpha1.SuccessOIDCProviderStatus)
// Create the Secret.
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
hostname2 + ":" + hostnamePort2: address,
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
})
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
}
Test SNI & default certs being used at the same time in integration test
2020-10-28 15:58:50 +00:00
func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
env := library.IntegrationEnv(t)
pinnipedClient := library.NewPinnipedClientset(t)
kubeClient := library.NewClientset(t)
ns := env.SupervisorNamespace
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, pinnipedClient)
scheme := "https"
address := env.SupervisorHTTPSAddress // hostname and port for direct access to the supervisor's port 443
hostAndPortSegments := strings.Split(address, ":")
hostname := hostAndPortSegments[0]
port := "443"
if len(hostAndPortSegments) > 1 {
port = hostAndPortSegments[1]
}
ips, err := net.DefaultResolver.LookupIP(ctx, "ip4", hostname)
require.NoError(t, err)
ip := ips[0]
ipAsString := ip.String()
ipWithPort := ipAsString + ":" + port
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
// Create an OIDCProviderConfig without an sniCertificateSecretName.
oidcProviderConfig1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
requireStatus(t, pinnipedClient, oidcProviderConfig1.Namespace, oidcProviderConfig1.Name, v1alpha1.SuccessOIDCProviderStatus)
// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors.
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
// Create a Secret at the special name which represents the default TLS cert.
Configure name of the supervisor default TLS cert secret via ConfigMap Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-28 18:56:50 +00:00
specialNameForDefaultTLSCertSecret := "pinniped-supervisor-default-tls-certificate" //nolint:gosec // this is not a hardcoded credential
Test SNI & default certs being used at the same time in integration test
2020-10-28 15:58:50 +00:00
defaultCA := createTLSCertificateSecret(ctx, t, ns, "cert-hostname-doesnt-matter", []net.IP{ip}, specialNameForDefaultTLSCertSecret, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
// Create an OIDCProviderConfig with an sniCertificateSecretName.
sniCertificateSecretName := "integration-test-sni-cert-1"
oidcProviderConfig2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName)
requireStatus(t, pinnipedClient, oidcProviderConfig2.Namespace, oidcProviderConfig2.Name, v1alpha1.SuccessOIDCProviderStatus)
// Create the Secret.
sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient)
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(sniCA.Bundle()), issuerUsingHostname, nil)
// And we can still access the other issuer using the default cert.
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func TestSupervisorOIDCDiscovery(t *testing.T) {
env := library.IntegrationEnv(t)
client := library.NewPinnipedClientset(t)
ns := env.SupervisorNamespace
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, client)
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
tests := []struct {
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
Scheme string
Address string
CABundle string
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
}{
{Scheme: "http", Address: env.SupervisorHTTPAddress},
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
{Scheme: "https", Address: env.SupervisorHTTPSIngressAddress, CABundle: env.SupervisorHTTPSIngressCABundle},
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
}
for _, test := range tests {
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
scheme := test.Scheme
addr := test.Address
caBundle := test.CABundle
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
if addr == "" {
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// Both cases are not required, so when one is empty skip it.
continue
}
// Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, fmt.Sprintf("%s://%s", scheme, addr))
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// Define several unique issuer strings.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", scheme, addr)
issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", scheme, addr)
issuer3 := fmt.Sprintf("%s://%s/issuer3", scheme, addr)
issuer4 := fmt.Sprintf("%s://%s/issuer4", scheme, addr)
issuer5 := fmt.Sprintf("%s://%s/issuer5", scheme, addr)
issuer6 := fmt.Sprintf("%s://%s/issuer6", scheme, addr)
badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", scheme, addr)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer1, client)
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, scheme, addr, caBundle, issuer1)
config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer2, client)
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, scheme, addr, caBundle, issuer2)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// The auto-created JWK's were different from each other.
require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"])
require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"])
// When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer3, client)
config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer4, client)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer3, nil) // discovery for issuer3 is still working after issuer4 started working
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// The auto-created JWK's were different from each other.
require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"])
require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"])
// Editing a provider to change the issuer name updates the endpoints that are being served.
updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5)
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer4)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
jwks5 := requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer5, nil)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// The JWK did not change when the issuer name was updated.
require.Equal(t, jwks4.Keys[0], jwks5.Keys[0])
// When they are deleted they stop serving discovery endpoints.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, scheme, addr, caBundle, issuer3)
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, scheme, addr, caBundle, issuer5)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer6, client)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6, "")
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus)
requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus)
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer6)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// If we delete the first duplicate issuer, the second duplicate issuer starts serving.
requireDelete(t, client, ns, config6Duplicate1.Name)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
requireWellKnownEndpointIsWorking(t, scheme, addr, caBundle, issuer6, nil)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus)
// When we finally delete all issuers, the endpoint should be down.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, scheme, addr, caBundle, issuer6)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", scheme)
config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer7, client)
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, scheme, addr, caBundle, issuer7)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
// When we create a provider with an invalid issuer, the status is set to invalid.
