Update integration test helper to call new OIDCClientSecretRequest API

This commit is contained in:
Ryan Richard 2022-09-19 09:44:25 -07:00
parent ee3515f23b
commit 90f13225ef


@ -14,10 +14,7 @@ import (
"testing" "testing"
"time" "time"
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"golang.org/x/crypto/bcrypt"
authorizationv1 "k8s.io/api/authorization/v1" authorizationv1 "k8s.io/api/authorization/v1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
@ -31,13 +28,13 @@ import (
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1" "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1" idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned" conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned" supervisorclientset "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned"
"go.pinniped.dev/internal/groupsuffix" "go.pinniped.dev/internal/groupsuffix"
"go.pinniped.dev/internal/kubeclient" "go.pinniped.dev/internal/kubeclient"
"go.pinniped.dev/internal/oidcclientsecretstorage"
// Import to initialize client auth plugins - the kubeconfig that we use for // Import to initialize client auth plugins - the kubeconfig that we use for
// testing may use gcloud, az, oidc, etc. // testing may use gcloud, az, oidc, etc.
@ -424,43 +421,34 @@ func CreateOIDCClient(t *testing.T, spec configv1alpha1.OIDCClientSpec, expected
} }
func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClient) string { func createOIDCClientSecret(t *testing.T, forOIDCClient *configv1alpha1.OIDCClient) string {
// TODO Replace this with a call to the real Supervisor API for creating client secrets after that gets implemented.
// For now, just manually create a Secret with the right format so the tests can work.
t.Helper() t.Helper()
env := IntegrationEnv(t) env := IntegrationEnv(t)
kubeClient := NewKubernetesClientset(t) supervisorClient := NewSupervisorClientset(t)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer cancel() defer cancel()
var buf [32]byte // Call the OIDCClientSecretRequest using the "create" verb to generate a new random client secret for the
_, err := io.ReadFull(rand.Reader, buf[:]) // client of the given name.
require.NoError(t, err) secretRequest, err := supervisorClient.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
randomSecret := hex.EncodeToString(buf[:]) &clientsecretv1alpha1.OIDCClientSecretRequest{
hashedRandomSecret, err := bcrypt.GenerateFromPassword([]byte(randomSecret), oidcclientvalidator.DefaultMinBcryptCost) ObjectMeta: metav1.ObjectMeta{
require.NoError(t, err) Name: forOIDCClient.Name,
},
created, err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Create(ctx, &corev1.Secret{ Spec: clientsecretv1alpha1.OIDCClientSecretRequestSpec{
ObjectMeta: metav1.ObjectMeta{ GenerateNewSecret: true,
Name: oidcclientsecretstorage.New(nil).GetName(forOIDCClient.UID), // use the required name RevokeOldSecrets: false,
Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret", "pinniped.dev/test": ""}, },
Annotations: map[string]string{"pinniped.dev/testName": t.Name()},
}, },
Type: "storage.pinniped.dev/oidc-client-secret", metav1.CreateOptions{},
Data: map[string][]byte{ )
"pinniped-storage-data": []byte(`{"version":"1","hashes":["` + string(hashedRandomSecret) + `"]}`),
"pinniped-storage-version": []byte("1"),
},
}, metav1.CreateOptions{})
require.NoError(t, err) require.NoError(t, err)
t.Cleanup(func() { // The response should be present in the status.
t.Logf("cleaning up test Secret %s/%s", created.Namespace, created.Name) generatedSecret := secretRequest.Status.GeneratedSecret
err := kubeClient.CoreV1().Secrets(env.SupervisorNamespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{}) require.Len(t, generatedSecret, 64) // randomly generated long secret
require.NoError(t, err) require.Equal(t, 1, secretRequest.Status.TotalClientSecrets)
})
t.Logf("created test Secret %s", created.Name) return generatedSecret
return randomSecret
} }
func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider { func CreateTestOIDCIdentityProvider(t *testing.T, spec idpv1alpha1.OIDCIdentityProviderSpec, expectedPhase idpv1alpha1.OIDCIdentityProviderPhase) *idpv1alpha1.OIDCIdentityProvider {
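Review bot: The rewritten createOIDCClientSecret drops the t.Cleanup that the old version registered to delete the generated storage Secret, so the client secret created through the OIDCClientSecretRequest API now outlives the test unless the Supervisor removes it together with the OIDCClient (not visible here; worth confirming, and otherwise a cleanup that issues a second request with `RevokeOldSecrets: true` or deletes the storage Secret should be restored). The assertion `require.Equal(t, 1, secretRequest.Status.TotalClientSecrets)` also makes the helper fail on any second call for the same OIDCClient, which is a new precondition that callers cannot see from the signature. I would add a doc comment on the helper: `// createOIDCClientSecret generates a new client secret for forOIDCClient via the OIDCClientSecretRequest API and returns the plaintext secret; it asserts that this is the client's only secret.` The length check `require.Len(t, generatedSecret, 64)` verifies only the size of the returned value, which is fine for a helper but should not be read as validating the secret's format.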