Commit Graph

66 Commits

Author SHA1 Message Date
Matt Moyer
5527566a36
Fix TestCLILoginOIDC when running directly against Okta.
Our actual CLI code behaved correctly, but this test made some invalid assumptions about the "upstream" IDP we're testing. It assumed that the upstream didn't support `response_mode=form_post`, but Okta does. This means that when we end up on the localhost callback page, there are no URL query parameters.

Adjusting this regex makes the test pass as expected.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 16:29:42 -05:00
Matt Moyer
5029495fdb
Add manual paste flow to pinniped login oidc command.
This adds a new login flow that allows manually pasting the authorization code instead of receiving a browser-based callback.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-07-09 12:08:44 -05:00
Monis Khan
d78b845575
Fix bad test package name
Signed-off-by: Monis Khan <mok@vmware.com>
2021-06-22 11:23:19 -04:00
Ryan Richard
675bbb2aba Merge branch 'main' into initial_ldap 2021-05-11 11:09:37 -07:00
Margo Crawford
5f3eab2538 Fix expected number of log lines in TestCLILoginOIDC 2021-04-21 13:05:32 -07:00
Margo Crawford
45e4695444 Unset pinniped debug environment variable at end of integration test
Also log when setting the debug log level fails
2021-04-21 09:02:45 -07:00
Margo Crawford
6a21499ed3 Add check for number of log lines. 2021-04-21 09:02:45 -07:00
Margo Crawford
211d4fd0b6 Add more logging, integration test checks that debug flag works. 2021-04-21 09:02:45 -07:00
Ryan Richard
8d75825635 Merge branch 'main' into initial_ldap 2021-04-14 17:47:26 -07:00
Matt Moyer
b59a4f3fec
Use a temporary directory for credential cache in CLI tests.
This avoids polluting the main cache directory on developer machines.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-04-08 18:14:21 -05:00
Ryan Richard
1c55c857f4 Start to fill out LDAPIdentityProvider's fields and TestSupervisorLogin
- Add some fields to LDAPIdentityProvider that we will need to be able
  to search for users during login
- Enhance TestSupervisorLogin to test logging in using an upstream LDAP
  identity provider. Part of this new test is skipped for now because
  we haven't written the corresponding production code to make it
  pass yet.
- Some refactoring and enhancement to env.go and the corresponding env
  vars to support the new upstream LDAP provider integration tests.
- Use docker.io/bitnami/openldap for our test LDAP server instead of our
  own fork now that they have fixed the bug that we reported.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-04-07 12:56:09 -07:00
Matt Moyer
c0d32f10b2
Add some test debug logging when running the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 12:07:34 -05:00
Matt Moyer
9501168265
Simplify TestCLIGetKubeconfigStaticToken now that there's only a single table case.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-23 10:26:04 -05:00
Andrew Keesler
257d69045d
Reuse internal/concierge/scheme
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:40:59 -04:00
Andrew Keesler
05a188d4cd
Merge remote-tracking branch 'upstream/main' into impersonation-proxy
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 10:36:28 -04:00
Andrew Keesler
cc8f0b623c
test/integration: add pinniped whoami tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-03-18 08:56:35 -04:00
Matt Moyer
5a43a5d53a
Remove library.AssertNoRestartsDuringTest and make that assertion implicit in library.IntegrationEnv.
This means we (hopefully) can't forget to include these assertions in any integration test.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-17 11:18:10 -05:00
Matt Moyer
a64786a728
Fix TestCLIGetKubeconfigStaticToken for new CLI log output.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-03-11 15:48:04 -06:00
Ryan Richard
49ec16038c Add integration test for using "kubectl exec" through the impersonator
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-03-05 16:14:45 -08:00
Ryan Richard
d8c6894cbc All controller unit tests should not cancel context until test is over
All controller unit tests were accidentally using a timeout context
for the informers, instead of a cancel context which stays alive until
each test is completely finished. There is no reason to risk
unpredictable behavior of a timeout being reached during an individual
test, even though with the previous 3 second timeout it could only be
reached on a machine which is running orders of magnitude slower than
usual, since each test usually runs in about 100-300 ms. Unfortunately,
sometimes our CI workers might get that slow.

This sparked a review of other usages of timeout contexts in other
tests, and all of them were increased to a minimum value of 1 minute,
under the rule of thumb that our tests will be more reliable on slow
machines if they "pass fast and fail slow".
2021-03-04 17:26:01 -08:00
Monis Khan
89b00e3702
Declare war on namespaces
Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-10 21:52:07 -05:00
Andrew Keesler
1ffe70bbea
cmd/pinniped: delete get-kubeconfig + exchange-token
These were deprecated in v0.3.0.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 17:01:57 -05:00
Andrew Keesler
ae498f14b4
test/integration: ensure no pods restart during integration tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-04 10:24:33 -05:00
Monis Khan
efe1fa89fe Allow multiple Pinnipeds to work on same cluster
Yes, this is a huge commit.

The middleware allows you to customize the API groups of all of the
*.pinniped.dev API groups.

