Merge branch 'main' into do-not-log-usernames-that-might-be-passwords

2021-05-28 16:16:01 -07:00 · 2021-05-28 16:16:01 -07:00 · 5263e0bae5
commit 5263e0bae5
parent 7ee1f8c441 b8205006ca
8 changed files with 42 additions and 7 deletions
--- a/test/cluster_capabilities/aks.yaml
+++ b/test/cluster_capabilities/aks.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: false
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/eks.yaml
+++ b/test/cluster_capabilities/eks.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/gke.yaml
+++ b/test/cluster_capabilities/gke.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/kind.yaml
+++ b/test/cluster_capabilities/kind.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: true
--- a/test/cluster_capabilities/tkgs.yaml
+++ b/test/cluster_capabilities/tkgs.yaml
@ -13,3 +13,6 @@ capabilities:
  # Does the cluster allow requests without authentication?
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
  anonymousAuthenticationSupported: true
+
+  # Are LDAP ports on the Internet reachable without interference from network firewalls or proxies?
+  canReachInternetLDAPPorts: false
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@ -277,6 +277,10 @@ func TestE2EFullIntegration(t *testing.T) {

 	// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands.
 	t.Run("with Supervisor LDAP upstream IDP", func(t *testing.T) {
+		if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+			t.Skip("LDAP integration test requires connectivity to an LDAP server")
+		}
+
 		expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
 		expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs

--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@ -41,6 +41,7 @@ func TestSupervisorLogin(t *testing.T) {

 	tests := []struct {
 		name                                 string
+		maybeSkip                            func(t *testing.T)
 		createIDP                            func(t *testing.T)
 		requestAuthorization                 func(t *testing.T, downstreamAuthorizeURL, downstreamCallbackURL string, httpClient *http.Client)
 		wantDownstreamIDTokenSubjectToMatch  string
@ -95,6 +96,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with email as username and groups names as DNs and using an LDAP provider which supports TLS",
+			maybeSkip: func(t *testing.T) {
+				t.Helper()
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+					t.Skip("LDAP integration test requires connectivity to an LDAP server")
+				}
+			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -154,6 +161,12 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 		{
 			name: "ldap with CN as username and group names as CNs and using an LDAP provider which only supports StartTLS", // try another variation of configuration options
+			maybeSkip: func(t *testing.T) {
+				t.Helper()
+				if len(env.ToolsNamespace) == 0 && !env.HasCapability(library.CanReachInternetLDAPPorts) {
+					t.Skip("LDAP integration test requires connectivity to an LDAP server")
+				}
+			},
 			createIDP: func(t *testing.T) {
 				t.Helper()
 				secret := library.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", v1.SecretTypeBasicAuth,
@ -213,14 +226,16 @@ func TestSupervisorLogin(t *testing.T) {
 		},
 	}
 	for _, test := range tests {
-		test := test
-		t.Run(test.name, func(t *testing.T) {
+		tt := test
+		t.Run(tt.name, func(t *testing.T) {
+			tt.maybeSkip(t)
+
 			testSupervisorLogin(t,
-				test.createIDP,
-				test.requestAuthorization,
-				test.wantDownstreamIDTokenSubjectToMatch,
-				test.wantDownstreamIDTokenUsernameToMatch,
-				test.wantDownstreamIDTokenGroups,
+				tt.createIDP,
+				tt.requestAuthorization,
+				tt.wantDownstreamIDTokenSubjectToMatch,
+				tt.wantDownstreamIDTokenUsernameToMatch,
+				tt.wantDownstreamIDTokenGroups,
 			)
 		})
 	}
--- a/test/library/env.go
+++ b/test/library/env.go
@ -24,6 +24,7 @@ const (
 	ClusterSigningKeyIsAvailable     Capability = "clusterSigningKeyIsAvailable"
 	AnonymousAuthenticationSupported Capability = "anonymousAuthenticationSupported"
 	HasExternalLoadBalancerProvider  Capability = "hasExternalLoadBalancerProvider"
+	CanReachInternetLDAPPorts        Capability = "canReachInternetLDAPPorts"
 )

 // TestEnv captures all the external parameters consumed by our integration tests.