2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
2020-11-04 00:17:38 +00:00
// SPDX-License-Identifier: Apache-2.0
package auth
import (
2021-04-09 00:28:01 +00:00
"context"
2021-08-13 00:53:14 +00:00
"errors"
2020-11-04 00:17:38 +00:00
"fmt"
2020-11-04 20:19:07 +00:00
"html"
2020-11-04 00:17:38 +00:00
"net/http"
"net/http/httptest"
"net/url"
2020-11-12 23:36:59 +00:00
"regexp"
2020-11-04 00:17:38 +00:00
"strings"
"testing"
2022-01-18 23:34:19 +00:00
"time"
2020-11-04 00:17:38 +00:00
2020-11-11 01:58:00 +00:00
"github.com/gorilla/securecookie"
2021-04-09 00:28:01 +00:00
"github.com/ory/fosite"
2020-11-04 00:17:38 +00:00
"github.com/stretchr/testify/require"
2022-07-20 20:55:56 +00:00
"golang.org/x/crypto/bcrypt"
2021-08-16 21:27:40 +00:00
"golang.org/x/oauth2"
2022-01-18 23:34:19 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2021-04-09 00:28:01 +00:00
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/client-go/kubernetes/fake"
v1 "k8s.io/client-go/kubernetes/typed/core/v1"
2021-05-12 20:20:00 +00:00
"k8s.io/utils/pointer"
2020-11-04 00:17:38 +00:00
2022-07-14 16:51:11 +00:00
supervisorfake "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/fake"
"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
2021-11-03 17:33:22 +00:00
"go.pinniped.dev/internal/authenticators"
2020-11-04 15:15:19 +00:00
"go.pinniped.dev/internal/here"
2020-11-04 23:04:50 +00:00
"go.pinniped.dev/internal/oidc"
2020-11-11 01:58:00 +00:00
"go.pinniped.dev/internal/oidc/csrftoken"
2020-12-04 15:06:55 +00:00
"go.pinniped.dev/internal/oidc/jwks"
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
2020-11-04 00:17:38 +00:00
"go.pinniped.dev/internal/oidc/provider"
2021-10-08 22:48:21 +00:00
"go.pinniped.dev/internal/psession"
2020-12-04 15:06:55 +00:00
"go.pinniped.dev/internal/testutil"
2021-04-09 00:28:01 +00:00
"go.pinniped.dev/internal/testutil/oidctestutil"
2020-11-17 18:46:54 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
"go.pinniped.dev/pkg/oidcclient/pkce"
2020-11-04 00:17:38 +00:00
)
func TestAuthorizationEndpoint ( t * testing . T ) {
2020-11-04 15:15:19 +00:00
const (
2021-10-08 22:48:21 +00:00
oidcUpstreamName = "some-oidc-idp"
oidcUpstreamResourceUID = "oidc-resource-uid"
oidcPasswordGrantUpstreamName = "some-password-granting-oidc-idp"
oidcPasswordGrantUpstreamResourceUID = "some-password-granting-resource-uid"
ldapUpstreamName = "some-ldap-idp"
ldapUpstreamResourceUID = "ldap-resource-uid"
activeDirectoryUpstreamName = "some-active-directory-idp"
activeDirectoryUpstreamResourceUID = "active-directory-resource-uid"
oidcUpstreamIssuer = "https://my-upstream-issuer.com"
oidcUpstreamSubject = "abc123-some guid" // has a space character which should get escaped in URL
oidcUpstreamSubjectQueryEscaped = "abc123-some+guid"
oidcUpstreamUsername = "test-oidc-pinniped-username"
2022-08-24 21:45:55 +00:00
oidcUpstreamPassword = "test-oidc-pinniped-password" //nolint:gosec
2021-10-08 22:48:21 +00:00
oidcUpstreamUsernameClaim = "the-user-claim"
oidcUpstreamGroupsClaim = "the-groups-claim"
2022-08-24 21:45:55 +00:00
oidcPasswordGrantUpstreamRefreshToken = "some-opaque-token" //nolint:gosec
2022-01-11 01:03:31 +00:00
oidcUpstreamAccessToken = "some-access-token"
2021-08-13 00:53:14 +00:00
2020-11-19 16:35:23 +00:00
downstreamIssuer = "https://my-downstream-issuer.com/some-path"
2020-11-11 20:29:14 +00:00
downstreamRedirectURI = "http://127.0.0.1/callback"
downstreamRedirectURIWithDifferentPort = "http://127.0.0.1:42/callback"
2021-04-09 00:28:01 +00:00
downstreamNonce = "some-nonce-value"
downstreamPKCEChallenge = "some-challenge"
downstreamPKCEChallengeMethod = "S256"
2020-12-12 01:39:58 +00:00
happyState = "8b-state"
2021-05-27 00:04:20 +00:00
upstreamLDAPURL = "ldaps://some-ldap-host:123?base=ou%3Dusers%2Cdc%3Dpinniped%2Cdc%3Ddev"
2021-04-09 00:28:01 +00:00
htmlContentType = "text/html; charset=utf-8"
2022-04-29 23:01:51 +00:00
jsonContentType = "application/json; charset=utf-8"
formContentType = "application/x-www-form-urlencoded"
2022-07-14 16:51:11 +00:00
pinnipedCLIClientID = "pinniped-cli"
dynamicClientID = "client.oauth.pinniped.dev-test-name"
dynamicClientUID = "fake-client-uid"
2020-11-04 15:15:19 +00:00
)
2020-12-12 01:39:58 +00:00
require . Len ( t , happyState , 8 , "we expect fosite to allow 8 byte state params, so we want to test that boundary case" )
2020-11-04 15:15:19 +00:00
var (
2021-08-13 00:53:14 +00:00
oidcUpstreamGroupMembership = [ ] string { "test-pinniped-group-0" , "test-pinniped-group-1" }
2020-11-04 15:15:19 +00:00
fositeInvalidClientErrorBody = here . Doc ( `
2020-11-04 16:29:33 +00:00
{
"error" : "invalid_client" ,
2020-12-17 20:09:19 +00:00
"error_description" : "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist."
2020-11-04 16:29:33 +00:00
}
2020-11-04 16:43:45 +00:00
` )
2020-11-04 15:30:53 +00:00
fositeInvalidRedirectURIErrorBody = here . Doc ( `
2020-11-04 16:29:33 +00:00
{
"error" : "invalid_request" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The 'redirect_uri' parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls."
2020-11-04 16:29:33 +00:00
}
2020-11-04 16:43:45 +00:00
` )
2020-11-04 16:12:26 +00:00
2020-11-06 22:44:58 +00:00
fositePromptHasNoneAndOtherValueErrorQuery = map [ string ] string {
"error" : "invalid_request" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Parameter 'prompt' was set to 'none', but contains other values as well which is not allowed." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-06 22:44:58 +00:00
}
2020-11-04 20:19:07 +00:00
fositeMissingCodeChallengeErrorQuery = map [ string ] string {
"error" : "invalid_request" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 20:19:07 +00:00
}
fositeMissingCodeChallengeMethodErrorQuery = map [ string ] string {
"error" : "invalid_request" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must use code_challenge_method=S256, plain is not allowed." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 20:19:07 +00:00
}
2020-11-04 20:29:43 +00:00
fositeInvalidCodeChallengeErrorQuery = map [ string ] string {
"error" : "invalid_request" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The code_challenge_method is not supported, use S256 instead." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 20:29:43 +00:00
}
2020-11-04 17:58:40 +00:00
fositeUnsupportedResponseTypeErrorQuery = map [ string ] string {
"error" : "unsupported_response_type" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The authorization server does not support obtaining a token using this method. The client is not allowed to request response_type 'unsupported'." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 17:58:40 +00:00
}
fositeInvalidScopeErrorQuery = map [ string ] string {
"error" : "invalid_scope" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'tuna'." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 17:58:40 +00:00
}
fositeInvalidStateErrorQuery = map [ string ] string {
"error" : "invalid_state" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." ,
2020-11-04 17:58:40 +00:00
"state" : "short" ,
}
fositeMissingResponseTypeErrorQuery = map [ string ] string {
"error" : "unsupported_response_type" ,
2020-12-17 20:09:19 +00:00
"error_description" : "The authorization server does not support obtaining a token using this method. `The request is missing the 'response_type' parameter." ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2020-11-04 17:58:40 +00:00
}
2020-11-04 15:15:19 +00:00
2021-08-16 21:27:40 +00:00
fositeAccessDeniedErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Make sure that the request you are making is valid. Maybe the credential or request parameters you are using are limited in scope or otherwise restricted." ,
"state" : happyState ,
}
2021-04-09 00:28:01 +00:00
fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Username/password not accepted by LDAP provider." ,
"state" : happyState ,
}
fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Missing or blank username or password." ,
"state" : happyState ,
}
2021-08-16 21:27:40 +00:00
2022-01-05 18:31:38 +00:00
fositeAccessDeniedWithMissingAccessTokenErrorQuery = map [ string ] string {
"error" : "access_denied" ,
2022-01-11 19:00:54 +00:00
"error_description" : "The resource owner or authorization server denied the request. Reason: neither access token nor refresh token returned by upstream provider." ,
2022-01-05 18:31:38 +00:00
"state" : happyState ,
}
2022-01-11 23:40:38 +00:00
fositeAccessDeniedWithMissingUserInfoEndpointErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: access token was returned by upstream provider but there was no userinfo endpoint." ,
"state" : happyState ,
}
2021-08-16 21:27:40 +00:00
fositeAccessDeniedWithPasswordGrantDisallowedHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Resource owner password credentials grant is not allowed for this upstream provider according to its configuration." ,
"state" : happyState ,
}
2021-08-18 19:06:46 +00:00
2022-07-14 16:51:11 +00:00
fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. This client is not allowed to submit username or password headers to this endpoint." ,
"state" : happyState ,
}
2021-08-18 19:06:46 +00:00
fositeAccessDeniedWithInvalidEmailVerifiedHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: email_verified claim in upstream ID token has invalid format." ,
"state" : happyState ,
}
fositeAccessDeniedWithFalseEmailVerifiedHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: email_verified claim in upstream ID token has false value." ,
"state" : happyState ,
}
fositeAccessDeniedWithRequiredClaimMissingHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: required claim in upstream ID token missing." ,
"state" : happyState ,
}
fositeAccessDeniedWithRequiredClaimEmptyHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: required claim in upstream ID token is empty." ,
"state" : happyState ,
}
fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery = map [ string ] string {
"error" : "access_denied" ,
"error_description" : "The resource owner or authorization server denied the request. Reason: required claim in upstream ID token has invalid format." ,
"state" : happyState ,
}
2021-10-06 23:30:30 +00:00
fositeLoginRequiredErrorQuery = map [ string ] string {
"error" : "login_required" ,
"error_description" : "The Authorization Server requires End-User authentication." ,
"state" : happyState ,
}
2021-04-09 00:28:01 +00:00
)
2021-04-08 00:05:25 +00:00
hmacSecretFunc := func ( ) [ ] byte { return [ ] byte ( "some secret - must have at least 32 bytes" ) }
require . GreaterOrEqual ( t , len ( hmacSecretFunc ( ) ) , 32 , "fosite requires that hmac secrets have at least 32 bytes" )
jwksProviderIsUnused := jwks . NewDynamicJWKSProvider ( )
timeoutsConfiguration := oidc . DefaultOIDCTimeoutsConfiguration ( )
2021-04-09 00:28:01 +00:00
2022-07-14 16:51:11 +00:00
createOauthHelperWithRealStorage := func ( secretsClient v1 . SecretInterface , oidcClientsClient v1alpha1 . OIDCClientInterface ) ( fosite . OAuth2Provider , * oidc . KubeStorage ) {
2021-04-09 00:28:01 +00:00
// Configure fosite the same way that the production code would when using Kube storage.
// Inject this into our test subject at the last second so we get a fresh storage for every test.
2022-07-20 20:55:56 +00:00
// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
kubeOauthStore := oidc . NewKubeStorage ( secretsClient , oidcClientsClient , timeoutsConfiguration , bcrypt . MinCost )
2021-04-09 00:28:01 +00:00
return oidc . FositeOauth2Helper ( kubeOauthStore , downstreamIssuer , hmacSecretFunc , jwksProviderIsUnused , timeoutsConfiguration ) , kubeOauthStore
}
2021-04-08 00:05:25 +00:00
2022-07-14 16:51:11 +00:00
createOauthHelperWithNullStorage := func ( secretsClient v1 . SecretInterface , oidcClientsClient v1alpha1 . OIDCClientInterface ) ( fosite . OAuth2Provider , * oidc . NullStorage ) {
// Configure fosite the same way that the production code would, using NullStorage to turn off storage.
2022-07-20 20:55:56 +00:00
// Use lower minimum required bcrypt cost than we would use in production to keep unit the tests fast.
nullOauthStore := oidc . NewNullStorage ( secretsClient , oidcClientsClient , bcrypt . MinCost )
2022-07-14 16:51:11 +00:00
return oidc . FositeOauth2Helper ( nullOauthStore , downstreamIssuer , hmacSecretFunc , jwksProviderIsUnused , timeoutsConfiguration ) , nullOauthStore
}
2021-04-08 00:05:25 +00:00
2020-11-04 00:17:38 +00:00
upstreamAuthURL , err := url . Parse ( "https://some-upstream-idp:8443/auth" )
require . NoError ( t , err )
2021-10-08 22:48:21 +00:00
upstreamOIDCIdentityProviderBuilder := func ( ) * oidctestutil . TestUpstreamOIDCIdentityProviderBuilder {
2021-08-16 21:27:40 +00:00
return oidctestutil . NewTestUpstreamOIDCIdentityProviderBuilder ( ) .
