ContainerImage.Pinniped/internal/oidc/idpdiscovery/idp_discovery_handler_test.go

// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package idpdiscovery

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"

	"go.pinniped.dev/internal/here"
	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/testutil/oidctestutil"
)

func TestIDPDiscovery(t *testing.T) {
	tests := []struct {
		name string

		method string
		path   string

		wantStatus                 int
		wantContentType            string
		wantFirstResponseBodyJSON  string
		wantSecondResponseBodyJSON string
		wantBodyString             string
	}{
		{
			name:            "happy path",
			method:          http.MethodGet,
			path:            "/some/path" + oidc.WellKnownEndpointPath,
			wantStatus:      http.StatusOK,
			wantContentType: "application/json",
			wantFirstResponseBodyJSON: here.Doc(`{
				"pinniped_identity_providers": [
					{"name": "a-some-ldap-idp", "type": "ldap",            "flows": ["cli_password", "browser_authcode"]},
					{"name": "a-some-oidc-idp", "type": "oidc",            "flows": ["browser_authcode"]},
					{"name": "x-some-idp",      "type": "ldap",            "flows": ["cli_password", "browser_authcode"]},
					{"name": "x-some-idp",      "type": "oidc",            "flows": ["browser_authcode"]},
					{"name": "y-some-ad-idp",   "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
					{"name": "z-some-ad-idp",   "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
					{"name": "z-some-ldap-idp", "type": "ldap",            "flows": ["cli_password", "browser_authcode"]},
					{"name": "z-some-oidc-idp", "type": "oidc",            "flows": ["browser_authcode", "cli_password"]}
				]
			}`),
			wantSecondResponseBodyJSON: here.Doc(`{
				"pinniped_identity_providers": [
					{"name": "some-other-ad-idp-1",   "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
					{"name": "some-other-ad-idp-2",   "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},
					{"name": "some-other-ldap-idp-1", "type": "ldap",            "flows": ["cli_password", "browser_authcode"]},
					{"name": "some-other-ldap-idp-2", "type": "ldap",            "flows": ["cli_password", "browser_authcode"]},
					{"name": "some-other-oidc-idp-1", "type": "oidc",            "flows": ["browser_authcode", "cli_password"]},
					{"name": "some-other-oidc-idp-2", "type": "oidc",            "flows": ["browser_authcode"]}
				]
			}`),
		},
		{
			name:            "bad method",
			method:          http.MethodPost,
			path:            oidc.WellKnownEndpointPath,
			wantStatus:      http.StatusMethodNotAllowed,
			wantContentType: "text/plain; charset=utf-8",
			wantBodyString:  "Method not allowed (try GET)\n",
		},
	}
	for _, test := range tests {
		test := test
		t.Run(test.name, func(t *testing.T) {
			idpLister := oidctestutil.NewUpstreamIDPListerBuilder().
				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("z-some-oidc-idp").WithAllowPasswordGrant(true).Build()).
				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("x-some-idp").Build()).
				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("a-some-ldap-idp").Build()).
				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("a-some-oidc-idp").Build()).
				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("z-some-ldap-idp").Build()).
				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("x-some-idp").Build()).
				WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("z-some-ad-idp").Build()).
				WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("y-some-ad-idp").Build()).
				BuildFederationDomainIdentityProvidersListerFinder()

			handler := NewHandler(idpLister)
			req := httptest.NewRequest(test.method, test.path, nil)
			rsp := httptest.NewRecorder()
			handler.ServeHTTP(rsp, req)

			require.Equal(t, test.wantStatus, rsp.Code)

			require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))

			if test.wantFirstResponseBodyJSON != "" {
				require.JSONEq(t, test.wantFirstResponseBodyJSON, rsp.Body.String())
			}

			if test.wantBodyString != "" {
				require.Equal(t, test.wantBodyString, rsp.Body.String())
			}

