From cd6e48bfa8476a8ded74eec53bca821c4b7d626c Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Thu, 25 Mar 2021 15:12:17 -0700 Subject: [PATCH] Use a random password for the dex integration test user Signed-off-by: Ryan Richard --- hack/prepare-for-integration-tests.sh | 6 ++++-- test/deploy/dex/dex.yaml | 2 +- test/deploy/dex/values.yaml | 3 +++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh index e317c8f9..6c6d522d 100755 --- a/hack/prepare-for-integration-tests.sh +++ b/hack/prepare-for-integration-tests.sh @@ -210,12 +210,14 @@ if ! tilt_mode; then # # Deploy dex # + dex_test_password="$(openssl rand -hex 16)" pushd test/deploy/dex >/dev/null log_note "Deploying Dex to the cluster..." ytt --file . >"$manifest" ytt --file . \ --data-value-yaml "supervisor_redirect_uris=[https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback]" \ + --data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \ >"$manifest" kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema. @@ -328,7 +330,7 @@ export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}" export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com -export PINNIPED_TEST_CLI_OIDC_PASSWORD=password +export PINNIPED_TEST_CLI_OIDC_PASSWORD=${dex_test_password} export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.dex.svc.cluster.local/dex export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}" export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES=email @@ -338,7 +340,7 @@ export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com -export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=password +export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=${dex_test_password} export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups. export PINNIPED_TEST_API_GROUP_SUFFIX='${api_group_suffix}' diff --git a/test/deploy/dex/dex.yaml b/test/deploy/dex/dex.yaml index 624e14c9..5ca41cb7 100644 --- a/test/deploy/dex/dex.yaml +++ b/test/deploy/dex/dex.yaml @@ -32,7 +32,7 @@ enablePasswordDB: true staticPasswords: - username: "pinny" email: "pinny@example.com" - hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password") + hash: #@ data.values.pinny_bcrypt_passwd_hash userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa" #@ end diff --git a/test/deploy/dex/values.yaml b/test/deploy/dex/values.yaml index 56e72c36..1f15c85e 100644 --- a/test/deploy/dex/values.yaml +++ b/test/deploy/dex/values.yaml @@ -19,3 +19,6 @@ ports: #! supervisor_redirect_uris is an array of redirect uris that dex will use for its pinniped-supervisor client. #! usage: --data-value-yaml "supervisor_redirect_uris=[some-redirect.com,some-other-redirect.com]" supervisor_redirect_uris: [] + +#! The bcrypt-hashed password of the pinny test user account. +pinny_bcrypt_passwd_hash: