Accept both old and new cert error strings on MacOS in test assertions
Used this as an opportunity to refactor how some tests were making assertions about error strings. New test helpers make it easy for an error string to be expected as an exact string, as a string built using sprintf, as a regexp, or as a string built to include the platform-specific x509 error string. All of these helpers can be used in a single `wantErr` field of a test table. They can be used for both unit tests and integration tests. Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
This commit is contained in:
parent
044cbd0325
commit
c6e4133c5e
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package cmd
|
package cmd
|
||||||
@ -107,7 +107,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
wantLogs func(string, string) []string
|
wantLogs func(string, string) []string
|
||||||
wantError bool
|
wantError bool
|
||||||
wantStdout func(string, string) string
|
wantStdout func(string, string) string
|
||||||
wantStderr func(string, string) string
|
wantStderr func(string, string) testutil.RequireErrorStringFunc
|
||||||
wantOptionsCount int
|
wantOptionsCount int
|
||||||
wantAPIGroupSuffix string
|
wantAPIGroupSuffix string
|
||||||
}{
|
}{
|
||||||
@ -164,8 +164,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: invalid argument "./does/not/exist" for "--oidc-ca-bundle" flag: could not read CA bundle path: open ./does/not/exist: no such file or directory` + "\n"
|
return testutil.WantExactErrorString(`Error: invalid argument "./does/not/exist" for "--oidc-ca-bundle" flag: could not read CA bundle path: open ./does/not/exist: no such file or directory` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -177,8 +177,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: invalid argument "./does/not/exist" for "--concierge-ca-bundle" flag: could not read CA bundle path: open ./does/not/exist: no such file or directory` + "\n"
|
return testutil.WantExactErrorString(`Error: invalid argument "./does/not/exist" for "--concierge-ca-bundle" flag: could not read CA bundle path: open ./does/not/exist: no such file or directory` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -189,8 +189,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not load --kubeconfig: stat ./does/not/exist: no such file or directory` + "\n"
|
return testutil.WantExactErrorString(`Error: could not load --kubeconfig: stat ./does/not/exist: no such file or directory` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -202,8 +202,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not load --kubeconfig/--kubeconfig-context: no such context "invalid"` + "\n"
|
return testutil.WantExactErrorString(`Error: could not load --kubeconfig/--kubeconfig-context: no such context "invalid"` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -215,8 +215,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not load --kubeconfig/--kubeconfig-context: no such cluster "invalid-cluster"` + "\n"
|
return testutil.WantExactErrorString(`Error: could not load --kubeconfig/--kubeconfig-context: no such cluster "invalid-cluster"` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -228,8 +228,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not load --kubeconfig/--kubeconfig-context: no such user "invalid-user"` + "\n"
|
return testutil.WantExactErrorString(`Error: could not load --kubeconfig/--kubeconfig-context: no such user "invalid-user"` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -241,8 +241,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
},
|
},
|
||||||
getClientsetErr: fmt.Errorf("some kube error"),
|
getClientsetErr: fmt.Errorf("some kube error"),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not configure Kubernetes client: some kube error` + "\n"
|
return testutil.WantExactErrorString(`Error: could not configure Kubernetes client: some kube error` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -253,8 +253,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no CredentialIssuers were found` + "\n"
|
return testutil.WantExactErrorString(`Error: no CredentialIssuers were found` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -271,8 +271,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: credentialissuers.config.concierge.pinniped.dev "does-not-exist" not found` + "\n"
|
return testutil.WantExactErrorString(`Error: credentialissuers.config.concierge.pinniped.dev "does-not-exist" not found` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -295,8 +295,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: webhookauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found` + "\n"
|
return testutil.WantExactErrorString(`Error: webhookauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -319,8 +319,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: jwtauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found` + "\n"
|
return testutil.WantExactErrorString(`Error: jwtauthenticators.authentication.concierge.pinniped.dev "test-authenticator" not found` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -343,8 +343,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: invalid authenticator type "invalid", supported values are "webhook" and "jwt"` + "\n"
|
return testutil.WantExactErrorString(`Error: invalid authenticator type "invalid", supported values are "webhook" and "jwt"` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -374,8 +374,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: failed to list JWTAuthenticator objects for autodiscovery: some list error` + "\n"
|
return testutil.WantExactErrorString(`Error: failed to list JWTAuthenticator objects for autodiscovery: some list error` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -405,8 +405,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: failed to list WebhookAuthenticator objects for autodiscovery: some list error` + "\n"
|
return testutil.WantExactErrorString(`Error: failed to list WebhookAuthenticator objects for autodiscovery: some list error` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -427,8 +427,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no authenticators were found` + "\n"
|
return testutil.WantExactErrorString(`Error: no authenticators were found` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -457,8 +457,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified` + "\n"
|
return testutil.WantExactErrorString(`Error: multiple authenticators were found, so the --concierge-authenticator-type/--concierge-authenticator-name flags must be specified` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -491,8 +491,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not autodiscover --concierge-mode` + "\n"
|
return testutil.WantExactErrorString(`Error: could not autodiscover --concierge-mode` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -553,8 +553,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: autodiscovered Concierge CA bundle is invalid: illegal base64 data at input byte 7` + "\n"
|
return testutil.WantExactErrorString(`Error: autodiscovered Concierge CA bundle is invalid: illegal base64 data at input byte 7` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -580,8 +580,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not autodiscover --oidc-issuer and none was provided` + "\n"
|
return testutil.WantExactErrorString(`Error: could not autodiscover --oidc-issuer and none was provided` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -635,8 +635,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7` + "\n"
|
return testutil.WantExactErrorString(`Error: tried to autodiscover --oidc-ca-bundle, but JWTAuthenticator test-authenticator has invalid spec.tls.certificateAuthorityData: illegal base64 data at input byte 7` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -675,8 +675,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: request audience is not allowed to include the substring '.pinniped.dev': some-test-audience.pinniped.dev-invalid-substring` + "\n"
|
return testutil.WantExactErrorString(`Error: request audience is not allowed to include the substring '.pinniped.dev': some-test-audience.pinniped.dev-invalid-substring` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -706,8 +706,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: request audience is not allowed to include the substring '.pinniped.dev': some-test-audience.pinniped.dev-invalid-substring` + "\n"
|
return testutil.WantExactErrorString(`Error: request audience is not allowed to include the substring '.pinniped.dev': some-test-audience.pinniped.dev-invalid-substring` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -738,8 +738,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: could not determine the Pinniped executable path: some OS error` + "\n"
|
return testutil.WantExactErrorString(`Error: could not determine the Pinniped executable path: some OS error` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -767,8 +767,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: only one of --static-token and --static-token-env can be specified` + "\n"
|
return testutil.WantExactErrorString(`Error: only one of --static-token and --static-token-env can be specified` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -779,8 +779,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: invalid API group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')` + "\n"
|
return testutil.WantExactErrorString(`Error: invalid API group suffix: a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -811,8 +811,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return "Error: while fetching OIDC discovery data from issuer: 400 Bad Request: {}\n"
|
return testutil.WantExactErrorString("Error: while fetching OIDC discovery data from issuer: 400 Bad Request: {}\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -847,8 +847,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return fmt.Sprintf(
|
return testutil.WantSprintfErrorString(
|
||||||
"Error: while fetching OIDC discovery data from issuer: oidc: issuer did not match the issuer returned by provider, expected \"%s\" got \"https://wrong-issuer.com\"\n",
|
"Error: while fetching OIDC discovery data from issuer: oidc: issuer did not match the issuer returned by provider, expected \"%s\" got \"https://wrong-issuer.com\"\n",
|
||||||
issuerURL)
|
issuerURL)
|
||||||
},
|
},
|
||||||
@ -882,8 +882,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return "Error: unable to fetch IDP discovery data from issuer: unexpected http response status: 400 Bad Request\n"
|
