2021-03-05 01:25:43 +00:00
|
|
|
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
2020-12-11 01:34:05 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package supervisorstorage
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2021-11-10 23:34:19 +00:00
|
|
|
"encoding/json"
|
2020-12-11 01:34:05 +00:00
|
|
|
"errors"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2021-11-10 23:34:19 +00:00
|
|
|
"github.com/ory/fosite"
|
2020-12-11 01:34:05 +00:00
|
|
|
"github.com/sclevine/spec"
|
|
|
|
"github.com/sclevine/spec/report"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2020-12-11 23:21:34 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/clock"
|
2020-12-11 01:34:05 +00:00
|
|
|
kubeinformers "k8s.io/client-go/informers"
|
2021-08-18 04:14:38 +00:00
|
|
|
"k8s.io/client-go/kubernetes"
|
2020-12-11 01:34:05 +00:00
|
|
|
kubernetesfake "k8s.io/client-go/kubernetes/fake"
|
|
|
|
kubetesting "k8s.io/client-go/testing"
|
|
|
|
|
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
2021-11-10 23:34:19 +00:00
|
|
|
"go.pinniped.dev/internal/fositestorage/accesstoken"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/refreshtoken"
|
|
|
|
"go.pinniped.dev/internal/oidc/clientregistry"
|
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
|
|
|
"go.pinniped.dev/internal/psession"
|
2020-12-11 01:34:05 +00:00
|
|
|
"go.pinniped.dev/internal/testutil"
|
2021-11-10 23:34:19 +00:00
|
|
|
"go.pinniped.dev/internal/testutil/oidctestutil"
|
2020-12-11 01:34:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestGarbageCollectorControllerInformerFilters(t *testing.T) {
|
|
|
|
spec.Run(t, "informer filters", func(t *testing.T, when spec.G, it spec.S) {
|
|
|
|
var (
|
|
|
|
r *require.Assertions
|
|
|
|
observableWithInformerOption *testutil.ObservableWithInformerOption
|
|
|
|
secretsInformerFilter controllerlib.Filter
|
|
|
|
)
|
|
|
|
|
|
|
|
it.Before(func() {
|
|
|
|
r = require.New(t)
|
|
|
|
observableWithInformerOption = testutil.NewObservableWithInformerOption()
|
|
|
|
secretsInformer := kubeinformers.NewSharedInformerFactory(nil, 0).Core().V1().Secrets()
|
|
|
|
_ = GarbageCollectorController(
|
2021-10-22 21:32:26 +00:00
|
|
|
nil,
|
2020-12-11 23:21:34 +00:00
|
|
|
clock.RealClock{},
|
2020-12-11 01:34:05 +00:00
|
|
|
nil,
|
|
|
|
secretsInformer,
|
|
|
|
observableWithInformerOption.WithInformer, // make it possible to observe the behavior of the Filters
|
|
|
|
)
|
|
|
|
secretsInformerFilter = observableWithInformerOption.GetFilterForInformer(secretsInformer)
|
|
|
|
})
|
|
|
|
|
|
|
|
when("watching Secret objects", func() {
|
|
|
|
var (
|
2020-12-18 17:36:28 +00:00
|
|
|
subject controllerlib.Filter
|
|
|
|
secretWithAnnotation, otherSecret *corev1.Secret
|
2020-12-11 01:34:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
it.Before(func() {
|
|
|
|
subject = secretsInformerFilter
|
2020-12-18 17:36:28 +00:00
|
|
|
secretWithAnnotation = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-name", Namespace: "any-namespace", Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": "some timestamp",
|
|
|
|
}}}
|
|
|
|
otherSecret = &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "any-other-name", Namespace: "any-namespace"}}
|
2020-12-11 01:34:05 +00:00
|
|
|
})
|
|
|
|
|
2020-12-18 17:36:28 +00:00
|
|
|
when("any Secret with the required annotation is added or updated", func() {
|
|
|
|
it("returns true to trigger the sync function", func() {
|
|
|
|
r.True(subject.Add(secretWithAnnotation))
|
|
|
|
r.True(subject.Update(secretWithAnnotation, otherSecret))
|
|
|
|
r.True(subject.Update(otherSecret, secretWithAnnotation))
|
|
|
|
})
|
2021-05-04 16:38:47 +00:00
|
|
|
|
|
|
|
it("returns the same singleton key", func() {
|
|
|
|
r.Equal(controllerlib.Key{}, subject.Parent(secretWithAnnotation))
|
|
|
|
})
|
2020-12-18 17:36:28 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
when("any Secret with the required annotation is deleted", func() {
|
|
|
|
it("returns false to skip the sync function because it does not need to worry about secrets that are already gone", func() {
|
|
|
|
r.False(subject.Delete(secretWithAnnotation))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
when("any Secret without the required annotation changes", func() {
|
|
|
|
it("returns false to skip the sync function", func() {
|
|
|
|
r.False(subject.Add(otherSecret))
|
|
|
|
r.False(subject.Update(otherSecret, otherSecret))
|
|
|
|
r.False(subject.Delete(otherSecret))
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
when("any other type is passed", func() {
|
|
|
|
it("returns false to skip the sync function", func() {
|
|
|
|
wrongType := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "some-ns", Namespace: "some-ns"}}
|
|
|
|
|
|
|
|
r.False(subject.Add(wrongType))
|
|
|
|
r.False(subject.Update(wrongType, wrongType))
|
|
|
|
r.False(subject.Delete(wrongType))
|
2020-12-11 01:34:05 +00:00
|
|
|
})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestGarbageCollectorControllerSync(t *testing.T) {
|
|
|
|
secretsGVR := schema.GroupVersionResource{
|
|
|
|
Group: "",
|
|
|
|
Version: "v1",
|
|
|
|
Resource: "secrets",
|
|
|
|
}
|
|
|
|
|
|
|
|
spec.Run(t, "Sync", func(t *testing.T, when spec.G, it spec.S) {
|
|
|
|
const (
|
|
|
|
installedInNamespace = "some-namespace"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2021-03-05 01:25:43 +00:00
|
|
|
r *require.Assertions
|
|
|
|
subject controllerlib.Controller
|
|
|
|
kubeInformerClient *kubernetesfake.Clientset
|
|
|
|
kubeClient *kubernetesfake.Clientset
|
2021-08-18 04:14:38 +00:00
|
|
|
deleteOptions *[]metav1.DeleteOptions
|
|
|
|
deleteOptionsRecorder kubernetes.Interface
|
2021-03-05 01:25:43 +00:00
|
|
|
kubeInformers kubeinformers.SharedInformerFactory
|
|
|
|
cancelContext context.Context
|
|
|
|
cancelContextCancelFunc context.CancelFunc
|
|
|
|
syncContext *controllerlib.Context
|
|
|
|
fakeClock *clock.FakeClock
|
|
|
|
frozenNow time.Time
|
2020-12-11 01:34:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Defer starting the informers until the last possible moment so that the
|
|
|
|
// nested Before's can keep adding things to the informer caches.
|
2021-11-10 23:34:19 +00:00
|
|
|
var startInformersAndController = func(idpCache provider.DynamicUpstreamIDPProvider) {
|
2020-12-11 01:34:05 +00:00
|
|
|
// Set this at the last second to allow for injection of server override.
|
|
|
|
subject = GarbageCollectorController(
|
2021-11-10 23:34:19 +00:00
|
|
|
idpCache,
|
2020-12-11 23:21:34 +00:00
|
|
|
fakeClock,
|
2021-08-18 04:14:38 +00:00
|
|
|
deleteOptionsRecorder,
|
2020-12-11 01:34:05 +00:00
|
|
|
kubeInformers.Core().V1().Secrets(),
|
|
|
|
controllerlib.WithInformer,
|
|
|
|
)
|
|
|
|
|
|
|
|
// Set this at the last second to support calling subject.Name().
