From 91af51d38e1b5521417e827efca02647ad77e81c Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Tue, 15 Dec 2020 17:16:08 -0800
Subject: [PATCH] Fix integration tests to work with the username and sub claims

Signed-off-by: Margo Crawford
---
 .../concierge_credentialrequest_test.go | 15 ++++++++-------
 test/integration/supervisor_login_test.go | 6 +++++-
 test/library/client.go | 9 +++++----
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/test/integration/concierge_credentialrequest_test.go b/test/integration/concierge_credentialrequest_test.go
index 5e2458e0..67e2574e 100644
--- a/test/integration/concierge_credentialrequest_test.go
+++ b/test/integration/concierge_credentialrequest_test.go
@@ -62,18 +62,19 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 {
 name: "jwt authenticator",
 authenticator: func(t *testing.T) corev1.TypedLocalObjectReference {
- return library.CreateTestJWTAuthenticator(ctx, t)
+ return library.CreateTestJWTAuthenticator(ctx, t, "email")
 },
 token: func(t *testing.T) (string, string, []string) {
 pinnipedExe := buildPinnipedCLI(t)
 credOutput, _ := runPinniedLoginOIDC(ctx, t, pinnipedExe)
 token := credOutput.Status.Token
- // By default, the JWTAuthenticator expects the username to be in the "sub" claim and the
+ // By default, the JWTAuthenticator expects the username to be in the "username" claim and the
 // groups to be in the "groups" claim.
- username, groups := getJWTSubAndGroupsClaims(t, token)
+ // We are configuring pinniped to set the username to be the "email" claim from the token.
+ username, groups := getJWTEmailAndGroupsClaims(t, token)
- return credOutput.Status.Token, username, groups
+ return token, username, groups
 },
 },
 }
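Review bot: The rewritten comment `+ // By default, the JWTAuthenticator expects the username to be in the "username" claim and the` describes a default this test case no longer exercises, because the authenticator is created with `CreateTestJWTAuthenticator(ctx, t, "email")` a few lines above, so a reader has to reconcile two sentences to learn which claim is actually compared. Replace the two comment lines with one that states the configured behaviour: `// The JWTAuthenticator above is created with usernameClaim "email", so the expected username is read from the same claim of the upstream token; groups still come from the "groups" claim.` That "username" is the product default is presumably right but cannot be confirmed from this diff. The test table and TestSuccessfulCredentialRequest both start and end outside the hunk.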
@@ -233,18 +234,18 @@ func safeDerefStringPtr(s *string) string {
 return *s
 }
-func getJWTSubAndGroupsClaims(t *testing.T, jwt string) (string, []string) {
+func getJWTEmailAndGroupsClaims(t *testing.T, jwt string) (string, []string) {
 t.Helper()
 token, err := jwtpkg.ParseSigned(jwt)
 require.NoError(t, err)
 var claims struct {
- Sub string `json:"sub"`
+ Email string `json:"email"`
 Groups []string `json:"groups"`
 }
 err = token.UnsafeClaimsWithoutVerification(&claims)
 require.NoError(t, err)
- return claims.Sub, claims.Groups
+ return claims.Email, claims.Groups
 }
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index ed4ca1eb..6d934f33 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -169,7 +169,7 @@ func TestSupervisorLogin(t *testing.T) {
 tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier())
 require.NoError(t, err)
- expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"}
+ expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"}
 verifyTokenResponse(t, tokenResponse, discovery, downstreamOAuth2Config, env.SupervisorTestUpstream.Issuer, nonceParam, expectedIDTokenClaims)
 // token exchange on the original token
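Review bot: `getJWTEmailAndGroupsClaims` returns `claims.Email` without checking that the upstream token actually carried an `email` claim, so if the provider omits it (for instance because the `email` scope was not granted) the expected username silently becomes "" and the failure only surfaces later as an opaque mismatch in the credential-request assertions. Add `require.NotEmpty(t, claims.Email, "upstream ID token has no email claim")` before the return, and the same for `claims.Groups` if the caller depends on non-empty groups. `UnsafeClaimsWithoutVerification` is acceptable here because the token came straight from the test's own login and is only used to derive expected values, but a one-line comment saying so, `// unverified parse is fine: the token only seeds expected values, it is not trusted for authz`, would keep this pattern from being copied into non-test code.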
@@ -226,6 +226,10 @@ func verifyTokenResponse(
 idTokenClaimNames = append(idTokenClaimNames, k)
 }
 require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames)
+ expectedUsernamePrefix := upstreamIssuerName + "?sub="
+ require.True(t, strings.HasPrefix(idTokenClaims["username"].(string), expectedUsernamePrefix))
+ require.Greater(t, len(idTokenClaims["username"].(string)), len(expectedUsernamePrefix),
+"the ID token Username should include the upstream user ID after the upstream issuer name")
 // Some light verification of the other tokens that were returned.
 require.NotEmpty(t, tokenResponse.AccessToken)
diff --git a/test/library/client.go b/test/library/client.go
index d11869d2..56c9bd22 100644
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -170,7 +170,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
 // authenticator within the test namespace.
 //
 // CreateTestJWTAuthenticator gets the OIDC issuer info from IntegrationEnv().CLITestUpstream.
-func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
+func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, usernameClaim string) corev1.TypedLocalObjectReference {
 t.Helper()
 testEnv := IntegrationEnv(t)
@@ -193,9 +193,10 @@ func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedL
 jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{
 ObjectMeta: testObjectMeta(t, "jwt-authenticator"),
 Spec: auth1alpha1.JWTAuthenticatorSpec{
- Issuer: testEnv.CLITestUpstream.Issuer,
- Audience: testEnv.CLITestUpstream.ClientID,
- TLS: tlsSpec,
+ Issuer: testEnv.CLITestUpstream.Issuer,
+ Audience: testEnv.CLITestUpstream.ClientID,
+ TLS: tlsSpec,
+ UsernameClaim: usernameClaim,
 },
 }, metav1.CreateOptions{})
 require.NoError(t, err, "could not create test JWTAuthenticator")
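Review bot: The new assertions in verifyTokenResponse use `idTokenClaims["username"].(string)` twice as an unchecked type assertion, so a missing or non-string `username` claim panics the test binary instead of producing a readable require failure that names the claim. Extract it once with a checked assertion and test the remainder directly: `username, ok := idTokenClaims["username"].(string)`, `require.True(t, ok, "username claim missing or not a string")`, then keep the HasPrefix check and replace the length comparison with `require.NotEmpty(t, strings.TrimPrefix(username, expectedUsernamePrefix), "the ID token username should include the upstream user ID after the upstream issuer name")`. The check also only pins the shape `issuer?sub=<something>`; if the upstream `sub` is reachable from verifyTokenResponse, asserting equality with `upstreamIssuerName + "?sub=" + upstreamSub` would verify the identity mapping itself, but that value is not visible in this hunk. verifyTokenResponse starts and ends outside the hunk.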
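Review bot: The new `usernameClaim` parameter on `CreateTestJWTAuthenticator` is not described by the doc comment directly above the signature, which still only says where the issuer comes from. Add after the existing sentence: `// usernameClaim is written to spec.usernameClaim of the created JWTAuthenticator; pass "" to leave it unset (presumably the authenticator then uses its default claim — confirm against the CRD).` Whether an empty string really falls back to a default is inferred from the field being a plain string in the second hunk, not shown by this diff. The function body continues past the first hunk and the second hunk sits inside it.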