Merge branch 'main' into proposal_process

This commit is contained in:
Ryan Richard 2022-02-17 10:07:37 -08:00
commit 9dbf7d6bf5
12 changed files with 484 additions and 196 deletions

View File

@ -72,7 +72,7 @@ Please follow the procedure described in [SECURITY.md](SECURITY.md).
## CLA ## CLA
We welcome contributions from everyone but we can only accept them if you sign We welcome contributions from everyone, but we can only accept them if you sign
our Contributor License Agreement (CLA). If you would like to contribute and you our Contributor License Agreement (CLA). If you would like to contribute and you
have not signed it, our CLA-bot will walk you through the process when you open have not signed it, our CLA-bot will walk you through the process when you open
a Pull Request. For questions about the CLA process, see the a Pull Request. For questions about the CLA process, see the
@ -82,13 +82,21 @@ tracker.
## Building ## Building
The [Dockerfile](Dockerfile) at the root of the repo can be used to build and The [Dockerfile](Dockerfile) at the root of the repo can be used to build and
package the code. After making a change to the code, rebuild the docker image with the following command. package the server-side code. After making a change to the code, rebuild the
docker image with the following command.
```bash ```bash
# From the root directory of the repo... # From the root directory of the repo...
docker build . docker build .
``` ```
The Pinniped CLI client can be built for local use with the following command.
```bash
# From the root directory of the repo...
go build -o pinniped ./cmd/pinniped
```
## Testing ## Testing
### Running Lint ### Running Lint
@ -122,7 +130,7 @@ docker build .
brew install kind k14s/tap/ytt k14s/tap/kapp kubectl chromedriver nmap && brew cask install docker brew install kind k14s/tap/ytt k14s/tap/kapp kubectl chromedriver nmap && brew cask install docker
``` ```
1. Create a kind cluster, compile, create container images, and install Pinniped and supporting dependencies using: 1. Create a kind cluster, compile, create container images, and install Pinniped and supporting test dependencies using:
```bash ```bash
./hack/prepare-for-integration-tests.sh ./hack/prepare-for-integration-tests.sh

View File

@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. # Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# #
@ -420,6 +420,7 @@ EOF
log_note log_note
log_note "🚀 Ready to run integration tests! For example..." log_note "🚀 Ready to run integration tests! For example..."
log_note " cd $pinniped_path" log_note " cd $pinniped_path"
log_note " ulimit -n 512"
log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration' log_note ' source /tmp/integration-test-env && go test -v -race -count 1 -timeout 0 ./test/integration'
log_note log_note
log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"." log_note "Using GoLand? Paste the result of this command into GoLand's run configuration \"Environment\"."

View File

@ -53,8 +53,8 @@ window.onload = () => {
// Requests made using "no-cors" mode will hide the real response.status by making it 0 // Requests made using "no-cors" mode will hide the real response.status by making it 0
// and the real response.ok by making it false. // and the real response.ok by making it false.
// If the real response was success, then we would like to show the success state. // If the real response was success, then we would like to show the success state.
// If the real response was an error, then we wish we could show the manual // If the real response was an error, then we wish we could do something else (maybe show the error?),
// state, but we have no way to know that, as long as we are making "no-cors" requests. // but we have no way to know the real response as long as we are making "no-cors" requests.
// For now, show the success status for all responses. // For now, show the success status for all responses.
// In the future, we could make this request in "cors" mode once old versions of our CLI // In the future, we could make this request in "cors" mode once old versions of our CLI
// which did not handle CORS are upgraded out by our users. That would allow us to use // which did not handle CORS are upgraded out by our users. That would allow us to use

View File

@ -704,6 +704,11 @@ func (h *handlerState) initOIDCDiscovery() error {
return nil return nil
} }
// Validate that the issuer URL uses https, or else we cannot trust its discovery endpoint to get the other URLs.
if err := validateURLUsesHTTPS(h.issuer, "issuer"); err != nil {
return err
}
h.logger.V(debugLogLevel).Info("Pinniped: Performing OIDC discovery", "issuer", h.issuer) h.logger.V(debugLogLevel).Info("Pinniped: Performing OIDC discovery", "issuer", h.issuer)
var err error var err error
h.provider, err = oidc.NewProvider(h.ctx, h.issuer) h.provider, err = oidc.NewProvider(h.ctx, h.issuer)
@ -718,6 +723,18 @@ func (h *handlerState) initOIDCDiscovery() error {
Scopes: h.scopes, Scopes: h.scopes,
} }
// Validate that the discovered auth and token URLs use https. The OIDC spec for the authcode flow says:
// "Communication with the Authorization Endpoint MUST utilize TLS"
// (see https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint), and
// "Communication with the Token Endpoint MUST utilize TLS"
// (see https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
if err := validateURLUsesHTTPS(h.provider.Endpoint().AuthURL, "discovered authorize URL from issuer"); err != nil {
return err
}
if err := validateURLUsesHTTPS(h.provider.Endpoint().TokenURL, "discovered token URL from issuer"); err != nil {
return err
}
// Use response_mode=form_post if the provider supports it. // Use response_mode=form_post if the provider supports it.
var discoveryClaims struct { var discoveryClaims struct {
ResponseModesSupported []string `json:"response_modes_supported"` ResponseModesSupported []string `json:"response_modes_supported"`
@ -729,6 +746,17 @@ func (h *handlerState) initOIDCDiscovery() error {
return nil return nil
} }
func validateURLUsesHTTPS(uri string, uriName string) error {
parsed, err := url.Parse(uri)
if err != nil {
return fmt.Errorf("%s is not a valid URL: %w", uriName, err)
}
if parsed.Scheme != "https" {
return fmt.Errorf("%s must be an https URL, but had scheme %q instead", uriName, parsed.Scheme)
}
return nil
}
func stringSliceContains(slice []string, s string) bool { func stringSliceContains(slice []string, s string) bool {
for _, item := range slice { for _, item := range slice {
if item == s { if item == s {

View File

@ -6,6 +6,7 @@ package oidcclient
import ( import (
"bytes" "bytes"
"context" "context"
"crypto/x509"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -19,6 +20,10 @@ import (
"testing" "testing"
"time" "time"
"go.pinniped.dev/internal/net/phttp"
"go.pinniped.dev/internal/testutil/tlsserver"
"github.com/coreos/go-oidc/v3/oidc" "github.com/coreos/go-oidc/v3/oidc"
"github.com/golang/mock/gomock" "github.com/golang/mock/gomock"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -61,6 +66,13 @@ func (m *mockSessionCache) PutToken(key SessionCacheKey, token *oidctypes.Token)
m.sawPutTokens = append(m.sawPutTokens, token) m.sawPutTokens = append(m.sawPutTokens, token)
} }
func newClientForServer(server *httptest.Server) *http.Client {
pool := x509.NewCertPool()
caPEMData := tlsserver.TLSTestServerCA(server)
pool.AppendCertsFromPEM(caPEMData)
return phttp.Default(pool)
}
func TestLogin(t *testing.T) { // nolint:gocyclo func TestLogin(t *testing.T) { // nolint:gocyclo
time1 := time.Date(2035, 10, 12, 13, 14, 15, 16, time.UTC) time1 := time.Date(2035, 10, 12, 13, 14, 15, 16, time.UTC)
time1Unix := int64(2075807775) time1Unix := int64(2075807775)
@ -76,31 +88,33 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
IDToken: &oidctypes.IDToken{Token: "test-id-token-with-requested-audience", Expiry: metav1.NewTime(time1.Add(3 * time.Minute))}, IDToken: &oidctypes.IDToken{Token: "test-id-token-with-requested-audience", Expiry: metav1.NewTime(time1.Add(3 * time.Minute))},
} }
// Start a test server that returns 500 errors // Start a test server that returns 500 errors.
errorServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { errorServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "some discovery error", http.StatusInternalServerError) http.Error(w, "some discovery error", http.StatusInternalServerError)
})) }), nil)
t.Cleanup(errorServer.Close)
// Start a test server that returns discovery data with a broken response_modes_supported value. // Start a test server that returns discovery data with a broken response_modes_supported value.
brokenResponseModeMux := http.NewServeMux() brokenResponseModeMux := http.NewServeMux()
brokenResponseModeServer := httptest.NewServer(brokenResponseModeMux) brokenResponseModeServer := tlsserver.TLSTestServer(t, brokenResponseModeMux, nil)
brokenResponseModeMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { brokenResponseModeMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
type providerJSON struct { type providerJSON struct {
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
ResponseModesSupported string `json:"response_modes_supported"` // Wrong type (should be []string). ResponseModesSupported string `json:"response_modes_supported"` // Wrong type (should be []string).
} }
_ = json.NewEncoder(w).Encode(&providerJSON{ _ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: brokenResponseModeServer.URL, Issuer: brokenResponseModeServer.URL,
AuthURL: brokenResponseModeServer.URL + "/authorize",
TokenURL: brokenResponseModeServer.URL + "/token",
ResponseModesSupported: "invalid", ResponseModesSupported: "invalid",
}) })
}) })
t.Cleanup(brokenResponseModeServer.Close)
// Start a test server that returns discovery data with a broken token URL // Start a test server that returns discovery data with a broken token URL.
brokenTokenURLMux := http.NewServeMux() brokenTokenURLMux := http.NewServeMux()
brokenTokenURLServer := httptest.NewServer(brokenTokenURLMux) brokenTokenURLServer := tlsserver.TLSTestServer(t, brokenTokenURLMux, nil)
brokenTokenURLMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) { brokenTokenURLMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
type providerJSON struct { type providerJSON struct {
@ -116,7 +130,63 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
JWKSURL: brokenTokenURLServer.URL + "/keys", JWKSURL: brokenTokenURLServer.URL + "/keys",
}) })
}) })
t.Cleanup(brokenTokenURLServer.Close)
// Start a test server that returns discovery data with an insecure token URL.
insecureTokenURLMux := http.NewServeMux()
insecureTokenURLServer := tlsserver.TLSTestServer(t, insecureTokenURLMux, nil)
insecureTokenURLMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
type providerJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
JWKSURL string `json:"jwks_uri"`
}
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: insecureTokenURLServer.URL,
AuthURL: insecureTokenURLServer.URL + "/authorize",
TokenURL: "http://insecure-issuer.com",
JWKSURL: insecureTokenURLServer.URL + "/keys",
})
})
// Start a test server that returns discovery data with a broken authorize URL.
brokenAuthURLMux := http.NewServeMux()
brokenAuthURLServer := tlsserver.TLSTestServer(t, brokenAuthURLMux, nil)
brokenAuthURLMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
type providerJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
JWKSURL string `json:"jwks_uri"`
}
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: brokenAuthURLServer.URL,
AuthURL: `%`,
TokenURL: brokenAuthURLServer.URL + "/token",
JWKSURL: brokenAuthURLServer.URL + "/keys",
})
})
// Start a test server that returns discovery data with an insecure authorize URL.
insecureAuthURLMux := http.NewServeMux()
insecureAuthURLServer := tlsserver.TLSTestServer(t, insecureAuthURLMux, nil)
insecureAuthURLMux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("content-type", "application/json")
type providerJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
JWKSURL string `json:"jwks_uri"`
}
_ = json.NewEncoder(w).Encode(&providerJSON{
Issuer: insecureAuthURLServer.URL,
AuthURL: "http://insecure-issuer.com",
TokenURL: insecureAuthURLServer.URL + "/token",
JWKSURL: insecureAuthURLServer.URL + "/keys",
})
})
discoveryHandler := func(server *httptest.Server, responseModes []string) http.HandlerFunc { discoveryHandler := func(server *httptest.Server, responseModes []string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
@ -225,15 +295,13 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
// Start a test server that returns a real discovery document and answers refresh requests. // Start a test server that returns a real discovery document and answers refresh requests.
providerMux := http.NewServeMux() providerMux := http.NewServeMux()
successServer := httptest.NewServer(providerMux) successServer := tlsserver.TLSTestServer(t, providerMux, nil)
t.Cleanup(successServer.Close)
providerMux.HandleFunc("/.well-known/openid-configuration", discoveryHandler(successServer, nil)) providerMux.HandleFunc("/.well-known/openid-configuration", discoveryHandler(successServer, nil))
providerMux.HandleFunc("/token", tokenHandler) providerMux.HandleFunc("/token", tokenHandler)
