2023-01-20 23:01:36 +00:00
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
2020-12-08 01:39:51 +00:00
// SPDX-License-Identifier: Apache-2.0
package jwtcachefiller
import (
2021-04-22 15:25:44 +00:00
2020-12-08 01:39:51 +00:00
2020-12-08 16:08:53 +00:00
2020-12-08 01:39:51 +00:00
2020-12-15 22:37:38 +00:00
2020-12-08 01:39:51 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2021-04-22 15:25:44 +00:00
2020-12-08 01:39:51 +00:00
2021-02-16 19:00:08 +00:00
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
pinnipedfake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
pinnipedinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
2020-12-08 01:39:51 +00:00
2021-10-20 11:59:24 +00:00
2020-12-08 16:08:53 +00:00
2022-04-15 00:37:36 +00:00
2020-12-08 01:39:51 +00:00
2021-10-20 11:59:24 +00:00
2020-12-08 01:39:51 +00:00
func TestController ( t * testing . T ) {
t . Parallel ( )
2020-12-15 21:33:49 +00:00
const (
goodECSigningKeyID = "some-ec-key-id"
goodRSASigningKeyID = "some-rsa-key-id"
goodAudience = "some-audience"
goodECSigningKey , err := ecdsa . GenerateKey ( elliptic . P256 ( ) , rand . Reader )
goodECSigningAlgo := jose . ES256
require . NoError ( t , err )
goodRSASigningKey , err := rsa . GenerateKey ( rand . Reader , 2048 )
require . NoError ( t , err )
goodRSASigningAlgo := jose . RS256
2022-04-18 18:46:33 +00:00
customGroupsClaim := "my-custom-groups-claim"
distributedGroups := [ ] string { "some-distributed-group-1" , "some-distributed-group-2" }
2020-12-15 21:33:49 +00:00
mux := http . NewServeMux ( )
2021-10-20 11:59:24 +00:00
server := tlsserver . TLSTestServer ( t , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
tlsserver . AssertTLS ( t , r , ptls . Default )
mux . ServeHTTP ( w , r )
} ) , tlsserver . RecordTLSHello )
2020-12-15 21:33:49 +00:00
mux . Handle ( "/.well-known/openid-configuration" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "Content-Type" , "application/json" )
_ , err := fmt . Fprintf ( w , ` { "issuer": "%s", "jwks_uri": "%s"} ` , server . URL , server . URL + "/jwks.json" )
require . NoError ( t , err )
} ) )
mux . Handle ( "/jwks.json" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
ecJWK := jose . JSONWebKey {
Key : goodECSigningKey ,
KeyID : goodECSigningKeyID ,
Algorithm : string ( goodECSigningAlgo ) ,
Use : "sig" ,
rsaJWK := jose . JSONWebKey {
Key : goodRSASigningKey ,
KeyID : goodRSASigningKeyID ,
Algorithm : string ( goodRSASigningAlgo ) ,
Use : "sig" ,
jwks := jose . JSONWebKeySet {
Keys : [ ] jose . JSONWebKey { ecJWK . Public ( ) , rsaJWK . Public ( ) } ,
require . NoError ( t , json . NewEncoder ( w ) . Encode ( jwks ) )
} ) )
2022-04-18 18:46:33 +00:00
// Claims without the subject, to be used distributed claims tests.
// OIDC 1.0 section 5.6.2:
// A sub (subject) Claim SHOULD NOT be returned from the Claims Provider unless its value
// is an identifier for the End-User at the Claims Provider (and not for the OpenID Provider or another party);
// this typically means that a sub Claim SHOULD NOT be provided.
claimsWithoutSubject := jwt . Claims {
Issuer : server . URL ,
Audience : [ ] string { goodAudience } ,
Expiry : jwt . NewNumericDate ( time . Now ( ) . Add ( time . Hour ) ) ,
NotBefore : jwt . NewNumericDate ( time . Now ( ) . Add ( - time . Hour ) ) ,
IssuedAt : jwt . NewNumericDate ( time . Now ( ) . Add ( - time . Hour ) ) ,
mux . Handle ( "/claim_source" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
// Unfortunately we have to set this up pretty early in the test because we can't redeclare
// mux.Handle. This means that we can't return a different groups claim per test; we have to
// return both and predecide which groups are returned.
