djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
38bfdd6b70
ContainerImage.Pinniped/test/integration/supervisor_login_test.go

1826 lines
88 KiB
Go
Raw Normal View History

Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
// SPDX-License-Identifier: Apache-2.0
package integration
import (
"context"
"crypto/tls"
"encoding/base64"
Start extending TestSupervisorLogin to test the token exchange flow (WIP). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 16:23:10 +00:00
"encoding/json"
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
"errors"
supervisor_login_test.go: wait for the `/jwks.json` endpoint to be ready - Also fail in a more obvious way if the token exchanged failed by adding an assertion about its status code
2020-12-17 01:59:39 +00:00
"fmt"
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
"io/ioutil"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
"net/http"
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
"net/http/httptest"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
"net/url"
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
"regexp"
test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 14:58:08 +00:00
"strings"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
"testing"
"time"
Upgrade to github.com/coreos/go-oidc v3.0.0. See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 17:54:44 +00:00
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
In TestSupervisorLogin, wrap the discovery request in an `Eventually()`. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 00:07:52 +00:00
"github.com/stretchr/testify/assert"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
"github.com/stretchr/testify/require"
"golang.org/x/oauth2"
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
v1 "k8s.io/api/core/v1"
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Use new 'go.pinniped.dev/generated/latest' package. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 19:00:08 +00:00
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
"go.pinniped.dev/internal/certauthority"
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
"go.pinniped.dev/internal/oidc"
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
"go.pinniped.dev/internal/psession"
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
"go.pinniped.dev/internal/testutil"
Move `./internal/oidcclient` to `./pkg/oidcclient`. This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 18:46:54 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
"go.pinniped.dev/pkg/oidcclient/pkce"
"go.pinniped.dev/pkg/oidcclient/state"
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
"go.pinniped.dev/test/testlib"
"go.pinniped.dev/test/testlib/browsertest"
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
)
Enforce naming convention for browser based tests This allows us to target browser based tests with the regex: go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser' New tests that call browsertest.Open will automatically be forced to follow this convention. Signed-off-by: Monis Khan <mok@vmware.com>
2022-02-16 14:20:28 +00:00
func TestSupervisorLogin_Browser(t *testing.T) {
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
env := testlib.IntegrationEnv(t)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
skipNever := func(t *testing.T) {
// never need to skip this test
}
skipLDAPTests := func(t *testing.T) {
t.Helper()
if len(env.ToolsNamespace) == 0 && !env.HasCapability(testlib.CanReachInternetLDAPPorts) {
t.Skip("LDAP integration test requires connectivity to an LDAP server")
}
}
skipActiveDirectoryTests := func(t *testing.T) {
t.Helper()
skipLDAPTests(t)
if env.SupervisorUpstreamActiveDirectory.Host == "" {
t.Skip("Active Directory hostname not specified")
}
}
basicOIDCIdentityProviderSpec := func() idpv1alpha1.OIDCIdentityProviderSpec {
return idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
},
Client: idpv1alpha1.OIDCClient{
SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
},
}
}
createActiveDirectoryIdentityProvider := func(t *testing.T, edit func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec)) (*idpv1alpha1.ActiveDirectoryIdentityProvider, *v1.Secret) {
t.Helper()
secret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ad-service-account", v1.SecretTypeBasicAuth,
map[string]string{
v1.BasicAuthUsernameKey: env.SupervisorUpstreamActiveDirectory.BindUsername,
v1.BasicAuthPasswordKey: env.SupervisorUpstreamActiveDirectory.BindPassword,
},
)
spec := idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
Host: env.SupervisorUpstreamActiveDirectory.Host,
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
},
Bind: idpv1alpha1.ActiveDirectoryIdentityProviderBind{
SecretName: secret.Name,
},
}
if edit != nil {
edit(&spec)
}
adIDP := testlib.CreateTestActiveDirectoryIdentityProvider(t, spec, idpv1alpha1.ActiveDirectoryPhaseReady)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
spec.Host, env.SupervisorUpstreamActiveDirectory.BindUsername,
secret.Name, secret.ResourceVersion,
)
requireSuccessfulActiveDirectoryIdentityProviderConditions(t, adIDP, expectedMsg)
return adIDP, secret
}
createLDAPIdentityProvider := func(t *testing.T, edit func(spec *idpv1alpha1.LDAPIdentityProviderSpec)) (*idpv1alpha1.LDAPIdentityProvider, *v1.Secret) {
t.Helper()
secret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
map[string]string{
v1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
v1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
},
)
spec := idpv1alpha1.LDAPIdentityProviderSpec{
Host: env.SupervisorUpstreamLDAP.Host,
TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
},
Bind: idpv1alpha1.LDAPIdentityProviderBind{
SecretName: secret.Name,
},
UserSearch: idpv1alpha1.LDAPIdentityProviderUserSearch{
Base: env.SupervisorUpstreamLDAP.UserSearchBase,
Filter: "",
Attributes: idpv1alpha1.LDAPIdentityProviderUserSearchAttributes{
Username: env.SupervisorUpstreamLDAP.TestUserMailAttributeName,
UID: env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
},
},
GroupSearch: idpv1alpha1.LDAPIdentityProviderGroupSearch{
Base: env.SupervisorUpstreamLDAP.GroupSearchBase,
Filter: "",
Attributes: idpv1alpha1.LDAPIdentityProviderGroupSearchAttributes{
GroupName: "dn",
},
},
}
if edit != nil {
edit(&spec)
}
ldapIDP := testlib.CreateTestLDAPIdentityProvider(t, spec, idpv1alpha1.LDAPPhaseReady)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
spec.Host, env.SupervisorUpstreamLDAP.BindUsername,
secret.Name, secret.ResourceVersion,
)
requireSuccessfulLDAPIdentityProviderConditions(t, ldapIDP, expectedMsg)
return ldapIDP, secret
}
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
tests := []struct {
Add integration test
2022-02-01 17:03:52 +00:00
name string
maybeSkip func(t *testing.T)
createTestUser func(t *testing.T) (string, string)
deleteTestUser func(t *testing.T, username string)
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization func(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client)
Add integration test
2022-02-01 17:03:52 +00:00
createIDP func(t *testing.T) string
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
wantLocalhostCallbackToNeverHappen bool
Add integration test
2022-02-01 17:03:52 +00:00
wantDownstreamIDTokenSubjectToMatch string
wantDownstreamIDTokenUsernameToMatch func(username string) string
wantDownstreamIDTokenGroups []string
wantErrorDescription string
wantErrorType string
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
// Either revoke the user's session on the upstream provider, or manipulate the user's session
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
// data in such a way that it should cause the next upstream refresh attempt to fail.
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string)
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
// Edit the refresh session data between the initial login and the refresh, which is expected to
// succeed.
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking func(t *testing.T, sessionData *psession.PinnipedSession, idpName, username string) []string
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
}{
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "oidc with default username and groups claim settings",
maybeSkip: skipNever,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
pinnipedSessionData := pinnipedSession.Custom
pinnipedSessionData.OIDC.UpstreamIssuer = "wrong-issuer"
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
},
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// the ID token Subject should include the upstream user ID after the upstream issuer name
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// the ID token Username should include the upstream user ID after the upstream issuer name
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" },
Fix OIDC assertion bug in TestSupervisorLogin introduced by LDAP branch
2021-05-28 17:37:46 +00:00
},
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "oidc with custom username and groups claim settings",
maybeSkip: skipNever,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
spec := basicOIDCIdentityProviderSpec()
spec.Claims = idpv1alpha1.OIDCClaims{
Username: env.SupervisorUpstreamOIDC.UsernameClaim,
Groups: env.SupervisorUpstreamOIDC.GroupsClaim,
}
spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
}
return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name
Fix OIDC assertion bug in TestSupervisorLogin introduced by LDAP branch
2021-05-28 17:37:46 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Check username claim is unchanged for oidc. Also add integration tests for claims changing.
2021-12-14 19:59:52 +00:00
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Extra["username"] = "some-incorrect-username"
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
},
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" },
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantDownstreamIDTokenGroups: env.SupervisorUpstreamOIDC.ExpectedGroups,
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking: func(t *testing.T, sessionData *psession.PinnipedSession, _, _ string) []string {
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
// even if we update this group to the wrong thing, we expect that it will return to the correct
// value after we refresh.
