Commit Graph

143 Commits

Author SHA1 Message Date
Matt Moyer
5a43a5d53a
Remove library.AssertNoRestartsDuringTest and make that assertion implicit in library.IntegrationEnv.
This means we (hopefully) can't forget to include these assertions in any integration test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:18:10 -05:00
Ryan Richard
c82f568b2c certauthority.go: Refactor issuing client versus server certs
We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.
2021-03-12 16:09:37 -08:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Matt Moyer
6565265bee
Use new 'go.pinniped.dev/generated/latest' package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-02-16 13:00:08 -06:00
Andrew Keesler
ae498f14b4
test/integration: ensure no pods restart during integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-04 10:24:33 -05:00
Matt Moyer
04c4cd9534
Upgrade to github.com/coreos/go-oidc v3.0.0.
See https://github.com/coreos/go-oidc/releases/tag/v3.0.0 for release notes.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-21 12:08:14 -06:00
Andrew Keesler
6fce1bd6bb
Allow arrays of type interface
and always set the groups claim to an
array in the downstream token

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-01-14 17:21:41 -05:00
Margo Crawford
5611212ea9 Changing references from 1.19 to 1.20 2021-01-07 15:25:47 -08:00
Ryan Richard
2f518b8b7c TLSCertObserverController Syncs less often by adjusting its filters
- Only watches Secrets of type "kubernetes.io/tls"

Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-18 15:10:48 -08:00
Ryan Richard
4c6e1e5fb3 supervisor_login_test.go: wait for the /jwks.json endpoint to be ready
- Also fail in a more obvious way if the token exchanged failed by
  adding an assertion about its status code
2020-12-16 17:59:39 -08:00
Margo Crawford
196e43aa48 Rename off of main
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-16 14:27:09 -08:00
Matt Moyer
7dae166a69
Merge branch 'main' into username-and-subject-claims 2020-12-16 15:23:19 -06:00
Matt Moyer
72ce69410e
Merge pull request #273 from vmware-tanzu/secret-generation
Generate secrets for Pinniped Supervisor
2020-12-16 15:22:23 -06:00
Andrew Keesler
095ba14cc8
Merge remote-tracking branch 'upstream/main' into secret-generation 2020-12-16 15:40:34 -05:00
Matt Moyer
8527c363bb
Rename the "pinniped.sts.unrestricted" scope to "pinniped:request-audience".
This is a bit more clear. We're changing this now because it is a non-backwards-compatible change that we can make now since none of this RFC8693 token exchange stuff has been released yet.

There is also a small typo fix in some flag usages (s/RF8693/RFC8693/)

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 14:24:13 -06:00
Matt Moyer
24c01d3e54
Add an integration test to verify security headers on the supervisor authorize endpoint.
It would be great to do this for the supervisor's callback endpoint as well, but it's difficult to get at those since the request happens inside the spawned browser.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-16 12:41:06 -06:00
Andrew Keesler
fec80113c7
Revert "Retry a couple of times if we fail to get a token from the Supervisor"
This reverts commit be4e34d0c0.