sig , err := jose . NewSigner (
jose . SigningKey { Algorithm : goodECSigningAlgo , Key : goodECSigningKey } ,
( & jose . SignerOptions { } ) . WithType ( "JWT" ) . WithHeader ( "kid" , goodECSigningKeyID ) ,
require . NoError ( t , err )
builder := jwt . Signed ( sig ) . Claims ( claimsWithoutSubject )
builder = builder . Claims ( map [ string ] interface { } { customGroupsClaim : distributedGroups } )
builder = builder . Claims ( map [ string ] interface { } { "groups" : distributedGroups } )
distributedClaimsJwt , err := builder . CompactSerialize ( )
require . NoError ( t , err )
_ , err = w . Write ( [ ] byte ( distributedClaimsJwt ) )
require . NoError ( t , err )
} ) )
mux . Handle ( "/wrong_claim_source" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
// Unfortunately we have to set this up pretty early in the test because we can't redeclare
// mux.Handle. This means that we can't return a different groups claim per test; we have to
// return both and predecide which groups are returned.
sig , err := jose . NewSigner (
jose . SigningKey { Algorithm : goodECSigningAlgo , Key : goodECSigningKey } ,
( & jose . SignerOptions { } ) . WithType ( "JWT" ) . WithHeader ( "kid" , goodECSigningKeyID ) ,
require . NoError ( t , err )
builder := jwt . Signed ( sig ) . Claims ( claimsWithoutSubject )
builder = builder . Claims ( map [ string ] interface { } { "some-other-claim" : distributedGroups } )
distributedClaimsJwt , err := builder . CompactSerialize ( )
require . NoError ( t , err )
_ , err = w . Write ( [ ] byte ( distributedClaimsJwt ) )
require . NoError ( t , err )
} ) )
2020-12-15 21:33:49 +00:00
goodIssuer := server . URL
2020-12-08 20:14:05 +00:00
someJWTAuthenticatorSpec := & auth1alpha1 . JWTAuthenticatorSpec {
2020-12-15 21:33:49 +00:00
Issuer : goodIssuer ,
Audience : goodAudience ,
TLS : tlsSpecFromTLSConfig ( server . TLS ) ,
2020-12-08 20:14:05 +00:00
2020-12-16 00:11:53 +00:00
someJWTAuthenticatorSpecWithUsernameClaim := & auth1alpha1 . JWTAuthenticatorSpec {
2020-12-16 17:42:19 +00:00
Issuer : goodIssuer ,
Audience : goodAudience ,
TLS : tlsSpecFromTLSConfig ( server . TLS ) ,
Claims : auth1alpha1 . JWTTokenClaims {
Username : "my-custom-username-claim" ,
} ,
2020-12-16 00:11:53 +00:00
someJWTAuthenticatorSpecWithGroupsClaim := & auth1alpha1 . JWTAuthenticatorSpec {
2020-12-16 17:42:19 +00:00
Issuer : goodIssuer ,
Audience : goodAudience ,
TLS : tlsSpecFromTLSConfig ( server . TLS ) ,
Claims : auth1alpha1 . JWTTokenClaims {
2022-04-18 18:46:33 +00:00
Groups : customGroupsClaim ,
2020-12-16 17:42:19 +00:00
} ,
2020-12-16 00:11:53 +00:00
2020-12-08 20:14:05 +00:00
otherJWTAuthenticatorSpec := & auth1alpha1 . JWTAuthenticatorSpec {
Issuer : "https://some-other-issuer.com" ,
2020-12-15 21:33:49 +00:00
Audience : goodAudience ,
2020-12-08 20:14:05 +00:00
missingTLSJWTAuthenticatorSpec := & auth1alpha1 . JWTAuthenticatorSpec {
2020-12-15 21:33:49 +00:00
Issuer : goodIssuer ,
Audience : goodAudience ,
2020-12-08 20:14:05 +00:00
invalidTLSJWTAuthenticatorSpec := & auth1alpha1 . JWTAuthenticatorSpec {
Issuer : "https://some-other-issuer.com" ,
2020-12-15 21:33:49 +00:00
Audience : goodAudience ,
2020-12-08 20:14:05 +00:00
TLS : & auth1alpha1 . TLSSpec { CertificateAuthorityData : "invalid base64-encoded data" } ,
2020-12-08 01:39:51 +00:00
tests := [ ] struct {
2020-12-15 21:33:49 +00:00
name string
cache func ( * testing . T , * authncache . Cache , bool )
syncKey controllerlib . Key
jwtAuthenticators [ ] runtime . Object
wantClose bool
2023-01-20 23:01:36 +00:00
wantErr testutil . RequireErrorStringFunc
2020-12-15 21:33:49 +00:00
wantLogs [ ] string
wantCacheEntries int
2020-12-16 00:11:53 +00:00
wantUsernameClaim string
wantGroupsClaim string
2020-12-15 21:33:49 +00:00
runTestsOnResultingAuthenticator bool
2020-12-08 01:39:51 +00:00
} {
name : "not found" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 01:39:51 +00:00
wantLogs : [ ] string {