|
|
|
|
syncContext = &controllerlib.Context{
|
2021-03-05 01:25:43 +00:00
|
|
|
Context: cancelContext,
|
2020-12-11 01:34:05 +00:00
|
|
|
Name: subject.Name(),
|
|
|
|
Key: controllerlib.Key{
|
2021-05-04 16:38:47 +00:00
|
|
|
Namespace: "foo",
|
|
|
|
Name: "bar",
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
2021-05-04 16:38:47 +00:00
|
|
|
Queue: &testQueue{t: t},
|
2020-12-11 01:34:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Must start informers before calling TestRunSynchronously()
|
2021-03-05 01:25:43 +00:00
|
|
|
kubeInformers.Start(cancelContext.Done())
|
2020-12-11 01:34:05 +00:00
|
|
|
controllerlib.TestRunSynchronously(t, subject)
|
|
|
|
}
|
|
|
|
|
|
|
|
it.Before(func() {
|
|
|
|
r = require.New(t)
|
|
|
|
|
2021-03-05 01:25:43 +00:00
|
|
|
cancelContext, cancelContextCancelFunc = context.WithCancel(context.Background())
|
2020-12-11 01:34:05 +00:00
|
|
|
|
|
|
|
kubeInformerClient = kubernetesfake.NewSimpleClientset()
|
|
|
|
kubeClient = kubernetesfake.NewSimpleClientset()
|
2021-08-18 04:14:38 +00:00
|
|
|
deleteOptions = &[]metav1.DeleteOptions{}
|
|
|
|
deleteOptionsRecorder = testutil.NewDeleteOptionsRecorder(kubeClient, deleteOptions)
|
2020-12-11 01:34:05 +00:00
|
|
|
kubeInformers = kubeinformers.NewSharedInformerFactory(kubeInformerClient, 0)
|
2020-12-11 23:21:34 +00:00
|
|
|
frozenNow = time.Now().UTC()
|
|
|
|
fakeClock = clock.NewFakeClock(frozenNow)
|
2020-12-11 01:34:05 +00:00
|
|
|
|
|
|
|
unrelatedSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "some other unrelated secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(unrelatedSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(unrelatedSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it.After(func() {
|
2021-03-05 01:25:43 +00:00
|
|
|
cancelContextCancelFunc()
|
2020-12-11 01:34:05 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
when("there are secrets without the garbage-collect-after annotation", func() {
|
|
|
|
it("does not delete those secrets", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
startInformersAndController(nil)
|
2020-12-11 01:34:05 +00:00
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
require.Empty(t, kubeClient.Actions())
|
|
|
|
list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{})
|
|
|
|
r.NoError(err)
|
|
|
|
r.Len(list.Items, 1)
|
|
|
|
r.Equal("some other unrelated secret", list.Items[0].Name)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-11-10 23:34:19 +00:00
|
|
|
when("there are any secrets with the garbage-collect-after annotation", func() {
|
2020-12-11 01:34:05 +00:00
|
|
|
it.Before(func() {
|
|
|
|
firstExpiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2021-08-18 04:14:38 +00:00
|
|
|
Name: "first expired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-456",
|
2020-12-11 01:34:05 +00:00
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(firstExpiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(firstExpiredSecret))
|
|
|
|
secondExpiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2021-08-18 04:14:38 +00:00
|
|
|
Name: "second expired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-789",
|
|
|
|
ResourceVersion: "rv-555",
|
2020-12-11 01:34:05 +00:00
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-2 * time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(secondExpiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(secondExpiredSecret))
|
|
|
|
unexpiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "unexpired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(unexpiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(unexpiredSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should delete any that are past their expiration", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
startInformersAndController(nil)
|
2020-12-11 01:34:05 +00:00
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "first expired secret"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "second expired secret"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
2021-08-18 04:14:38 +00:00
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-456"),
|
|
|
|
testutil.NewPreconditions("uid-789", "rv-555"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
2020-12-11 01:34:05 +00:00
|
|
|
list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{})
|
|
|
|
r.NoError(err)
|
|
|
|
r.Len(list.Items, 2)
|
|
|
|
r.ElementsMatch([]string{"unexpired secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
when("there are valid, expired authcode secrets which contain upstream refresh tokens", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
it.Before(func() {
|
|
|
|
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
activeOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "activeOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": activeOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
|
|
|
|
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: false,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-2",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "other-fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
inactiveOIDCAuthcodeSessionJSON, err := json.Marshal(inactiveOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
inactiveOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "inactiveOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-456",
|
|
|
|
ResourceVersion: "rv-456",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": inactiveOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(inactiveOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is only revoked for the active authcode session.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
2021-11-10 23:34:19 +00:00
|
|
|
"upstream-oidc-provider-name",
|
2021-12-03 21:44:24 +00:00
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
2021-11-10 23:34:19 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// Both authcode session secrets are deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "inactiveOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
testutil.NewPreconditions("uid-456", "rv-456"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
when("there are valid, expired authcode secrets which contain upstream access tokens", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamAccessToken: "fake-upstream-access-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
activeOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "activeOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": activeOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
|
|
|
|
inactiveOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: false,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-2",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamAccessToken: "other-fake-upstream-access-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
inactiveOIDCAuthcodeSessionJSON, err := json.Marshal(inactiveOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
inactiveOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "inactiveOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-456",
|
|
|
|
ResourceVersion: "rv-456",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": inactiveOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(inactiveOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(inactiveOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
|
|
|
WithRevokeTokenError(nil)
|
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is only revoked for the active authcode session.
