ContainerImage.Pinniped/test/integration/supervisor_keys_test.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package integration

import (
	"context"
	"encoding/json"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"gopkg.in/square/go-jose.v2"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
	"go.pinniped.dev/test/library"
)

func TestSupervisorOIDCKeys(t *testing.T) {
	env := library.IntegrationEnv(t)
	kubeClient := library.NewClientset(t)
	supervisorClient := library.NewSupervisorClientset(t)

	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	// Create our OPC under test.
	opc := library.CreateTestOIDCProvider(ctx, t, "", "")

	// Ensure a secret is created with the OPC's JWKS.
	var updatedOPC *configv1alpha1.OIDCProvider
	var err error
	assert.Eventually(t, func() bool {
		updatedOPC, err = supervisorClient.
			ConfigV1alpha1().
			OIDCProviders(env.SupervisorNamespace).
			Get(ctx, opc.Name, metav1.GetOptions{})
		return err == nil && updatedOPC.Status.JWKSSecret.Name != ""
	}, time.Second*10, time.Millisecond*500)
	require.NoError(t, err)
	require.NotEmpty(t, updatedOPC.Status.JWKSSecret.Name)

	// Ensure the secret actually exists.
	secret, err := kubeClient.
		CoreV1().
		Secrets(env.SupervisorNamespace).
		Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})
	require.NoError(t, err)

	// Ensure that the secret was labelled.
	for k, v := range env.SupervisorCustomLabels {
		require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
	}
	require.Equal(t, env.SupervisorAppName, secret.Labels["app"])

	// Ensure the secret has an active key.
	jwkData, ok := secret.Data["activeJWK"]
	require.True(t, ok, "secret is missing active jwk")

	// Ensure the secret's active key is valid.
	var activeJWK jose.JSONWebKey
	require.NoError(t, json.Unmarshal(jwkData, &activeJWK))
	require.True(t, activeJWK.Valid(), "active jwk is invalid")
	require.False(t, activeJWK.IsPublic(), "active jwk is public")

	// Ensure the secret has a JWKS.
	jwksData, ok := secret.Data["jwks"]
	require.True(t, ok, "secret is missing jwks")

	// Ensure the secret's JWKS is valid, public, and contains the singing key.
	var jwks jose.JSONWebKeySet
	require.NoError(t, json.Unmarshal(jwksData, &jwks))
	foundActiveJWK := false
	for _, jwk := range jwks.Keys {
		require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)
		require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)
		if jwk.KeyID == activeJWK.KeyID {
			foundActiveJWK = true
		}
	}
	require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)

	// Ensure upon deleting the secret, it is eventually brought back.
	err = kubeClient.
		CoreV1().
		Secrets(env.SupervisorNamespace).
		Delete(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.DeleteOptions{})
	require.NoError(t, err)
	assert.Eventually(t, func() bool {
		secret, err = kubeClient.
			CoreV1().
			Secrets(env.SupervisorNamespace).
			Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})
		return err == nil
	}, time.Second*10, time.Millisecond*500)
	require.NoError(t, err)

	// Upon deleting the OPC, the secret is deleted (we test this behavior in our uninstall tests).
}
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package integration`

			`import (`
			`"context"`
			`"encoding/json"`
			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`"gopkg.in/square/go-jose.v2"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 20:09:14 +00:00			`configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`"go.pinniped.dev/test/library"`
			`)`

			`func TestSupervisorOIDCKeys(t *testing.T) {`
			`env := library.IntegrationEnv(t)`
			`kubeClient := library.NewClientset(t)`
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 20:09:14 +00:00			`supervisorClient := library.NewSupervisorClientset(t)`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00
			`ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)`
			`defer cancel()`

			`// Create our OPC under test.`
Add integration test: supervisor TLS termination and SNI virtual hosting - Also reduce the minimum allowed TLS version to v1.2, because v1.3 is not yet supported by some common clients, e.g. the default MacOS curl command 2020-10-27 21:57:25 +00:00			`opc := library.CreateTestOIDCProvider(ctx, t, "", "")`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00
			`// Ensure a secret is created with the OPC's JWKS.`
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 22:24:55 +00:00			`var updatedOPC *configv1alpha1.OIDCProvider`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`var err error`
			`assert.Eventually(t, func() bool {`
Split the config CRDs into two API groups. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-10-30 20:09:14 +00:00			`updatedOPC, err = supervisorClient.`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`ConfigV1alpha1().`
Rename OIDCProviderConfig to OIDCProvider. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-02 22:24:55 +00:00			`OIDCProviders(env.SupervisorNamespace).`
supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`Get(ctx, opc.Name, metav1.GetOptions{})`
			`return err == nil && updatedOPC.Status.JWKSSecret.Name != ""`
			`}, time.Second10, time.Millisecond500)`
			`require.NoError(t, err)`
			`require.NotEmpty(t, updatedOPC.Status.JWKSSecret.Name)`

			`// Ensure the secret actually exists.`
			`secret, err := kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
			`Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})`
			`require.NoError(t, err)`

Supervisor controllers apply custom labels to JWKS secrets Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-15 19:40:56 +00:00			`// Ensure that the secret was labelled.`
			`for k, v := range env.SupervisorCustomLabels {`
			require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
			`}`
			`require.Equal(t, env.SupervisorAppName, secret.Labels["app"])`

supervisor-generate-key: unit and integration tests Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-14 20:41:16 +00:00			`// Ensure the secret has an active key.`
			`jwkData, ok := secret.Data["activeJWK"]`
			`require.True(t, ok, "secret is missing active jwk")`

			`// Ensure the secret's active key is valid.`
			`var activeJWK jose.JSONWebKey`
			`require.NoError(t, json.Unmarshal(jwkData, &activeJWK))`
			`require.True(t, activeJWK.Valid(), "active jwk is invalid")`
			`require.False(t, activeJWK.IsPublic(), "active jwk is public")`

			`// Ensure the secret has a JWKS.`
			`jwksData, ok := secret.Data["jwks"]`
			`require.True(t, ok, "secret is missing jwks")`

			`// Ensure the secret's JWKS is valid, public, and contains the singing key.`
			`var jwks jose.JSONWebKeySet`
			`require.NoError(t, json.Unmarshal(jwksData, &jwks))`
			`foundActiveJWK := false`
			`for _, jwk := range jwks.Keys {`
			`require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)`
			`require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)`
			`if jwk.KeyID == activeJWK.KeyID {`
			`foundActiveJWK = true`
			`}`
			`}`
			`require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)`

			`// Ensure upon deleting the secret, it is eventually brought back.`
			`err = kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
			`Delete(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.DeleteOptions{})`
			`require.NoError(t, err)`
			`assert.Eventually(t, func() bool {`
			`secret, err = kubeClient.`
			`CoreV1().`
			`Secrets(env.SupervisorNamespace).`
			`Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})`
			`return err == nil`
			`}, time.Second10, time.Millisecond500)`
			`require.NoError(t, err)`

			`// Upon deleting the OPC, the secret is deleted (we test this behavior in our uninstall tests).`
			`}`