` jwtcachefiller-controller "level"=0 "msg"="Sync() found that the JWTAuthenticator does not exist yet or was deleted" ` ,
} ,
} ,
name : "valid jwt authenticator with CA" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 01:39:51 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * someJWTAuthenticatorSpec ,
} ,
} ,
wantLogs : [ ] string {
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-08 20:14:05 +00:00
} ,
2020-12-15 21:33:49 +00:00
wantCacheEntries : 1 ,
runTestsOnResultingAuthenticator : true ,
2020-12-08 20:14:05 +00:00
} ,
2020-12-16 00:11:53 +00:00
name : "valid jwt authenticator with custom username claim" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-16 00:11:53 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-16 00:11:53 +00:00
} ,
Spec : * someJWTAuthenticatorSpecWithUsernameClaim ,
} ,
} ,
wantLogs : [ ] string {
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-16 00:11:53 +00:00
} ,
wantCacheEntries : 1 ,
2020-12-16 17:42:19 +00:00
wantUsernameClaim : someJWTAuthenticatorSpecWithUsernameClaim . Claims . Username ,
2020-12-16 00:11:53 +00:00
runTestsOnResultingAuthenticator : true ,
} ,
name : "valid jwt authenticator with custom groups claim" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-16 00:11:53 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-16 00:11:53 +00:00
} ,
Spec : * someJWTAuthenticatorSpecWithGroupsClaim ,
} ,
} ,
wantLogs : [ ] string {
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-16 00:11:53 +00:00
} ,
wantCacheEntries : 1 ,
2020-12-16 17:42:19 +00:00
wantGroupsClaim : someJWTAuthenticatorSpecWithGroupsClaim . Claims . Groups ,
2020-12-16 00:11:53 +00:00
runTestsOnResultingAuthenticator : true ,
} ,
2020-12-08 20:14:05 +00:00
name : "updating jwt authenticator with new fields closes previous instance" ,
cache : func ( t * testing . T , cache * authncache . Cache , wantClose bool ) {
cache . Store (
authncache . Key {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
Kind : "JWTAuthenticator" ,
APIGroup : auth1alpha1 . SchemeGroupVersion . Group ,
2020-12-08 20:14:05 +00:00
} ,
newCacheValue ( t , * otherJWTAuthenticatorSpec , wantClose ) ,
} ,
wantClose : true ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 20:14:05 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * someJWTAuthenticatorSpec ,
2020-12-08 01:39:51 +00:00
} ,
} ,
wantLogs : [ ] string {
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-15 21:33:49 +00:00
wantCacheEntries : 1 ,
runTestsOnResultingAuthenticator : true ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-08 16:08:53 +00:00
2020-12-08 20:14:05 +00:00
name : "updating jwt authenticator with the same value does nothing" ,
cache : func ( t * testing . T , cache * authncache . Cache , wantClose bool ) {
2020-12-08 16:08:53 +00:00
cache . Store (
authncache . Key {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
Kind : "JWTAuthenticator" ,
APIGroup : auth1alpha1 . SchemeGroupVersion . Group ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-08 20:14:05 +00:00
newCacheValue ( t , * someJWTAuthenticatorSpec , wantClose ) ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-08 20:14:05 +00:00
wantClose : false ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 16:08:53 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * someJWTAuthenticatorSpec ,
} ,
} ,
wantLogs : [ ] string {
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="actual jwt authenticator and desired jwt authenticator are the same" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-08 20:14:05 +00:00
} ,
2020-12-15 21:33:49 +00:00
wantCacheEntries : 1 ,
runTestsOnResultingAuthenticator : false , // skip the tests because the authenticator left in the cache is the mock version that was added above
2020-12-08 20:14:05 +00:00
} ,
name : "updating jwt authenticator when cache value is wrong type" ,
cache : func ( t * testing . T , cache * authncache . Cache , wantClose bool ) {
cache . Store (
