fix more integration tests for multiple IDPs
This commit is contained in:
parent
514f9964c1
commit
e4f43683d4
@ -140,7 +140,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -191,7 +191,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
|
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
|
||||||
@ -221,7 +222,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -276,8 +277,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
|
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
|
||||||
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
|
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
|
||||||
// assert that the expected username and groups claims/values are in the downstream ID token.
|
// assert that the expected username and groups claims/values are in the downstream ID token.
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath,
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
|
t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
|
||||||
@ -305,7 +306,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -388,7 +389,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
t.Logf("first kubectl command took %s", time.Since(start).String())
|
t.Logf("first kubectl command took %s", time.Since(start).String())
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
|
t.Run("access token based refresh with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
|
||||||
@ -424,7 +426,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -524,7 +526,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
t.Logf("first kubectl command took %s", time.Since(start).String())
|
t.Logf("first kubectl command took %s", time.Since(start).String())
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) {
|
t.Run("with Supervisor OIDC upstream IDP and CLI password flow without web browser", func(t *testing.T) {
|
||||||
@ -549,7 +552,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -607,7 +610,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
t.Logf("first kubectl command took %s", time.Since(start).String())
|
t.Logf("first kubectl command took %s", time.Since(start).String())
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) {
|
t.Run("with Supervisor OIDC upstream IDP and CLI password flow when OIDCIdentityProvider disallows it", func(t *testing.T) {
|
||||||
@ -705,7 +709,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -743,7 +747,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
t.Logf("first kubectl command took %s", time.Since(start).String())
|
t.Logf("first kubectl command took %s", time.Since(start).String())
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
|
// If the username and groups scope are not requested by the CLI, then the CLI still gets them, to allow for
|
||||||
@ -759,7 +764,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -801,8 +806,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
|
// The scopes portion of the cache key is made up of the requested scopes from the CLI flag, not the granted
|
||||||
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
|
// scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
|
||||||
// assert that the expected username and groups claims/values are in the downstream ID token.
|
// assert that the expected username and groups claims/values are in the downstream ID token.
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath,
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands
|
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands
|
||||||
@ -818,7 +823,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -868,7 +873,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
require.NoError(t, os.Unsetenv(usernameEnvVar))
|
require.NoError(t, os.Unsetenv(usernameEnvVar))
|
||||||
require.NoError(t, os.Unsetenv(passwordEnvVar))
|
require.NoError(t, os.Unsetenv(passwordEnvVar))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands
|
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands
|
||||||
@ -884,7 +890,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
||||||
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
||||||
|
|
||||||
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -922,7 +928,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
t.Logf("first kubectl command took %s", time.Since(start).String())
|
t.Logf("first kubectl command took %s", time.Since(start).String())
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands
|
// Add an ActiveDirectory upstream IDP and try using it to authenticate during kubectl commands
|
||||||
@ -938,7 +945,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
||||||
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
||||||
|
|
||||||
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -988,7 +995,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
require.NoError(t, os.Unsetenv(usernameEnvVar))
|
require.NoError(t, os.Unsetenv(usernameEnvVar))
|
||||||
require.NoError(t, os.Unsetenv(passwordEnvVar))
|
require.NoError(t, os.Unsetenv(passwordEnvVar))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
|
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
|
||||||
@ -1006,7 +1014,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -1038,7 +1046,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
|
// Add an Active Directory upstream IDP and try using it to authenticate during kubectl commands, using the browser flow.
|
||||||
@ -1056,7 +1065,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
expectedUsername := env.SupervisorUpstreamActiveDirectory.TestUserPrincipalNameValue
|
||||||
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
expectedGroups := env.SupervisorUpstreamActiveDirectory.TestUserIndirectGroupsSAMAccountPlusDomainNames
|
||||||
|
|
||||||
setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -1088,7 +1097,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
|
|
||||||
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow.
|
// Add an LDAP upstream IDP and try using it to authenticate during kubectl commands, using the env var to choose the browser flow.
|
||||||
@ -1106,7 +1116,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
expectedGroups := env.SupervisorUpstreamLDAP.TestUserDirectGroupsDNs
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||||
@ -1144,7 +1154,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
|||||||
|
|
||||||
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
requireKubectlGetNamespaceOutput(t, env, waitForKubectlOutput(t, kubectlOutputChan))
|
||||||
|
|
||||||
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, createdProvider.Name, kubeconfigPath,
|
||||||
|
sessionCachePath, pinnipedExe, expectedUsername, expectedGroups, allScopes)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1241,7 +1252,7 @@ func waitForKubectlOutput(t *testing.T, kubectlOutputChan chan string) string {
|
|||||||
return kubectlOutput
|
return kubectlOutput
|
||||||
}
|
}
|
||||||
|
|
||||||
func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib.TestEnv) {
|
func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib.TestEnv) *idpv1alpha1.LDAPIdentityProvider {
|
||||||
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
|
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
|
||||||
testlib.CreateTestClusterRoleBinding(t,
|
testlib.CreateTestClusterRoleBinding(t,
|
||||||
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
|
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
|
||||||
@ -1263,7 +1274,7 @@ func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib
|
|||||||
)
|
)
|
||||||
|
|
||||||
// Create upstream LDAP provider and wait for it to become ready.
|
// Create upstream LDAP provider and wait for it to become ready.
|
||||||
testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
|
return testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
|
||||||
Host: env.SupervisorUpstreamLDAP.Host,
|
Host: env.SupervisorUpstreamLDAP.Host,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
|
||||||
@ -1289,7 +1300,7 @@ func setupClusterForEndToEndLDAPTest(t *testing.T, username string, env *testlib
|
|||||||
}, idpv1alpha1.LDAPPhaseReady)
|
}, idpv1alpha1.LDAPPhaseReady)
|
||||||
}
|
}
|
||||||
|
|
||||||
func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, env *testlib.TestEnv) {
|
func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, env *testlib.TestEnv) *idpv1alpha1.ActiveDirectoryIdentityProvider {
|
||||||
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
|
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
|
||||||
testlib.CreateTestClusterRoleBinding(t,
|
testlib.CreateTestClusterRoleBinding(t,
|
||||||
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
|
rbacv1.Subject{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: username},
|
||||||
@ -1311,7 +1322,7 @@ func setupClusterForEndToEndActiveDirectoryTest(t *testing.T, username string, e
|
|||||||
)
|
)
|
||||||
|
|
||||||
// Create upstream LDAP provider and wait for it to become ready.
|
// Create upstream LDAP provider and wait for it to become ready.
|
||||||
testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
|
return testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
|
||||||
Host: env.SupervisorUpstreamActiveDirectory.Host,
|
Host: env.SupervisorUpstreamActiveDirectory.Host,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
|
||||||
@ -1369,6 +1380,7 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
|
|||||||
t *testing.T,
|
t *testing.T,
|
||||||
env *testlib.TestEnv,
|
env *testlib.TestEnv,
|
||||||
downstream *configv1alpha1.FederationDomain,
|
downstream *configv1alpha1.FederationDomain,
|
||||||
|
upstreamProviderName string,
|
||||||
kubeconfigPath string,
|
kubeconfigPath string,
|
||||||
sessionCachePath string,
|
sessionCachePath string,
|
||||||
pinnipedExe string,
|
pinnipedExe string,
|
||||||
@ -1392,10 +1404,11 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
|
|||||||
|
|
||||||
sort.Strings(downstreamScopes)
|
sort.Strings(downstreamScopes)
|
||||||
token := cache.GetToken(oidcclient.SessionCacheKey{
|
token := cache.GetToken(oidcclient.SessionCacheKey{
|
||||||
Issuer: downstream.Spec.Issuer,
|
Issuer: downstream.Spec.Issuer,
|
||||||
ClientID: "pinniped-cli",
|
ClientID: "pinniped-cli",
|
||||||
Scopes: downstreamScopes,
|
Scopes: downstreamScopes,
|
||||||
RedirectURI: "http://localhost:0/callback",
|
RedirectURI: "http://localhost:0/callback",
|
||||||
|
UpstreamProviderName: upstreamProviderName,
|
||||||
})
|
})
|
||||||
require.NotNil(t, token)
|
require.NotNil(t, token)
|
||||||
|
|
||||||
|
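Review bot: In requireUserCanUseKubectlWithoutAuthenticatingAgain (hunk at -1392) the lookup `token := cache.GetToken(oidcclient.SessionCacheKey{...})` now carries `UpstreamProviderName: upstreamProviderName`, but the test only asserts that the entry is found, so a cache that ignored the new field would still pass; add a negative lookup with the same key and a different `UpstreamProviderName` (for example `upstreamProviderName + "-other"`) followed by `require.Nil` on its result to show that sessions are actually partitioned per IDP. Only the positive check is visible here and the enclosing function starts before this hunk, so a sibling assertion may exist outside my view. Separately, in setupClusterForEndToEndActiveDirectoryTest (hunk at -1311) the context comment above the now-returned `testlib.CreateTestActiveDirectoryIdentityProvider(...)` call still reads `// Create upstream LDAP provider and wait for it to become ready.`; it should say `// Create upstream Active Directory provider and wait for it to become ready.`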
@ -441,7 +441,7 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
|
|||||||
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
|
// over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all
|
||||||
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
|
// Pinniped API resources. Without this, the test could accidentally skip parts of the tree if the
|
||||||
// format has changed.
|
// format has changed.
|
||||||
require.Equal(t, 230, foundFieldNames,
|
require.Equal(t, 254, foundFieldNames,
|
||||||
"Expected to find all known fields of all Pinniped API resources. "+
|
"Expected to find all known fields of all Pinniped API resources. "+
|
||||||
"You may will need to update this expectation if you added new fields to the API types.",
|
"You may will need to update this expectation if you added new fields to the API types.",
|
||||||
)
|
)
|
||||||
|
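Review bot: The assertion message on the line after the updated `require.Equal(t, 254, foundFieldNames,` still reads `"You may will need to update this expectation if you added new fields to the API types."`; since this hunk already rewrites the assertion, fix the stray word at the same time: `"You will need to update this expectation if you added new fields to the API types.",`. A one-line comment above the assertion naming which API change moved the count from 230 to 254 would also help whoever has to bump it next, though this diff does not show which fields were added.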
@ -2539,7 +2539,14 @@ func makeAuthorizationRequestAndRequireSecurityHeaders(ctx context.Context, t *t
|
|||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
authorizeResp, err := httpClient.Do(authorizeRequest)
|
authorizeResp, err := httpClient.Do(authorizeRequest)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
body, err := io.ReadAll(authorizeResp.Body)
|
||||||
|
require.NoError(t, err)
|
||||||
require.NoError(t, authorizeResp.Body.Close())
|
require.NoError(t, authorizeResp.Body.Close())
|
||||||
|
if authorizeResp.StatusCode >= 400 {
|
||||||
|
// The request should not have failed, so print the response for debugging purposes.
|
||||||
|
t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response: %#v", authorizeResp)
|
||||||
|
t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response body: %q", body)
|
||||||
|
}
|
||||||
expectSecurityHeaders(t, authorizeResp, false)
|
expectSecurityHeaders(t, authorizeResp, false)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
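Review bot: The new debugging branch in makeAuthorizationRequestAndRequireSecurityHeaders logs the whole response with `t.Logf("... authorization response: %#v", authorizeResp)`, which prints the `Header` map of an authorization-endpoint response; that map can carry `Set-Cookie` and `Location` values, so the status line plus the body you already captured are the safer things to put in test output. Consider `t.Logf("makeAuthorizationRequestAndRequireSecurityHeaders authorization response status: %s", authorizeResp.Status)` in place of the `%#v` line, keeping the `%q` body line as is. The comment says the request should not have failed, yet the branch only logs and then falls through to `expectSecurityHeaders(t, authorizeResp, false)`; if a 4xx/5xx is genuinely unexpected here, `require.Less(t, authorizeResp.StatusCode, 400)` after the log would make that explicit, but I cannot tell from this hunk whether some callers intentionally check security headers on error responses too. The function's signature begins outside the hunk.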
@ -91,7 +91,7 @@ func TestAuthorizeCodeStorage(t *testing.T) {
|
|||||||
// Note that CreateAuthorizeCodeSession() sets Active to true and also sets the Version before storing the session,
|
// Note that CreateAuthorizeCodeSession() sets Active to true and also sets the Version before storing the session,
|
||||||
// so expect those here.
|
// so expect those here.
|
||||||
session.Active = true
|
session.Active = true
|
||||||
session.Version = "4" // this is the value of the authorizationcode.authorizeCodeStorageVersion constant
|
session.Version = "5" // this is the value of the authorizationcode.authorizeCodeStorageVersion constant
|
||||||
expectedSessionStorageJSON, err := json.Marshal(session)
|
expectedSessionStorageJSON, err := json.Marshal(session)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
require.JSONEq(t, string(expectedSessionStorageJSON), string(initialSecret.Data["pinniped-storage-data"]))
|
require.JSONEq(t, string(expectedSessionStorageJSON), string(initialSecret.Data["pinniped-storage-data"]))
|
||||||
|
@ -106,7 +106,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
|||||||
|
|
||||||
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
expectedUsername := env.SupervisorUpstreamLDAP.TestUserMailAttributeValue
|
||||||
|
|
||||||
setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||||
|
|
||||||
// Use a specific session cache for this test.
|
// Use a specific session cache for this test.
|
||||||
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
|
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
|
||||||
@ -174,10 +174,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
|||||||
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
|
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
|
||||||
sort.Strings(downstreamScopes)
|
sort.Strings(downstreamScopes)
|
||||||
sessionCacheKey := oidcclient.SessionCacheKey{
|
sessionCacheKey := oidcclient.SessionCacheKey{
|
||||||
Issuer: downstream.Spec.Issuer,
|
Issuer: downstream.Spec.Issuer,
|
||||||
ClientID: "pinniped-cli",
|
ClientID: "pinniped-cli",
|
||||||
Scopes: downstreamScopes,
|
Scopes: downstreamScopes,
|
||||||
RedirectURI: "http://localhost:0/callback",
|
RedirectURI: "http://localhost:0/callback",
|
||||||
|
UpstreamProviderName: createdProvider.Name,
|
||||||
}
|
}
|
||||||
// use it to get the cache entry
|
// use it to get the cache entry
|
||||||
token := cache.GetToken(sessionCacheKey)
|
token := cache.GetToken(sessionCacheKey)
|
||||||
@ -195,7 +196,8 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
|||||||
// change the groups to simulate them changing in the IDP.
|
// change the groups to simulate them changing in the IDP.
|
||||||
pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession)
|
pinnipedSession, ok := storedRefreshSession.GetSession().(*psession.PinnipedSession)
|
||||||
require.True(t, ok, "should have been able to cast session data to PinnipedSession")
|
require.True(t, ok, "should have been able to cast session data to PinnipedSession")
|
||||||
pinnipedSession.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"}
|
pinnipedSession.Custom.UpstreamGroups = []string{"some-wrong-group", "some-other-group"} // update upstream groups
|
||||||
|
pinnipedSession.Fosite.Claims.Extra["groups"] = []string{"some-wrong-group", "some-other-group"} // update downstream groups
|
||||||
|
|
||||||
require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, refreshTokenSignature))
|
require.NoError(t, oauthStore.DeleteRefreshTokenSession(ctx, refreshTokenSignature))
|
||||||
require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, refreshTokenSignature, storedRefreshSession))
|
require.NoError(t, oauthStore.CreateRefreshTokenSession(ctx, refreshTokenSignature, storedRefreshSession))
|
||||||
@ -372,7 +374,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
|||||||
})
|
})
|
||||||
|
|
||||||
// Create upstream OIDC provider and wait for it to become ready.
|
// Create upstream OIDC provider and wait for it to become ready.
|
||||||
testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||||
TLS: &idpv1alpha1.TLSSpec{
|
TLS: &idpv1alpha1.TLSSpec{
|
||||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
|
||||||
@ -482,10 +484,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
|||||||
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
|
downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
|
||||||
sort.Strings(downstreamScopes)
|
sort.Strings(downstreamScopes)
|
||||||
sessionCacheKey := oidcclient.SessionCacheKey{
|
sessionCacheKey := oidcclient.SessionCacheKey{
|
||||||
Issuer: downstream.Spec.Issuer,
|
Issuer: downstream.Spec.Issuer,
|
||||||
ClientID: "pinniped-cli",
|
ClientID: "pinniped-cli",
|
||||||
Scopes: downstreamScopes,
|
Scopes: downstreamScopes,
|
||||||
RedirectURI: "http://localhost:0/callback",
|
RedirectURI: "http://localhost:0/callback",
|
||||||
|
UpstreamProviderName: createdProvider.Name,
|
||||||
}
|
}
|
||||||
// use it to get the cache entry
|
// use it to get the cache entry
|
||||||
token := cache.GetToken(sessionCacheKey)
|
token := cache.GetToken(sessionCacheKey)
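Review bot: The `oidcclient.SessionCacheKey` literal, including the newly added `UpstreamProviderName: createdProvider.Name`, is built twice in this file with byte-identical values (the hunks at -174 and -482), so the two subtests can drift the next time a key field is added. Pulling it into a small test helper keeps the scope list, the `sort.Strings` call and the provider name in one place, and the call site becomes `sessionCacheKey := testSessionCacheKey(downstream.Spec.Issuer, createdProvider.Name)`. Presumably the provider name is now part of the key so that the CLI's cached session is looked up per upstream IDP; a one-line comment on the field saying so would help the next reader. The enclosing test function starts outside these hunks.
```go
// testSessionCacheKey builds the key under which the CLI is expected to cache the session for the
// downstream issuer and the upstream provider used in these subtests.
func testSessionCacheKey(issuer, upstreamProviderName string) oidcclient.SessionCacheKey {
	downstreamScopes := []string{"offline_access", "openid", "pinniped:request-audience", "groups"}
	sort.Strings(downstreamScopes)
	return oidcclient.SessionCacheKey{
		Issuer:               issuer,
		ClientID:             "pinniped-cli",
		Scopes:               downstreamScopes,
		RedirectURI:          "http://localhost:0/callback",
		UpstreamProviderName: upstreamProviderName, // cached sessions are keyed per upstream IDP
	}
}
```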
|
||||||
|