return testutil.WantExactErrorString("Error: unable to fetch IDP discovery data from issuer: unexpected http response status: 400 Bad Request\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -920,10 +920,10 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: multiple Supervisor upstream identity providers were found, ` +
|
return testutil.WantExactErrorString(`Error: multiple Supervisor upstream identity providers were found, ` +
|
||||||
`so the --upstream-identity-provider-name/--upstream-identity-provider-type flags must be specified. ` +
|
`so the --upstream-identity-provider-name/--upstream-identity-provider-type flags must be specified. ` +
|
||||||
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc"}]` + "\n"
|
`Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -956,8 +956,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return "Error: while fetching OIDC discovery data from issuer: oidc: failed to decode provider discovery object: got Content-Type = application/json, but could not unmarshal as JSON: invalid character 'h' in literal true (expecting 'r')\n"
|
return testutil.WantExactErrorString("Error: while fetching OIDC discovery data from issuer: oidc: failed to decode provider discovery object: got Content-Type = application/json, but could not unmarshal as JSON: invalid character 'h' in literal true (expecting 'r')\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -989,8 +989,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return "Error: unable to fetch IDP discovery data from issuer: could not parse response JSON: invalid character 'h' in literal true (expecting 'r')\n"
|
return testutil.WantExactErrorString("Error: unable to fetch IDP discovery data from issuer: could not parse response JSON: invalid character 'h' in literal true (expecting 'r')\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1025,8 +1025,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %s\n", issuerURL, testutil.X509UntrustedCertError("Acme Co"))
|
return testutil.WantX509UntrustedCertErrorString(fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %%s\n", issuerURL), "Acme Co")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1063,8 +1063,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: while fetching OIDC discovery data from issuer: parse "https%://bad-issuer-url/.well-known/openid-configuration": first path segment in URL cannot contain colon` + "\n"
|
return testutil.WantExactErrorString(`Error: while fetching OIDC discovery data from issuer: parse "https%://bad-issuer-url/.well-known/openid-configuration": first path segment in URL cannot contain colon` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1102,8 +1102,8 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: while forming request to IDP discovery URL: parse "https%://illegal_url": first path segment in URL cannot contain colon` + "\n"
|
return testutil.WantExactErrorString(`Error: while forming request to IDP discovery URL: parse "https%://illegal_url": first path segment in URL cannot contain colon` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1128,9 +1128,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no Supervisor upstream identity providers with name "does-not-exist-idp" of type "ldap" were found.` +
|
return testutil.WantExactErrorString(`Error: no Supervisor upstream identity providers with name "does-not-exist-idp" of type "ldap" were found.` +
|
||||||
` Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-other-ldap-idp","type":"ldap"}]` + "\n"
|
` Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-other-ldap-idp","type":"ldap"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1156,10 +1156,10 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: multiple Supervisor upstream identity providers of type "ldap" were found,` +
|
return testutil.WantExactErrorString(`Error: multiple Supervisor upstream identity providers of type "ldap" were found,` +
|
||||||
` so the --upstream-identity-provider-name flag must be specified.` +
|
` so the --upstream-identity-provider-name flag must be specified.` +
|
||||||
` Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-other-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"some-ldap-idp","type":"ldap"},{"name":"some-other-ldap-idp","type":"ldap"},{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1184,10 +1184,10 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: multiple Supervisor upstream identity providers with name "my-idp" were found,` +
|
return testutil.WantExactErrorString(`Error: multiple Supervisor upstream identity providers with name "my-idp" were found,` +
|
||||||
` so the --upstream-identity-provider-type flag must be specified.` +
|
` so the --upstream-identity-provider-type flag must be specified.` +
|
||||||
` Found these upstreams: [{"name":"my-idp","type":"ldap"},{"name":"my-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"my-idp","type":"ldap"},{"name":"my-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1211,9 +1211,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no Supervisor upstream identity providers of type "ldap" were found.` +
|
return testutil.WantExactErrorString(`Error: no Supervisor upstream identity providers of type "ldap" were found.` +
|
||||||
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1236,9 +1236,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no Supervisor upstream identity providers of type "ldap" were found.` +
|
return testutil.WantExactErrorString(`Error: no Supervisor upstream identity providers of type "ldap" were found.` +
|
||||||
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1262,9 +1262,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no Supervisor upstream identity providers with name "my-nonexistent-idp" were found.` +
|
return testutil.WantExactErrorString(`Error: no Supervisor upstream identity providers with name "my-nonexistent-idp" were found.` +
|
||||||
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"},{"name":"some-other-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1287,9 +1287,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no Supervisor upstream identity providers with name "my-nonexistent-idp" were found.` +
|
return testutil.WantExactErrorString(`Error: no Supervisor upstream identity providers with name "my-nonexistent-idp" were found.` +
|
||||||
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"}]` + "\n"
|
` Found these upstreams: [{"name":"some-oidc-idp","type":"oidc"}]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1312,9 +1312,9 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
]
|
]
|
||||||
}`),
|
}`),
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
|
||||||
return `Error: no client flow "my-nonexistent-flow" for Supervisor upstream identity provider "some-oidc-idp" of type "oidc" were found.` +
|
return testutil.WantExactErrorString(`Error: no client flow "my-nonexistent-flow" for Supervisor upstream identity provider "some-oidc-idp" of type "oidc" were found.` +
|
||||||
` Found these flows: [non-matching-flow-1 non-matching-flow-2]` + "\n"
|
` Found these flows: [non-matching-flow-1 non-matching-flow-2]` + "\n")
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -3015,11 +3015,12 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
require.Equal(t, expectedStdout, stdout.String(), "unexpected stdout")
|
require.Equal(t, expectedStdout, stdout.String(), "unexpected stdout")
|
||||||
|
|
||||||
expectedStderr := ""
|
actualStderr := stderr.String()
|
||||||
if tt.wantStderr != nil {
|
if tt.wantStderr != nil {
|
||||||
expectedStderr = tt.wantStderr(issuerCABundle, issuerEndpoint)
|
testutil.RequireErrorString(t, actualStderr, tt.wantStderr(issuerCABundle, issuerEndpoint))
|
||||||
|
} else {
|
||||||
|
require.Empty(t, actualStderr, "unexpected stderr")
|
||||||
}
|
}
|
||||||
require.Equal(t, expectedStderr, stderr.String(), "unexpected stderr")
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
1
go.mod
1
go.mod
@ -124,7 +124,6 @@ require (
|
|||||||
github.com/spf13/cast v1.5.0 // indirect
|
github.com/spf13/cast v1.5.0 // indirect
|
||||||
github.com/spf13/jwalterweatherman v1.1.0 // indirect
|
github.com/spf13/jwalterweatherman v1.1.0 // indirect
|
||||||
github.com/stoewer/go-strcase v1.2.0 // indirect
|
github.com/stoewer/go-strcase v1.2.0 // indirect
|
||||||
github.com/stretchr/objx v0.5.0 // indirect
|
|
||||||
github.com/subosito/gotenv v1.4.0 // indirect
|
github.com/subosito/gotenv v1.4.0 // indirect
|
||||||
github.com/tdewolff/parse/v2 v2.6.4 // indirect
|
github.com/tdewolff/parse/v2 v2.6.4 // indirect
|
||||||
go.etcd.io/etcd/api/v3 v3.5.5 // indirect
|
go.etcd.io/etcd/api/v3 v3.5.5 // indirect
|
||||||
|
1
go.sum
1
go.sum
@ -537,7 +537,6 @@ github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag
|
|||||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
||||||
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
|
|
||||||
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
|
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
|
||||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package jwtcachefiller
|
package jwtcachefiller
|
||||||
@ -188,7 +188,7 @@ func TestController(t *testing.T) {
|
|||||||
syncKey controllerlib.Key
|
syncKey controllerlib.Key
|
||||||
jwtAuthenticators []runtime.Object
|
jwtAuthenticators []runtime.Object
|
||||||
wantClose bool
|
wantClose bool
|
||||||
wantErr string
|
wantErr testutil.RequireErrorStringFunc
|
||||||
wantLogs []string
|
wantLogs []string
|
||||||
wantCacheEntries int
|
wantCacheEntries int
|
||||||
wantUsernameClaim string
|
wantUsernameClaim string
|
||||||
@ -350,7 +350,7 @@ func TestController(t *testing.T) {
|
|||||||
Spec: *missingTLSJWTAuthenticatorSpec,
|
Spec: *missingTLSJWTAuthenticatorSpec,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantErr: `failed to build jwt authenticator: could not initialize provider: Get "` + goodIssuer + `/.well-known/openid-configuration": ` + testutil.X509UntrustedCertError("Acme Co"),
|
wantErr: testutil.WantX509UntrustedCertErrorString(`failed to build jwt authenticator: could not initialize provider: Get "`+goodIssuer+`/.well-known/openid-configuration": %s`, "Acme Co"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid jwt authenticator CA",
|
name: "invalid jwt authenticator CA",
|
||||||
@ -363,7 +363,7 @@ func TestController(t *testing.T) {
|
|||||||
Spec: *invalidTLSJWTAuthenticatorSpec,
|
Spec: *invalidTLSJWTAuthenticatorSpec,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantErr: "failed to build jwt authenticator: invalid TLS configuration: illegal base64 data at input byte 7",
|
wantErr: testutil.WantExactErrorString("failed to build jwt authenticator: invalid TLS configuration: illegal base64 data at input byte 7"),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -391,8 +391,8 @@ func TestController(t *testing.T) {
|
|||||||
|
|
||||||
syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey}
|
syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey}
|
||||||
|
|
||||||
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" {
|
if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != nil {
|
||||||
require.EqualError(t, err, tt.wantErr)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantErr)
|
||||||
} else {
|
} else {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
}
|
}
|
||||||
@ -490,9 +490,8 @@ func TestController(t *testing.T) {
|
|||||||
rsp, authenticated, err = cachedAuthenticator.AuthenticateToken(context.Background(), jwt)
|
rsp, authenticated, err = cachedAuthenticator.AuthenticateToken(context.Background(), jwt)
|
||||||
return !isNotInitialized(err), nil
|
return !isNotInitialized(err), nil
|
||||||
})
|
})
|
||||||
if test.wantErrorRegexp != "" {
|
if test.wantErr != nil {
|
||||||
require.Error(t, err)
|
testutil.RequireErrorStringFromErr(t, err, test.wantErr)
|
||||||
require.Regexp(t, test.wantErrorRegexp, err.Error())
|
|
||||||
} else {
|
} else {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.Equal(t, test.wantResponse, rsp)
|
require.Equal(t, test.wantResponse, rsp)
|
||||||
@ -528,7 +527,7 @@ func testTableForAuthenticateTokenTests(
|
|||||||
jwtSignature func(key *interface{}, algo *jose.SignatureAlgorithm, kid *string)
|
jwtSignature func(key *interface{}, algo *jose.SignatureAlgorithm, kid *string)
|
||||||
wantResponse *authenticator.Response
|
wantResponse *authenticator.Response
|
||||||
wantAuthenticated bool
|
wantAuthenticated bool
|
||||||
wantErrorRegexp string
|
wantErr testutil.RequireErrorStringFunc
|
||||||
distributedGroupsClaimURL string
|
distributedGroupsClaimURL string
|
||||||
} {
|
} {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
@ -537,7 +536,7 @@ func testTableForAuthenticateTokenTests(
|
|||||||
jwtSignature func(key *interface{}, algo *jose.SignatureAlgorithm, kid *string)
|
jwtSignature func(key *interface{}, algo *jose.SignatureAlgorithm, kid *string)
|
||||||
wantResponse *authenticator.Response
|
wantResponse *authenticator.Response
|
||||||
wantAuthenticated bool
|
wantAuthenticated bool
|
||||||
wantErrorRegexp string
|
wantErr testutil.RequireErrorStringFunc
|
||||||
distributedGroupsClaimURL string
|
distributedGroupsClaimURL string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
@ -594,14 +593,14 @@ func testTableForAuthenticateTokenTests(
|
|||||||
jwtClaims: func(claims *jwt.Claims, groups *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, groups *interface{}, username *string) {
|
||||||
},
|
},
|
||||||
distributedGroupsClaimURL: issuer + "/not_found_claim_source",
|
distributedGroupsClaimURL: issuer + "/not_found_claim_source",
|
||||||
wantErrorRegexp: `oidc: could not expand distributed claims: while getting distributed claim "` + expectedGroupsClaim + `": error while getting distributed claim JWT: 404 Not Found`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: could not expand distributed claims: while getting distributed claim "` + expectedGroupsClaim + `": error while getting distributed claim JWT: 404 Not Found`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "distributed groups doesn't return the right claim",
|
name: "distributed groups doesn't return the right claim",
|
||||||
jwtClaims: func(claims *jwt.Claims, groups *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, groups *interface{}, username *string) {
|
||||||
},
|
},
|
||||||
distributedGroupsClaimURL: issuer + "/wrong_claim_source",
|
distributedGroupsClaimURL: issuer + "/wrong_claim_source",
|
||||||
wantErrorRegexp: `oidc: could not expand distributed claims: jwt returned by distributed claim endpoint "` + issuer + `/wrong_claim_source" did not contain claim: `,
|
wantErr: testutil.WantMatchingErrorString(`oidc: could not expand distributed claims: jwt returned by distributed claim endpoint "` + issuer + `/wrong_claim_source" did not contain claim: `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "good token with groups as string",
|
name: "good token with groups as string",
|
||||||
@ -633,7 +632,7 @@ func testTableForAuthenticateTokenTests(
|
|||||||
jwtClaims: func(_ *jwt.Claims, groups *interface{}, username *string) {
|
jwtClaims: func(_ *jwt.Claims, groups *interface{}, username *string) {
|
||||||
*groups = map[string]string{"not an array": "or a string"}
|
*groups = map[string]string{"not an array": "or a string"}
|
||||||
},
|
},
|
||||||
wantErrorRegexp: "oidc: parse groups claim \"" + expectedGroupsClaim + "\": json: cannot unmarshal object into Go value of type string",
|
wantErr: testutil.WantMatchingErrorString("oidc: parse groups claim \"" + expectedGroupsClaim + "\": json: cannot unmarshal object into Go value of type string"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bad token with wrong issuer",
|
name: "bad token with wrong issuer",
|
||||||
@ -648,42 +647,42 @@ func testTableForAuthenticateTokenTests(
|
|||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
claims.Audience = nil
|
claims.Audience = nil
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: expected audience "some-audience" got \[\]`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: expected audience "some-audience" got \[\]`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bad token with wrong audience",
|
name: "bad token with wrong audience",
|
||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
claims.Audience = []string{"wrong-audience"}
|
claims.Audience = []string{"wrong-audience"}
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: expected audience "some-audience" got \["wrong-audience"\]`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: expected audience "some-audience" got \["wrong-audience"\]`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bad token with nbf in the future",
|
name: "bad token with nbf in the future",
|
||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
claims.NotBefore = jwt.NewNumericDate(time.Date(3020, 2, 3, 4, 5, 6, 7, time.UTC))
|
claims.NotBefore = jwt.NewNumericDate(time.Date(3020, 2, 3, 4, 5, 6, 7, time.UTC))
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: current time .* before the nbf \(not before\) time: 3020-.*`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: current time .* before the nbf \(not before\) time: 3020-.*`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bad token with exp in past",
|
name: "bad token with exp in past",
|
||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
claims.Expiry = jwt.NewNumericDate(time.Date(1, 2, 3, 4, 5, 6, 7, time.UTC))
|
claims.Expiry = jwt.NewNumericDate(time.Date(1, 2, 3, 4, 5, 6, 7, time.UTC))
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: token is expired \(Token Expiry: .+`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: token is expired \(Token Expiry: .+`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "bad token without exp",
|
name: "bad token without exp",
|
||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
claims.Expiry = nil
|
claims.Expiry = nil
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: token is expired \(Token Expiry: .+`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: token is expired \(Token Expiry: .+`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "token does not have username claim",
|
name: "token does not have username claim",
|
||||||
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
jwtClaims: func(claims *jwt.Claims, _ *interface{}, username *string) {
|
||||||
*username = ""
|
*username = ""
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: parse username claims "` + expectedUsernameClaim + `": claim not present`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: parse username claims "` + expectedUsernameClaim + `": claim not present`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "signing key is wrong",
|
name: "signing key is wrong",
|
||||||
@ -693,7 +692,7 @@ func testTableForAuthenticateTokenTests(
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
*algo = jose.ES256
|
*algo = jose.ES256
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: failed to verify signature: failed to verify id token signature`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: failed to verify signature: failed to verify id token signature`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "signing algo is unsupported",
|
name: "signing algo is unsupported",
|
||||||
@ -703,7 +702,7 @@ func testTableForAuthenticateTokenTests(
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
*algo = jose.ES384
|
*algo = jose.ES384
|
||||||
},
|
},
|
||||||
wantErrorRegexp: `oidc: verify token: oidc: id token signed with unsupported algorithm, expected \["RS256" "ES256"\] got "ES384"`,
|
wantErr: testutil.WantMatchingErrorString(`oidc: verify token: oidc: id token signed with unsupported algorithm, expected \["RS256" "ES256"\] got "ES384"`),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1,10 +1,11 @@
|
|||||||
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package testutil
|
package testutil
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"fmt"
|
||||||
"mime"
|
"mime"
|
||||||
"net/http/httptest"
|
"net/http/httptest"
|
||||||
"testing"
|
"testing"
|
||||||
@ -125,3 +126,63 @@ func requireSecurityHeaders(t *testing.T, response *httptest.ResponseRecorder) {
|
|||||||
// This check is more relaxed since Fosite can override the base header we set.
|
// This check is more relaxed since Fosite can override the base header we set.
|
||||||
require.Contains(t, response.Header().Get("Cache-Control"), "no-store")
|
require.Contains(t, response.Header().Get("Cache-Control"), "no-store")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type RequireErrorStringFunc func(t *testing.T, actualErrorStr string)
|
||||||
|
|
||||||
|
// RequireErrorStringFromErr can be used to make assertions about errors in tests.
|
||||||
|
func RequireErrorStringFromErr(t *testing.T, actualError error, requireFunc RequireErrorStringFunc) {
|
||||||
|
require.Error(t, actualError)
|
||||||
|
requireFunc(t, actualError.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
// RequireErrorString can be used to make assertions about error strings in tests.