// However if there are no expected groups then they will not update, so we should skip this.
if len(env.SupervisorUpstreamOIDC.ExpectedGroups) > 0 {
sessionData.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"}
}
Add integration test
2022-02-01 17:03:52 +00:00
return env.SupervisorUpstreamOIDC.ExpectedGroups
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
},
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
},
WIP adding access token to storage upon login
2022-01-05 18:31:38 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "oidc without refresh token",
maybeSkip: skipNever,
WIP adding access token to storage upon login
2022-01-05 18:31:38 +00:00
createIDP: func(t *testing.T) string {
Keep all scopes except offline_access in integration test
2022-01-19 21:29:26 +00:00
var additionalScopes []string
// keep all the scopes except for offline access so we can test the access token based refresh flow.
if len(env.ToolsNamespace) == 0 {
additionalScopes = env.SupervisorUpstreamOIDC.AdditionalScopes
} else {
for _, additionalScope := range env.SupervisorUpstreamOIDC.AdditionalScopes {
if additionalScope != "offline_access" {
additionalScopes = append(additionalScopes, additionalScope)
}
}
}
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
spec := basicOIDCIdentityProviderSpec()
spec.Claims = idpv1alpha1.OIDCClaims{
Username: env.SupervisorUpstreamOIDC.UsernameClaim,
Groups: env.SupervisorUpstreamOIDC.GroupsClaim,
}
spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
AdditionalScopes: additionalScopes,
}
return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name
WIP adding access token to storage upon login
2022-01-05 18:31:38 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
WIP adding access token to storage upon login
2022-01-05 18:31:38 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Extra["username"] = "some-incorrect-username"
},
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" },
wantDownstreamIDTokenGroups: env.SupervisorUpstreamOIDC.ExpectedGroups,
},
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "oidc with CLI password flow",
maybeSkip: skipNever,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
spec := basicOIDCIdentityProviderSpec()
spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
AllowPasswordGrant: true, // allow the CLI password flow for this OIDCIdentityProvider
}
return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamOIDC.Username, // username to present to server during login
env.SupervisorUpstreamOIDC.Password, // password to present to server during login
httpClient,
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
false,
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
require.Equal(t, psession.ProviderTypeOIDC, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.OIDC.UpstreamRefreshToken)
customSessionData.OIDC.UpstreamRefreshToken = "invalid-updated-refresh-token"
},
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// the ID token Subject should include the upstream user ID after the upstream issuer name
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+",
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
// the ID token Username should include the upstream user ID after the upstream issuer name
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" },
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
},
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap with email as username and groups names as DNs and using an LDAP provider which supports TLS",
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
downstreamAuthorizeURL,
Changed TestLDAPUpstream.TestUsernameAttributeName back to TestUserMailAttributeName Also added TestUserSAMAccountNameValue Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-15 23:58:26 +00:00
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
false,
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
},
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking: func(t *testing.T, sessionData *psession.PinnipedSession, _, _ string) []string {
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
// even if we update this group to the wrong thing, we expect that it will return to the correct
// value after we refresh.
sessionData.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"}
Add integration test
2022-02-01 17:03:52 +00:00
return env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
},
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
customSessionData := pinnipedSession.Custom
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Subject = "not-right"
},
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap with browser flow",
maybeSkip: skipLDAPTests,
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
},
createTestUser: func(t *testing.T) (string, string) {
// return the username and password of the existing user that we want to use for this test
return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login
},
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAP,
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
},
Add integration test
2022-02-01 17:03:52 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap with browser flow with wrong password",
maybeSkip: skipLDAPTests,
createIDP: func(t *testing.T) string {
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
},
createTestUser: func(t *testing.T) (string, string) {
// return the username and password of the existing user that we want to use for this test
return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
"this is the wrong password" // password to present to server during login
Add integration test
2022-02-01 17:03:52 +00:00
},
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAPWithBadCredentials,
wantLocalhostCallbackToNeverHappen: true, // we should have been sent back to the login page to retry login
},
{
name: "ldap with browser flow with wrong username",
maybeSkip: skipLDAPTests,
Add integration test
2022-02-01 17:03:52 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
},
createTestUser: func(t *testing.T) (string, string) {
// return the username and password of the existing user that we want to use for this test
return "this is the wrong username", // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login
},
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAPWithBadCredentials,
wantLocalhostCallbackToNeverHappen: true, // we should have been sent back to the login page to retry login
},
{
name: "ldap with browser flow with wrong password and then correct password",
maybeSkip: skipLDAPTests,
createIDP: func(t *testing.T) string {
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
},
createTestUser: func(t *testing.T) (string, string) {
// return the username and password of the existing user that we want to use for this test
return env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword // password to present to server during login
},
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowLDAPWithBadCredentialsAndThenGoodCredentials,
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
},
{
name: "ldap skip group refresh",
maybeSkip: skipLDAPTests,
createIDP: func(t *testing.T) string {
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
spec.GroupSearch.SkipGroupRefresh = true
})
return idp.Name
Add integration test
2022-02-01 17:03:52 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Add integration test
2022-02-01 17:03:52 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
editRefreshSessionDataWithoutBreaking: func(t *testing.T, sessionData *psession.PinnipedSession, _, _ string) []string {
// update the list of groups to the wrong thing and see that they do not get updated because
// skip group refresh is set
wrongGroups := []string{"some-wrong-group", "some-other-group"}
sessionData.Fosite.Claims.Extra["groups"] = wrongGroups
return wrongGroups
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Subject = "not-right"
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
},
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
{
name: "ldap with email as username and group search base that doesn't return anything, and using an LDAP provider which supports TLS",
maybeSkip: func(t *testing.T) {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
skipLDAPTests(t)
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
if env.SupervisorUpstreamLDAP.UserSearchBase == env.SupervisorUpstreamLDAP.GroupSearchBase {
// This test relies on using the user search base as the group search base, to simulate
// searching for groups and not finding any.
// If the users and groups are stored in the same place, then we will get groups
// back, so this test wouldn't make sense.
t.Skip("must have a different user search base than group search base")
}
},
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
spec.GroupSearch.Base = env.SupervisorUpstreamLDAP.UserSearchBase // groups not stored at the user search base
})
return idp.Name
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking: func(t *testing.T, sessionData *psession.PinnipedSession, _, _ string) []string {
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
// even if we update this group to the wrong thing, we expect that it will return to the correct
Add integration test
2022-02-01 17:03:52 +00:00
// value (no groups) after we refresh.
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
sessionData.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"}
Add integration test
2022-02-01 17:03:52 +00:00
return []string{}
Add integration test where we don't get groups back
2022-02-11 18:23:44 +00:00
},
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
customSessionData := pinnipedSession.Custom
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Subject = "not-right"
},
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: []string{},
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap with CN as username and group names as CNs and using an LDAP provider which only supports StartTLS", // try another variation of configuration options
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
spec.Host = env.SupervisorUpstreamLDAP.StartTLSOnlyHost
spec.UserSearch.Filter = "cn={}" // try using a non-default search filter
spec.UserSearch.Attributes.Username = "dn" // try using the user's DN as the downstream username
spec.GroupSearch.Attributes.GroupName = "cn"
})
return idp.Name
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Optionally allow OIDC password grant for CLI-based login experience - Add `AllowPasswordGrant` boolean field to OIDCIdentityProvider's spec - The oidc upstream watcher controller copies the value of `AllowPasswordGrant` into the configuration of the cached provider - Add password grant to the UpstreamOIDCIdentityProviderI interface which is implemented by the cached provider instance for use in the authorization endpoint - Enhance the IDP discovery endpoint to return the supported "flows" for each IDP ("cli_password" and/or "browser_authcode") - Enhance `pinniped get kubeconfig` to help the user choose the desired flow for the selected IDP, and to write the flow into the resulting kubeconfg - Enhance `pinniped login oidc` to have a flow flag to tell it which client-side flow it should use for auth (CLI-based or browser-based) - In the Dex config, allow the resource owner password grant, which Dex implements to also return ID tokens, for use in integration tests - Enhance the authorize endpoint to perform password grant when requested by the incoming headers. This commit does not include unit tests for the enhancements to the authorize endpoint, which will come in the next commit - Extract some shared helpers from the callback endpoint to share the code with the authorize endpoint - Add new integration tests
2021-08-12 17:00:18 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserCN, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
false,
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Extra["username"] = "not-the-same"
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.StartTLSOnlyHost+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserDN) + "$" },
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsCNs,
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
},
Add integration test for wrong password with ldap
2021-07-26 23:32:46 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "logging in to ldap with the wrong password fails",
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
Add integration test for wrong password with ldap
2021-07-26 23:32:46 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
Add integration test for wrong password with ldap
2021-07-26 23:32:46 +00:00
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
"incorrect", // password to present to server during login
httpClient,
true,
)
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
wantErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.",
wantErrorType: "access_denied",
Add integration test for wrong password with ldap
2021-07-26 23:32:46 +00:00
},
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap login still works after updating bind secret",
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
t.Helper()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, secret := createLDAPIdentityProvider(t, nil)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
secret.Annotations = map[string]string{"pinniped.dev/test": "", "another-label": "another-key"}
// update that secret, which will cause the cache to recheck tls and search base values
client := testlib.NewKubernetesClientset(t)
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
updatedSecret, err := client.CoreV1().Secrets(env.SupervisorNamespace).Update(ctx, secret, metav1.UpdateOptions{})
require.NoError(t, err)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
env.SupervisorUpstreamLDAP.Host, env.SupervisorUpstreamLDAP.BindUsername,
updatedSecret.Name, updatedSecret.ResourceVersion,
)
supervisorClient := testlib.NewSupervisorClientset(t)
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, err = supervisorClient.IDPV1alpha1().LDAPIdentityProviders(env.SupervisorNamespace).Get(ctx, idp.Name, metav1.GetOptions{})
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requireEventually.NoError(err)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
requireEventuallySuccessfulLDAPIdentityProviderConditions(t, requireEventually, idp, expectedMsg)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
}, time.Minute, 500*time.Millisecond)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return idp.Name
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
customSessionData.LDAP.UserDN = "cn=not-a-user,dc=pinniped,dc=dev"
},
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap login still works after deleting and recreating the bind secret",
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
t.Helper()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, secret := createLDAPIdentityProvider(t, nil)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// delete, then recreate that secret, which will cause the cache to recheck tls and search base values
client := testlib.NewKubernetesClientset(t)
deleteCtx, deleteCancel := context.WithTimeout(context.Background(), time.Minute)
defer deleteCancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
err := client.CoreV1().Secrets(env.SupervisorNamespace).Delete(deleteCtx, secret.Name, metav1.DeleteOptions{})
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
require.NoError(t, err)
// create the secret again
recreateCtx, recreateCancel := context.WithTimeout(context.Background(), time.Minute)
defer recreateCancel()
recreatedSecret, err := client.CoreV1().Secrets(env.SupervisorNamespace).Create(recreateCtx, &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
Name: secret.Name,
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
Namespace: env.SupervisorNamespace,
},
Type: v1.SecretTypeBasicAuth,
StringData: map[string]string{
v1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
v1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
},
}, metav1.CreateOptions{})
require.NoError(t, err)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
env.SupervisorUpstreamLDAP.Host, env.SupervisorUpstreamLDAP.BindUsername,
recreatedSecret.Name, recreatedSecret.ResourceVersion,
)
supervisorClient := testlib.NewSupervisorClientset(t)
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, err = supervisorClient.IDPV1alpha1().LDAPIdentityProviders(env.SupervisorNamespace).Get(ctx, idp.Name, metav1.GetOptions{})
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requireEventually.NoError(err)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
requireEventuallySuccessfulLDAPIdentityProviderConditions(t, requireEventually, idp, expectedMsg)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
}, time.Minute, 500*time.Millisecond)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return idp.Name
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeLDAP, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.LDAP.UserDN)
customSessionData.LDAP.UserDN = "cn=not-a-user,dc=pinniped,dc=dev"
},
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
Active Directory cli options
2021-07-06 18:34:54 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory with all default options",
maybeSkip: skipActiveDirectoryTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, nil)
return idp.Name
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
downstreamAuthorizeURL,
Update test assertions to reflect userPrincipalName as username
2021-08-18 20:18:53 +00:00
env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue, // username to present to server during login
env.SupervisorUpstreamActiveDirectory.TestUserPassword, // password to present to server during login
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
httpClient,
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
false,
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeActiveDirectory, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.ActiveDirectory.UserDN)
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Extra["username"] = "not-the-same"
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamActiveDirectory.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamActiveDirectory.DefaultNamingContextSearchBase)+
"&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue,
) + "$",
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames,
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
},
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory with custom options",
maybeSkip: skipActiveDirectoryTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
spec.UserSearch = idpv1alpha1.ActiveDirectoryIdentityProviderUserSearch{
PR feedback
2021-07-26 23:03:12 +00:00
Base: env.SupervisorUpstreamActiveDirectory.UserSearchBase,
Filter: env.SupervisorUpstreamActiveDirectory.TestUserMailAttributeName + "={}",
Attributes: idpv1alpha1.ActiveDirectoryIdentityProviderUserSearchAttributes{
Username: env.SupervisorUpstreamActiveDirectory.TestUserMailAttributeName,
},
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
}
spec.GroupSearch = idpv1alpha1.ActiveDirectoryIdentityProviderGroupSearch{
PR feedback
2021-07-26 23:03:12 +00:00
Filter: "member={}", // excluding nested groups
Base: env.SupervisorUpstreamActiveDirectory.GroupSearchBase,
Attributes: idpv1alpha1.ActiveDirectoryIdentityProviderGroupSearchAttributes{
GroupName: "dn",
},
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
}
})
return idp.Name
PR feedback
2021-07-26 23:03:12 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
PR feedback
2021-07-26 23:03:12 +00:00
downstreamAuthorizeURL,
env.SupervisorUpstreamActiveDirectory.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamActiveDirectory.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeActiveDirectory, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.ActiveDirectory.UserDN)
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
fositeSessionData := pinnipedSession.Fosite
fositeSessionData.Claims.Subject = "not-right"
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
},
PR feedback
2021-07-26 23:03:12 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
Change sAMAccountName env vars to userPrincipalName and add E2E ActiveDirectory test also fixed regexes in supervisor_login_test to be anchored to the beginning and end
2021-08-26 23:18:05 +00:00
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamActiveDirectory.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamActiveDirectory.UserSearchBase)+
"&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue,
) + "$",
PR feedback
2021-07-26 23:03:12 +00:00
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserDirectGroupsDNs,
Active Directory cli options
2021-07-06 18:34:54 +00:00
},
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory login still works after updating bind secret",
maybeSkip: skipActiveDirectoryTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
t.Helper()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, secret := createActiveDirectoryIdentityProvider(t, nil)
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
secret.Annotations = map[string]string{"pinniped.dev/test": "", "another-label": "another-key"}
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// update that secret, which will cause the cache to recheck tls and search base values
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
client := testlib.NewKubernetesClientset(t)
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
updatedSecret, err := client.CoreV1().Secrets(env.SupervisorNamespace).Update(ctx, secret, metav1.UpdateOptions{})
require.NoError(t, err)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
env.SupervisorUpstreamActiveDirectory.Host, env.SupervisorUpstreamActiveDirectory.BindUsername,
updatedSecret.Name, updatedSecret.ResourceVersion,
)
supervisorClient := testlib.NewSupervisorClientset(t)
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, err = supervisorClient.IDPV1alpha1().ActiveDirectoryIdentityProviders(env.SupervisorNamespace).Get(ctx, idp.Name, metav1.GetOptions{})
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
requireEventually.NoError(err)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
requireEventuallySuccessfulActiveDirectoryIdentityProviderConditions(t, requireEventually, idp, expectedMsg)
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
}, time.Minute, 500*time.Millisecond)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return idp.Name
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue, // username to present to server during login
env.SupervisorUpstreamActiveDirectory.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeActiveDirectory, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.ActiveDirectory.UserDN)
customSessionData.ActiveDirectory.UserDN = "cn=not-a-user,dc=pinniped,dc=dev"
},
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamActiveDirectory.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamActiveDirectory.DefaultNamingContextSearchBase)+
"&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue,
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames,
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
},
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory login still works after deleting and recreating bind secret",
maybeSkip: skipActiveDirectoryTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
t.Helper()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, secret := createActiveDirectoryIdentityProvider(t, nil)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// delete the secret
client := testlib.NewKubernetesClientset(t)
deleteCtx, deleteCancel := context.WithTimeout(context.Background(), time.Minute)
defer deleteCancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
err := client.CoreV1().Secrets(env.SupervisorNamespace).Delete(deleteCtx, secret.Name, metav1.DeleteOptions{})
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
require.NoError(t, err)
// create the secret again
recreateCtx, recreateCancel := context.WithTimeout(context.Background(), time.Minute)
defer recreateCancel()
recreatedSecret, err := client.CoreV1().Secrets(env.SupervisorNamespace).Create(recreateCtx, &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
Name: secret.Name,
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
Namespace: env.SupervisorNamespace,
},
Type: v1.SecretTypeBasicAuth,
StringData: map[string]string{
v1.BasicAuthUsernameKey: env.SupervisorUpstreamActiveDirectory.BindUsername,
v1.BasicAuthPasswordKey: env.SupervisorUpstreamActiveDirectory.BindPassword,
},
}, metav1.CreateOptions{})
require.NoError(t, err)
expectedMsg := fmt.Sprintf(
`successfully able to connect to "%s" and bind as user "%s" [validated with Secret "%s" at version "%s"]`,
env.SupervisorUpstreamActiveDirectory.Host, env.SupervisorUpstreamActiveDirectory.BindUsername,
recreatedSecret.Name, recreatedSecret.ResourceVersion,
)
supervisorClient := testlib.NewSupervisorClientset(t)
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, err = supervisorClient.IDPV1alpha1().ActiveDirectoryIdentityProviders(env.SupervisorNamespace).Get(ctx, idp.Name, metav1.GetOptions{})
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requireEventually.NoError(err)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
requireEventuallySuccessfulActiveDirectoryIdentityProviderConditions(t, requireEventually, idp, expectedMsg)
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
}, time.Minute, 500*time.Millisecond)
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return idp.Name
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue, // username to present to server during login
env.SupervisorUpstreamActiveDirectory.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, _, _ string) {
Test for change to stored username or subject. All of this is still done staticly.
2021-10-26 23:24:02 +00:00
customSessionData := pinnipedSession.Custom
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
require.Equal(t, psession.ProviderTypeActiveDirectory, customSessionData.ProviderType)
require.NotEmpty(t, customSessionData.ActiveDirectory.UserDN)
customSessionData.ActiveDirectory.UserDN = "cn=not-a-user,dc=pinniped,dc=dev"
},
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamActiveDirectory.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamActiveDirectory.DefaultNamingContextSearchBase)+
"&sub="+env.SupervisorUpstreamActiveDirectory.TestUserUniqueIDAttributeValue,
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames,
},
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory login fails after the user password is changed",
maybeSkip: skipActiveDirectoryTests,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, nil)
return idp.Name
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
createTestUser: func(t *testing.T) (string, string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
return testlib.CreateFreshADTestUser(t, env)
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
deleteTestUser: func(t *testing.T, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.DeleteTestADUser(t, env, username)
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) {
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
testUserName, // username to present to server during login
testUserPassword, // password to present to server during login
httpClient,
false,
)
},
breakRefreshSessionData: func(t *testing.T, sessionData *psession.PinnipedSession, _, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.ChangeADTestUserPassword(t, env, username)
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
},
// we can't know the subject ahead of time because we created a new user and don't know their uid,
// so skip wantDownstreamIDTokenSubjectToMatch
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(username string) string {
return "^" + regexp.QuoteMeta(username+"@"+env.SupervisorUpstreamActiveDirectory.Domain) + "$"
},
wantDownstreamIDTokenGroups: []string{}, // none for now.
