From 9ba93d66c357194dbe4b06556c46d82ce2e351a1 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 20 Oct 2020 17:00:36 -0400 Subject: [PATCH 1/5] test/integration: prefactoring for testing virtual hosts Signed-off-by: Andrew Keesler --- hack/prepare-for-integration-tests.sh | 2 +- test/integration/supervisor_discovery_test.go | 126 ++++++++++++------ test/library/env.go | 4 +- 3 files changed, 85 insertions(+), 47 deletions(-) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index 9578efe9..5c2c77aa 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -277,7 +277,7 @@ export PINNIPED_TEST_WEBHOOK_CA_BUNDLE=${webhook_ca_bundle} export PINNIPED_TEST_SUPERVISOR_NAMESPACE=${supervisor_namespace} export PINNIPED_TEST_SUPERVISOR_APP_NAME=${supervisor_app_name} export PINNIPED_TEST_SUPERVISOR_CUSTOM_LABELS='${supervisor_custom_labels}' -export PINNIPED_TEST_SUPERVISOR_ADDRESS="127.0.0.1:12345" +export PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS="127.0.0.1:12345" export PINNIPED_TEST_CLI_OIDC_ISSUER=http://127.0.0.1:12346/dex export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli export PINNIPED_TEST_CLI_OIDC_LOCALHOST_PORT=48095 diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 4da92004..6b459aaa 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -9,6 +9,8 @@ import ( "fmt" "io/ioutil" "net/http" + "net/url" + "strings" "testing" "time" @@ -51,88 +53,106 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { } }) + supervisorScheme := "http" + supervisorAddress := env.SupervisorHTTPAddress + // Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs. - requireDiscoveryEndpointsAreNotFound(t, fmt.Sprintf("http://%s", env.SupervisorAddress)) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, fmt.Sprintf("%s://%s", supervisorScheme, supervisorAddress)) // Define several unique issuer strings. - issuer1 := fmt.Sprintf("http://%s/nested/issuer1", env.SupervisorAddress) - issuer2 := fmt.Sprintf("http://%s/nested/issuer2", env.SupervisorAddress) - issuer3 := fmt.Sprintf("http://%s/issuer3", env.SupervisorAddress) - issuer4 := fmt.Sprintf("http://%s/issuer4", env.SupervisorAddress) - issuer5 := fmt.Sprintf("http://%s/issuer5", env.SupervisorAddress) - issuer6 := fmt.Sprintf("http://%s/issuer6", env.SupervisorAddress) - badIssuer := fmt.Sprintf("http://%s/badIssuer?cannot-use=queries", env.SupervisorAddress) + // We add a "random" port number to this host to validate that our OIDC router works when given a + // host that has a port number in it. + // nonMatchingIssuerHost := "some-issuer-host-that-doesnt-match-supervisor-address:2684" + issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", supervisorScheme, supervisorAddress) + issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", supervisorScheme, supervisorAddress) + issuer3 := fmt.Sprintf("%s://%s/issuer3", supervisorScheme, supervisorAddress) + issuer4 := fmt.Sprintf("%s://%s/issuer4", supervisorScheme, supervisorAddress) + issuer5 := fmt.Sprintf("%s://%s/issuer5", supervisorScheme, supervisorAddress) + issuer6 := fmt.Sprintf("%s://%s/issuer6", supervisorScheme, supervisorAddress) + // issuer7 := fmt.Sprintf("%s://%s:%d/issuer6", supervisorScheme, nonMatchingIssuerHost) + badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", supervisorScheme, supervisorAddress) // When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists. - config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, issuer1, client) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config1, client, ns, issuer1) - config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, issuer2, client) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config2, client, ns, issuer2) + config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer1, client) + requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) + config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer2, client) + requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) // The auto-created JWK's were different from each other. require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"]) require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"]) // When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint. - config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, issuer3, client) - config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, issuer4, client) - requireDiscoveryEndpointsAreWorking(t, issuer3) // discovery for issuer3 is still working after issuer4 started working + config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer3, client) + config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer4, client) + requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer3) // discovery for issuer3 is still working after issuer4 started working // The auto-created JWK's were different from each other. require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"]) require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"]) // Editing a provider to change the issuer name updates the endpoints that are being served. updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5) - requireDiscoveryEndpointsAreNotFound(t, issuer4) - jwks5 := requireDiscoveryEndpointsAreWorking(t, issuer5) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer4) + jwks5 := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer5) // The JWK did not change when the issuer name was updated. require.Equal(t, jwks4.Keys[0], jwks5.Keys[0]) // When they are deleted they stop serving discovery endpoints. - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config3, client, ns, issuer3) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, updatedConfig4, client, ns, issuer5) + requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) + requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) // When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving. - config5Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, issuer6, client) + config5Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) config5Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) requireStatus(t, client, ns, config5Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) requireStatus(t, client, ns, config5Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, issuer6) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer6) // If