2021-01-07 22:58:09 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
2020-11-11 23:10:06 +00:00
// SPDX-License-Identifier: Apache-2.0
2021-05-12 21:00:39 +00:00
package oidcupstreamwatcher
2020-11-11 23:10:06 +00:00
import (
"context"
2020-11-17 00:15:58 +00:00
"encoding/base64"
2020-11-11 23:10:06 +00:00
"encoding/json"
"net/http"
"net/url"
2021-07-07 19:50:13 +00:00
"reflect"
2020-11-11 23:10:06 +00:00
"strings"
"testing"
"time"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
2021-10-08 22:48:21 +00:00
"k8s.io/apimachinery/pkg/types"
2020-11-11 23:10:06 +00:00
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes/fake"
2021-02-16 19:00:08 +00:00
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
pinnipedfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
pinnipedinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
2021-09-29 13:26:29 +00:00
"go.pinniped.dev/internal/certauthority"
2020-11-11 23:10:06 +00:00
"go.pinniped.dev/internal/controllerlib"
"go.pinniped.dev/internal/oidc/provider"
2020-11-17 00:15:58 +00:00
"go.pinniped.dev/internal/testutil"
2021-04-09 00:28:01 +00:00
"go.pinniped.dev/internal/testutil/oidctestutil"
2020-11-11 23:10:06 +00:00
"go.pinniped.dev/internal/testutil/testlogger"
2020-11-30 20:54:11 +00:00
"go.pinniped.dev/internal/upstreamoidc"
2020-11-11 23:10:06 +00:00
)
2021-04-10 01:49:43 +00:00
func TestOIDCUpstreamWatcherControllerFilterSecret ( t * testing . T ) {
2020-12-18 23:41:07 +00:00
t . Parallel ( )
tests := [ ] struct {
name string
secret metav1 . Object
wantAdd bool
wantUpdate bool
wantDelete bool
} {
{
name : "a secret of the right type" ,
secret : & corev1 . Secret {
Type : "secrets.pinniped.dev/oidc-client" ,
ObjectMeta : metav1 . ObjectMeta { Name : "some-name" , Namespace : "some-namespace" } ,
} ,
wantAdd : true ,
wantUpdate : true ,
wantDelete : true ,
} ,
{
name : "a secret of the wrong type" ,
secret : & corev1 . Secret {
Type : "secrets.pinniped.dev/not-the-oidc-client-type" ,
ObjectMeta : metav1 . ObjectMeta { Name : "some-name" , Namespace : "some-namespace" } ,
} ,
} ,
{
name : "resource of wrong data type" ,
secret : & corev1 . Namespace {
ObjectMeta : metav1 . ObjectMeta { Name : "some-name" , Namespace : "some-namespace" } ,
} ,
} ,
}
for _ , test := range tests {
test := test
t . Run ( test . name , func ( t * testing . T ) {
t . Parallel ( )
fakePinnipedClient := pinnipedfake . NewSimpleClientset ( )
pinnipedInformers := pinnipedinformers . NewSharedInformerFactory ( fakePinnipedClient , 0 )
fakeKubeClient := fake . NewSimpleClientset ( )
kubeInformers := informers . NewSharedInformerFactory ( fakeKubeClient , 0 )
testLog := testlogger . New ( t )
cache := provider . NewDynamicUpstreamIDPProvider ( )
2021-04-07 23:12:13 +00:00
cache . SetOIDCIdentityProviders ( [ ] provider . UpstreamOIDCIdentityProviderI {
2020-12-18 23:41:07 +00:00
& upstreamoidc . ProviderConfig { Name : "initial-entry" } ,
} )
secretInformer := kubeInformers . Core ( ) . V1 ( ) . Secrets ( )
withInformer := testutil . NewObservableWithInformerOption ( )
2021-05-12 21:00:39 +00:00
New (
2020-12-18 23:41:07 +00:00
cache ,
nil ,
pinnipedInformers . IDP ( ) . V1alpha1 ( ) . OIDCIdentityProviders ( ) ,
secretInformer ,
testLog ,
withInformer . WithInformer ,
)
unrelated := corev1 . Secret { }
filter := withInformer . GetFilterForInformer ( secretInformer )
require . Equal ( t , test . wantAdd , filter . Add ( test . secret ) )
require . Equal ( t , test . wantUpdate , filter . Update ( & unrelated , test . secret ) )
require . Equal ( t , test . wantUpdate , filter . Update ( test . secret , & unrelated ) )
require . Equal ( t , test . wantDelete , filter . Delete ( test . secret ) )
} )
}
}
2021-04-10 01:49:43 +00:00
func TestOIDCUpstreamWatcherControllerSync ( t * testing . T ) {
2020-11-11 23:10:06 +00:00
t . Parallel ( )
now := metav1 . NewTime ( time . Now ( ) . UTC ( ) )
earlier := metav1 . NewTime ( now . Add ( - 1 * time . Hour ) . UTC ( ) )
// Start another test server that answers discovery successfully.