|
||||||
|
func RequireErrorString(t *testing.T, actualErrorStr string, requireFunc RequireErrorStringFunc) {
|
||||||
|
requireFunc(t, actualErrorStr)
|
||||||
|
}
|
||||||
|
|
||||||
|
// WantExactErrorString can be used to set up an expected value for an error string in a test table.
|
||||||
|
// Use when you want to express that the expected string must be an exact match.
|
||||||
|
func WantExactErrorString(wantErrStr string) RequireErrorStringFunc {
|
||||||
|
return func(t *testing.T, actualErrorStr string) {
|
||||||
|
require.Equal(t, wantErrStr, actualErrorStr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// WantSprintfErrorString can be used to set up an expected value for an error string in a test table.
|
||||||
|
// Use when you want to express that an expected string built using fmt.Sprintf semantics must be an exact match.
|
||||||
|
func WantSprintfErrorString(wantErrSprintfSpecifier string, a ...interface{}) RequireErrorStringFunc {
|
||||||
|
wantErrStr := fmt.Sprintf(wantErrSprintfSpecifier, a...)
|
||||||
|
return func(t *testing.T, actualErrorStr string) {
|
||||||
|
require.Equal(t, wantErrStr, actualErrorStr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// WantMatchingErrorString can be used to set up an expected value for an error string in a test table.
|
||||||
|
// Use when you want to express that the expected regexp must be a match.
|
||||||
|
func WantMatchingErrorString(wantErrRegexp string) RequireErrorStringFunc {
|
||||||
|
return func(t *testing.T, actualErrorStr string) {
|
||||||
|
require.Regexp(t, wantErrRegexp, actualErrorStr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// WantX509UntrustedCertErrorString can be used to set up an expected value for an error string in a test table.
|
||||||
|
// expectedErrorFormatString must contain exactly one formatting verb, which should usually be %s, which will
|
||||||
|
// be replaced by the platform-specific X509 untrusted certs error string and then compared against expectedCommonName.
|
||||||
|
func WantX509UntrustedCertErrorString(expectedErrorFormatSpecifier string, expectedCommonName string) RequireErrorStringFunc {
|
||||||
|
// Starting in Go 1.18.1, and until it was fixed in Go 1.19.5, Go on MacOS had an incorrect error string.
|
||||||
|
// We don't care which error string was returned, as long as it is either the normal error string from
|
||||||
|
// the Go x509 library, or the error string that was accidentally returned from the Go x509 library in
|
||||||
|
// those versions of Go on MacOS which had the bug.
|
||||||
|
return func(t *testing.T, actualErrorStr string) {
|
||||||
|
// This is the MacOS error string starting in Go 1.18.1, and until it was fixed in Go 1.19.5.
|
||||||
|
macOSErr := fmt.Sprintf(`x509: “%s” certificate is not trusted`, expectedCommonName)
|
||||||
|
// This is the normal Go x509 library error string.
|
||||||
|
standardErr := `x509: certificate signed by unknown authority`
|
||||||
|
allowedErrorStrings := []string{
|
||||||
|
fmt.Sprintf(expectedErrorFormatSpecifier, macOSErr),
|
||||||
|
fmt.Sprintf(expectedErrorFormatSpecifier, standardErr),
|
||||||
|
}
|
||||||
|
// Allow either.
|
||||||
|
require.Contains(t, allowedErrorStrings, actualErrorStr)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -1,19 +0,0 @@
|
|||||||
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
package testutil
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"runtime"
|
|
||||||
)
|
|
||||||
|
|
||||||
func X509UntrustedCertError(commonName string) string {
|
|
||||||
if runtime.GOOS == "darwin" {
|
|
||||||
// Golang use's macos' x509 verification APIs on darwin.
|
|
||||||
// This output slightly different error messages than golang's
|
|
||||||
// own x509 verification.
|
|
||||||
return fmt.Sprintf(`x509: “%s” certificate is not trusted`, commonName)
|
|
||||||
}
|
|
||||||
return `x509: certificate signed by unknown authority`
|
|
||||||
}
|
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package upstreamldap
|
package upstreamldap
|
||||||
@ -179,7 +179,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
searchMocks func(conn *mockldapconn.MockConn)
|
searchMocks func(conn *mockldapconn.MockConn)
|
||||||
bindEndUserMocks func(conn *mockldapconn.MockConn)
|
bindEndUserMocks func(conn *mockldapconn.MockConn)
|
||||||
dialError error
|
dialError error
|
||||||
wantError string
|
wantError testutil.RequireErrorStringFunc
|
||||||
wantToSkipDial bool
|
wantToSkipDial bool
|
||||||
wantAuthResponse *authenticators.Response
|
wantAuthResponse *authenticators.Response
|
||||||
wantUnauthenticated bool
|
wantUnauthenticated bool
|
||||||
@ -711,7 +711,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
Return(exampleGroupSearchResult, nil).Times(1)
|
Return(exampleGroupSearchResult, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: "found 0 values for attribute \"some-attribute-to-check-during-refresh\" while searching for user \"some-upstream-username\", but expected 1 result",
|
wantError: testutil.WantExactErrorString("found 0 values for attribute \"some-attribute-to-check-during-refresh\" while searching for user \"some-upstream-username\", but expected 1 result"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when dial fails",
|
name: "when dial fails",
|
||||||
@ -719,7 +719,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
password: testUpstreamPassword,
|
password: testUpstreamPassword,
|
||||||
providerConfig: providerConfig(nil),
|
providerConfig: providerConfig(nil),
|
||||||
dialError: errors.New("some dial error"),
|
dialError: errors.New("some dial error"),
|
||||||
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "%s": some dial error`, testHost),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UsernameAttribute is dn and there is not a user search filter provided",
|
name: "when the UsernameAttribute is dn and there is not a user search filter provided",
|
||||||
@ -730,7 +730,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
p.UserSearch.Filter = ""
|
p.UserSearch.Filter = ""
|
||||||
}),
|
}),
|
||||||
wantToSkipDial: true,
|
wantToSkipDial: true,
|
||||||
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
|
wantError: testutil.WantExactErrorString(`must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when binding as the bind user returns an error",
|
name: "when binding as the bind user returns an error",
|
||||||
@ -741,7 +741,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
|
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`error binding as "%s" before user search: some bind error`, testBindUsername),
|
wantError: testutil.WantSprintfErrorString(`error binding as "%s" before user search: some bind error`, testBindUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user returns an error",
|
name: "when searching for the user returns an error",
|
||||||
@ -753,7 +753,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
conn.EXPECT().Search(expectedUserSearch(nil)).Return(nil, errors.New("some user search error")).Times(1)
|
conn.EXPECT().Search(expectedUserSearch(nil)).Return(nil, errors.New("some user search error")).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: `error searching for user: some user search error`,
|
wantError: testutil.WantExactErrorString(`error searching for user: some user search error`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user's groups returns an error",
|
name: "when searching for the user's groups returns an error",
|
||||||
@ -767,7 +767,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
Return(nil, errors.New("some group search error")).Times(1)
|
Return(nil, errors.New("some group search error")).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`error searching for group memberships for user with DN "%s": some group search error`, testUserSearchResultDNValue),
|
wantError: testutil.WantSprintfErrorString(`error searching for group memberships for user with DN "%s": some group search error`, testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user returns no results",
|
name: "when searching for the user returns no results",
|
||||||
@ -798,7 +798,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`searching for user "%s" resulted in 2 search results, but expected 1 result`, testUpstreamUsername),
|
wantError: testutil.WantSprintfErrorString(`searching for user "%s" resulted in 2 search results, but expected 1 result`, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user returns a user without a DN",
|
name: "when searching for the user returns a user without a DN",
|
||||||
@ -814,7 +814,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`searching for user "%s" resulted in search result without DN`, testUpstreamUsername),
|
wantError: testutil.WantSprintfErrorString(`searching for user "%s" resulted in search result without DN`, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user's groups returns a group without a DN",
|
name: "when searching for the user's groups returns a group without a DN",
|
||||||
@ -845,7 +845,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`searching for group memberships for user with DN "%s" resulted in search result without DN`,
|
`searching for group memberships for user with DN "%s" resulted in search result without DN`,
|
||||||
testUserSearchResultDNValue),
|
testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
@ -868,7 +868,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
||||||
testUserSearchUsernameAttribute, testUpstreamUsername),
|
testUserSearchUsernameAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
@ -901,7 +901,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`error searching for group memberships for user with DN "%s": found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
`error searching for group memberships for user with DN "%s": found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
||||||
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
@ -928,7 +928,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
||||||
testUserSearchUsernameAttribute, testUpstreamUsername),
|
testUserSearchUsernameAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
@ -964,7 +964,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`error searching for group memberships for user with DN "%s": found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
`error searching for group memberships for user with DN "%s": found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`,
|
||||||
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
@ -988,7 +988,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
|