|
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
|
|
|
"upstream-oidc-provider-name",
|
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-access-token",
|
|
|
|
TokenType: provider.AccessTokenType,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// Both authcode session secrets are deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "inactiveOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
testutil.NewPreconditions("uid-456", "rv-456"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-11-10 23:34:19 +00:00
|
|
|
when("there is an invalid, expired authcode secret", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
invalidOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "", // it is invalid for there to be a missing request ID
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
invalidOIDCAuthcodeSessionJSON, err := json.Marshal(invalidOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
invalidOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "invalidOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": invalidOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(invalidOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(invalidOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should remove the secret without revoking any upstream tokens", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Nothing to revoke since we couldn't read the invalid secret.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t)
|
2021-11-10 23:34:19 +00:00
|
|
|
|
|
|
|
// The invalid authcode session secrets is still deleted because it is expired.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "invalidOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
when("there is a valid, expired authcode secret but its upstream name does not match any existing upstream", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name-will-not-match",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
wrongProviderNameOIDCAuthcodeSessionJSON, err := json.Marshal(wrongProviderNameOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
wrongProviderNameOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "wrongProviderNameOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": wrongProviderNameOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(wrongProviderNameOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should remove the secret without revoking any upstream tokens", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Nothing to revoke since we couldn't find the upstream in the cache.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t)
|
2021-11-10 23:34:19 +00:00
|
|
|
|
|
|
|
// The authcode session secrets is still deleted because it is expired.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "wrongProviderNameOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
when("there is a valid, expired authcode secret but its upstream UID does not match any existing upstream", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
wrongProviderNameOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid-will-not-match",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
wrongProviderNameOIDCAuthcodeSessionJSON, err := json.Marshal(wrongProviderNameOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
wrongProviderNameOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "wrongProviderNameOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": wrongProviderNameOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(wrongProviderNameOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(wrongProviderNameOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should remove the secret without revoking any upstream tokens", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Nothing to revoke since we couldn't find the upstream in the cache.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyZeroCallsToRevokeToken(t)
|
2021-11-10 23:34:19 +00:00
|
|
|
|
|
|
|
// The authcode session secrets is still deleted because it is expired.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "wrongProviderNameOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-11-17 23:58:44 +00:00
|
|
|
when("there is a valid, recently expired authcode secret but the upstream revocation fails", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
it.Before(func() {
|
|
|
|
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
activeOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "activeOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
2021-11-17 23:58:44 +00:00
|
|
|
// expired almost 4 hours ago, but not quite 4 hours
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add((-time.Hour * 4) + time.Second).Format(time.RFC3339),
|
2021-11-10 23:34:19 +00:00
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": activeOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
it("keeps the secret for a while longer so the revocation can be retried on a future sync for retryable errors", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-08 22:29:25 +00:00
|
|
|
// make the upstream revocation fail in a retryable way
|
|
|
|
WithRevokeTokenError(provider.NewRetryableRevocationError(errors.New("some retryable upstream revocation error")))
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Tried to revoke it, although this revocation will fail.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
2021-11-10 23:34:19 +00:00
|
|
|
"upstream-oidc-provider-name",
|
2021-12-03 21:44:24 +00:00
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
2021-11-10 23:34:19 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
|
2021-11-17 23:58:44 +00:00
|
|
|
// The authcode session secrets is not deleted.
