2020-10-06 19:20:29 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package integration
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2020-10-20 23:46:33 +00:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2020-10-27 21:57:25 +00:00
|
|
|
"crypto/x509/pkix"
|
2020-10-19 19:21:18 +00:00
|
|
|
"encoding/json"
|
2020-10-07 00:53:29 +00:00
|
|
|
"fmt"
|
|
|
|
"io/ioutil"
|
2020-10-27 21:57:25 +00:00
|
|
|
"net"
|
2020-10-07 00:53:29 +00:00
|
|
|
"net/http"
|
2020-10-20 21:00:36 +00:00
|
|
|
"net/url"
|
|
|
|
"strings"
|
2020-10-06 19:20:29 +00:00
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2020-10-07 00:53:29 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2020-10-06 19:20:29 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2020-10-27 21:57:25 +00:00
|
|
|
corev1 "k8s.io/api/core/v1"
|
2020-10-06 19:20:29 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2020-10-27 21:57:25 +00:00
|
|
|
"k8s.io/client-go/kubernetes"
|
2020-10-07 00:53:29 +00:00
|
|
|
|
|
|
|
"go.pinniped.dev/generated/1.19/apis/config/v1alpha1"
|
2020-10-08 02:18:34 +00:00
|
|
|
pinnipedclientset "go.pinniped.dev/generated/1.19/client/clientset/versioned"
|
2020-10-27 21:57:25 +00:00
|
|
|
"go.pinniped.dev/internal/certauthority"
|
2020-10-07 00:53:29 +00:00
|
|
|
"go.pinniped.dev/internal/here"
|
|
|
|
"go.pinniped.dev/test/library"
|
2020-10-06 19:20:29 +00:00
|
|
|
)
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func TestSupervisorTLSTerminationWithSNI(t *testing.T) {
|
2020-10-06 19:20:29 +00:00
|
|
|
env := library.IntegrationEnv(t)
|
2020-10-27 21:57:25 +00:00
|
|
|
pinnipedClient := library.NewPinnipedClientset(t)
|
|
|
|
kubeClient := library.NewClientset(t)
|
2020-10-06 19:20:29 +00:00
|
|
|
|
2020-10-07 00:53:29 +00:00
|
|
|
ns := env.SupervisorNamespace
|
2020-10-27 21:57:25 +00:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
2020-10-06 19:20:29 +00:00
|
|
|
defer cancel()
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, pinnipedClient)
|
|
|
|
|
|
|
|
scheme := "https"
|
|
|
|
address := env.SupervisorHTTPSAddress // hostname and port for direct access to the supervisor's port 443
|
|
|
|
|
|
|
|
hostname1 := strings.Split(address, ":")[0]
|
|
|
|
issuer1 := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
|
|
|
sniCertificateSecretName1 := "integration-test-sni-cert-1"
|
|
|
|
|
|
|
|
// Create an OIDCProviderConfig with an sniCertificateSecretName.
|
|
|
|
oidcProviderConfig1 := library.CreateTestOIDCProvider(ctx, t, issuer1, sniCertificateSecretName1)
|
|
|
|
requireStatus(t, pinnipedClient, oidcProviderConfig1.Namespace, oidcProviderConfig1.Name, v1alpha1.SuccessOIDCProviderStatus)
|
|
|
|
|
|
|
|
// The sniCertificateSecretName Secret does not exist, so the endpoints should fail with TLS errors.
|
|
|
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
|
|
|
|
|
|
|
// Create the Secret.
|
2020-10-27 23:33:08 +00:00
|
|
|
ca1 := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1, kubeClient)
|
2020-10-27 21:57:25 +00:00
|
|
|
|
|
|
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1.Bundle()), issuer1, nil)
|
|
|
|
|
|
|
|
// Update the config to take away the sniCertificateSecretName.
|
|
|
|
sniCertificateSecretName1update := "integration-test-sni-cert-1-update"
|
|
|
|
oidcProviderConfig1LatestVersion, err := pinnipedClient.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, oidcProviderConfig1.Name, metav1.GetOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
oidcProviderConfig1LatestVersion.Spec.SNICertificateSecretName = sniCertificateSecretName1update
|
|
|
|
_, err = pinnipedClient.ConfigV1alpha1().OIDCProviderConfigs(ns).Update(ctx, oidcProviderConfig1LatestVersion, metav1.UpdateOptions{})
|
2020-10-07 00:53:29 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
// The the endpoints should fail with TLS errors again.