`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
|
||||||
testUserSearchUsernameAttribute, testUpstreamUsername),
|
testUserSearchUsernameAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
@ -1021,7 +1021,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(
|
wantError: testutil.WantSprintfErrorString(
|
||||||
`error searching for group memberships for user with DN "%s": found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
|
`error searching for group memberships for user with DN "%s": found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`,
|
||||||
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
testUserSearchResultDNValue, testGroupSearchGroupNameAttribute, testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
@ -1044,7 +1044,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
|
wantError: testutil.WantSprintfErrorString(`found 0 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user returns a user with too many values for the expected UID attribute",
|
name: "when searching for the user returns a user with too many values for the expected UID attribute",
|
||||||
@ -1069,7 +1069,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
|
wantError: testutil.WantSprintfErrorString(`found 2 values for attribute "%s" while searching for user "%s", but expected 1 result`, testUserSearchUIDAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when searching for the user returns a user with an empty value for the expected UID attribute",
|
name: "when searching for the user returns a user with an empty value for the expected UID attribute",
|
||||||
@ -1091,7 +1091,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
}, nil).Times(1)
|
}, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`, testUserSearchUIDAttribute, testUpstreamUsername),
|
wantError: testutil.WantSprintfErrorString(`found empty value for attribute "%s" while searching for user "%s", but expected value to be non-empty`, testUserSearchUIDAttribute, testUpstreamUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the group search has an override func that errors",
|
name: "when the group search has an override func that errors",
|
||||||
@ -1109,7 +1109,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
Return(exampleGroupSearchResult, nil).Times(1)
|
Return(exampleGroupSearchResult, nil).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf("error finding groups for user %s: some error", testUserSearchResultDNValue),
|
wantError: testutil.WantSprintfErrorString("error finding groups for user %s: some error", testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when binding as the found user returns an error",
|
name: "when binding as the found user returns an error",
|
||||||
@ -1127,7 +1127,7 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(errors.New("some bind error")).Times(1)
|
conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Return(errors.New("some bind error")).Times(1)
|
||||||
},
|
},
|
||||||
skipDryRunAuthenticateUser: true,
|
skipDryRunAuthenticateUser: true,
|
||||||
wantError: fmt.Sprintf(`error binding for user "%s" using provided password against DN "%s": some bind error`, testUpstreamUsername, testUserSearchResultDNValue),
|
wantError: testutil.WantSprintfErrorString(`error binding for user "%s" using provided password against DN "%s": some bind error`, testUpstreamUsername, testUserSearchResultDNValue),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when binding as the found user returns a specific invalid credentials error",
|
name: "when binding as the found user returns a specific invalid credentials error",
|
||||||
@ -1194,8 +1194,8 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password, tt.grantedScopes)
|
authResponse, authenticated, err := ldapProvider.AuthenticateUser(context.Background(), tt.username, tt.password, tt.grantedScopes)
|
||||||
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
||||||
switch {
|
switch {
|
||||||
case tt.wantError != "":
|
case tt.wantError != nil:
|
||||||
require.EqualError(t, err, tt.wantError)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantError)
|
||||||
require.False(t, authenticated)
|
require.False(t, authenticated)
|
||||||
require.Nil(t, authResponse)
|
require.Nil(t, authResponse)
|
||||||
case tt.wantUnauthenticated:
|
case tt.wantUnauthenticated:
|
||||||
@ -1226,8 +1226,8 @@ func TestEndUserAuthentication(t *testing.T) {
|
|||||||
authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username, tt.grantedScopes)
|
authResponse, authenticated, err = ldapProvider.DryRunAuthenticateUser(context.Background(), tt.username, tt.grantedScopes)
|
||||||
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
||||||
switch {
|
switch {
|
||||||
case tt.wantError != "":
|
case tt.wantError != nil:
|
||||||
require.EqualError(t, err, tt.wantError)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantError)
|
||||||
require.False(t, authenticated)
|
require.False(t, authenticated)
|
||||||
require.Nil(t, authResponse)
|
require.Nil(t, authResponse)
|
||||||
case tt.wantUnauthenticated:
|
case tt.wantUnauthenticated:
|
||||||
@ -1852,7 +1852,7 @@ func TestTestConnection(t *testing.T) {
|
|||||||
providerConfig *ProviderConfig
|
providerConfig *ProviderConfig
|
||||||
setupMocks func(conn *mockldapconn.MockConn)
|
setupMocks func(conn *mockldapconn.MockConn)
|
||||||
dialError error
|
dialError error
|
||||||
wantError string
|
wantError testutil.RequireErrorStringFunc
|
||||||
wantToSkipDial bool
|
wantToSkipDial bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
@ -1867,7 +1867,7 @@ func TestTestConnection(t *testing.T) {
|
|||||||
name: "when dial fails",
|
name: "when dial fails",
|
||||||
providerConfig: providerConfig(nil),
|
providerConfig: providerConfig(nil),
|
||||||
dialError: errors.New("some dial error"),
|
dialError: errors.New("some dial error"),
|
||||||
wantError: fmt.Sprintf(`error dialing host "%s": some dial error`, testHost),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "%s": some dial error`, testHost),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when binding as the bind user returns an error",
|
name: "when binding as the bind user returns an error",
|
||||||
@ -1876,7 +1876,7 @@ func TestTestConnection(t *testing.T) {
|
|||||||
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
|
conn.EXPECT().Bind(testBindUsername, testBindPassword).Return(errors.New("some bind error")).Times(1)
|
||||||
conn.EXPECT().Close().Times(1)
|
conn.EXPECT().Close().Times(1)
|
||||||
},
|
},
|
||||||
wantError: fmt.Sprintf(`error binding as "%s": some bind error`, testBindUsername),
|
wantError: testutil.WantSprintfErrorString(`error binding as "%s": some bind error`, testBindUsername),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the config is invalid",
|
name: "when the config is invalid",
|
||||||
@ -1886,7 +1886,7 @@ func TestTestConnection(t *testing.T) {
|
|||||||
p.UserSearch.Filter = ""
|
p.UserSearch.Filter = ""
|
||||||
}),
|
}),
|
||||||
wantToSkipDial: true,
|
wantToSkipDial: true,
|
||||||
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
|
wantError: testutil.WantExactErrorString(`must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1917,8 +1917,8 @@ func TestTestConnection(t *testing.T) {
|
|||||||
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
require.Equal(t, !tt.wantToSkipDial, dialWasAttempted)
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case tt.wantError != "":
|
case tt.wantError != nil:
|
||||||
require.EqualError(t, err, tt.wantError)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantError)
|
||||||
default:
|
default:
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
}
|
}
|
||||||
@ -2010,7 +2010,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
connProto LDAPConnectionProtocol
|
connProto LDAPConnectionProtocol
|
||||||
caBundle []byte
|
caBundle []byte
|
||||||
context context.Context
|
context context.Context
|
||||||
wantError string
|
wantError testutil.RequireErrorStringFunc
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
name: "happy path",
|
name: "happy path",
|
||||||
@ -2025,7 +2025,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: caForTestServerWithBadCertName.Bundle(),
|
caBundle: caForTestServerWithBadCertName.Bundle(),
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": x509: certificate is valid for 10.2.3.4, not 127.0.0.1`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": x509: certificate is valid for 10.2.3.4, not 127.0.0.1`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid CA bundle with TLS",
|
name: "invalid CA bundle with TLS",
|
||||||
@ -2033,7 +2033,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: []byte("not a ca bundle"),
|
caBundle: []byte("not a ca bundle"),
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": could not parse CA bundle`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid CA bundle with StartTLS",
|
name: "invalid CA bundle with StartTLS",
|
||||||
@ -2041,7 +2041,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: []byte("not a ca bundle"),
|
caBundle: []byte("not a ca bundle"),
|
||||||
connProto: StartTLS,
|
connProto: StartTLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": could not parse CA bundle`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": could not parse CA bundle`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid host with TLS",
|
name: "invalid host with TLS",
|
||||||
@ -2049,7 +2049,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: testServerCABundle,
|
caBundle: testServerCABundle,
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid host with StartTLS",
|
name: "invalid host with StartTLS",
|
||||||
@ -2057,7 +2057,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: testServerCABundle,
|
caBundle: testServerCABundle,
|
||||||
connProto: StartTLS,
|
connProto: StartTLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": host "this:is:not:a:valid:hostname" is not a valid hostname or IP address`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "missing CA bundle when it is required because the host is not using a trusted CA",
|
name: "missing CA bundle when it is required because the host is not using a trusted CA",
|
||||||
@ -2065,7 +2065,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: nil,
|
caBundle: nil,
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": %s`, testutil.X509UntrustedCertError("Acme Co")),
|
wantError: testutil.WantX509UntrustedCertErrorString(`LDAP Result Code 200 "Network Error": %s`, "Acme Co"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "cannot connect to host",
|
name: "cannot connect to host",
|
