ContainerImage.Pinniped/internal/testutil/assertions.go

// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package testutil

import (
	"context"
	"fmt"
	"mime"
	"net/http/httptest"
	"testing"
	"time"

	"github.com/stretchr/testify/require"
	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/selection"
	v1 "k8s.io/client-go/kubernetes/typed/core/v1"

	"go.pinniped.dev/internal/testutil/tlsassertions"
)

func RequireTimeInDelta(t *testing.T, t1 time.Time, t2 time.Time, delta time.Duration) {
	require.InDeltaf(t,
		float64(t1.UnixNano()),
		float64(t2.UnixNano()),
		float64(delta.Nanoseconds()),
		"expected %s and %s to be < %s apart, but they are %s apart",
		t1.Format(time.RFC3339Nano),
		t2.Format(time.RFC3339Nano),
		delta.String(),
		t1.Sub(t2).String(),
	)
}

func RequireEqualContentType(t *testing.T, actual string, expected string) {
	t.Helper()

	if expected == "" {
		require.Empty(t, actual)
		return
	}

	actualContentType, actualContentTypeParams, err := mime.ParseMediaType(expected)
	require.NoError(t, err)
	expectedContentType, expectedContentTypeParams, err := mime.ParseMediaType(expected)
	require.NoError(t, err)
	require.Equal(t, actualContentType, expectedContentType)
	require.Equal(t, actualContentTypeParams, expectedContentTypeParams)
}

func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {
	t.Helper()
	storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
		LabelSelector: labelSet.String(),
	})
	require.NoError(t, err)
	require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)
}

func RequireNumberOfSecretsExcludingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {
	t.Helper()

	selector := labels.Everything()
	for k, v := range labelSet {
		requirement, err := labels.NewRequirement(k, selection.NotEquals, []string{v})
		require.NoError(t, err)
		selector = selector.Add(*requirement)
	}

	storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{
		LabelSelector: selector.String(),
	})
	require.NoError(t, err)
	require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)
}

func RequireSecurityHeadersWithFormPostPageCSPs(t *testing.T, response *httptest.ResponseRecorder) {
	// Loosely confirm that the unique CSPs needed for the form_post page were used.
	cspHeader := response.Header().Get("Content-Security-Policy")
	require.Contains(t, cspHeader, "script-src '") // loose assertion
	require.Contains(t, cspHeader, "style-src '")  // loose assertion
	require.Contains(t, cspHeader, "img-src data:")
	require.Contains(t, cspHeader, "connect-src *")

	// Also require all the usual security headers.
	requireSecurityHeaders(t, response)
}

func RequireSecurityHeadersWithLoginPageCSPs(t *testing.T, response *httptest.ResponseRecorder) {
	// Loosely confirm that the unique CSPs needed for the login page were used.
	cspHeader := response.Header().Get("Content-Security-Policy")
	require.Contains(t, cspHeader, "style-src '")      // loose assertion
	require.NotContains(t, cspHeader, "script-src")    // only needed by form_post page
	require.NotContains(t, cspHeader, "img-src data:") // only needed by form_post page
	require.NotContains(t, cspHeader, "connect-src *") // only needed by form_post page

	// Also require all the usual security headers.
	requireSecurityHeaders(t, response)
}

func RequireSecurityHeadersWithoutCustomCSPs(t *testing.T, response *httptest.ResponseRecorder) {
	// Confirm that the unique CSPs needed for the form_post or login page were NOT used.
	cspHeader := response.Header().Get("Content-Security-Policy")
	require.NotContains(t, cspHeader, "script-src")
	require.NotContains(t, cspHeader, "style-src")
	require.NotContains(t, cspHeader, "img-src data:")
	require.NotContains(t, cspHeader, "connect-src *")

	// Also require all the usual security headers.
	requireSecurityHeaders(t, response)
}

func requireSecurityHeaders(t *testing.T, response *httptest.ResponseRecorder) {
	// Loosely confirm that the generic default CSPs were used.
	cspHeader := response.Header().Get("Content-Security-Policy")
	require.Contains(t, cspHeader, "default-src 'none'")
	require.Contains(t, cspHeader, "frame-ancestors 'none'")

	require.Equal(t, "DENY", response.Header().Get("X-Frame-Options"))
	require.Equal(t, "1; mode=block", response.Header().Get("X-XSS-Protection"))
	require.Equal(t, "nosniff", response.Header().Get("X-Content-Type-Options"))
	require.Equal(t, "no-referrer", response.Header().Get("Referrer-Policy"))
	require.Equal(t, "off", response.Header().Get("X-DNS-Prefetch-Control"))
	require.Equal(t, "no-cache", response.Header().Get("Pragma"))
	require.Equal(t, "0", response.Header().Get("Expires"))

	// This check is more relaxed since Fosite can override the base header we set.
	require.Contains(t, response.Header().Get("Cache-Control"), "no-store")
}

type RequireErrorStringFunc func(t *testing.T, actualErrorStr string)

// RequireErrorStringFromErr can be used to make assertions about errors in tests.
func RequireErrorStringFromErr(t *testing.T, actualError error, requireFunc RequireErrorStringFunc) {
	require.Error(t, actualError)
	requireFunc(t, actualError.Error())
}

// RequireErrorString can be used to make assertions about error strings in tests.
func RequireErrorString(t *testing.T, actualErrorStr string, requireFunc RequireErrorStringFunc) {
	requireFunc(t, actualErrorStr)
}

// WantExactErrorString can be used to set up an expected value for an error string in a test table.
// Use when you want to express that the expected string must be an exact match.
func WantExactErrorString(wantErrStr string) RequireErrorStringFunc {
	return func(t *testing.T, actualErrorStr string) {
		require.Equal(t, wantErrStr, actualErrorStr)
	}
}

// WantSprintfErrorString can be used to set up an expected value for an error string in a test table.
// Use when you want to express that an expected string built using fmt.Sprintf semantics must be an exact match.
func WantSprintfErrorString(wantErrSprintfSpecifier string, a ...interface{}) RequireErrorStringFunc {
	wantErrStr := fmt.Sprintf(wantErrSprintfSpecifier, a...)
	return func(t *testing.T, actualErrorStr string) {
		require.Equal(t, wantErrStr, actualErrorStr)
	}
}

// WantMatchingErrorString can be used to set up an expected value for an error string in a test table.
// Use when you want to express that the expected regexp must be a match.
func WantMatchingErrorString(wantErrRegexp string) RequireErrorStringFunc {
	return func(t *testing.T, actualErrorStr string) {
		require.Regexp(t, wantErrRegexp, actualErrorStr)
	}
}

// WantX509UntrustedCertErrorString can be used to set up an expected value for an error string in a test table.
// expectedErrorFormatString must contain exactly one formatting verb, which should usually be %s, which will
// be replaced by the platform-specific X509 untrusted certs error string and then compared against expectedCommonName.
func WantX509UntrustedCertErrorString(expectedErrorFormatSpecifier string, expectedCommonName string) RequireErrorStringFunc {
	// Starting in Go 1.18.1, and until it was fixed in Go 1.19.5, Go on MacOS had an incorrect error string.
	// We don't care which error string was returned, as long as it is either the normal error string from
	// the Go x509 library, or the error string that was accidentally returned from the Go x509 library in
	// those versions of Go on MacOS which had the bug.
	return func(t *testing.T, actualErrorStr string) {
		// This is the MacOS error string starting in Go 1.18.1, and until it was fixed in Go 1.19.5.
		macOSErr := fmt.Sprintf(`x509: “%s” certificate is not trusted`, expectedCommonName)
		// This is the normal Go x509 library error string.
		standardErr := `x509: certificate signed by unknown authority`
		allowedErrorStrings := []string{
			fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+macOSErr),
			fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+standardErr),
		}
		// Allow either.
		require.Contains(t, allowedErrorStrings, actualErrorStr)
	}
}
Accept both old and new cert error strings on MacOS in test assertions Used this as an opportunity to refactor how some tests were making assertions about error strings. New test helpers make it easy for an error string to be expected as an exact string, as a string built using sprintf, as a regexp, or as a string built to include the platform-specific x509 error string. All of these helpers can be used in a single `wantErr` field of a test table. They can be used for both unit tests and integration tests. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me> 2023-01-20 23:01:36 +00:00			`// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.`
callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-20 01:57:07 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package testutil`

			`import (`
Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-04 23:40:17 +00:00			`"context"`
Accept both old and new cert error strings on MacOS in test assertions Used this as an opportunity to refactor how some tests were making assertions about error strings. New test helpers make it easy for an error string to be expected as an exact string, as a string built using sprintf, as a regexp, or as a string built to include the platform-specific x509 error string. All of these helpers can be used in a single `wantErr` field of a test table. They can be used for both unit tests and integration tests. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me> 2023-01-20 23:01:36 +00:00			`"fmt"`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`"mime"`
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00			`"net/http/httptest"`
callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-20 01:57:07 +00:00			`"testing"`
			`"time"`