|
|
|
|
r.Empty(kubeClient.Actions())
|
|
|
|
})
|
2021-12-08 22:29:25 +00:00
|
|
|
|
|
|
|
it("deletes the secret for non-retryable errors", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
|
|
|
// make the upstream revocation fail in a non-retryable way
|
|
|
|
WithRevokeTokenError(errors.New("some upstream revocation error not worth retrying"))
|
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Tried to revoke it, although this revocation will fail.
|
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
|
|
|
"upstream-oidc-provider-name",
|
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// The authcode session secrets is still deleted because it is expired and the revocation error is not retryable.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
2021-11-17 23:58:44 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
when("there is a valid, long-since expired authcode secret but the upstream revocation fails", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
activeOIDCAuthcodeSession := &authorizationcode.Session{
|
|
|
|
Version: "2",
|
|
|
|
Active: true,
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
activeOIDCAuthcodeSessionJSON, err := json.Marshal(activeOIDCAuthcodeSession)
|
|
|
|
r.NoError(err)
|
|
|
|
activeOIDCAuthcodeSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "activeOIDCAuthcodeSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
// expired just over 4 hours ago
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add((-time.Hour * 4) - time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": authorizationcode.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": activeOIDCAuthcodeSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + authorizationcode.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = authorizationcode.ReadFromSecret(activeOIDCAuthcodeSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid authcode secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(activeOIDCAuthcodeSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("deletes the secret because it has probably been retrying revocation for hours without success", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(errors.New("some upstream revocation error")) // the upstream revocation will fail
|
2021-11-17 23:58:44 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// Tried to revoke it, although this revocation will fail.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
2021-11-17 23:58:44 +00:00
|
|
|
"upstream-oidc-provider-name",
|
2021-12-03 21:44:24 +00:00
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
2021-11-17 23:58:44 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// The authcode session secrets is deleted.
|
2021-11-10 23:34:19 +00:00
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "activeOIDCAuthcodeSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
when("there are valid, expired access token secrets which contain upstream refresh tokens", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
it.Before(func() {
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "offline-access-granted-fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessGrantedOIDCAccessTokenSession)
|
|
|
|
r.NoError(err)
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "offlineAccessGrantedOIDCAccessTokenSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": accesstoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": offlineAccessGrantedOIDCAccessTokenSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = accesstoken.ReadFromSecret(offlineAccessGrantedOIDCAccessTokenSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid accesstoken secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
GrantedScope: fosite.Arguments{"scope1", "scope2"},
|
|
|
|
ID: "request-id-2",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessNotGrantedOIDCAccessTokenSession)
|
|
|
|
r.NoError(err)
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "offlineAccessNotGrantedOIDCAccessTokenSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-456",
|
|
|
|
ResourceVersion: "rv-456",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": accesstoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": offlineAccessNotGrantedOIDCAccessTokenSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = accesstoken.ReadFromSecret(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid accesstoken secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
2021-11-10 23:34:19 +00:00
|
|
|
"upstream-oidc-provider-name",
|
2021-12-03 21:44:24 +00:00
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
2021-11-10 23:34:19 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// Both session secrets are deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "offlineAccessGrantedOIDCAccessTokenSession"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "offlineAccessNotGrantedOIDCAccessTokenSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
testutil.NewPreconditions("uid-456", "rv-456"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
when("there are valid, expired access token secrets which contain upstream access tokens", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
GrantedScope: fosite.Arguments{"scope1", "scope2", "offline_access"},
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamAccessToken: "offline-access-granted-fake-upstream-access-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessGrantedOIDCAccessTokenSession)
|
|
|
|
r.NoError(err)
|
|
|
|
offlineAccessGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "offlineAccessGrantedOIDCAccessTokenSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": accesstoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": offlineAccessGrantedOIDCAccessTokenSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = accesstoken.ReadFromSecret(offlineAccessGrantedOIDCAccessTokenSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid accesstoken secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(offlineAccessGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSession := &accesstoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
GrantedScope: fosite.Arguments{"scope1", "scope2"},
|
|
|
|
ID: "request-id-2",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamAccessToken: "fake-upstream-access-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSessionJSON, err := json.Marshal(offlineAccessNotGrantedOIDCAccessTokenSession)
|
|
|
|
r.NoError(err)
|
|
|
|
offlineAccessNotGrantedOIDCAccessTokenSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "offlineAccessNotGrantedOIDCAccessTokenSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-456",
|
|
|
|
ResourceVersion: "rv-456",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": accesstoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": offlineAccessNotGrantedOIDCAccessTokenSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + accesstoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = accesstoken.ReadFromSecret(offlineAccessNotGrantedOIDCAccessTokenSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid accesstoken secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(offlineAccessNotGrantedOIDCAccessTokenSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens only from the active authcode secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
|
|
|
WithRevokeTokenError(nil)
|
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is only revoked for the downstream session which had offline_access granted.