we delete the first duplicate issuer, the second duplicate issuer starts serving. requireDelete(t, client, ns, config5Duplicate1.Name) - requireWellKnownEndpointIsWorking(t, issuer6) + requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuer6) requireStatus(t, client, ns, config5Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) // When we finally delete all issuers, the endpoint should be down. - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config5Duplicate2, client, ns, issuer6) + requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config5Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) // When we create a provider with an invalid issuer, the status is set to invalid. badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, badIssuer) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, badIssuer) } -func jwksURLForIssuer(issuerName string) string { - return fmt.Sprintf("%s/jwks.json", issuerName) +func jwksURLForIssuer(scheme, host, path string) string { + if strings.HasPrefix(path, "/") { + path = path[1:] + } + return fmt.Sprintf("%s://%s/%s/jwks.json", scheme, host, path) } -func wellKnownURLForIssuer(issuerName string) string { - return fmt.Sprintf("%s/.well-known/openid-configuration", issuerName) +func wellKnownURLForIssuer(scheme, host, path string) string { + if strings.HasPrefix(path, "/") { + path = path[1:] + } + return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, path) } -func requireDiscoveryEndpointsAreNotFound(t *testing.T, issuerName string) { +func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) { t.Helper() - requireEndpointNotFound(t, wellKnownURLForIssuer(issuerName)) - requireEndpointNotFound(t, jwksURLForIssuer(issuerName)) + issuerURL, err := url.Parse(issuerName) + require.NoError(t, err) + requireEndpointNotFound(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host) + requireEndpointNotFound(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host) } -func requireEndpointNotFound(t *testing.T, url string) { +func requireEndpointNotFound(t *testing.T, url, host string) { t.Helper() httpClient := &http.Client{} ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() requestNonExistentPath, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + require.NoError(t, err) + + requestNonExistentPath.Header.Add("Host", host) var response *http.Response assert.Eventually(t, func() bool { @@ -148,6 +168,7 @@ func requireEndpointNotFound(t *testing.T, url string) { func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear( ctx context.Context, t *testing.T, + supervisorScheme, supervisorAddress string, issuerName string, client pinnipedclientset.Interface, ) (*v1alpha1.OIDCProviderConfig, *ExpectedJWKSResponseFormat) { @@ -155,16 +176,16 @@ func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear( newOIDCProviderConfig := library.CreateTestOIDCProvider(ctx, t, issuerName) - jwksResult := requireDiscoveryEndpointsAreWorking(t, issuerName) + jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuerName) requireStatus(t, client, newOIDCProviderConfig.Namespace, newOIDCProviderConfig.Name, v1alpha1.SuccessOIDCProviderStatus) return newOIDCProviderConfig, jwksResult } -func requireDiscoveryEndpointsAreWorking(t *testing.T, issuerName string) *ExpectedJWKSResponseFormat { - requireWellKnownEndpointIsWorking(t, issuerName) - jwksResult := requireJWKSEndpointIsWorking(t, issuerName) +func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) *ExpectedJWKSResponseFormat { + requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuerName) + jwksResult := requireJWKSEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuerName) return jwksResult } @@ -173,6 +194,7 @@ func requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear( existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig, client pinnipedclientset.Interface, ns string, + supervisorScheme, supervisorAddress string, issuerName string, ) { t.Helper() @@ -184,13 +206,15 @@ func requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear( require.NoError(t, err) // Fetch that same discovery endpoint as before, but now it should not exist anymore. Give it some time for the endpoint to go away. - requireDiscoveryEndpointsAreNotFound(t, issuerName) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuerName) } -func requireWellKnownEndpointIsWorking(t *testing.T, issuerName string) { +func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) { t.Helper() - response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(issuerName)) //nolint:bodyclose + issuerURL, err := url.Parse(issuerName) + require.NoError(t, err) + response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName) //nolint:bodyclose // Check that the response matches our expectations. expectedResultTemplate := here.Doc(`{ @@ -216,13 +240,15 @@ type ExpectedJWKSResponseFormat struct { Keys []map[string]string } -func requireJWKSEndpointIsWorking(t *testing.T, issuerName string) *ExpectedJWKSResponseFormat { +func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) *ExpectedJWKSResponseFormat { t.Helper() - response, responseBody := requireSuccessEndpointResponse(t, jwksURLForIssuer(issuerName)) //nolint:bodyclose + issuerURL, err := url.Parse(issuerName) + require.NoError(t, err) + response, responseBody := requireSuccessEndpointResponse(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName) //nolint:bodyclose var result ExpectedJWKSResponseFormat - err := json.Unmarshal([]byte(responseBody), &result) + err = json.Unmarshal([]byte(responseBody), &result) require.NoError(t, err) require.Len(t, result.Keys, 1) @@ -241,20 +267,25 @@ func