Joshua Casey
1707995378
Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy
2023-08-08 20:17:21 -05:00
Joshua Casey
dc61d132cf
Address PR feedback, especially to check that the CA bundle is some kind of valid cert
2023-08-03 14:57:21 -05:00
Joshua Casey
959f18b67b
Add integration test to verify that the impersonation proxy will use an external TLS serving cert
2023-08-03 14:57:21 -05:00
Joshua Casey
bd035a180e
Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
...
- https://github.com/vmware-tanzu/pinniped/tree/main/proposals/1547_impersonation-proxy-external-certs
- https://joshuatcasey.medium.com/k8s-mtls-auth-with-tls-passthrough-1bc25e750f52
2023-08-03 14:57:21 -05:00
Ryan Richard
4512eeca9a
Replace agouti and chromedriver with chromedp across the whole project
2023-08-01 11:27:09 -07:00
Joshua Casey
63b5f921e1
Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated
2023-07-28 09:16:02 -05:00
Ryan Richard
6c65fd910e
Improve performance of supervisor_oidcclientsecret_test.go
...
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-07-13 12:48:46 -07:00
Ryan Richard
914861c5da
Increase a test timeout in supervisor_secrets_test.go
2023-06-01 12:54:45 -07:00
Ryan Richard
86e360dc14
Increase a test timeout for when pulling container image is slow
2023-06-01 10:04:59 -07:00
Ryan Richard
d30d76b7ac
Increase some test timeouts
2023-05-31 17:41:36 -07:00
Ryan Richard
020e04baf8
Merge branch 'main' into ldap_userAttributeForFilter
2023-05-31 16:42:30 -07:00
Ryan Richard
b6b11a6d0c
increase timeout in a test
2023-05-31 15:59:44 -07:00
Ryan Richard
d4710cb16e
Add integration test for AD UserAttributeForFilter group search setting
2023-05-31 11:36:49 -07:00
Ryan Richard
0a1f966886
Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
...
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-31 11:09:08 -07:00
Ryan Richard
552eceabdb
Add integration test for UserAttributeForFilter group search setting
...
Also adds new integration test env var to support the new test:
PINNIPED_TEST_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN
2023-05-31 10:29:44 -07:00
Ryan Richard
e3b7ba3677
Add group search tests for UserAttributeForFilter in ldap_client_test.go
2023-05-31 10:29:44 -07:00
Ryan Richard
bad5e60a8e
Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
...
Add the field to the tmpl file and run codegen.
Also update the count of the fields of our APIs in an integration test.
2023-05-25 09:52:15 -07:00
Ryan Richard
e4dc810bff
Add some posixGroups to the openldap server for use in integration tests
2023-05-23 16:47:39 -07:00
Ryan Richard
187ee80ee3
Handle the new output of kubectl explain
which indents differently
2023-05-10 19:56:59 -07:00
Ryan Richard
484f134a98
Handle the new output of kubectl explain
which shows GROUP separately
2023-05-10 18:03:40 -07:00
Ryan Richard
1e6e9e0c0e
Change tests to expect new error format from pkg golang.org/x/oauth2
2023-05-10 16:52:09 -07:00
Ryan Richard
bc9afc4554
Aggregated API endpoints now must implement rest.SingularNameProvider
...
This was a change in the interface requirements introduced in Kube 1.27.
2023-05-10 16:50:50 -07:00
Ryan Richard
a1a99b9eeb
Replace usages of deprecated funcs from the wait pkg
2023-05-10 11:41:11 -07:00
Ryan Richard
19b60fe563
Clarify audience value in Concierge-only auth doc, and other doc updates
...
Also renamed a couple of integration test files to make their names
more clear.
2023-04-03 16:54:10 -07:00
Ryan Richard
7cd16b179c
Fix integration tests to pass with Kube 1.27/1.28 pre-release builds
...
Fix test failures that occurred in the k8s-main integration test CI job
when using Kube 1.27 and 1.28 pre-release builds.
2023-04-03 14:16:47 -07:00
Ryan Richard
a04129548f
Increase some test timeouts that failed once on Kind jobs in CI
2023-04-03 11:46:11 -07:00
Joshua Casey
fc0f9d959a
Bump golangci-lint to 1.51.2 and fix lint issues
2023-03-16 14:55:37 -05:00
Joshua Casey
24cf7c5bcd
Remove internal/psets in favor of k8s.io/apimachinery/pkg/util/sets
2023-01-31 10:10:44 -06:00
Ryan Richard
2d3e53e6ac
Increase timeouts in supervisor_oidcclientsecret_test.go
...
