Use a random password for the dex integration test user

Signed-off-by: Ryan Richard <richardry@vmware.com>
2021-03-25 15:12:17 -07:00 · 2021-03-25 15:12:17 -07:00 · cd6e48bfa8
parent c0361645e2
commit cd6e48bfa8
3 changed files with 8 additions and 3 deletions
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -210,12 +210,14 @@ if ! tilt_mode; then
  #
  # Deploy dex
  #
+  dex_test_password="$(openssl rand -hex 16)"
  pushd test/deploy/dex >/dev/null

  log_note "Deploying Dex to the cluster..."
  ytt --file . >"$manifest"
  ytt --file . \
    --data-value-yaml "supervisor_redirect_uris=[https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback]" \
+    --data-value "pinny_bcrypt_passwd_hash=$(htpasswd -nbBC 10 x "$dex_test_password" | sed -e "s/^x://")" \
    >"$manifest"

  kubectl apply --dry-run=client -f "$manifest" # Validate manifest schema.
@ -328,7 +330,7 @@ export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
 export PINNIPED_TEST_CLI_OIDC_CLIENT_ID=pinniped-cli
 export PINNIPED_TEST_CLI_OIDC_CALLBACK_URL=http://127.0.0.1:48095/callback
 export PINNIPED_TEST_CLI_OIDC_USERNAME=pinny@example.com
-export PINNIPED_TEST_CLI_OIDC_PASSWORD=password
+export PINNIPED_TEST_CLI_OIDC_PASSWORD=${dex_test_password}
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER=https://dex.dex.svc.cluster.local/dex
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ISSUER_CA_BUNDLE="${test_ca_bundle_pem}"
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES=email
@ -338,7 +340,7 @@ export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_ID=pinniped-supervisor
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CLIENT_SECRET=pinniped-supervisor-secret
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL=https://pinniped-supervisor-clusterip.supervisor.svc.cluster.local/some/path/callback
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME=pinny@example.com
-export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=password
+export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_PASSWORD=${dex_test_password}
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_EXPECTED_GROUPS= # Dex's local user store does not let us configure groups.
 export PINNIPED_TEST_API_GROUP_SUFFIX='${api_group_suffix}'

--- a/test/deploy/dex/dex.yaml
+++ b/test/deploy/dex/dex.yaml
@ -32,7 +32,7 @@ enablePasswordDB: true
 staticPasswords:
 - username: "pinny"
  email: "pinny@example.com"
-  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password")
+  hash: #@ data.values.pinny_bcrypt_passwd_hash
  userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
 #@ end

--- a/test/deploy/dex/values.yaml
+++ b/test/deploy/dex/values.yaml
@ -19,3 +19,6 @@ ports:
 #! supervisor_redirect_uris is an array of redirect uris that dex will use for its pinniped-supervisor client.
 #! usage: --data-value-yaml "supervisor_redirect_uris=[some-redirect.com,some-other-redirect.com]"
 supervisor_redirect_uris: []
+
+#! The bcrypt-hashed password of the pinny test user account.
+pinny_bcrypt_passwd_hash: