2020-09-16 14:19:51 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
2020-07-09 19:30:59 +00:00
|
|
|
|
|
|
|
package library
|
|
|
|
|
|
|
|
import (
|
2020-09-22 00:55:04 +00:00
|
|
|
"context"
|
2020-10-14 20:41:16 +00:00
|
|
|
"crypto/rand"
|
|
|
|
"encoding/hex"
|
|
|
|
"fmt"
|
|
|
|
"io"
|
2020-08-12 21:29:46 +00:00
|
|
|
"io/ioutil"
|
|
|
|
"os"
|
2020-07-09 19:30:59 +00:00
|
|
|
"testing"
|
2020-09-22 00:55:04 +00:00
|
|
|
"time"
|
2020-07-09 19:30:59 +00:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2020-09-22 00:55:04 +00:00
|
|
|
corev1 "k8s.io/api/core/v1"
|
2020-10-15 13:09:49 +00:00
|
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
2020-09-22 00:55:04 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2020-07-09 19:30:59 +00:00
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
"k8s.io/client-go/rest"
|
|
|
|
"k8s.io/client-go/tools/clientcmd"
|
2020-08-11 17:14:57 +00:00
|
|
|
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
2020-07-23 15:05:21 +00:00
|
|
|
|
2020-10-30 16:03:25 +00:00
|
|
|
auth1alpha1 "go.pinniped.dev/generated/1.19/apis/concierge/authentication/v1alpha1"
|
2020-10-30 20:09:14 +00:00
|
|
|
configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
|
2020-12-02 21:32:54 +00:00
|
|
|
idpv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/idp/v1alpha1"
|
2020-10-30 20:09:14 +00:00
|
|
|
conciergeclientset "go.pinniped.dev/generated/1.19/client/concierge/clientset/versioned"
|
|
|
|
supervisorclientset "go.pinniped.dev/generated/1.19/client/supervisor/clientset/versioned"
|
2020-08-27 13:12:34 +00:00
|
|
|
|
|
|
|
// Import to initialize client auth plugins - the kubeconfig that we use for
|
|
|
|
// testing may use gcloud, az, oidc, etc.
|
|
|
|
_ "k8s.io/client-go/plugin/pkg/client/auth"
|
2020-07-09 19:30:59 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func NewClientConfig(t *testing.T) *rest.Config {
|
|
|
|
t.Helper()
|
|
|
|
|
2020-07-24 15:40:08 +00:00
|
|
|
return newClientConfigWithOverrides(t, &clientcmd.ConfigOverrides{})
|
|
|
|
}
|
|
|
|
|
2020-08-12 21:29:46 +00:00
|
|
|
func NewClientset(t *testing.T) kubernetes.Interface {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
return newClientsetWithConfig(t, NewClientConfig(t))
|
|
|
|
}
|
|
|
|
|
2020-09-15 15:00:38 +00:00
|
|
|
func NewClientsetForKubeConfig(t *testing.T, kubeConfig string) kubernetes.Interface {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
kubeConfigFile, err := ioutil.TempFile("", "pinniped-cli-test-*")
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer os.Remove(kubeConfigFile.Name())
|
|
|
|
|
|
|
|
_, err = kubeConfigFile.Write([]byte(kubeConfig))
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
restConfig, err := clientcmd.BuildConfigFromFlags("", kubeConfigFile.Name())
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
return newClientsetWithConfig(t, restConfig)
|
|
|
|
}
|
|
|
|
|
2020-08-12 21:29:46 +00:00
|
|
|
func NewClientsetWithCertAndKey(t *testing.T, clientCertificateData, clientKeyData string) kubernetes.Interface {
|
|
|
|
t.Helper()
|
|
|
|
|
2020-08-24 15:52:47 +00:00
|
|
|
return newClientsetWithConfig(t, newAnonymousClientRestConfigWithCertAndKeyAdded(t, clientCertificateData, clientKeyData))
|
2020-08-12 21:29:46 +00:00
|
|
|
}
|
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
func NewSupervisorClientset(t *testing.T) supervisorclientset.Interface {
|
2020-07-24 15:40:08 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
return supervisorclientset.NewForConfigOrDie(NewClientConfig(t))
|
2020-08-12 21:29:46 +00:00
|
|
|
}
|
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
func NewConciergeClientset(t *testing.T) conciergeclientset.Interface {
|
2020-08-12 21:29:46 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
return conciergeclientset.NewForConfigOrDie(NewClientConfig(t))
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewAnonymousConciergeClientset(t *testing.T) conciergeclientset.Interface {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
return conciergeclientset.NewForConfigOrDie(newAnonymousClientRestConfig(t))
|
2020-08-12 21:29:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewAggregatedClientset(t *testing.T) aggregatorclient.Interface {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
return aggregatorclient.NewForConfigOrDie(NewClientConfig(t))
|
2020-07-24 15:40:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func newClientConfigWithOverrides(t *testing.T, overrides *clientcmd.ConfigOverrides) *rest.Config {
|
|
|
|
t.Helper()
|
|
|
|
|
2020-07-09 19:30:59 +00:00
|
|
|
loader := clientcmd.NewDefaultClientConfigLoadingRules()
|
2020-07-24 15:40:08 +00:00
|
|
|
clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loader, overrides)
|
2020-07-09 19:30:59 +00:00
|
|
|
config, err := clientConfig.ClientConfig()
|
|
|
|
require.NoError(t, err)
|
|
|
|
return config
|
|
|
|
}
|
|
|
|
|
2020-08-12 21:29:46 +00:00
|
|
|
func newClientsetWithConfig(t *testing.T, config *rest.Config) kubernetes.Interface {
|
2020-07-24 15:40:08 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-07-27 12:52:36 +00:00
|
|
|
result, err := kubernetes.NewForConfig(config)
|
|
|
|
require.NoError(t, err, "unexpected failure from kubernetes.NewForConfig()")
|
|
|
|
return result
|
2020-07-09 19:30:59 +00:00
|
|
|
}
|
2020-07-23 15:05:21 +00:00
|
|
|
|
2020-08-12 21:29:46 +00:00
|
|
|
// Returns a rest.Config without any user authentication info.