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer, "")
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus)
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, badIssuer)
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, scheme, addr, caBundle, badIssuer)
Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet
2020-10-20 22:57:10 +00:00
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, hostname string, ips []net.IP, secretName string, kubeClient kubernetes.Interface) *certauthority.CA {
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
// Create a CA.
ca, err := certauthority.New(pkix.Name{CommonName: "Acme Corp"}, 1000*time.Hour)
require.NoError(t, err)
// Using the CA, create a TLS server cert.
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
tlsCert, err := ca.Issue(pkix.Name{CommonName: hostname}, []string{hostname}, ips, 1000*time.Hour)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
require.NoError(t, err)
// Write the serving cert to the SNI secret.
tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
require.NoError(t, err)
secret := corev1.Secret{
TypeMeta: metav1.TypeMeta{},
ObjectMeta: metav1.ObjectMeta{
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
Name: secretName,
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
Namespace: ns,
},
StringData: map[string]string{
"tls.crt": string(tlsCertChainPEM),
"tls.key": string(tlsPrivateKeyPEM),
},
}
_, err = kubeClient.CoreV1().Secrets(ns).Create(ctx, &secret, metav1.CreateOptions{})
require.NoError(t, err)
// Delete the Secret when the test ends.
t.Cleanup(func() {
t.Helper()
deleteCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
err := kubeClient.CoreV1().Secrets(ns).Delete(deleteCtx, secretName, metav1.DeleteOptions{})
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
require.NoError(t, err)
})
return ca
}
func temporarilyRemoveAllOIDCProviderConfigs(ctx context.Context, t *testing.T, ns string, client pinnipedclientset.Interface) {
// Temporarily remove any existing OIDCProviderConfigs from the cluster so we can test from a clean slate.
originalConfigList, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).List(ctx, metav1.ListOptions{})
require.NoError(t, err)
for _, config := range originalConfigList.Items {
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, config.Name, metav1.DeleteOptions{})
require.NoError(t, err)
}
// When this test has finished, recreate any OIDCProviderConfigs that had existed on the cluster before this test.
t.Cleanup(func() {
cleanupCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
for _, config := range originalConfigList.Items {
thisConfig := config
thisConfig.ResourceVersion = "" // Get rid of resource version since we can't create an object with one.
_, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Create(cleanupCtx, &thisConfig, metav1.CreateOptions{})
require.NoError(t, err)
}
})
}
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
func jwksURLForIssuer(scheme, host, path string) string {
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 22:22:03 +00:00
return fmt.Sprintf("%s://%s/%s/jwks.json", scheme, host, strings.TrimPrefix(path, "/"))
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
}
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
func wellKnownURLForIssuer(scheme, host, path string) string {
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 22:22:03 +00:00
return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, strings.TrimPrefix(path, "/"))
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
}
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) {
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
t.Helper()
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
issuerURL, err := url.Parse(issuerName)
require.NoError(t, err)
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireEndpointNotFound(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle)
requireEndpointNotFound(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
}
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
func requireEndpointNotFound(t *testing.T, url, host, caBundle string) {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
t.Helper()
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
httpClient := newHTTPClient(t, caBundle, nil)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
requestNonExistentPath, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
require.NoError(t, err)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
requestNonExistentPath.Host = host
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
var response *http.Response
assert.Eventually(t, func() bool {
response, err = httpClient.Do(requestNonExistentPath) //nolint:bodyclose
return err == nil && response.StatusCode == http.StatusNotFound
}, 10*time.Second, 200*time.Millisecond)
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
require.NoError(t, err)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
require.Equal(t, http.StatusNotFound, response.StatusCode)
err = response.Body.Close()
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
require.NoError(t, err)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t *testing.T, url string) {
t.Helper()
httpClient := newHTTPClient(t, "", nil)
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
require.NoError(t, err)
assert.Eventually(t, func() bool {
_, err = httpClient.Do(request) //nolint:bodyclose
return err != nil && strings.Contains(err.Error(), "tls: unrecognized name")
}, 10*time.Second, 200*time.Millisecond)
require.Error(t, err)
Add a way to set a default supervisor TLS cert for when SNI won't work - Setting a Secret in the supervisor's namespace with a special name will cause it to get picked up and served as the supervisor's TLS cert for any request which does not have a matching SNI cert. - This is especially useful for when there is no DNS record for an issuer and the user will be accessing it via IP address. This is not how we would expect it to be used in production, but it might be useful for other cases. - Includes a new integration test - Also suppress all of the warnings about ignoring the error returned by Close() in lines like `defer x.Close()` to make GoLand happier