requireJWKSEndpointIsWorking(t *testing.T, issuerName string) *ExpectedJWKS return &result } -func requireSuccessEndpointResponse(t *testing.T, wellKnownURL string) (*http.Response, string) { +func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer string) (*http.Response, string) { httpClient := &http.Client{} ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() + issuerURL, err := url.Parse(issuer) + require.NoError(t, err) + // Define a request to the new discovery endpoint which should have been created by an OIDCProviderConfig. requestDiscoveryEndpoint, err := http.NewRequestWithContext( ctx, http.MethodGet, - wellKnownURL, + endpointURL, nil, ) require.NoError(t, err) + requestDiscoveryEndpoint.Header.Add("Host", issuerURL.Host) + // Fetch that discovery endpoint. Give it some time for the endpoint to come into existence. var response *http.Response assert.Eventually(t, func() bool { @@ -315,3 +346,10 @@ func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name st require.NoError(t, err) require.Equalf(t, status, opc.Status.Status, "unexpected status (message = '%s')", opc.Status.Message) } + +func getHostFromIssuer(t *testing.T, issuerName string) string { + t.Helper() + issuerURL, err := url.Parse(issuerName) + require.NoError(t, err) + return issuerURL.Host +} diff --git a/test/library/env.go b/test/library/env.go index 2d1b4a3b..6dfe460f 100644 --- a/test/library/env.go +++ b/test/library/env.go @@ -34,7 +34,7 @@ type TestEnv struct { ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"` Capabilities map[Capability]bool `json:"capabilities"` TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"` - SupervisorAddress string `json:"supervisorAddress"` + SupervisorHTTPAddress string `json:"supervisorAddress"` TestUser struct { Token string `json:"token"` @@ -88,7 +88,7 @@ func IntegrationEnv(t *testing.T) *TestEnv { result.TestWebhook.Endpoint = needEnv("PINNIPED_TEST_WEBHOOK_ENDPOINT") result.SupervisorNamespace = needEnv("PINNIPED_TEST_SUPERVISOR_NAMESPACE") result.SupervisorAppName = needEnv("PINNIPED_TEST_SUPERVISOR_APP_NAME") - result.SupervisorAddress = needEnv("PINNIPED_TEST_SUPERVISOR_ADDRESS") + result.SupervisorHTTPAddress = needEnv("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS") result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv("PINNIPED_TEST_WEBHOOK_CA_BUNDLE")} conciergeCustomLabelsYAML := needEnv("PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS") From 90235418b994845c8e7b0767d80e0321d489d117 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 20 Oct 2020 15:22:03 -0700 Subject: [PATCH 2/5] Add a test for when issuer hostname and supervisor public address differ --- test/integration/supervisor_discovery_test.go | 60 ++++++++----------- 1 file changed, 25 insertions(+), 35 deletions(-) diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 6b459aaa..efe0bd72 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -60,23 +60,19 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, fmt.Sprintf("%s://%s", supervisorScheme, supervisorAddress)) // Define several unique issuer strings. - // We add a "random" port number to this host to validate that our OIDC router works when given a - // host that has a port number in it. - // nonMatchingIssuerHost := "some-issuer-host-that-doesnt-match-supervisor-address:2684" issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", supervisorScheme, supervisorAddress) issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", supervisorScheme, supervisorAddress) issuer3 := fmt.Sprintf("%s://%s/issuer3", supervisorScheme, supervisorAddress) issuer4 := fmt.Sprintf("%s://%s/issuer4", supervisorScheme, supervisorAddress) issuer5 := fmt.Sprintf("%s://%s/issuer5", supervisorScheme, supervisorAddress) issuer6 := fmt.Sprintf("%s://%s/issuer6", supervisorScheme, supervisorAddress) - // issuer7 := fmt.Sprintf("%s://%s:%d/issuer6", supervisorScheme, nonMatchingIssuerHost) badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", supervisorScheme, supervisorAddress) // When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists. config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer1, client) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer2, client) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) // The auto-created JWK's were different from each other. require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"]) require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"]) @@ -97,23 +93,28 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { require.Equal(t, jwks4.Keys[0], jwks5.Keys[0]) // When they are deleted they stop serving discovery endpoints. - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) // When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving. - config5Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) - config5Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) - requireStatus(t, client, ns, config5Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) - requireStatus(t, client, ns, config5Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) + config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) + config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) + requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) + requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer6) // If we delete the first duplicate issuer, the second duplicate issuer starts serving. - requireDelete(t, client, ns, config5Duplicate1.Name) + requireDelete(t, client, ns, config6Duplicate1.Name) requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuer6) - requireStatus(t, client, ns, config5Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) + requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) // When we finally delete all issuers, the endpoint should be down. - requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear(t, config5Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) + + // "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name. + issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", supervisorScheme) + config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer7, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, supervisorScheme, supervisorAddress, issuer7) // When we create a provider with an invalid issuer, the status is set to invalid. badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) @@ -122,17 +123,11 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { } func jwksURLForIssuer(scheme, host, path string) string { - if strings.HasPrefix(path, "/") { - path = path[1:] - } - return fmt.Sprintf("%s://%s/%s/jwks.json", scheme, host, path) + return fmt.Sprintf("%s://%s/%s/jwks.json", scheme, host, strings.TrimPrefix(path, "/")) } func wellKnownURLForIssuer(scheme, host, path string) string { - if strings.HasPrefix(path, "/") { - path = path[1:] - } - return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, path) + return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, strings.TrimPrefix(path, "/")) } func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) { @@ -189,7 +184,7 @@ func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervi return jwksResult } -func requireDeletingOIDCProviderConfigCausesWellKnownEndpointToDisappear( +func requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear( t *testing.T, existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig, client pinnipedclientset.Interface, @@ -272,9 +267,6 @@ func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer string) (* ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() - issuerURL, err := url.Parse(issuer) - require.NoError(t, err) - // Define a request to the new discovery endpoint which should have been created by an OIDCProviderConfig. requestDiscoveryEndpoint, err := http.NewRequestWithContext( ctx, @@ -284,7 +276,12 @@ func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer string) (* ) require.NoError(t, err) - requestDiscoveryEndpoint.Header.Add("Host", issuerURL.Host) + issuerURL, err := url.Parse(issuer) + require.NoError(t, err) + // Set the host header on the request to match the issuer's hostname, which could potentially be different + // from the public ingress address, e.g. when a load balancer is used, so we want to test here that the host + // header is respected by the supervisor server. + requestDiscoveryEndpoint.Host = issuerURL.Host // Fetch that discovery endpoint. Give it some time for the endpoint to come into existence. var response *http.Response @@ -346,10 +343,3 @@ func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name st require.NoError(t, err) require.Equalf(t, status, opc.Status.Status, "unexpected status (message = '%s')", opc.Status.Message) } - -func getHostFromIssuer(t *testing.T, issuerName string) string { - t.Helper() - issuerURL, err := url.Parse(issuerName) - require.NoError(t, err) - return issuerURL.Host -} From 276dff5772e74cf4197db83dc46a4c18eebd9d7a Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 20 Oct 2020 15:57:10 -0700 Subject: [PATCH 3/5] Introduce PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS - We plan to use this on acceptance clusters - We also plan to use this for a future story in the kind-based tests, but not yet --- test/integration/supervisor_discovery_test.go | 127 ++++++++++-------- test/library/env.go | 11 +- 2 files changed, 80 insertions(+), 58 deletions(-) diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index efe0bd72..61edcc3b 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -53,73 +53,88 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { } }) - supervisorScheme := "http" - supervisorAddress := env.SupervisorHTTPAddress + tests := []struct { + Scheme string + Address string + }{ + {Scheme: "http", Address: env.SupervisorHTTPAddress}, + {Scheme: "https", Address: env.SupervisorHTTPSAddress}, + } - // Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs. - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, fmt.Sprintf("%s://%s", supervisorScheme, supervisorAddress)) + for _, test := range tests { + supervisorScheme := test.Scheme + supervisorAddress := test.Address - // Define several unique issuer strings. - issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", supervisorScheme, supervisorAddress) - issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", supervisorScheme, supervisorAddress) - issuer3 := fmt.Sprintf("%s://%s/issuer3", supervisorScheme, supervisorAddress) - issuer4 := fmt.Sprintf("%s://%s/issuer4", supervisorScheme, supervisorAddress) - issuer5 := fmt.Sprintf("%s://%s/issuer5", supervisorScheme, supervisorAddress) - issuer6 := fmt.Sprintf("%s://%s/issuer6", supervisorScheme, supervisorAddress) - badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", supervisorScheme, supervisorAddress) + if supervisorAddress == "" { + // Both cases are not required, so when one is empty skip it. + continue + } - // When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists. - config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer1, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) - config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer2, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) - // The auto-created JWK's were different from each other. - require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"]) - require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"]) + // Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs. + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, fmt.Sprintf("%s://%s", supervisorScheme, supervisorAddress)) - // When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint. - config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer3, client) - config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer4, client) - requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer3) // discovery for issuer3 is still working after issuer4 started working - // The auto-created JWK's were different from