|
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
|
|
|
"upstream-oidc-provider-name",
|
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-access-token",
|
|
|
|
TokenType: provider.AccessTokenType,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// Both session secrets are deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "offlineAccessGrantedOIDCAccessTokenSession"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "offlineAccessNotGrantedOIDCAccessTokenSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
testutil.NewPreconditions("uid-456", "rv-456"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
when("there are valid, expired refresh secrets which contain upstream refresh tokens", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
it.Before(func() {
|
|
|
|
oidcRefreshSession := &refreshtoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamRefreshToken: "fake-upstream-refresh-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
oidcRefreshSessionJSON, err := json.Marshal(oidcRefreshSession)
|
|
|
|
r.NoError(err)
|
|
|
|
oidcRefreshSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "oidcRefreshSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": refreshtoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": oidcRefreshSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + refreshtoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = refreshtoken.ReadFromSecret(oidcRefreshSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid refresh token secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(oidcRefreshSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(oidcRefreshSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens from the secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
2021-12-03 21:44:24 +00:00
|
|
|
WithRevokeTokenError(nil)
|
2021-11-10 23:34:19 +00:00
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is revoked.
|
2021-12-03 21:44:24 +00:00
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
2021-11-10 23:34:19 +00:00
|
|
|
"upstream-oidc-provider-name",
|
2021-12-03 21:44:24 +00:00
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-refresh-token",
|
|
|
|
TokenType: provider.RefreshTokenType,
|
2021-11-10 23:34:19 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// The secret is deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "oidcRefreshSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2021-12-08 22:29:25 +00:00
|
|
|
when("there are valid, expired refresh secrets which contain upstream access tokens", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
oidcRefreshSession := &refreshtoken.Session{
|
|
|
|
Version: "2",
|
|
|
|
Request: &fosite.Request{
|
|
|
|
ID: "request-id-1",
|
|
|
|
Client: &clientregistry.Client{},
|
|
|
|
Session: &psession.PinnipedSession{
|
|
|
|
Custom: &psession.CustomSessionData{
|
|
|
|
ProviderUID: "upstream-oidc-provider-uid",
|
|
|
|
ProviderName: "upstream-oidc-provider-name",
|
|
|
|
ProviderType: psession.ProviderTypeOIDC,
|
|
|
|
OIDC: &psession.OIDCSessionData{
|
|
|
|
UpstreamAccessToken: "fake-upstream-access-token",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
oidcRefreshSessionJSON, err := json.Marshal(oidcRefreshSession)
|
|
|
|
r.NoError(err)
|
|
|
|
oidcRefreshSessionSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "oidcRefreshSession",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
UID: "uid-123",
|
|
|
|
ResourceVersion: "rv-123",
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
Labels: map[string]string{
|
|
|
|
"storage.pinniped.dev/type": refreshtoken.TypeLabelValue,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string][]byte{
|
|
|
|
"pinniped-storage-data": oidcRefreshSessionJSON,
|
|
|
|
"pinniped-storage-version": []byte("1"),
|
|
|
|
},
|
|
|
|
Type: "storage.pinniped.dev/" + refreshtoken.TypeLabelValue,
|
|
|
|
}
|
|
|
|
_, err = refreshtoken.ReadFromSecret(oidcRefreshSessionSecret)
|
|
|
|
r.NoError(err, "the test author accidentally formed an invalid refresh token secret")
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(oidcRefreshSessionSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(oidcRefreshSessionSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should revoke upstream tokens from the secrets and delete them all", func() {
|
|
|
|
happyOIDCUpstream := oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
|
|
|
|
WithName("upstream-oidc-provider-name").