2020-11-17 00:15:58 +00:00
testIssuerCA , testIssuerURL := newTestIssuer ( t )
testIssuerCABase64 := base64 . StdEncoding . EncodeToString ( [ ] byte ( testIssuerCA ) )
2020-11-11 23:10:06 +00:00
testIssuerAuthorizeURL , err := url . Parse ( "https://example.com/authorize" )
require . NoError ( t , err )
2021-09-29 13:26:29 +00:00
wrongCA , err := certauthority . New ( "foo" , time . Hour )
require . NoError ( t , err )
wrongCABase64 := base64 . StdEncoding . EncodeToString ( wrongCA . Bundle ( ) )
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition := v1alpha1 . Condition {
Type : "AdditionalAuthorizeParametersValid" ,
Status : "True" ,
Reason : "Success" ,
Message : "additionalAuthorizeParameters parameter names are allowed" ,
LastTransitionTime : now ,
}
happyAdditionalAuthorizeParametersValidConditionEarlier := happyAdditionalAuthorizeParametersValidCondition
happyAdditionalAuthorizeParametersValidConditionEarlier . LastTransitionTime = earlier
2020-11-11 23:10:06 +00:00
var (
2021-10-08 22:48:21 +00:00
testNamespace = "test-namespace"
testName = "test-name"
testSecretName = "test-client-secret"
testAdditionalScopes = [ ] string { "scope1" , "scope2" , "scope3" }
2021-10-14 22:49:44 +00:00
testExpectedScopes = [ ] string { "openid" , "scope1" , "scope2" , "scope3" }
2021-10-18 23:41:31 +00:00
testDefaultExpectedScopes = [ ] string { "openid" , "offline_access" , "email" , "profile" }
2021-10-14 22:49:44 +00:00
testAdditionalParams = [ ] v1alpha1 . Parameter { { Name : "prompt" , Value : "consent" } , { Name : "foo" , Value : "bar" } }
testExpectedAdditionalParams = map [ string ] string { "prompt" : "consent" , "foo" : "bar" }
2021-10-08 22:48:21 +00:00
testClientID = "test-oidc-client-id"
testClientSecret = "test-oidc-client-secret"
testValidSecretData = map [ string ] [ ] byte { "clientID" : [ ] byte ( testClientID ) , "clientSecret" : [ ] byte ( testClientSecret ) }
testGroupsClaim = "test-groups-claim"
testUsernameClaim = "test-username-claim"
testUID = types . UID ( "test-uid" )
2020-11-11 23:10:06 +00:00
)
tests := [ ] struct {
name string
inputUpstreams [ ] runtime . Object
inputSecrets [ ] runtime . Object
wantErr string
wantLogs [ ] string
2020-11-30 20:54:11 +00:00
wantResultingCache [ ] provider . UpstreamOIDCIdentityProviderI
2020-12-16 22:27:09 +00:00
wantResultingUpstreams [ ] v1alpha1 . OIDCIdentityProvider
2020-11-11 23:10:06 +00:00
} {
{
name : "no upstreams" ,
} ,
{
name : "missing secret" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="secret \"test-client-secret\" not found" "reason"="SecretNotFound" "status"="False" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="secret \"test-client-secret\" not found" "name"="test-name" "namespace"="test-namespace" "reason"="SecretNotFound" "type"="ClientCredentialsValid" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "SecretNotFound" ,
Message : ` secret "test-client-secret" not found ` ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "discovered issuer configuration" ,
} ,
} ,
} ,
} } ,
} ,
{
name : "secret has wrong type" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "some-other-type" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "reason"="SecretWrongType" "status"="False" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="referenced Secret \"test-client-secret\" has wrong type \"some-other-type\" (should be \"secrets.pinniped.dev/oidc-client\")" "name"="test-name" "namespace"="test-namespace" "reason"="SecretWrongType" "type"="ClientCredentialsValid" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "SecretWrongType" ,
Message : ` referenced Secret "test-client-secret" has wrong type "some-other-type" (should be "secrets.pinniped.dev/oidc-client") ` ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "discovered issuer configuration" ,
} ,
} ,
} ,
} } ,
} ,
{
name : "secret is missing key" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "reason"="SecretMissingKeys" "status"="False" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="referenced Secret \"test-client-secret\" is missing required keys [\"clientID\" \"clientSecret\"]" "name"="test-name" "namespace"="test-namespace" "reason"="SecretMissingKeys" "type"="ClientCredentialsValid" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "SecretMissingKeys" ,
Message : ` referenced Secret "test-client-secret" is missing required keys ["clientID" "clientSecret"] ` ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "discovered issuer configuration" ,
} ,
} ,
} ,
} } ,
} ,
2020-11-17 00:15:58 +00:00
{
name : "TLS CA bundle is invalid base64" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-17 00:15:58 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : "test-name" } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2020-11-17 00:15:58 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec {
CertificateAuthorityData : "invalid-base64" ,
} ,
2021-10-14 22:49:44 +00:00
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-17 00:15:58 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded" ` ,