2020-10-27 23:33:08 +00:00
require.EqualError(t, err, fmt.Sprintf(`Get "%s": remote error: tls: unrecognized name`, url))
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
}
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(
test/integration: reuse CreateTestOIDCProvider helper Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 13:09:49 +00:00
ctx context.Context,
t *testing.T,
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
supervisorScheme, supervisorAddress, supervisorCABundle string,
test/integration: reuse CreateTestOIDCProvider helper Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 13:09:49 +00:00
issuerName string,
client pinnipedclientset.Interface,
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
) (*v1alpha1.OIDCProviderConfig, *ExpectedJWKSResponseFormat) {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
t.Helper()
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
newOIDCProviderConfig := library.CreateTestOIDCProvider(ctx, t, issuerName, "")
jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, nil)
test/integration: reuse CreateTestOIDCProvider helper Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-15 13:09:49 +00:00
requireStatus(t, client, newOIDCProviderConfig.Namespace, newOIDCProviderConfig.Name, v1alpha1.SuccessOIDCProviderStatus)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
return newOIDCProviderConfig, jwksResult
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) *ExpectedJWKSResponseFormat {
requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, dnsOverrides)
jwksResult := requireJWKSEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, dnsOverrides)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
return jwksResult
}
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 22:22:03 +00:00
func requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
t *testing.T,
existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig,
client pinnipedclientset.Interface,
ns string,
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
supervisorScheme, supervisorAddress, supervisorCABundle string,
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
issuerName string,
) {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
t.Helper()
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
// Delete the OIDCProviderConfig.
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, existingOIDCProviderConfig.Name, metav1.DeleteOptions{})
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
require.NoError(t, err)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
// Fetch that same discovery endpoint as before, but now it should not exist anymore. Give it some time for the endpoint to go away.
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 14:53:05 +00:00
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
t.Helper()
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
issuerURL, err := url.Parse(issuerName)
require.NoError(t, err)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName, supervisorCABundle, dnsOverrides) //nolint:bodyclose
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
// Check that the response matches our expectations.
expectedResultTemplate := here.Doc(`{
"issuer": "%s",
"authorization_endpoint": "%s/oauth2/authorize",
"token_endpoint": "%s/oauth2/token",
"token_endpoint_auth_methods_supported": ["client_secret_basic"],
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
"jwks_uri": "%s/jwks.json",
"scopes_supported": ["openid", "offline"],
"response_types_supported": ["code"],
"claims_supported": ["groups"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"]
}`)
expectedJSON := fmt.Sprintf(expectedResultTemplate, issuerName, issuerName, issuerName, issuerName)
require.Equal(t, "application/json", response.Header.Get("content-type"))
require.JSONEq(t, expectedJSON, responseBody)
}
type ExpectedJWKSResponseFormat struct {
Keys []map[string]string
}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) *ExpectedJWKSResponseFormat {
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
t.Helper()
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
issuerURL, err := url.Parse(issuerName)
require.NoError(t, err)
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
response, responseBody := requireSuccessEndpointResponse(t, //nolint:bodyclose
jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path),
issuerName,
supervisorCABundle,
dnsOverrides,
)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
var result ExpectedJWKSResponseFormat
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
err = json.Unmarshal([]byte(responseBody), &result)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
require.NoError(t, err)
require.Len(t, result.Keys, 1)
jwk := result.Keys[0]
require.Len(t, jwk, 7) // make sure there are no extra values, i.e. does not include private key
require.NotEmpty(t, jwk["kid"])
require.Equal(t, "sig", jwk["use"])
require.Equal(t, "EC", jwk["kty"])
require.Equal(t, "P-256", jwk["crv"])
require.Equal(t, "ES256", jwk["alg"])
require.NotEmpty(t, jwk["x"])
require.NotEmpty(t, jwk["y"])
require.Equal(t, "application/json", response.Header.Get("content-type"))
return &result
}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer, caBundle string, dnsOverrides map[string]string) (*http.Response, string) {
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
t.Helper()
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
httpClient := newHTTPClient(t, caBundle, dnsOverrides)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
// Define a request to the new discovery endpoint which should have been created by an OIDCProviderConfig.
