From f302e71b0f9b99b3272766759a51904eca48f97c Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 26 Sep 2022 12:40:07 -0700
Subject: [PATCH] Fix some integration tests' handling of groups to work with Okta
---
 test/integration/e2e_test.go | 3 ++-
 test/integration/supervisor_login_test.go | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/test/integration/e2e_test.go b/test/integration/e2e_test.go
index ff02ca60..8e517675 100644
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -207,6 +207,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 page := browsertest.Open(t)
 expectedUsername := env.SupervisorUpstreamOIDC.Username
+ expectedGroups := env.SupervisorUpstreamOIDC.ExpectedGroups
 // Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
 testlib.CreateTestClusterRoleBinding(t,
@@ -277,7 +278,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
 // scopes returned by the Supervisor, so list the requested scopes from the CLI flag here. This helper will
 // assert that the expected username and groups claims/values are in the downstream ID token.
 requireUserCanUseKubectlWithoutAuthenticatingAgain(testCtx, t, env, downstream, kubeconfigPath, sessionCachePath,
- pinnipedExe, expectedUsername, []string{}, []string{"offline_access", "openid", "pinniped:request-audience"})
+ pinnipedExe, expectedUsername, expectedGroups, []string{"offline_access", "openid", "pinniped:request-audience"})
 })
 t.Run("with Supervisor OIDC upstream IDP and manual authcode copy-paste from browser flow", func(t *testing.T) {
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 7da23d01..a2f613e4 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
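Review bot: In the `@@ -277,7 +278,7 @@` hunk of e2e_test.go, `requireUserCanUseKubectlWithoutAuthenticatingAgain` now receives `expectedGroups` where it used to receive the literal `[]string{}`, and that value comes straight from `env.SupervisorUpstreamOIDC.ExpectedGroups` (first hunk) with no normalisation. If an environment leaves the field unset it may be nil rather than an empty slice, and whether the helper's groups assertion treats the two as equal is not visible here, so that case is worth checking. Because the assertion is about the groups claim in the downstream ID token, a short comment at the assignment would help, e.g. `// Groups expected in the downstream ID token; may be nil/empty if the env does not set them.`. Other subtests of `TestE2EFullIntegration_Browser` that call the same helper lie outside the hunk and may need the same change.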
@@ -1292,6 +1292,10 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 name: "oidc upstream with downstream dynamic client happy path, requesting all scopes",
 maybeSkip: skipNever,
 createIDP: func(t *testing.T) string {
+ spec := basicOIDCIdentityProviderSpec()
+ spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
+ }
 return testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady).Name
 },
 createOIDCClient: func(t *testing.T, callbackURL string) (string, string) {
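Review bot: The `spec` built in the added lines of `createIDP` is never passed on: the unchanged `return` still calls `testlib.CreateTestOIDCIdentityProvider(t, basicOIDCIdentityProviderSpec(), idpv1alpha1.PhaseReady)`, so the identity provider is created from a fresh basic spec and the `AdditionalScopes` from `env.SupervisorUpstreamOIDC.AdditionalScopes` are dropped. The case is named "requesting all scopes", so as written it presumably still runs without the upstream scopes this commit means to add, and any groups check against Okta would not exercise the intended configuration. The return should use the local value: `return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name`. The enclosing table entry and `TestSupervisorLogin_Browser` continue outside the hunk.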