// Start a test server that returns a real discovery document and answers refresh requests, _and_ supports form_mode=post. // Start a test server that returns a real discovery document and answers refresh requests, _and_ supports form_mode=post.
formPostProviderMux := http.NewServeMux() formPostProviderMux := http.NewServeMux()
formPostSuccessServer := httptest.NewServer(formPostProviderMux) formPostSuccessServer := tlsserver.TLSTestServer(t, formPostProviderMux, nil)
t.Cleanup(formPostSuccessServer.Close)
formPostProviderMux.HandleFunc("/.well-known/openid-configuration", discoveryHandler(formPostSuccessServer, []string{"query", "form_post"})) formPostProviderMux.HandleFunc("/.well-known/openid-configuration", discoveryHandler(formPostSuccessServer, []string{"query", "form_post"}))
formPostProviderMux.HandleFunc("/token", tokenHandler) formPostProviderMux.HandleFunc("/token", tokenHandler)
@ -265,13 +333,14 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithCLISendingCredentials()(h)) require.NoError(t, WithCLISendingCredentials()(h))
require.NoError(t, WithUpstreamIdentityProvider("some-upstream-name", "ldap")(h)) require.NoError(t, WithUpstreamIdentityProvider("some-upstream-name", "ldap")(h))
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithClient(&http.Client{ require.NoError(t, WithClient(&http.Client{
Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) { Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) {
switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path { switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path {
case "http://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration": case "https://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration":
return defaultDiscoveryResponse(req) return defaultDiscoveryResponse(req)
case "http://" + successServer.Listener.Addr().String() + "/authorize": case "https://" + successServer.Listener.Addr().String() + "/authorize":
return authResponse, authError return authResponse, authError
default: default:
require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String())) require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String()))
@ -331,11 +400,36 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
wantErr: "some error generating PKCE", wantErr: "some error generating PKCE",
}, },
{ {
name: "session cache hit but token expired", name: "issuer is not https",
issuer: "test-issuer", issuer: "http://insecure-issuer.com",
clientID: "test-client-id", clientID: "test-client-id",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
return nil
}
},
wantLogs: nil,
wantErr: `issuer must be an https URL, but had scheme "http" instead`,
},
{
name: "issuer is not a valid URL",
issuer: "%",
clientID: "test-client-id",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
return nil
}
},
wantLogs: nil,
wantErr: `issuer is not a valid URL: parse "%": invalid URL escape "%"`,
},
{
name: "session cache hit but token expired",
issuer: errorServer.URL,
clientID: "test-client-id",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(errorServer))(h))
cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{ cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{
IDToken: &oidctypes.IDToken{ IDToken: &oidctypes.IDToken{
Token: "test-id-token", Token: "test-id-token",
@ -344,7 +438,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}} }}
t.Cleanup(func() { t.Cleanup(func() {
require.Equal(t, []SessionCacheKey{{ require.Equal(t, []SessionCacheKey{{
Issuer: "test-issuer", Issuer: errorServer.URL,
ClientID: "test-client-id", ClientID: "test-client-id",
Scopes: []string{"test-scope"}, Scopes: []string{"test-scope"},
RedirectURI: "http://localhost:0/callback", RedirectURI: "http://localhost:0/callback",
@ -354,8 +448,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
return WithSessionCache(cache)(h) return WithSessionCache(cache)(h)
} }
}, },
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"test-issuer\""}, wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + errorServer.URL + "\""},
wantErr: `could not perform OIDC discovery for "test-issuer": Get "test-issuer/.well-known/openid-configuration": unsupported protocol scheme ""`, wantErr: "could not perform OIDC discovery for \"" + errorServer.URL + "\": 500 Internal Server Error: some discovery error\n",
}, },
{ {
name: "session cache hit with valid token", name: "session cache hit with valid token",
@ -382,7 +476,10 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
{ {
name: "discovery failure due to 500 error", name: "discovery failure due to 500 error",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return nil } return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(errorServer))(h))
return nil
}
}, },
issuer: errorServer.URL, issuer: errorServer.URL,
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + errorServer.URL + "\""}, wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + errorServer.URL + "\""},
@ -391,7 +488,10 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
{ {
name: "discovery failure due to invalid response_modes_supported", name: "discovery failure due to invalid response_modes_supported",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return nil } return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(brokenResponseModeServer))(h))
return nil
}
}, },
issuer: brokenResponseModeServer.URL, issuer: brokenResponseModeServer.URL,
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + brokenResponseModeServer.URL + "\""}, wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + brokenResponseModeServer.URL + "\""},
@ -403,6 +503,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
clientID: "test-client-id", clientID: "test-client-id",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
h.getProvider = func(config *oauth2.Config, provider *oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI { h.getProvider = func(config *oauth2.Config, provider *oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI {
mock := mockUpstream(t) mock := mockUpstream(t)
mock.EXPECT(). mock.EXPECT().
@ -450,6 +552,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
clientID: "test-client-id", clientID: "test-client-id",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
h.getProvider = func(config *oauth2.Config, provider *oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI { h.getProvider = func(config *oauth2.Config, provider *oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI {
mock := mockUpstream(t) mock := mockUpstream(t)
mock.EXPECT(). mock.EXPECT().
@ -490,6 +594,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
clientID: "not-the-test-client-id", clientID: "not-the-test-client-id",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{ cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{
IDToken: &oidctypes.IDToken{ IDToken: &oidctypes.IDToken{
Token: "expired-test-id-token", Token: "expired-test-id-token",
