Commit Graph

876 Commits

Author SHA1 Message Date
Ryan Richard
0501159ac0 Show an IDP chooser UI when appropriate from authorize endpoint 2023-10-30 11:05:53 -07:00
Ryan Richard
bbf4412ff3 tolerate arm64 in tools deployments and jobs 2023-10-09 10:00:34 -07:00
Ryan Richard
826d8236d9 Use bitnami/openldap in integration tests instead of our old fork 2023-10-04 10:11:46 -07:00
Ryan Richard
62c597eb3b Show errors from the form_post POST request on the page 2023-10-02 09:53:53 -07:00
Ryan Richard
87b7ea14d5 fix flake seen in pod_shutdown_test.go 2023-09-26 14:06:04 -07:00
Ryan Richard
5e06c6d5ad add integration test for graceful shutdowns which release leader leases 2023-09-25 09:51:17 -07:00
Ryan Richard
cd1e4bacf8 trying to avoid flake on Okta login page in browser 2023-09-19 08:58:22 -07:00
Joshua Casey
4a89a9fa16 Update LDAP integration tests for changes in github.com/go-ldap/ldap/v3 2023-09-18 10:45:32 -05:00
Ryan Richard
5573c629b5 remove extra timeoutCtx for exec.CommandContext invocations in e2e test
These extra timeout contexts were only in the new multiple IDPs e2e
test. Remove this possible cause of test cleanup flakes where the test
runs slow enough in CI that this timeout context has already expired
and then the cleanup function fails with context deadline exceeded
errors.
2023-09-13 12:48:10 -07:00
Ryan Richard
a7bd494ec3 update FederationDomain.status.conditions to come from metav1 2023-09-11 13:06:52 -07:00
Ryan Richard
b6f0dc3ba7 Fix conflicts caused from rebasing main into multiple IDPs branch 2023-09-11 11:15:40 -07:00
Ryan Richard
e2bdab9e2d add the IDP display name to the downstream ID token's sub claim
To make the subject of the downstream ID token more unique when
there are multiple IDPs. It is possible to define two IDPs in a
FederationDomain using the same identity provider CR, in which
case the only thing that would make the subject claim different
is adding the IDP display name into the values of the subject claim.
2023-09-11 11:15:40 -07:00
Ryan Richard
b2656b9cb1 add new unit tests in auth_handler_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
2eb82cc1d7 Add more tests with identity transformations in supervisor_login_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
0a21cb6d08 Replace more pointer.String() with the new ptr.To() 2023-09-11 11:14:06 -07:00
Ryan Richard
519aece8a5 Start adding identity transformations tests to supervisor_login_test.go 2023-09-11 11:14:06 -07:00
Ryan Richard
e6c78facfc Fix expectations in FederationDomains status test for old Kube versions
Also try to avoid flakes by using RetryOnConflict when calling Update
on the FederationDomain.
2023-09-11 11:14:05 -07:00
Ryan Richard
01ab7758d8 Add e2e test for rejecting auth using identity transformation policy 2023-09-11 11:14:05 -07:00
Ryan Richard
957892b677 handle old versions of k8s in supervisor_federationdomain_status_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
c701a4a344 remove expectation about TransformsConstantsNamesUnique status condition
Forgot to remove this in the previous commit which removed writing that
condition from the controller code.
2023-09-11 11:14:05 -07:00
Ryan Richard
92bf826ec5 rename a local variable in an integration test 2023-09-11 11:14:05 -07:00
Ryan Richard
446384a7f5 add an e2e test for a FederationDomain with multiple IDPs and transforms 2023-09-11 11:14:05 -07:00
Ryan Richard
6d82a11645 CRD already validates that IDP transform constant names are unique
- Remove that validation from the controller since the CRD already
  validates it during creates and updates.
- Also finish the supervisor_federationdomain_status_test.go by adding
  more tests for both controller validations and CRD validations
2023-09-11 11:14:05 -07:00
Ryan Richard
bd5cabf0ff fix some here.Doc string indents in federation_domain_watcher_test.go
To make things visually line up better.
2023-09-11 11:14:05 -07:00
Ryan Richard
51742366fe wordsmith some FederationDomain status messages 2023-09-11 11:14:05 -07:00
Ryan Richard
5341322071 add integration test for FederationDomain status updates
- Also fix small bug in controller where it used Sprintf wrong
- Rename WaitForTestFederationDomainStatus test helper to
  WaitForFederationDomainStatusPhase
2023-09-11 11:14:05 -07:00
Ryan Richard
23ed2856ce small refactor in supervisor_discovery_test.go 2023-09-11 11:14:05 -07:00
Ryan Richard
c771328bb1 Validate transforms examples in federation_domain_watcher.go
Also changes the transformation pipeline code to sort and uniq
the transformed group names at the end of the pipeline. This makes
the results more predicable without changing the semantics.
2023-09-11 11:14:05 -07:00
Ryan Richard
52925a2a46 Validate transforms expressions in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
617f57e1c9 Validate transforms const names in federation_domain_watcher.go 2023-09-11 11:14:05 -07:00
Ryan Richard
8e169f9702 Validate IDP objectRef kind names in federation_domain_watcher.go
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:14:05 -07:00
Ryan Richard
40dcc8a7f1 Update integration tests for new FederationDomain phase behavior
- Refactor testlib.CreateTestFederationDomain helper
- Call testlib.WaitForTestFederationDomainStatus after each integration
  test creates an IDP and expects the FederationDomain to become ready
- Create an IDP for some tests which want the FederationDomain to be
  ready but were previously not creating any IDP
- Expect the new FederationDomain condition type
  "IdentityProvidersFound" in those tests where it is needed

