djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2fa81546f3
ContainerImage.Pinniped/internal/fositestorage/authorizationcode/authorizationcode_test.go

520 lines
20 KiB
Go
Raw Normal View History

Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
// SPDX-License-Identifier: Apache-2.0
package authorizationcode
import (
"context"
"crypto/ed25519"
"crypto/x509"
"encoding/json"
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
"fmt"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
"math/rand"
"net/url"
"strings"
"testing"
"time"
fuzz "github.com/google/gofuzz"
"github.com/ory/fosite"
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
"github.com/ory/fosite/handler/oauth2"
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
"github.com/ory/fosite/handler/openid"
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
"github.com/pkg/errors"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
"github.com/stretchr/testify/require"
"gopkg.in/square/go-jose.v2"
corev1 "k8s.io/api/core/v1"
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
apierrors "k8s.io/apimachinery/pkg/api/errors"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
"k8s.io/apimachinery/pkg/runtime"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
"k8s.io/apimachinery/pkg/runtime/schema"
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
"k8s.io/client-go/kubernetes/fake"
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
kubetesting "k8s.io/client-go/testing"
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-10 22:22:36 +00:00
clocktesting "k8s.io/utils/clock/testing"
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 22:53:22 +00:00
"go.pinniped.dev/internal/fositestorage"
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
"go.pinniped.dev/internal/oidc/clientregistry"
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
"go.pinniped.dev/internal/psession"
"go.pinniped.dev/internal/testutil"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
)
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
const namespace = "test-ns"
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
var fakeNow = time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC)
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
var lifetime = time.Minute * 10
var fakeNowPlusLifetimeAsString = metav1.Time{Time: fakeNow.Add(lifetime)}.Format(time.RFC3339)
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
func TestAuthorizationCodeStorage(t *testing.T) {
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
secretsGVR := schema.GroupVersionResource{
Group: "",
Version: "v1",
Resource: "secrets",
}
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
wantActions := []kubetesting.Action{
kubetesting.NewCreateAction(secretsGVR, namespace, &corev1.Secret{
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
Use the more specific label name of "storage.pinniped.dev/type" Instead of the less specific "storage.pinniped.dev" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 22:39:11 +00:00
"storage.pinniped.dev/type": "authcode",
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
},
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
Annotations: map[string]string{
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
"storage.pinniped.dev/garbage-collect-after": fakeNowPlusLifetimeAsString,
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
},
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
Data: map[string][]byte{
Supervisor should emit a warning when access token lifetime is too short
2022-01-18 23:34:19 +00:00
"pinniped-storage-data": []byte(`{"active":true,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
"pinniped-storage-version": []byte("1"),
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
Type: "storage.pinniped.dev/authcode",
}),
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
kubetesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authcode-pwu5zs7lekbhnln2w4"),
kubetesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authcode-pwu5zs7lekbhnln2w4"),
kubetesting.NewUpdateAction(secretsGVR, namespace, &corev1.Secret{
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
Use the more specific label name of "storage.pinniped.dev/type" Instead of the less specific "storage.pinniped.dev" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 22:39:11 +00:00
"storage.pinniped.dev/type": "authcode",
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
Annotations: map[string]string{
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
"storage.pinniped.dev/garbage-collect-after": fakeNowPlusLifetimeAsString,
WIP passing lifetime through to storage, unit tests are failing Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 20:15:40 +00:00
},
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
Data: map[string][]byte{
Supervisor should emit a warning when access token lifetime is too short
2022-01-18 23:34:19 +00:00
"pinniped-storage-data": []byte(`{"active":false,"request":{"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","warnings":null,"oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token","upstreamAccessToken":"","upstreamSubject":"some-subject","upstreamIssuer":"some-issuer"}}},"requestedAudience":null,"grantedAudience":null},"version":"2"}`),