|
|
|
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuer1)
|
2020-10-07 14:53:05 +00:00
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
// Create a Secret at the updated name.
|
2020-10-27 23:33:08 +00:00
|
|
|
ca1update := createTLSCertificateSecret(ctx, t, ns, hostname1, nil, sniCertificateSecretName1update, kubeClient)
|
2020-10-27 21:57:25 +00:00
|
|
|
|
|
|
|
// Now that the Secret exists at the new name, we should be able to access the endpoints by hostname using the CA.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(ca1update.Bundle()), issuer1, nil)
|
|
|
|
|
|
|
|
// To test SNI virtual hosting, send requests to discovery endpoints when the public address is different from the issuer name.
|
|
|
|
hostname2 := "some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com"
|
|
|
|
hostnamePort2 := "2684"
|
|
|
|
issuer2 := fmt.Sprintf("%s://%s:%s/issuer2", scheme, hostname2, hostnamePort2)
|
|
|
|
sniCertificateSecretName2 := "integration-test-sni-cert-2"
|
|
|
|
|
|
|
|
// Create an OIDCProviderConfig with an sniCertificateSecretName.
|
|
|
|
oidcProviderConfig2 := library.CreateTestOIDCProvider(ctx, t, issuer2, sniCertificateSecretName2)
|
|
|
|
requireStatus(t, pinnipedClient, oidcProviderConfig2.Namespace, oidcProviderConfig2.Name, v1alpha1.SuccessOIDCProviderStatus)
|
|
|
|
|
|
|
|
// Create the Secret.
|
2020-10-27 23:33:08 +00:00
|
|
|
ca2 := createTLSCertificateSecret(ctx, t, ns, hostname2, nil, sniCertificateSecretName2, kubeClient)
|
2020-10-27 21:57:25 +00:00
|
|
|
|
|
|
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, hostname2+":"+hostnamePort2, string(ca2.Bundle()), issuer2, map[string]string{
|
|
|
|
hostname2 + ":" + hostnamePort2: address,
|
2020-10-07 00:53:29 +00:00
|
|
|
})
|
2020-10-27 21:57:25 +00:00
|
|
|
}
|
|
|
|
|
2020-10-28 15:58:50 +00:00
|
|
|
func TestSupervisorTLSTerminationWithDefaultCerts(t *testing.T) {
|
|
|
|
env := library.IntegrationEnv(t)
|
|
|
|
pinnipedClient := library.NewPinnipedClientset(t)
|
|
|
|
kubeClient := library.NewClientset(t)
|
|
|
|
|
|
|
|
ns := env.SupervisorNamespace
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, pinnipedClient)
|
|
|
|
|
|
|
|
scheme := "https"
|
|
|
|
address := env.SupervisorHTTPSAddress // hostname and port for direct access to the supervisor's port 443
|
|
|
|
|
|
|
|
hostAndPortSegments := strings.Split(address, ":")
|
|
|
|
hostname := hostAndPortSegments[0]
|
|
|
|
port := "443"
|
|
|
|
if len(hostAndPortSegments) > 1 {
|
|
|
|
port = hostAndPortSegments[1]
|
|
|
|
}
|
|
|
|
ips, err := net.DefaultResolver.LookupIP(ctx, "ip4", hostname)
|
|
|
|
require.NoError(t, err)
|
|
|
|
ip := ips[0]
|
|
|
|
ipAsString := ip.String()
|
|
|
|
ipWithPort := ipAsString + ":" + port
|
|
|
|
|
|
|
|
issuerUsingIPAddress := fmt.Sprintf("%s://%s/issuer1", scheme, ipWithPort)
|
|
|
|
issuerUsingHostname := fmt.Sprintf("%s://%s/issuer1", scheme, address)
|
|
|
|
|
|
|
|
// Create an OIDCProviderConfig without an sniCertificateSecretName.
|
|
|
|
oidcProviderConfig1 := library.CreateTestOIDCProvider(ctx, t, issuerUsingIPAddress, "")
|
|
|
|
requireStatus(t, pinnipedClient, oidcProviderConfig1.Namespace, oidcProviderConfig1.Name, v1alpha1.SuccessOIDCProviderStatus)
|
|
|
|
|
|
|
|
// There is no default TLS cert and the sniCertificateSecretName was not set, so the endpoints should fail with TLS errors.
|
|
|
|
requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t, issuerUsingIPAddress)
|
|
|
|
|
|
|
|
// Create a Secret at the special name which represents the default TLS cert.