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-09-11 11:14:05 -07:00
Ryan Richard
3521e129cd Change name of FederationDomain printer column back to "Status"
To be consistent with the name of the pinter columns on our other CRDs,
which call the Phase "Status" in the printer column names.
2023-09-11 11:14:04 -07:00
Ryan Richard
0b408f4fc0 Change FederationDomain.Status to use Phase and Conditions 2023-09-11 11:14:02 -07:00
Ryan Richard
022fdb9cfd Update a test assertion to make failure easier to understand 2023-09-11 11:12:27 -07:00
Ryan Richard
e4f43683d4 fix more integration tests for multiple IDPs 2023-09-11 11:12:27 -07:00
Ryan Richard
0f23931fe4 Fix some tests in supervisor_login_test.go 2023-09-11 11:11:56 -07:00
Ryan Richard
86c791b8a6 reorganize federation domain packages to be more intuitive
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-09-11 11:11:52 -07:00
Joshua Casey
64f1bff13f Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions 2023-09-11 10:13:39 -07:00
Joshua Casey
3908097c54 Run 'go fix ./...' with go1.21.0 2023-09-06 14:52:01 -05:00
Joshua Casey
12f18cbed8 Inline and remove testutil.TempDir 2023-09-06 14:52:01 -05:00
Joshua Casey
05a1187e2e Simplify build tags associated with unsupported golang versions 2023-09-06 14:52:01 -05:00
Joshua Casey
ca05969f8d Integration tests should use 'kubectl explain --output plaintext-openapiv2'
- OpenAPIV3 discovery of aggregate APIs seems to need a little more work in K8s 1.28
2023-08-28 10:50:11 -05:00
Joshua Casey
7f0d04dba6 Address PR feedback 2023-08-09 11:42:42 -05:00
Joshua Casey
1707995378 Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy 2023-08-08 20:17:21 -05:00
Joshua Casey
dc61d132cf Address PR feedback, especially to check that the CA bundle is some kind of valid cert 2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b Add integration test to verify that the impersonation proxy will use an external TLS serving cert 2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Ryan Richard
4512eeca9a Replace agouti and chromedriver with chromedp across the whole project 2023-08-01 11:27:09 -07:00
Joshua Casey
63b5f921e1 Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated 2023-07-28 09:16:02 -05:00