||||||
@ -2074,7 +2074,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: testServerCABundle,
|
caBundle: testServerCABundle,
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: connect: connection refused`, recentlyClaimedHostAndPort),
|
wantError: testutil.WantSprintfErrorString(`LDAP Result Code 200 "Network Error": dial tcp %s: connect: connection refused`, recentlyClaimedHostAndPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "pays attention to the passed context",
|
name: "pays attention to the passed context",
|
||||||
@ -2082,7 +2082,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: testServerCABundle,
|
caBundle: testServerCABundle,
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: alreadyCancelledContext,
|
context: alreadyCancelledContext,
|
||||||
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": dial tcp %s: operation was canceled`, testServerHostAndPort),
|
wantError: testutil.WantSprintfErrorString(`LDAP Result Code 200 "Network Error": dial tcp %s: operation was canceled`, testServerHostAndPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "unsupported connection protocol",
|
name: "unsupported connection protocol",
|
||||||
@ -2090,7 +2090,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: testServerCABundle,
|
caBundle: testServerCABundle,
|
||||||
connProto: "bad usage of this type",
|
connProto: "bad usage of this type",
|
||||||
context: alreadyCancelledContext,
|
context: alreadyCancelledContext,
|
||||||
wantError: `LDAP Result Code 200 "Network Error": did not specify valid ConnectionProtocol`,
|
wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": did not specify valid ConnectionProtocol`),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
@ -2106,9 +2106,9 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
if conn != nil {
|
if conn != nil {
|
||||||
defer conn.Close()
|
defer conn.Close()
|
||||||
}
|
}
|
||||||
if tt.wantError != "" {
|
if tt.wantError != nil {
|
||||||
require.Nil(t, conn)
|
require.Nil(t, conn)
|
||||||
require.EqualError(t, err, tt.wantError)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantError)
|
||||||
} else {
|
} else {
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.NotNil(t, conn)
|
require.NotNil(t, conn)
|
||||||
|
@ -487,8 +487,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
unreachableServer bool
|
unreachableServer bool
|
||||||
returnStatusCodes []int
|
returnStatusCodes []int
|
||||||
returnErrBodies []string
|
returnErrBodies []string
|
||||||
wantErr string
|
wantErr testutil.RequireErrorStringFunc
|
||||||
wantErrRegexp string // use either wantErr or wantErrRegexp
|
|
||||||
wantRetryableErrType bool // additionally assert error type when wantErr is non-empty
|
wantRetryableErrType bool // additionally assert error type when wantErr is non-empty
|
||||||
wantNumRequests int
|
wantNumRequests int
|
||||||
wantTokenTypeHint string
|
wantTokenTypeHint string
|
||||||
@ -542,7 +541,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest, http.StatusBadRequest},
|
returnStatusCodes: []int{http.StatusBadRequest, http.StatusBadRequest},
|
||||||
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, `{ "error":"anything", "error_description":"unhappy" }`},
|
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, `{ "error":"anything", "error_description":"unhappy" }`},
|
||||||
wantErr: `server responded with status 400 with body: { "error":"anything", "error_description":"unhappy" }`,
|
wantErr: testutil.WantExactErrorString(`server responded with status 400 with body: { "error":"anything", "error_description":"unhappy" }`),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 2,
|
wantNumRequests: 2,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -552,7 +551,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest},
|
returnStatusCodes: []int{http.StatusBadRequest},
|
||||||
returnErrBodies: []string{`invalid JSON body`},
|
returnErrBodies: []string{`invalid JSON body`},
|
||||||
wantErr: `error parsing response body "invalid JSON body" on response with status code 400: invalid character 'i' looking for beginning of value`,
|
wantErr: testutil.WantExactErrorString(`error parsing response body "invalid JSON body" on response with status code 400: invalid character 'i' looking for beginning of value`),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -562,7 +561,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest},
|
returnStatusCodes: []int{http.StatusBadRequest},
|
||||||
returnErrBodies: []string{``},
|
returnErrBodies: []string{``},
|
||||||
wantErr: `error parsing response body "" on response with status code 400: unexpected end of JSON input`,
|
wantErr: testutil.WantExactErrorString(`error parsing response body "" on response with status code 400: unexpected end of JSON input`),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -572,7 +571,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest, http.StatusForbidden},
|
returnStatusCodes: []int{http.StatusBadRequest, http.StatusForbidden},
|
||||||
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, ""},
|
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, ""},
|
||||||
wantErr: "server responded with status 403",
|
wantErr: testutil.WantExactErrorString("server responded with status 403"),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 2,
|
wantNumRequests: 2,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -582,7 +581,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest},
|
returnStatusCodes: []int{http.StatusBadRequest},
|
||||||
returnErrBodies: []string{`{ "error":"anything_else", "error_description":"unhappy" }`},
|
returnErrBodies: []string{`{ "error":"anything_else", "error_description":"unhappy" }`},
|
||||||
wantErr: `server responded with status 400 with body: { "error":"anything_else", "error_description":"unhappy" }`,
|
wantErr: testutil.WantExactErrorString(`server responded with status 400 with body: { "error":"anything_else", "error_description":"unhappy" }`),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -592,7 +591,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusForbidden},
|
returnStatusCodes: []int{http.StatusForbidden},
|
||||||
returnErrBodies: []string{""},
|
returnErrBodies: []string{""},
|
||||||
wantErr: "server responded with status 403",
|
wantErr: testutil.WantExactErrorString("server responded with status 403"),
|
||||||
wantRetryableErrType: false,
|
wantRetryableErrType: false,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -602,7 +601,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusServiceUnavailable}, // 503
|
returnStatusCodes: []int{http.StatusServiceUnavailable}, // 503
|
||||||
returnErrBodies: []string{""},
|
returnErrBodies: []string{""},
|
||||||
wantErr: "retryable revocation error: server responded with status 503",
|
wantErr: testutil.WantExactErrorString("retryable revocation error: server responded with status 503"),
|
||||||
wantRetryableErrType: true,
|
wantRetryableErrType: true,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -612,7 +611,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.AccessTokenType,
|
tokenType: provider.AccessTokenType,
|
||||||
returnStatusCodes: []int{http.StatusBadRequest, http.StatusServiceUnavailable}, // 400, 503
|
returnStatusCodes: []int{http.StatusBadRequest, http.StatusServiceUnavailable}, // 400, 503
|
||||||
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, ""},
|
returnErrBodies: []string{`{ "error":"invalid_client", "error_description":"unhappy" }`, ""},
|
||||||
wantErr: "retryable revocation error: server responded with status 503",
|
wantErr: testutil.WantExactErrorString("retryable revocation error: server responded with status 503"),
|
||||||
wantRetryableErrType: true,
|
wantRetryableErrType: true,
|
||||||
wantNumRequests: 2,
|
wantNumRequests: 2,
|
||||||
wantTokenTypeHint: "access_token",
|
wantTokenTypeHint: "access_token",
|
||||||
@ -622,7 +621,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{http.StatusInternalServerError}, // 500
|
returnStatusCodes: []int{http.StatusInternalServerError}, // 500
|
||||||
returnErrBodies: []string{""},
|
returnErrBodies: []string{""},
|
||||||
wantErr: "retryable revocation error: server responded with status 500",
|
wantErr: testutil.WantExactErrorString("retryable revocation error: server responded with status 500"),
|
||||||
wantRetryableErrType: true,
|
wantRetryableErrType: true,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -632,7 +631,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
tokenType: provider.RefreshTokenType,
|
tokenType: provider.RefreshTokenType,
|
||||||
returnStatusCodes: []int{599}, // not defined by an RFC, but sometimes considered Network Connect Timeout Error
|
returnStatusCodes: []int{599}, // not defined by an RFC, but sometimes considered Network Connect Timeout Error
|
||||||
returnErrBodies: []string{""},
|
returnErrBodies: []string{""},
|
||||||
wantErr: "retryable revocation error: server responded with status 599",
|
wantErr: testutil.WantExactErrorString("retryable revocation error: server responded with status 599"),
|
||||||
wantRetryableErrType: true,
|
wantRetryableErrType: true,
|
||||||
wantNumRequests: 1,
|
wantNumRequests: 1,
|
||||||
wantTokenTypeHint: "refresh_token",
|
wantTokenTypeHint: "refresh_token",
|
||||||
@ -641,7 +640,7 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
name: "retryable error when the server cannot be reached",
|
name: "retryable error when the server cannot be reached",
|
||||||
tokenType: provider.AccessTokenType,
|
tokenType: provider.AccessTokenType,
|
||||||
unreachableServer: true,
|
unreachableServer: true,
|
||||||
wantErrRegexp: "^retryable revocation error: Post .*: dial tcp .*: connect: connection refused$",
|
wantErr: testutil.WantMatchingErrorString("^retryable revocation error: Post .*: dial tcp .*: connect: connection refused$"),
|
||||||
wantRetryableErrType: true,
|
wantRetryableErrType: true,
|
||||||
wantNumRequests: 0,
|
wantNumRequests: 0,
|
||||||
},
|
},
|
||||||
@ -709,13 +708,8 @@ func TestProviderConfig(t *testing.T) {
|
|||||||
require.Equal(t, tt.wantNumRequests, numRequests,
|
require.Equal(t, tt.wantNumRequests, numRequests,
|
||||||
"did not make expected number of requests to revocation endpoint")
|
"did not make expected number of requests to revocation endpoint")
|
||||||
|
|
||||||
if tt.wantErr != "" || tt.wantErrRegexp != "" { //nolint:nestif
|
if tt.wantErr != nil {
|
||||||
if tt.wantErr != "" {
|
testutil.RequireErrorStringFromErr(t, err, tt.wantErr)
|
||||||
require.EqualError(t, err, tt.wantErr)
|
|
||||||
} else {
|
|
||||||
require.Error(t, err)