authncache . Key {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
Kind : "JWTAuthenticator" ,
APIGroup : auth1alpha1 . SchemeGroupVersion . Group ,
2020-12-08 20:14:05 +00:00
} ,
struct { authenticator . Token } { } ,
} ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 20:14:05 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * someJWTAuthenticatorSpec ,
2020-12-08 16:08:53 +00:00
} ,
} ,
wantLogs : [ ] string {
2020-12-08 20:14:05 +00:00
` jwtcachefiller-controller "level"=0 "msg"="wrong JWT authenticator type in cache" "actualType"="struct { authenticator.Token }" ` ,
2021-02-09 18:59:32 +00:00
` jwtcachefiller-controller "level"=0 "msg"="added new jwt authenticator" "issuer"=" ` + goodIssuer + ` " "jwtAuthenticator"= { "name":"test-name"} ` ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-15 21:33:49 +00:00
wantCacheEntries : 1 ,
runTestsOnResultingAuthenticator : true ,
2020-12-08 16:08:53 +00:00
} ,
2020-12-08 01:39:51 +00:00
name : "valid jwt authenticator without CA" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 01:39:51 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * missingTLSJWTAuthenticatorSpec ,
2020-12-08 01:39:51 +00:00
} ,
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantX509UntrustedCertErrorString ( ` failed to build jwt authenticator: could not initialize provider: Get " ` + goodIssuer + ` /.well-known/openid-configuration": %s ` , "Acme Co" ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "invalid jwt authenticator CA" ,
2021-02-09 18:59:32 +00:00
syncKey : controllerlib . Key { Name : "test-name" } ,
2020-12-08 01:39:51 +00:00
jwtAuthenticators : [ ] runtime . Object {
& auth1alpha1 . JWTAuthenticator {
ObjectMeta : metav1 . ObjectMeta {
2021-02-09 18:59:32 +00:00
Name : "test-name" ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-08 20:14:05 +00:00
Spec : * invalidTLSJWTAuthenticatorSpec ,
2020-12-08 01:39:51 +00:00
} ,
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantExactErrorString ( "failed to build jwt authenticator: invalid TLS configuration: illegal base64 data at input byte 7" ) ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-15 21:33:49 +00:00
2020-12-08 01:39:51 +00:00
for _ , tt := range tests {
tt := tt
t . Run ( tt . name , func ( t * testing . T ) {
t . Parallel ( )
fakeClient := pinnipedfake . NewSimpleClientset ( tt . jwtAuthenticators ... )
informers := pinnipedinformers . NewSharedInformerFactory ( fakeClient , 0 )
2021-02-09 20:51:35 +00:00
cache := authncache . New ( )
2022-08-24 21:45:55 +00:00
testLog := testlogger . NewLegacy ( t ) //nolint:staticcheck // old test with lots of log statements
2020-12-08 01:39:51 +00:00
2020-12-08 16:08:53 +00:00
if tt . cache != nil {
2020-12-08 20:14:05 +00:00
tt . cache ( t , cache , tt . wantClose )
2020-12-08 16:08:53 +00:00
2021-12-10 22:22:36 +00:00
controller := New ( cache , informers . Authentication ( ) . V1alpha1 ( ) . JWTAuthenticators ( ) , testLog . Logger )
2020-12-08 01:39:51 +00:00
2021-03-05 01:25:43 +00:00
ctx , cancel := context . WithCancel ( context . Background ( ) )
2020-12-08 01:39:51 +00:00
defer cancel ( )
informers . Start ( ctx . Done ( ) )
controllerlib . TestRunSynchronously ( t , controller )
syncCtx := controllerlib . Context { Context : ctx , Key : tt . syncKey }
2023-01-20 23:01:36 +00:00
if err := controllerlib . TestSync ( t , controller , syncCtx ) ; tt . wantErr != nil {
testutil . RequireErrorStringFromErr ( t , err , tt . wantErr )
2020-12-08 01:39:51 +00:00
} else {
require . NoError ( t , err )
require . Equal ( t , tt . wantLogs , testLog . Lines ( ) )
require . Equal ( t , tt . wantCacheEntries , len ( cache . Keys ( ) ) )
2020-12-15 21:33:49 +00:00
if ! tt . runTestsOnResultingAuthenticator {
return // end of test unless we wanted to run tests on the resulting authenticator from the cache
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
// We expected the cache to have an entry, so pull that entry from the cache and test it.
expectedCacheKey := authncache . Key {
2021-02-09 23:16:22 +00:00
APIGroup : auth1alpha1 . GroupName ,
Kind : "JWTAuthenticator" ,
Name : syncCtx . Key . Name ,
2020-12-15 21:33:49 +00:00
cachedAuthenticator := cache . Get ( expectedCacheKey )
require . NotNil ( t , cachedAuthenticator )
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
// Schedule it to be closed at the end of the test.
t . Cleanup ( cachedAuthenticator . ( * jwtAuthenticator ) . Close )
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
const (
2020-12-15 22:37:38 +00:00
goodSubject = "some-subject"
group0 = "some-group-0"
group1 = "some-group-1"
goodUsername = "pinny123"
2020-12-15 21:33:49 +00:00
2020-12-08 01:39:51 +00:00
2020-12-16 00:11:53 +00:00
if tt . wantUsernameClaim == "" {
tt . wantUsernameClaim = "username"
if tt . wantGroupsClaim == "" {
tt . wantGroupsClaim = "groups"
2020-12-15 21:33:49 +00:00
for _ , test := range testTableForAuthenticateTokenTests (
t ,
goodRSASigningKey ,
goodRSASigningAlgo ,
goodRSASigningKeyID ,
group0 ,
group1 ,
2020-12-15 22:37:38 +00:00
goodUsername ,
2020-12-16 00:11:53 +00:00
tt . wantUsernameClaim ,
tt . wantGroupsClaim ,
2022-04-18 18:46:33 +00:00
goodIssuer ,
2020-12-15 21:33:49 +00:00
) {
test := test
t . Run ( test . name , func ( t * testing . T ) {
t . Parallel ( )
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
wellKnownClaims := jwt . Claims {
Issuer : goodIssuer ,
Subject : goodSubject ,
Audience : [ ] string { goodAudience } ,
Expiry : jwt . NewNumericDate ( time . Now ( ) . Add ( time . Hour ) ) ,
NotBefore : jwt . NewNumericDate ( time . Now ( ) . Add ( - time . Hour ) ) ,
IssuedAt : jwt . NewNumericDate ( time . Now ( ) . Add ( - time . Hour ) ) ,
var groups interface { }
2020-12-15 22:37:38 +00:00
username := goodUsername
2020-12-15 21:33:49 +00:00
if test . jwtClaims != nil {
2020-12-15 22:37:38 +00:00
test . jwtClaims ( & wellKnownClaims , & groups , & username )
2020-12-15 21:33:49 +00:00
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
var signingKey interface { } = goodECSigningKey
signingAlgo := goodECSigningAlgo
signingKID := goodECSigningKeyID
if test . jwtSignature != nil {
test . jwtSignature ( & signingKey , & signingAlgo , & signingKID )
2020-12-16 00:11:53 +00:00
jwt := createJWT (
t ,
signingKey ,
signingAlgo ,
signingKID ,
& wellKnownClaims ,
tt . wantGroupsClaim ,
groups ,
2022-04-18 18:46:33 +00:00
test . distributedGroupsClaimURL ,
2020-12-16 00:11:53 +00:00
tt . wantUsernameClaim ,
username ,
2021-04-22 15:25:44 +00:00
// Loop for a while here to allow the underlying OIDC authenticator to initialize itself asynchronously.