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
requestDiscoveryEndpoint, err := http.NewRequestWithContext(
ctx,
http.MethodGet,
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
endpointURL,
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
nil,
)
require.NoError(t, err)
Add a test for when issuer hostname and supervisor public address differ
2020-10-20 22:22:03 +00:00
issuerURL, err := url.Parse(issuer)
require.NoError(t, err)
// Set the host header on the request to match the issuer's hostname, which could potentially be different
// from the public ingress address, e.g. when a load balancer is used, so we want to test here that the host
// header is respected by the supervisor server.
requestDiscoveryEndpoint.Host = issuerURL.Host
test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-20 21:00:36 +00:00
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
// Fetch that discovery endpoint. Give it some time for the endpoint to come into existence.
var response *http.Response
assert.Eventually(t, func() bool {
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
response, err = httpClient.Do(requestDiscoveryEndpoint) //nolint:bodyclose
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 14:53:05 +00:00
return err == nil && response.StatusCode == http.StatusOK
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
}, 10*time.Second, 200*time.Millisecond)
require.NoError(t, err)
supervisor-oidc: checkpoint: controller watches OIDCProviderConfig Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-07 14:53:05 +00:00
require.Equal(t, http.StatusOK, response.StatusCode)
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
responseBody, err := ioutil.ReadAll(response.Body)
require.NoError(t, err)
err = response.Body.Close()
require.NoError(t, err)
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
return response, string(responseBody)
}
Add integration test for the OIDC discovery endpoint - Intended to be a red test in this commit; will make it go green in a future commit - Enhance env.go and prepare-for-integration-tests.sh to make it possible to write integration tests for the supervisor app by setting more env vars and by exposing the service to the kind host on a localhost port - Add `--clean` option to prepare-for-integration-tests.sh to make it easier to start fresh - Make prepare-for-integration-tests.sh advise you to run `go test -v -count 1 ./test/integration` because this does not buffer the test output - Make concierge_api_discovery_test.go pass by adding expectations for the new OIDCProviderConfig type
2020-10-07 00:53:29 +00:00
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
func editOIDCProviderConfigIssuerName(
t *testing.T,
existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig,
client pinnipedclientset.Interface,
ns string,
newIssuerName string,
) *v1alpha1.OIDCProviderConfig {
t.Helper()
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
defer cancel()
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
Integration test for per-issuer OIDC JWKS endpoints
2020-10-19 19:21:18 +00:00
mostRecentVersion, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, existingOIDCProviderConfig.Name, metav1.GetOptions{})
require.NoError(t, err)
mostRecentVersion.Spec.Issuer = newIssuerName
updated, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Update(ctx, mostRecentVersion, metav1.UpdateOptions{})
require.NoError(t, err)
return updated
supervisor-oidc: add OIDCProviderConfig CRD This will hopefully come in handy later if we ever decide to add support for multiple OIDC providers as a part of one supervisor. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-10-06 19:20:29 +00:00
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
supervisor-oidc: checkpoint: add status to provider CRD Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 17:27:45 +00:00
func requireDelete(t *testing.T, client pinnipedclientset.Interface, ns, name string) {
t.Helper()
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, name, metav1.DeleteOptions{})
require.NoError(t, err)
}
func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, status v1alpha1.OIDCProviderStatus) {
t.Helper()
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
var opc *v1alpha1.OIDCProviderConfig
var err error
assert.Eventually(t, func() bool {
opc, err = client.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, name, metav1.GetOptions{})
return err == nil && opc.Status.Status == status
}, 10*time.Second, 200*time.Millisecond)
require.NoError(t, err)
require.Equalf(t, status, opc.Status.Status, "unexpected status (message = '%s')", opc.Status.Message)
}
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
func newHTTPClient(t *testing.T, caBundle string, dnsOverrides map[string]string) *http.Client {
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
c := &http.Client{}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
realDialer := &net.Dialer{}
overrideDialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
replacementAddr, hasKey := dnsOverrides[addr]
if hasKey {
t.Logf("DialContext replacing addr %s with %s", addr, replacementAddr)
addr = replacementAddr
} else if dnsOverrides != nil {
t.Fatal("dnsOverrides was provided but not used, which was probably a mistake")
}
return realDialer.DialContext(ctx, network, addr)
}
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
if caBundle != "" { // CA bundle is optional
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM([]byte(caBundle))
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
c.Transport = &http.Transport{
DialContext: overrideDialContext,
TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: caCertPool},
}
} else {
c.Transport = &http.Transport{
DialContext: overrideDialContext,
}
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
}
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command
2020-10-27 21:57:25 +00:00
Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not)
2020-10-20 23:46:33 +00:00
return c
}