WithName ( oidcUpstreamName ) .
2021-10-08 22:48:21 +00:00
WithResourceUID ( oidcUpstreamResourceUID ) .
2021-08-16 21:27:40 +00:00
WithClientID ( "some-client-id" ) .
WithAuthorizationURL ( * upstreamAuthURL ) .
WithScopes ( [ ] string { "scope1" , "scope2" } ) . // the scopes to request when starting the upstream authorization flow
WithAllowPasswordGrant ( false ) .
2021-10-08 22:48:21 +00:00
WithAdditionalAuthcodeParams ( map [ string ] string { } ) .
WithPasswordGrantError ( errors . New ( "should not have used password grant on this instance" ) )
2021-08-16 21:27:40 +00:00
}
2021-08-13 00:53:14 +00:00
passwordGrantUpstreamOIDCIdentityProviderBuilder := func ( ) * oidctestutil . TestUpstreamOIDCIdentityProviderBuilder {
return oidctestutil . NewTestUpstreamOIDCIdentityProviderBuilder ( ) .
2021-08-16 21:27:40 +00:00
WithName ( oidcPasswordGrantUpstreamName ) .
2021-10-08 22:48:21 +00:00
WithResourceUID ( oidcPasswordGrantUpstreamResourceUID ) .
2021-08-13 00:53:14 +00:00
WithClientID ( "some-client-id" ) .
WithAuthorizationURL ( * upstreamAuthURL ) .
WithScopes ( [ ] string { "scope1" , "scope2" } ) . // the scopes to request when starting the upstream authorization flow
WithAllowPasswordGrant ( false ) .
WithUsernameClaim ( oidcUpstreamUsernameClaim ) .
WithGroupsClaim ( oidcUpstreamGroupsClaim ) .
WithIDTokenClaim ( "iss" , oidcUpstreamIssuer ) .
WithIDTokenClaim ( "sub" , oidcUpstreamSubject ) .
WithIDTokenClaim ( oidcUpstreamUsernameClaim , oidcUpstreamUsername ) .
WithIDTokenClaim ( oidcUpstreamGroupsClaim , oidcUpstreamGroupMembership ) .
WithIDTokenClaim ( "other-claim" , "should be ignored" ) .
WithAllowPasswordGrant ( true ) .
2021-10-08 22:48:21 +00:00
WithRefreshToken ( oidcPasswordGrantUpstreamRefreshToken ) .
WithAdditionalAuthcodeParams ( map [ string ] string { "should-be-ignored" : "doesn't apply to password grant" } ) .
2021-08-13 00:53:14 +00:00
WithUpstreamAuthcodeExchangeError ( errors . New ( "should not have tried to exchange upstream authcode on this instance" ) )
2020-11-04 00:17:38 +00:00
}
2021-08-18 19:06:46 +00:00
happyUpstreamPasswordGrantMockExpectation := & expectedPasswordGrant {
performedByUpstreamName : oidcPasswordGrantUpstreamName ,
args : & oidctestutil . PasswordCredentialsGrantAndValidateTokensArgs {
Username : oidcUpstreamUsername ,
Password : oidcUpstreamPassword ,
} ,
2020-11-04 00:17:38 +00:00
}
2021-04-09 00:28:01 +00:00
happyLDAPUsername := "some-ldap-user"
happyLDAPUsernameFromAuthenticator := "some-mapped-ldap-username"
happyLDAPPassword := "some-ldap-password" //nolint:gosec
happyLDAPUID := "some-ldap-uid"
2021-10-22 20:57:30 +00:00
happyLDAPUserDN := "cn=foo,dn=bar"
2021-04-09 00:28:01 +00:00
happyLDAPGroups := [ ] string { "group1" , "group2" , "group3" }
2021-12-09 22:02:40 +00:00
happyLDAPExtraRefreshAttribute := "some-refresh-attribute"
happyLDAPExtraRefreshValue := "some-refresh-attribute-value"
2021-04-09 00:28:01 +00:00
2021-05-27 00:04:20 +00:00
parsedUpstreamLDAPURL , err := url . Parse ( upstreamLDAPURL )
require . NoError ( t , err )
2021-11-03 17:33:22 +00:00
ldapAuthenticateFunc := func ( ctx context . Context , username , password string ) ( * authenticators . Response , bool , error ) {
2021-10-08 22:48:21 +00:00
if username == "" || password == "" {
return nil , false , fmt . Errorf ( "should not have passed empty username or password to the authenticator" )
}
if username == happyLDAPUsername && password == happyLDAPPassword {
2021-11-03 17:33:22 +00:00
return & authenticators . Response {
2021-10-08 22:48:21 +00:00
User : & user . DefaultInfo {
Name : happyLDAPUsernameFromAuthenticator ,
UID : happyLDAPUID ,
Groups : happyLDAPGroups ,
} ,
2021-11-03 17:33:22 +00:00
DN : happyLDAPUserDN ,
2021-12-09 22:02:40 +00:00
ExtraRefreshAttributes : map [ string ] string {
happyLDAPExtraRefreshAttribute : happyLDAPExtraRefreshValue ,
} ,
2021-10-08 22:48:21 +00:00
} , true , nil
}
return nil , false , nil
}
2021-04-09 00:28:01 +00:00
upstreamLDAPIdentityProvider := oidctestutil . TestUpstreamLDAPIdentityProvider {
2021-10-08 22:48:21 +00:00
Name : ldapUpstreamName ,
ResourceUID : ldapUpstreamResourceUID ,
URL : parsedUpstreamLDAPURL ,
AuthenticateFunc : ldapAuthenticateFunc ,
}
upstreamActiveDirectoryIdentityProvider := oidctestutil . TestUpstreamLDAPIdentityProvider {
Name : activeDirectoryUpstreamName ,
ResourceUID : activeDirectoryUpstreamResourceUID ,
URL : parsedUpstreamLDAPURL ,
AuthenticateFunc : ldapAuthenticateFunc ,
2021-04-09 00:28:01 +00:00
}
erroringUpstreamLDAPIdentityProvider := oidctestutil . TestUpstreamLDAPIdentityProvider {
2021-10-08 22:48:21 +00:00
Name : ldapUpstreamName ,
ResourceUID : ldapUpstreamResourceUID ,
2021-11-03 17:33:22 +00:00
AuthenticateFunc : func ( ctx context . Context , username , password string ) ( * authenticators . Response , bool , error ) {
2021-04-09 00:28:01 +00:00
return nil , false , fmt . Errorf ( "some ldap upstream auth error" )
} ,
}
2020-11-11 01:58:00 +00:00
happyCSRF := "test-csrf"
happyPKCE := "test-pkce"
2020-12-12 01:39:58 +00:00
happyNonce := "test-nonce"
2020-11-11 01:58:00 +00:00
happyCSRFGenerator := func ( ) ( csrftoken . CSRFToken , error ) { return csrftoken . CSRFToken ( happyCSRF ) , nil }
happyPKCEGenerator := func ( ) ( pkce . Code , error ) { return pkce . Code ( happyPKCE ) , nil }
happyNonceGenerator := func ( ) ( nonce . Nonce , error ) { return nonce . Nonce ( happyNonce ) , nil }
2021-04-08 00:05:25 +00:00
sadCSRFGenerator := func ( ) ( csrftoken . CSRFToken , error ) { return "" , fmt . Errorf ( "some csrf generator error" ) }
sadPKCEGenerator := func ( ) ( pkce . Code , error ) { return "" , fmt . Errorf ( "some PKCE generator error" ) }
sadNonceGenerator := func ( ) ( nonce . Nonce , error ) { return "" , fmt . Errorf ( "some nonce generator error" ) }
2020-11-04 00:17:38 +00:00
// This is the PKCE challenge which is calculated as base64(sha256("test-pkce")). For example:
// $ echo -n test-pkce | shasum -a 256 | cut -d" " -f1 | xxd -r -p | base64 | cut -d"=" -f1
2020-11-04 20:19:07 +00:00
expectedUpstreamCodeChallenge := "VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g"
2020-11-04 00:17:38 +00:00
2020-11-12 23:36:59 +00:00
var stateEncoderHashKey = [ ] byte ( "fake-hash-secret" )
var stateEncoderBlockKey = [ ] byte ( "0123456789ABCDEF" ) // block encryption requires 16/24/32 bytes for AES
var cookieEncoderHashKey = [ ] byte ( "fake-hash-secret2" )
var cookieEncoderBlockKey = [ ] byte ( "0123456789ABCDE2" ) // block encryption requires 16/24/32 bytes for AES
require . NotEqual ( t , stateEncoderHashKey , cookieEncoderHashKey )
require . NotEqual ( t , stateEncoderBlockKey , cookieEncoderBlockKey )
var happyStateEncoder = securecookie . New ( stateEncoderHashKey , stateEncoderBlockKey )
happyStateEncoder . SetSerializer ( securecookie . JSONEncoder { } )
var happyCookieEncoder = securecookie . New ( cookieEncoderHashKey , cookieEncoderBlockKey )
happyCookieEncoder . SetSerializer ( securecookie . JSONEncoder { } )
2020-11-11 01:58:00 +00:00
encodeQuery := func ( query map [ string ] string ) string {
2020-11-04 17:58:40 +00:00
values := url . Values { }
for k , v := range query {
values [ k ] = [ ] string { v }
}
2020-11-11 01:58:00 +00:00
return values . Encode ( )
}
pathWithQuery := func ( path string , query map [ string ] string ) string {
pathToReturn := fmt . Sprintf ( "%s?%s" , path , encodeQuery ( query ) )
2020-11-04 17:58:40 +00:00
require . NotRegexp ( t , "^http" , pathToReturn , "pathWithQuery helper was used to create a URL" )
return pathToReturn
}
urlWithQuery := func ( baseURL string , query map [ string ] string ) string {
2020-11-11 01:58:00 +00:00
urlToReturn := fmt . Sprintf ( "%s?%s" , baseURL , encodeQuery ( query ) )
2020-11-04 17:58:40 +00:00
_ , err := url . Parse ( urlToReturn )
require . NoError ( t , err , "urlWithQuery helper was used to create an illegal URL" )
return urlToReturn
}
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
happyDownstreamScopesRequested := [ ] string { "openid" , "profile" , "email" , "username" , "groups" }
happyDownstreamScopesGranted := [ ] string { "openid" , "username" , "groups" }
2021-04-09 00:28:01 +00:00
2020-11-11 21:13:57 +00:00
happyGetRequestQueryMap := map [ string ] string {
"response_type" : "code" ,
2021-04-09 00:28:01 +00:00
"scope" : strings . Join ( happyDownstreamScopesRequested , " " ) ,
2022-07-14 16:51:11 +00:00
"client_id" : pinnipedCLIClientID ,
2020-12-12 01:39:58 +00:00
"state" : happyState ,
2021-04-09 00:28:01 +00:00
"nonce" : downstreamNonce ,
"code_challenge" : downstreamPKCEChallenge ,
"code_challenge_method" : downstreamPKCEChallengeMethod ,
2020-11-11 21:13:57 +00:00
"redirect_uri" : downstreamRedirectURI ,
2020-11-04 17:58:40 +00:00
}
2020-11-11 21:13:57 +00:00
happyGetRequestPath := pathWithQuery ( "/some/path" , happyGetRequestQueryMap )
2020-11-04 17:58:40 +00:00
2020-11-11 21:13:57 +00:00
modifiedHappyGetRequestQueryMap := func ( queryOverrides map [ string ] string ) map [ string ] string {
2020-11-04 17:58:40 +00:00
copyOfHappyGetRequestQueryMap := map [ string ] string { }
2020-11-11 21:13:57 +00:00
for k , v := range happyGetRequestQueryMap {
2020-11-04 17:58:40 +00:00
copyOfHappyGetRequestQueryMap [ k ] = v
}
for k , v := range queryOverrides {
_ , hasKey := copyOfHappyGetRequestQueryMap [ k ]
if v == "" && hasKey {
delete ( copyOfHappyGetRequestQueryMap , k )
} else {
copyOfHappyGetRequestQueryMap [ k ] = v
}
}
2020-11-11 21:13:57 +00:00
return copyOfHappyGetRequestQueryMap
}
modifiedHappyGetRequestPath := func ( queryOverrides map [ string ] string ) string {
return pathWithQuery ( "/some/path" , modifiedHappyGetRequestQueryMap ( queryOverrides ) )
2020-11-04 17:58:40 +00:00
}
2022-04-26 19:51:56 +00:00
expectedUpstreamStateParam := func ( queryOverrides map [ string ] string , csrfValueOverride , upstreamName , upstreamType string ) string {
2020-11-12 23:36:59 +00:00
csrf := happyCSRF
if csrfValueOverride != "" {
csrf = csrfValueOverride
}
encoded , err := happyStateEncoder . Encode ( "s" ,
2020-11-20 01:57:07 +00:00
oidctestutil . ExpectedUpstreamStateParamFormat {
2020-11-11 21:13:57 +00:00
P : encodeQuery ( modifiedHappyGetRequestQueryMap ( queryOverrides ) ) ,
2020-11-20 21:14:45 +00:00
U : upstreamName ,
2022-04-26 19:51:56 +00:00
T : upstreamType ,
2020-11-11 20:29:14 +00:00
N : happyNonce ,
2020-11-12 23:36:59 +00:00
C : csrf ,
2020-11-11 20:29:14 +00:00
K : happyPKCE ,
2022-04-26 19:51:56 +00:00
V : "2" ,
2020-11-11 20:29:14 +00:00
} ,
)
require . NoError ( t , err )
