ContainerImage.Pinniped/internal/testutil/oidcclientsecretstorage.go

// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package testutil

import (
	"encoding/base32"
	"encoding/json"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func secretNameForUID(uid string) string {
	// See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name.
	// This test helper is intended to choose the same name.
	return "pinniped-storage-oidc-client-secret-" +
		strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid)))
}

func OIDCClientSecretStorageSecretWithoutName(t *testing.T, namespace string, hashes []string) *corev1.Secret {
	hashesJSON, err := json.Marshal(hashes)
	require.NoError(t, err) // this shouldn't really happen since we can always encode a slice of strings

	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: namespace,
			Labels:    map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"},
		},
		Type: "storage.pinniped.dev/oidc-client-secret",
		Data: map[string][]byte{
			"pinniped-storage-data":    []byte(`{"version":"1","hashes":` + string(hashesJSON) + `}`),
			"pinniped-storage-version": []byte("1"),
		},
	}
}

func OIDCClientSecretStorageSecretForUID(t *testing.T, namespace string, oidcClientUID string, hashes []string) *corev1.Secret {
	secret := OIDCClientSecretStorageSecretWithoutName(t, namespace, hashes)
	secret.Name = secretNameForUID(oidcClientUID)
	return secret
}

func OIDCClientSecretStorageSecretForUIDWithWrongVersion(t *testing.T, namespace string, oidcClientUID string) *corev1.Secret {
	secret := OIDCClientSecretStorageSecretForUID(t, namespace, oidcClientUID, []string{})
	secret.Data["pinniped-storage-data"] = []byte(`{"version":"wrong-version","hashes":[]}`)
	return secret
}
Allow dynamic clients to be used in downstream OIDC flows This is only a first commit towards making this feature work. - Hook dynamic clients into fosite by returning them from the storage interface (after finding and validating them) - In the auth endpoint, prevent the use of the username and password headers for dynamic clients to force them to use the browser-based login flows for all the upstream types - Add happy path integration tests in supervisor_login_test.go - Add lots of comments (and some small refactors) in supervisor_login_test.go to make it much easier to understand - Add lots of unit tests for the auth endpoint regarding dynamic clients (more unit tests to be added for other endpoints in follow-up commits) - Enhance crud.go to make lifetime=0 mean never garbage collect, since we want client secret storage Secrets to last forever - Move the OIDCClient validation code to a package where it can be shared between the controller and the fosite storage interface - Make shared test helpers for tests that need to create OIDC client secret storage Secrets - Create a public const for "pinniped-cli" now that we are using that string in several places in the production code 2022-07-14 16:51:11 +00:00			`// Copyright 2022 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package testutil`

			`import (`
			`"encoding/base32"`
			`"encoding/json"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`corev1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`)`

			`func secretNameForUID(uid string) string {`
			`// See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name.`
			`// This test helper is intended to choose the same name.`
			`return "pinniped-storage-oidc-client-secret-" +`
			`strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid)))`
			`}`

			`func OIDCClientSecretStorageSecretWithoutName(t testing.T, namespace string, hashes []string) corev1.Secret {`
			`hashesJSON, err := json.Marshal(hashes)`
			`require.NoError(t, err) // this shouldn't really happen since we can always encode a slice of strings`

			`return &corev1.Secret{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Namespace: namespace,`
			`Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"},`
			`},`
			`Type: "storage.pinniped.dev/oidc-client-secret",`
			`Data: map[string][]byte{`
			"pinniped-storage-data": []byte(`{"version":"1","hashes":` + string(hashesJSON) + `}`),
			`"pinniped-storage-version": []byte("1"),`
			`},`
			`}`
			`}`

			`func OIDCClientSecretStorageSecretForUID(t testing.T, namespace string, oidcClientUID string, hashes []string) corev1.Secret {`
			`secret := OIDCClientSecretStorageSecretWithoutName(t, namespace, hashes)`
			`secret.Name = secretNameForUID(oidcClientUID)`
			`return secret`
			`}`

			`func OIDCClientSecretStorageSecretForUIDWithWrongVersion(t testing.T, namespace string, oidcClientUID string) corev1.Secret {`
			`secret := OIDCClientSecretStorageSecretForUID(t, namespace, oidcClientUID, []string{})`
			secret.Data["pinniped-storage-data"] = []byte(`{"version":"wrong-version","hashes":[]}`)
			`return secret`
			`}`