2020-11-17 00:15:58 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-17 00:15:58 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-17 00:15:58 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-17 00:15:58 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "InvalidTLSConfig" ,
Message : ` spec.certificateAuthorityData is invalid: illegal base64 data at input byte 7 ` ,
} ,
} ,
} ,
} } ,
} ,
{
name : "TLS CA bundle does not have any certificates" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-17 00:15:58 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : "test-name" } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2020-11-17 00:15:58 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec {
CertificateAuthorityData : base64 . StdEncoding . EncodeToString ( [ ] byte ( "not-a-pem-ca-bundle" ) ) ,
} ,
2021-10-14 22:49:44 +00:00
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-17 00:15:58 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="spec.certificateAuthorityData is invalid: no certificates found" "reason"="InvalidTLSConfig" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="spec.certificateAuthorityData is invalid: no certificates found" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidTLSConfig" "type"="OIDCDiscoverySucceeded" ` ,
2020-11-17 00:15:58 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-17 00:15:58 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-17 00:15:58 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-17 00:15:58 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "InvalidTLSConfig" ,
Message : ` spec.certificateAuthorityData is invalid: no certificates found ` ,
} ,
} ,
} ,
} } ,
} ,
2020-11-11 23:10:06 +00:00
{
name : "issuer is invalid URL" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2021-09-29 13:26:29 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
` oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \"invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": unsupported protocol scheme \"\"" "issuer"="invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "name"="test-name" "namespace"="test-namespace" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": unsupported protocol [truncated 9 chars]" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-09-29 13:26:29 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": unsupported protocol [truncated 9 chars]" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded" ` ,
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2021-09-29 13:26:29 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "Unreachable" ,
Message : ` failed to perform OIDC discovery against "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" :
Get "invalid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration" : unsupported protocol [ truncated 9 chars ] ` ,
} ,
} ,
} ,
} } ,
} ,
{
name : "really long issuer with invalid CA bundle" ,
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL + "/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : wrongCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-09-29 13:26:29 +00:00
` oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "issuer"=" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "name"="test-name" "namespace"="test-namespace" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
2021-09-29 13:26:29 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-09-29 13:26:29 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \" ` + testIssuerURL + ` /valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": x509: certificate signed by unknown authority" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "Unreachable" ,
2021-09-29 13:26:29 +00:00
Message : ` failed to perform OIDC discovery against " ` + testIssuerURL + ` / valid - url - that - is - really - really - long - nanananananananannanananan - batman - nanananananananananananananana - batman - lalalalalalalalalal - batman - weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee " :
Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration" : x509 : certificate signed by unknown authority ` ,
2020-11-11 23:10:06 +00:00
} ,
} ,
} ,
} } ,
} ,
{
name : "issuer returns invalid authorize URL" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL + "/invalid" ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to parse authorization endpoint URL: parse \"%\": invalid URL escape \"%\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "InvalidResponse" ,
Message : ` failed to parse authorization endpoint URL: parse "%": invalid URL escape "%" ` ,
} ,
} ,
} ,
} } ,
} ,
{
name : "issuer returns insecure authorize URL" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL + "/insecure" ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2020-11-11 23:10:06 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="authorization endpoint URL scheme must be \"https\", not \"http\"" "reason"="InvalidResponse" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="authorization endpoint URL scheme must be \"https\", not \"http\"" "name"="test-name" "namespace"="test-namespace" "reason"="InvalidResponse" "type"="OIDCDiscoverySucceeded" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2020-11-11 23:10:06 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "InvalidResponse" ,
