djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add happy path test for login oidc

Browse Source
This commit is contained in:
Margo Crawford 2021-01-26 13:34:09 -08:00
parent 07b7b743b4
commit 170b86d0c6
2 changed files with 62 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
cmd/pinniped/cmd/login_oidc.go
View File

@ -14,6 +14,7 @@ import (
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
"strings"
"time" "time"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
@ -256,6 +257,16 @@ func mustGetConfigDir() string {
} }
func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLoginFlags) (*clientauthv1beta1.ExecCredential, error) { func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLoginFlags) (*clientauthv1beta1.ExecCredential, error) {
// TODO maybe de-dup this with conciergeclient.go
var kind string
switch strings.ToLower(flags.conciergeAuthenticatorType) {
case "webhook":
kind = "WebhookAuthenticator"
case "jwt":
kind = "JWTAuthenticator"
default:
return nil, fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, kind)
}
reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{ reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: flags.conciergeNamespace, Namespace: flags.conciergeNamespace,
@ -265,11 +276,11 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
APIVersion: loginv1alpha1.GroupName + "/v1alpha1", APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
}, },
Spec: loginv1alpha1.TokenCredentialRequestSpec{ Spec: loginv1alpha1.TokenCredentialRequestSpec{
Token: token.AccessToken.Token, // TODO Token: token.IDToken.Token, // TODO
Authenticator: corev1.TypedLocalObjectReference{ Authenticator: corev1.TypedLocalObjectReference{
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group, APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
Kind: os.Getenv(flags.conciergeAuthenticatorType), Kind: kind,
Name: os.Getenv(flags.conciergeAuthenticatorName), Name: flags.conciergeAuthenticatorName,
}, },
}, },
}) })
@ -277,7 +288,7 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
return nil, err return nil, err
} }
encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON) encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON)
return &clientauthv1beta1.ExecCredential{ cred := &clientauthv1beta1.ExecCredential{
TypeMeta: metav1.TypeMeta{ TypeMeta: metav1.TypeMeta{
Kind: "ExecCredential", Kind: "ExecCredential",
APIVersion: "client.authentication.k8s.io/v1beta1", APIVersion: "client.authentication.k8s.io/v1beta1",
@ -285,5 +296,9 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
Status: &clientauthv1beta1.ExecCredentialStatus{ Status: &clientauthv1beta1.ExecCredentialStatus{
Token: encodedToken, Token: encodedToken,
}, },
}, nil }
if !token.IDToken.Expiry.IsZero() {
cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
}
return cred, nil
} }

42
cmd/pinniped/cmd/login_oidc_test.go
View File

@ -8,12 +8,18 @@ import (
"context" "context"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/base64" "encoding/base64"
"encoding/json"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"path/filepath" "path/filepath"
"testing" "testing"
"time" "time"
corev1 "k8s.io/api/core/v1"
authenticationv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/authentication/v1alpha1"
loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
@ -198,6 +204,21 @@ func TestLoginOIDCCommand(t *testing.T) {
wantOptionsCount: 7, wantOptionsCount: 7,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n", wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"token":"exchanged-token"}}` + "\n",
}, },
{
name: "success with impersonation proxy",
args: []string{
"--client-id", "test-client-id",
"--issuer", "test-issuer",
"--enable-concierge",
"--use-impersonation-proxy",
"--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", "test-authenticator",
"--concierge-endpoint", "https://127.0.0.1:1234/",
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(testCA.Bundle()),
},
wantOptionsCount: 3,
wantStdout: `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"expirationTimestamp":"3020-10-12T13:14:15Z","token":"` + impersonationProxyToken("test-id-token") + `"}}` + "\n",
},
} }
for _, tt := range tests { for _, tt := range tests {
tt := tt tt := tt
@ -254,3 +275,24 @@ func TestLoginOIDCCommand(t *testing.T) {
}) })
} }
} }
func impersonationProxyToken(token string) string {
reqJSON, _ := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
ObjectMeta: metav1.ObjectMeta{
Namespace: "pinniped-concierge",
},
TypeMeta: metav1.TypeMeta{
Kind: "TokenCredentialRequest",
APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
},
Spec: loginv1alpha1.TokenCredentialRequestSpec{
Token: token,
Authenticator: corev1.TypedLocalObjectReference{
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
Kind: "WebhookAuthenticator",
Name: "test-authenticator",
},
},
})
return base64.RawURLEncoding.EncodeToString(reqJSON)
}