each other. - require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"]) - require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"]) + // Define several unique issuer strings. + issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", supervisorScheme, supervisorAddress) + issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", supervisorScheme, supervisorAddress) + issuer3 := fmt.Sprintf("%s://%s/issuer3", supervisorScheme, supervisorAddress) + issuer4 := fmt.Sprintf("%s://%s/issuer4", supervisorScheme, supervisorAddress) + issuer5 := fmt.Sprintf("%s://%s/issuer5", supervisorScheme, supervisorAddress) + issuer6 := fmt.Sprintf("%s://%s/issuer6", supervisorScheme, supervisorAddress) + badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", supervisorScheme, supervisorAddress) - // Editing a provider to change the issuer name updates the endpoints that are being served. - updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer4) - jwks5 := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer5) - // The JWK did not change when the issuer name was updated. - require.Equal(t, jwks4.Keys[0], jwks5.Keys[0]) + // When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists. + config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer1, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) + config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer2, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) + // The auto-created JWK's were different from each other. + require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"]) + require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"]) - // When they are deleted they stop serving discovery endpoints. - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) + // When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint. + config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer3, client) + config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer4, client) + requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer3) // discovery for issuer3 is still working after issuer4 started working + // The auto-created JWK's were different from each other. + require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"]) + require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"]) - // When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving. - config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) - config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) - requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) - requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer6) + // Editing a provider to change the issuer name updates the endpoints that are being served. + updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer4) + jwks5 := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer5) + // The JWK did not change when the issuer name was updated. + require.Equal(t, jwks4.Keys[0], jwks5.Keys[0]) - // If we delete the first duplicate issuer, the second duplicate issuer starts serving. - requireDelete(t, client, ns, config6Duplicate1.Name) - requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuer6) - requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) + // When they are deleted they stop serving discovery endpoints. + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) - // When we finally delete all issuers, the endpoint should be down. - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) + // When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving. + config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) + config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) + requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) + requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer6) - // "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name. - issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", supervisorScheme) - config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer7, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, supervisorScheme, supervisorAddress, issuer7) + // If we delete the first duplicate issuer, the second duplicate issuer starts serving. + requireDelete(t, client, ns, config6Duplicate1.Name) + requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuer6) + requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) - // When we create a provider with an invalid issuer, the status is set to invalid. - badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) - requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, badIssuer) + // When we finally delete all issuers, the endpoint should be down. + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) + + // "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name. + issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", supervisorScheme) + config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer7, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, supervisorScheme, supervisorAddress, issuer7) + + // When we create a provider with an invalid issuer, the status is set to invalid. + badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) + requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, badIssuer) + } } func jwksURLForIssuer(scheme, host, path string) string { diff --git a/test/library/env.go b/test/library/env.go index 6dfe460f..77609415 100644 --- a/test/library/env.go +++ b/test/library/env.go @@ -34,7 +34,8 @@ type TestEnv struct { ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"` Capabilities map[Capability]bool `json:"capabilities"` TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"` - SupervisorHTTPAddress string `json:"supervisorAddress"` + SupervisorHTTPAddress string `json:"supervisorHttpAddress"` + SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"` TestUser struct { Token string `json:"token"` @@ -88,9 +89,15 @@ func IntegrationEnv(t *testing.T) *TestEnv { result.TestWebhook.Endpoint = needEnv("PINNIPED_TEST_WEBHOOK_ENDPOINT") result.SupervisorNamespace = needEnv("PINNIPED_TEST_SUPERVISOR_NAMESPACE") result.SupervisorAppName = needEnv("PINNIPED_TEST_SUPERVISOR_APP_NAME") - result.SupervisorHTTPAddress = needEnv("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS") result.TestWebhook.TLS = &idpv1alpha1.TLSSpec{CertificateAuthorityData: needEnv("PINNIPED_TEST_WEBHOOK_CA_BUNDLE")} + result.SupervisorHTTPAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS") + result.SupervisorHTTPSAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS") + require.NotEmptyf(t, + result.SupervisorHTTPAddress+result.SupervisorHTTPSAddress, + "must specify either PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS or PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS env var (or both) for integration tests", + ) + conciergeCustomLabelsYAML := needEnv("PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS") var conciergeCustomLabels map[string]string err = yaml.Unmarshal([]byte(conciergeCustomLabelsYAML), &conciergeCustomLabels) From ec21fc8595cfb82abf863bea1590908284f0f25d Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 20 Oct 2020 15:59:25 -0700 Subject: [PATCH 4/5] Also delete the final OIDCProviderConfig made by an integration test - It didn't matter before because it would be cleaned up by a t.Cleanup() function, but now that we might loop twice it will matter during the second time through the loop --- test/integration/supervisor_discovery_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 61edcc3b..6125703a 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -134,6 +134,7 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus) requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, badIssuer) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, supervisorScheme, supervisorAddress, badIssuer) } } From 52ebd77527491ee67c14c8ee0217f1d67f1dd41e Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 20 Oct 2020 16:46:33 -0700 Subject: [PATCH 5/5] Add optional PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE for integration tests - Not used by any of our integration test clusters yet - Planning to use it later for the kind clusters and maybe for the acceptance clusters too (although the acceptance clusters might not need to use self-signed certs so maybe not) --- test/integration/supervisor_discovery_test.go | 124 ++++++++++-------- test/library/env.go | 22 ++-- 2 files changed, 79 insertions(+), 67 deletions(-) diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 6125703a..b536429c 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -5,6 +5,8 @@ package integration import ( "context" + "crypto/tls" + "crypto/x509" "encoding/json" "fmt" "io/ioutil" @@ -54,87 +56,89 @@ func TestSupervisorOIDCDiscovery(t *testing.T) { }) tests := []struct { - Scheme string - Address string + Scheme string + Address string + CABundle string }{ {Scheme: "http", Address: env.SupervisorHTTPAddress}, - {Scheme: "https", Address: env.SupervisorHTTPSAddress}, + {Scheme: "https", Address: env.SupervisorHTTPSAddress, CABundle: env.SupervisorHTTPSCABundle}, } for _, test := range tests { - supervisorScheme := test.Scheme - supervisorAddress := test.Address + scheme := test.Scheme + addr := test.Address + caBundle := test.CABundle - if supervisorAddress == "" { + if addr == "" { // Both cases are not required, so when one is empty skip it. continue } // Test that there is no default discovery endpoint available when there are no OIDCProviderConfigs. - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, fmt.Sprintf("%s://%s", supervisorScheme, supervisorAddress)) + requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, fmt.Sprintf("%s://%s", scheme, addr)) // Define several unique issuer strings. - issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", supervisorScheme, supervisorAddress) - issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", supervisorScheme, supervisorAddress) - issuer3 := fmt.Sprintf("%s://%s/issuer3", supervisorScheme, supervisorAddress) - issuer4 := fmt.Sprintf("%s://%s/issuer4", supervisorScheme, supervisorAddress) - issuer5 := fmt.Sprintf("%s://%s/issuer5", supervisorScheme, supervisorAddress) - issuer6 := fmt.Sprintf("%s://%s/issuer6", supervisorScheme, supervisorAddress) - badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", supervisorScheme, supervisorAddress) + issuer1 := fmt.Sprintf("%s://%s/nested/issuer1", scheme, addr) + issuer2 := fmt.Sprintf("%s://%s/nested/issuer2", scheme, addr) + issuer3 := fmt.Sprintf("%s://%s/issuer3", scheme, addr) + issuer4 := fmt.Sprintf("%s://%s/issuer4", scheme, addr) + issuer5 := fmt.Sprintf("%s://%s/issuer5", scheme, addr) + issuer6 := fmt.Sprintf("%s://%s/issuer6", scheme, addr) + badIssuer := fmt.Sprintf("%s://%s/badIssuer?cannot-use=queries", scheme, addr) // When OIDCProviderConfig are created in sequence they each cause a discovery endpoint to appear only for as long as the OIDCProviderConfig exists. - config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer1, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, supervisorScheme, supervisorAddress, issuer1) - config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer2, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, supervisorScheme, supervisorAddress, issuer2) + config1, jwks1 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer1, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config1, client, ns, scheme, addr, caBundle, issuer1) + config2, jwks2 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer2, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config2, client, ns, scheme, addr, caBundle, issuer2) // The auto-created JWK's were different from each other. require.NotEqual(t, jwks1.Keys[0]["x"], jwks2.Keys[0]["x"]) require.NotEqual(t, jwks1.Keys[0]["y"], jwks2.Keys[0]["y"]) // When multiple OIDCProviderConfigs exist at the same time they each serve a unique discovery