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
}),
}
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, client, _, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
request := &fosite.Request{
ID: "abcd-1",
RequestedAt: time.Time{},
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
Client: &clientregistry.Client{
DefaultOpenIDConnectClient: fosite.DefaultOpenIDConnectClient{
DefaultClient: &fosite.DefaultClient{
ID: "pinny",
Secret: nil,
RedirectURIs: nil,
GrantTypes: nil,
ResponseTypes: nil,
Scopes: nil,
Audience: nil,
Public: true,
},
JSONWebKeysURI: "where",
JSONWebKeys: nil,
TokenEndpointAuthMethod: "something",
RequestURIs: nil,
RequestObjectSigningAlgorithm: "",
TokenEndpointAuthSigningAlgorithm: "",
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
},
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
RequestedScope: nil,
GrantedScope: nil,
Form: url.Values{"key": []string{"val"}},
Session: testutil.NewFakePinnipedSession(),
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
RequestedAudience: nil,
GrantedAudience: nil,
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
err := storage.CreateAuthorizeCodeSession(ctx, "fancy-signature", request)
require.NoError(t, err)
newRequest, err := storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil)
require.NoError(t, err)
require.Equal(t, request, newRequest)
err = storage.InvalidateAuthorizeCodeSession(ctx, "fancy-signature")
require.NoError(t, err)
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
testutil.LogActualJSONFromCreateAction(t, client, 0) // makes it easier to update expected values when needed
testutil.LogActualJSONFromUpdateAction(t, client, 3) // makes it easier to update expected values when needed
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
require.Equal(t, wantActions, client.Actions())
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
// Doing a Get on an invalidated session should still return the session, but also return an error.
invalidatedRequest, err := storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil)
require.EqualError(t, err, "authorization code session for fancy-signature has already been used: Authorization code has ben invalidated")
require.Equal(t, "abcd-1", invalidatedRequest.GetID())
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
}
func TestGetNotFound(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, _, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
_, notFoundErr := storage.GetAuthorizeCodeSession(ctx, "non-existent-signature", nil)
require.EqualError(t, notFoundErr, "not_found")
require.True(t, errors.Is(notFoundErr, fosite.ErrNotFound))
}
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
func TestInvalidateWhenNotFound(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, _, storage := makeTestSubject()
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
notFoundErr := storage.InvalidateAuthorizeCodeSession(ctx, "non-existent-signature")
require.EqualError(t, notFoundErr, "not_found")
require.True(t, errors.Is(notFoundErr, fosite.ErrNotFound))
}
func TestInvalidateWhenConflictOnUpdateHappens(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, client, _, storage := makeTestSubject()
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
client.PrependReactor("update", "secrets", func(_ kubetesting.Action) (bool, runtime.Object, error) {
return true, nil, apierrors.NewConflict(schema.GroupResource{
Group: "",
Resource: "secrets",
}, "some-secret-name", fmt.Errorf("there was a conflict"))
})
request := &fosite.Request{
ID: "some-request-id",
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
Client: &clientregistry.Client{},
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
Session: testutil.NewFakePinnipedSession(),
Back-fill some more unit tests on authorizationcode_test.go
2020-12-02 22:10:41 +00:00
}
err := storage.CreateAuthorizeCodeSession(ctx, "fancy-signature", request)
require.NoError(t, err)
err = storage.InvalidateAuthorizeCodeSession(ctx, "fancy-signature")
require.EqualError(t, err, `The request could not be completed due to concurrent access: failed to update authcode for signature fancy-signature at resource version : Operation cannot be fulfilled on secrets "some-secret-name": there was a conflict`)
}
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
func TestWrongVersion(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, secrets, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
Use the more specific label name of "storage.pinniped.dev/type" Instead of the less specific "storage.pinniped.dev" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 22:39:11 +00:00
"storage.pinniped.dev/type": "authcode",
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
},
},
Data: map[string][]byte{
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
"pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"not-the-right-version","active": true}`),
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
}
_, err := secrets.Create(ctx, secret, metav1.CreateOptions{})
