Update integration test helper to call new OIDCClientSecretRequest API
This commit is contained in:
parent
ee3515f23b
commit
90f13225ef
@ -14,10 +14,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
|
||||||
|
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"golang.org/x/crypto/bcrypt"
|
|
||||||
authorizationv1 "k8s.io/api/authorization/v1"
|
authorizationv1 "k8s.io/api/authorization/v1"
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
rbacv1 "k8s.io/api/rbac/v1"
|
rbacv1 "k8s.io/api/rbac/v1"
|
||||||
@ -31,13 +28,13 @@ import (
|
|||||||
|
|
||||||
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||||
"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
||||||
|
clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
|
||||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||||
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||||
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
|
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
|
||||||
supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
|
supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
|
||||||
"go.pinniped.dev/internal/groupsuffix"
|
"go.pinniped.dev/internal/groupsuffix"
|
||||||
"go.pinniped.dev/internal/kubeclient"
|
"go.pinniped.dev/internal/kubeclient"
|
||||||
"go.pinniped.dev/internal/oidcclientsecretstorage"
|
|
||||||
|
|
||||||
// Import to initialize client auth plugins - the kubeconfig that we use for
|
// Import to initialize client auth plugins - the kubeconfig that we use for
|
||||||
// testing may use gcloud, az, oidc, etc.
|
// testing may use gcloud, az, oidc, etc.
|
||||||
@ -424,43 +421,34 @@ func CreateOIDCClient(t *testing.T, spec configv1alpha1.OIDCClientSpec, expected
|
|||||||
}
|
}
|
||||||
|
|
||||||
func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClient) string {
|
func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClient) string {
|
||||||
// TODO Replace this with a call to the real Supervisor API for creating client secrets after that gets implemented.
|
|
||||||
// For now, just manually create a Secret with the right format so the tests can work.
|
|
||||||
t.Helper()
|
t.Helper()
|
||||||
env := IntegrationEnv(t)
|
env := IntegrationEnv(t)
|
||||||
kubeClient := NewKubernetesClientset(t)
|
supervisorClient := NewSupervisorClientset(t)
|
||||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
var buf [32]byte
|
// Call the OIDCClientSecretRequest using the "create" verb to generate a new random client secret for the
|
||||||
_, err := io.ReadFull(rand.Reader, buf[:])
|
// client of the given name.
|
||||||
require.NoError(t, err)
|
secretRequest, err := supervisorClient.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
|
||||||
randomSecret := hex.EncodeToString(buf[:])
|
&clientsecretv1alpha1.OIDCClientSecretRequest{
|
||||||
hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), oidcclientvalidator.DefaultMinBcryptCost)
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
require.NoError(t, err)
|
Name: forOIDCClient.Name,
|
||||||
|
},
|
||||||
created, err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Create(ctx, &corev1.Secret{
|
Spec: clientsecretv1alpha1.OIDCClientSecretRequestSpec{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
GenerateNewSecret: true,
|
||||||
Name: oidcclientsecretstorage.New(nil).GetName(forOIDCClient.UID), // use the required name
|
RevokeOldSecrets: false,
|
||||||
Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret", "pinniped.dev/test": ""},
|
},
|
||||||
Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
|
|
||||||
},
|
},
|
||||||
Type: "storage.pinniped.dev/oidc-client-secret",
|
metav1.CreateOptions{},
|
||||||
Data: map[string][]byte{
|
)
|
||||||
"pinniped-storage-data": []byte(`{"version":"1","hashes":["` + string(hashedRandomSecret) + `"]}`),
|
|
||||||
"pinniped-storage-version": []byte("1"),
|
|
||||||
},
|
|
||||||
}, metav1.CreateOptions{})
|
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
t.Cleanup(func() {
|
// The response should be present in the status.
|
||||||
t.Logf("cleaning up test Secret %s/%s", created.Namespace, created.Name)
|
generatedSecret := secretRequest.Status.GeneratedSecret
|
||||||
err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{})
|
require.Len(t, generatedSecret, 64) // randomly generated long secret
|
||||||
require.NoError(t, err)
|
require.Equal(t, 1, secretRequest.Status.TotalClientSecrets)
|
||||||
})
|
|
||||||
|
|
||||||
t.Logf("created test Secret %s", created.Name)
|
return generatedSecret
|
||||||
return randomSecret
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider {
|
func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider {
|
||||||
|
Loading…
Reference in New Issue
Block a user