|
|
|
|
WithResourceUID("upstream-oidc-provider-uid").
|
|
|
|
WithRevokeTokenError(nil)
|
|
|
|
idpListerBuilder := oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(happyOIDCUpstream.Build())
|
|
|
|
|
|
|
|
startInformersAndController(idpListerBuilder.Build())
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
// The upstream refresh token is revoked.
|
|
|
|
idpListerBuilder.RequireExactlyOneCallToRevokeToken(t,
|
|
|
|
"upstream-oidc-provider-name",
|
|
|
|
&oidctestutil.RevokeTokenArgs{
|
|
|
|
Ctx: syncContext.Context,
|
|
|
|
Token: "fake-upstream-access-token",
|
|
|
|
TokenType: provider.AccessTokenType,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
// The secret is deleted.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "oidcRefreshSession"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]metav1.DeleteOptions{
|
|
|
|
testutil.NewPreconditions("uid-123", "rv-123"),
|
|
|
|
},
|
|
|
|
*deleteOptions,
|
|
|
|
)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
when("very little time has passed since the previous sync call", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
// Add a secret that will expire in 20 seconds.
|
|
|
|
expiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "expired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(20 * time.Second).Format(time.RFC3339),
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(expiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(expiredSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("should do nothing to avoid being super chatty since it is called for every change to any Secret, until more time has passed", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
startInformersAndController(nil)
|
2020-12-11 23:21:34 +00:00
|
|
|
require.Empty(t, kubeClient.Actions())
|
|
|
|
|
|
|
|
// Run sync once with the current time set to frozenTime.
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
require.Empty(t, kubeClient.Actions())
|
2021-05-04 16:38:47 +00:00
|
|
|
r.False(syncContext.Queue.(*testQueue).called)
|
2020-12-11 23:21:34 +00:00
|
|
|
|
|
|
|
// Run sync again when not enough time has passed since the most recent run, so no delete
|
2021-12-03 21:44:24 +00:00
|
|
|
// operations should happen even though there is an expired secret now.
|
2020-12-11 23:21:34 +00:00
|
|
|
fakeClock.Step(29 * time.Second)
|
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
require.Empty(t, kubeClient.Actions())
|
2021-05-04 16:38:47 +00:00
|
|
|
r.True(syncContext.Queue.(*testQueue).called)
|
|
|
|
r.Equal(controllerlib.Key{Namespace: "foo", Name: "bar"}, syncContext.Queue.(*testQueue).key) // assert key is passed through
|
|
|
|
r.Equal(time.Second, syncContext.Queue.(*testQueue).duration) // assert that we get the exact requeue time
|
|
|
|
|
|
|
|
syncContext.Queue = &testQueue{t: t} // reset the queue for the next sync
|
2020-12-11 23:21:34 +00:00
|
|
|
|
|
|
|
// Step to the exact threshold and run Sync again. Now we are past the rate limiting period.
|
2021-05-04 16:38:47 +00:00
|
|
|
fakeClock.Step(time.Second)
|
2020-12-11 23:21:34 +00:00
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
2021-05-04 16:38:47 +00:00
|
|
|
r.False(syncContext.Queue.(*testQueue).called)
|
2020-12-11 23:21:34 +00:00
|
|
|
|
|
|
|
// It should have deleted the expired secret.