var (
rsp * authenticator . Response
authenticated bool
err error
2023-05-10 18:41:11 +00:00
_ = wait . PollUntilContextTimeout ( context . Background ( ) , 10 * time . Millisecond , 5 * time . Second , true , func ( ctx context . Context ) ( bool , error ) {
2021-04-22 15:25:44 +00:00
rsp , authenticated , err = cachedAuthenticator . AuthenticateToken ( context . Background ( ) , jwt )
return ! isNotInitialized ( err ) , nil
} )
2023-01-20 23:01:36 +00:00
if test . wantErr != nil {
testutil . RequireErrorStringFromErr ( t , err , test . wantErr )
2020-12-15 21:33:49 +00:00
} else {
require . NoError ( t , err )
require . Equal ( t , test . wantResponse , rsp )
require . Equal ( t , test . wantAuthenticated , authenticated )
} )
} )
2020-12-08 01:39:51 +00:00
2020-12-15 21:33:49 +00:00
2020-12-08 01:39:51 +00:00
2021-04-22 15:25:44 +00:00
// isNotInitialized checks if the error is the internally-defined "oidc: authenticator not initialized" error from
2022-04-18 18:46:33 +00:00
// the underlying OIDC authenticator or "verifier is not initialized" from verifying distributed claims,
// both of which are initialized asynchronously.
2021-04-22 15:25:44 +00:00
func isNotInitialized ( err error ) bool {
2022-04-18 18:46:33 +00:00
return err != nil && ( strings . Contains ( err . Error ( ) , "authenticator not initialized" ) || strings . Contains ( err . Error ( ) , "verifier not initialized" ) )
2021-04-22 15:25:44 +00:00
2020-12-15 21:33:49 +00:00
func testTableForAuthenticateTokenTests (
t * testing . T ,
goodRSASigningKey * rsa . PrivateKey ,
goodRSASigningAlgo jose . SignatureAlgorithm ,
goodRSASigningKeyID string ,
group0 string ,
group1 string ,
2020-12-15 22:37:38 +00:00
goodUsername string ,
2020-12-16 00:11:53 +00:00
expectedUsernameClaim string ,
expectedGroupsClaim string ,
2022-04-18 18:46:33 +00:00
issuer string ,
2020-12-15 21:33:49 +00:00
) [ ] struct {
2022-04-18 18:46:33 +00:00
name string
jwtClaims func ( wellKnownClaims * jwt . Claims , groups * interface { } , username * string )
jwtSignature func ( key * interface { } , algo * jose . SignatureAlgorithm , kid * string )
wantResponse * authenticator . Response
wantAuthenticated bool
2023-01-20 23:01:36 +00:00
wantErr testutil . RequireErrorStringFunc
2022-04-18 18:46:33 +00:00
distributedGroupsClaimURL string
2020-12-15 21:33:49 +00:00
} {
tests := [ ] struct {
2022-04-18 18:46:33 +00:00
name string
jwtClaims func ( wellKnownClaims * jwt . Claims , groups * interface { } , username * string )
jwtSignature func ( key * interface { } , algo * jose . SignatureAlgorithm , kid * string )
wantResponse * authenticator . Response
wantAuthenticated bool
2023-01-20 23:01:36 +00:00
wantErr testutil . RequireErrorStringFunc
2022-04-18 18:46:33 +00:00
distributedGroupsClaimURL string
2020-12-08 01:39:51 +00:00
} {
name : "good token without groups and with EC signature" ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
2020-12-15 22:37:38 +00:00
Name : goodUsername ,
2020-12-08 01:39:51 +00:00
} ,
} ,
wantAuthenticated : true ,
} ,
name : "good token without groups and with RSA signature" ,
jwtSignature : func ( key * interface { } , algo * jose . SignatureAlgorithm , kid * string ) {
* key = goodRSASigningKey
* algo = goodRSASigningAlgo
* kid = goodRSASigningKeyID
} ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
2020-12-15 22:37:38 +00:00
Name : goodUsername ,
2020-12-08 01:39:51 +00:00
} ,
} ,
wantAuthenticated : true ,
} ,
name : "good token with groups as array" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( _ * jwt . Claims , groups * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
* groups = [ ] string { group0 , group1 }
} ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
2020-12-15 22:37:38 +00:00
Name : goodUsername ,
2020-12-08 01:39:51 +00:00
G roups : [ ] string { group0 , group1 } ,
} ,
} ,
wantAuthenticated : true ,
} ,
2022-04-18 18:46:33 +00:00
name : "good token with good distributed groups" ,
jwtClaims : func ( claims * jwt . Claims , groups * interface { } , username * string ) {