return encoded
}
2020-11-11 01:58:00 +00:00
2021-10-08 22:48:21 +00:00
expectedRedirectLocationForUpstreamOIDC := func ( expectedUpstreamState string , expectedAdditionalParams map [ string ] string ) string {
2020-12-12 01:13:27 +00:00
query := map [ string ] string {
2020-11-04 17:58:40 +00:00
"response_type" : "code" ,
"scope" : "scope1 scope2" ,
"client_id" : "some-client-id" ,
2020-11-11 21:13:57 +00:00
"state" : expectedUpstreamState ,
2020-11-11 01:58:00 +00:00
"nonce" : happyNonce ,
2020-11-04 20:19:07 +00:00
"code_challenge" : expectedUpstreamCodeChallenge ,
2021-04-09 00:28:01 +00:00
"code_challenge_method" : downstreamPKCEChallengeMethod ,
2020-11-20 21:14:45 +00:00
"redirect_uri" : downstreamIssuer + "/callback" ,
2020-12-12 01:13:27 +00:00
}
2021-10-08 22:48:21 +00:00
for key , val := range expectedAdditionalParams {
query [ key ] = val
2020-12-12 01:13:27 +00:00
}
return urlWithQuery ( upstreamAuthURL . String ( ) , query )
2020-11-11 20:29:14 +00:00
}
2020-11-04 00:17:38 +00:00
2021-10-08 22:48:21 +00:00
expectedHappyActiveDirectoryUpstreamCustomSession := & psession . CustomSessionData {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Username : happyLDAPUsernameFromAuthenticator ,
2021-10-08 22:48:21 +00:00
ProviderUID : activeDirectoryUpstreamResourceUID ,
ProviderName : activeDirectoryUpstreamName ,
ProviderType : psession . ProviderTypeActiveDirectory ,
OIDC : nil ,
2021-10-22 20:57:30 +00:00
LDAP : nil ,
ActiveDirectory : & psession . ActiveDirectorySessionData {
2021-12-08 23:03:57 +00:00
UserDN : happyLDAPUserDN ,
2021-12-09 22:02:40 +00:00
ExtraRefreshAttributes : map [ string ] string { happyLDAPExtraRefreshAttribute : happyLDAPExtraRefreshValue } ,
2021-10-22 20:57:30 +00:00
} ,
2021-10-08 22:48:21 +00:00
}
expectedHappyLDAPUpstreamCustomSession := & psession . CustomSessionData {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Username : happyLDAPUsernameFromAuthenticator ,
2021-10-08 22:48:21 +00:00
ProviderUID : ldapUpstreamResourceUID ,
ProviderName : ldapUpstreamName ,
ProviderType : psession . ProviderTypeLDAP ,
OIDC : nil ,
2021-10-22 20:57:30 +00:00
LDAP : & psession . LDAPSessionData {
2021-12-08 23:03:57 +00:00
UserDN : happyLDAPUserDN ,
2021-12-09 22:02:40 +00:00
ExtraRefreshAttributes : map [ string ] string { happyLDAPExtraRefreshAttribute : happyLDAPExtraRefreshValue } ,
2021-10-22 20:57:30 +00:00
} ,
ActiveDirectory : nil ,
2021-10-08 22:48:21 +00:00
}
expectedHappyOIDCPasswordGrantCustomSession := & psession . CustomSessionData {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Username : oidcUpstreamUsername ,
2021-10-08 22:48:21 +00:00
ProviderUID : oidcPasswordGrantUpstreamResourceUID ,
ProviderName : oidcPasswordGrantUpstreamName ,
ProviderType : psession . ProviderTypeOIDC ,
OIDC : & psession . OIDCSessionData {
UpstreamRefreshToken : oidcPasswordGrantUpstreamRefreshToken ,
2022-01-07 23:04:58 +00:00
UpstreamSubject : oidcUpstreamSubject ,
UpstreamIssuer : oidcUpstreamIssuer ,
2021-10-08 22:48:21 +00:00
} ,
}
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
expectedHappyOIDCPasswordGrantCustomSessionWithUsername := func ( wantUsername string ) * psession . CustomSessionData {
copyOfCustomSession := * expectedHappyOIDCPasswordGrantCustomSession
copyOfOIDC := * ( expectedHappyOIDCPasswordGrantCustomSession . OIDC )
copyOfCustomSession . OIDC = & copyOfOIDC
copyOfCustomSession . Username = wantUsername
return & copyOfCustomSession
}
2022-01-05 18:31:38 +00:00
expectedHappyOIDCPasswordGrantCustomSessionWithAccessToken := & psession . CustomSessionData {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Username : oidcUpstreamUsername ,
2022-01-05 18:31:38 +00:00
ProviderUID : oidcPasswordGrantUpstreamResourceUID ,
ProviderName : oidcPasswordGrantUpstreamName ,
ProviderType : psession . ProviderTypeOIDC ,
OIDC : & psession . OIDCSessionData {
2022-01-11 01:03:31 +00:00
UpstreamAccessToken : oidcUpstreamAccessToken ,
UpstreamSubject : oidcUpstreamSubject ,
UpstreamIssuer : oidcUpstreamIssuer ,
2022-01-05 18:31:38 +00:00
} ,
}
2022-07-14 16:51:11 +00:00
addFullyCapableDynamicClientAndSecretToKubeResources := func ( t * testing . T , supervisorClient * supervisorfake . Clientset , kubeClient * fake . Clientset ) {
2022-07-20 20:55:56 +00:00
oidcClient , secret := testutil . FullyCapableOIDCClientAndStorageSecret ( t ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
"some-namespace" , dynamicClientID , dynamicClientUID , downstreamRedirectURI ,
[ ] string { testutil . HashedPassword1AtGoMinCost } , oidcclientvalidator . Validate )
2022-07-20 20:55:56 +00:00
require . NoError ( t , supervisorClient . Tracker ( ) . Add ( oidcClient ) )
require . NoError ( t , kubeClient . Tracker ( ) . Add ( secret ) )
2022-07-14 16:51:11 +00:00
}
2021-04-09 00:28:01 +00:00
// Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
happyAuthcodeDownstreamRedirectLocationRegexp := downstreamRedirectURI + ` \?code=([^&]+)&scope=openid\+username\+groups&state= ` + happyState
2021-04-09 00:28:01 +00:00
2020-11-12 23:36:59 +00:00
incomingCookieCSRFValue := "csrf-value-from-cookie"
encodedIncomingCookieCSRFValue , err := happyCookieEncoder . Encode ( "csrf" , incomingCookieCSRFValue )
require . NoError ( t , err )
2020-11-11 01:58:00 +00:00
2020-11-04 00:17:38 +00:00
type testCase struct {
name string
2021-08-13 00:53:14 +00:00
idps * oidctestutil . UpstreamIDPListerBuilder
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
kubeResources func ( t * testing . T , supervisorClient * supervisorfake . Clientset , kubeClient * fake . Clientset )
2021-04-09 00:28:01 +00:00
generateCSRF func ( ) ( csrftoken . CSRFToken , error )
generatePKCE func ( ) ( pkce . Code , error )
generateNonce func ( ) ( nonce . Nonce , error )
stateEncoder oidc . Codec
cookieEncoder oidc . Codec
method string
path string
contentType string
body string
csrfCookie string
customUsernameHeader * string // nil means do not send header, empty means send header with empty value
customPasswordHeader * string // nil means do not send header, empty means send header with empty value
wantStatus int
wantContentType string
wantBodyString string
2022-06-02 16:23:34 +00:00
wantBodyRegex string
2021-04-09 00:28:01 +00:00
wantBodyJSON string
wantCSRFValueInCookieHeader string
2020-11-12 17:13:58 +00:00
wantBodyStringWithLocationInHref bool
2021-04-09 00:28:01 +00:00
wantLocationHeader string
wantUpstreamStateParamInLocationHeader bool
2021-08-13 00:53:14 +00:00
// Assertions for when an authcode should be returned, i.e. the request was authenticated by an
// upstream LDAP provider or an upstream OIDC password grant flow.
2021-04-09 00:28:01 +00:00
wantRedirectLocationRegexp string
wantDownstreamRedirectURI string
wantDownstreamGrantedScopes [ ] string
wantDownstreamIDTokenSubject string
wantDownstreamIDTokenUsername string
wantDownstreamIDTokenGroups [ ] string
wantDownstreamRequestedScopes [ ] string
wantDownstreamPKCEChallenge string
wantDownstreamPKCEChallengeMethod string
wantDownstreamNonce string
2022-07-14 16:51:11 +00:00
wantDownstreamClientID string // defaults to wanting "pinniped-cli" when not set
2021-04-09 00:28:01 +00:00
wantUnnecessaryStoredRecords int
2021-08-13 00:53:14 +00:00
wantPasswordGrantCall * expectedPasswordGrant
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData * psession . CustomSessionData
2023-01-04 17:42:50 +00:00
wantAdditionalClaims map [ string ] interface { }
2020-11-11 20:29:14 +00:00
}
2020-11-04 00:17:38 +00:00
tests := [ ] testCase {
{
2021-08-13 00:53:14 +00:00
name : "OIDC upstream browser flow happy path using GET without a CSRF cookie" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-12 17:13:58 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-12 17:13:58 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-11-12 23:36:59 +00:00
wantCSRFValueInCookieHeader : happyCSRF ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( nil , "" , oidcUpstreamName , "oidc" ) , nil ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "OIDC upstream browser flow happy path using GET without a CSRF cookie using a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-04-26 19:51:56 +00:00
{
name : "LDAP upstream browser flow happy path using GET without a CSRF cookie" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , "" , ldapUpstreamName , "ldap" ) } ) ,
2020-11-12 23:36:59 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "LDAP upstream browser flow happy path using GET without a CSRF cookie using a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , ldapUpstreamName , "ldap" ) } ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-04-26 23:46:58 +00:00
{
name : "Active Directory upstream browser flow happy path using GET without a CSRF cookie" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , "" , activeDirectoryUpstreamName , "activedirectory" ) } ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "Active Directory upstream browser flow happy path using GET without a CSRF cookie using a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , activeDirectoryUpstreamName , "activedirectory" ) } ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2021-08-13 00:53:14 +00:00
{
2021-08-18 19:06:46 +00:00
name : "OIDC upstream password grant happy path using GET" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-13 00:53:14 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-13 00:53:14 +00:00
} ,
2023-01-04 17:42:50 +00:00
{
name : "OIDC upstream password grant happy path using GET with additional claim mappings" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithAdditionalClaimMappings ( map [ string ] string {
"downstreamCustomClaim" : "upstreamCustomClaim" ,
"downstreamOtherClaim" : "upstreamOtherClaim" ,
"downstreamMissingClaim" : "upstreamMissingClaim" ,
} ) .
WithIDTokenClaim ( "upstreamCustomClaim" , "i am a claim value" ) .
WithIDTokenClaim ( "upstreamOtherClaim" , "other claim value" ) .
Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
wantAdditionalClaims : map [ string ] interface { } {
"downstreamCustomClaim" : "i am a claim value" ,
"downstreamOtherClaim" : "other claim value" ,
} ,
} ,
2023-01-11 18:55:37 +00:00
{
name : "OIDC upstream password grant happy path using GET with additional claim mappings, when upstream claims are not available" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithAdditionalClaimMappings ( map [ string ] string {
"downstream" : "upstream" ,
} ) .
WithIDTokenClaim ( "not-upstream" , "value" ) .
Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
wantAdditionalClaims : nil , // downstream claims are empty
} ,
2021-04-09 00:28:01 +00:00
{
2022-04-26 23:46:58 +00:00
name : "LDAP cli upstream happy path using GET" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
2021-05-27 00:04:20 +00:00
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
2021-04-09 00:28:01 +00:00
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator ,
wantDownstreamIDTokenGroups : happyLDAPGroups ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
2021-07-02 22:30:27 +00:00
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyLDAPUpstreamCustomSession ,
2021-07-02 22:30:27 +00:00
} ,
{
2022-04-26 23:46:58 +00:00
name : "ActiveDirectory cli upstream happy path using GET" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-02 22:30:27 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-02 22:30:27 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator ,
wantDownstreamIDTokenGroups : happyLDAPGroups ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
2021-04-09 00:28:01 +00:00
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyActiveDirectoryUpstreamCustomSession ,
2021-04-09 00:28:01 +00:00
} ,
2020-11-12 23:36:59 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream browser flow happy path using GET with a CSRF cookie" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-12 23:36:59 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2020-12-01 23:01:22 +00:00
csrfCookie : "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue + " " ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( nil , incomingCookieCSRFValue , oidcUpstreamName , "oidc" ) , nil ) ,
2020-11-11 20:29:14 +00:00
wantUpstreamStateParamInLocationHeader : true ,
2020-11-12 17:13:58 +00:00
wantBodyStringWithLocationInHref : true ,
2020-11-11 20:29:14 +00:00
} ,
2022-04-26 23:46:58 +00:00
{
name : "LDAP upstream browser flow happy path using GET with a CSRF cookie" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
csrfCookie : "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue + " " ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , incomingCookieCSRFValue , ldapUpstreamName , "ldap" ) } ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
{
name : "Active Directory upstream browser flow happy path using GET with a CSRF cookie" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
csrfCookie : "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue + " " ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , incomingCookieCSRFValue , activeDirectoryUpstreamName , "activedirectory" ) } ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2020-11-11 20:29:14 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream browser flow happy path using POST" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 20:29:14 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-11 20:29:14 +00:00
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2020-11-11 21:13:57 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2020-11-11 20:29:14 +00:00
wantContentType : "" ,
wantBodyString : "" ,
2020-11-12 23:36:59 +00:00
wantCSRFValueInCookieHeader : happyCSRF ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( nil , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2020-12-12 01:13:27 +00:00
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "OIDC upstream browser flow happy path using POST with a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodPost ,
path : "/some/path" ,
contentType : formContentType ,
2022-07-20 20:55:56 +00:00
body : encodeQuery ( modifiedHappyGetRequestQueryMap ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : "" ,
wantBodyString : "" ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-04-26 23:46:58 +00:00
{
name : "LDAP upstream browser flow happy path using POST" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2022-04-26 23:46:58 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : "" ,
wantBodyString : "" ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , "" , ldapUpstreamName , "ldap" ) } ) ,
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "LDAP upstream browser flow happy path using POST with a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodPost ,
path : "/some/path" ,
contentType : formContentType ,
2022-07-20 20:55:56 +00:00
body : encodeQuery ( modifiedHappyGetRequestQueryMap ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : "" ,
wantBodyString : "" ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , ldapUpstreamName , "ldap" ) } ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-04-26 23:46:58 +00:00
{
name : "Active Directory upstream browser flow happy path using POST" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2022-04-26 23:46:58 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : "" ,
wantBodyString : "" ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( nil , "" , activeDirectoryUpstreamName , "activedirectory" ) } ) ,
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "Active Directory upstream browser flow happy path using POST with a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodPost ,
path : "/some/path" ,
contentType : formContentType ,
2022-07-20 20:55:56 +00:00
body : encodeQuery ( modifiedHappyGetRequestQueryMap ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : "" ,
wantBodyString : "" ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-07-20 20:55:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamIssuer + "/login" , map [ string ] string { "state" : expectedUpstreamStateParam ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } , "" , activeDirectoryUpstreamName , "activedirectory" ) } ) ,
2022-07-14 16:51:11 +00:00
wantUpstreamStateParamInLocationHeader : true ,
} ,
2021-08-16 21:27:40 +00:00
{
2021-08-18 19:06:46 +00:00
name : "OIDC upstream password grant happy path using POST" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2021-08-18 19:06:46 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-16 21:27:40 +00:00
} ,
2021-04-09 00:28:01 +00:00
{
2022-04-26 23:46:58 +00:00
name : "LDAP cli upstream happy path using POST" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2021-04-09 00:28:01 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-12 20:29:37 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator ,
wantDownstreamIDTokenGroups : happyLDAPGroups ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyLDAPUpstreamCustomSession ,
2021-07-12 20:29:37 +00:00
} ,
{
2022-04-26 23:46:58 +00:00
name : "Active Directory cli upstream happy path using POST" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-12 20:29:37 +00:00
method : http . MethodPost ,
path : "/some/path" ,
2022-04-29 23:01:51 +00:00
contentType : formContentType ,
2021-07-12 20:29:37 +00:00
body : encodeQuery ( happyGetRequestQueryMap ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
2021-05-27 00:04:20 +00:00
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
2021-04-09 00:28:01 +00:00
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator ,
wantDownstreamIDTokenGroups : happyLDAPGroups ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyActiveDirectoryUpstreamCustomSession ,
2021-04-09 00:28:01 +00:00
} ,
2020-12-12 01:13:27 +00:00
{
2021-10-06 23:30:30 +00:00
name : "OIDC upstream browser flow happy path with prompt param other than none that gets ignored" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-12-12 01:13:27 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "login" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-12-12 01:13:27 +00:00
wantBodyStringWithLocationInHref : true ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string { "prompt" : "login" } , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2021-10-08 22:48:21 +00:00
wantUpstreamStateParamInLocationHeader : true ,
} ,
2022-05-06 19:00:46 +00:00
{
name : "OIDC upstream browser flow happy path with custom IDP name and type query params, which are excluded from the query params in the upstream state" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "pinniped_idp_name" : "currently-ignored" , "pinniped_idp_type" : "oidc" } ) ,
contentType : formContentType ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantBodyStringWithLocationInHref : true ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( nil , "" , oidcUpstreamName , "oidc" ) , nil ) ,
wantUpstreamStateParamInLocationHeader : true ,
} ,
2021-10-08 22:48:21 +00:00
{
name : "OIDC upstream browser flow happy path with extra params that get passed through" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . WithAdditionalAuthcodeParams ( map [ string ] string { "prompt" : "consent" , "abc" : "123" , "def" : "456" } ) . Build ( ) ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "login" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-10-08 22:48:21 +00:00
wantContentType : htmlContentType ,
wantBodyStringWithLocationInHref : true ,
wantCSRFValueInCookieHeader : happyCSRF ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string { "prompt" : "login" } , "" , oidcUpstreamName , "oidc" ) , map [ string ] string { "prompt" : "consent" , "abc" : "123" , "def" : "456" } ) ,
2020-11-11 20:29:14 +00:00
wantUpstreamStateParamInLocationHeader : true ,
2020-11-04 00:17:38 +00:00
} ,
2021-10-06 23:30:30 +00:00
{
name : "OIDC upstream browser flow with prompt param none throws an error because we want to independently decide the upstream prompt param" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2021-10-06 23:30:30 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-10-06 23:30:30 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeLoginRequiredErrorQuery ) ,
wantBodyString : "" ,
} ,
2020-11-20 21:56:35 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream browser flow with error while decoding CSRF cookie just generates a new cookie and succeeds as usual" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-20 21:56:35 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : happyGetRequestPath ,
csrfCookie : "__Host-pinniped-csrf=this-value-was-not-signed-by-pinniped" ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-11-20 21:56:35 +00:00
// Generated a new CSRF cookie and set it in the response.
wantCSRFValueInCookieHeader : happyCSRF ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( nil , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2020-11-20 21:56:35 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2020-11-04 00:17:38 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream browser flow happy path when downstream redirect uri matches what is configured for client except for the port number" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 00:17:38 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-11 20:29:14 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
} ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-11-12 23:36:59 +00:00
wantCSRFValueInCookieHeader : happyCSRF ,
2021-04-08 00:05:25 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string {
2020-11-11 21:13:57 +00:00
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
2022-04-26 19:51:56 +00:00
} , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2020-11-11 20:29:14 +00:00
wantUpstreamStateParamInLocationHeader : true ,
2020-11-12 17:13:58 +00:00
wantBodyStringWithLocationInHref : true ,
2020-11-04 15:30:53 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "OIDC upstream browser flow happy path using dynamic client when downstream redirect uri matches what is configured for client except for the port number" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string {
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} , "" , oidcUpstreamName , "oidc" ) , nil ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream password grant happy path when downstream redirect uri matches what is configured for client except for the port number" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
} ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantRedirectLocationRegexp : downstreamRedirectURIWithDifferentPort + ` \?code=([^&]+)&scope=openid\+username\+groups&state= ` + happyState ,
2021-08-16 21:27:40 +00:00
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURIWithDifferentPort ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-16 21:27:40 +00:00
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-13 00:53:14 +00:00
name : "LDAP upstream happy path when downstream redirect uri matches what is configured for client except for the port number" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
method : http . MethodGet ,
2021-04-09 00:28:01 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : downstreamRedirectURIWithDifferentPort , // not the same port number that is registered for the client
} ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantRedirectLocationRegexp : downstreamRedirectURIWithDifferentPort + ` \?code=([^&]+)&scope=openid\+username\+groups&state= ` + happyState ,
2021-05-27 00:04:20 +00:00
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
2021-04-09 00:28:01 +00:00
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator ,
wantDownstreamIDTokenGroups : happyLDAPGroups ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURIWithDifferentPort ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyLDAPUpstreamCustomSession ,
2021-04-09 00:28:01 +00:00
} ,
2020-12-08 01:22:34 +00:00
{
2021-08-16 21:27:40 +00:00
name : "OIDC upstream browser flow happy path when downstream requested scopes include offline_access" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-12-08 01:22:34 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "scope" : "openid offline_access" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-12-08 01:22:34 +00:00
wantCSRFValueInCookieHeader : happyCSRF ,
2021-04-08 00:05:25 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam ( map [ string ] string {
2020-12-08 01:22:34 +00:00
"scope" : "openid offline_access" ,
2022-04-26 19:51:56 +00:00
} , "" , oidcUpstreamName , "oidc" ) , nil ) ,
2020-12-08 01:22:34 +00:00
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2022-01-05 18:31:38 +00:00
{
2022-01-11 23:40:38 +00:00
name : "OIDC password grant happy path when upstream IDP returned empty refresh token but it did return an access token and has a userinfo endpoint" ,
2022-01-18 23:34:19 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithEmptyRefreshToken ( ) . WithAccessToken ( oidcUpstreamAccessToken , metav1 . NewTime ( time . Now ( ) . Add ( 9 * time . Hour ) ) ) . WithUserInfoURL ( ) . Build ( ) ) ,
2022-01-11 01:03:31 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-11 01:03:31 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithAccessToken ,
} ,
2022-01-18 23:34:19 +00:00
{
name : "OIDC password grant happy path when upstream IDP returned empty refresh token and an access token that has a short lifetime" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithEmptyRefreshToken ( ) . WithAccessToken ( oidcUpstreamAccessToken , metav1 . NewTime ( time . Now ( ) . Add ( 1 * time . Hour ) ) ) . WithUserInfoURL ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-18 23:34:19 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
wantDownstreamCustomSessionData : & psession . CustomSessionData {
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
Username : oidcUpstreamUsername ,
2022-01-18 23:34:19 +00:00
ProviderUID : oidcPasswordGrantUpstreamResourceUID ,
ProviderName : oidcPasswordGrantUpstreamName ,
ProviderType : psession . ProviderTypeOIDC ,
Warnings : [ ] string { "Access token from identity provider has lifetime of less than 3 hours. Expect frequent prompts to log in." } ,
OIDC : & psession . OIDCSessionData {
UpstreamAccessToken : oidcUpstreamAccessToken ,
UpstreamSubject : oidcUpstreamSubject ,
UpstreamIssuer : oidcUpstreamIssuer ,
} ,
} ,
} ,
2022-01-11 01:03:31 +00:00
{
2022-01-11 23:40:38 +00:00
name : "OIDC password grant happy path when upstream IDP did not return a refresh token but it did return an access token and has a userinfo endpoint" ,
2022-01-18 23:34:19 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutRefreshToken ( ) . WithAccessToken ( oidcUpstreamAccessToken , metav1 . NewTime ( time . Now ( ) . Add ( 9 * time . Hour ) ) ) . WithUserInfoURL ( ) . Build ( ) ) ,
2022-01-05 18:31:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-05 18:31:38 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithAccessToken ,
} ,
2020-11-04 15:30:53 +00:00
{
2021-04-09 00:28:01 +00:00
name : "error during upstream LDAP authentication" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & erroringUpstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusBadGateway ,
wantContentType : htmlContentType ,
wantBodyString : "Bad Gateway: unexpected error during upstream authentication\n" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "error during upstream Active Directory authentication" ,
2021-08-24 19:19:29 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & erroringUpstreamLDAPIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-26 23:03:12 +00:00
wantStatus : http . StatusBadGateway ,
wantContentType : htmlContentType ,
wantBodyString : "Bad Gateway: unexpected error during upstream authentication\n" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "wrong upstream credentials for OIDC password grant authentication" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
// This is similar to the error that would be returned by the underlying call to oauth2.PasswordCredentialsToken()
WithPasswordGrantError ( & oauth2 . RetrieveError { Response : & http . Response { Status : "fake status" } , Body : [ ] byte ( "fake body" ) } ) .
Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( "wrong-password" ) ,
2021-08-16 21:27:40 +00:00
wantPasswordGrantCall : & expectedPasswordGrant {
performedByUpstreamName : oidcPasswordGrantUpstreamName ,
args : & oidctestutil . PasswordCredentialsGrantAndValidateTokensArgs {
Username : oidcUpstreamUsername ,
Password : "wrong-password" ,
} } ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
name : "wrong upstream password for LDAP authentication" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( "wrong-password" ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "wrong upstream password for Active Directory authentication" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( "wrong-password" ) ,
2021-07-26 23:03:12 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
name : "wrong upstream username for LDAP authentication" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( "wrong-username" ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "wrong upstream username for Active Directory authentication" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( "wrong-username" ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-26 23:03:12 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithBadUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-04-26 23:46:58 +00:00
{
name : "missing upstream username but has password on request for OIDC password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
customUsernameHeader : nil , // do not send header
2022-12-14 01:04:30 +00:00
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-04-26 23:46:58 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-04-26 23:46:58 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2022-04-26 19:51:56 +00:00
name : "missing upstream username but has password on request for LDAP authentication" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
customUsernameHeader : nil , // do not send header
2022-12-14 01:04:30 +00:00
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "missing upstream username on request for Active Directory authentication" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
customUsernameHeader : nil , // do not send header
2022-12-14 01:04:30 +00:00
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-26 23:03:12 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
name : "missing upstream password on request for LDAP authentication" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
2021-04-09 00:28:01 +00:00
customPasswordHeader : nil , // do not send header
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "missing upstream password on request for Active Directory authentication" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
2021-07-26 23:03:12 +00:00
customPasswordHeader : nil , // do not send header
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-10-08 22:48:21 +00:00
{
2022-01-11 23:40:38 +00:00
name : "password grant returns an error when upstream IDP returns no refresh token with an access token but has no userinfo endpoint" ,
2022-01-18 23:34:19 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutRefreshToken ( ) . WithAccessToken ( oidcUpstreamAccessToken , metav1 . NewTime ( time . Now ( ) . Add ( 9 * time . Hour ) ) ) . WithoutUserInfoURL ( ) . Build ( ) ) ,
2022-01-11 23:40:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-11 23:40:38 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-11 23:40:38 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUserInfoEndpointErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "password grant returns an error when upstream IDP returns empty refresh token with an access token but has no userinfo endpoint" ,
2022-01-18 23:34:19 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithEmptyRefreshToken ( ) . WithAccessToken ( oidcUpstreamAccessToken , metav1 . NewTime ( time . Now ( ) . Add ( 9 * time . Hour ) ) ) . WithoutUserInfoURL ( ) . Build ( ) ) ,
2022-01-11 23:40:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-11 23:40:38 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-11 23:40:38 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUserInfoEndpointErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "password grant returns an error when upstream IDP returns empty refresh token and empty access token" ,
2022-01-11 01:03:31 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithEmptyRefreshToken ( ) . WithEmptyAccessToken ( ) . Build ( ) ) ,
2021-10-08 22:48:21 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-10-08 22:48:21 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-11 01:03:31 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingAccessTokenErrorQuery ) ,
2021-10-08 22:48:21 +00:00
wantBodyString : "" ,
} ,
{
2022-01-11 23:40:38 +00:00
name : "password grant returns an error when upstream IDP returns no refresh and no access token" ,
2022-01-11 01:03:31 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutRefreshToken ( ) . WithoutAccessToken ( ) . Build ( ) ) ,
2021-10-08 22:48:21 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-10-08 22:48:21 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-11 01:03:31 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingAccessTokenErrorQuery ) ,
2021-10-08 22:48:21 +00:00
wantBodyString : "" ,
} ,
2022-01-05 18:31:38 +00:00
{
2022-01-11 23:40:38 +00:00
name : "password grant returns an error when upstream IDP returns no refresh token and empty access token" ,
2022-01-11 01:03:31 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutRefreshToken ( ) . WithEmptyAccessToken ( ) . Build ( ) ) ,
2022-01-05 18:31:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-05 18:31:38 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-05 18:31:38 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingAccessTokenErrorQuery ) ,
wantBodyString : "" ,
} ,
{
2022-01-11 23:40:38 +00:00
name : "password grant returns an error when upstream IDP returns empty refresh token and no access token" ,
2022-01-11 01:03:31 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithEmptyRefreshToken ( ) . WithoutAccessToken ( ) . Build ( ) ) ,
2022-01-05 18:31:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-01-05 18:31:38 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-01-05 18:31:38 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingAccessTokenErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "missing upstream password on request for OIDC password grant authentication" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
2021-08-16 21:27:40 +00:00
customPasswordHeader : nil , // do not send header
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithMissingUsernamePasswordHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "using the custom username header on request for OIDC password grant authentication when OIDCIdentityProvider does not allow password grants" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2021-08-16 21:27:40 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithPasswordGrantDisallowedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "dynamic clients are not allowed to use OIDC password grant because we don't want them to handle user credentials" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusFound ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "dynamic clients are not allowed to use LDAP CLI-flow authentication because we don't want them to handle user credentials" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusFound ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "dynamic clients are not allowed to use Active Directory CLI-flow authentication because we don't want them to handle user credentials" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusFound ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithUsernamePasswordHeadersDisallowedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "downstream redirect uri does not match what is configured for client when using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 15:30:53 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 15:30:53 +00:00
method : http . MethodGet ,
2020-11-04 17:58:40 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client" ,
} ) ,
2020-11-04 15:30:53 +00:00
wantStatus : http . StatusBadRequest ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 15:30:53 +00:00
wantBodyJSON : fositeInvalidRedirectURIErrorBody ,
2020-11-04 15:15:19 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "downstream redirect uri does not match what is configured for client when using OIDC upstream browser flow with a dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : "http://127.0.0.1/does-not-match-what-is-configured-for-dynamic-client" ,
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} ) ,
wantStatus : http . StatusBadRequest ,
wantContentType : jsonContentType ,
wantBodyJSON : fositeInvalidRedirectURIErrorBody ,
} ,
2020-11-04 23:04:50 +00:00
{
2021-08-16 21:27:40 +00:00
name : "downstream redirect uri does not match what is configured for client when using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client" ,
} ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusBadRequest ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantBodyJSON : fositeInvalidRedirectURIErrorBody ,
} ,
2021-08-25 18:33:42 +00:00
{
2021-08-13 00:53:14 +00:00
name : "downstream redirect uri does not match what is configured for client when using LDAP upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
method : http . MethodGet ,
2021-04-09 00:28:01 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client" ,
} ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusBadRequest ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantBodyJSON : fositeInvalidRedirectURIErrorBody ,
} ,
2021-08-25 18:33:42 +00:00
{
name : "downstream redirect uri does not match what is configured for client when using active directory upstream" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-08-25 18:33:42 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"redirect_uri" : "http://127.0.0.1/does-not-match-what-is-configured-for-pinniped-cli-client" ,
} ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-08-25 18:33:42 +00:00
wantStatus : http . StatusBadRequest ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-25 18:33:42 +00:00
wantBodyJSON : fositeInvalidRedirectURIErrorBody ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "downstream client does not exist when using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 20:29:14 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-11 20:29:14 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "invalid-client" } ) ,
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-11 20:29:14 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
2020-11-04 23:04:50 +00:00
} ,
2021-08-16 21:27:40 +00:00
{
name : "downstream client does not exist when using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "invalid-client" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
2020-11-04 16:12:26 +00:00
{
2021-04-09 00:28:01 +00:00
name : "downstream client does not exist when using LDAP upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "invalid-client" } ) ,
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
2021-08-25 18:33:42 +00:00
{
name : "downstream client does not exist when using active directory upstream" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-08-25 18:33:42 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "invalid-client" } ) ,
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-25 18:33:42 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "response type is unsupported when using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 17:58:40 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 17:58:40 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 17:58:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
2020-11-04 20:19:07 +00:00
wantBodyString : "" ,
2020-11-04 16:12:26 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "response type is unsupported when using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"response_type" : "unsupported" ,
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "response type is unsupported when using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2020-11-04 16:12:26 +00:00
{
2022-04-26 19:51:56 +00:00
name : "response type is unsupported when using LDAP cli upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "response type is unsupported when using LDAP browser upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "response type is unsupported when using LDAP browser upstream with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"response_type" : "unsupported" ,
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-25 18:33:42 +00:00
{
2022-04-26 19:51:56 +00:00
name : "response type is unsupported when using active directory cli upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "response type is unsupported when using active directory browser upstream" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-08-25 18:33:42 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "unsupported" } ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-25 18:33:42 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "response type is unsupported when using active directory browser upstream with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string {
"response_type" : "unsupported" ,
"client_id" : dynamicClientID ,
2022-07-20 20:55:56 +00:00
"scope" : testutil . AllDynamicClientScopesSpaceSep ,
2022-07-14 16:51:11 +00:00
} ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeUnsupportedResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "downstream scopes do not match what is configured for client using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 17:58:40 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 17:58:40 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "scope" : "openid profile email tuna" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 17:58:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidScopeErrorQuery ) ,
2020-11-04 20:19:07 +00:00
wantBodyString : "" ,
2020-11-04 16:12:26 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "downstream scopes do not match what is configured for client using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : "openid tuna" } ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidScopeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "downstream scopes do not match what is configured for client using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "scope" : "openid profile email tuna" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidScopeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-06-02 16:23:34 +00:00
{
name : "form_post page is used to send errors to client using OIDC upstream browser flow with response_mode=form_post" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_mode" : "form_post" , "scope" : "openid profile email tuna" } ) ,
wantStatus : http . StatusOK ,
wantContentType : htmlContentType ,
wantBodyRegex : ` <input type="hidden" name="encoded_params" value="error=invalid_scope&error_description=The+requested+scope+is+invalid ` ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "response_mode form_post is not allowed for dynamic clients" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_mode" : "form_post" , "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusOK , // this is weird, but fosite uses a form_post response to tell the client that it is not allowed to use form_post responses
wantContentType : htmlContentType ,
wantBodyRegex : ` <input type="hidden" name="encoded_params" value="error=unsupported_response_mode&error_description=The+authorization+server+does+not+support+obtaining+a+response+using+this+response+mode. ` ,
} ,
2020-11-04 16:12:26 +00:00
{
2021-04-09 00:28:01 +00:00
name : "downstream scopes do not match what is configured for client using LDAP upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "scope" : "openid tuna" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidScopeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
2021-08-24 19:19:29 +00:00
name : "downstream scopes do not match what is configured for client using Active Directory upstream" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "scope" : "openid tuna" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-07-26 23:03:12 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidScopeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "missing response type in request using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 17:58:40 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 17:58:40 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 17:58:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
2020-11-04 20:19:07 +00:00
wantBodyString : "" ,
2020-11-04 16:12:26 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "missing response type in request using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "response_type" : "" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "missing response type in request using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2020-11-04 16:12:26 +00:00
{
2022-04-26 19:51:56 +00:00
name : "missing response type in request using LDAP cli upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "missing response type in request using LDAP browser upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "missing response type in request using LDAP browser upstream with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "response_type" : "" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-07-26 23:03:12 +00:00
{
2022-04-26 19:51:56 +00:00
name : "missing response type in request using Active Directory cli upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2022-04-26 19:51:56 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "missing response type in request using Active Directory browser upstream" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "response_type" : "" } ) ,
2022-04-26 19:51:56 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-07-26 23:03:12 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "missing response type in request using Active Directory browser upstream with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "response_type" : "" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingResponseTypeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "missing client id in request using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 17:58:40 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 17:58:40 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "" } ) ,
2020-11-04 16:12:26 +00:00
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 16:12:26 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "missing client id in request using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
2020-11-04 20:19:07 +00:00
{
2021-04-09 00:28:01 +00:00
name : "missing client id in request using LDAP upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : "" } ) ,
wantStatus : http . StatusUnauthorized ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantBodyJSON : fositeInvalidClientErrorBody ,
} ,
{
2021-08-16 21:27:40 +00:00
name : "missing PKCE code_challenge in request using OIDC upstream browser flow" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 20:19:07 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 20:19:07 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge" : "" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 20:19:07 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "missing PKCE code_challenge in request using OIDC upstream browser flow with dynamic client" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "code_challenge" : "" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
2021-08-18 19:06:46 +00:00
name : "missing PKCE code_challenge in request using OIDC upstream password grant" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
2020-11-04 20:29:43 +00:00
{
2021-04-09 00:28:01 +00:00
name : "missing PKCE code_challenge in request using LDAP upstream" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
{
2021-08-16 21:27:40 +00:00
name : "invalid value for PKCE code_challenge_method in request using OIDC upstream browser flow" , // https://tools.ietf.org/html/rfc7636#section-4.3
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 20:29:43 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 20:29:43 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "this-is-not-a-valid-pkce-alg" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 20:29:43 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "invalid value for PKCE code_challenge_method in request using OIDC upstream browser flow with dynamic client" , // https://tools.ietf.org/html/rfc7636#section-4.3
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "code_challenge_method" : "this-is-not-a-valid-pkce-alg" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
2021-08-18 19:06:46 +00:00
name : "invalid value for PKCE code_challenge_method in request using OIDC upstream password grant" , // https://tools.ietf.org/html/rfc7636#section-4.3
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "this-is-not-a-valid-pkce-alg" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
2020-11-04 20:29:43 +00:00
{
2021-04-09 00:28:01 +00:00
name : "invalid value for PKCE code_challenge_method in request using LDAP upstream" , // https://tools.ietf.org/html/rfc7636#section-4.3
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "this-is-not-a-valid-pkce-alg" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidCodeChallengeErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
{
2021-08-16 21:27:40 +00:00
name : "when PKCE code_challenge_method in request is `plain` using OIDC upstream browser flow" , // https://tools.ietf.org/html/rfc7636#section-4.3
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 20:29:43 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 20:29:43 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "plain" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 20:29:43 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "when PKCE code_challenge_method in request is `plain` using OIDC upstream browser flow with dynamic client" , // https://tools.ietf.org/html/rfc7636#section-4.3
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "code_challenge_method" : "plain" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
2021-08-18 19:06:46 +00:00
name : "when PKCE code_challenge_method in request is `plain` using OIDC upstream password grant" , // https://tools.ietf.org/html/rfc7636#section-4.3
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "plain" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
2020-11-04 20:19:07 +00:00
{
2021-04-09 00:28:01 +00:00
name : "when PKCE code_challenge_method in request is `plain` using LDAP upstream" , // https://tools.ietf.org/html/rfc7636#section-4.3
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "plain" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
{
2021-08-16 21:27:40 +00:00
name : "missing PKCE code_challenge_method in request using OIDC upstream browser flow" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 20:19:07 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 20:19:07 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 20:19:07 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
name : "missing PKCE code_challenge_method in request using OIDC upstream browser flow with dynamic client" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "code_challenge_method" : "" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
2021-08-18 19:06:46 +00:00
name : "missing PKCE code_challenge_method in request using OIDC upstream password grant" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
2021-04-09 00:28:01 +00:00
{
name : "missing PKCE code_challenge_method in request using LDAP upstream" , // See https://tools.ietf.org/html/rfc7636#section-4.4.1
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "code_challenge_method" : "" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeMissingCodeChallengeMethodErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 2 , // fosite already stored the authcode and oidc session before it noticed the error
} ,
2020-11-06 22:44:58 +00:00
{
// This is just one of the many OIDC validations run by fosite. This test is to ensure that we are running
2021-08-16 21:27:40 +00:00
// through that part of the fosite library when using an OIDC upstream browser flow.