@ -517,10 +623,59 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
// Expect this to fall through to the authorization code flow, so it fails here. // Expect this to fall through to the authorization code flow, so it fails here.
wantErr: "login failed: must have either a localhost listener or stdin must be a TTY", wantErr: "login failed: must have either a localhost listener or stdin must be a TTY",
}, },
{
name: "issuer has invalid token URL",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(brokenTokenURLServer))(h))
return nil
}
},
issuer: brokenTokenURLServer.URL,
wantLogs: []string{`"level"=4 "msg"="Pinniped: Performing OIDC discovery" "issuer"="` + brokenTokenURLServer.URL + `"`},
wantErr: `discovered token URL from issuer is not a valid URL: parse "%": invalid URL escape "%"`,
},
{
name: "issuer has insecure token URL",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(insecureTokenURLServer))(h))
return nil
}
},
issuer: insecureTokenURLServer.URL,
wantLogs: []string{`"level"=4 "msg"="Pinniped: Performing OIDC discovery" "issuer"="` + insecureTokenURLServer.URL + `"`},
wantErr: `discovered token URL from issuer must be an https URL, but had scheme "http" instead`,
},
{
name: "issuer has invalid authorize URL",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(brokenAuthURLServer))(h))
return nil
}
},
issuer: brokenAuthURLServer.URL,
wantLogs: []string{`"level"=4 "msg"="Pinniped: Performing OIDC discovery" "issuer"="` + brokenAuthURLServer.URL + `"`},
wantErr: `discovered authorize URL from issuer is not a valid URL: parse "%": invalid URL escape "%"`,
},
{
name: "issuer has insecure authorize URL",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(insecureAuthURLServer))(h))
return nil
}
},
issuer: insecureAuthURLServer.URL,
wantLogs: []string{`"level"=4 "msg"="Pinniped: Performing OIDC discovery" "issuer"="` + insecureAuthURLServer.URL + `"`},
wantErr: `discovered authorize URL from issuer must be an https URL, but had scheme "http" instead`,
},
{ {
name: "listen failure and non-tty stdin", name: "listen failure and non-tty stdin",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
h.listen = func(net string, addr string) (net.Listener, error) { h.listen = func(net string, addr string) (net.Listener, error) {
assert.Equal(t, "tcp", net) assert.Equal(t, "tcp", net)
assert.Equal(t, "localhost:0", addr) assert.Equal(t, "localhost:0", addr)
@ -544,6 +699,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
name: "listening disabled and manual prompt fails", name: "listening disabled and manual prompt fails",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(formPostSuccessServer))(h))
require.NoError(t, WithSkipListen()(h)) require.NoError(t, WithSkipListen()(h))
h.isTTY = func(fd int) bool { return true } h.isTTY = func(fd int) bool { return true }
h.openURL = func(authorizeURL string) error { h.openURL = func(authorizeURL string) error {
@ -570,6 +726,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
name: "listen success and manual prompt succeeds", name: "listen success and manual prompt succeeds",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(formPostSuccessServer))(h))
h.listen = func(string, string) (net.Listener, error) { return nil, fmt.Errorf("some listen error") } h.listen = func(string, string) (net.Listener, error) { return nil, fmt.Errorf("some listen error") }
h.isTTY = func(fd int) bool { return true } h.isTTY = func(fd int) bool { return true }
h.openURL = func(authorizeURL string) error { h.openURL = func(authorizeURL string) error {
@ -596,6 +753,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
name: "timeout waiting for callback", name: "timeout waiting for callback",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
ctx, cancel := context.WithCancel(h.ctx) ctx, cancel := context.WithCancel(h.ctx)
h.ctx = ctx h.ctx = ctx
@ -614,6 +773,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
name: "callback returns error", name: "callback returns error",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
h.openURL = func(_ string) error { h.openURL = func(_ string) error {
go func() { go func() {
h.callbacks <- callbackResult{err: fmt.Errorf("some callback error")} h.callbacks <- callbackResult{err: fmt.Errorf("some callback error")}
@ -649,7 +809,10 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens) require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens)
}) })
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithClient(&http.Client{Timeout: 10 * time.Second})(h))
client := newClientForServer(successServer)
client.Timeout = 10 * time.Second
require.NoError(t, WithClient(client)(h))
h.openURL = func(actualURL string) error { h.openURL = func(actualURL string) error {
parsedActualURL, err := url.Parse(actualURL) parsedActualURL, err := url.Parse(actualURL)
@ -710,7 +873,10 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens) require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens)
}) })
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithClient(&http.Client{Timeout: 10 * time.Second})(h))
client := newClientForServer(formPostSuccessServer)
client.Timeout = 10 * time.Second
require.NoError(t, WithClient(client)(h))
h.openURL = func(actualURL string) error { h.openURL = func(actualURL string) error {
parsedActualURL, err := url.Parse(actualURL) parsedActualURL, err := url.Parse(actualURL)
@ -772,9 +938,12 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens) require.Equal(t, []*oidctypes.Token{&testToken}, cache.sawPutTokens)
}) })
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithClient(&http.Client{Timeout: 10 * time.Second})(h))
require.NoError(t, WithUpstreamIdentityProvider("some-upstream-name", "oidc")(h)) require.NoError(t, WithUpstreamIdentityProvider("some-upstream-name", "oidc")(h))
client := newClientForServer(successServer)
client.Timeout = 10 * time.Second
require.NoError(t, WithClient(client)(h))
h.openURL = func(actualURL string) error { h.openURL = func(actualURL string) error {
parsedActualURL, err := url.Parse(actualURL) parsedActualURL, err := url.Parse(actualURL)
require.NoError(t, err) require.NoError(t, err)
@ -851,10 +1020,11 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
_ = defaultLDAPTestOpts(t, h, nil, nil) _ = defaultLDAPTestOpts(t, h, nil, nil)
require.NoError(t, WithClient(&http.Client{
Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) { client := newClientForServer(successServer)
client.Transport = roundtripper.Func(func(req *http.Request) (*http.Response, error) {
switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path { switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path {
case "http://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration": case "https://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration":
type providerJSON struct { type providerJSON struct {
Issuer string `json:"issuer"` Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"` AuthURL string `json:"authorization_endpoint"`
@ -877,14 +1047,15 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String())) require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String()))
return nil, nil return nil, nil
} }
}), })
})(h)) require.NoError(t, WithClient(client)(h))
return nil return nil
} }
}, },
issuer: successServer.URL, issuer: successServer.URL,
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + successServer.URL + "\""}, wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + successServer.URL + "\""},
wantErr: `could not build authorize request: parse "%?access_type=offline&client_id=test-client-id&code_challenge=VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g&code_challenge_method=S256&nonce=test-nonce&pinniped_idp_name=some-upstream-name&pinniped_idp_type=ldap&redirect_uri=http%3A%2F%2F127.0.0.1%3A0%2Fcallback&response_type=code&scope=test-scope&state=test-state": invalid URL escape "%"`, wantErr: `discovered authorize URL from issuer is not a valid URL: parse "%": invalid URL escape "%"`,
}, },
{ {
name: "ldap login when there is an error calling the authorization endpoint", name: "ldap login when there is an error calling the authorization endpoint",
@ -896,7 +1067,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}, },
issuer: successServer.URL, issuer: successServer.URL,
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + successServer.URL + "\""}, wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + successServer.URL + "\""},
wantErr: `authorization response error: Get "http://` + successServer.Listener.Addr().String() + wantErr: `authorization response error: Get "https://` + successServer.Listener.Addr().String() +
`/authorize?access_type=offline&client_id=test-client-id&code_challenge=VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g&code_challenge_method=S256&nonce=test-nonce&pinniped_idp_name=some-upstream-name&pinniped_idp_type=ldap&redirect_uri=http%3A%2F%2F127.0.0.1%3A0%2Fcallback&response_type=code&scope=test-scope&state=test-state": some error fetching authorize endpoint`, `/authorize?access_type=offline&client_id=test-client-id&code_challenge=VVaezYqum7reIhoavCHD1n2d-piN3r_mywoYj7fCR7g&code_challenge_method=S256&nonce=test-nonce&pinniped_idp_name=some-upstream-name&pinniped_idp_type=ldap&redirect_uri=http%3A%2F%2F127.0.0.1%3A0%2Fcallback&response_type=code&scope=test-scope&state=test-state": some error fetching authorize endpoint`,
}, },
{ {
@ -1058,13 +1229,13 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.True(t, authorizeRequestWasMade, "should have made an authorize request") require.True(t, authorizeRequestWasMade, "should have made an authorize request")
}) })
require.NoError(t, WithClient(&http.Client{ client := newClientForServer(successServer)
Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) { client.Transport = roundtripper.Func(func(req *http.Request) (*http.Response, error) {
switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path { switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path {
case "http://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration": case "https://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration":
discoveryRequestWasMade = true discoveryRequestWasMade = true
return defaultDiscoveryResponse(req) return defaultDiscoveryResponse(req)
case "http://" + successServer.Listener.Addr().String() + "/authorize": case "https://" + successServer.Listener.Addr().String() + "/authorize":
authorizeRequestWasMade = true authorizeRequestWasMade = true
require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username")) require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username"))
require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password")) require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password"))
@ -1095,8 +1266,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String())) require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String()))
return nil, nil return nil, nil
} }
}), })
})(h)) require.NoError(t, WithClient(client)(h))
return nil return nil
} }
}, },
@ -1165,13 +1336,13 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.True(t, authorizeRequestWasMade, "should have made an authorize request") require.True(t, authorizeRequestWasMade, "should have made an authorize request")
}) })
require.NoError(t, WithClient(&http.Client{ client := newClientForServer(successServer)
Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) { client.Transport = roundtripper.Func(func(req *http.Request) (*http.Response, error) {
switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path { switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path {
case "http://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration": case "https://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration":
discoveryRequestWasMade = true discoveryRequestWasMade = true
return defaultDiscoveryResponse(req) return defaultDiscoveryResponse(req)
case "http://" + successServer.Listener.Addr().String() + "/authorize": case "https://" + successServer.Listener.Addr().String() + "/authorize":
authorizeRequestWasMade = true authorizeRequestWasMade = true
require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username")) require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username"))
require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password")) require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password"))
@ -1202,8 +1373,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String())) require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String()))
return nil, nil return nil, nil
} }
}), })
})(h)) require.NoError(t, WithClient(client)(h))
return nil return nil
} }
}, },
@ -1276,13 +1447,13 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.True(t, authorizeRequestWasMade, "should have made an authorize request") require.True(t, authorizeRequestWasMade, "should have made an authorize request")
}) })
require.NoError(t, WithClient(&http.Client{ client := newClientForServer(successServer)
Transport: roundtripper.Func(func(req *http.Request) (*http.Response, error) { client.Transport = roundtripper.Func(func(req *http.Request) (*http.Response, error) {
switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path { switch req.URL.Scheme + "://" + req.URL.Host + req.URL.Path {
case "http://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration": case "https://" + successServer.Listener.Addr().String() + "/.well-known/openid-configuration":
discoveryRequestWasMade = true discoveryRequestWasMade = true