require.NoError(t, err)
_, err = storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil)
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
require.EqualError(t, err, "authorization request data has wrong version: authorization code session for fancy-signature has version not-the-right-version instead of 2")
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
}
func TestNilSessionRequest(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, secrets, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
secret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
Use the more specific label name of "storage.pinniped.dev/type" Instead of the less specific "storage.pinniped.dev" Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-04 22:39:11 +00:00
"storage.pinniped.dev/type": "authcode",
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
},
},
Data: map[string][]byte{
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
"pinniped-storage-data": []byte(`{"nonsense-key": "nonsense-value", "version":"2", "active": true}`),
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
_, err := secrets.Create(ctx, secret, metav1.CreateOptions{})
require.NoError(t, err)
_, err = storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil)
require.EqualError(t, err, "malformed authorization code session for fancy-signature: authorization request data must be present")
}
func TestCreateWithNilRequester(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, _, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
err := storage.CreateAuthorizeCodeSession(ctx, "signature-doesnt-matter", nil)
require.EqualError(t, err, "requester must be of type fosite.Request")
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
ctx, _, _, storage := makeTestSubject()
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
request := &fosite.Request{
Session: nil,
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
Client: &clientregistry.Client{},
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
err := storage.CreateAuthorizeCodeSession(ctx, "signature-doesnt-matter", request)
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
require.EqualError(t, err, "requester's session must be of type PinnipedSession")
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
request = &fosite.Request{
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
Session: &psession.PinnipedSession{},
Add pkce and openidconnect storage - Also refactor authorizationcode_test Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-02 01:18:32 +00:00
Client: nil,
}
err = storage.CreateAuthorizeCodeSession(ctx, "signature-doesnt-matter", request)
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
require.EqualError(t, err, "requester's client must be of type clientregistry.Client")
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
func makeTestSubject() (context.Context, *fake.Clientset, corev1client.SecretInterface, oauth2.AuthorizeCodeStorage) {
client := fake.NewSimpleClientset()
secrets := client.CoreV1().Secrets(namespace)
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-10 22:22:36 +00:00
return context.Background(), client, secrets, New(secrets, clocktesting.NewFakeClock(fakeNow).Now, lifetime)
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
}
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
// TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession asserts that we can correctly round trip our authorize code session.
// It will detect any changes to fosite.AuthorizeRequest and guarantees that all interface types have concrete implementations.
func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) {
validSession := NewValidEmptyAuthorizeCodeSession()
// sanity check our valid session
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-01 22:53:22 +00:00
extractedRequest, err := fositestorage.ValidateAndExtractAuthorizeRequest(validSession.Request)
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
require.NoError(t, err)
require.Equal(t, validSession.Request, extractedRequest)
// checked above
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-15 16:27:30 +00:00
defaultClient := validSession.Request.Client.(*clientregistry.Client)
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
pinnipedSession := validSession.Request.Session.(*psession.PinnipedSession)
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
// makes it easier to use a raw string
replacer := strings.NewReplacer("`", "a")
randString := func(c fuzz.Continue) string {
for {
s := c.RandString()
if len(s) == 0 {
continue // skip empty string
}
return replacer.Replace(s)
}
}
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-01 19:01:23 +00:00
// deterministic fuzzing of fosite.Request
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
f := fuzz.New().RandSource(rand.NewSource(1)).NilChance(0).NumElements(1, 3).Funcs(
// these functions guarantee that these are the only interface types we need to fill out
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-01 19:01:23 +00:00
// if fosite.Request changes to add more, the fuzzer will panic
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