|
2020-08-24 15:52:47 +00:00
|
|
|
func newAnonymousClientRestConfig(t *testing.T) *rest.Config {
|
2020-07-23 15:05:21 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-09-28 12:57:47 +00:00
|
|
|
return rest.AnonymousClientConfig(NewClientConfig(t))
|
2020-07-23 15:05:21 +00:00
|
|
|
}
|
2020-08-11 17:14:57 +00:00
|
|
|
|
2020-08-12 21:29:46 +00:00
|
|
|
// Starting with an anonymous client config, add a cert and key to use for authentication in the API server.
|
2020-08-24 15:52:47 +00:00
|
|
|
func newAnonymousClientRestConfigWithCertAndKeyAdded(t *testing.T, clientCertificateData, clientKeyData string) *rest.Config {
|
2020-08-11 17:14:57 +00:00
|
|
|
t.Helper()
|
|
|
|
|
2020-08-24 15:52:47 +00:00
|
|
|
config := newAnonymousClientRestConfig(t)
|
|
|
|
config.CertData = []byte(clientCertificateData)
|
|
|
|
config.KeyData = []byte(clientKeyData)
|
|
|
|
return config
|
2020-08-11 17:14:57 +00:00
|
|
|
}
|
2020-09-22 00:55:04 +00:00
|
|
|
|
2020-10-30 19:02:21 +00:00
|
|
|
// CreateTestWebhookAuthenticator creates and returns a test WebhookAuthenticator in $PINNIPED_TEST_CONCIERGE_NAMESPACE, which will be
|
2020-09-22 00:55:04 +00:00
|
|
|
// automatically deleted at the end of the current test's lifetime. It returns a corev1.TypedLocalObjectReference which
|
2020-10-30 19:02:21 +00:00
|
|
|
// describes the test webhook authenticator within the test namespace.
|
|
|
|
func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
2020-09-22 00:55:04 +00:00
|
|
|
t.Helper()
|
2020-09-24 22:51:43 +00:00
|
|
|
testEnv := IntegrationEnv(t)
|
2020-09-22 00:55:04 +00:00
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
client := NewConciergeClientset(t)
|
2020-10-30 16:39:26 +00:00
|
|
|
webhooks := client.AuthenticationV1alpha1().WebhookAuthenticators(testEnv.ConciergeNamespace)
|
2020-09-22 00:55:04 +00:00
|
|
|
|
|
|
|
createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
|
|
|
|
defer cancel()
|
2020-09-22 16:23:34 +00:00
|
|
|
|
2020-10-30 19:02:21 +00:00
|
|
|
webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
|
2020-12-02 21:32:54 +00:00
|
|
|
ObjectMeta: testObjectMeta(t, "webhook"),
|
|
|
|
Spec: testEnv.TestWebhook,
|
2020-09-22 00:55:04 +00:00
|
|
|
}, metav1.CreateOptions{})
|
2020-10-30 16:39:26 +00:00
|
|
|
require.NoError(t, err, "could not create test WebhookAuthenticator")
|
2020-10-30 19:02:21 +00:00
|
|
|
t.Logf("created test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
|
2020-09-22 00:55:04 +00:00
|
|
|
|
|
|
|
t.Cleanup(func() {
|
2020-09-22 15:02:32 +00:00
|
|
|
t.Helper()
|
2020-10-30 19:02:21 +00:00
|
|
|
t.Logf("cleaning up test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
|
2020-09-22 00:55:04 +00:00
|
|
|
deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
|
|
defer cancel()
|
2020-10-30 19:02:21 +00:00
|
|
|
err := webhooks.Delete(deleteCtx, webhook.Name, metav1.DeleteOptions{})
|
|
|
|
require.NoErrorf(t, err, "could not cleanup test WebhookAuthenticator %s/%s", webhook.Namespace, webhook.Name)
|
2020-09-22 00:55:04 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
return corev1.TypedLocalObjectReference{
|
2020-10-30 16:03:25 +00:00
|
|
|
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
2020-10-30 16:39:26 +00:00
|
|
|
Kind: "WebhookAuthenticator",
|
2020-10-30 19:02:21 +00:00
|
|
|
Name: webhook.Name,
|
2020-09-22 00:55:04 +00:00
|
|
|
}
|
|
|
|
}
|
2020-10-14 20:41:16 +00:00
|
|
|
|
2020-11-02 22:24:55 +00:00
|
|
|
// CreateTestOIDCProvider creates and returns a test OIDCProvider in
|
2020-10-14 20:41:16 +00:00
|
|
|
// $PINNIPED_TEST_SUPERVISOR_NAMESPACE, which will be automatically deleted at the end of the
|
2020-11-02 22:24:55 +00:00
|
|
|
// current test's lifetime. It generates a random, valid, issuer for the OIDCProvider.