|
|
|
|
specialNameForDefaultTLSCertSecret := "default-tls-certificate" //nolint:gosec // this is not a hardcoded credential
|
|
|
|
defaultCA := createTLSCertificateSecret(ctx, t, ns, "cert-hostname-doesnt-matter", []net.IP{ip}, specialNameForDefaultTLSCertSecret, kubeClient)
|
|
|
|
|
|
|
|
// Now that the Secret exists, we should be able to access the endpoints by IP address using the CA.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
|
|
|
|
|
|
|
// Create an OIDCProviderConfig with an sniCertificateSecretName.
|
|
|
|
sniCertificateSecretName := "integration-test-sni-cert-1"
|
|
|
|
oidcProviderConfig2 := library.CreateTestOIDCProvider(ctx, t, issuerUsingHostname, sniCertificateSecretName)
|
|
|
|
requireStatus(t, pinnipedClient, oidcProviderConfig2.Namespace, oidcProviderConfig2.Name, v1alpha1.SuccessOIDCProviderStatus)
|
|
|
|
|
|
|
|
// Create the Secret.
|
|
|
|
sniCA := createTLSCertificateSecret(ctx, t, ns, hostname, nil, sniCertificateSecretName, kubeClient)
|
|
|
|
|
|
|
|
// Now that the Secret exists, we should be able to access the endpoints by hostname using the CA from the SNI cert.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, address, string(sniCA.Bundle()), issuerUsingHostname, nil)
|
|
|
|
|
|
|
|
// And we can still access the other issuer using the default cert.
|
|
|
|
_ = requireDiscoveryEndpointsAreWorking(t, scheme, ipWithPort, string(defaultCA.Bundle()), issuerUsingIPAddress, nil)
|
|
|
|
}
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func TestSupervisorOIDCDiscovery(t *testing.T) {
|
|
|
|
env := library.IntegrationEnv(t)
|
|
|
|
client := library.NewPinnipedClientset(t)
|
|
|
|
|
|
|
|
ns := env.SupervisorNamespace
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
temporarilyRemoveAllOIDCProviderConfigs(ctx, t, ns, client)
|
2020-10-07 00:53:29 +00:00
|
|
|
|
2020-10-20 22:57:10 +00:00
|
|
|
tests := []struct {
|
2020-10-20 23:46:33 +00:00
|
|
|
Scheme string
|
|
|
|
Address string
|
|
|
|
CABundle string
|
2020-10-20 22:57:10 +00:00
|
|
|
}{
|
|
|
|
{Scheme: "http", Address: env.SupervisorHTTPAddress},
|
2020-10-27 21:57:25 +00:00
|
|
|
{Scheme: "https", Address: env.SupervisorHTTPSIngressAddress, CABundle: env.SupervisorHTTPSIngressCABundle},
|
2020-10-20 22:57:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, test := range tests {
|
2020-10-20 23:46:33 +00:00
|
|
|
scheme := test.Scheme
|
|
|
|
addr := test.Address
|
|
|
|
caBundle := test.CABundle
|
2020-10-20 22:57:10 +00:00
|
|
|
|
2020-10-20 23:46:33 +00:00
|
|
|
if addr == "" {
|
2020-10-20 22:57:10 +00:00
|
|
|
// Both cases are not required, so when one is empty skip it.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs.
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, fmt.Sprintf("%s://%s", scheme, addr))
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// Define several unique issuer strings.
|
2020-10-20 23:46:33 +00:00
|
|
|
issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", scheme, addr)
|
|
|
|
issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", scheme, addr)
|
|
|
|
issuer3 := fmt.Sprintf("%s://%s/issuer3", scheme, addr)
|
|
|
|
issuer4 := fmt.Sprintf("%s://%s/issuer4", scheme, addr)
|
|
|
|
issuer5 := fmt.Sprintf("%s://%s/issuer5", scheme, addr)
|
|
|
|
issuer6 := fmt.Sprintf("%s://%s/issuer6", scheme, addr)
|
|
|
|
badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", scheme, addr)
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists.
|
2020-10-20 23:46:33 +00:00
|
|
|
config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer1, client)
|
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, scheme, addr, caBundle, issuer1)
|
|
|
|
config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer2, client)
|
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, scheme, addr, caBundle, issuer2)
|
2020-10-20 22:57:10 +00:00
|
|
|
// The auto-created JWK's were different from each other.