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "expired secret"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{})
|
|
|
|
r.NoError(err)
|
|
|
|
r.Len(list.Items, 1)
|
|
|
|
r.Equal("some other unrelated secret", list.Items[0].Name)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-12-11 01:34:05 +00:00
|
|
|
when("there is a secret with a malformed garbage-collect-after date", func() {
|
|
|
|
it.Before(func() {
|
|
|
|
malformedSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "malformed secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
|
|
|
"storage.pinniped.dev/garbage-collect-after": "not-a-real-date-string",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(malformedSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(malformedSecret))
|
|
|
|
expiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "expired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(expiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(expiredSecret))
|
|
|
|
})
|
|
|
|
|
|
|
|
it("does not delete that secret", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
startInformersAndController(nil)
|
2020-12-11 01:34:05 +00:00
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "expired secret"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{})
|
|
|
|
r.NoError(err)
|
|
|
|
r.Len(list.Items, 2)
|
|
|
|
r.ElementsMatch([]string{"malformed secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
when("the kube API delete call fails", func() {
|
2020-12-11 01:34:05 +00:00
|
|
|
it.Before(func() {
|
|
|
|
erroringSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "erroring secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(erroringSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(erroringSecret))
|
|
|
|
kubeClient.PrependReactor("delete", "secrets", func(action kubetesting.Action) (bool, runtime.Object, error) {
|
|
|
|
if action.(kubetesting.DeleteActionImpl).Name == "erroring secret" {
|
|
|
|
return true, nil, errors.New("delete failed: some delete error")
|
|
|
|
}
|
|
|
|
return false, nil, nil
|
|
|
|
})
|
|
|
|
expiredSecret := &corev1.Secret{
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
Name: "expired secret",
|
|
|
|
Namespace: installedInNamespace,
|
|
|
|
Annotations: map[string]string{
|
2020-12-11 23:21:34 +00:00
|
|
|
"storage.pinniped.dev/garbage-collect-after": frozenNow.Add(-time.Second).Format(time.RFC3339),
|
2020-12-11 01:34:05 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
r.NoError(kubeInformerClient.Tracker().Add(expiredSecret))
|
|
|
|
r.NoError(kubeClient.Tracker().Add(expiredSecret))
|
|
|
|
})
|
|
|
|
|
2020-12-11 23:21:34 +00:00
|
|
|
it("ignores the error and continues on to delete the next expired Secret", func() {
|
2021-11-10 23:34:19 +00:00
|
|
|
startInformersAndController(nil)
|
2020-12-11 01:34:05 +00:00
|
|
|
r.NoError(controllerlib.TestSync(t, subject, *syncContext))
|
|
|
|
|
|
|
|
r.ElementsMatch(
|
|
|
|
[]kubetesting.Action{
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "erroring secret"),
|
|
|
|
kubetesting.NewDeleteAction(secretsGVR, installedInNamespace, "expired secret"),
|
|
|
|
},
|
|
|
|
kubeClient.Actions(),
|
|
|
|
)
|
|
|
|
list, err := kubeClient.CoreV1().Secrets(installedInNamespace).List(context.Background(), metav1.ListOptions{})
|
|
|
|
r.NoError(err)
|
|
|
|
r.Len(list.Items, 2)
|
|
|
|
r.ElementsMatch([]string{"erroring secret", "some other unrelated secret"}, []string{list.Items[0].Name, list.Items[1].Name})
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}, spec.Parallel(), spec.Report(report.Terminal{}))
|
|
|
|
}
|
2021-05-04 16:38:47 +00:00
|
|
|
|
|
|
|
type testQueue struct {
|
|
|
|
t *testing.T
|
|
|
|
|
|
|
|
called bool
|
|
|
|
key controllerlib.Key
|
|
|
|
duration time.Duration
|
|
|
|
|
|
|
|
controllerlib.Queue // panic if any other methods called
|
|
|
|
}
|
|
|
|
|
|
|
|
func (q *testQueue) AddAfter(key controllerlib.Key, duration time.Duration) {
|
|
|
|
q.t.Helper()
|
|
|
|
|
|
|
|
require.False(q.t, q.called, "AddAfter should only be called once")
|
|
|
|
|
|
|
|
q.called = true
|
|
|
|
q.key = key
|
|
|
|
q.duration = duration
|
|
|
|
}
|