func(fc *fosite.Client, c fuzz.Continue) {
c.Fuzz(defaultClient)
*fc = defaultClient
},
func(fs *fosite.Session, c fuzz.Continue) {
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
c.Fuzz(pinnipedSession)
*fs = pinnipedSession
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
// these types contain an interface{} that we need to handle
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
// this is safe because we explicitly provide the PinnipedSession concrete type
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
func(value *map[string]interface{}, c fuzz.Continue) {
// cover all the JSON data types just in case
*value = map[string]interface{}{
randString(c): float64(c.Intn(1 << 32)),
randString(c): map[string]interface{}{
randString(c): []interface{}{float64(c.Intn(1 << 32))},
randString(c): map[string]interface{}{
randString(c): nil,
randString(c): map[string]interface{}{
randString(c): c.RandBool(),
},
},
},
}
},
// JWK contains an interface{} Key that we need to handle
// this is safe because JWK explicitly implements JSON marshalling and unmarshalling
func(jwk *jose.JSONWebKey, c fuzz.Continue) {
key, _, err := ed25519.GenerateKey(c)
require.NoError(t, err)
jwk.Key = key
// set these fields to make the .Equal comparison work
jwk.Certificates = []*x509.Certificate{}
jwk.CertificatesURL = &url.URL{}
jwk.CertificateThumbprintSHA1 = []byte{}
jwk.CertificateThumbprintSHA256 = []byte{}
},
// set this to make the .Equal comparison work
// this is safe because Time explicitly implements JSON marshalling and unmarshalling
func(tp *time.Time, c fuzz.Continue) {
Switch fuzzing test to UTC Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 19:04:25 +00:00
*tp = time.Unix(c.Int63n(1<<32), c.Int63n(1<<32)).UTC()
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
// make random strings that do not contain any ` characters
func(s *string, c fuzz.Continue) {
*s = randString(c)
},
// handle string type alias
func(s *fosite.TokenType, c fuzz.Continue) {
*s = fosite.TokenType(randString(c))
Require refresh tokens for upstream OIDC and save more session data - Requiring refresh tokens to be returned from upstream OIDC idps - Storing refresh tokens (for oidc) and idp information (for all idps) in custom session data during authentication - Don't pass access=offline all the time
2021-10-08 22:48:21 +00:00
},
func(s *types.UID, c fuzz.Continue) {
*s = types.UID(randString(c))
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
},
// handle string type alias
func(s *fosite.Arguments, c fuzz.Continue) {
n := c.Intn(3) + 1 // 1 to 3 items
arguments := make(fosite.Arguments, n)
for i := range arguments {
arguments[i] = randString(c)
}
*s = arguments
},
)
f.Fuzz(validSession)
const name = "fuzz" // value is irrelevant
ctx := context.Background()
secrets := fake.NewSimpleClientset().CoreV1().Secrets(name)
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 22:47:58 +00:00
storage := New(secrets, func() time.Time { return fakeNow }, lifetime)
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
// issue a create using the fuzzed request to confirm that marshalling works
err = storage.CreateAuthorizeCodeSession(ctx, name, validSession.Request)
require.NoError(t, err)
// retrieve a copy of the fuzzed request from storage to confirm that unmarshalling works
newRequest, err := storage.GetAuthorizeCodeSession(ctx, name, nil)
require.NoError(t, err)
// the fuzzed request and the copy from storage should be exactly the same
require.Equal(t, validSession.Request, newRequest)
secretList, err := secrets.List(ctx, metav1.ListOptions{})
require.NoError(t, err)
require.Len(t, secretList.Items, 1)
authorizeCodeSessionJSONFromStorage := string(secretList.Items[0].Data["pinniped-storage-data"])
// set these to match CreateAuthorizeCodeSession so that .JSONEq works
validSession.Active = true
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-06 22:28:13 +00:00
validSession.Version = "2"
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
validSessionJSONBytes, err := json.MarshalIndent(validSession, "", "\t")
require.NoError(t, err)
authorizeCodeSessionJSONFromFuzzing := string(validSessionJSONBytes)
// the fuzzed session and storage session should have identical JSON
require.JSONEq(t, authorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromStorage)
Add struct field for storing upstream access token in downstream session
2021-12-06 22:43:39 +00:00
// t.Log("actual value from fuzzing", authorizeCodeSessionJSONFromFuzzing) // can be useful when updating expected value
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
// while the fuzzer will panic if AuthorizeRequest changes in a way that cannot be fuzzed,
// if it adds a new field that can be fuzzed, this check will fail
// thus if AuthorizeRequest changes, we will detect it here (though we could possibly miss an omitempty field)