} ,
distributedGroupsClaimURL : issuer + "/claim_source" ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
Name : goodUsername ,
Groups : [ ] string { "some-distributed-group-1" , "some-distributed-group-2" } ,
} ,
} ,
wantAuthenticated : true ,
} ,
name : "distributed groups returns a 404" ,
jwtClaims : func ( claims * jwt . Claims , groups * interface { } , username * string ) {
} ,
distributedGroupsClaimURL : issuer + "/not_found_claim_source" ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: could not expand distributed claims: while getting distributed claim " ` + expectedGroupsClaim + ` ": error while getting distributed claim JWT: 404 Not Found ` ) ,
2022-04-18 18:46:33 +00:00
} ,
name : "distributed groups doesn't return the right claim" ,
jwtClaims : func ( claims * jwt . Claims , groups * interface { } , username * string ) {
} ,
distributedGroupsClaimURL : issuer + "/wrong_claim_source" ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: could not expand distributed claims: jwt returned by distributed claim endpoint " ` + issuer + ` /wrong_claim_source" did not contain claim: ` ) ,
2022-04-18 18:46:33 +00:00
} ,
2020-12-08 01:39:51 +00:00
name : "good token with groups as string" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( _ * jwt . Claims , groups * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
* groups = group0
} ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
2020-12-15 22:37:38 +00:00
Name : goodUsername ,
2020-12-08 01:39:51 +00:00
Groups : [ ] string { group0 } ,
} ,
} ,
wantAuthenticated : true ,
} ,
name : "good token with nbf unset" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . NotBefore = nil
} ,
wantResponse : & authenticator . Response {
User : & user . DefaultInfo {
2020-12-15 22:37:38 +00:00
Name : goodUsername ,
2020-12-08 01:39:51 +00:00
} ,
} ,
wantAuthenticated : true ,
} ,
name : "bad token with groups as map" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( _ * jwt . Claims , groups * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
* groups = map [ string ] string { "not an array" : "or a string" }
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( "oidc: parse groups claim \"" + expectedGroupsClaim + "\": json: cannot unmarshal object into Go value of type string" ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "bad token with wrong issuer" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . Issuer = "wrong-issuer"
} ,
wantResponse : nil ,
wantAuthenticated : false ,
} ,
name : "bad token with no audience" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . Audience = nil
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: expected audience "some-audience" got \[\] ` ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "bad token with wrong audience" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . Audience = [ ] string { "wrong-audience" }
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: expected audience "some-audience" got \["wrong-audience"\] ` ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "bad token with nbf in the future" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . NotBefore = jwt . NewNumericDate ( time . Date ( 3020 , 2 , 3 , 4 , 5 , 6 , 7 , time . UTC ) )
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: current time .* before the nbf \(not before\) time: 3020-.* ` ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "bad token with exp in past" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . Expiry = jwt . NewNumericDate ( time . Date ( 1 , 2 , 3 , 4 , 5 , 6 , 7 , time . UTC ) )
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: token is expired \(Token Expiry: .+ ` ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "bad token without exp" ,
2020-12-15 22:37:38 +00:00
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
2020-12-08 01:39:51 +00:00
claims . Expiry = nil