|
2020-10-15 13:09:49 +00:00
|
|
|
//
|
|
|
|
// If the provided issuer is not the empty string, then it will be used for the
|
2020-11-02 22:24:55 +00:00
|
|
|
// OIDCProvider.Spec.Issuer field. Else, a random issuer will be generated.
|
2020-12-02 21:32:54 +00:00
|
|
|
func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer string, certSecretName string, expectStatus configv1alpha1.OIDCProviderStatusCondition) *configv1alpha1.OIDCProvider {
|
2020-10-14 20:41:16 +00:00
|
|
|
t.Helper()
|
|
|
|
testEnv := IntegrationEnv(t)
|
|
|
|
|
|
|
|
createContext, cancel := context.WithTimeout(ctx, 5*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
|
2020-10-15 13:09:49 +00:00
|
|
|
if issuer == "" {
|
2020-12-02 21:32:54 +00:00
|
|
|
issuer = randomIssuer(t)
|
2020-10-15 13:09:49 +00:00
|
|
|
}
|
2020-10-14 20:41:16 +00:00
|
|
|
|
2020-11-02 22:24:55 +00:00
|
|
|
opcs := NewSupervisorClientset(t).ConfigV1alpha1().OIDCProviders(testEnv.SupervisorNamespace)
|
|
|
|
opc, err := opcs.Create(createContext, &configv1alpha1.OIDCProvider{
|
2020-12-02 21:32:54 +00:00
|
|
|
ObjectMeta: testObjectMeta(t, "oidc-provider"),
|
2020-11-02 22:24:55 +00:00
|
|
|
Spec: configv1alpha1.OIDCProviderSpec{
|
2020-11-02 22:55:29 +00:00
|
|
|
Issuer: issuer,
|
|
|
|
TLS: &configv1alpha1.OIDCProviderTLSSpec{SecretName: certSecretName},
|
2020-10-14 20:41:16 +00:00
|
|
|
},
|
|
|
|
}, metav1.CreateOptions{})
|
2020-11-02 22:24:55 +00:00
|
|
|
require.NoError(t, err, "could not create test OIDCProvider")
|
|
|
|
t.Logf("created test OIDCProvider %s/%s", opc.Namespace, opc.Name)
|
2020-10-14 20:41:16 +00:00
|
|
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
t.Helper()
|
2020-11-02 22:24:55 +00:00
|
|
|
t.Logf("cleaning up test OIDCProvider %s/%s", opc.Namespace, opc.Name)
|
2020-10-14 20:41:16 +00:00
|
|
|
deleteCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
err := opcs.Delete(deleteCtx, opc.Name, metav1.DeleteOptions{})
|
2020-10-15 13:09:49 +00:00
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
// It's okay if it is not found, because it might have been deleted by another part of this test.
|
|
|
|
if !notFound {
|
2020-11-02 22:24:55 +00:00
|
|
|
require.NoErrorf(t, err, "could not cleanup test OIDCProvider %s/%s", opc.Namespace, opc.Name)
|
2020-10-15 13:09:49 +00:00
|
|
|
}
|
2020-10-14 20:41:16 +00:00
|
|
|
})
|
|
|
|
|
2020-12-02 21:32:54 +00:00
|
|
|
// If we're not expecting any particular status, just return the new OIDCProvider immediately.