endpoint. - config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer3, client) - config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer4, client) - requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer3) // discovery for issuer3 is still working after issuer4 started working + config3, jwks3 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer3, client) + config4, jwks4 := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer4, client) + requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer3) // discovery for issuer3 is still working after issuer4 started working // The auto-created JWK's were different from each other. require.NotEqual(t, jwks3.Keys[0]["x"], jwks4.Keys[0]["x"]) require.NotEqual(t, jwks3.Keys[0]["y"], jwks4.Keys[0]["y"]) // Editing a provider to change the issuer name updates the endpoints that are being served. updatedConfig4 := editOIDCProviderConfigIssuerName(t, config4, client, ns, issuer5) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer4) - jwks5 := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuer5) + requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer4) + jwks5 := requireDiscoveryEndpointsAreWorking(t, scheme, addr, caBundle, issuer5) // The JWK did not change when the issuer name was updated. require.Equal(t, jwks4.Keys[0], jwks5.Keys[0]) // When they are deleted they stop serving discovery endpoints. - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, supervisorScheme, supervisorAddress, issuer3) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, supervisorScheme, supervisorAddress, issuer5) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config3, client, ns, scheme, addr, caBundle, issuer3) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, updatedConfig4, client, ns, scheme, addr, caBundle, issuer5) // When the same issuer is added twice, both issuers are marked as duplicates, and neither provider is serving. - config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer6, client) + config6Duplicate1, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer6, client) config6Duplicate2 := library.CreateTestOIDCProvider(ctx, t, issuer6) requireStatus(t, client, ns, config6Duplicate1.Name, v1alpha1.DuplicateOIDCProviderStatus) requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.DuplicateOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuer6) + requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, issuer6) // If we delete the first duplicate issuer, the second duplicate issuer starts serving. requireDelete(t, client, ns, config6Duplicate1.Name) - requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuer6) + requireWellKnownEndpointIsWorking(t, scheme, addr, caBundle, issuer6) requireStatus(t, client, ns, config6Duplicate2.Name, v1alpha1.SuccessOIDCProviderStatus) // When we finally delete all issuers, the endpoint should be down. - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, supervisorScheme, supervisorAddress, issuer6) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config6Duplicate2, client, ns, scheme, addr, caBundle, issuer6) // "Host" headers can be used to send requests to discovery endpoints when the public address is different from the issuer name. - issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", supervisorScheme) - config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, supervisorScheme, supervisorAddress, issuer7, client) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, supervisorScheme, supervisorAddress, issuer7) + issuer7 := fmt.Sprintf("%s://some-issuer-host-and-port-that-doesnt-match-public-supervisor-address.com:2684/issuer7", scheme) + config7, _ := requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear(ctx, t, scheme, addr, caBundle, issuer7, client) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, config7, client, ns, scheme, addr, caBundle, issuer7) // When we create a provider with an invalid issuer, the status is set to invalid. badConfig := library.CreateTestOIDCProvider(ctx, t, badIssuer) requireStatus(t, client, ns, badConfig.Name, v1alpha1.InvalidOIDCProviderStatus) - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, badIssuer) - requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, supervisorScheme, supervisorAddress, badIssuer) + requireDiscoveryEndpointsAreNotFound(t, scheme, addr, caBundle, badIssuer) + requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear(t, badConfig, client, ns, scheme, addr, caBundle, badIssuer) } } @@ -146,17 +150,17 @@ func wellKnownURLForIssuer(scheme, host, path string) string { return fmt.Sprintf("%s://%s/%s/.well-known/openid-configuration", scheme, host, strings.TrimPrefix(path, "/")) } -func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) { +func requireDiscoveryEndpointsAreNotFound(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) { t.Helper() issuerURL, err := url.Parse(issuerName) require.NoError(t, err) - requireEndpointNotFound(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host) - requireEndpointNotFound(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host) + requireEndpointNotFound(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle) + requireEndpointNotFound(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerURL.Host, supervisorCABundle) } -func requireEndpointNotFound(t *testing.T, url, host string) { +func requireEndpointNotFound(t *testing.T, url, host, caBundle string) { t.Helper() - httpClient := &http.Client{} + httpClient := newHTTPClient(caBundle) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() @@ -179,24 +183,20 @@ func requireEndpointNotFound(t *testing.T, url, host string) { func requireCreatingOIDCProviderConfigCausesDiscoveryEndpointsToAppear( ctx context.Context, t *testing.T, - supervisorScheme, supervisorAddress string, + supervisorScheme, supervisorAddress, supervisorCABundle string, issuerName string, client pinnipedclientset.Interface, ) (*v1alpha1.OIDCProviderConfig, *ExpectedJWKSResponseFormat) { t.Helper() - newOIDCProviderConfig := library.CreateTestOIDCProvider(ctx, t, issuerName) - - jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, issuerName) - + jwksResult := requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName) requireStatus(t, client, newOIDCProviderConfig.Namespace, newOIDCProviderConfig.Name, v1alpha1.SuccessOIDCProviderStatus) - return newOIDCProviderConfig, jwksResult } -func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) *ExpectedJWKSResponseFormat { - requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuerName) - jwksResult := requireJWKSEndpointIsWorking(t, supervisorScheme, supervisorAddress, issuerName) +func requireDiscoveryEndpointsAreWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) *ExpectedJWKSResponseFormat { + requireWellKnownEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName) + jwksResult := requireJWKSEndpointIsWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName) return jwksResult } @@ -205,7 +205,7 @@ func requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear( existingOIDCProviderConfig *v1alpha1.OIDCProviderConfig, client pinnipedclientset.Interface, ns string, - supervisorScheme, supervisorAddress string, + supervisorScheme, supervisorAddress, supervisorCABundle string, issuerName string, ) { t.Helper() @@ -217,15 +217,14 @@ func requireDeletingOIDCProviderConfigCausesDiscoveryEndpointsToDisappear( require.NoError(t, err) // Fetch that same discovery endpoint as before, but now it should not exist anymore. Give it some time for the endpoint to go away. - requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, issuerName) + requireDiscoveryEndpointsAreNotFound(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName) } -func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) { +func requireWellKnownEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) { t.Helper() - issuerURL, err := url.Parse(issuerName) require.NoError(t, err) - response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName) //nolint:bodyclose + response, responseBody := requireSuccessEndpointResponse(t, wellKnownURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName, supervisorCABundle) //nolint:bodyclose // Check that the response matches our expectations. expectedResultTemplate := here.Doc(`{ @@ -251,12 +250,12 @@ type ExpectedJWKSResponseFormat struct { Keys []map[string]string } -func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, issuerName string) *ExpectedJWKSResponseFormat { +func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName string) *ExpectedJWKSResponseFormat { t.Helper() issuerURL, err := url.Parse(issuerName) require.NoError(t, err) - response, responseBody := requireSuccessEndpointResponse(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName) //nolint:bodyclose + response, responseBody := requireSuccessEndpointResponse(t, jwksURLForIssuer(supervisorScheme, supervisorAddress, issuerURL.Path), issuerName, supervisorCABundle) //nolint:bodyclose var result ExpectedJWKSResponseFormat err = json.Unmarshal([]byte(responseBody), &result) @@ -278,8 +277,9 @@ func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddr return &result } -func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer string) (*http.Response, string) { - httpClient := &http.Client{} +func requireSuccessEndpointResponse(t *testing.T, endpointURL, issuer, caBundle string) (*http.Response, string) { + t.Helper() + httpClient := newHTTPClient(caBundle) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() @@ -359,3 +359,13 @@ func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name st require.NoError(t, err) require.Equalf(t, status, opc.Status.Status, "unexpected status (message = '%s')", opc.Status.Message) } + +func newHTTPClient(caBundle string) *http.Client { + c := &http.Client{} + if caBundle != "" { // CA bundle is optional + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM([]byte(caBundle)) + c.Transport = &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: caCertPool}} + } + return c +} diff --git a/test/library/env.go b/test/library/env.go index 77609415..ed39a193 100644 --- a/test/library/env.go +++ b/test/library/env.go @@ -26,16 +26,17 @@ const ( type TestEnv struct { t *testing.T - ConciergeNamespace string `json:"conciergeNamespace"` - SupervisorNamespace string `json:"supervisorNamespace"` - ConciergeAppName string `json:"conciergeAppName"` - SupervisorAppName string `json:"supervisorAppName"` - SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"` - ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"` - Capabilities map[Capability]bool `json:"capabilities"` - TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"` - SupervisorHTTPAddress string `json:"supervisorHttpAddress"` - SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"` + ConciergeNamespace string `json:"conciergeNamespace"` + SupervisorNamespace string `json:"supervisorNamespace"` + ConciergeAppName string `json:"conciergeAppName"` + SupervisorAppName string `json:"supervisorAppName"` + SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"` + ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"` + Capabilities map[Capability]bool `json:"capabilities"` + TestWebhook idpv1alpha1.WebhookIdentityProviderSpec `json:"testWebhook"` + SupervisorHTTPAddress string `json:"supervisorHttpAddress"` + SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"` + SupervisorHTTPSCABundle string `json:"supervisorHttpsCABundle"` TestUser struct { Token string `json:"token"` @@ -97,6 +98,7 @@ func IntegrationEnv(t *testing.T) *TestEnv { result.SupervisorHTTPAddress+result.SupervisorHTTPSAddress, "must specify either PINNIPED_TEST_SUPERVISOR_HTTP_ADDRESS or PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS env var (or both) for integration tests", ) + result.SupervisorHTTPSCABundle = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_CA_BUNDLE") // optional conciergeCustomLabelsYAML := needEnv("PINNIPED_TEST_CONCIERGE_CUSTOM_LABELS") var conciergeCustomLabels map[string]string