},
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory login fails after the user is deactivated",
maybeSkip: skipActiveDirectoryTests,
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, nil)
return idp.Name
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
},
createTestUser: func(t *testing.T) (string, string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
return testlib.CreateFreshADTestUser(t, env)
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
},
deleteTestUser: func(t *testing.T, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.DeleteTestADUser(t, env, username)
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) {
Active directory checks for deactivated user Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-05 18:53:07 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
testUserName, // username to present to server during login
testUserPassword, // password to present to server during login
httpClient,
false,
)
},
breakRefreshSessionData: func(t *testing.T, sessionData *psession.PinnipedSession, _, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.DeactivateADTestUser(t, env, username)
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
},
// we can't know the subject ahead of time because we created a new user and don't know their uid,
// so skip wantDownstreamIDTokenSubjectToMatch
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(username string) string {
return "^" + regexp.QuoteMeta(username+"@"+env.SupervisorUpstreamActiveDirectory.Domain) + "$"
},
wantDownstreamIDTokenGroups: []string{}, // none for now.
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
},
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "active directory login fails after the user is locked",
maybeSkip: skipActiveDirectoryTests,
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, nil)
return idp.Name
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
},
createTestUser: func(t *testing.T) (string, string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
return testlib.CreateFreshADTestUser(t, env)
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
},
deleteTestUser: func(t *testing.T, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.DeleteTestADUser(t, env, username)
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, testUserName, testUserPassword string, httpClient *http.Client) {
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
testUserName, // username to present to server during login
testUserPassword, // password to present to server during login
httpClient,
false,
)
},
breakRefreshSessionData: func(t *testing.T, sessionData *psession.PinnipedSession, _, username string) {
Add group change warning test for Active Directory Also refactor some of the AD test helper functions Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-02 17:50:07 +00:00
testlib.LockADTestUser(t, env, username)
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
},
// we can't know the subject ahead of time because we created a new user and don't know their uid,
// so skip wantDownstreamIDTokenSubjectToMatch
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(username string) string {
return "^" + regexp.QuoteMeta(username+"@"+env.SupervisorUpstreamActiveDirectory.Domain) + "$"
},
wantDownstreamIDTokenGroups: []string{},
},
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "logging in to active directory with a deactivated user fails",
maybeSkip: skipActiveDirectoryTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createActiveDirectoryIdentityProvider(t, nil)
return idp.Name
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
downstreamAuthorizeURL,
env.SupervisorUpstreamActiveDirectory.TestDeactivatedUserSAMAccountNameValue, // username to present to server during login
env.SupervisorUpstreamActiveDirectory.TestDeactivatedUserPassword, // password to present to server during login
httpClient,
true,
)
},
Basic upstream LDAP/AD refresh This stores the user DN in the session data upon login and checks that the entry still exists upon refresh. It doesn't check anything else about the entry yet.
2021-10-22 20:57:30 +00:00
breakRefreshSessionData: nil,
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
wantErrorDescription: "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider.",
wantErrorType: "access_denied",
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
},
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap refresh fails when username changes from email as username to dn as username",
maybeSkip: skipLDAPTests,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData: func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, _ string) {
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
// get the idp, update the config.
client := testlib.NewSupervisorClientset(t)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
upstreams := client.IDPV1alpha1().LDAPIdentityProviders(env.SupervisorNamespace)
ldapIDP, err := upstreams.Get(ctx, idpName, metav1.GetOptions{})
require.NoError(t, err)
ldapIDP.Spec.UserSearch.Attributes.Username = "dn"
_, err = upstreams.Update(ctx, ldapIDP, metav1.UpdateOptions{})
require.NoError(t, err)
time.Sleep(10 * time.Second) // wait for controllers to pick up the change
},
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
Check for locked users on ad upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-17 00:31:32 +00:00
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
},
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
{
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
name: "ldap refresh updates groups to be empty after deleting the group search base",
maybeSkip: skipLDAPTests,
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
createIDP: func(t *testing.T) string {
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
idp, _ := createLDAPIdentityProvider(t, nil)
return idp.Name
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
},
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization: func(t *testing.T, _, downstreamAuthorizeURL, _, _, _ string, httpClient *http.Client) {
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
requestAuthorizationUsingCLIPasswordFlow(t,
downstreamAuthorizeURL,
env.SupervisorUpstreamLDAP.TestUserMailAttributeValue, // username to present to server during login
env.SupervisorUpstreamLDAP.TestUserPassword, // password to present to server during login
httpClient,
false,
)
},
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking: func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, _ string) []string {
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
// get the idp, update the config.
client := testlib.NewSupervisorClientset(t)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
upstreams := client.IDPV1alpha1().LDAPIdentityProviders(env.SupervisorNamespace)
ldapIDP, err := upstreams.Get(ctx, idpName, metav1.GetOptions{})
require.NoError(t, err)
ldapIDP.Spec.GroupSearch.Base = ""
_, err = upstreams.Update(ctx, ldapIDP, metav1.UpdateOptions{})
require.NoError(t, err)
time.Sleep(10 * time.Second) // wait for controllers to pick up the change
Add integration test
2022-02-01 17:03:52 +00:00
return []string{}
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
},
// the ID token Subject should be the Host URL plus the value pulled from the requested UserSearch.Attributes.UID attribute
wantDownstreamIDTokenSubjectToMatch: "^" + regexp.QuoteMeta(
"ldaps://"+env.SupervisorUpstreamLDAP.Host+
"?base="+url.QueryEscape(env.SupervisorUpstreamLDAP.UserSearchBase)+
"&sub="+base64.RawURLEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeValue)),
) + "$",
// the ID token Username should have been pulled from the requested UserSearch.Attributes.Username attribute
wantDownstreamIDTokenUsernameToMatch: func(_ string) string {
return "^" + regexp.QuoteMeta(env.SupervisorUpstreamLDAP.TestUserMailAttributeValue) + "$"
},
Add integration test
2022-02-01 17:03:52 +00:00
wantDownstreamIDTokenGroups: env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs,
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
},
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
}
for _, test := range tests {
Enable skipping of LDAP int tests when a firewall will block them
2021-05-28 23:12:57 +00:00
tt := test
t.Run(tt.name, func(t *testing.T) {
tt.maybeSkip(t)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
testSupervisorLogin(t,
Enable skipping of LDAP int tests when a firewall will block them
2021-05-28 23:12:57 +00:00
tt.createIDP,
tt.requestAuthorization,
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
tt.editRefreshSessionDataWithoutBreaking,
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
tt.breakRefreshSessionData,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
tt.createTestUser,
tt.deleteTestUser,
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
tt.wantLocalhostCallbackToNeverHappen,
Enable skipping of LDAP int tests when a firewall will block them
2021-05-28 23:12:57 +00:00
tt.wantDownstreamIDTokenSubjectToMatch,
tt.wantDownstreamIDTokenUsernameToMatch,
tt.wantDownstreamIDTokenGroups,
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
tt.wantErrorDescription,
tt.wantErrorType,
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
})
}
}
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
func requireSuccessfulLDAPIdentityProviderConditions(t *testing.T, ldapIDP *idpv1alpha1.LDAPIdentityProvider, expectedLDAPConnectionValidMessage string) {
require.Len(t, ldapIDP.Status.Conditions, 3)
conditionsSummary := [][]string{}
for _, condition := range ldapIDP.Status.Conditions {
conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason})
t.Logf("Saw LDAPIdentityProvider Status.Condition Type=%s Status=%s Reason=%s Message=%s",
condition.Type, string(condition.Status), condition.Reason, condition.Message)
switch condition.Type {
case "BindSecretValid":
require.Equal(t, "loaded bind secret", condition.Message)
case "TLSConfigurationValid":
require.Equal(t, "loaded TLS configuration", condition.Message)
case "LDAPConnectionValid":
require.Equal(t, expectedLDAPConnectionValidMessage, condition.Message)
}
}
require.ElementsMatch(t, [][]string{
{"BindSecretValid", "True", "Success"},
{"TLSConfigurationValid", "True", "Success"},
{"LDAPConnectionValid", "True", "Success"},
}, conditionsSummary)
}
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
func requireSuccessfulActiveDirectoryIdentityProviderConditions(t *testing.T, adIDP *idpv1alpha1.ActiveDirectoryIdentityProvider, expectedActiveDirectoryConnectionValidMessage string) {
Fetch AD search base from defaultNamingContext when not specified
2021-07-21 20:24:54 +00:00
require.Len(t, adIDP.Status.Conditions, 4)
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
conditionsSummary := [][]string{}
for _, condition := range adIDP.Status.Conditions {
conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason})
t.Logf("Saw ActiveDirectoryIdentityProvider Status.Condition Type=%s Status=%s Reason=%s Message=%s",
condition.Type, string(condition.Status), condition.Reason, condition.Message)
switch condition.Type {
case "BindSecretValid":
require.Equal(t, "loaded bind secret", condition.Message)
case "TLSConfigurationValid":
require.Equal(t, "loaded TLS configuration", condition.Message)
Refactor active directory and ldap controllers to share almost everything Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-19 20:54:07 +00:00
case "LDAPConnectionValid":
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
require.Equal(t, expectedActiveDirectoryConnectionValidMessage, condition.Message)
}
}
PR feedback
2021-07-26 23:03:12 +00:00
expectedUserSearchReason := ""
if adIDP.Spec.UserSearch.Base == "" || adIDP.Spec.GroupSearch.Base == "" {
expectedUserSearchReason = "Success"
} else {
expectedUserSearchReason = "UsingConfigurationFromSpec"
}
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
require.ElementsMatch(t, [][]string{
{"BindSecretValid", "True", "Success"},
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
{"TLSConfigurationValid", "True", "Success"},
{"LDAPConnectionValid", "True", "Success"},
{"SearchBaseFound", "True", expectedUserSearchReason},
}, conditionsSummary)
}
ValidatedSettings is all or nothing If either the search base or the tls settings is invalid, just recheck everything.
