fix more integration tests for multiple IDPs

Ryan Richard 2023-06-27 09:37:43 -07:00
parent 514f9964c1
commit e4f43683d4
5 changed files with 72 additions and 49 deletions


@ -140,7 +140,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
}) })
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -191,7 +191,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for // If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
@ -221,7 +222,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
}) })
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -276,8 +277,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted // The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will // scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
// assert that the expected username and groups claims/values are in the downstream ID token. // assert that the expected username and groups claims/values are in the downstream ID token.
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"}) sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
}) })
t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
@ -305,7 +306,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
}) })
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -388,7 +389,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) { t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
@ -424,7 +426,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
} }
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -524,7 +526,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) { t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) {
@ -549,7 +552,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
}) })
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -607,7 +610,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) { t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) {
@ -705,7 +709,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -743,7 +747,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for // If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
@ -759,7 +764,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -801,8 +806,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted // The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will // scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
// assert that the expected username and groups claims/values are in the downstream ID token. // assert that the expected username and groups claims/values are in the downstream ID token.
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"}) sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
}) })
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands
@ -818,7 +823,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -868,7 +873,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(usernameEnvVar))
require.NoError(t, os.Unsetenv(passwordEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands
@ -884,7 +890,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -922,7 +928,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
t.Logf("first kubectl command took %s", time.Since(start).String()) t.Logf("first kubectl command took %s", time.Since(start).String())
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands // Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands
@ -938,7 +945,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -988,7 +995,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
require.NoError(t, os.Unsetenv(usernameEnvVar)) require.NoError(t, os.Unsetenv(usernameEnvVar))
require.NoError(t, os.Unsetenv(passwordEnvVar)) require.NoError(t, os.Unsetenv(passwordEnvVar))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
@ -1006,7 +1014,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -1038,7 +1046,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow. // Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
@ -1056,7 +1065,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -1088,7 +1097,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow. // Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow.
@ -1106,7 +1116,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/test-sessions.yaml" sessionCachePath := tempDir + "/test-sessions.yaml"
@ -1144,7 +1154,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan)) requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes) requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
}) })
} }
@ -1241,7 +1252,7 @@ func waitForKubectlOutput(t *testing.T, kubectlOutputChan chan string) string {
return kubectlOutput return kubectlOutput
} }
func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib.TestEnv) { func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib.TestEnv) *idpv1alpha1.LDAPIdentityProvider {
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster. // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
testlib.CreateTestClusterRoleBinding(t, testlib.CreateTestClusterRoleBinding(t,
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username}, rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
@ -1263,7 +1274,7 @@ func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib
) )
// Create upstream LDAP provider and wait for it to become ready. // Create upstream LDAP provider and wait for it to become ready.
testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{ return testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
Host: env.SupervisorUpstreamLDAP.Host, Host: env.SupervisorUpstreamLDAP.Host,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
@ -1289,7 +1300,7 @@ func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib
}, idpv1alpha1.LDAPPhaseReady) }, idpv1alpha1.LDAPPhaseReady)
} }
func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, env *testlib.TestEnv) { func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, env *testlib.TestEnv) *idpv1alpha1.ActiveDirectoryIdentityProvider {
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster. // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
testlib.CreateTestClusterRoleBinding(t, testlib.CreateTestClusterRoleBinding(t,
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username}, rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
@ -1311,7 +1322,7 @@ func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, e
) )
// Create upstream LDAP provider and wait for it to become ready. // Create upstream LDAP provider and wait for it to become ready.
testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{ return testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
Host: env.SupervisorUpstreamActiveDirectory.Host, Host: env.SupervisorUpstreamActiveDirectory.Host,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
@ -1369,6 +1380,7 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
t *testing.T, t *testing.T,
env *testlib.TestEnv, env *testlib.TestEnv,
downstream *configv1alpha1.FederationDomain, downstream *configv1alpha1.FederationDomain,
upstreamProviderName string,
kubeconfigPath string, kubeconfigPath string,
sessionCachePath string, sessionCachePath string,
pinnipedExe string, pinnipedExe string,
@ -1392,10 +1404,11 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
sort.Strings(downstreamScopes) sort.Strings(downstreamScopes)
token := cache.GetToken(oidcclient.SessionCacheKey{ token := cache.GetToken(oidcclient.SessionCacheKey{
Issuer: downstream.Spec.Issuer, Issuer: downstream.Spec.Issuer,
ClientID: "pinniped-cli", ClientID: "pinniped-cli",
Scopes: downstreamScopes, Scopes: downstreamScopes,
RedirectURI: "http://localhost:0/callback", RedirectURI: "http://localhost:0/callback",
UpstreamProviderName: upstreamProviderName,
}) })
require.NotNil(t, token) require.NotNil(t, token)
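Review bot: The comment above the now-returned `testlib.CreateTestActiveDirectoryIdentityProvider(...)` call in the `setupClusterForEndToEndActiveDirectoryTest` hunk still reads `// Create upstream LDAP provider and wait for it to become ready.`, which looks like a copy-paste leftover from the LDAP helper; since the line directly below it changed, this is the moment to make it `// Create upstream Active Directory provider and wait for it to become ready.`. Both helpers also gained a return value without a doc comment; a one-liner such as `// setupClusterForEndToEndLDAPTest gives the test user read-only cluster access, creates the upstream LDAP provider, and returns it once it reports Ready.` (and the Active Directory counterpart) would tell callers what `createdProvider` is. In `requireUserCanUseKubectlWithoutAuthenticatingAgain` the new `upstreamProviderName` parameter is the first of four consecutive string parameters (`upstreamProviderName`, `kubeconfigPath`, `sessionCachePath`, `pinnipedExe`), so a swapped argument at any of the many call sites compiles silently and only surfaces as a cache miss at `require.NotNil(t, token)`; a brief parameter comment or a small options struct would make that harder to get wrong. All three functions start outside their hunks.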

View File

@ -441,7 +441,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all // over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the // Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
// format has changed. // format has changed.
require.Equal(t, 230, foundFieldNames, require.Equal(t, 254, foundFieldNames,
"Expected to find all known fields of all Pinniped API resources. "+ "Expected to find all known fields of all Pinniped API resources. "+
"You may will need to update this expectation if you added new fields to the API types.", "You may will need to update this expectation if you added new fields to the API types.",
) )


@ -2539,7 +2539,14 @@ func makeAuthorizationRequestAndRequireSecurityHeaders(ctx context.Context, t *t
require.NoError(t, err) require.NoError(t, err)
authorizeResp, err := httpClient.Do(authorizeRequest) authorizeResp, err := httpClient.Do(authorizeRequest)
require.NoError(t, err) require.NoError(t, err)
body, err := io.ReadAll(authorizeResp.Body)
require.NoError(t, err)
require.NoError(t, authorizeResp.Body.Close()) require.NoError(t, authorizeResp.Body.Close())
if authorizeResp.StatusCode >= 400 {
// The request should not have failed, so print the response for debugging purposes.
t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response: %#v", authorizeResp)
t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response body: %q", body)
}
expectSecurityHeaders(t, authorizeResp, false) expectSecurityHeaders(t, authorizeResp, false)
} }
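Review bot: The diagnostic line `t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response: %#v", authorizeResp)` prints the whole `*http.Response` value including its `Header` map, and for an authorization endpoint that can carry `Set-Cookie` values, which would then sit in CI logs although only the status is needed to diagnose a failure. A narrower line such as `t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response status: %d", authorizeResp.StatusCode)` next to the existing body log gives the same signal. The `>= 400` branch only logs and then falls through to `expectSecurityHeaders`, so if a failed authorization is meant to fail this helper — the comment says the request should not have failed — the status assertion either lives outside the hunk or is missing; worth confirming. `io.ReadAll` also assumes `io` is already imported in this file, which cannot be verified from the hunk. The function starts outside the hunk.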


@ -91,7 +91,7 @@ func TestAuthorizeCodeStorage(t *testing.T) {
// Note that CreateAuthorizeCodeSession() sets Active to true and also sets the Version before storing the session, // Note that CreateAuthorizeCodeSession() sets Active to true and also sets the Version before storing the session,
// so expect those here. // so expect those here.
session.Active = true session.Active = true
session.Version = "4" // this is the value of the authorizationcode.authorizeCodeStorageVersion constant session.Version = "5" // this is the value of the authorizationcode.authorizeCodeStorageVersion constant
expectedSessionStorageJSON, err := json.Marshal(session) expectedSessionStorageJSON, err := json.Marshal(session)
require.NoError(t, err) require.NoError(t, err)
require.JSONEq(t, string(expectedSessionStorageJSON), string(initialSecret.Data["pinniped-storage-data"])) require.JSONEq(t, string(expectedSessionStorageJSON), string(initialSecret.Data["pinniped-storage-data"]))


@ -106,7 +106,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
setupClusterForEndToEndLDAPTest(t, expectedUsername, env) createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
// Use a specific session cache for this test. // Use a specific session cache for this test.
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml" sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
@ -174,10 +174,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"} downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
sort.Strings(downstreamScopes) sort.Strings(downstreamScopes)
sessionCacheKey := oidcclient.SessionCacheKey{ sessionCacheKey := oidcclient.SessionCacheKey{
Issuer: downstream.Spec.Issuer, Issuer: downstream.Spec.Issuer,
ClientID: "pinniped-cli", ClientID: "pinniped-cli",
Scopes: downstreamScopes, Scopes: downstreamScopes,
RedirectURI: "http://localhost:0/callback", RedirectURI: "http://localhost:0/callback",
UpstreamProviderName: createdProvider.Name,
} }
// use it to get the cache entry // use it to get the cache entry
token := cache.GetToken(sessionCacheKey) token := cache.GetToken(sessionCacheKey)
@ -195,7 +196,8 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
// change the groups to simulate them changing in the IDP. // change the groups to simulate them changing in the IDP.
pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession) pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession)
require.True(t, ok, "should have been able to cast session data to PinnipedSession") require.True(t, ok, "should have been able to cast session data to PinnipedSession")
pinnipedSession.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"} pinnipedSession.Custom.UpstreamGroups = []string{"some-wrong-group", "some-other-group"} // update upstream groups
pinnipedSession.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"} // update downstream groups
require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, refreshTokenSignature)) require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, refreshTokenSignature))
require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, refreshTokenSignature, storedRefreshSession)) require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, refreshTokenSignature, storedRefreshSession))
@ -372,7 +374,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
}) })
// Create upstream OIDC provider and wait for it to become ready. // Create upstream OIDC provider and wait for it to become ready.
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{ createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
Issuer: env.SupervisorUpstreamOIDC.Issuer, Issuer: env.SupervisorUpstreamOIDC.Issuer,
TLS: &idpv1alpha1.TLSSpec{ TLS: &idpv1alpha1.TLSSpec{
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
@ -482,10 +484,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"} downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
sort.Strings(downstreamScopes) sort.Strings(downstreamScopes)
sessionCacheKey := oidcclient.SessionCacheKey{ sessionCacheKey := oidcclient.SessionCacheKey{
Issuer: downstream.Spec.Issuer, Issuer: downstream.Spec.Issuer,
ClientID: "pinniped-cli", ClientID: "pinniped-cli",
Scopes: downstreamScopes, Scopes: downstreamScopes,
RedirectURI: "http://localhost:0/callback", RedirectURI: "http://localhost:0/callback",
UpstreamProviderName: createdProvider.Name,
} }
// use it to get the cache entry // use it to get the cache entry
token := cache.GetToken(sessionCacheKey) token := cache.GetToken(sessionCacheKey)
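Review bot: The two lines that overwrite `pinnipedSession.Custom.UpstreamGroups` and `pinnipedSession.Fosite.Claims.Extra["groups"]` in the refresh-session hunk repeat the same `[]string{"some-wrong-group", "some-other-group"}` literal; the test relies on both views of the groups being changed in step, so hoisting it once as `wrongGroups := []string{"some-wrong-group", "some-other-group"}` and then assigning `pinnipedSession.Custom.UpstreamGroups = wrongGroups` and `pinnipedSession.Fosite.Claims.Extra["groups"] = wrongGroups` keeps them from drifting. If either side is later modified in place, give each field its own copy rather than sharing one backing array. The trailing `// update upstream groups` / `// update downstream groups` comments are useful and should stay with whichever form is chosen. The enclosing subtest closure starts and ends outside the hunk.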