name : "prompt param is not allowed to have none and another legal value at the same time using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-06 22:44:58 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-06 22:44:58 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-06 22:44:58 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositePromptHasNoneAndOtherValueErrorQuery ) ,
wantBodyString : "" ,
} ,
2022-07-14 16:51:11 +00:00
{
// This is just one of the many OIDC validations run by fosite. This test is to ensure that we are running
// through that part of the fosite library when using an OIDC upstream browser flow with a dynamic client.
name : "prompt param is not allowed to have none and another legal value at the same time using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "prompt" : "none login" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositePromptHasNoneAndOtherValueErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
// This is just one of the many OIDC validations run by fosite. This test is to ensure that we are running
// through that part of the fosite library when using an OIDC upstream password grant.
2021-08-18 19:06:46 +00:00
name : "prompt param is not allowed to have none and another legal value at the same time using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositePromptHasNoneAndOtherValueErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 1 , // fosite already stored the authcode before it noticed the error
} ,
2020-11-11 21:13:57 +00:00
{
2021-04-09 00:28:01 +00:00
// This is just one of the many OIDC validations run by fosite. This test is to ensure that we are running
// through that part of the fosite library when using an LDAP upstream.
name : "prompt param is not allowed to have none and another legal value at the same time using LDAP upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositePromptHasNoneAndOtherValueErrorQuery ) ,
wantBodyString : "" ,
wantUnnecessaryStoredRecords : 1 , // fosite already stored the authcode before it noticed the error
} ,
{
2021-08-16 21:27:40 +00:00
name : "happy path: downstream OIDC validations are skipped when the openid scope was not requested using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 21:13:57 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-11 21:13:57 +00:00
method : http . MethodGet ,
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
2020-11-12 23:36:59 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" , "scope" : "email" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2021-04-09 00:28:01 +00:00
wantContentType : htmlContentType ,
2020-11-12 23:36:59 +00:00
wantCSRFValueInCookieHeader : happyCSRF ,
2021-04-08 00:05:25 +00:00
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam (
2022-04-26 19:51:56 +00:00
map [ string ] string { "prompt" : "none login" , "scope" : "email" } , "" , oidcUpstreamName , "oidc" ,
2021-10-08 22:48:21 +00:00
) , nil ) ,
2020-11-11 21:13:57 +00:00
wantUpstreamStateParamInLocationHeader : true ,
2020-11-12 17:13:58 +00:00
wantBodyStringWithLocationInHref : true ,
2020-11-11 21:13:57 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "happy path: downstream OIDC validations are skipped when the openid scope was not requested using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : "groups" , "prompt" : "none login" } ) ,
wantStatus : http . StatusSeeOther ,
wantContentType : htmlContentType ,
wantCSRFValueInCookieHeader : happyCSRF ,
wantLocationHeader : expectedRedirectLocationForUpstreamOIDC ( expectedUpstreamStateParam (
map [ string ] string { "client_id" : dynamicClientID , "scope" : "groups" , "prompt" : "none login" } , "" , oidcUpstreamName , "oidc" ,
) , nil ) ,
wantUpstreamStateParamInLocationHeader : true ,
wantBodyStringWithLocationInHref : true ,
} ,
2020-11-04 16:12:26 +00:00
{
2021-08-16 21:27:40 +00:00
name : "happy path: downstream OIDC validations are skipped when the openid scope was not requested using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
2021-08-18 19:06:46 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" , "scope" : "email" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantRedirectLocationRegexp : downstreamRedirectURI + ` \?code=([^&]+)&scope=username\+groups&state= ` + happyState , // username and groups scopes were not requested, but are granted anyway for backwards compatibility
2021-08-16 21:27:40 +00:00
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamIDTokenUsername : oidcUpstreamUsername , // username scope was not requested, but is granted anyway for backwards compatibility
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership , // groups scope was not requested, but is granted anyway for backwards compatibility
wantDownstreamRequestedScopes : [ ] string { "email" } , // only email was requested
2021-08-16 21:27:40 +00:00
wantDownstreamRedirectURI : downstreamRedirectURI ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamGrantedScopes : [ ] string { "username" , "groups" } , // username and groups scopes were not requested, but are granted anyway for backwards compatibility
2021-08-16 21:27:40 +00:00
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-16 21:27:40 +00:00
} ,
2020-11-04 16:12:26 +00:00
{
2021-08-13 00:53:14 +00:00
name : "happy path: downstream OIDC validations are skipped when the openid scope was not requested using LDAP upstream" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
method : http . MethodGet ,
2021-04-09 00:28:01 +00:00
// The following prompt value is illegal when openid is requested, but note that openid is not requested.
path : modifiedHappyGetRequestPath ( map [ string ] string { "prompt" : "none login" , "scope" : "email" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantRedirectLocationRegexp : downstreamRedirectURI + ` \?code=([^&]+)&scope=username\+groups&state= ` + happyState , // username and groups scopes were not requested, but are granted anyway for backwards compatibility
2021-05-27 00:04:20 +00:00
wantDownstreamIDTokenSubject : upstreamLDAPURL + "&sub=" + happyLDAPUID ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamIDTokenUsername : happyLDAPUsernameFromAuthenticator , // username scope was not requested, but is granted anyway for backwards compatibility
wantDownstreamIDTokenGroups : happyLDAPGroups , // groups scope was not requested, but is granted anyway for backwards compatibility
wantDownstreamRequestedScopes : [ ] string { "email" } , // only email was requested
2021-04-09 00:28:01 +00:00
wantDownstreamRedirectURI : downstreamRedirectURI ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamGrantedScopes : [ ] string { "username" , "groups" } , // username and groups scopes were not requested, but are granted anyway for backwards compatibility
2021-04-09 00:28:01 +00:00
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyLDAPUpstreamCustomSession ,
2021-04-09 00:28:01 +00:00
} ,
{
2021-08-18 19:06:46 +00:00
name : "OIDC upstream password grant: upstream IDP provides no username or group claim configuration, so we use default username claim and skip groups" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutUsernameClaim ( ) . WithoutGroupsClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenGroups : [ ] string { } ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithUsername ( oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ) ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is missing" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithUsernameClaim ( "email" ) .
WithIDTokenClaim ( "email" , "joe@whitehouse.gov" ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : "joe@whitehouse.gov" ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithUsername ( "joe@whitehouse.gov" ) ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is present with true value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithUsernameClaim ( "email" ) .
WithIDTokenClaim ( "email" , "joe@whitehouse.gov" ) .
WithIDTokenClaim ( "email_verified" , true ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : "joe@whitehouse.gov" ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithUsername ( "joe@whitehouse.gov" ) ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP configures username claim as anything other than special claim `email` and `email_verified` upstream claim is present with false value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithUsernameClaim ( "some-claim" ) .
WithIDTokenClaim ( "some-claim" , "joe" ) .
WithIDTokenClaim ( "email" , "joe@whitehouse.gov" ) .
WithIDTokenClaim ( "email_verified" , false ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : "joe" ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithUsername ( "joe" ) ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is present with illegal value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithUsernameClaim ( "email" ) .
WithIDTokenClaim ( "email" , "joe@whitehouse.gov" ) .
WithIDTokenClaim ( "email_verified" , "supposed to be boolean" ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithInvalidEmailVerifiedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream IDP configures username claim as special claim `email` and `email_verified` upstream claim is present with false value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithUsernameClaim ( "email" ) .
WithIDTokenClaim ( "email" , "joe@whitehouse.gov" ) .
WithIDTokenClaim ( "email_verified" , false ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithFalseEmailVerifiedHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream IDP provides username claim configuration as `sub`, so the downstream token subject should be exactly what they asked for" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithUsernameClaim ( "sub" ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamSubject ,
wantDownstreamIDTokenGroups : oidcUpstreamGroupMembership ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
Create username scope, required for clients to get username in ID token
- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
client does not need to request the username or groups scopes for them
to be granted. For dynamic clients, the usual OAuth2 rules apply:
the client must be allowed to request the scopes according to its
configuration, and the client must actually request the scopes in the
authorization request.
- If the username scope was not granted, then there will be no username
in the ID token, and the cluster-scoped token exchange will fail since
there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
scopes in the scopes_supported list, and lists the username and groups
claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
put into kubeconfig files by "pinniped get kubeconfig" CLI command,
and the default list of scopes used by "pinniped login oidc" when
no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
refresh will only be sent to the pinniped-cli client, since it is
only intended for kubectl and it could leak the username to the
client (which may not have the username scope granted) through the
warning message text.
- Add the user's username to the session storage as a new field, so that
during upstream refresh we can compare the original username from the
initial authorization to the refreshed username, even in the case when
the username scope was not granted (and therefore the username is not
stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
package.
- Change some import names to make them consistent:
- Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
- Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
as "oidcapi"
- Always import go.pinniped.dev/internal/oidc as "oidc"
2022-08-08 23:29:22 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSessionWithUsername ( oidcUpstreamSubject ) ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP's configured groups claim in the ID token has a non-array value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithIDTokenClaim ( oidcUpstreamGroupsClaim , "notAnArrayGroup1 notAnArrayGroup2" ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : [ ] string { "notAnArrayGroup1 notAnArrayGroup2" } ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream IDP's configured groups claim in the ID token is a slice of interfaces" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) .