return defaultDiscoveryResponse(req) return defaultDiscoveryResponse(req)
case "http://" + successServer.Listener.Addr().String() + "/authorize": case "https://" + successServer.Listener.Addr().String() + "/authorize":
authorizeRequestWasMade = true authorizeRequestWasMade = true
require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username")) require.Equal(t, "some-upstream-username", req.Header.Get("Pinniped-Username"))
require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password")) require.Equal(t, "some-upstream-password", req.Header.Get("Pinniped-Password"))
@ -1313,8 +1484,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String())) require.FailNow(t, fmt.Sprintf("saw unexpected http call from the CLI: %s", req.URL.String()))
return nil, nil return nil, nil
} }
}), })
})(h)) require.NoError(t, WithClient(client)(h))
return nil return nil
} }
}, },
@ -1342,6 +1513,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(errorServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("cluster-1234")(h)) require.NoError(t, WithRequestAudience("cluster-1234")(h))
return nil return nil
@ -1352,6 +1524,33 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + errorServer.URL + "\""}, "\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + errorServer.URL + "\""},
wantErr: fmt.Sprintf("failed to exchange token: could not perform OIDC discovery for %q: 500 Internal Server Error: some discovery error\n", errorServer.URL), wantErr: fmt.Sprintf("failed to exchange token: could not perform OIDC discovery for %q: 500 Internal Server Error: some discovery error\n", errorServer.URL),
}, },
{
name: "with requested audience, session cache hit with valid token, but token URL is insecure",
issuer: insecureTokenURLServer.URL,
clientID: "test-client-id",
opt: func(t *testing.T) Option {
return func(h *handlerState) error {
cache := &mockSessionCache{t: t, getReturnsToken: &testToken}
t.Cleanup(func() {
require.Equal(t, []SessionCacheKey{{
Issuer: insecureTokenURLServer.URL,
ClientID: "test-client-id",
Scopes: []string{"test-scope"},
RedirectURI: "http://localhost:0/callback",
}}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens)
})
require.NoError(t, WithClient(newClientForServer(insecureTokenURLServer))(h))
require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("cluster-1234")(h))
return nil
}
},
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Found unexpired cached token.\"",
"\"level\"=4 \"msg\"=\"Pinniped: Performing RFC8693 token exchange\" \"requestedAudience\"=\"cluster-1234\"",
"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + insecureTokenURLServer.URL + "\""},
wantErr: `failed to exchange token: discovered token URL from issuer must be an https URL, but had scheme "http" instead`,
},
{ {
name: "with requested audience, session cache hit with valid token, but token URL is invalid", name: "with requested audience, session cache hit with valid token, but token URL is invalid",
issuer: brokenTokenURLServer.URL, issuer: brokenTokenURLServer.URL,
@ -1368,6 +1567,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(brokenTokenURLServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("cluster-1234")(h)) require.NoError(t, WithRequestAudience("cluster-1234")(h))
return nil return nil
@ -1376,7 +1576,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Found unexpired cached token.\"", wantLogs: []string{"\"level\"=4 \"msg\"=\"Pinniped: Found unexpired cached token.\"",
"\"level\"=4 \"msg\"=\"Pinniped: Performing RFC8693 token exchange\" \"requestedAudience\"=\"cluster-1234\"", "\"level\"=4 \"msg\"=\"Pinniped: Performing RFC8693 token exchange\" \"requestedAudience\"=\"cluster-1234\"",
"\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + brokenTokenURLServer.URL + "\""}, "\"level\"=4 \"msg\"=\"Pinniped: Performing OIDC discovery\" \"issuer\"=\"" + brokenTokenURLServer.URL + "\""},
wantErr: `failed to exchange token: could not build RFC8693 request: parse "%": invalid URL escape "%"`, wantErr: `failed to exchange token: discovered token URL from issuer is not a valid URL: parse "%": invalid URL escape "%"`,
}, },
{ {
name: "with requested audience, session cache hit with valid token, but token exchange request fails", name: "with requested audience, session cache hit with valid token, but token exchange request fails",
@ -1394,6 +1594,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-http-response")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-http-response")(h))
return nil return nil
@ -1420,6 +1621,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-http-400")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-http-400")(h))
return nil return nil
@ -1446,6 +1648,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-content-type")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-content-type")(h))
return nil return nil
@ -1472,6 +1675,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-wrong-content-type")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-wrong-content-type")(h))
return nil return nil
@ -1498,6 +1702,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-json")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-json")(h))
return nil return nil
@ -1524,6 +1729,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-tokentype")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-tokentype")(h))
return nil return nil
@ -1550,6 +1756,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-issuedtokentype")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-issuedtokentype")(h))
return nil return nil
@ -1576,6 +1783,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience-produce-invalid-jwt")(h)) require.NoError(t, WithRequestAudience("test-audience-produce-invalid-jwt")(h))
return nil return nil
@ -1602,6 +1810,7 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
}}, cache.sawGetKeys) }}, cache.sawGetKeys)
require.Empty(t, cache.sawPutTokens) require.Empty(t, cache.sawPutTokens)
}) })
require.NoError(t, WithClient(newClientForServer(successServer))(h))
require.NoError(t, WithSessionCache(cache)(h)) require.NoError(t, WithSessionCache(cache)(h))
require.NoError(t, WithRequestAudience("test-audience")(h)) require.NoError(t, WithRequestAudience("test-audience")(h))
@ -1624,6 +1833,8 @@ func TestLogin(t *testing.T) { // nolint:gocyclo
clientID: "test-client-id", clientID: "test-client-id",
opt: func(t *testing.T) Option { opt: func(t *testing.T) Option {
return func(h *handlerState) error { return func(h *handlerState) error {
require.NoError(t, WithClient(newClientForServer(successServer))(h))
cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{ cache := &mockSessionCache{t: t, getReturnsToken: &oidctypes.Token{
IDToken: &oidctypes.IDToken{ IDToken: &oidctypes.IDToken{
Token: "expired-test-id-token", Token: "expired-test-id-token",