2021-09-07 18:45:32 +00:00
func requireEventuallySuccessfulLDAPIdentityProviderConditions(t *testing.T, requireEventually *require.Assertions, ldapIDP *idpv1alpha1.LDAPIdentityProvider, expectedLDAPConnectionValidMessage string) {
t.Helper()
requireEventually.Len(ldapIDP.Status.Conditions, 3)
conditionsSummary := [][]string{}
for _, condition := range ldapIDP.Status.Conditions {
conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason})
t.Logf("Saw ActiveDirectoryIdentityProvider Status.Condition Type=%s Status=%s Reason=%s Message=%s",
condition.Type, string(condition.Status), condition.Reason, condition.Message)
switch condition.Type {
case "BindSecretValid":
requireEventually.Equal("loaded bind secret", condition.Message)
case "TLSConfigurationValid":
requireEventually.Equal("loaded TLS configuration", condition.Message)
case "LDAPConnectionValid":
requireEventually.Equal(expectedLDAPConnectionValidMessage, condition.Message)
}
}
requireEventually.ElementsMatch([][]string{
{"BindSecretValid", "True", "Success"},
{"TLSConfigurationValid", "True", "Success"},
{"LDAPConnectionValid", "True", "Success"},
}, conditionsSummary)
}
Make sure search base in the validatedSettings cache is properly updated when the bind secret changes
2021-09-03 00:17:15 +00:00
func requireEventuallySuccessfulActiveDirectoryIdentityProviderConditions(t *testing.T, requireEventually *require.Assertions, adIDP *idpv1alpha1.ActiveDirectoryIdentityProvider, expectedActiveDirectoryConnectionValidMessage string) {
t.Helper()
requireEventually.Len(adIDP.Status.Conditions, 4)
conditionsSummary := [][]string{}
for _, condition := range adIDP.Status.Conditions {
conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason})
t.Logf("Saw ActiveDirectoryIdentityProvider Status.Condition Type=%s Status=%s Reason=%s Message=%s",
condition.Type, string(condition.Status), condition.Reason, condition.Message)
switch condition.Type {
case "BindSecretValid":
requireEventually.Equal("loaded bind secret", condition.Message)
case "TLSConfigurationValid":
requireEventually.Equal("loaded TLS configuration", condition.Message)
case "LDAPConnectionValid":
requireEventually.Equal(expectedActiveDirectoryConnectionValidMessage, condition.Message)
}
}
expectedUserSearchReason := ""
if adIDP.Spec.UserSearch.Base == "" || adIDP.Spec.GroupSearch.Base == "" {
expectedUserSearchReason = "Success"
} else {
expectedUserSearchReason = "UsingConfigurationFromSpec"
}
requireEventually.ElementsMatch([][]string{
{"BindSecretValid", "True", "Success"},
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
{"TLSConfigurationValid", "True", "Success"},
Refactor active directory and ldap controllers to share almost everything Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-07-19 20:54:07 +00:00
{"LDAPConnectionValid", "True", "Success"},
PR feedback
2021-07-26 23:03:12 +00:00
{"SearchBaseFound", "True", expectedUserSearchReason},
WIP on active directory integration test
2021-07-07 16:23:32 +00:00
}, conditionsSummary)
}
Add authentication dry run validation to LDAPIdentityProvider Also force the LDAP server pod to restart whenever the LDIF file changes, so whenever you redeploy the tools deployment with a new test user password the server will be updated.
2021-04-16 21:04:05 +00:00
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
func testSupervisorLogin(
t *testing.T,
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
createIDP func(t *testing.T) string,
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization func(t *testing.T, downstreamIssuer string, downstreamAuthorizeURL string, downstreamCallbackURL string, username string, password string, httpClient *http.Client),
Add integration test
2022-02-01 17:03:52 +00:00
editRefreshSessionDataWithoutBreaking func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string) []string,
Integration test for updating group search base Also a small change to a comment
2022-02-15 21:52:33 +00:00
breakRefreshSessionData func(t *testing.T, pinnipedSession *psession.PinnipedSession, idpName, username string),
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
createTestUser func(t *testing.T) (string, string),
deleteTestUser func(t *testing.T, username string),
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
wantLocalhostCallbackToNeverHappen bool,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
wantDownstreamIDTokenSubjectToMatch string,
wantDownstreamIDTokenUsernameToMatch func(username string) string,
wantDownstreamIDTokenGroups []string,
wantErrorDescription string,
wantErrorType string,
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
) {
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
env := testlib.IntegrationEnv(t)
Try to capture more logs from the TestSupervisorLogin test. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 15:35:28 +00:00
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel()
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Infer the downstream issuer URL from the callback associated with the upstream test client registration.
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
issuerURL, err := url.Parse(env.SupervisorUpstreamOIDC.CallbackURL)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
require.NoError(t, err)
require.True(t, strings.HasSuffix(issuerURL.Path, "/callback"))
issuerURL.Path = strings.TrimSuffix(issuerURL.Path, "/callback")
t.Logf("testing with downstream issuer URL %s", issuerURL.String())
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Generate a CA bundle with which to serve this provider.
t.Logf("generating test CA")
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
ca, err := certauthority.New("Downstream Test CA", 1*time.Hour)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
require.NoError(t, err)
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Create an HTTP client that can reach the downstream discovery endpoint using the CA certs.
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
httpClient := &http.Client{
Transport: &http.Transport{
Update to github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2 - Two of the linters changed their names - Updated code and nolint comments to make all linters pass with 1.44.2 - Added a new hack/install-linter.sh script to help developers install the expected version of the linter for local development
2022-03-08 20:28:09 +00:00
TLSClientConfig: &tls.Config{RootCAs: ca.Pool()}, //nolint:gosec // not concerned with TLS MinVersion here
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
Proxy: func(req *http.Request) (*url.URL, error) {
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
if strings.HasPrefix(req.URL.Host, "127.0.0.1") {
// don't proxy requests to localhost to avoid proxying calls to our local callback listener
return nil, nil
}
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
if env.Proxy == "" {
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
t.Logf("passing request for %s with no proxy", testlib.RedactURLParams(req.URL))
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
return nil, nil
}
proxyURL, err := url.Parse(env.Proxy)
require.NoError(t, err)
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
t.Logf("passing request for %s through proxy %s", testlib.RedactURLParams(req.URL), proxyURL.String())
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
return proxyURL, nil
},
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
},
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
// Don't follow redirects automatically.
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
oidcHTTPClientContext := coreosoidc.ClientContext(ctx, httpClient)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Use the CA to issue a TLS server cert.
t.Logf("issuing test certificate")
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
tlsCert, err := ca.IssueServerCert([]string{issuerURL.Hostname()}, nil, 1*time.Hour)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
require.NoError(t, err)
certPEM, keyPEM, err := certauthority.ToPEM(tlsCert)
test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 14:58:08 +00:00
require.NoError(t, err)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Write the serving cert to a secret.
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
certSecret := testlib.CreateTestSecret(t,
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
env.SupervisorNamespace,
"oidc-provider-tls",
TLSCertObserverController Syncs less often by adjusting its filters - Only watches Secrets of type "kubernetes.io/tls" Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 23:10:17 +00:00
v1.SecretTypeTLS,
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 14:58:08 +00:00
)
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
// Create the downstream FederationDomain and expect it to go into the success status condition.
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
downstream := testlib.CreateTestFederationDomain(ctx, t,
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
issuerURL.String(),
certSecret.Name,
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 22:27:09 +00:00
configv1alpha1.SuccessFederationDomainStatusCondition,
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
)
test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 14:58:08 +00:00
supervisor_login_test.go: wait for the `/jwks.json` endpoint to be ready - Also fail in a more obvious way if the token exchanged failed by adding an assertion about its status code
2020-12-17 01:59:39 +00:00
// Ensure the the JWKS data is created and ready for the new FederationDomain by waiting for
// the `/jwks.json` endpoint to succeed, because there is no point in proceeding and eventually
// calling the token endpoint from this test until the JWKS data has been loaded into
// the server's in-memory JWKS cache for the token endpoint to use.
requestJWKSEndpoint, err := http.NewRequestWithContext(
ctx,
http.MethodGet,
fmt.Sprintf("%s/jwks.json", issuerURL.String()),
nil,
)
require.NoError(t, err)
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
supervisor_login_test.go: wait for the `/jwks.json` endpoint to be ready - Also fail in a more obvious way if the token exchanged failed by adding an assertion about its status code
2020-12-17 01:59:39 +00:00
rsp, err := httpClient.Do(requestJWKSEndpoint)
Improve our integration test "Eventually" assertions. This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes. This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-16 22:51:23 +00:00
requireEventually.NoError(err)
requireEventually.NoError(rsp.Body.Close())
requireEventually.Equal(http.StatusOK, rsp.StatusCode)
supervisor_login_test.go: wait for the `/jwks.json` endpoint to be ready - Also fail in a more obvious way if the token exchanged failed by adding an assertion about its status code
2020-12-17 01:59:39 +00:00
}, 30*time.Second, 200*time.Millisecond)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
// Create upstream IDP and wait for it to become ready.
extract ldap refresh search into helper function also added an integration test for refresh failing after updating the username attribute
2021-11-05 21:18:54 +00:00
idpName := createIDP(t)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
username, password := "", ""
if createTestUser != nil {
username, password = createTestUser(t)
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
if deleteTestUser != nil {
defer deleteTestUser(t, username)
}
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
}
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Perform OIDC discovery for our downstream.