Update all deps to latest where possible, bump Kube deps to v0.23.1 Highlights from this dep bump: 1. Made a copy of the v0.4.0 github.com/go-logr/stdr implementation for use in tests. We must bump this dep as Kube code uses a newer version now. We would have to rewrite hundreds of test log assertions without this copy. 2. Use github.com/felixge/httpsnoop to undo the changes made by ory/fosite#636 for CLI based login flows. This is required for backwards compatibility with older versions of our CLI. A separate change after this will update the CLI to be more flexible (it is purposefully not part of this change to confirm that we did not break anything). For all browser login flows, we now redirect using http.StatusSeeOther instead of http.StatusFound. 3. Drop plog.RemoveKlogGlobalFlags as klog no longer mutates global process flags 4. Only bump github.com/ory/x to v0.0.297 instead of the latest v0.0.321 because v0.0.298+ pulls in a newer version of go.opentelemetry.io/otel/semconv which breaks k8s.io/apiserver. We should update k8s.io/apiserver to use the newer code. 5. Migrate all code from k8s.io/apimachinery/pkg/util/clock to k8s.io/utils/clock and k8s.io/utils/clock/testing 6. Delete testutil.NewDeleteOptionsRecorder and migrate to the new kubetesting.NewDeleteActionWithOptions 7. Updated ExpectedAuthorizeCodeSessionJSONFromFuzzing caused by fosite's new rotated_secrets OAuth client field. This new field is currently not relevant to us as we have no private clients. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-10 22:22:36 +00:00
require.JSONEq(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing, "actual:\n%s", authorizeCodeSessionJSONFromFuzzing)
Add authorization code storage Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-19 04:30:05 +00:00
}
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
func TestReadFromSecret(t *testing.T) {
tests := []struct {
name string
secret *corev1.Secret
Revoke upstream OIDC refresh tokens during GC
2021-11-10 23:34:19 +00:00
wantSession *Session
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
wantErr string
}{
{
name: "happy path",
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
"storage.pinniped.dev/type": "authcode",
},
},
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"request":{"id":"abcd-1","session":{"fosite":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"custom":{"providerUID":"fake-provider-uid","providerName":"fake-provider-name","providerType":"fake-provider-type","oidc":{"upstreamRefreshToken":"fake-upstream-refresh-token"}}}},"version":"2","active": true}`),
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
},
Revoke upstream OIDC refresh tokens during GC
2021-11-10 23:34:19 +00:00
wantSession: &Session{
WIP towards revoking upstream refresh tokens during GC - Discover the revocation endpoint of the upstream provider in oidc_upstream_watcher.go and save it into the cache for future use by the garbage collector controller - Adds RevokeRefreshToken to UpstreamOIDCIdentityProviderI - Implements the production version of RevokeRefreshToken - Implements test doubles for RevokeRefreshToken for future use in garbage collector's unit tests - Prefactors the crud and session storage types for future use in the garbage collector controller - See remaining TODOs in garbage_collector.go
2021-10-22 21:32:26 +00:00
Version: "2",
Active: true,
Request: &fosite.Request{
ID: "abcd-1",
Client: &clientregistry.Client{},
Session: &psession.PinnipedSession{
Fosite: &openid.DefaultSession{
Username: "snorlax",
Subject: "panda",
},
Custom: &psession.CustomSessionData{
ProviderUID: "fake-provider-uid",
ProviderName: "fake-provider-name",
ProviderType: "fake-provider-type",
OIDC: &psession.OIDCSessionData{
UpstreamRefreshToken: "fake-upstream-refresh-token",
},
},
},
},
},
},
{
name: "wrong secret type",
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
"storage.pinniped.dev/type": "authcode",
},
},
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"2","active": true}`),
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/not-authcode",
},
wantErr: "secret storage data has incorrect type: storage.pinniped.dev/not-authcode must equal storage.pinniped.dev/authcode",
},
{
name: "wrong session version",
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
"storage.pinniped.dev/type": "authcode",
},
},
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"request":{"id":"abcd-1"},"version":"wrong-version-here","active": true}`),
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
},
wantErr: "authorization request data has wrong version: authorization code session has version wrong-version-here instead of 2",
},
{
name: "missing request",
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "pinniped-storage-authcode-pwu5zs7lekbhnln2w4",
ResourceVersion: "",
Labels: map[string]string{
"storage.pinniped.dev/type": "authcode",
},
},
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"version":"2","active": true}`),
"pinniped-storage-version": []byte("1"),
},
Type: "storage.pinniped.dev/authcode",
},
wantErr: "malformed authorization code session: authorization request data must be present",
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
session, err := ReadFromSecret(tt.secret)
if tt.wantErr == "" {
require.NoError(t, err)
require.Equal(t, tt.wantSession, session)
} else {
require.EqualError(t, err, tt.wantErr)
require.Nil(t, session)
}
})
}
}
Reference in New Issue Copy Permalink