Roll back this change that was supposed to make the test more robust. If we
retry multiple token exchanges with the same auth code, of course we are going
to get failures on the second try onwards because the auth code was invalidated
on the first try.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-16 09:04:29 -05:00
Ryan Richard
40c6a67631 Merge branch 'main' into username-and-subject-claims 2020-12-15 18:09:44 -08:00
Ryan Richard
91af51d38e Fix integration tests to work with the username and sub claims
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-15 17:16:08 -08:00
Aram Price
0bd428e45d
test/integration: more logging to track down flakes
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 16:52:57 -05:00
Andrew Keesler
be4e34d0c0
Retry a couple of times if we fail to get a token from the Supervisor
I hope this will make TestSupervisorLogin less flaky. There are some instances
where the front half of the OIDC login flow happens so fast that the JWKS
controller doesn't have time to properly generate an asymmetric key.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-15 11:53:58 -05:00
Ryan Richard
a561fd21d9 Consolidate the supervisor's timeout settings into a single struct
- This struct represents the configuration of all timeouts. These
  timeouts are all interrelated to declare them all in one place.
  This should also make it easier to allow the user to override
  our defaults if we would like to implement such a feature in the
  future.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-10 10:14:54 -08:00
Margo Crawford
218f27306c Integration test for refresh grant
Signed-off-by: Ryan Richard <rrichard@vmware.com>
2020-12-09 17:07:37 -08:00
Matt Moyer
f1aff2faab
Start extending TestSupervisorLogin to test the token exchange flow (WIP).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-09 10:23:10 -06:00
Aram Price
648fa4b9ba Backfill test for token endpoint error when JWK is not yet available
Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-12-07 11:53:24 -08:00
Ryan Richard
e0b6133bf1 Integration tests call supervisor token endpoint and validate response
Signed-off-by: Aram Price <pricear@vmware.com>
2020-12-04 17:07:04 -08:00
Matt Moyer
c8abc79d9b
Fix this comment (and retrigger CI).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 14:24:26 -06:00
Matt Moyer
8563c05baf
Tweak these timeouts to be a bit faster (and retrigger CI).
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 13:22:27 -06:00
Matt Moyer
cb5e494815
Dump out proxy access logs in TestSupervisorLogin.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 11:28:48 -06:00
Matt Moyer
954591d2db
Add some debugging logs to our proxy client code.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 10:25:26 -06:00
Matt Moyer
d7b1ab8e43
Try to capture more logs from the TestSupervisorLogin test.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-03 09:39:33 -06:00
Matt Moyer
64ef53402d
In TestSupervisorLogin, wrap the discovery request in an Eventually().
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 18:07:52 -06:00
Matt Moyer
ae9bdc1d61
Fix a lint warning by simplifying this append operation.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:11:40 -06:00
Matt Moyer
f40144e1a9
Update TestSupervisorLogin to test the callback flow using a browser.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:35 -06:00
Matt Moyer
273ac62ec2
Extend the test client helpers in ./test/library/client.go.
This adds a few new "create test object" helpers and extends `CreateTestOIDCProvider()` to optionally wait for the created OIDCProvider to enter some expected status condition.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Andrew Keesler
58a3e35c51
Revert "test/integration: skip TestSupervisorLogin until new callback logic is on main"
This reverts commit eae6d355f8.

We have added the new callback path logic (see b21f003), so we can stop skipping
this test.
2020-11-30 11:07:25 -05:00
Andrew Keesler
eae6d355f8
test/integration: skip TestSupervisorLogin until new callback logic is on main
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 10:12:03 -05:00
Andrew Keesler
5be46d0bb7
test/integration: get downstream issuer path from upstream redirect
See comment in the code.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 09:58:08 -05:00
Andrew Keesler
5b04192945
Run TestSupervisorLogin only on valid HTTP/HTTPS supervisor addresses
We were assuming that env.SupervisorHTTPAddress was set, but it might not be
depending on the environment on which the integration tests are being run. For
example, in our acceptance environments, we don't currently set
env.SupervisorHTTPAddress.

I tried to follow the pattern from TestSupervisorOIDCDiscovery here.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-30 09:23:12 -05:00
Matt Moyer
bc700d58ae
Split test environment variables so there's a specific supervisor upstream client.
Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-20 08:03:06 -06:00
Matt Moyer
7520dadbdd
Use omitempty on UpstreamOIDCProvider spec.authorizationConfig field.
This allows you to omit the field in creation requests, which was annoying.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-18 17:14:35 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
d6d808d185
Re-add the TestSupervisorLogin integration test.
This is 99% Andrew's code from 4032ed32ae, but tweaked to work with the new UpstreamOIDCProvider setup.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 09:21:17 -06:00