|
|
|
|
require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"])
|
|
|
|
require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"])
|
|
|
|
|
|
|
|
// When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint.
|
2020-10-20 23:46:33 +00:00
|
|
|
config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer3, client)
|
|
|
|
config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer4, client)
|
2020-10-27 21:57:25 +00:00
|
|
|
requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer3, nil) // discovery for issuer3 is still working after issuer4 started working
|
2020-10-20 22:57:10 +00:00
|
|
|
// The auto-created JWK's were different from each other.
|
|
|
|
require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"])
|
|
|
|
require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"])
|
|
|
|
|
|
|
|
// Editing a provider to change the issuer name updates the endpoints that are being served.
|
|
|
|
updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5)
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer4)
|
2020-10-27 21:57:25 +00:00
|
|
|
jwks5 := requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer5, nil)
|
2020-10-20 22:57:10 +00:00
|
|
|
// The JWK did not change when the issuer name was updated.
|
|
|
|
require.Equal(t, jwks4.Keys[0], jwks5.Keys[0])
|
|
|
|
|
|
|
|
// When they are deleted they stop serving discovery endpoints.
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, scheme, addr, caBundle, issuer3)
|
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, scheme, addr, caBundle, issuer5)
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving.
|
2020-10-20 23:46:33 +00:00
|
|
|
config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer6, client)
|
2020-10-27 21:57:25 +00:00
|
|
|
config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6, "")
|
2020-10-20 22:57:10 +00:00
|
|
|
requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus)
|
|
|
|
requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus)
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer6)
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// If we delete the first duplicate issuer, the second duplicate issuer starts serving.
|
|
|
|
requireDelete(t, client, ns, config6Duplicate1.Name)
|
2020-10-27 21:57:25 +00:00
|
|
|
requireWellKnownEndpointIsWorking(t, scheme, addr, caBundle, issuer6, nil)
|
2020-10-20 22:57:10 +00:00
|
|
|
requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus)
|
|
|
|
|
|
|
|
// When we finally delete all issuers, the endpoint should be down.
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, scheme, addr, caBundle, issuer6)
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name.
|
2020-10-20 23:46:33 +00:00
|
|
|
issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", scheme)
|
|
|
|
config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer7, client)
|
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, scheme, addr, caBundle, issuer7)
|
2020-10-20 22:57:10 +00:00
|
|
|
|
|
|
|
// When we create a provider with an invalid issuer, the status is set to invalid.
|
2020-10-27 21:57:25 +00:00
|
|
|
badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer, "")
|
2020-10-20 22:57:10 +00:00
|
|
|
requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus)
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, badIssuer)
|
|
|
|
requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, scheme, addr, caBundle, badIssuer)
|
2020-10-20 22:57:10 +00:00
|
|
|
}
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
|
2020-10-27 23:33:08 +00:00
|
|
|
func createTLSCertificateSecret(ctx context.Context, t *testing.T, ns string, hostname string, ips []net.IP, secretName string, kubeClient kubernetes.Interface) *certauthority.CA {
|
2020-10-27 21:57:25 +00:00
|
|
|
// Create a CA.
|
|
|
|
ca, err := certauthority.New(pkix.Name{CommonName: "Acme Corp"}, 1000*time.Hour)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Using the CA, create a TLS server cert.
|
2020-10-27 23:33:08 +00:00
|
|
|
tlsCert, err := ca.Issue(pkix.Name{CommonName: hostname}, []string{hostname}, ips, 1000*time.Hour)
|
2020-10-27 21:57:25 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Write the serving cert to the SNI secret.
|
|
|
|
tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
|
|
|
|
require.NoError(t, err)
|
|
|
|
secret := corev1.Secret{
|
|
|
|
TypeMeta: metav1.TypeMeta{},
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2020-10-27 23:33:08 +00:00
|
|
|
Name: secretName,
|
2020-10-27 21:57:25 +00:00
|
|
|
Namespace: ns,
|
|
|
|
},
|
|
|
|
StringData: map[string]string{
|
|
|
|
"tls.crt": string(tlsCertChainPEM),
|
|
|
|
"tls.key": string(tlsPrivateKeyPEM),
|
|
|
|
},
|
|
|
|
}
|
|
|
|
_, err = kubeClient.CoreV1().Secrets(ns).Create(ctx, &secret, metav1.CreateOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Delete the Secret when the test ends.