			`"github.com/stretchr/testify/require"`
Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-04 23:40:17 +00:00			`v12 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/labels"`
Add more unit tests for dynamic clients and enhance token exchange - Enhance the token exchange to check that the same client is used compared to the client used during the original authorization and token requests, and also check that the client has the token-exchange grant type allowed in its configuration. - Reduce the minimum required bcrypt cost for OIDCClient secrets because 15 is too slow for real-life use, especially considering that every login and every refresh flow will require two client auths. - In unit tests, use bcrypt hashes with a cost of 4, because bcrypt slows down by 13x when run with the race detector, and we run our tests with the race detector enabled, causing the tests to be unacceptably slow. The production code uses a higher minimum cost. - Centralize all pre-computed bcrypt hashes used by unit tests to a single place. Also extract some other useful test helpers for unit tests related to OIDCClients. - Add tons of unit tests for the token endpoint related to dynamic clients for authcode exchanges, token exchanges, and refreshes. 2022-07-20 20:55:56 +00:00			`"k8s.io/apimachinery/pkg/selection"`
Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-04 23:40:17 +00:00			`v1 "k8s.io/client-go/kubernetes/typed/core/v1"`
Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 18:13:49 +00:00
			`"go.pinniped.dev/internal/testutil/tlsassertions"`
callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-20 01:57:07 +00:00			`)`

			`func RequireTimeInDelta(t *testing.T, t1 time.Time, t2 time.Time, delta time.Duration) {`
			`require.InDeltaf(t,`
			`float64(t1.UnixNano()),`
			`float64(t2.UnixNano()),`
			`float64(delta.Nanoseconds()),`
			`"expected %s and %s to be < %s apart, but they are %s apart",`
			`t1.Format(time.RFC3339Nano),`
			`t2.Format(time.RFC3339Nano),`
			`delta.String(),`
			`t1.Sub(t2).String(),`
			`)`
			`}`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00
			`func RequireEqualContentType(t *testing.T, actual string, expected string) {`
			`t.Helper()`

			`if expected == "" {`
			`require.Empty(t, actual)`
			`return`
			`}`

			`actualContentType, actualContentTypeParams, err := mime.ParseMediaType(expected)`
			`require.NoError(t, err)`
			`expectedContentType, expectedContentTypeParams, err := mime.ParseMediaType(expected)`
			`require.NoError(t, err)`
			`require.Equal(t, actualContentType, expectedContentType)`
			`require.Equal(t, actualContentTypeParams, expectedContentTypeParams)`
			`}`
Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-04 23:40:17 +00:00
			`func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {`
			`t.Helper()`
			`storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{`
			`LabelSelector: labelSet.String(),`
			`})`
			`require.NoError(t, err)`
			`require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)`
			`}`
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00
Add more unit tests for dynamic clients and enhance token exchange - Enhance the token exchange to check that the same client is used compared to the client used during the original authorization and token requests, and also check that the client has the token-exchange grant type allowed in its configuration. - Reduce the minimum required bcrypt cost for OIDCClient secrets because 15 is too slow for real-life use, especially considering that every login and every refresh flow will require two client auths. - In unit tests, use bcrypt hashes with a cost of 4, because bcrypt slows down by 13x when run with the race detector, and we run our tests with the race detector enabled, causing the tests to be unacceptably slow. The production code uses a higher minimum cost. - Centralize all pre-computed bcrypt hashes used by unit tests to a single place. Also extract some other useful test helpers for unit tests related to OIDCClients. - Add tons of unit tests for the token endpoint related to dynamic clients for authcode exchanges, token exchanges, and refreshes. 2022-07-20 20:55:56 +00:00			`func RequireNumberOfSecretsExcludingLabelSelector(t *testing.T, secrets v1.SecretInterface, labelSet labels.Set, expectedNumberOfSecrets int) {`
			`t.Helper()`

			`selector := labels.Everything()`
			`for k, v := range labelSet {`
			`requirement, err := labels.NewRequirement(k, selection.NotEquals, []string{v})`
			`require.NoError(t, err)`
			`selector = selector.Add(*requirement)`
			`}`

			`storedAuthcodeSecrets, err := secrets.List(context.Background(), v12.ListOptions{`
			`LabelSelector: selector.String(),`
			`})`
			`require.NoError(t, err)`
			`require.Len(t, storedAuthcodeSecrets.Items, expectedNumberOfSecrets)`
			`}`

Login page styling/structure for users, screen readers, passwd managers Also: - Add CSS to login page - Refactor login page HTML and CSS into a new package - New custom CSP headers for the login page, because the requirements are different from the form_post page 2022-05-05 20:12:06 +00:00			`func RequireSecurityHeadersWithFormPostPageCSPs(t testing.T, response httptest.ResponseRecorder) {`
Use security headers for the form_post page in the POST /login endpoint Also use more specific test assertions where security headers are expected. And run the unit tests for the login package in parallel. 2022-05-03 23:46:09 +00:00			`// Loosely confirm that the unique CSPs needed for the form_post page were used.`
			`cspHeader := response.Header().Get("Content-Security-Policy")`
			`require.Contains(t, cspHeader, "script-src '") // loose assertion`
			`require.Contains(t, cspHeader, "style-src '") // loose assertion`
			`require.Contains(t, cspHeader, "img-src data:")`
			`require.Contains(t, cspHeader, "connect-src *")`

			`// Also require all the usual security headers.`
			`requireSecurityHeaders(t, response)`
			`}`

Login page styling/structure for users, screen readers, passwd managers Also: - Add CSS to login page - Refactor login page HTML and CSS into a new package - New custom CSP headers for the login page, because the requirements are different from the form_post page 2022-05-05 20:12:06 +00:00			`func RequireSecurityHeadersWithLoginPageCSPs(t testing.T, response httptest.ResponseRecorder) {`
			`// Loosely confirm that the unique CSPs needed for the login page were used.`
			`cspHeader := response.Header().Get("Content-Security-Policy")`
			`require.Contains(t, cspHeader, "style-src '") // loose assertion`
			`require.NotContains(t, cspHeader, "script-src") // only needed by form_post page`
			`require.NotContains(t, cspHeader, "img-src data:") // only needed by form_post page`
			`require.NotContains(t, cspHeader, "connect-src *") // only needed by form_post page`

			`// Also require all the usual security headers.`
			`requireSecurityHeaders(t, response)`
			`}`

			`func RequireSecurityHeadersWithoutCustomCSPs(t testing.T, response httptest.ResponseRecorder) {`
			`// Confirm that the unique CSPs needed for the form_post or login page were NOT used.`
Use security headers for the form_post page in the POST /login endpoint Also use more specific test assertions where security headers are expected. And run the unit tests for the login package in parallel. 2022-05-03 23:46:09 +00:00			`cspHeader := response.Header().Get("Content-Security-Policy")`
			`require.NotContains(t, cspHeader, "script-src")`
			`require.NotContains(t, cspHeader, "style-src")`
			`require.NotContains(t, cspHeader, "img-src data:")`
			`require.NotContains(t, cspHeader, "connect-src *")`

			`// Also require all the usual security headers.`
			`requireSecurityHeaders(t, response)`
			`}`

			`func requireSecurityHeaders(t testing.T, response httptest.ResponseRecorder) {`
Login page styling/structure for users, screen readers, passwd managers Also: - Add CSS to login page - Refactor login page HTML and CSS into a new package - New custom CSP headers for the login page, because the requirements are different from the form_post page 2022-05-05 20:12:06 +00:00			`// Loosely confirm that the generic default CSPs were used.`
Use security headers for the form_post page in the POST /login endpoint Also use more specific test assertions where security headers are expected. And run the unit tests for the login package in parallel. 2022-05-03 23:46:09 +00:00			`cspHeader := response.Header().Get("Content-Security-Policy")`
			`require.Contains(t, cspHeader, "default-src 'none'")`
			`require.Contains(t, cspHeader, "frame-ancestors 'none'")`
Add custom response_mode=form_post HTML template. This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16). The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules. This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-30 16:50:01 +00:00
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00			`require.Equal(t, "DENY", response.Header().Get("X-Frame-Options"))`
			`require.Equal(t, "1; mode=block", response.Header().Get("X-XSS-Protection"))`
			`require.Equal(t, "nosniff", response.Header().Get("X-Content-Type-Options"))`
			`require.Equal(t, "no-referrer", response.Header().Get("Referrer-Policy"))`
			`require.Equal(t, "off", response.Header().Get("X-DNS-Prefetch-Control"))`
			`require.Equal(t, "no-cache", response.Header().Get("Pragma"))`
			`require.Equal(t, "0", response.Header().Get("Expires"))`
Be more lax in some of our test assertions. Fosite overrides the `Cache-Control` header we set, which is basically fine even though it's not exactly what we want. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-16 19:15:38 +00:00
			`// This check is more relaxed since Fosite can override the base header we set.`
			`require.Contains(t, response.Header().Get("Cache-Control"), "no-store")`
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-14 23:28:32 +00:00			`}`
Accept both old and new cert error strings on MacOS in test assertions Used this as an opportunity to refactor how some tests were making assertions about error strings. New test helpers make it easy for an error string to be expected as an exact string, as a string built using sprintf, as a regexp, or as a string built to include the platform-specific x509 error string. All of these helpers can be used in a single `wantErr` field of a test table. They can be used for both unit tests and integration tests. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me> 2023-01-20 23:01:36 +00:00
			`type RequireErrorStringFunc func(t *testing.T, actualErrorStr string)`