|
|
|
|
if expectStatus == "" {
|
|
|
|
return opc
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait for the OIDCProvider to enter the expected phase (or time out).
|
|
|
|
var result *configv1alpha1.OIDCProvider
|
|
|
|
require.Eventuallyf(t, func() bool {
|
|
|
|
var err error
|
|
|
|
result, err = opcs.Get(ctx, opc.Name, metav1.GetOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
return result.Status.Status == expectStatus
|
|
|
|
}, 60*time.Second, 1*time.Second, "expected the UpstreamOIDCProvider to go into phase %s", expectStatus)
|
|
|
|
|
2020-10-14 20:41:16 +00:00
|
|
|
return opc
|
|
|
|
}
|
|
|
|
|
2020-12-02 21:32:54 +00:00
|
|
|
func randomIssuer(t *testing.T) string {
|
2020-10-14 20:41:16 +00:00
|
|
|
var buf [8]byte
|
2020-12-02 21:32:54 +00:00
|
|
|
_, err := io.ReadFull(rand.Reader, buf[:])
|
|
|
|
require.NoError(t, err)
|
|
|
|
return fmt.Sprintf("http://test-issuer-%s.pinniped.dev", hex.EncodeToString(buf[:]))
|
|
|
|
}
|
|
|
|
|
|
|
|
func CreateTestSecret(t *testing.T, namespace string, baseName string, secretType string, stringData map[string]string) *corev1.Secret {
|
|
|
|
t.Helper()
|
|
|
|
client := NewClientset(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
created, err := client.CoreV1().Secrets(namespace).Create(ctx, &corev1.Secret{
|
|
|
|
ObjectMeta: testObjectMeta(t, baseName),
|
|
|
|
Type: corev1.SecretType(secretType),
|
|
|
|
StringData: stringData,
|
|
|
|
}, metav1.CreateOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
err := client.CoreV1().Secrets(namespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
})
|
|
|
|
t.Logf("created test Secret %s", created.Name)
|
|
|
|
return created
|
|
|
|
}
|
|
|
|
|
|
|
|
func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret {
|
|
|
|
t.Helper()
|
|
|
|
env := IntegrationEnv(t)
|
|
|
|
return CreateTestSecret(t,
|
|
|
|
env.SupervisorNamespace,
|
|
|
|
"test-client-creds-",
|
|
|
|
"secrets.pinniped.dev/oidc-client",
|
|
|
|
map[string]string{
|
|
|
|
"clientID": clientID,
|
|
|
|
"clientSecret": clientSecret,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
func CreateTestUpstreamOIDCProvider(t *testing.T, spec idpv1alpha1.UpstreamOIDCProviderSpec, expectedPhase idpv1alpha1.UpstreamOIDCProviderPhase) *idpv1alpha1.UpstreamOIDCProvider {
|
|
|
|
t.Helper()
|
|
|
|
env := IntegrationEnv(t)
|
|
|
|
client := NewSupervisorClientset(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
// Create the UpstreamOIDCProvider using GenerateName to get a random name.
|
|
|
|
upstreams := client.IDPV1alpha1().UpstreamOIDCProviders(env.SupervisorNamespace)
|
|
|
|
|
|
|
|
created, err := upstreams.Create(ctx, &idpv1alpha1.UpstreamOIDCProvider{
|
|
|
|
ObjectMeta: testObjectMeta(t, "upstream"),
|
|
|
|
Spec: spec,
|
|
|
|
}, metav1.CreateOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Always clean this up after this point.
|
|
|
|
t.Cleanup(func() {
|
|
|
|
err := upstreams.Delete(context.Background(), created.Name, metav1.DeleteOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
})
|
|
|
|
t.Logf("created test UpstreamOIDCProvider %s", created.Name)
|
|
|
|
|
|
|
|
// Wait for the UpstreamOIDCProvider to enter the expected phase (or time out).
|
|
|
|
var result *idpv1alpha1.UpstreamOIDCProvider
|
|
|
|
require.Eventuallyf(t, func() bool {
|
|
|
|
var err error
|
|
|
|
result, err = upstreams.Get(ctx, created.Name, metav1.GetOptions{})
|
|
|
|
require.NoError(t, err)
|
|
|
|
return result.Status.Phase == expectedPhase
|
|
|
|
}, 60*time.Second, 1*time.Second, "expected the UpstreamOIDCProvider to go into phase %s", expectedPhase)
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
func testObjectMeta(t *testing.T, baseName string) metav1.ObjectMeta {
|
|
|
|
return metav1.ObjectMeta{
|
|
|
|
GenerateName: fmt.Sprintf("test-%s-", baseName),
|
|
|
|
Labels: map[string]string{"pinniped.dev/test": ""},
|
|
|
|
Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
|
2020-10-14 20:41:16 +00:00
|
|
|
}
|
|
|
|
}
|