They were too short after enabling the race detector for integration
tests in CI.
2023-01-27 14:23:04 -08:00
Ryan Richard
c6e4133c5e
Accept both old and new cert error strings on MacOS in test assertions
...
Used this as an opportunity to refactor how some tests were
making assertions about error strings.
New test helpers make it easy for an error string to be expected as an
exact string, as a string built using sprintf, as a regexp, or as a
string built to include the platform-specific x509 error string.
All of these helpers can be used in a single `wantErr` field of a test
table. They can be used for both unit tests and integration tests.
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-20 15:01:36 -08:00
Ryan Richard
7ff3b3d9cb
Code changes to support Kube 0.26 deps
2023-01-18 14:39:22 -08:00
Ryan Richard
2f9b8b105d
update copyright to 2023 in files changed by this PR
2023-01-17 15:54:16 -08:00
Ryan Richard
3d20fa79a7
Two more integration tests for additionalClaimMappings
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-17 15:36:39 -08:00
Ryan Richard
74c3156059
Assert more cluster-scoped ID token claims in supervisor_login_test.go
2023-01-17 13:10:51 -08:00
Joshua Casey
6156fdf175
Expect complex subclaims of additionalClaims to have type interface{}
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
2023-01-17 13:27:40 -06:00
Joshua Casey
f494c61790
additionalClaims claim should not be present when no sub claims are expected
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-17 11:58:08 -06:00
Joshua Casey
a94bbe70c7
Add integration test to verify that additionalClaims are present in an ID Token
...
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
2023-01-13 14:59:59 -08:00
Ryan Richard
8ff6ef32e9
Allow additional claims to map into an ID token issued by the supervisor
...
- Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings
- Advertise additionalClaims in the OIDC discovery endpoint under claims_supported
Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>
2023-01-13 14:59:50 -08:00
Ryan Richard
976035115e
Stop using pointer pkg functions that were deprecated by dependency bump
2022-12-14 08:47:16 -08:00
Ryan Richard
e1a0367b03
Upgrade project Go dependencies
...
Most of the changes in this commit are because of these fosite PRs
which changed behavior and/or APIs in fosite:
- https://github.com/ory/fosite/pull/667
- https://github.com/ory/fosite/pull/679 (from me!)
- https://github.com/ory/fosite/pull/675
- https://github.com/ory/fosite/pull/688
Due to the changes in fosite PR #688 , we need to bump our storage
version for anything which stores the DefaultSession struct as JSON.
2022-12-14 08:47:16 -08:00
Ryan Richard
66f4ee8a1b
Update more tests to notice different var for external ldap server
2022-09-28 14:32:10 -07:00
Benjamin A. Petersen
09b9075abb
Update TestLDAPSearch_Parallel to notice different var for external ldap server
2022-09-28 16:02:56 -04:00
Ryan Richard
563c193499
Fix integration test expectation for AKS clusters
2022-09-26 17:00:11 -07:00
Ryan Richard
0d215566d8
Yet another integration test fix for dynamic clients feature with Okta
2022-09-26 16:41:52 -07:00
Ryan Richard
23185d55a5
Another integration test fix for dynamic clients feature with Okta
...
Also increase the timeout in an integration test because it is flaking
on one of the GKE environments sometimes, probably because the
Concierge controllers aren't ready fast enough before the integration
tests start.
2022-09-26 14:43:50 -07:00
Ryan Richard
f302e71b0f
Fix some integration tests' handling of groups to work with Okta
2022-09-26 12:40:07 -07:00
Ryan Richard
36dbc7c9bf
Update supervisor_storage_test.go to avoid using fuzzed value
...
The fuzzed value depends on which Go compiler is used. This breaks
the fips tests in CI as long as the fips compiler is a version behind
(we are still waiting for the 1.19 fips compiler to come out).
The fuzzing is still being tested by a separate unit test, so we are
not losing fuzzing test coverage.
2022-09-26 11:19:39 -07:00
Ryan Richard
208a566bdf
Merge branch 'main' into dynamic_clients
2022-09-23 14:01:11 -07:00
Ryan Richard
66b1df2dd9
Fix a test assertion in supervisor_oidcclientsecret_test.go
2022-09-23 07:59:05 -07:00
Ryan Richard
31716358a9
Make the assertNoRestartsDuringTest() helper ignore terminating pods
2022-09-21 21:27:02 -07:00