Message : ` authorization endpoint URL scheme must be "https", not "http" ` ,
} ,
} ,
} ,
} } ,
} ,
{
2021-08-12 17:00:18 +00:00
name : "upstream with error becomes valid" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : "test-name" , UID : testUID } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-08-12 17:00:18 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
AuthorizationConfig : v1alpha1 . OIDCAuthorizationConfig {
2021-10-18 23:41:31 +00:00
AdditionalScopes : append ( testAdditionalScopes , "xyz" , "openid" ) , // adds openid unnecessarily
2021-08-12 17:00:18 +00:00
AllowPasswordGrant : true ,
} ,
Claims : v1alpha1 . OIDCClaims { Groups : testGroupsClaim , Username : testUsernameClaim } ,
2020-11-11 23:10:06 +00:00
} ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
{ Type : "ClientCredentialsValid" , Status : "False" , LastTransitionTime : earlier , Reason : "SomeError1" , Message : "some previous error 1" } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "False" , LastTransitionTime : earlier , Reason : "SomeError2" , Message : "some previous error 2" } ,
} ,
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI {
& oidctestutil . TestUpstreamOIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
Name : testName ,
ClientID : testClientID ,
AuthorizationURL : * testIssuerAuthorizeURL ,
2021-10-18 23:41:31 +00:00
Scopes : append ( testExpectedScopes , "xyz" ) , // includes openid only once
2021-10-08 22:48:21 +00:00
UsernameClaim : testUsernameClaim ,
GroupsClaim : testGroupsClaim ,
AllowPasswordGrant : true ,
2021-10-14 22:49:44 +00:00
AdditionalAuthcodeParams : map [ string ] string { } ,
2021-10-08 22:48:21 +00:00
ResourceUID : testUID ,
2020-11-30 20:54:11 +00:00
} ,
} ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , UID : testUID } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2020-11-11 23:10:06 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : now , Reason : "Success" , Message : "loaded client credentials" } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : now , Reason : "Success" , Message : "discovered issuer configuration" } ,
} ,
} ,
} } ,
} ,
{
2021-10-18 23:41:31 +00:00
name : "existing valid upstream with default authorizationConfig" ,
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
Spec : v1alpha1 . OIDCIdentityProviderSpec {
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
Claims : v1alpha1 . OIDCClaims { Groups : testGroupsClaim , Username : testUsernameClaim } ,
} ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier ,
2021-10-18 23:41:31 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" } ,
} ,
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantLogs : [ ] string {
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-10-18 23:41:31 +00:00
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI {
& oidctestutil . TestUpstreamOIDCIdentityProvider {
Name : testName ,
ClientID : testClientID ,
AuthorizationURL : * testIssuerAuthorizeURL ,
Scopes : testDefaultExpectedScopes ,
UsernameClaim : testUsernameClaim ,
GroupsClaim : testGroupsClaim ,
AllowPasswordGrant : false ,
AdditionalAuthcodeParams : map [ string ] string { } ,
ResourceUID : testUID ,
} ,
} ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
{ Type : "AdditionalAuthorizeParametersValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "additionalAuthorizeParameters parameter names are allowed" , ObservedGeneration : 1234 } ,
2021-10-18 23:41:31 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" , ObservedGeneration : 1234 } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" , ObservedGeneration : 1234 } ,
} ,
} ,
} } ,
} ,
{
name : "existing valid upstream with additionalScopes set to override the default" ,
2020-12-16 22:27:09 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
2020-12-16 22:27:09 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-08-12 17:00:18 +00:00
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2021-10-14 22:49:44 +00:00
Claims : v1alpha1 . OIDCClaims { Groups : testGroupsClaim , Username : testUsernameClaim } ,
2021-08-12 17:00:18 +00:00
AuthorizationConfig : v1alpha1 . OIDCAuthorizationConfig {
2021-10-18 23:41:31 +00:00
AdditionalScopes : testAdditionalScopes ,
2021-08-12 17:00:18 +00:00
} ,
2020-11-11 23:10:06 +00:00
} ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier ,
2020-11-11 23:10:06 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" } ,
} ,
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantLogs : [ ] string {
2021-04-09 15:43:09 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2020-11-11 23:10:06 +00:00
} ,
2020-11-30 20:54:11 +00:00
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI {
& oidctestutil . TestUpstreamOIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
Name : testName ,
ClientID : testClientID ,
