Update supervisor_storage_test.go to avoid using fuzzed value
The fuzzed value depends on which Go compiler is used. This breaks the fips tests in CI as long as the fips compiler is a version behind (we are still waiting for the 1.19 fips compiler to come out). The fuzzing is still being tested by a separate unit test, so we are not losing fuzzing test coverage.
parent
1e05012bdb
commit
36dbc7c9bf
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package integration
|
package integration
|
||||||
@ -7,7 +7,6 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
stderrors "errors"
|
stderrors "errors"
|
||||||
"strings"
|
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -19,6 +18,7 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
||||||
|
"go.pinniped.dev/internal/oidc/clientregistry"
|
||||||
"go.pinniped.dev/internal/testutil"
|
"go.pinniped.dev/internal/testutil"
|
||||||
"go.pinniped.dev/test/testlib"
|
"go.pinniped.dev/test/testlib"
|
||||||
)
|
)
|
||||||
@ -51,11 +51,6 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
// get a session with most of the data filled out
|
|
||||||
session := authorizationcode.NewValidEmptyAuthorizeCodeSession()
|
|
||||||
err := json.Unmarshal([]byte(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing), session)
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
sessionStorageLifetime := 5 * time.Minute
|
sessionStorageLifetime := 5 * time.Minute
|
||||||
storage := authorizationcode.New(secrets, time.Now, sessionStorageLifetime)
|
storage := authorizationcode.New(secrets, time.Now, sessionStorageLifetime)
|
||||||
|
|
||||||
@ -65,6 +60,23 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
require.True(t, stderrors.Is(err, fosite.ErrNotFound))
|
require.True(t, stderrors.Is(err, fosite.ErrNotFound))
|
||||||
require.Nil(t, notFoundRequest)
|
require.Nil(t, notFoundRequest)
|
||||||
|
|
||||||
|
// Create a fake session to store below. Fill in a few fields to make sure we can get them back.
|
||||||
|
session := authorizationcode.NewValidEmptyAuthorizeCodeSession()
|
||||||
|
session.Request = &fosite.Request{
|
||||||
|
ID: "abcd-1",
|
||||||
|
RequestedAt: time.Time{},
|
||||||
|
Client: &clientregistry.Client{
|
||||||
|
DefaultOpenIDConnectClient: fosite.DefaultOpenIDConnectClient{
|
||||||
|
DefaultClient: &fosite.DefaultClient{
|
||||||
|
ID: "pinny",
|
||||||
|
},
|
||||||
|
JSONWebKeysURI: "where",
|
||||||
|
TokenEndpointAuthMethod: "something",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
Session: testutil.NewFakePinnipedSession(),
|
||||||
|
}
|
||||||
|
|
||||||
err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
|
err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
@ -76,7 +88,13 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
// check that the data stored in Kube matches what we put in
|
// check that the data stored in Kube matches what we put in
|
||||||
initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.JSONEq(t, authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing, string(initialSecret.Data["pinniped-storage-data"]))
|
// Note that CreateAuthorizeCodeSession() sets Active to true and also sets the Version before storing the session,
|
||||||
|
// so expect those here.
|
||||||
|
session.Active = true
|
||||||
|
session.Version = "3" // this is the value of the authorizationcode.authorizeCodeStorageVersion constant
|
||||||
|
expectedSessionStorageJSON, err := json.Marshal(session)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.JSONEq(t, string(expectedSessionStorageJSON), string(initialSecret.Data["pinniped-storage-data"]))
|
||||||
|
|
||||||
// check that the Secret got the expected annotations
|
// check that the Secret got the expected annotations
|
||||||
actualGCAfterValue := initialSecret.Annotations["storage.pinniped.dev/garbage-collect-after"]
|
actualGCAfterValue := initialSecret.Annotations["storage.pinniped.dev/garbage-collect-after"]
|
||||||
@ -100,8 +118,7 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
err = storage.InvalidateAuthorizeCodeSession(ctx, signature)
|
err = storage.InvalidateAuthorizeCodeSession(ctx, signature)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
// trying to use the code session more than once should fail
|
// trying to get the authcode session after it was invalidated should fail
|
||||||
// getting an invalidated session should return an error and the request
|
|
||||||
invalidatedRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil)
|
invalidatedRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode))
|
require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode))
|
||||||
@ -115,7 +132,9 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
// the data stored in Kube should be exactly the same but it should be marked as used
|
// the data stored in Kube should be exactly the same but it should be marked as used
|
||||||
invalidatedSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
invalidatedSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
expectedInvalidatedJSON := strings.Replace(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing,
|
// InvalidateAuthorizeCodeSession() sets Active to false, so update the expected value accordingly.
|
||||||
`"active": true,`, `"active": false,`, 1)
|
session.Active = false
|
||||||
require.JSONEq(t, expectedInvalidatedJSON, string(invalidatedSecret.Data["pinniped-storage-data"]))
|
expectedInvalidatedJSON, err := json.Marshal(session)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.JSONEq(t, string(expectedInvalidatedJSON), string(invalidatedSecret.Data["pinniped-storage-data"]))
|
||||||
}
|
}
|
||||||
|
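Review bot: The rewritten comment above the post-invalidation `GetAuthorizeCodeSession` call ("trying to get the authcode session after it was invalidated should fail") drops the old comment's statement that the request is returned as well. fosite's storage contract expects the original request to come back together with `ErrInvalidatedAuthorizeCode`, because the token endpoint uses it to revoke tokens already issued from a replayed code, so the comment should stay explicit: `// getting an invalidated authcode session should return ErrInvalidatedAuthorizeCode along with the original request`. Whether `invalidatedRequest` is asserted non-nil is not visible here, since `TestAuthorizeCodeStorage` continues outside the hunk. Separately, the expected storage JSON is now produced by `json.Marshal(session)` on the same type the storage presumably serializes, so the two `require.JSONEq` checks no longer pin the stored format by themselves; a short comment naming the unit test that still does would help.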