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
var discovery *coreosoidc.Provider
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
Improve our integration test "Eventually" assertions. This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes. This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-16 22:51:23 +00:00
var err error
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
discovery, err = coreosoidc.NewProvider(oidcHTTPClientContext, downstream.Spec.Issuer)
Improve our integration test "Eventually" assertions. This fixes some rare test flakes caused by a data race inherent in the way we use `assert.Eventually()` with extra variables for followup assertions. This function is tricky to use correctly because it runs the passed function in a separate goroutine, and you have no guarantee that any shared variables are in a coherent state when the `assert.Eventually()` call returns. Even if you add manual mutexes, it's tricky to get the semantics right. This has been a recurring pain point and the cause of several test flakes. This change introduces a new `library.RequireEventually()` that works by internally constructing a per-loop `*require.Assertions` and running everything on a single goroutine (using `wait.PollImmediate()`). This makes it very easy to write eventual assertions. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-16 22:51:23 +00:00
requireEventually.NoError(err)
Tweak these timeouts to be a bit faster (and retrigger CI). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 19:22:27 +00:00
}, 30*time.Second, 200*time.Millisecond)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Start a callback server on localhost.
localCallbackServer := startLocalCallbackServer(t)
test/integration: get downstream issuer path from upstream redirect See comment in the code. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 14:58:08 +00:00
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Form the OAuth2 configuration corresponding to our CLI client.
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
// Note that this is not using response_type=form_post, so the Supervisor will redirect to the callback endpoint
// directly, without using the Javascript form_post HTML page to POST back to the callback endpoint. The e2e
// tests which use the Pinniped CLI are testing the form_post part of the flow, so that is covered elsewhere.
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
downstreamOAuth2Config := oauth2.Config{
// This is the hardcoded public client that the supervisor supports.
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
ClientID: "pinniped-cli",
Endpoint: discovery.Endpoint(),
RedirectURL: localCallbackServer.URL,
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience". This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet. There is also a small typo fix in some flag usages (s/RF8693/RFC8693/) Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:59:57 +00:00
Scopes: []string{"openid", "pinniped:request-audience", "offline_access"},
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
}
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Build a valid downstream authorize URL for the supervisor.
stateParam, err := state.Generate()
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
require.NoError(t, err)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
nonceParam, err := nonce.Generate()
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
require.NoError(t, err)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
pkceParam, err := pkce.Generate()
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
require.NoError(t, err)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
downstreamAuthorizeURL := downstreamOAuth2Config.AuthCodeURL(
stateParam.String(),
nonceParam.Param(),
pkceParam.Challenge(),
pkceParam.Method(),
)
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
// Perform parameterized auth code acquisition.
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
requestAuthorization(t, downstream.Spec.Issuer, downstreamAuthorizeURL, localCallbackServer.URL, username, password, httpClient)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
// Expect that our callback handler was invoked.
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
callback, err := localCallbackServer.waitForCallback(10 * time.Second)
if wantLocalhostCallbackToNeverHappen {
require.Error(t, err)
// When we want the localhost callback to have never happened, then this is the end of the test. The login was
// unable to finish so there is nothing to assert about what should have happened with the callback, and there
// won't be any error sent to the callback either.
return
}
// Else, no error.
require.NoError(t, err)
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
t.Logf("got callback request: %s", testlib.MaskTokens(callback.URL.String()))
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
if wantErrorType == "" {
require.Equal(t, stateParam.String(), callback.URL.Query().Get("state"))
require.ElementsMatch(t, []string{"openid", "pinniped:request-audience", "offline_access"}, strings.Split(callback.URL.Query().Get("scope"), " "))
authcode := callback.URL.Query().Get("code")
require.NotEmpty(t, authcode)
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 17:13:27 +00:00
// Authcodes should start with the custom prefix "pin_ac_" to make them identifiable as authcodes when seen by a user out of context.
require.True(t, strings.HasPrefix(authcode, "pin_ac_"), "token %q did not have expected prefix 'pin_ac_'", authcode)
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
// Call the token endpoint to get tokens.
tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier())
require.NoError(t, err)
expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username", "groups"}
verifyTokenResponse(t,
tokenResponse, discovery, downstreamOAuth2Config, nonceParam,
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), wantDownstreamIDTokenGroups)
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
// token exchange on the original token
doTokenExchange(t, &downstreamOAuth2Config, tokenResponse, httpClient, discovery)
Add integration test
2022-02-01 17:03:52 +00:00
refreshedGroups := wantDownstreamIDTokenGroups
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
if editRefreshSessionDataWithoutBreaking != nil {
latestRefreshToken := tokenResponse.RefreshToken
signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken)
// First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
kubeClient := testlib.NewKubernetesClientset(t)
supervisorSecretsClient := kubeClient.CoreV1().Secrets(env.SupervisorNamespace)
oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, oidc.DefaultOIDCTimeoutsConfiguration())
storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
require.NoError(t, err)
// Next mutate the part of the session that is used during upstream refresh.
pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession)
require.True(t, ok, "should have been able to cast session data to PinnipedSession")
Add integration test
2022-02-01 17:03:52 +00:00
refreshedGroups = editRefreshSessionDataWithoutBreaking(t, pinnipedSession, idpName, username)
Upstream ldap group refresh: - Doing it inline on the refresh request
2022-01-26 00:19:56 +00:00
// Then save the mutated Secret back to Kubernetes.
// There is no update function, so delete and create again at the same name.
require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken))
require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession))
}
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
// Use the refresh token to get new tokens
refreshSource := downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: tokenResponse.RefreshToken})
refreshedTokenResponse, err := refreshSource.Token()
require.NoError(t, err)
// When refreshing, expect to get an "at_hash" claim, but no "nonce" claim.
expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "groups", "at_hash"}
verifyTokenResponse(t,
refreshedTokenResponse, discovery, downstreamOAuth2Config, "",
Add integration test
2022-02-01 17:03:52 +00:00
expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch(username), refreshedGroups)
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken)
require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken)
require.NotEqual(t, tokenResponse.Extra("id_token"), refreshedTokenResponse.Extra("id_token"))
// token exchange on the refreshed token
doTokenExchange(t, &downstreamOAuth2Config, refreshedTokenResponse, httpClient, discovery)
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
// Now that we have successfully performed a refresh, let's test what happens when an
// upstream refresh fails during the next downstream refresh.
if breakRefreshSessionData != nil {
latestRefreshToken := refreshedTokenResponse.RefreshToken
signatureOfLatestRefreshToken := getFositeDataSignature(t, latestRefreshToken)
// First use the latest downstream refresh token to look up the corresponding session in the Supervisor's storage.
kubeClient := testlib.NewKubernetesClientset(t)
supervisorSecretsClient := kubeClient.CoreV1().Secrets(env.SupervisorNamespace)
oauthStore := oidc.NewKubeStorage(supervisorSecretsClient, oidc.DefaultOIDCTimeoutsConfiguration())
storedRefreshSession, err := oauthStore.GetRefreshTokenSession(ctx, signatureOfLatestRefreshToken, nil)
require.NoError(t, err)
// Next mutate the part of the session that is used during upstream refresh.
pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession)
require.True(t, ok, "should have been able to cast session data to PinnipedSession")
Active Directory checks whether password has changed recently during upstream refresh Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-10-28 19:00:56 +00:00
breakRefreshSessionData(t, pinnipedSession, idpName, username)
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
// Then save the mutated Secret back to Kubernetes.
// There is no update function, so delete and create again at the same name.
require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, signatureOfLatestRefreshToken))
require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, signatureOfLatestRefreshToken, storedRefreshSession))
// Now try to perform a downstream refresh again, knowing that the corresponding upstream refresh should fail.