View File

@ -95,8 +95,7 @@ spec:
# If you would also like to allow your end users to authenticate using # If you would also like to allow your end users to authenticate using
# a password grant, then change this to true. # a password grant, then change this to true.
# Password grants with Dex will only work in Dex versions that include # Password grant requires Dex v2.31.0 or later
# this bug fix: https://github.com/dexidp/dex/pull/2234
allowPasswordGrant: false allowPasswordGrant: false
# Specify how Dex claims are mapped to Kubernetes identities. # Specify how Dex claims are mapped to Kubernetes identities.

View File

@ -170,7 +170,7 @@ func deserializeWhoAmIRequest(t *testing.T, data string, apiGroupSuffix string)
return obj.(*identityv1alpha1.WhoAmIRequest) return obj.(*identityv1alpha1.WhoAmIRequest)
} }
func TestCLILoginOIDC(t *testing.T) { func TestCLILoginOIDC_Browser(t *testing.T) {
env := testlib.IntegrationEnv(t) env := testlib.IntegrationEnv(t)
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)

View File

@ -1,4 +1,4 @@
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved. // Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
package integration package integration
@ -45,10 +45,10 @@ func TestUnsuccessfulCredentialRequest_Parallel(t *testing.T) {
require.Equal(t, "authentication failed", *response.Status.Message) require.Equal(t, "authentication failed", *response.Status.Message)
} }
// TestSuccessfulCredentialRequest cannot run in parallel because runPinnipedLoginOIDC uses a fixed port // TestSuccessfulCredentialRequest_Browser cannot run in parallel because runPinnipedLoginOIDC uses a fixed port
// for its localhost listener via --listen-port=env.CLIUpstreamOIDC.CallbackURL.Port() per oidcLoginCommand. // for its localhost listener via --listen-port=env.CLIUpstreamOIDC.CallbackURL.Port() per oidcLoginCommand.
// Since ports are global to the process, tests using oidcLoginCommand must be run serially. // Since ports are global to the process, tests using oidcLoginCommand must be run serially.
func TestSuccessfulCredentialRequest(t *testing.T) { func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable) env := testlib.IntegrationEnv(t).WithCapability(testlib.ClusterSigningKeyIsAvailable)
ctx, cancel := context.WithTimeout(context.Background(), 6*time.Minute) ctx, cancel := context.WithTimeout(context.Background(), 6*time.Minute)

