ContainerImage.Pinniped/test/integration/supervisor_upstream_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"encoding/base64"
	"testing"

	"github.com/stretchr/testify/require"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
	"go.pinniped.dev/test/library"
)

func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
	env := library.IntegrationEnv(t)

	t.Run("invalid missing secret and bad issuer", func(t *testing.T) {
		t.Parallel()
		spec := v1alpha1.UpstreamOIDCProviderSpec{
			Issuer: "https://127.0.0.1:444444/issuer",
			Client: v1alpha1.OIDCClient{
				SecretName: "does-not-exist",
			},
		}
		upstream := library.CreateTestUpstreamOIDCProvider(t, spec, v1alpha1.PhaseError)
		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
			{
				Type:    "ClientCredentialsValid",
				Status:  v1alpha1.ConditionFalse,
				Reason:  "SecretNotFound",
				Message: `secret "does-not-exist" not found`,
			},
			{
				Type:    "OIDCDiscoverySucceeded",
				Status:  v1alpha1.ConditionFalse,
				Reason:  "Unreachable",
				Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer"`,
			},
		})
	})

	t.Run("valid", func(t *testing.T) {
		t.Parallel()
		spec := v1alpha1.UpstreamOIDCProviderSpec{
			Issuer: env.SupervisorTestUpstream.Issuer,
			TLS: &v1alpha1.TLSSpec{
				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)),
			},
			AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
				AdditionalScopes: []string{"email", "profile"},
			},
			Client: v1alpha1.OIDCClient{
				SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
			},
		}
		upstream := library.CreateTestUpstreamOIDCProvider(t, spec, v1alpha1.PhaseReady)
		expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
			{
				Type:    "ClientCredentialsValid",
				Status:  v1alpha1.ConditionTrue,
				Reason:  "Success",
				Message: "loaded client credentials",
			},
			{
				Type:    "OIDCDiscoverySucceeded",
				Status:  v1alpha1.ConditionTrue,
				Reason:  "Success",
				Message: "discovered issuer configuration",
			},
		})
	})
}

func expectUpstreamConditions(t *testing.T, upstream *v1alpha1.UpstreamOIDCProvider, expected []v1alpha1.Condition) {
	t.Helper()
	normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions))
	for _, c := range upstream.Status.Conditions {
		c.ObservedGeneration = 0
		c.LastTransitionTime = metav1.Time{}
		normalized = append(normalized, c)
	}
	require.ElementsMatch(t, expected, normalized)
}
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package integration`

			`import (`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`"encoding/base64"`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`"testing"`

			`"github.com/stretchr/testify/require"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

			`"go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"`
			`"go.pinniped.dev/test/library"`
			`)`

			`func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`env := library.IntegrationEnv(t)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00
			`t.Run("invalid missing secret and bad issuer", func(t *testing.T) {`
			`t.Parallel()`
			`spec := v1alpha1.UpstreamOIDCProviderSpec{`
			`Issuer: "https://127.0.0.1:444444/issuer",`
			`Client: v1alpha1.OIDCClient{`
			`SecretName: "does-not-exist",`
			`},`
			`}`
Extend the test client helpers in ./test/library/client.go. This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 21:32:54 +00:00			`upstream := library.CreateTestUpstreamOIDCProvider(t, spec, v1alpha1.PhaseError)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`expectUpstreamConditions(t, upstream, []v1alpha1.Condition{`
			`{`
			`Type: "ClientCredentialsValid",`
			`Status: v1alpha1.ConditionFalse,`
			`Reason: "SecretNotFound",`
			Message: `secret "does-not-exist" not found`,
			`},`
			`{`
			`Type: "OIDCDiscoverySucceeded",`
			`Status: v1alpha1.ConditionFalse,`
			`Reason: "Unreachable",`
Mask the raw error messages from go-oidc, since they are dangerous. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-13 21:29:32 +00:00			Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer"`,
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`},`
			`})`
			`})`

			`t.Run("valid", func(t *testing.T) {`
			`t.Parallel()`
			`spec := v1alpha1.UpstreamOIDCProviderSpec{`
Split test environment variables so there's a specific supervisor upstream client. Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-19 21:05:31 +00:00			`Issuer: env.SupervisorTestUpstream.Issuer,`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`TLS: &v1alpha1.TLSSpec{`
Split test environment variables so there's a specific supervisor upstream client. Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-19 21:05:31 +00:00			`CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)),`
Update integration tests to use HTTPS Dex for UpstreamOIDCProvider testing. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-17 00:16:16 +00:00			`},`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{`
			`AdditionalScopes: []string{"email", "profile"},`
			`},`
			`Client: v1alpha1.OIDCClient{`
Extend the test client helpers in ./test/library/client.go. This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 21:32:54 +00:00			`SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`},`
			`}`
Extend the test client helpers in ./test/library/client.go. This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 21:32:54 +00:00			`upstream := library.CreateTestUpstreamOIDCProvider(t, spec, v1alpha1.PhaseReady)`
Add integration tests for UpstreamOIDCProvider status. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-12 00:28:42 +00:00			`expectUpstreamConditions(t, upstream, []v1alpha1.Condition{`
			`{`
			`Type: "ClientCredentialsValid",`
			`Status: v1alpha1.ConditionTrue,`
			`Reason: "Success",`
			`Message: "loaded client credentials",`
			`},`
			`{`
			`Type: "OIDCDiscoverySucceeded",`
			`Status: v1alpha1.ConditionTrue,`
			`Reason: "Success",`
			`Message: "discovered issuer configuration",`
			`},`
			`})`
			`})`
			`}`

			`func expectUpstreamConditions(t testing.T, upstream v1alpha1.UpstreamOIDCProvider, expected []v1alpha1.Condition) {`
			`t.Helper()`
			`normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions))`
			`for _, c := range upstream.Status.Conditions {`
			`c.ObservedGeneration = 0`
			`c.LastTransitionTime = metav1.Time{}`
			`normalized = append(normalized, c)`
			`}`
			`require.ElementsMatch(t, expected, normalized)`
			`}`