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: token is expired \(Token Expiry: .+ ` ) ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-15 22:37:38 +00:00
name : "token does not have username claim" ,
jwtClaims : func ( claims * jwt . Claims , _ * interface { } , username * string ) {
* username = ""
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: parse username claims " ` + expectedUsernameClaim + ` ": claim not present ` ) ,
2020-12-15 22:37:38 +00:00
} ,
2020-12-08 01:39:51 +00:00
name : "signing key is wrong" ,
jwtSignature : func ( key * interface { } , algo * jose . SignatureAlgorithm , kid * string ) {
var err error
* key , err = ecdsa . GenerateKey ( elliptic . P256 ( ) , rand . Reader )
require . NoError ( t , err )
* algo = jose . ES256
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: failed to verify signature: failed to verify id token signature ` ) ,
2020-12-08 01:39:51 +00:00
} ,
name : "signing algo is unsupported" ,
jwtSignature : func ( key * interface { } , algo * jose . SignatureAlgorithm , kid * string ) {
var err error
* key , err = ecdsa . GenerateKey ( elliptic . P384 ( ) , rand . Reader )
require . NoError ( t , err )
* algo = jose . ES384
} ,
2023-01-20 23:01:36 +00:00
wantErr : testutil . WantMatchingErrorString ( ` oidc: verify token: oidc: id token signed with unsupported algorithm, expected \["RS256" "ES256"\] got "ES384" ` ) ,
2020-12-08 01:39:51 +00:00
} ,
2020-12-15 21:33:49 +00:00
return tests
2020-12-08 01:39:51 +00:00
func tlsSpecFromTLSConfig ( tls * tls . Config ) * auth1alpha1 . TLSSpec {
pemData := make ( [ ] byte , 0 )
for _ , certificate := range tls . Certificates {
for _ , reallyCertificate := range certificate . Certificate {
pemData = append ( pemData , pem . EncodeToMemory ( & pem . Block {
Bytes : reallyCertificate ,
} ) ... )
return & auth1alpha1 . TLSSpec {
CertificateAuthorityData : base64 . StdEncoding . EncodeToString ( pemData ) ,
func createJWT (
t * testing . T ,
signingKey interface { } ,
signingAlgo jose . SignatureAlgorithm ,
kid string ,
claims * jwt . Claims ,
2020-12-16 00:11:53 +00:00
groupsClaim string ,
groupsValue interface { } ,
2022-04-18 18:46:33 +00:00
distributedGroupsClaimURL string ,
2020-12-16 00:11:53 +00:00
usernameClaim string ,
usernameValue string ,
2020-12-08 01:39:51 +00:00
) string {
t . Helper ( )
sig , err := jose . NewSigner (
jose . SigningKey { Algorithm : signingAlgo , Key : signingKey } ,
( & jose . SignerOptions { } ) . WithType ( "JWT" ) . WithHeader ( "kid" , kid ) ,
require . NoError ( t , err )
builder := jwt . Signed ( sig ) . Claims ( claims )
2020-12-16 00:11:53 +00:00
if groupsValue != nil {
builder = builder . Claims ( map [ string ] interface { } { groupsClaim : groupsValue } )
2020-12-08 01:39:51 +00:00
2022-04-18 18:46:33 +00:00
if distributedGroupsClaimURL != "" {
builder = builder . Claims ( map [ string ] interface { } { "_claim_names" : map [ string ] string { groupsClaim : "src1" } } )
builder = builder . Claims ( map [ string ] interface { } { "_claim_sources" : map [ string ] interface { } { "src1" : map [ string ] string { "endpoint" : distributedGroupsClaimURL } } } )
2020-12-16 00:11:53 +00:00
if usernameValue != "" {
builder = builder . Claims ( map [ string ] interface { } { usernameClaim : usernameValue } )
2020-12-15 22:37:38 +00:00
2020-12-08 01:39:51 +00:00
jwt , err := builder . CompactSerialize ( )
require . NoError ( t , err )
return jwt
2020-12-08 16:08:53 +00:00
2020-12-08 20:14:05 +00:00
func newCacheValue ( t * testing . T , spec auth1alpha1 . JWTAuthenticatorSpec , wantClose bool ) authncache . Value {
2020-12-08 16:08:53 +00:00
ctrl := gomock . NewController ( t )
t . Cleanup ( ctrl . Finish )
2020-12-08 20:14:05 +00:00
tokenAuthenticatorCloser := mocktokenauthenticatorcloser . NewMockTokenAuthenticatorCloser ( ctrl )
wantCloses := 0
if wantClose {
wantCloses ++
tokenAuthenticatorCloser . EXPECT ( ) . Close ( ) . Times ( wantCloses )
return & jwtAuthenticator {
tokenAuthenticatorCloser : tokenAuthenticatorCloser ,
spec : & spec ,
2020-12-08 16:08:53 +00:00