Some notes about other small things in this commit:
- We removed the internal/client package in favor of pkg/conciergeclient. The
  two packages do basically the same thing. I don't think we use the former
  anymore.
- We re-enabled cluster-scoped owner assertions in the integration tests.
  This code was added in internal/ownerref. See a0546942 for when this
  assertion was removed.
- Note: the middlware code is in charge of restoring the GV of a request object,
  so we should never need to write mutations that do that.
- We updated the supervisor secret generation to no longer manually set an owner
  reference to the deployment since the middleware code now does this. I think we
  still need some way to make an initial event for the secret generator
  controller, which involves knowing the namespace and the name of the generated
  secret, so I still wired the deployment through. We could use a namespace/name
  tuple here, but I was lazy.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
2021-02-02 15:18:41 -08:00
Andrew Keesler
906bfa023c
test: wire API group suffix through to tests
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 17:23:20 -05:00
Matt Moyer
5ad3c65ae1
Close the right pipe output in runPinnipedLoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:50 -06:00
Matt Moyer
aca9af748b
Cleanup TestSuccessfulCredentialRequest and TestCLILoginOIDC a little.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
8cdcb89cef
Add a library.PinnipedCLIPath() test helper, with caching.
Caching saves us a little bit of time now that we're using the CLI in more and more tests.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:34:49 -06:00
Matt Moyer
4088793cc5
Add a .ProxyEnv() helper on the test environment.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:04 -06:00
Matt Moyer
b6edc3dc08
Replace TestCLIGetKubeconfig with TestCLIGetKubeconfigStaticToken.
It now tests both the deprecated `pinniped get-kubeconfig` and the new `pinniped get kubeconfig --static-token` flows.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Matt Moyer
fe4e2d620d
Update TestCLIGetKubeconfig to ignore stderr output from get-kubeconfig.
This will now have a deprecation warning, so we can't treat is as part of the YAML output.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-15 12:28:03 -06:00
Andrew Keesler
57103e0a9f
Add JWTAuthenticator controller
See https://github.com/vmware-tanzu/pinniped/issues/260 for UX bummer.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-12-08 15:41:48 -05:00
Matt Moyer
c6ead9d7dd
Remove "email" and "profile" from default scopes requested by CLI.
We decided that we don't really need these in every case, since we'll be returning username and groups in a custom claim.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 16:02:16 -06:00
Matt Moyer
c0f13ef4ac
Merge remote-tracking branch 'origin/main' into callback-endpoint
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:09:08 -06:00
Matt Moyer
545c26e5fe
Refactor browser-related test functions to a ./test/library/browsertest package.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 15:55:34 -06:00
Matt Moyer
24c4bc0dd4
Tweak some stdlib usage so we compile under Go 1.14.
Mainly, avoid using some `testing` helpers that were added in 1.14, as well as a couple of other niceties we can live without.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-30 10:11:41 -06:00
Matt Moyer
bc700d58ae
Split test environment variables so there's a specific supervisor upstream client.
Prior to this we re-used the CLI testing client to test the authorize flow of the supervisor, but they really need to be separate upstream clients. For example, the supervisor client should be a non-public client with a client secret and a different callback endpoint.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-20 08:03:06 -06:00
Matt Moyer
e0a9bef6ce
Move ./internal/oidcclient to ./pkg/oidcclient.
This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 14:53:32 -06:00
Matt Moyer
b17ac6ec0b
Update integration tests to run Dex over HTTPS.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00
Matt Moyer
c8b17978a9
Convert CLI tests to work through an HTTP forward proxy.
This change deploys a small Squid-based proxy into the `dex` namespace in our integration test environment. This lets us use the cluster-local DNS name (`http://dex.dex.svc.cluster.local/dex`) as the OIDC issuer. It will make generating certificates easier, and most importantly it will mean that our CLI can see Dex at the same name/URL as the supervisor running inside the cluster.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 17:16:58 -06:00
Matt Moyer
34da8c7877
Rename existing references to "IDP" and "Identity Provider".
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-30 15:12:01 -05:00
Matt Moyer
7615667b9b
Update TestCLILoginOIDC to use new non-alpha login command.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-23 14:44:42 -05:00
Matt Moyer
07001e5ee3
Extend TestCLILoginOIDC to test refresh flow.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 17:54:31 -05:00
Matt Moyer
ce598eb58e
Fix a timeout in TestCLILoginOIDC that was accidentally shortened in 0adbb5234e.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 11:49:04 -05:00
Matt Moyer
fe3b44b134
Add some verbose logging to TestCLILoginOIDC.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-22 10:33:37 -05:00
Matt Moyer
0adbb5234e
Extend TestCLILoginOIDC to test ID token caching behavior.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-21 15:02:42 -05:00
Matt Moyer
68d20298f2
Fix chromedriver usage inside our test container.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 13:18:11 -05:00
Matt Moyer
19a1d569c9
Restructure this test to avoid data races.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-14 12:28:08 -05:00
Matt Moyer
33fcc74417
Add Dex to our integration test environment and use it to test the CLI.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 16:50:38 -05:00
Matt Moyer
50d80489be
Add initial CLI integration test for OIDC login.
This is our first test using a real browser to interact with an upstream provider.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-10-13 10:41:53 -05:00