|
|
|
|
t.Cleanup(func() {
|
|
|
|
t.Helper()
|
|
|
|
deleteCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
defer cancel()
|
2020-10-27 23:33:08 +00:00
|
|
|
err := kubeClient.CoreV1().Secrets(ns).Delete(deleteCtx, secretName, metav1.DeleteOptions{})
|
2020-10-27 21:57:25 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
})
|
|
|
|
|
|
|
|
return ca
|
|
|
|
}
|
|
|
|
|
|
|
|
func temporarilyRemoveAllOIDCProviderConfigs(ctx context.Context, t *testing.T, ns string, client pinnipedclientset.Interface) {
|
|
|
|
// Temporarily remove any existing OIDCProviderConfigs from the cluster so we can test from a clean slate.
|
|
|
|
originalConfigList, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).List(ctx, metav1.ListOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
for _, config := range originalConfigList.Items {
|
|
|
|
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, config.Name, metav1.DeleteOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// When this test has finished, recreate any OIDCProviderConfigs that had existed on the cluster before this test.
|
|
|
|
t.Cleanup(func() {
|
|
|
|
cleanupCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
for _, config := range originalConfigList.Items {
|
|
|
|
thisConfig := config
|
|
|
|
thisConfig.ResourceVersion = "" // Get rid of resource version since we can't create an object with one.
|
|
|
|
_, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Create(cleanupCtx, &thisConfig, metav1.CreateOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2020-10-20 21:00:36 +00:00
|
|
|
func jwksURLForIssuer(scheme, host, path string) string {
|
2020-10-20 22:22:03 +00:00
|
|
|
return fmt.Sprintf("%s://%s/%s/jwks.json", scheme, host, strings.TrimPrefix(path, "/"))
|
2020-10-19 19:21:18 +00:00
|
|
|
}
|
|
|
|
|
2020-10-20 21:00:36 +00:00
|
|
|
func wellKnownURLForIssuer(scheme, host, path string) string {
|
2020-10-20 22:22:03 +00:00
|
|
|
return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, strings.TrimPrefix(path, "/"))
|
2020-10-19 19:21:18 +00:00
|
|
|
}
|
|
|
|
|
2020-10-20 23:46:33 +00:00
|
|
|
func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) {
|
2020-10-19 19:21:18 +00:00
|
|
|
t.Helper()
|
2020-10-20 21:00:36 +00:00
|
|
|
issuerURL, err := url.Parse(issuerName)
|
|
|
|
require.NoError(t, err)
|
2020-10-20 23:46:33 +00:00
|
|
|
requireEndpointNotFound(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle)
|
|
|
|
requireEndpointNotFound(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle)
|
2020-10-19 19:21:18 +00:00
|
|
|
}
|
|
|
|
|
2020-10-20 23:46:33 +00:00
|
|
|
func requireEndpointNotFound(t *testing.T, url, host, caBundle string) {
|
2020-10-08 02:18:34 +00:00
|
|
|
t.Helper()
|
2020-10-27 21:57:25 +00:00
|
|
|
httpClient := newHTTPClient(t, caBundle, nil)
|
2020-10-08 02:18:34 +00:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
2020-10-19 19:21:18 +00:00
|
|
|
requestNonExistentPath, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
2020-10-20 21:00:36 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
requestNonExistentPath.Host = host
|
2020-10-08 02:18:34 +00:00
|
|
|
|
|
|
|
var response *http.Response
|
|
|
|
assert.Eventually(t, func() bool {
|
|
|
|
response, err = httpClient.Do(requestNonExistentPath) //nolint:bodyclose
|
|
|
|
return err == nil && response.StatusCode == http.StatusNotFound
|
|
|
|
}, 10*time.Second, 200*time.Millisecond)
|
2020-10-07 00:53:29 +00:00
|
|
|
require.NoError(t, err)
|
2020-10-08 02:18:34 +00:00
|
|
|
require.Equal(t, http.StatusNotFound, response.StatusCode)
|
|
|
|
err = response.Body.Close()
|
2020-10-07 00:53:29 +00:00
|
|
|
require.NoError(t, err)
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
2020-10-07 00:53:29 +00:00
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func requireEndpointHasTLSErrorBecauseCertificatesAreNotReady(t *testing.T, url string) {
|
|
|
|
t.Helper()
|
|
|
|
httpClient := newHTTPClient(t, "", nil)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
assert.Eventually(t, func() bool {
|
|
|
|
_, err = httpClient.Do(request) //nolint:bodyclose
|
|
|
|
return err != nil && strings.Contains(err.Error(), "tls: unrecognized name")
|
|
|
|
}, 10*time.Second, 200*time.Millisecond)
|
|
|
|
require.Error(t, err)
|
2020-10-27 23:33:08 +00:00
|
|
|
require.EqualError(t, err, fmt.Sprintf(`Get "%s": remote error: tls: unrecognized name`, url))
|
2020-10-27 21:57:25 +00:00
|
|
|
}
|
|
|
|
|
2020-10-19 19:21:18 +00:00
|
|
|
func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(
|
2020-10-15 13:09:49 +00:00
|
|
|
ctx context.Context,
|
|
|
|
t *testing.T,
|
2020-10-20 23:46:33 +00:00
|
|
|
supervisorScheme, supervisorAddress, supervisorCABundle string,
|
2020-10-15 13:09:49 +00:00
|
|
|
issuerName string,
|
|
|
|
client pinnipedclientset.Interface,
|
2020-10-19 19:21:18 +00:00
|
|
|
) (*v1alpha1.OIDCProviderConfig, *ExpectedJWKSResponseFormat) {
|
2020-10-08 02:18:34 +00:00
|
|
|
t.Helper()
|
2020-10-27 21:57:25 +00:00
|
|
|
newOIDCProviderConfig := library.CreateTestOIDCProvider(ctx, t, issuerName, "")
|
|
|
|
jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, nil)
|
2020-10-15 13:09:49 +00:00
|
|
|
requireStatus(t, client, newOIDCProviderConfig.Namespace, newOIDCProviderConfig.Name, v1alpha1.SuccessOIDCProviderStatus)
|
2020-10-19 19:21:18 +00:00
|
|
|
return newOIDCProviderConfig, jwksResult
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) *ExpectedJWKSResponseFormat {
|
|
|
|
requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, dnsOverrides)
|
|
|
|
jwksResult := requireJWKSEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, dnsOverrides)
|
2020-10-19 19:21:18 +00:00
|
|
|
return jwksResult
|
|
|
|
}
|
|
|
|
|
2020-10-20 22:22:03 +00:00
|
|
|
func requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(
|
2020-10-19 19:21:18 +00:00
|
|
|
t *testing.T,
|
|
|
|
existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig,
|
|
|
|
client pinnipedclientset.Interface,
|
|
|
|
ns string,
|
2020-10-20 23:46:33 +00:00
|
|
|
supervisorScheme, supervisorAddress, supervisorCABundle string,
|
2020-10-19 19:21:18 +00:00
|
|
|
issuerName string,
|
|
|
|
) {
|
2020-10-08 02:18:34 +00:00
|
|
|
t.Helper()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
// Delete the OIDCProviderConfig.
|
|
|
|
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, existingOIDCProviderConfig.Name, metav1.DeleteOptions{})
|
2020-10-07 00:53:29 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2020-10-08 02:18:34 +00:00
|
|
|
// Fetch that same discovery endpoint as before, but now it should not exist anymore. Give it some time for the endpoint to go away.
|
2020-10-20 23:46:33 +00:00
|
|
|
requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName)
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
2020-10-07 14:53:05 +00:00
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) {
|
2020-10-08 02:18:34 +00:00
|
|
|
t.Helper()
|
2020-10-20 21:00:36 +00:00
|
|
|
issuerURL, err := url.Parse(issuerName)
|
|
|
|
require.NoError(t, err)
|
2020-10-27 21:57:25 +00:00
|
|
|
response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName, supervisorCABundle, dnsOverrides) //nolint:bodyclose
|
2020-10-19 19:21:18 +00:00
|
|
|
|
|
|
|
// Check that the response matches our expectations.
|
|
|
|
expectedResultTemplate := here.Doc(`{
|
|
|
|
"issuer": "%s",
|
|
|
|
"authorization_endpoint": "%s/oauth2/authorize",
|
|
|
|
"token_endpoint": "%s/oauth2/token",
|
|
|
|
"token_endpoint_auth_methods_supported": ["client_secret_basic"],
|
|
|
|
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
|
|
|
|
"jwks_uri": "%s/jwks.json",
|
|
|
|
"scopes_supported": ["openid", "offline"],
|
|
|
|
"response_types_supported": ["code"],
|
|
|
|
"claims_supported": ["groups"],
|
|
|
|
"subject_types_supported": ["public"],
|
|
|
|
"id_token_signing_alg_values_supported": ["RS256"]
|
|
|
|
}`)
|
|
|
|
expectedJSON := fmt.Sprintf(expectedResultTemplate, issuerName, issuerName, issuerName, issuerName)
|
|
|
|
|
|
|
|
require.Equal(t, "application/json", response.Header.Get("content-type"))
|
|
|
|
require.JSONEq(t, expectedJSON, responseBody)
|
|
|
|
}
|
|
|
|
|
|
|
|
type ExpectedJWKSResponseFormat struct {
|
|
|
|
Keys []map[string]string
|
|
|
|
}
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string, dnsOverrides map[string]string) *ExpectedJWKSResponseFormat {
|
2020-10-19 19:21:18 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-10-20 21:00:36 +00:00
|
|
|
issuerURL, err := url.Parse(issuerName)
|
|
|
|
require.NoError(t, err)
|
2020-10-27 21:57:25 +00:00
|
|
|
response, responseBody := requireSuccessEndpointResponse(t, //nolint:bodyclose
|
|
|
|
jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path),
|
|
|
|
issuerName,
|
|
|
|
supervisorCABundle,
|
|
|
|
dnsOverrides,
|
|
|
|
)
|
2020-10-19 19:21:18 +00:00
|
|
|
|
|
|
|
var result ExpectedJWKSResponseFormat
|
2020-10-20 21:00:36 +00:00
|
|
|
err = json.Unmarshal([]byte(responseBody), &result)
|
2020-10-19 19:21:18 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
require.Len(t, result.Keys, 1)
|
|
|
|
jwk := result.Keys[0]
|
|
|
|
require.Len(t, jwk, 7) // make sure there are no extra values, i.e. does not include private key
|
|
|
|
require.NotEmpty(t, jwk["kid"])
|
|
|
|
require.Equal(t, "sig", jwk["use"])
|
|
|
|
require.Equal(t, "EC", jwk["kty"])
|
|
|
|
require.Equal(t, "P-256", jwk["crv"])
|
|
|
|
require.Equal(t, "ES256", jwk["alg"])
|
|
|
|
require.NotEmpty(t, jwk["x"])
|
|
|
|
require.NotEmpty(t, jwk["y"])
|
|
|
|
|
|
|
|
require.Equal(t, "application/json", response.Header.Get("content-type"))
|
|
|
|
|
|
|
|
return &result
|
|
|
|
}
|
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer, caBundle string, dnsOverrides map[string]string) (*http.Response, string) {
|
2020-10-20 23:46:33 +00:00
|
|
|
t.Helper()
|
2020-10-27 21:57:25 +00:00
|
|
|
httpClient := newHTTPClient(t, caBundle, dnsOverrides)
|
|
|
|
|
2020-10-08 02:18:34 +00:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
2020-10-07 00:53:29 +00:00
|
|
|
|
2020-10-08 02:18:34 +00:00
|
|
|
// Define a request to the new discovery endpoint which should have been created by an OIDCProviderConfig.
|
2020-10-07 00:53:29 +00:00
|
|
|
requestDiscoveryEndpoint, err := http.NewRequestWithContext(
|
|
|
|
ctx,
|
|
|
|
http.MethodGet,
|
2020-10-20 21:00:36 +00:00
|
|
|
endpointURL,
|
2020-10-07 00:53:29 +00:00
|
|
|
nil,
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
2020-10-20 22:22:03 +00:00
|
|
|
issuerURL, err := url.Parse(issuer)
|
|
|
|
require.NoError(t, err)
|
|
|
|
// Set the host header on the request to match the issuer's hostname, which could potentially be different
|
|
|
|
// from the public ingress address, e.g. when a load balancer is used, so we want to test here that the host
|
|
|
|
// header is respected by the supervisor server.
|
|
|
|
requestDiscoveryEndpoint.Host = issuerURL.Host
|
2020-10-20 21:00:36 +00:00
|
|
|
|
2020-10-07 00:53:29 +00:00
|
|
|
// Fetch that discovery endpoint. Give it some time for the endpoint to come into existence.
|
|
|
|
var response *http.Response
|
|
|
|
assert.Eventually(t, func() bool {
|
2020-10-08 02:18:34 +00:00
|
|
|
response, err = httpClient.Do(requestDiscoveryEndpoint) //nolint:bodyclose
|
2020-10-07 14:53:05 +00:00
|
|
|
return err == nil && response.StatusCode == http.StatusOK
|
2020-10-07 00:53:29 +00:00
|
|
|
}, 10*time.Second, 200*time.Millisecond)
|
|
|
|
require.NoError(t, err)
|
2020-10-07 14:53:05 +00:00
|
|
|
require.Equal(t, http.StatusOK, response.StatusCode)
|
|
|
|
|
2020-10-07 00:53:29 +00:00
|
|
|
responseBody, err := ioutil.ReadAll(response.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
err = response.Body.Close()
|
|
|
|
require.NoError(t, err)
|
2020-10-19 19:21:18 +00:00
|
|
|
return response, string(responseBody)
|
|
|
|
}
|
2020-10-07 00:53:29 +00:00
|
|
|
|
2020-10-19 19:21:18 +00:00
|
|
|
func editOIDCProviderConfigIssuerName(
|
|
|
|
t *testing.T,
|
|
|
|
existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig,
|
|
|
|
client pinnipedclientset.Interface,
|
|
|
|
ns string,
|
|
|
|
newIssuerName string,
|
|
|
|
) *v1alpha1.OIDCProviderConfig {
|
|
|
|
t.Helper()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
|
|
|
|
defer cancel()
|
2020-10-06 19:20:29 +00:00
|
|
|
|
2020-10-19 19:21:18 +00:00
|
|
|
mostRecentVersion, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, existingOIDCProviderConfig.Name, metav1.GetOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
mostRecentVersion.Spec.Issuer = newIssuerName
|
|
|
|
updated, err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Update(ctx, mostRecentVersion, metav1.UpdateOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
return updated
|
2020-10-06 19:20:29 +00:00
|
|
|
}
|
2020-10-08 02:18:34 +00:00
|
|
|
|
2020-10-08 17:27:45 +00:00
|
|
|
func requireDelete(t *testing.T, client pinnipedclientset.Interface, ns, name string) {
|
|
|
|
t.Helper()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
err := client.ConfigV1alpha1().OIDCProviderConfigs(ns).Delete(ctx, name, metav1.DeleteOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, status v1alpha1.OIDCProviderStatus) {
|
|
|
|
t.Helper()
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
var opc *v1alpha1.OIDCProviderConfig
|
|
|
|
var err error
|
|
|
|
assert.Eventually(t, func() bool {
|
|
|
|
opc, err = client.ConfigV1alpha1().OIDCProviderConfigs(ns).Get(ctx, name, metav1.GetOptions{})
|
|
|
|
return err == nil && opc.Status.Status == status
|
|
|
|
}, 10*time.Second, 200*time.Millisecond)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equalf(t, status, opc.Status.Status, "unexpected status (message = '%s')", opc.Status.Message)
|
|
|
|
}
|
2020-10-20 23:46:33 +00:00
|
|
|
|
2020-10-27 21:57:25 +00:00
|
|
|
func newHTTPClient(t *testing.T, caBundle string, dnsOverrides map[string]string) *http.Client {
|
2020-10-20 23:46:33 +00:00
|
|
|
c := &http.Client{}
|
2020-10-27 21:57:25 +00:00
|
|
|
|
|
|
|
realDialer := &net.Dialer{}
|
|
|
|
overrideDialContext := func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
|
|
replacementAddr, hasKey := dnsOverrides[addr]
|
|
|
|
if hasKey {
|
|
|
|
t.Logf("DialContext replacing addr %s with %s", addr, replacementAddr)
|
|
|
|
addr = replacementAddr
|
|
|
|
} else if dnsOverrides != nil {
|
|
|
|
t.Fatal("dnsOverrides was provided but not used, which was probably a mistake")
|
|
|
|
}
|
|
|
|
return realDialer.DialContext(ctx, network, addr)
|
|
|
|
}
|
|
|
|
|
2020-10-20 23:46:33 +00:00
|
|
|
if caBundle != "" { // CA bundle is optional
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
caCertPool.AppendCertsFromPEM([]byte(caBundle))
|
2020-10-27 21:57:25 +00:00
|
|
|
c.Transport = &http.Transport{
|
|
|
|
DialContext: overrideDialContext,
|
|
|
|
TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: caCertPool},
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
c.Transport = &http.Transport{
|
|
|
|
DialContext: overrideDialContext,
|
|
|
|
}
|
2020-10-20 23:46:33 +00:00
|
|
|
}
|
2020-10-27 21:57:25 +00:00
|
|
|
|
2020-10-20 23:46:33 +00:00
|
|
|
return c
|
|
|
|
}
|