WithIDTokenClaim ( oidcUpstreamGroupsClaim , [ ] interface { } { "group1" , "group2" } ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : [ ] string { "group1" , "group2" } ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream ID token does not contain requested username claim" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutIDTokenClaim ( oidcUpstreamUsernameClaim ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimMissingHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token does not contain requested groups claim" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutIDTokenClaim ( oidcUpstreamGroupsClaim ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
wantContentType : htmlContentType ,
wantRedirectLocationRegexp : happyAuthcodeDownstreamRedirectLocationRegexp ,
wantDownstreamIDTokenSubject : oidcUpstreamIssuer + "?sub=" + oidcUpstreamSubjectQueryEscaped ,
wantDownstreamIDTokenUsername : oidcUpstreamUsername ,
wantDownstreamIDTokenGroups : [ ] string { } ,
wantDownstreamRequestedScopes : happyDownstreamScopesRequested ,
wantDownstreamRedirectURI : downstreamRedirectURI ,
wantDownstreamGrantedScopes : happyDownstreamScopesGranted ,
wantDownstreamNonce : downstreamNonce ,
wantDownstreamPKCEChallenge : downstreamPKCEChallenge ,
wantDownstreamPKCEChallengeMethod : downstreamPKCEChallengeMethod ,
2021-10-08 22:48:21 +00:00
wantDownstreamCustomSessionData : expectedHappyOIDCPasswordGrantCustomSession ,
2021-08-18 19:06:46 +00:00
} ,
{
name : "OIDC upstream password grant: upstream ID token contains username claim with weird format" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( oidcUpstreamUsernameClaim , 42 ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token contains username claim with empty string value" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( oidcUpstreamUsernameClaim , "" ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimEmptyHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token does not contain iss claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutIDTokenClaim ( "iss" ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimMissingHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token does has an empty string value for iss claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( "iss" , "" ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimEmptyHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token has an non-string iss claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( "iss" , 42 ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token does not contain sub claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithoutIDTokenClaim ( "sub" ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimMissingHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token does has an empty string value for sub claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( "sub" , "" ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimEmptyHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token has an non-string sub claim when using default username claim config" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( "sub" , 42 ) . WithoutUsernameClaim ( ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token contains groups claim with weird format" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( oidcUpstreamGroupsClaim , 42 ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token contains groups claim where one element is invalid" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( oidcUpstreamGroupsClaim , [ ] interface { } { "foo" , 7 } ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
{
name : "OIDC upstream password grant: upstream ID token contains groups claim with invalid null type" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC (
passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . WithIDTokenClaim ( oidcUpstreamGroupsClaim , nil ) . Build ( ) ,
) ,
method : http . MethodGet ,
path : happyGetRequestPath ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-18 19:06:46 +00:00
wantPasswordGrantCall : happyUpstreamPasswordGrantMockExpectation ,
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-18 19:06:46 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeAccessDeniedWithRequiredClaimInvalidFormatHintErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-04-09 00:28:01 +00:00
{
2021-08-16 21:27:40 +00:00
name : "downstream state does not have enough entropy using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 17:58:40 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 17:58:40 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "state" : "short" } ) ,
2021-12-10 22:22:36 +00:00
wantStatus : http . StatusSeeOther ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2020-11-04 17:58:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidStateErrorQuery ) ,
2020-11-04 20:19:07 +00:00
wantBodyString : "" ,
2020-11-04 16:12:26 +00:00
} ,
2022-07-14 16:51:11 +00:00
{
name : "downstream state does not have enough entropy using OIDC upstream browser flow with dynamic client" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
kubeResources : addFullyCapableDynamicClientAndSecretToKubeResources ,
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
method : http . MethodGet ,
2022-07-20 20:55:56 +00:00
path : modifiedHappyGetRequestPath ( map [ string ] string { "client_id" : dynamicClientID , "scope" : testutil . AllDynamicClientScopesSpaceSep , "state" : "short" } ) ,
2022-07-14 16:51:11 +00:00
wantStatus : http . StatusSeeOther ,
wantContentType : jsonContentType ,
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidStateErrorQuery ) ,
wantBodyString : "" ,
} ,
2021-08-16 21:27:40 +00:00
{
name : "downstream state does not have enough entropy using OIDC upstream password grant" ,
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( passwordGrantUpstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "state" : "short" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( oidcUpstreamUsername ) ,
customPasswordHeader : pointer . String ( oidcUpstreamPassword ) ,
2021-08-16 21:27:40 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-08-16 21:27:40 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidStateErrorQuery ) ,
wantBodyString : "" ,
} ,
2020-11-11 20:29:14 +00:00
{
2021-04-09 00:28:01 +00:00
name : "downstream state does not have enough entropy using LDAP upstream" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider ) ,
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : modifiedHappyGetRequestPath ( map [ string ] string { "state" : "short" } ) ,
2022-12-14 01:04:30 +00:00
customUsernameHeader : pointer . String ( happyLDAPUsername ) ,
customPasswordHeader : pointer . String ( happyLDAPPassword ) ,
2021-04-09 00:28:01 +00:00
wantStatus : http . StatusFound ,
2022-04-29 23:01:51 +00:00
wantContentType : jsonContentType ,
2021-04-09 00:28:01 +00:00
wantLocationHeader : urlWithQuery ( downstreamRedirectURI , fositeInvalidStateErrorQuery ) ,
wantBodyString : "" ,
} ,
{
2021-08-16 21:27:40 +00:00
name : "error while encoding upstream state param using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 20:29:14 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : & errorReturningEncoder { } ,
cookieEncoder : happyCookieEncoder ,
2020-11-11 20:29:14 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusInternalServerError ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Internal Server Error: error encoding upstream state param\n" ,
} ,
2020-11-12 23:36:59 +00:00
{
2021-08-16 21:27:40 +00:00
name : "error while encoding CSRF cookie value for new cookie using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-12 23:36:59 +00:00
generateCSRF : happyCSRFGenerator ,
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
stateEncoder : happyStateEncoder ,
cookieEncoder : & errorReturningEncoder { } ,
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusInternalServerError ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Internal Server Error: error encoding CSRF cookie\n" ,
} ,
2020-11-04 00:17:38 +00:00
{
2021-08-16 21:27:40 +00:00
name : "error while generating CSRF token using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2021-04-08 00:05:25 +00:00
generateCSRF : sadCSRFGenerator ,
2020-11-04 00:17:38 +00:00
generatePKCE : happyPKCEGenerator ,
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 00:17:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusInternalServerError ,
wantContentType : "text/plain; charset=utf-8" ,
2020-11-11 01:58:00 +00:00
wantBodyString : "Internal Server Error: error generating CSRF token\n" ,
2020-11-04 00:17:38 +00:00
} ,
{
2021-08-16 21:27:40 +00:00
name : "error while generating nonce using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2020-11-04 00:17:38 +00:00
generatePKCE : happyPKCEGenerator ,
2021-04-08 00:05:25 +00:00
generateNonce : sadNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 00:17:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusInternalServerError ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Internal Server Error: error generating nonce param\n" ,
} ,
{
2021-08-16 21:27:40 +00:00
name : "error while generating PKCE using OIDC upstream browser flow" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-11 01:58:00 +00:00
generateCSRF : happyCSRFGenerator ,
2021-04-08 00:05:25 +00:00
generatePKCE : sadPKCEGenerator ,
2020-11-04 00:17:38 +00:00
generateNonce : happyNonceGenerator ,
2020-11-12 23:36:59 +00:00
stateEncoder : happyStateEncoder ,
cookieEncoder : happyCookieEncoder ,
2020-11-04 00:17:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusInternalServerError ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Internal Server Error: error generating PKCE param\n" ,
} ,
{
name : "no upstream providers are configured" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( ) , // empty
2020-11-04 00:17:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: No upstream providers are configured\n" ,
} ,
{
2021-04-09 00:28:01 +00:00
name : "too many upstream providers are configured: multiple OIDC" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) , upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) , // more than one not allowed
2020-11-04 00:17:38 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: Too many upstream providers are configured (support for multiple upstreams is not yet implemented)\n" ,
} ,
2021-04-09 00:28:01 +00:00
{
name : "too many upstream providers are configured: multiple LDAP" ,
2021-08-13 00:53:14 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithLDAP ( & upstreamLDAPIdentityProvider , & upstreamLDAPIdentityProvider ) , // more than one not allowed
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: Too many upstream providers are configured (support for multiple upstreams is not yet implemented)\n" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "too many upstream providers are configured: multiple Active Directory" ,
2021-08-24 19:19:29 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithActiveDirectory ( & upstreamLDAPIdentityProvider , & upstreamLDAPIdentityProvider ) , // more than one not allowed
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: Too many upstream providers are configured (support for multiple upstreams is not yet implemented)\n" ,
} ,
2021-04-09 00:28:01 +00:00
{
name : "too many upstream providers are configured: both OIDC and LDAP" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) . WithLDAP ( & upstreamLDAPIdentityProvider ) , // more than one not allowed
2021-04-09 00:28:01 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: Too many upstream providers are configured (support for multiple upstreams is not yet implemented)\n" ,
} ,
2021-07-26 23:03:12 +00:00
{
name : "too many upstream providers are configured: OIDC, LDAP and AD" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) . WithLDAP ( & upstreamLDAPIdentityProvider ) . WithActiveDirectory ( & upstreamActiveDirectoryIdentityProvider ) , // more than one not allowed
2021-07-26 23:03:12 +00:00
method : http . MethodGet ,
path : happyGetRequestPath ,
wantStatus : http . StatusUnprocessableEntity ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Unprocessable Entity: Too many upstream providers are configured (support for multiple upstreams is not yet implemented)\n" ,
} ,
2020-11-04 00:17:38 +00:00
{
name : "PUT is a bad method" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-04 00:17:38 +00:00
method : http . MethodPut ,
path : "/some/path" ,
wantStatus : http . StatusMethodNotAllowed ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Method Not Allowed: PUT (try GET or POST)\n" ,
} ,
{
name : "PATCH is a bad method" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-04 00:17:38 +00:00
method : http . MethodPatch ,
path : "/some/path" ,
wantStatus : http . StatusMethodNotAllowed ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Method Not Allowed: PATCH (try GET or POST)\n" ,
} ,
{
name : "DELETE is a bad method" ,
2021-10-08 22:48:21 +00:00
idps : oidctestutil . NewUpstreamIDPListerBuilder ( ) . WithOIDC ( upstreamOIDCIdentityProviderBuilder ( ) . Build ( ) ) ,
2020-11-04 00:17:38 +00:00
method : http . MethodDelete ,
path : "/some/path" ,
wantStatus : http . StatusMethodNotAllowed ,
wantContentType : "text/plain; charset=utf-8" ,
wantBodyString : "Method Not Allowed: DELETE (try GET or POST)\n" ,
} ,
}
2022-07-14 16:51:11 +00:00
runOneTestCase := func ( t * testing . T , test testCase , subject http . Handler , kubeOauthStore * oidc . KubeStorage , supervisorClient * supervisorfake . Clientset , kubeClient * fake . Clientset , secretsClient v1 . SecretInterface ) {
if test . kubeResources != nil {
test . kubeResources ( t , supervisorClient , kubeClient )
}
2021-08-13 00:53:14 +00:00
reqContext := context . WithValue ( context . Background ( ) , struct { name string } { name : "test" } , "request-context" )
req := httptest . NewRequest ( test . method , test . path , strings . NewReader ( test . body ) ) . WithContext ( reqContext )
2020-11-04 15:15:19 +00:00
req . Header . Set ( "Content-Type" , test . contentType )
2020-11-12 23:36:59 +00:00
if test . csrfCookie != "" {
req . Header . Set ( "Cookie" , test . csrfCookie )
}
2021-04-09 00:28:01 +00:00
if test . customUsernameHeader != nil {
2021-05-12 20:06:08 +00:00
req . Header . Set ( "Pinniped-Username" , * test . customUsernameHeader )
2021-04-09 00:28:01 +00:00
}
if test . customPasswordHeader != nil {
2021-05-12 20:06:08 +00:00
req . Header . Set ( "Pinniped-Password" , * test . customPasswordHeader )
2021-04-09 00:28:01 +00:00
}
2020-11-04 00:17:38 +00:00
rsp := httptest . NewRecorder ( )
subject . ServeHTTP ( rsp , req )
2020-11-19 14:28:56 +00:00
t . Logf ( "response: %#v" , rsp )
t . Logf ( "response body: %q" , rsp . Body . String ( ) )
2020-11-04 00:17:38 +00:00
require . Equal ( t , test . wantStatus , rsp . Code )
2020-12-04 15:06:55 +00:00
testutil . RequireEqualContentType ( t , rsp . Header ( ) . Get ( "Content-Type" ) , test . wantContentType )
2022-06-02 16:23:34 +00:00
// Use form_post page's CSPs because sometimes errors are sent to the client via the form_post page.
testutil . RequireSecurityHeadersWithFormPostPageCSPs ( t , rsp )
2020-11-04 00:17:38 +00:00
2021-08-13 00:53:14 +00:00
if test . wantPasswordGrantCall != nil {
test . wantPasswordGrantCall . args . Ctx = reqContext
test . idps . RequireExactlyOneCallToPasswordCredentialsGrantAndValidateTokens ( t ,
test . wantPasswordGrantCall . performedByUpstreamName , test . wantPasswordGrantCall . args ,
)
} else {
test . idps . RequireExactlyZeroCallsToPasswordCredentialsGrantAndValidateTokens ( t )
}
2020-11-12 17:13:58 +00:00
actualLocation := rsp . Header ( ) . Get ( "Location" )
2021-04-09 00:28:01 +00:00
switch {
case test . wantLocationHeader != "" :
2020-11-11 20:29:14 +00:00
if test . wantUpstreamStateParamInLocationHeader {
2020-11-12 23:36:59 +00:00
requireEqualDecodedStateParams ( t , actualLocation , test . wantLocationHeader , test . stateEncoder )
2020-11-11 20:29:14 +00:00
}
2020-11-12 17:13:58 +00:00
// The upstream state param is encoded using a timestamp at the beginning so we don't want to
// compare those states since they may be different, but we do want to compare the downstream
// state param that should be exactly the same.
requireEqualURLs ( t , actualLocation , test . wantLocationHeader , test . wantUpstreamStateParamInLocationHeader )
2021-04-09 00:28:01 +00:00
// Authorization requests for either a successful OIDC upstream or for an error with any upstream
// should never use Kube storage. There is only one exception to this rule, which is that certain
// OIDC validations are checked in fosite after the OAuth authcode (and sometimes the OIDC session)
// is stored, so it is possible with an LDAP upstream to store objects and then return an error to
// the client anyway (which makes the stored objects useless, but oh well).