|
|
||||||
require.Regexp(t, tt.wantErrRegexp, err.Error())
|
|
||||||
}
|
|
||||||
|
|
||||||
if tt.wantRetryableErrType {
|
if tt.wantRetryableErrType {
|
||||||
require.ErrorAs(t, err, &provider.RetryableRevocationError{})
|
require.ErrorAs(t, err, &provider.RetryableRevocationError{})
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
|
||||||
// SPDX-License-Identifier: Apache-2.0
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
package integration
|
package integration
|
||||||
@ -75,7 +75,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
password string
|
password string
|
||||||
grantedScopes []string
|
grantedScopes []string
|
||||||
provider *upstreamldap.Provider
|
provider *upstreamldap.Provider
|
||||||
wantError string
|
wantError testutil.RequireErrorStringFunc
|
||||||
wantAuthResponse *authenticators.Response
|
wantAuthResponse *authenticators.Response
|
||||||
wantUnauthenticated bool
|
wantUnauthenticated bool
|
||||||
}{
|
}{
|
||||||
@ -248,7 +248,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.UserSearch.UsernameAttribute = "dn"
|
p.UserSearch.UsernameAttribute = "dn"
|
||||||
p.UserSearch.Filter = ""
|
p.UserSearch.Filter = ""
|
||||||
})),
|
})),
|
||||||
wantError: `must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`,
|
wantError: testutil.WantExactErrorString(`must specify UserSearch Filter when UserSearch UsernameAttribute is "dn"`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "group search disabled",
|
name: "group search disabled",
|
||||||
@ -352,21 +352,21 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindUsername = "invalid-dn" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindUsername = "invalid-dn" })),
|
||||||
wantError: `error binding as "invalid-dn" before user search: LDAP Result Code 34 "Invalid DN Syntax": invalid DN`,
|
wantError: testutil.WantExactErrorString(`error binding as "invalid-dn" before user search: LDAP Result Code 34 "Invalid DN Syntax": invalid DN`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the bind user username is wrong",
|
name: "when the bind user username is wrong",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindUsername = "cn=wrong,dc=pinniped,dc=dev" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindUsername = "cn=wrong,dc=pinniped,dc=dev" })),
|
||||||
wantError: `error binding as "cn=wrong,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `,
|
wantError: testutil.WantExactErrorString(`error binding as "cn=wrong,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the bind user password is wrong",
|
name: "when the bind user password is wrong",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindPassword = "wrong-password" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.BindPassword = "wrong-password" })),
|
||||||
wantError: `error binding as "cn=admin,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `,
|
wantError: testutil.WantExactErrorString(`error binding as "cn=admin,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the bind user username is wrong with StartTLS: example of an error after successful connection with StartTLS",
|
name: "when the bind user username is wrong with StartTLS: example of an error after successful connection with StartTLS",
|
||||||
@ -377,7 +377,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
p.BindUsername = "cn=wrong,dc=pinniped,dc=dev"
|
p.BindUsername = "cn=wrong,dc=pinniped,dc=dev"
|
||||||
})),
|
})),
|
||||||
wantError: `error binding as "cn=wrong,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `,
|
wantError: testutil.WantExactErrorString(`error binding as "cn=wrong,dc=pinniped,dc=dev" before user search: LDAP Result Code 49 "Invalid Credentials": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the end user password is wrong",
|
name: "when the end user password is wrong",
|
||||||
@ -405,14 +405,14 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Filter = "*" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Filter = "*" })),
|
||||||
wantError: `error searching for user: LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter`,
|
wantError: testutil.WantExactErrorString(`error searching for user: LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the group search filter does not compile",
|
name: "when the group search filter does not compile",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Filter = "*" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Filter = "*" })),
|
||||||
wantError: `error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter`,
|
wantError: testutil.WantExactErrorString(`error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when there are too many search results for the user",
|
name: "when there are too many search results for the user",
|
||||||
@ -421,14 +421,14 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
||||||
p.UserSearch.Filter = "objectClass=*" // overly broad search filter
|
p.UserSearch.Filter = "objectClass=*" // overly broad search filter
|
||||||
})),
|
})),
|
||||||
wantError: `error searching for user: LDAP Result Code 4 "Size Limit Exceeded": `,
|
wantError: testutil.WantExactErrorString(`error searching for user: LDAP Result Code 4 "Size Limit Exceeded": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the server is unreachable with TLS",
|
name: "when the server is unreachable with TLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "127.0.0.1:" + unusedLocalhostPort })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "127.0.0.1:" + unusedLocalhostPort })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:%s: connect: connection refused`, unusedLocalhostPort, unusedLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:%s: connect: connection refused`, unusedLocalhostPort, unusedLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the server is unreachable with StartTLS",
|
name: "when the server is unreachable with StartTLS",
|
||||||
@ -438,14 +438,14 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.Host = "127.0.0.1:" + unusedLocalhostPort
|
p.Host = "127.0.0.1:" + unusedLocalhostPort
|
||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
})),
|
})),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:%s: connect: connection refused`, unusedLocalhostPort, unusedLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": dial tcp 127.0.0.1:%s: connect: connection refused`, unusedLocalhostPort, unusedLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the server is not parsable with TLS",
|
name: "when the server is not parsable with TLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "too:many:ports" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "too:many:ports" })),
|
||||||
wantError: `error dialing host "too:many:ports": LDAP Result Code 200 "Network Error": host "too:many:ports" is not a valid hostname or IP address`,
|
wantError: testutil.WantExactErrorString(`error dialing host "too:many:ports": LDAP Result Code 200 "Network Error": host "too:many:ports" is not a valid hostname or IP address`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the server is not parsable with StartTLS",
|
name: "when the server is not parsable with StartTLS",
|
||||||
@ -456,14 +456,14 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
p.Host = "too:many:ports"
|
p.Host = "too:many:ports"
|
||||||
})),
|
})),
|
||||||
wantError: `error dialing host "too:many:ports": LDAP Result Code 200 "Network Error": host "too:many:ports" is not a valid hostname or IP address`,
|
wantError: testutil.WantExactErrorString(`error dialing host "too:many:ports": LDAP Result Code 200 "Network Error": host "too:many:ports" is not a valid hostname or IP address`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the CA bundle is not parsable with TLS",
|
name: "when the CA bundle is not parsable with TLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = []byte("invalid-pem") })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = []byte("invalid-pem") })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": could not parse CA bundle`, ldapsLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": could not parse CA bundle`, ldapsLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the CA bundle is not parsable with StartTLS",
|
name: "when the CA bundle is not parsable with StartTLS",
|
||||||
@ -474,14 +474,14 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
p.CABundle = []byte("invalid-pem")
|
p.CABundle = []byte("invalid-pem")
|
||||||
})),
|
})),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": could not parse CA bundle`, ldapLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": could not parse CA bundle`, ldapLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the CA bundle does not cause the host to be trusted with TLS",
|
name: "when the CA bundle does not cause the host to be trusted with TLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = nil })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = nil })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": %s`, ldapsLocalhostPort, testutil.X509UntrustedCertError("Pinniped Test")),
|
wantError: testutil.WantX509UntrustedCertErrorString(fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": %%s`, ldapsLocalhostPort), "Pinniped Test"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the CA bundle does not cause the host to be trusted with StartTLS",
|
name: "when the CA bundle does not cause the host to be trusted with StartTLS",
|
||||||
@ -492,35 +492,35 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
p.CABundle = nil
|
p.CABundle = nil
|
||||||
})),
|
})),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (%s)`, ldapLocalhostPort, testutil.X509UntrustedCertError("Pinniped Test")),
|
wantError: testutil.WantX509UntrustedCertErrorString(fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (%%s)`, ldapLocalhostPort), "Pinniped Test"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when trying to use TLS to connect to a port which only supports StartTLS",
|
name: "when trying to use TLS to connect to a port which only supports StartTLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "127.0.0.1:" + ldapLocalhostPort })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.Host = "127.0.0.1:" + ldapLocalhostPort })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": EOF`, ldapLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": EOF`, ldapLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when trying to use StartTLS to connect to a port which only supports TLS",
|
name: "when trying to use StartTLS to connect to a port which only supports TLS",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.ConnectionProtocol = upstreamldap.StartTLS })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.ConnectionProtocol = upstreamldap.StartTLS })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": unable to read LDAP response packet: unexpected EOF`, ldapsLocalhostPort),
|
wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": unable to read LDAP response packet: unexpected EOF`, ldapsLocalhostPort),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UsernameAttribute attribute has multiple values in the entry",
|
name: "when the UsernameAttribute attribute has multiple values in the entry",
|
||||||
username: "wally.ldap@example.com",
|
username: "wally.ldap@example.com",
|
||||||
password: "unused-because-error-is-before-bind",
|
password: "unused-because-error-is-before-bind",
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UsernameAttribute = "mail" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UsernameAttribute = "mail" })),
|
||||||
wantError: `found 2 values for attribute "mail" while searching for user "wally.ldap@example.com", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 2 values for attribute "mail" while searching for user "wally.ldap@example.com", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UIDAttribute attribute has multiple values in the entry",
|
name: "when the UIDAttribute attribute has multiple values in the entry",
|
||||||
username: "wally",
|
username: "wally",
|
||||||
password: "unused-because-error-is-before-bind",
|
password: "unused-because-error-is-before-bind",
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "mail" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "mail" })),
|
||||||
wantError: `found 2 values for attribute "mail" while searching for user "wally", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 2 values for attribute "mail" while searching for user "wally", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UsernameAttribute attribute is not found in the entry",
|
name: "when the UsernameAttribute attribute is not found in the entry",
|
||||||
@ -530,35 +530,35 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.UserSearch.Filter = "cn={}"
|
p.UserSearch.Filter = "cn={}"
|
||||||
p.UserSearch.UsernameAttribute = "attr-does-not-exist"
|
p.UserSearch.UsernameAttribute = "attr-does-not-exist"
|
||||||
})),
|
})),
|
||||||
wantError: `found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UIDAttribute attribute is not found in the entry",
|
name: "when the UIDAttribute attribute is not found in the entry",
|
||||||
username: "wally",
|
username: "wally",
|
||||||
password: "unused-because-error-is-before-bind",
|
password: "unused-because-error-is-before-bind",
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "attr-does-not-exist" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "attr-does-not-exist" })),
|
||||||
wantError: `found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "attr-does-not-exist" while searching for user "wally", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UsernameAttribute has the wrong case",
|
name: "when the UsernameAttribute has the wrong case",
|
||||||
username: "Seal",
|
username: "Seal",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UsernameAttribute = "SN" })), // this is case-sensitive
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UsernameAttribute = "SN" })), // this is case-sensitive
|
||||||
wantError: `found 0 values for attribute "SN" while searching for user "Seal", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "SN" while searching for user "Seal", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UIDAttribute has the wrong case",
|
name: "when the UIDAttribute has the wrong case",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "SN" })), // this is case-sensitive
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.UIDAttribute = "SN" })), // this is case-sensitive
|
||||||
wantError: `found 0 values for attribute "SN" while searching for user "pinny", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "SN" while searching for user "pinny", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the GroupNameAttribute has the wrong case",
|
name: "when the GroupNameAttribute has the wrong case",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.GroupNameAttribute = "CN" })), // this is case-sensitive
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.GroupNameAttribute = "CN" })), // this is case-sensitive
|
||||||
wantError: `error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": found 0 values for attribute "CN" while searching for user "cn=pinny,ou=users,dc=pinniped,dc=dev", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": found 0 values for attribute "CN" while searching for user "cn=pinny,ou=users,dc=pinniped,dc=dev", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UsernameAttribute is DN and has the wrong case",
|
name: "when the UsernameAttribute is DN and has the wrong case",
|
||||||
@ -568,7 +568,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.UserSearch.UsernameAttribute = "DN" // dn must be lower-case
|
p.UserSearch.UsernameAttribute = "DN" // dn must be lower-case
|
||||||
p.UserSearch.Filter = "cn={}"
|
p.UserSearch.Filter = "cn={}"
|
||||||
})),
|
})),
|
||||||
wantError: `found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the UIDAttribute is DN and has the wrong case",
|
name: "when the UIDAttribute is DN and has the wrong case",
|
||||||
@ -577,7 +577,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
||||||
p.UserSearch.UIDAttribute = "DN" // dn must be lower-case
|
p.UserSearch.UIDAttribute = "DN" // dn must be lower-case
|
||||||
})),
|
})),
|
||||||
wantError: `found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`found 0 values for attribute "DN" while searching for user "pinny", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the GroupNameAttribute is DN and has the wrong case",
|
name: "when the GroupNameAttribute is DN and has the wrong case",
|
||||||
@ -586,35 +586,35 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) {
|
||||||
p.GroupSearch.GroupNameAttribute = "DN" // dn must be lower-case
|
p.GroupSearch.GroupNameAttribute = "DN" // dn must be lower-case
|
||||||
})),
|
})),
|
||||||
wantError: `error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": found 0 values for attribute "DN" while searching for user "cn=pinny,ou=users,dc=pinniped,dc=dev", but expected 1 result`,
|
wantError: testutil.WantExactErrorString(`error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": found 0 values for attribute "DN" while searching for user "cn=pinny,ou=users,dc=pinniped,dc=dev", but expected 1 result`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the user search base is invalid",
|
name: "when the user search base is invalid",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Base = "invalid-base" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Base = "invalid-base" })),
|
||||||
wantError: `error searching for user: LDAP Result Code 34 "Invalid DN Syntax": invalid DN`,
|
wantError: testutil.WantExactErrorString(`error searching for user: LDAP Result Code 34 "Invalid DN Syntax": invalid DN`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the group search base is invalid",
|
name: "when the group search base is invalid",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Base = "invalid-base" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Base = "invalid-base" })),
|
||||||
wantError: `error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 34 "Invalid DN Syntax": invalid DN`,
|
wantError: testutil.WantExactErrorString(`error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 34 "Invalid DN Syntax": invalid DN`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the user search base does not exist",
|
name: "when the user search base does not exist",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Base = "ou=does-not-exist,dc=pinniped,dc=dev" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.UserSearch.Base = "ou=does-not-exist,dc=pinniped,dc=dev" })),
|
||||||
wantError: `error searching for user: LDAP Result Code 32 "No Such Object": `,
|
wantError: testutil.WantExactErrorString(`error searching for user: LDAP Result Code 32 "No Such Object": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the group search base does not exist",
|
name: "when the group search base does not exist",
|
||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Base = "ou=does-not-exist,dc=pinniped,dc=dev" })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.GroupSearch.Base = "ou=does-not-exist,dc=pinniped,dc=dev" })),
|
||||||
wantError: `error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 32 "No Such Object": `,
|
wantError: testutil.WantExactErrorString(`error searching for group memberships for user with DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 32 "No Such Object": `),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the user search base causes no search results",
|
name: "when the user search base causes no search results",
|
||||||
@ -635,7 +635,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: "",
|
password: "",
|
||||||
provider: upstreamldap.New(*providerConfig(nil)),
|
provider: upstreamldap.New(*providerConfig(nil)),
|
||||||
wantError: `error binding for user "pinny" using provided password against DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client`,
|
wantError: testutil.WantExactErrorString(`error binding for user "pinny" using provided password against DN "cn=pinny,ou=users,dc=pinniped,dc=dev": LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client`),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the user has no password in their entry",
|
name: "when the user has no password in their entry",
|
||||||
@ -655,8 +655,8 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.grantedScopes)
|
authResponse, authenticated, err := tt.provider.AuthenticateUser(ctx, tt.username, tt.password, tt.grantedScopes)
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case tt.wantError != "":
|
case tt.wantError != nil:
|
||||||
require.EqualError(t, err, tt.wantError)
|
testutil.RequireErrorStringFromErr(t, err, tt.wantError)
|
||||||
require.False(t, authenticated, "expected the user not to be authenticated, but they were")
|
require.False(t, authenticated, "expected the user not to be authenticated, but they were")
|
||||||
require.Nil(t, authResponse)
|
require.Nil(t, authResponse)
|
||||||
case tt.wantUnauthenticated:
|
case tt.wantUnauthenticated:
|
||||||
|
Loading…
Reference in New Issue
Block a user