AuthorizationURL : * testIssuerAuthorizeURL ,
2021-10-18 23:41:31 +00:00
Scopes : testExpectedScopes ,
2021-10-08 22:48:21 +00:00
UsernameClaim : testUsernameClaim ,
GroupsClaim : testGroupsClaim ,
AllowPasswordGrant : false ,
2021-10-14 22:49:44 +00:00
AdditionalAuthcodeParams : map [ string ] string { } ,
2021-10-08 22:48:21 +00:00
ResourceUID : testUID ,
2020-11-30 20:54:11 +00:00
} ,
} ,
2020-12-16 22:27:09 +00:00
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
2020-12-16 22:27:09 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
2020-11-11 23:10:06 +00:00
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
{ Type : "AdditionalAuthorizeParametersValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "additionalAuthorizeParameters parameter names are allowed" , ObservedGeneration : 1234 } ,
2020-11-11 23:10:06 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" , ObservedGeneration : 1234 } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" , ObservedGeneration : 1234 } ,
} ,
} ,
} } ,
} ,
2021-05-10 04:22:34 +00:00
{
2021-10-14 22:49:44 +00:00
name : "existing valid upstream with trailing slash and more optional settings" ,
2021-05-10 04:22:34 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
2021-05-10 04:22:34 +00:00
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL + "/ends-with-slash/" ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
AuthorizationConfig : v1alpha1 . OIDCAuthorizationConfig {
AdditionalScopes : testAdditionalScopes ,
AdditionalAuthorizeParameters : testAdditionalParams ,
AllowPasswordGrant : true ,
} ,
Claims : v1alpha1 . OIDCClaims { Groups : testGroupsClaim , Username : testUsernameClaim } ,
2021-05-10 04:22:34 +00:00
} ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidConditionEarlier ,
2021-05-10 04:22:34 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" } ,
} ,
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantLogs : [ ] string {
2021-05-11 18:09:37 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-05-10 04:22:34 +00:00
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI {
& oidctestutil . TestUpstreamOIDCIdentityProvider {
2021-10-08 22:48:21 +00:00
Name : testName ,
ClientID : testClientID ,
AuthorizationURL : * testIssuerAuthorizeURL ,
2021-10-18 23:41:31 +00:00
Scopes : testExpectedScopes , // does not include the default scopes
2021-10-08 22:48:21 +00:00
UsernameClaim : testUsernameClaim ,
GroupsClaim : testGroupsClaim ,
2021-10-14 22:49:44 +00:00
AllowPasswordGrant : true ,
2021-10-08 22:48:21 +00:00
AdditionalAuthcodeParams : testExpectedAdditionalParams ,
ResourceUID : testUID ,
2021-05-10 04:22:34 +00:00
} ,
} ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
2021-10-08 22:48:21 +00:00
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
2021-05-10 04:22:34 +00:00
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Ready" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
{ Type : "AdditionalAuthorizeParametersValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "additionalAuthorizeParameters parameter names are allowed" , ObservedGeneration : 1234 } ,
2021-05-10 04:22:34 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "loaded client credentials" , ObservedGeneration : 1234 } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : earlier , Reason : "Success" , Message : "discovered issuer configuration" , ObservedGeneration : 1234 } ,
} ,
} ,
} } ,
} ,
2021-10-14 22:49:44 +00:00
{
name : "has disallowed additionalAuthorizeParams keys" ,
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
Spec : v1alpha1 . OIDCIdentityProviderSpec {
Issuer : testIssuerURL ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
AuthorizationConfig : v1alpha1 . OIDCAuthorizationConfig {
AdditionalAuthorizeParameters : [ ] v1alpha1 . Parameter {
{ Name : "response_type" , Value : "foo" } ,
{ Name : "scope" , Value : "foo" } ,
{ Name : "client_id" , Value : "foo" } ,
{ Name : "state" , Value : "foo" } ,
{ Name : "nonce" , Value : "foo" } ,
{ Name : "code_challenge" , Value : "foo" } ,
{ Name : "code_challenge_method" , Value : "foo" } ,
{ Name : "redirect_uri" , Value : "foo" } ,
2021-10-18 23:41:31 +00:00
{ Name : "hd" , Value : "foo" } ,
2021-10-14 22:49:44 +00:00
{ Name : "this_one_is_allowed" , Value : "foo" } ,
} ,
} ,
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="discovered issuer configuration" "reason"="Success" "status"="True" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-18 23:41:31 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd" "reason"="DisallowedParameterName" "status"="False" "type"="AdditionalAuthorizeParametersValid" ` ,
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="the following additionalAuthorizeParameters are not allowed: response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd" "name"="test-name" "namespace"="test-namespace" "reason"="DisallowedParameterName" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-10-14 22:49:44 +00:00
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName , Generation : 1234 , UID : testUID } ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