2022-07-21 16:26:00 +00:00
require . Len ( t , oidctestutil . FilterClientSecretCreateActions ( kubeClient . Actions ( ) ) , test . wantUnnecessaryStoredRecords )
2021-04-09 00:28:01 +00:00
case test . wantRedirectLocationRegexp != "" :
2022-07-14 16:51:11 +00:00
if test . wantDownstreamClientID == "" {
test . wantDownstreamClientID = pinnipedCLIClientID // default assertion value when not provided by test case
}
2021-04-09 00:28:01 +00:00
require . Len ( t , rsp . Header ( ) . Values ( "Location" ) , 1 )
2021-06-16 18:11:07 +00:00
oidctestutil . RequireAuthCodeRegexpMatch (
2021-04-09 00:28:01 +00:00
t ,
rsp . Header ( ) . Get ( "Location" ) ,
test . wantRedirectLocationRegexp ,
kubeClient ,
secretsClient ,
kubeOauthStore ,
test . wantDownstreamGrantedScopes ,
test . wantDownstreamIDTokenSubject ,
test . wantDownstreamIDTokenUsername ,
test . wantDownstreamIDTokenGroups ,
test . wantDownstreamRequestedScopes ,
test . wantDownstreamPKCEChallenge ,
test . wantDownstreamPKCEChallengeMethod ,
test . wantDownstreamNonce ,
2022-07-14 16:51:11 +00:00
test . wantDownstreamClientID ,
2021-04-09 00:28:01 +00:00
test . wantDownstreamRedirectURI ,
2021-10-08 22:48:21 +00:00
test . wantDownstreamCustomSessionData ,
2023-01-04 17:42:50 +00:00
test . wantAdditionalClaims ,
2021-04-09 00:28:01 +00:00
)
default :
2020-11-11 01:58:00 +00:00
require . Empty ( t , rsp . Header ( ) . Values ( "Location" ) )
}
2020-11-12 17:24:40 +00:00
switch {
case test . wantBodyJSON != "" :
2020-11-11 20:29:14 +00:00
require . JSONEq ( t , test . wantBodyJSON , rsp . Body . String ( ) )
2020-11-12 17:24:40 +00:00
case test . wantBodyStringWithLocationInHref :
2021-12-10 22:22:36 +00:00
switch code := rsp . Code ; code {
case http . StatusFound :
anchorTagWithLocationHref := fmt . Sprintf ( "<a href=\"%s\">Found</a>.\n\n" , html . EscapeString ( actualLocation ) )
require . Equal ( t , anchorTagWithLocationHref , rsp . Body . String ( ) )
case http . StatusSeeOther :
anchorTagWithLocationHref := fmt . Sprintf ( "<a href=\"%s\">See Other</a>.\n\n" , html . EscapeString ( actualLocation ) )
require . Equal ( t , anchorTagWithLocationHref , rsp . Body . String ( ) )
default :
t . Errorf ( "unexpected response code: %v" , code )
}
2022-06-02 16:23:34 +00:00
case test . wantBodyRegex != "" :
require . Regexp ( t , test . wantBodyRegex , rsp . Body . String ( ) )
2020-11-12 17:24:40 +00:00
default :
2020-11-11 20:29:14 +00:00
require . Equal ( t , test . wantBodyString , rsp . Body . String ( ) )
}
2020-11-12 23:36:59 +00:00
if test . wantCSRFValueInCookieHeader != "" {
2020-11-11 01:58:00 +00:00
require . Len ( t , rsp . Header ( ) . Values ( "Set-Cookie" ) , 1 )
actualCookie := rsp . Header ( ) . Get ( "Set-Cookie" )
2020-12-04 03:23:58 +00:00
regex := regexp . MustCompile ( "__Host-pinniped-csrf=([^;]+); Path=/; HttpOnly; Secure; SameSite=Lax" )
2020-11-12 23:36:59 +00:00
submatches := regex . FindStringSubmatch ( actualCookie )
require . Len ( t , submatches , 2 )
captured := submatches [ 1 ]
var decodedCSRFCookieValue string
err := test . cookieEncoder . Decode ( "csrf" , captured , & decodedCSRFCookieValue )
require . NoError ( t , err )
require . Equal ( t , test . wantCSRFValueInCookieHeader , decodedCSRFCookieValue )
2020-11-11 01:58:00 +00:00
} else {
require . Empty ( t , rsp . Header ( ) . Values ( "Set-Cookie" ) )
2020-11-04 00:17:38 +00:00
}
}
for _ , test := range tests {
test := test
t . Run ( test . name , func ( t * testing . T ) {
2021-04-09 00:28:01 +00:00
kubeClient := fake . NewSimpleClientset ( )
2022-07-14 16:51:11 +00:00
supervisorClient := supervisorfake . NewSimpleClientset ( )
2021-04-09 00:28:01 +00:00
secretsClient := kubeClient . CoreV1 ( ) . Secrets ( "some-namespace" )
2022-07-14 16:51:11 +00:00
oidcClientsClient := supervisorClient . ConfigV1alpha1 ( ) . OIDCClients ( "some-namespace" )
oauthHelperWithRealStorage , kubeOauthStore := createOauthHelperWithRealStorage ( secretsClient , oidcClientsClient )
oauthHelperWithNullStorage , _ := createOauthHelperWithNullStorage ( secretsClient , oidcClientsClient )
2023-01-04 17:42:50 +00:00
idps := test . idps . Build ( )
if len ( test . wantAdditionalClaims ) > 0 {
require . True ( t , len ( idps . GetOIDCIdentityProviders ( ) ) > 0 , "wantAdditionalClaims requires at least one OIDC IDP" )
}
2021-04-08 00:05:25 +00:00
subject := NewHandler (
downstreamIssuer ,
2023-01-04 17:42:50 +00:00
idps ,
2021-04-08 00:05:25 +00:00
oauthHelperWithNullStorage , oauthHelperWithRealStorage ,
test . generateCSRF , test . generatePKCE , test . generateNonce ,
test . stateEncoder , test . cookieEncoder ,
)
2022-07-14 16:51:11 +00:00
runOneTestCase ( t , test , subject , kubeOauthStore , supervisorClient , kubeClient , secretsClient )
2020-11-04 00:17:38 +00:00
} )
}
t . Run ( "allows upstream provider configuration to change between requests" , func ( t * testing . T ) {
test := tests [ 0 ]
2021-08-13 00:53:14 +00:00
// Double-check that we are re-using the happy path test case here as we intend.
require . Equal ( t , "OIDC upstream browser flow happy path using GET without a CSRF cookie" , test . name )
2021-04-08 00:05:25 +00:00
2021-04-09 00:28:01 +00:00
kubeClient := fake . NewSimpleClientset ( )
2022-07-14 16:51:11 +00:00
supervisorClient := supervisorfake . NewSimpleClientset ( )
2021-04-09 00:28:01 +00:00
secretsClient := kubeClient . CoreV1 ( ) . Secrets ( "some-namespace" )
2022-07-14 16:51:11 +00:00
oidcClientsClient := supervisorClient . ConfigV1alpha1 ( ) . OIDCClients ( "some-namespace" )
oauthHelperWithRealStorage , kubeOauthStore := createOauthHelperWithRealStorage ( secretsClient , oidcClientsClient )
oauthHelperWithNullStorage , _ := createOauthHelperWithNullStorage ( secretsClient , oidcClientsClient )
2021-08-13 00:53:14 +00:00
idpLister := test . idps . Build ( )
2021-04-08 00:05:25 +00:00
subject := NewHandler (
downstreamIssuer ,
2021-08-13 00:53:14 +00:00
idpLister ,
2021-04-08 00:05:25 +00:00
oauthHelperWithNullStorage , oauthHelperWithRealStorage ,
test . generateCSRF , test . generatePKCE , test . generateNonce ,
test . stateEncoder , test . cookieEncoder ,
)
2020-11-04 00:17:38 +00:00
2022-07-14 16:51:11 +00:00
runOneTestCase ( t , test , subject , kubeOauthStore , supervisorClient , kubeClient , secretsClient )
2020-11-04 00:17:38 +00:00
2021-08-13 00:53:14 +00:00
// Call the idpLister's setter to change the upstream IDP settings.
newProviderSettings := oidctestutil . NewTestUpstreamOIDCIdentityProviderBuilder ( ) .
WithName ( "some-other-new-idp-name" ) .
WithClientID ( "some-other-new-client-id" ) .
WithAuthorizationURL ( * upstreamAuthURL ) .
WithScopes ( [ ] string { "some-other-new-scope1" , "some-other-new-scope2" } ) .
2021-10-08 22:48:21 +00:00
WithAdditionalAuthcodeParams ( map [ string ] string { "prompt" : "consent" , "abc" : "123" } ) .
2021-08-13 00:53:14 +00:00
Build ( )
idpLister . SetOIDCIdentityProviders ( [ ] provider . UpstreamOIDCIdentityProviderI { provider . UpstreamOIDCIdentityProviderI ( newProviderSettings ) } )
2020-11-04 00:17:38 +00:00
// Update the expectations of the test case to match the new upstream IDP settings.
2020-11-04 17:58:40 +00:00
test . wantLocationHeader = urlWithQuery ( upstreamAuthURL . String ( ) ,
map [ string ] string {
2021-08-13 00:53:14 +00:00
"response_type" : "code" ,
2021-10-08 22:48:21 +00:00
"prompt" : "consent" ,
"abc" : "123" ,
2021-08-13 00:53:14 +00:00
"scope" : "some-other-new-scope1 some-other-new-scope2" , // updated expectation
"client_id" : "some-other-new-client-id" , // updated expectation
"state" : expectedUpstreamStateParam (
2022-04-26 19:51:56 +00:00
nil , "" , "some-other-new-idp-name" , "oidc" ,
2021-08-13 00:53:14 +00:00
) , // updated expectation
2020-11-11 01:58:00 +00:00
"nonce" : happyNonce ,
2020-11-04 20:19:07 +00:00
"code_challenge" : expectedUpstreamCodeChallenge ,
2021-04-09 00:28:01 +00:00
"code_challenge_method" : downstreamPKCEChallengeMethod ,
2020-11-20 21:14:45 +00:00
"redirect_uri" : downstreamIssuer + "/callback" ,
2020-11-04 17:58:40 +00:00
} ,
2020-11-04 00:17:38 +00:00
)
2020-11-04 20:19:07 +00:00
test . wantBodyString = fmt . Sprintf ( ` <a href="%s">Found</a>.%s ` ,
html . EscapeString ( test . wantLocationHeader ) ,
"\n\n" ,
)
2020-11-04 00:17:38 +00:00
// Run again on the same instance of the subject with the modified upstream IDP settings and the
// modified expectations. This should ensure that the implementation is using the in-memory cache
// of upstream IDP settings appropriately in terms of always getting the values from the cache
// on every request.
2022-07-14 16:51:11 +00:00
runOneTestCase ( t , test , subject , kubeOauthStore , supervisorClient , kubeClient , secretsClient )
2020-11-04 00:17:38 +00:00
} )
}
2020-11-11 20:29:14 +00:00
type errorReturningEncoder struct {
2020-11-16 19:41:00 +00:00
oidc . Codec
2020-11-11 20:29:14 +00:00
}
func ( * errorReturningEncoder ) Encode ( _ string , _ interface { } ) ( string , error ) {
return "" , fmt . Errorf ( "some encoding error" )
}
2021-08-13 00:53:14 +00:00
type expectedPasswordGrant struct {
performedByUpstreamName string
args * oidctestutil . PasswordCredentialsGrantAndValidateTokensArgs
}
2020-11-16 19:41:00 +00:00
func requireEqualDecodedStateParams ( t * testing . T , actualURL string , expectedURL string , stateParamDecoder oidc . Codec ) {
2020-11-11 20:29:14 +00:00
t . Helper ( )
actualLocationURL , err := url . Parse ( actualURL )
require . NoError ( t , err )
expectedLocationURL , err := url . Parse ( expectedURL )
require . NoError ( t , err )
expectedQueryStateParam := expectedLocationURL . Query ( ) . Get ( "state" )
require . NotEmpty ( t , expectedQueryStateParam )
2020-11-20 01:57:07 +00:00
var expectedDecodedStateParam oidctestutil . ExpectedUpstreamStateParamFormat
2020-11-11 20:29:14 +00:00
err = stateParamDecoder . Decode ( "s" , expectedQueryStateParam , & expectedDecodedStateParam )
require . NoError ( t , err )
actualQueryStateParam := actualLocationURL . Query ( ) . Get ( "state" )
require . NotEmpty ( t , actualQueryStateParam )
2020-11-20 01:57:07 +00:00
var actualDecodedStateParam oidctestutil . ExpectedUpstreamStateParamFormat
2020-11-11 20:29:14 +00:00
err = stateParamDecoder . Decode ( "s" , actualQueryStateParam , & actualDecodedStateParam )
require . NoError ( t , err )
require . Equal ( t , expectedDecodedStateParam , actualDecodedStateParam )
}
2020-11-12 17:13:58 +00:00
func requireEqualURLs ( t * testing . T , actualURL string , expectedURL string , ignoreState bool ) {
2020-11-04 15:15:19 +00:00
t . Helper ( )
2020-11-04 00:17:38 +00:00
actualLocationURL , err := url . Parse ( actualURL )
require . NoError ( t , err )
expectedLocationURL , err := url . Parse ( expectedURL )
require . NoError ( t , err )
2020-11-20 21:56:35 +00:00
require . Equal ( t , expectedLocationURL . Scheme , actualLocationURL . Scheme ,
"schemes were not equal: expected %s but got %s" , expectedURL , actualURL ,
)
require . Equal ( t , expectedLocationURL . User , actualLocationURL . User ,
"users were not equal: expected %s but got %s" , expectedURL , actualURL ,
)
require . Equal ( t , expectedLocationURL . Host , actualLocationURL . Host ,
"hosts were not equal: expected %s but got %s" , expectedURL , actualURL ,
)
require . Equal ( t , expectedLocationURL . Path , actualLocationURL . Path ,
"paths were not equal: expected %s but got %s" , expectedURL , actualURL ,
)
2020-11-12 17:13:58 +00:00
expectedLocationQuery := expectedLocationURL . Query ( )
actualLocationQuery := actualLocationURL . Query ( )
// Let the caller ignore the state, since it may contain a digest at the end that is difficult to
// predict because it depends on a time.Now() timestamp.
if ignoreState {
expectedLocationQuery . Del ( "state" )
actualLocationQuery . Del ( "state" )
}
require . Equal ( t , expectedLocationQuery , actualLocationQuery )
2020-11-04 00:17:38 +00:00
}