			`// RequireErrorStringFromErr can be used to make assertions about errors in tests.`
			`func RequireErrorStringFromErr(t *testing.T, actualError error, requireFunc RequireErrorStringFunc) {`
			`require.Error(t, actualError)`
			`requireFunc(t, actualError.Error())`
			`}`

			`// RequireErrorString can be used to make assertions about error strings in tests.`
			`func RequireErrorString(t *testing.T, actualErrorStr string, requireFunc RequireErrorStringFunc) {`
			`requireFunc(t, actualErrorStr)`
			`}`

			`// WantExactErrorString can be used to set up an expected value for an error string in a test table.`
			`// Use when you want to express that the expected string must be an exact match.`
			`func WantExactErrorString(wantErrStr string) RequireErrorStringFunc {`
			`return func(t *testing.T, actualErrorStr string) {`
			`require.Equal(t, wantErrStr, actualErrorStr)`
			`}`
			`}`

			`// WantSprintfErrorString can be used to set up an expected value for an error string in a test table.`
			`// Use when you want to express that an expected string built using fmt.Sprintf semantics must be an exact match.`
			`func WantSprintfErrorString(wantErrSprintfSpecifier string, a ...interface{}) RequireErrorStringFunc {`
			`wantErrStr := fmt.Sprintf(wantErrSprintfSpecifier, a...)`
			`return func(t *testing.T, actualErrorStr string) {`
			`require.Equal(t, wantErrStr, actualErrorStr)`
			`}`
			`}`

			`// WantMatchingErrorString can be used to set up an expected value for an error string in a test table.`
			`// Use when you want to express that the expected regexp must be a match.`
			`func WantMatchingErrorString(wantErrRegexp string) RequireErrorStringFunc {`
			`return func(t *testing.T, actualErrorStr string) {`
			`require.Regexp(t, wantErrRegexp, actualErrorStr)`
			`}`
			`}`

			`// WantX509UntrustedCertErrorString can be used to set up an expected value for an error string in a test table.`
			`// expectedErrorFormatString must contain exactly one formatting verb, which should usually be %s, which will`
			`// be replaced by the platform-specific X509 untrusted certs error string and then compared against expectedCommonName.`
			`func WantX509UntrustedCertErrorString(expectedErrorFormatSpecifier string, expectedCommonName string) RequireErrorStringFunc {`
			`// Starting in Go 1.18.1, and until it was fixed in Go 1.19.5, Go on MacOS had an incorrect error string.`
			`// We don't care which error string was returned, as long as it is either the normal error string from`
			`// the Go x509 library, or the error string that was accidentally returned from the Go x509 library in`
			`// those versions of Go on MacOS which had the bug.`
			`return func(t *testing.T, actualErrorStr string) {`
			`// This is the MacOS error string starting in Go 1.18.1, and until it was fixed in Go 1.19.5.`
			macOSErr := fmt.Sprintf(`x509: “%s” certificate is not trusted`, expectedCommonName)
			`// This is the normal Go x509 library error string.`
			standardErr := `x509: certificate signed by unknown authority`
			`allowedErrorStrings := []string{`
Bump golangci-lint to 1.51.2 and fix lint issues 2023-03-16 18:13:49 +00:00			`fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+macOSErr),`
			`fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+standardErr),`
Accept both old and new cert error strings on MacOS in test assertions Used this as an opportunity to refactor how some tests were making assertions about error strings. New test helpers make it easy for an error string to be expected as an exact string, as a string built using sprintf, as a regexp, or as a string built to include the platform-specific x509 error string. All of these helpers can be used in a single `wantErr` field of a test table. They can be used for both unit tests and integration tests. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me> 2023-01-20 23:01:36 +00:00			`}`
			`// Allow either.`
			`require.Contains(t, allowedErrorStrings, actualErrorStr)`
			`}`
			`}`