{ Type : "AdditionalAuthorizeParametersValid" , Status : "False" , LastTransitionTime : now , Reason : "DisallowedParameterName" ,
Message : "the following additionalAuthorizeParameters are not allowed: " +
2021-10-18 23:41:31 +00:00
"response_type,scope,client_id,state,nonce,code_challenge,code_challenge_method,redirect_uri,hd" , ObservedGeneration : 1234 } ,
2021-10-14 22:49:44 +00:00
{ Type : "ClientCredentialsValid" , Status : "True" , LastTransitionTime : now , Reason : "Success" , Message : "loaded client credentials" , ObservedGeneration : 1234 } ,
{ Type : "OIDCDiscoverySucceeded" , Status : "True" , LastTransitionTime : now , Reason : "Success" , Message : "discovered issuer configuration" , ObservedGeneration : 1234 } ,
} ,
} ,
} } ,
} ,
2021-05-10 04:22:34 +00:00
{
2021-10-18 23:41:31 +00:00
name : "issuer is invalid URL, missing trailing slash when the OIDC discovery endpoint returns the URL with a trailing slash" ,
2021-05-10 04:22:34 +00:00
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-18 23:41:31 +00:00
Issuer : testIssuerURL + "/ends-with-slash" , // this does not end with slash when it should, thus this is an error case
2021-10-14 22:49:44 +00:00
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2021-05-10 04:22:34 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-05-11 18:09:37 +00:00
` oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="oidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /ends-with-slash\" got \" ` + testIssuerURL + ` /ends-with-slash/\"" "issuer"=" ` + testIssuerURL + ` /ends-with-slash" "name"="test-name" "namespace"="test-namespace" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /ends-with-slash\":\noidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /ends-with-slash\" got \" ` + testIssuerURL + ` /ends-with-slash/\"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-05-11 18:09:37 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /ends-with-slash\":\noidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /ends-with-slash\" got \" ` + testIssuerURL + ` /ends-with-slash/\"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded" ` ,
2021-05-10 04:22:34 +00:00
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2021-05-10 04:22:34 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "Unreachable" ,
Message : ` failed to perform OIDC discovery against " ` + testIssuerURL + ` / ends - with - slash " :
oidc : issuer did not match the issuer returned by provider , expected "` + testIssuerURL + `/ends-with-slash" got "` + testIssuerURL + `/ends-with-slash/" ` ,
} ,
} ,
} ,
} } ,
} ,
{
name : "issuer is invalid URL, extra trailing slash" ,
inputUpstreams : [ ] runtime . Object { & v1alpha1 . OIDCIdentityProvider {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Spec : v1alpha1 . OIDCIdentityProviderSpec {
2021-10-14 22:49:44 +00:00
Issuer : testIssuerURL + "/" ,
TLS : & v1alpha1 . TLSSpec { CertificateAuthorityData : testIssuerCABase64 } ,
Client : v1alpha1 . OIDCClient { SecretName : testSecretName } ,
2021-05-10 04:22:34 +00:00
} ,
} } ,
inputSecrets : [ ] runtime . Object { & corev1 . Secret {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testSecretName } ,
Type : "secrets.pinniped.dev/oidc-client" ,
Data : testValidSecretData ,
} } ,
wantErr : controllerlib . ErrSyntheticRequeue . Error ( ) ,
wantLogs : [ ] string {
2021-05-11 18:09:37 +00:00
` oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="oidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /\" got \" ` + testIssuerURL + ` \"" "issuer"=" ` + testIssuerURL + ` /" "name"="test-name" "namespace"="test-namespace" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid" ` ,
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /\":\noidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /\" got \" ` + testIssuerURL + ` \"" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded" ` ,
2021-10-22 17:23:21 +00:00
` oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid" ` ,
2021-05-11 18:09:37 +00:00
` oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \" ` + testIssuerURL + ` /\":\noidc: issuer did not match the issuer returned by provider, expected \" ` + testIssuerURL + ` /\" got \" ` + testIssuerURL + ` \"" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded" ` ,
2021-05-10 04:22:34 +00:00
} ,
wantResultingCache : [ ] provider . UpstreamOIDCIdentityProviderI { } ,
wantResultingUpstreams : [ ] v1alpha1 . OIDCIdentityProvider { {
ObjectMeta : metav1 . ObjectMeta { Namespace : testNamespace , Name : testName } ,
Status : v1alpha1 . OIDCIdentityProviderStatus {
Phase : "Error" ,
Conditions : [ ] v1alpha1 . Condition {
2021-10-22 17:23:21 +00:00
happyAdditionalAuthorizeParametersValidCondition ,
2021-05-10 04:22:34 +00:00
{
Type : "ClientCredentialsValid" ,
Status : "True" ,
LastTransitionTime : now ,
Reason : "Success" ,
Message : "loaded client credentials" ,
} ,
{
Type : "OIDCDiscoverySucceeded" ,
Status : "False" ,
LastTransitionTime : now ,
Reason : "Unreachable" ,
Message : ` failed to perform OIDC discovery against " ` + testIssuerURL + ` / " :
oidc : issuer did not match the issuer returned by provider , expected "` + testIssuerURL + `/" got "` + testIssuerURL + `" ` ,
} ,
} ,
} ,
} } ,
} ,
2020-11-11 23:10:06 +00:00
}
for _ , tt := range tests {
tt := tt
t . Run ( tt . name , func ( t * testing . T ) {
t . Parallel ( )
fakePinnipedClient := pinnipedfake . NewSimpleClientset ( tt . inputUpstreams ... )
pinnipedInformers := pinnipedinformers . NewSharedInformerFactory ( fakePinnipedClient , 0 )
fakeKubeClient := fake . NewSimpleClientset ( tt . inputSecrets ... )
kubeInformers := informers . NewSharedInformerFactory ( fakeKubeClient , 0 )
testLog := testlogger . New ( t )
cache := provider . NewDynamicUpstreamIDPProvider ( )
2021-04-07 23:12:13 +00:00
cache . SetOIDCIdentityProviders ( [ ] provider . UpstreamOIDCIdentityProviderI {
2020-11-30 20:54:11 +00:00
& upstreamoidc . ProviderConfig { Name : "initial-entry" } ,
} )
2020-11-11 23:10:06 +00:00
2021-05-12 21:00:39 +00:00
controller := New (
2020-11-11 23:10:06 +00:00
cache ,
fakePinnipedClient ,
2020-12-16 22:27:09 +00:00
pinnipedInformers . IDP ( ) . V1alpha1 ( ) . OIDCIdentityProviders ( ) ,
2020-11-11 23:10:06 +00:00
kubeInformers . Core ( ) . V1 ( ) . Secrets ( ) ,
2020-12-18 23:41:07 +00:00
testLog ,
controllerlib . WithInformer ,
)
2020-11-11 23:10:06 +00:00
2021-03-05 01:25:43 +00:00
ctx , cancel := context . WithCancel ( context . Background ( ) )
2020-11-11 23:10:06 +00:00
defer cancel ( )
pinnipedInformers . Start ( ctx . Done ( ) )
kubeInformers . Start ( ctx . Done ( ) )
controllerlib . TestRunSynchronously ( t , controller )
syncCtx := controllerlib . Context { Context : ctx , Key : controllerlib . Key { } }
if err := controllerlib . TestSync ( t , controller , syncCtx ) ; tt . wantErr != "" {
require . EqualError ( t , err , tt . wantErr )
} else {
require . NoError ( t , err )
}
require . Equal ( t , strings . Join ( tt . wantLogs , "\n" ) , strings . Join ( testLog . Lines ( ) , "\n" ) )
2020-11-18 21:38:13 +00:00
2021-04-07 23:12:13 +00:00
actualIDPList := cache . GetOIDCIdentityProviders ( )
2020-11-18 21:38:13 +00:00
require . Equal ( t , len ( tt . wantResultingCache ) , len ( actualIDPList ) )
for i := range actualIDPList {
2020-11-30 20:54:11 +00:00
actualIDP := actualIDPList [ i ] . ( * upstreamoidc . ProviderConfig )
require . Equal ( t , tt . wantResultingCache [ i ] . GetName ( ) , actualIDP . GetName ( ) )
require . Equal ( t , tt . wantResultingCache [ i ] . GetClientID ( ) , actualIDP . GetClientID ( ) )
require . Equal ( t , tt . wantResultingCache [ i ] . GetAuthorizationURL ( ) . String ( ) , actualIDP . GetAuthorizationURL ( ) . String ( ) )
require . Equal ( t , tt . wantResultingCache [ i ] . GetUsernameClaim ( ) , actualIDP . GetUsernameClaim ( ) )
require . Equal ( t , tt . wantResultingCache [ i ] . GetGroupsClaim ( ) , actualIDP . GetGroupsClaim ( ) )
2021-08-12 17:00:18 +00:00
require . Equal ( t , tt . wantResultingCache [ i ] . AllowsPasswordGrant ( ) , actualIDP . AllowsPasswordGrant ( ) )
2021-10-08 22:48:21 +00:00
require . Equal ( t , tt . wantResultingCache [ i ] . GetAdditionalAuthcodeParams ( ) , actualIDP . GetAdditionalAuthcodeParams ( ) )
require . Equal ( t , tt . wantResultingCache [ i ] . GetResourceUID ( ) , actualIDP . GetResourceUID ( ) )
2020-11-30 20:54:11 +00:00
require . ElementsMatch ( t , tt . wantResultingCache [ i ] . GetScopes ( ) , actualIDP . GetScopes ( ) )
2021-07-07 19:50:13 +00:00
// We always want to use the proxy from env on these clients, so although the following assertions
// are a little hacky, this is a cheap way to test that we are using it.
actualTransport , ok := actualIDP . Client . Transport . ( * http . Transport )
require . True ( t , ok , "expected cached provider to have client with Transport of type *http.Transport" )
httpProxyFromEnvFunction := reflect . ValueOf ( http . ProxyFromEnvironment ) . Pointer ( )
actualTransportProxyFunction := reflect . ValueOf ( actualTransport . Proxy ) . Pointer ( )
require . Equal ( t , httpProxyFromEnvFunction , actualTransportProxyFunction ,
"Transport should have used http.ProxyFromEnvironment as its Proxy func" )
2021-07-08 18:47:49 +00:00
// We also want a reasonable timeout on each request/response cycle for OIDC discovery and JWKS.
require . Equal ( t , time . Minute , actualIDP . Client . Timeout )
2020-11-18 21:38:13 +00:00
}
2020-11-11 23:10:06 +00:00
2020-12-16 22:27:09 +00:00
actualUpstreams , err := fakePinnipedClient . IDPV1alpha1 ( ) . OIDCIdentityProviders ( testNamespace ) . List ( ctx , metav1 . ListOptions { } )
2020-11-11 23:10:06 +00:00
require . NoError ( t , err )
2021-04-12 20:53:21 +00:00
// Assert on the expected Status of the upstreams. Preprocess the upstreams a bit so that they're easier to assert against.
require . ElementsMatch ( t , tt . wantResultingUpstreams , normalizeOIDCUpstreams ( actualUpstreams . Items , now ) )
2020-11-11 23:10:06 +00:00
// Running the sync() a second time should be idempotent except for logs, and should return the same error.
