Fix integration tests to work with the username and sub claims
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
parent
a10d219049
commit
91af51d38e
@ -62,18 +62,19 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
|
||||
{
|
||||
name: "jwt authenticator",
|
||||
authenticator: func(t *testing.T) corev1.TypedLocalObjectReference {
|
||||
return library.CreateTestJWTAuthenticator(ctx, t)
|
||||
return library.CreateTestJWTAuthenticator(ctx, t, "email")
|
||||
},
|
||||
token: func(t *testing.T) (string, string, []string) {
|
||||
pinnipedExe := buildPinnipedCLI(t)
|
||||
credOutput, _ := runPinniedLoginOIDC(ctx, t, pinnipedExe)
|
||||
token := credOutput.Status.Token
|
||||
|
||||
// By default, the JWTAuthenticator expects the username to be in the "sub" claim and the
|
||||
// By default, the JWTAuthenticator expects the username to be in the "username" claim and the
|
||||
// groups to be in the "groups" claim.
|
||||
username, groups := getJWTSubAndGroupsClaims(t, token)
|
||||
// We are configuring pinniped to set the username to be the "email" claim from the token.
|
||||
username, groups := getJWTEmailAndGroupsClaims(t, token)
|
||||
|
||||
return credOutput.Status.Token, username, groups
|
||||
return token, username, groups
|
||||
},
|
||||
},
|
||||
}
|
||||
@ -233,18 +234,18 @@ func safeDerefStringPtr(s *string) string {
|
||||
return *s
|
||||
}
|
||||
|
||||
func getJWTSubAndGroupsClaims(t *testing.T, jwt string) (string, []string) {
|
||||
func getJWTEmailAndGroupsClaims(t *testing.T, jwt string) (string, []string) {
|
||||
t.Helper()
|
||||
|
||||
token, err := jwtpkg.ParseSigned(jwt)
|
||||
require.NoError(t, err)
|
||||
|
||||
var claims struct {
|
||||
Sub string `json:"sub"`
|
||||
Email string `json:"email"`
|
||||
Groups []string `json:"groups"`
|
||||
}
|
||||
err = token.UnsafeClaimsWithoutVerification(&claims)
|
||||
require.NoError(t, err)
|
||||
|
||||
return claims.Sub, claims.Groups
|
||||
return claims.Email, claims.Groups
|
||||
}
|
||||
|
@ -169,7 +169,7 @@ func TestSupervisorLogin(t *testing.T) {
|
||||
tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier())
|
||||
require.NoError(t, err)
|
||||
|
||||
expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"}
|
||||
expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat", "username"}
|
||||
verifyTokenResponse(t, tokenResponse, discovery, downstreamOAuth2Config, env.SupervisorTestUpstream.Issuer, nonceParam, expectedIDTokenClaims)
|
||||
|
||||
// token exchange on the original token
|
||||
@ -226,6 +226,10 @@ func verifyTokenResponse(
|
||||
idTokenClaimNames = append(idTokenClaimNames, k)
|
||||
}
|
||||
require.ElementsMatch(t, expectedIDTokenClaims, idTokenClaimNames)
|
||||
expectedUsernamePrefix := upstreamIssuerName + "?sub="
|
||||
require.True(t, strings.HasPrefix(idTokenClaims["username"].(string), expectedUsernamePrefix))
|
||||
require.Greater(t, len(idTokenClaims["username"].(string)), len(expectedUsernamePrefix),
|
||||
"the ID token Username should include the upstream user ID after the upstream issuer name")
|
||||
|
||||
// Some light verification of the other tokens that were returned.
|
||||
require.NotEmpty(t, tokenResponse.AccessToken)
|
||||
|
@ -170,7 +170,7 @@ func CreateTestWebhookAuthenticator(ctx context.Context, t *testing.T) corev1.Ty
|
||||
// authenticator within the test namespace.
|
||||
//
|
||||
// CreateTestJWTAuthenticator gets the OIDC issuer info from IntegrationEnv().CLITestUpstream.
|
||||
func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
||||
func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T, usernameClaim string) corev1.TypedLocalObjectReference {
|
||||
t.Helper()
|
||||
testEnv := IntegrationEnv(t)
|
||||
|
||||
@ -196,6 +196,7 @@ func CreateTestJWTAuthenticator(ctx context.Context, t *testing.T) corev1.TypedL
|
||||
Issuer: testEnv.CLITestUpstream.Issuer,
|
||||
Audience: testEnv.CLITestUpstream.ClientID,
|
||||
TLS: tlsSpec,
|
||||
UsernameClaim: usernameClaim,
|
||||
},
|
||||
}, metav1.CreateOptions{})
|
||||
require.NoError(t, err, "could not create test JWTAuthenticator")
|
||||
|
Loading…
Reference in New Issue
Block a user