View File

@ -17,6 +17,7 @@ import (
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"regexp" "regexp"
"runtime"
"sort" "sort"
"strings" "strings"
"sync/atomic" "sync/atomic"
@ -47,8 +48,8 @@ import (
"go.pinniped.dev/test/testlib/browsertest" "go.pinniped.dev/test/testlib/browsertest"
) )
// TestE2EFullIntegration tests a full integration scenario that combines the supervisor, concierge, and CLI. // TestE2EFullIntegration_Browser tests a full integration scenario that combines the supervisor, concierge, and CLI.
func TestE2EFullIntegration(t *testing.T) { // nolint:gocyclo func TestE2EFullIntegration_Browser(t *testing.T) { // nolint:gocyclo
env := testlib.IntegrationEnv(t) env := testlib.IntegrationEnv(t)
ctx, cancelFunc := context.WithTimeout(context.Background(), 10*time.Minute) ctx, cancelFunc := context.WithTimeout(context.Background(), 10*time.Minute)
@ -449,8 +450,13 @@ func TestE2EFullIntegration(t *testing.T) { // nolint:gocyclo
start := time.Now() start := time.Now()
kubectlCmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", "--kubeconfig", kubeconfigPath) kubectlCmd := exec.CommandContext(ctx, "kubectl", "get", "namespace", "--kubeconfig", kubeconfigPath)
kubectlCmd.Env = append(os.Environ(), env.ProxyEnv()...) kubectlCmd.Env = append(os.Environ(), env.ProxyEnv()...)
stdoutPipe, err := kubectlCmd.StdoutPipe() var kubectlStdoutPipe io.ReadCloser
if runtime.GOOS != "darwin" {
// For some unknown reason this breaks the pty library on some MacOS machines.
// The problem doesn't reproduce for everyone, so this is just a workaround.
kubectlStdoutPipe, err = kubectlCmd.StdoutPipe()
require.NoError(t, err) require.NoError(t, err)
}
ptyFile, err := pty.Start(kubectlCmd) ptyFile, err := pty.Start(kubectlCmd)
require.NoError(t, err) require.NoError(t, err)
@ -492,10 +498,19 @@ func TestE2EFullIntegration(t *testing.T) { // nolint:gocyclo
t.Logf("waiting for kubectl to output namespace list") t.Logf("waiting for kubectl to output namespace list")
// Read all output from the subprocess until EOF. // Read all output from the subprocess until EOF.
// Ignore any errors returned because there is always an error on linux. // Ignore any errors returned because there is always an error on linux.
kubectlStdOutOutputBytes, _ := ioutil.ReadAll(stdoutPipe) kubectlPtyOutputBytes, _ := ioutil.ReadAll(ptyFile)
kubectlStdErrOutputBytes, _ := ioutil.ReadAll(ptyFile) if kubectlStdoutPipe != nil {
// On non-MacOS check that stdout of the CLI contains the expected output.
kubectlStdOutOutputBytes, _ := ioutil.ReadAll(kubectlStdoutPipe)
requireKubectlGetNamespaceOutput(t, env, string(kubectlStdOutOutputBytes)) requireKubectlGetNamespaceOutput(t, env, string(kubectlStdOutOutputBytes))
require.Contains(t, string(kubectlStdErrOutputBytes), "Access token from identity provider has lifetime of less than 3 hours. Expect frequent prompts to log in.") } else {
// On MacOS check that the pty (stdout+stderr+stdin) of the CLI contains the expected output.
requireKubectlGetNamespaceOutput(t, env, string(kubectlPtyOutputBytes))
}
// Due to the GOOS check in the code above, on MacOS the pty will include stdout, and other platforms it will not.
// This warning message is supposed to be printed by the CLI on stderr.
require.Contains(t, string(kubectlPtyOutputBytes),
"Access token from identity provider has lifetime of less than 3 hours. Expect frequent prompts to log in.")
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
@ -1013,7 +1028,7 @@ func readFromFileUntilStringIsSeen(t *testing.T, f *os.File, until string) strin
return true, nil // found it! finished. return true, nil // found it! finished.
} }
if foundEOF { if foundEOF {
return false, fmt.Errorf("reached EOF of subcommand's output without seeing expected string %q", until) return false, fmt.Errorf("reached EOF of subcommand's output without seeing expected string %q. Output read so far was:\n%s", until, readFromFile)
} }
return false, nil // keep waiting and reading return false, nil // keep waiting and reading
}, 1*time.Minute, 1*time.Second) }, 1*time.Minute, 1*time.Second)

View File

@ -25,7 +25,7 @@ import (
) )
// safe to run in parallel with serial tests since it only interacts with a test local server, see main_test.go. // safe to run in parallel with serial tests since it only interacts with a test local server, see main_test.go.
func TestFormPostHTML_Parallel(t *testing.T) { func TestFormPostHTML_Browser_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
// Run a mock callback handler, simulating the one running in the CLI. // Run a mock callback handler, simulating the one running in the CLI.

View File

@ -47,7 +47,7 @@ import (
) )
// nolint:gocyclo // nolint:gocyclo
func TestSupervisorLogin(t *testing.T) { func TestSupervisorLogin_Browser(t *testing.T) {
env := testlib.IntegrationEnv(t) env := testlib.IntegrationEnv(t)
tests := []struct { tests := []struct {

View File

@ -6,6 +6,7 @@ package browsertest
import ( import (
"regexp" "regexp"
"strings"
"testing" "testing"
"time" "time"
@ -24,6 +25,12 @@ const (
// closed at the end of the current test. It is configured for test purposes with the correct HTTP proxy and // closed at the end of the current test. It is configured for test purposes with the correct HTTP proxy and
// in a mode that ignore certificate errors. // in a mode that ignore certificate errors.
func Open(t *testing.T) *agouti.Page { func Open(t *testing.T) *agouti.Page {
t.Helper()
// make it trivial to run all browser based tests via:
// go test -v -race -count 1 -timeout 0 ./test/integration -run '/_Browser'
require.Contains(t, rootTestName(t), "_Browser", "browser based tests must contain the string _Browser in their name")
t.Logf("opening browser driver") t.Logf("opening browser driver")
env := testlib.IntegrationEnv(t) env := testlib.IntegrationEnv(t)
caps := agouti.NewCapabilities() caps := agouti.NewCapabilities()
@ -58,6 +65,25 @@ func Open(t *testing.T) *agouti.Page {
return page return page
} }
func rootTestName(t *testing.T) string {
switch names := strings.SplitN(t.Name(), "/", 3); len(names) {
case 0:
panic("impossible")
case 1:
return names[0]
case 2, 3:
if strings.HasPrefix(names[0], "TestIntegration") {
return names[1]
}
return names[0]
default:
panic("impossible")
}
}
// WaitForVisibleElements expects the page to contain all the the elements specified by the selectors. It waits for this // WaitForVisibleElements expects the page to contain all the the elements specified by the selectors. It waits for this
// to occur and times out, failing the test, if they never appear. // to occur and times out, failing the test, if they never appear.
func WaitForVisibleElements(t *testing.T, page *agouti.Page, selectors ...string) { func WaitForVisibleElements(t *testing.T, page *agouti.Page, selectors ...string) {