			// Change the list of IDPs in the cache.
			idpLister.SetLDAPIdentityProviders([]*oidctestutil.TestUpstreamLDAPIdentityProvider{
				oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ldap-idp-1").Build(),
				oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ldap-idp-2").Build(),
			})
			idpLister.SetOIDCIdentityProviders([]*oidctestutil.TestUpstreamOIDCIdentityProvider{
				oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("some-other-oidc-idp-1").WithAllowPasswordGrant(true).Build(),
				oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("some-other-oidc-idp-2").Build(),
			})
			idpLister.SetActiveDirectoryIdentityProviders([]*oidctestutil.TestUpstreamLDAPIdentityProvider{
				oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ad-idp-2").Build(),
				oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ad-idp-1").Build(),
			})

			// Make the same request to the same handler instance again, and expect different results.
			rsp = httptest.NewRecorder()
			handler.ServeHTTP(rsp, req)

			require.Equal(t, test.wantStatus, rsp.Code)

			require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))

			if test.wantFirstResponseBodyJSON != "" {
				require.JSONEq(t, test.wantSecondResponseBodyJSON, rsp.Body.String())
			}

			if test.wantBodyString != "" {
				require.Equal(t, test.wantBodyString, rsp.Body.String())
			}
		})
	}
}
First draft of implementation of multiple IDPs support 2023-05-08 21:07:38 +00:00			`// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package idpdiscovery`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`

			`"github.com/stretchr/testify/require"`

Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`"go.pinniped.dev/internal/here"`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`"go.pinniped.dev/internal/oidc"`
			`"go.pinniped.dev/internal/testutil/oidctestutil"`
			`)`

			`func TestIDPDiscovery(t *testing.T) {`
			`tests := []struct {`
			`name string`

			`method string`
			`path string`

			`wantStatus int`
			`wantContentType string`
Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`wantFirstResponseBodyJSON string`
			`wantSecondResponseBodyJSON string`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`wantBodyString string`
			`}{`
			`{`
			`name: "happy path",`
			`method: http.MethodGet,`
			`path: "/some/path" + oidc.WellKnownEndpointPath,`
			`wantStatus: http.StatusOK,`
			`wantContentType: "application/json",`
Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			wantFirstResponseBodyJSON: here.Doc(`{
			`"pinniped_identity_providers": [`
Advertise browser_authcode flow in ldap idp discovery To keep this backwards compatible, this PR changes how the cli deals with ambiguous flows. Previously, if there was more than one flow advertised, the cli would require users to set the flag --upstream-identity-provider-flow. Now it chooses the first one in the list. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-04-20 21:58:09 +00:00			`{"name": "a-some-ldap-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},`
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 19:19:29 +00:00			`{"name": "a-some-oidc-idp", "type": "oidc", "flows": ["browser_authcode"]},`
Advertise browser_authcode flow in ldap idp discovery To keep this backwards compatible, this PR changes how the cli deals with ambiguous flows. Previously, if there was more than one flow advertised, the cli would require users to set the flag --upstream-identity-provider-flow. Now it chooses the first one in the list. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-04-20 21:58:09 +00:00			`{"name": "x-some-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},`
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 19:19:29 +00:00			`{"name": "x-some-idp", "type": "oidc", "flows": ["browser_authcode"]},`
Advertise browser_authcode flow in ldap idp discovery To keep this backwards compatible, this PR changes how the cli deals with ambiguous flows. Previously, if there was more than one flow advertised, the cli would require users to set the flag --upstream-identity-provider-flow. Now it chooses the first one in the list. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-04-20 21:58:09 +00:00			`{"name": "y-some-ad-idp", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},`
			`{"name": "z-some-ad-idp", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},`
			`{"name": "z-some-ldap-idp", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},`
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 19:19:29 +00:00			`{"name": "z-some-oidc-idp", "type": "oidc", "flows": ["browser_authcode", "cli_password"]}`
Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`]`
			}`),
			wantSecondResponseBodyJSON: here.Doc(`{
			`"pinniped_identity_providers": [`
Advertise browser_authcode flow in ldap idp discovery To keep this backwards compatible, this PR changes how the cli deals with ambiguous flows. Previously, if there was more than one flow advertised, the cli would require users to set the flag --upstream-identity-provider-flow. Now it chooses the first one in the list. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-04-20 21:58:09 +00:00			`{"name": "some-other-ad-idp-1", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},`
			`{"name": "some-other-ad-idp-2", "type": "activedirectory", "flows": ["cli_password", "browser_authcode"]},`
			`{"name": "some-other-ldap-idp-1", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},`
			`{"name": "some-other-ldap-idp-2", "type": "ldap", "flows": ["cli_password", "browser_authcode"]},`
Merge branch 'main' of github.com:vmware-tanzu/pinniped into active-directory-identity-provider 2021-08-24 19:19:29 +00:00			`{"name": "some-other-oidc-idp-1", "type": "oidc", "flows": ["browser_authcode", "cli_password"]},`
			`{"name": "some-other-oidc-idp-2", "type": "oidc", "flows": ["browser_authcode"]}`
Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`]`
			}`),
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`},`
			`{`
			`name: "bad method",`
			`method: http.MethodPost,`
			`path: oidc.WellKnownEndpointPath,`
			`wantStatus: http.StatusMethodNotAllowed,`
			`wantContentType: "text/plain; charset=utf-8",`
			`wantBodyString: "Method not allowed (try GET)\n",`
			`},`
			`}`
			`for _, test := range tests {`
			`test := test`
			`t.Run(test.name, func(t *testing.T) {`
			`idpLister := oidctestutil.NewUpstreamIDPListerBuilder().`
Get tests to compile again and fix lint errors 2023-06-13 19:26:59 +00:00			`WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("z-some-oidc-idp").WithAllowPasswordGrant(true).Build()).`
			`WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("x-some-idp").Build()).`
			`WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("a-some-ldap-idp").Build()).`
			`WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("a-some-oidc-idp").Build()).`
			`WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("z-some-ldap-idp").Build()).`
			`WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("x-some-idp").Build()).`
			`WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("z-some-ad-idp").Build()).`
			`WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("y-some-ad-idp").Build()).`
			`BuildFederationDomainIdentityProvidersListerFinder()`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00
			`handler := NewHandler(idpLister)`
			`req := httptest.NewRequest(test.method, test.path, nil)`
			`rsp := httptest.NewRecorder()`
			`handler.ServeHTTP(rsp, req)`

			`require.Equal(t, test.wantStatus, rsp.Code)`

			`require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))`

Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`if test.wantFirstResponseBodyJSON != "" {`
			`require.JSONEq(t, test.wantFirstResponseBodyJSON, rsp.Body.String())`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`}`

			`if test.wantBodyString != "" {`
			`require.Equal(t, test.wantBodyString, rsp.Body.String())`
			`}`

			`// Change the list of IDPs in the cache.`
Get tests to compile again and fix lint errors 2023-06-13 19:26:59 +00:00			`idpLister.SetLDAPIdentityProviders([]*oidctestutil.TestUpstreamLDAPIdentityProvider{`
			`oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ldap-idp-1").Build(),`
			`oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ldap-idp-2").Build(),`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`})`
Get tests to compile again and fix lint errors 2023-06-13 19:26:59 +00:00			`idpLister.SetOIDCIdentityProviders([]*oidctestutil.TestUpstreamOIDCIdentityProvider{`
			`oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("some-other-oidc-idp-1").WithAllowPasswordGrant(true).Build(),`
			`oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("some-other-oidc-idp-2").Build(),`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`})`
Get tests to compile again and fix lint errors 2023-06-13 19:26:59 +00:00			`idpLister.SetActiveDirectoryIdentityProviders([]*oidctestutil.TestUpstreamLDAPIdentityProvider{`
			`oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ad-idp-2").Build(),`
			`oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("some-other-ad-idp-1").Build(),`
Advertise Active Directory idps 2021-07-02 22:30:27 +00:00			`})`

Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`// Make the same request to the same handler instance again, and expect different results.`
			`rsp = httptest.NewRecorder()`
			`handler.ServeHTTP(rsp, req)`

			`require.Equal(t, test.wantStatus, rsp.Code)`

			`require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))`

Extract Supervisor IDP discovery endpoint types into apis package 2021-08-17 22:23:03 +00:00			`if test.wantFirstResponseBodyJSON != "" {`
			`require.JSONEq(t, test.wantSecondResponseBodyJSON, rsp.Body.String())`
Move Supervisor IDP discovery to its own new endpoint 2021-05-11 17:31:33 +00:00			`}`

			`if test.wantBodyString != "" {`
			`require.Equal(t, test.wantBodyString, rsp.Body.String())`
			`}`
			`})`
			`}`
			`}`