// This also helps exercise code paths where the OIDC provider discovery hits cache.
if err := controllerlib . TestSync ( t , controller , syncCtx ) ; tt . wantErr != "" {
require . EqualError ( t , err , tt . wantErr )
} else {
require . NoError ( t , err )
}
} )
}
}
2021-04-12 20:53:21 +00:00
func normalizeOIDCUpstreams ( upstreams [ ] v1alpha1 . OIDCIdentityProvider , now metav1 . Time ) [ ] v1alpha1 . OIDCIdentityProvider {
2020-12-16 22:27:09 +00:00
result := make ( [ ] v1alpha1 . OIDCIdentityProvider , 0 , len ( upstreams ) )
2020-11-11 23:10:06 +00:00
for _ , u := range upstreams {
normalized := u . DeepCopy ( )
// We're only interested in comparing the status, so zero out the spec.
2020-12-16 22:27:09 +00:00
normalized . Spec = v1alpha1 . OIDCIdentityProviderSpec { }
2020-11-11 23:10:06 +00:00
// Round down the LastTransitionTime values to `now` if they were just updated. This makes
// it much easier to encode assertions about the expected timestamps.
for i := range normalized . Status . Conditions {
if time . Since ( normalized . Status . Conditions [ i ] . LastTransitionTime . Time ) < 5 * time . Second {
normalized . Status . Conditions [ i ] . LastTransitionTime = now
}
}
result = append ( result , * normalized )
}
return result
}
2020-11-17 00:15:58 +00:00
func newTestIssuer ( t * testing . T ) ( string , string ) {
2020-11-11 23:10:06 +00:00
mux := http . NewServeMux ( )
2020-11-17 00:15:58 +00:00
caBundlePEM , testURL := testutil . TLSTestServer ( t , mux . ServeHTTP )
2020-11-11 23:10:06 +00:00
type providerJSON struct {
Issuer string ` json:"issuer" `
AuthURL string ` json:"authorization_endpoint" `
TokenURL string ` json:"token_endpoint" `
JWKSURL string ` json:"jwks_uri" `
}
// At the root of the server, serve an issuer with a valid discovery response.
mux . HandleFunc ( "/.well-known/openid-configuration" , func ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "content-type" , "application/json" )
_ = json . NewEncoder ( w ) . Encode ( & providerJSON {
2020-11-17 00:15:58 +00:00
Issuer : testURL ,
2020-11-11 23:10:06 +00:00
AuthURL : "https://example.com/authorize" ,
} )
} )
// At "/invalid", serve an issuer that returns an invalid authorization URL (not parseable).
mux . HandleFunc ( "/invalid/.well-known/openid-configuration" , func ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "content-type" , "application/json" )
_ = json . NewEncoder ( w ) . Encode ( & providerJSON {
2020-11-17 00:15:58 +00:00
Issuer : testURL + "/invalid" ,
2020-11-11 23:10:06 +00:00
AuthURL : "%" ,
} )
} )
// At "/insecure", serve an issuer that returns an insecure authorization URL (not https://).
mux . HandleFunc ( "/insecure/.well-known/openid-configuration" , func ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "content-type" , "application/json" )
_ = json . NewEncoder ( w ) . Encode ( & providerJSON {
2020-11-17 00:15:58 +00:00
Issuer : testURL + "/insecure" ,
2020-11-11 23:10:06 +00:00
AuthURL : "http://example.com/authorize" ,
} )
} )
2021-05-10 04:22:34 +00:00
// handle the four issuer with trailing slash configs
// valid case in= out=
// handled above at the root of testURL
// valid case in=/ out=/
mux . HandleFunc ( "/ends-with-slash/.well-known/openid-configuration" , func ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "content-type" , "application/json" )
_ = json . NewEncoder ( w ) . Encode ( & providerJSON {
Issuer : testURL + "/ends-with-slash/" ,
AuthURL : "https://example.com/authorize" ,
} )
} )
// invalid case in= out=/
// can be tested using /ends-with-slash/ endpoint
// invalid case in=/ out=
// can be tested using root endpoint
2020-11-17 00:15:58 +00:00
return caBundlePEM , testURL
2020-11-11 23:10:06 +00:00
}