Error format of untrusted certificate errors should depend on OS
Go 1.18.1 started using macOS' x509 verification APIs on Macs rather than Go's own, and the resulting error messages differ. Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
parent
c624846eaa
commit
d5337c9c19
@ -955,7 +955,7 @@ func TestGetKubeconfig(t *testing.T) {
|
|||||||
},
|
},
|
||||||
wantError: true,
|
wantError: true,
|
||||||
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
wantStderr: func(issuerCABundle string, issuerURL string) string {
|
||||||
return fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": x509: certificate signed by unknown authority\n", issuerURL)
|
return fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %s\n", issuerURL, testutil.X509UntrustedCertError("Acme Co"))
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -36,6 +36,7 @@ import (
|
|||||||
"go.pinniped.dev/internal/controllerlib"
|
"go.pinniped.dev/internal/controllerlib"
|
||||||
"go.pinniped.dev/internal/crypto/ptls"
|
"go.pinniped.dev/internal/crypto/ptls"
|
||||||
"go.pinniped.dev/internal/mocks/mocktokenauthenticatorcloser"
|
"go.pinniped.dev/internal/mocks/mocktokenauthenticatorcloser"
|
||||||
|
"go.pinniped.dev/internal/testutil"
|
||||||
"go.pinniped.dev/internal/testutil/testlogger"
|
"go.pinniped.dev/internal/testutil/testlogger"
|
||||||
"go.pinniped.dev/internal/testutil/tlsserver"
|
"go.pinniped.dev/internal/testutil/tlsserver"
|
||||||
)
|
)
|
||||||
@ -293,7 +294,7 @@ func TestController(t *testing.T) {
|
|||||||
Spec: *missingTLSJWTAuthenticatorSpec,
|
Spec: *missingTLSJWTAuthenticatorSpec,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
wantErr: `failed to build jwt authenticator: could not initialize provider: Get "` + goodIssuer + `/.well-known/openid-configuration": x509: certificate signed by unknown authority`,
|
wantErr: `failed to build jwt authenticator: could not initialize provider: Get "` + goodIssuer + `/.well-known/openid-configuration": ` + testutil.X509UntrustedCertError("Acme Co"),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "invalid jwt authenticator CA",
|
name: "invalid jwt authenticator CA",
|
||||||
|
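--- /dev/null
+++ b/internal/testutil/x509_error.go
@@ -0,0 +1,19 @@
+// Copyright 2022 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package testutil
+
+import (
+	"fmt"
+	"runtime"
+)
+
+func X509UntrustedCertError(commonName string) string {
+	if runtime.GOOS == "darwin" {
+		// Golang use's macos' x509 verification APIs on darwin.
+		// This output slightly different error messages than golang's
+		// own x509 verification.
+		return fmt.Sprintf(`x509: “%s” certificate is not trusted`, commonName)
+	}
+	return `x509: certificate signed by unknown authority`
+}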
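Review bot: The exported helper `X509UntrustedCertError` has no doc comment, and the inline comment above the darwin return has typos ("Golang use's macos'", "This output"). I would add `// X509UntrustedCertError returns the exact error string crypto/x509 produces on the current GOOS when a server certificate chains to an unknown CA; commonName is the subject CN of the rejected certificate and only appears in the darwin wording, which comes from the platform verifier rather than Go's own.` and reword the inline comment to `// Go uses macOS' x509 verification APIs on darwin, which word this error differently from Go's own verifier.` It may also be worth stating in the doc comment that the darwin string presumably depends on the toolchain using the platform verifier (Go 1.18+ per the commit message), so a mismatch on an older toolchain is understood rather than mistaken for a TLS regression. Returning the full platform-specific message, as this helper does, is the right shape for these negative TLS tests: callers compare the whole error, so a future change that stops rejecting an untrusted certificate still fails loudly instead of being masked by a looser substring match.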
@ -1905,7 +1905,7 @@ func TestRealTLSDialing(t *testing.T) {
|
|||||||
caBundle: nil,
|
caBundle: nil,
|
||||||
connProto: TLS,
|
connProto: TLS,
|
||||||
context: context.Background(),
|
context: context.Background(),
|
||||||
wantError: `LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority`,
|
wantError: fmt.Sprintf(`LDAP Result Code 200 "Network Error": %s`, testutil.X509UntrustedCertError("Acme Co")),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "cannot connect to host",
|
name: "cannot connect to host",
|
||||||
|
@ -20,6 +20,7 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
|
||||||
"go.pinniped.dev/internal/authenticators"
|
"go.pinniped.dev/internal/authenticators"
|
||||||
|
"go.pinniped.dev/internal/testutil"
|
||||||
"go.pinniped.dev/internal/upstreamldap"
|
"go.pinniped.dev/internal/upstreamldap"
|
||||||
"go.pinniped.dev/test/testlib"
|
"go.pinniped.dev/test/testlib"
|
||||||
)
|
)
|
||||||
@ -467,7 +468,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
username: "pinny",
|
username: "pinny",
|
||||||
password: pinnyPassword,
|
password: pinnyPassword,
|
||||||
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = nil })),
|
provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = nil })),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority`, ldapsLocalhostPort),
|
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": %s`, ldapsLocalhostPort, testutil.X509UntrustedCertError("Pinniped Test")),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when the CA bundle does not cause the host to be trusted with StartTLS",
|
name: "when the CA bundle does not cause the host to be trusted with StartTLS",
|
||||||
@ -478,7 +479,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
|
|||||||
p.ConnectionProtocol = upstreamldap.StartTLS
|
p.ConnectionProtocol = upstreamldap.StartTLS
|
||||||
p.CABundle = nil
|
p.CABundle = nil
|
||||||
})),
|
})),
|
||||||
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (x509: certificate signed by unknown authority)`, ldapLocalhostPort),
|
wantError: fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (%s)`, ldapLocalhostPort, testutil.X509UntrustedCertError("Pinniped Test")),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "when trying to use TLS to connect to a port which only supports StartTLS",
|
name: "when trying to use TLS to connect to a port which only supports StartTLS",
|
||||||
|