_, err = downstreamOAuth2Config.TokenSource(oidcHTTPClientContext, &oauth2.Token{RefreshToken: latestRefreshToken}).Token()
// Should have got an error since the upstream refresh should have failed.
require.Error(t, err)
require.Regexp(t,
regexp.QuoteMeta("oauth2: cannot fetch token: 401 Unauthorized\n")+
Refactors: - pull construction of authenticators.Response into searchAndBindUser - remove information about the identity provider in the error that gets returned to users. Put it in debug instead, where it may show up in logs. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-11-03 22:17:50 +00:00
regexp.QuoteMeta(`Response: {"error":"error","error_description":"Error during upstream refresh. Upstream refresh failed`)+
"[^']+",
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
err.Error(),
)
}
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
} else {
errorDescription := callback.URL.Query().Get("error_description")
errorType := callback.URL.Query().Get("error")
require.Equal(t, errorDescription, wantErrorDescription)
require.Equal(t, errorType, wantErrorType)
}
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
}
Add integration test: upstream refresh failure during downstream refresh
2021-10-13 22:12:19 +00:00
// getFositeDataSignature returns the signature of the provided data. The provided data could be an auth code, access
// token, etc. It is assumed that the code is of the format "data.signature", which is how Fosite generates auth codes
// and access tokens.
func getFositeDataSignature(t *testing.T, data string) string {
split := strings.Split(data, ".")
require.Len(t, split, 2)
return split[1]
}
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
func verifyTokenResponse(
t *testing.T,
tokenResponse *oauth2.Token,
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
discovery *coreosoidc.Provider,
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
downstreamOAuth2Config oauth2.Config,
nonceParam nonce.Nonce,
expectedIDTokenClaims []string,
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch string, wantDownstreamIDTokenGroups []string,
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
) {
All controller unit tests should not cancel context until test is over All controller unit tests were accidentally using a timeout context for the informers, instead of a cancel context which stays alive until each test is completely finished. There is no reason to risk unpredictable behavior of a timeout being reached during an individual test, even though with the previous 3 second timeout it could only be reached on a machine which is running orders of magnitude slower than usual, since each test usually runs in about 100-300 ms. Unfortunately, sometimes our CI workers might get that slow. This sparked a review of other usages of timeout contexts in other tests, and all of them were increased to a minimum value of 1 minute, under the rule of thumb that our tests will be more reliable on slow machines if they "pass fast and fail slow".
2021-03-05 01:25:43 +00:00
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
defer cancel()
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
// Verify the ID Token.
rawIDToken, ok := tokenResponse.Extra("id_token").(string)
require.True(t, ok, "expected to get an ID token but did not")
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
var verifier = discovery.Verifier(&coreosoidc.Config{ClientID: downstreamOAuth2Config.ClientID})
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
idToken, err := verifier.Verify(ctx, rawIDToken)
require.NoError(t, err)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// Check the sub claim of the ID token.
require.Regexp(t, wantDownstreamIDTokenSubjectToMatch, idToken.Subject)
// Check the nonce claim of the ID token.
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
require.NoError(t, nonceParam.Validate(idToken))
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// Check the exp claim of the ID token.
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
expectedIDTokenLifetime := oidc.DefaultOIDCTimeoutsConfiguration().IDTokenLifespan
testutil.RequireTimeInDelta(t, time.Now().UTC().Add(expectedIDTokenLifetime), idToken.Expiry, time.Second*30)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// Check the full list of claim names of the ID token.
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
idTokenClaims := map[string]interface{}{}
err = idToken.Claims(&idTokenClaims)
require.NoError(t, err)
idTokenClaimNames := []string{}
for k := range idTokenClaims {
idTokenClaimNames = append(idTokenClaimNames, k)
}
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
// Check username claim of the ID token.
require.Regexp(t, wantDownstreamIDTokenUsernameToMatch, idTokenClaims["username"].(string))
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
Initial support for upstream LDAP group membership Reflect the upstream group membership into the Supervisor's downstream tokens, so they can be added to the user's identity on the workload clusters. LDAP group search is configurable on the LDAPIdentityProvider resource.
2021-05-17 18:10:26 +00:00
// Check the groups claim.
require.ElementsMatch(t, wantDownstreamIDTokenGroups, idTokenClaims["groups"])
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
// Some light verification of the other tokens that were returned.
require.NotEmpty(t, tokenResponse.AccessToken)
require.Equal(t, "bearer", tokenResponse.TokenType)
require.NotZero(t, tokenResponse.Expiry)
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
expectedAccessTokenLifetime := oidc.DefaultOIDCTimeoutsConfiguration().AccessTokenLifespan
testutil.RequireTimeInDelta(t, time.Now().UTC().Add(expectedAccessTokenLifetime), tokenResponse.Expiry, time.Second*30)
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 17:13:27 +00:00
// Access tokens should start with the custom prefix "pin_at_" to make them identifiable as access tokens when seen by a user out of context.
require.True(t, strings.HasPrefix(tokenResponse.AccessToken, "pin_at_"), "token %q did not have expected prefix 'pin_at_'", tokenResponse.AccessToken)
Integration tests call supervisor token endpoint and validate response Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-05 01:07:04 +00:00
Integration test for refresh grant Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-10 01:07:37 +00:00
require.NotEmpty(t, tokenResponse.RefreshToken)
Add custom prefix to downstream access and refresh tokens and authcodes
2022-04-13 17:13:27 +00:00
// Refresh tokens should start with the custom prefix "pin_rt_" to make them identifiable as refresh tokens when seen by a user out of context.
require.True(t, strings.HasPrefix(tokenResponse.RefreshToken, "pin_rt_"), "token %q did not have expected prefix 'pin_rt_'", tokenResponse.RefreshToken)
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
}
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
func requestAuthorizationUsingBrowserAuthcodeFlowOIDC(t *testing.T, _, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) {
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
t.Helper()
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
env := testlib.IntegrationEnv(t)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
defer cancelFunc()
// Make the authorize request once "manually" so we can check its response security headers.
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
makeAuthorizationRequestAndRequireSecurityHeaders(ctx, t, downstreamAuthorizeURL, httpClient)
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
// Open the web browser and navigate to the downstream authorize URL.
page := browsertest.Open(t)
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
require.NoError(t, page.Navigate(downstreamAuthorizeURL))
// Expect to be redirected to the upstream provider and log in.
Extract browsertest.LoginToUpstreamLDAP() integration test helper
2022-05-09 22:43:36 +00:00
browsertest.LoginToUpstreamOIDC(t, page, env.SupervisorUpstreamOIDC)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
// Wait for the login to happen and us be redirected back to a localhost callback.
t.Logf("waiting for redirect to callback")
callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(downstreamCallbackURL) + `\?.+\z`)
browsertest.WaitForURL(t, page, callbackURLPattern)
}
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
func requestAuthorizationUsingBrowserAuthcodeFlowLDAP(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) {
t.Helper()
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
defer cancelFunc()
// Make the authorize request once "manually" so we can check its response security headers.
makeAuthorizationRequestAndRequireSecurityHeaders(ctx, t, downstreamAuthorizeURL, httpClient)
// Open the web browser and navigate to the downstream authorize URL.
page := browsertest.Open(t)
t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
require.NoError(t, page.Navigate(downstreamAuthorizeURL))
// Expect to be redirected to the upstream provider and log in.
browsertest.LoginToUpstreamLDAP(t, page, downstreamIssuer, username, password)
// Wait for the login to happen and us be redirected back to a localhost callback.
t.Logf("waiting for redirect to callback")
callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(downstreamCallbackURL) + `\?.+\z`)
browsertest.WaitForURL(t, page, callbackURLPattern)
}
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
func requestAuthorizationUsingBrowserAuthcodeFlowLDAPWithBadCredentials(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, _, username, password string, _ *http.Client) {
t.Helper()
// Open the web browser and navigate to the downstream authorize URL.
page := browsertest.Open(t)
t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
require.NoError(t, page.Navigate(downstreamAuthorizeURL))
// This functions assumes that it has been passed either a bad username or a bad password, and submits the
// provided credentials. Expect to be redirected to the upstream provider and attempt to log in.
browsertest.LoginToUpstreamLDAP(t, page, downstreamIssuer, username, password)
// After failing login expect to land back on the login page again with an error message.
browsertest.WaitForUpstreamLDAPLoginPageWithError(t, page, downstreamIssuer)
}
func requestAuthorizationUsingBrowserAuthcodeFlowLDAPWithBadCredentialsAndThenGoodCredentials(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, _, username, password string, _ *http.Client) {
t.Helper()
// Open the web browser and navigate to the downstream authorize URL.
page := browsertest.Open(t)
t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
require.NoError(t, page.Navigate(downstreamAuthorizeURL))
// Expect to be redirected to the upstream provider and attempt to log in.
browsertest.LoginToUpstreamLDAP(t, page, downstreamIssuer, username, "this is the wrong password!")
// After failing login expect to land back on the login page again with an error message.
browsertest.WaitForUpstreamLDAPLoginPageWithError(t, page, downstreamIssuer)
// Already at the login page, so this time can directly submit it using the provided username and password.
browsertest.SubmitUpstreamLDAPLoginForm(t, page, username, password)
}
Add LDAP browser flow login test to supervisor_login_test.go
2022-05-10 19:54:40 +00:00
func makeAuthorizationRequestAndRequireSecurityHeaders(ctx context.Context, t *testing.T, downstreamAuthorizeURL string, httpClient *http.Client) {
authorizeRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil)
require.NoError(t, err)
authorizeResp, err := httpClient.Do(authorizeRequest)
require.NoError(t, err)
require.NoError(t, authorizeResp.Body.Close())
expectSecurityHeaders(t, authorizeResp, false)
}
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider
2021-08-24 19:19:29 +00:00
func requestAuthorizationUsingCLIPasswordFlow(t *testing.T, downstreamAuthorizeURL, upstreamUsername, upstreamPassword string, httpClient *http.Client, wantErr bool) {
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
t.Helper()
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
Custom API Group overlay for AD Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-07-15 18:32:15 +00:00
ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
defer cancelFunc()
authRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, downstreamAuthorizeURL, nil)
require.NoError(t, err)
// Set the custom username/password headers for the LDAP authorize request.
Rename `X-Pinniped-Idp-*` headers to `Pinniped-*` See RFC6648 which asks that people stop using `X-` on header names. Also Matt preferred not mentioning "IDP" in the header name. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-12 20:06:08 +00:00
authRequest.Header.Set("Pinniped-Username", upstreamUsername)
authRequest.Header.Set("Pinniped-Password", upstreamPassword)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
Avoid a rare flake in TestSupervisorLogin. There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 18:36:48 +00:00
// At this point in the test, we've already waited for the LDAPIdentityProvider to be loaded and marked healthy by
// at least one Supervisor pod, but we can't be sure that _all_ of them have loaded the provider, so we may need
// to retry this request multiple times until we get the expected 302 status response.
var authResponse *http.Response
var responseBody []byte
Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 15:23:19 +00:00
testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
Avoid a rare flake in TestSupervisorLogin. There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 18:36:48 +00:00
authResponse, err = httpClient.Do(authRequest)
if err != nil {
t.Logf("got authorization response with error %v", err)
return false, nil
}
defer func() { _ = authResponse.Body.Close() }()
responseBody, err = ioutil.ReadAll(authResponse.Body)
if err != nil {
return false, nil
}
t.Logf("got authorization response with code %d (%d byte body)", authResponse.StatusCode, len(responseBody))
if authResponse.StatusCode != http.StatusFound {
return false, nil
}
return true, nil
Increase timeout for activedirectoryidentityprovider to be loaded
2021-08-18 23:24:05 +00:00
}, 60*time.Second, 200*time.Millisecond)
Avoid a rare flake in TestSupervisorLogin. There was nothing to guarantee that _all_ Supervisor pods would be ready to handle this request. We saw a rare test flake where the LDAPIdentityProvider was marked as ready but one of the Supervisor pods didn't have it loaded yet and returned an HTTP 422 error (`Unprocessable Entity: No upstream providers are configured`). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-02 18:36:48 +00:00
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
expectSecurityHeaders(t, authResponse, true)
// A successful authorize request results in a redirect to our localhost callback listener with an authcode param.
require.Equalf(t, http.StatusFound, authResponse.StatusCode, "response body was: %s", string(responseBody))
redirectLocation := authResponse.Header.Get("Location")
require.Contains(t, redirectLocation, "127.0.0.1")
require.Contains(t, redirectLocation, "/callback")
Integration test deactivated ad account
2021-07-22 23:15:44 +00:00
if wantErr {
require.Contains(t, redirectLocation, "error_description")
} else {
require.Contains(t, redirectLocation, "code=")
}
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
// Follow the redirect.
callbackRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, redirectLocation, nil)
require.NoError(t, err)
Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin - Add some fields to LDAPIdentityProvider that we will need to be able to search for users during login - Enhance TestSupervisorLogin to test logging in using an upstream LDAP identity provider. Part of this new test is skipped for now because we haven't written the corresponding production code to make it pass yet. - Some refactoring and enhancement to env.go and the corresponding env vars to support the new upstream LDAP provider integration tests. - Use docker.io/bitnami/openldap for our test LDAP server instead of our own fork now that they have fixed the bug that we reported. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 19:56:09 +00:00
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
// Our localhost callback listener should have returned 200 OK.
callbackResponse, err := httpClient.Do(callbackRequest)
require.NoError(t, err)
defer callbackResponse.Body.Close()
require.Equal(t, http.StatusOK, callbackResponse.StatusCode)
Add stub LDAP API type and integration test The goal here was to start on an integration test to get us closer to the red test that we want so we can start working on LDAP. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-06 17:10:01 +00:00
}
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
func startLocalCallbackServer(t *testing.T) *localCallbackServer {
// Handle the callback by sending the *http.Request object back through a channel.
callbacks := make(chan *http.Request, 1)
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
callbacks <- r
}))
Fix a lint warning by simplifying this append operation. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 22:11:22 +00:00
server.URL += "/callback"
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
t.Cleanup(server.Close)
t.Cleanup(func() { close(callbacks) })
return &localCallbackServer{Server: server, t: t, callbacks: callbacks}
}
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
type localCallbackServer struct {
*httptest.Server
t *testing.T
callbacks <-chan *http.Request
}
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
func (s *localCallbackServer) waitForCallback(timeout time.Duration) (*http.Request, error) {
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
select {
case callback := <-s.callbacks:
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return callback, nil
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
case <-time.After(timeout):
Add LDAP browser flow login failure tests to supervisor_login_test.go Also do some refactoring to share more common test setup code in supervisor_login_test.go.
2022-05-10 23:22:07 +00:00
return nil, errors.New("timed out waiting for callback request")
Update TestSupervisorLogin to test the callback flow using a browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 21:50:42 +00:00
}
Re-add the TestSupervisorLogin integration test. This is 99% Andrew's code from 4032ed32aebde02786a51ed9800330d1b8705211, but tweaked to work with the new UpstreamOIDCProvider setup. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 15:21:17 +00:00
}
Start extending TestSupervisorLogin to test the token exchange flow (WIP). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 16:23:10 +00:00
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
func doTokenExchange(t *testing.T, config *oauth2.Config, tokenResponse *oauth2.Token, httpClient *http.Client, provider *coreosoidc.Provider) {
All controller unit tests should not cancel context until test is over All controller unit tests were accidentally using a timeout context for the informers, instead of a cancel context which stays alive until each test is completely finished. There is no reason to risk unpredictable behavior of a timeout being reached during an individual test, even though with the previous 3 second timeout it could only be reached on a machine which is running orders of magnitude slower than usual, since each test usually runs in about 100-300 ms. Unfortunately, sometimes our CI workers might get that slow. This sparked a review of other usages of timeout contexts in other tests, and all of them were increased to a minimum value of 1 minute, under the rule of thumb that our tests will be more reliable on slow machines if they "pass fast and fail slow".
2021-03-05 01:25:43 +00:00
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
Start extending TestSupervisorLogin to test the token exchange flow (WIP). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 16:23:10 +00:00
defer cancel()
// Form the HTTP POST request with the parameters specified by RFC8693.
reqBody := strings.NewReader(url.Values{
"grant_type": []string{"urn:ietf:params:oauth:grant-type:token-exchange"},
"audience": []string{"cluster-1234"},
"client_id": []string{config.ClientID},
"subject_token": []string{tokenResponse.AccessToken},
"subject_token_type": []string{"urn:ietf:params:oauth:token-type:access_token"},
"requested_token_type": []string{"urn:ietf:params:oauth:token-type:jwt"},
}.Encode())
req, err := http.NewRequestWithContext(ctx, http.MethodPost, config.Endpoint.TokenURL, reqBody)
require.NoError(t, err)
req.Header.Set("content-type", "application/x-www-form-urlencoded")
resp, err := httpClient.Do(req)
require.NoError(t, err)
supervisor_login_test.go: wait for the `/jwks.json` endpoint to be ready - Also fail in a more obvious way if the token exchanged failed by adding an assertion about its status code
2020-12-17 01:59:39 +00:00
require.Equal(t, resp.StatusCode, http.StatusOK)
Start extending TestSupervisorLogin to test the token exchange flow (WIP). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 16:23:10 +00:00
defer func() { _ = resp.Body.Close() }()
var respBody struct {
AccessToken string `json:"access_token"`
IssuedTokenType string `json:"issued_token_type"`
TokenType string `json:"token_type"`
}
require.NoError(t, json.NewDecoder(resp.Body).Decode(&respBody))
Consolidate the supervisor's timeout settings into a single struct - This struct represents the configuration of all timeouts. These timeouts are all interrelated to declare them all in one place. This should also make it easier to allow the user to override our defaults if we would like to implement such a feature in the future. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 18:14:54 +00:00
var clusterVerifier = provider.Verifier(&coreosoidc.Config{ClientID: "cluster-1234"})
Start extending TestSupervisorLogin to test the token exchange flow (WIP). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 16:23:10 +00:00
exchangedToken, err := clusterVerifier.Verify(ctx, respBody.AccessToken)
require.NoError(t, err)
var claims map[string]interface{}
require.NoError(t, exchangedToken.Claims(&claims))
indentedClaims, err := json.MarshalIndent(claims, " ", " ")
require.NoError(t, err)
t.Logf("exchanged token claims:\n%s", string(indentedClaims))
}
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
func expectSecurityHeaders(t *testing.T, response *http.Response, expectFositeToOverrideSome bool) {
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
h := response.Header
assert.Equal(t, "default-src 'none'; frame-ancestors 'none'", h.Get("Content-Security-Policy"))
assert.Equal(t, "DENY", h.Get("X-Frame-Options"))
assert.Equal(t, "1; mode=block", h.Get("X-XSS-Protection"))
assert.Equal(t, "nosniff", h.Get("X-Content-Type-Options"))
assert.Equal(t, "no-referrer", h.Get("Referrer-Policy"))
assert.Equal(t, "off", h.Get("X-DNS-Prefetch-Control"))
Passing integration test for LDAP login! 🚀
2021-04-14 01:11:16 +00:00
if expectFositeToOverrideSome {
assert.Equal(t, "no-store", h.Get("Cache-Control"))
} else {
assert.Equal(t, "no-cache,no-store,max-age=0,must-revalidate", h.Get("Cache-Control"))
}
Add an integration test to verify security headers on the supervisor authorize endpoint. It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 03:42:11 +00:00
assert.Equal(t, "no-cache", h.Get("Pragma"))
assert.Equal(t, "0", h.Get("Expires"))
}
Reference in New Issue Copy Permalink