// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package integration import ( "bytes" "context" "encoding/hex" "encoding/json" "fmt" "os/exec" "testing" "time" "github.com/stretchr/testify/require" "golang.org/x/crypto/bcrypt" k8serrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/yaml" "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1" supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1" "go.pinniped.dev/internal/here" "go.pinniped.dev/internal/oidcclientsecretstorage" "go.pinniped.dev/internal/testutil" "go.pinniped.dev/test/testlib" ) func TestKubectlOIDCClientSecretRequest_Parallel(t *testing.T) { env := testlib.IntegrationEnv(t) tests := []struct { name string oicClientSecretRequestYAML func(string) string cmdInvocation func(string) []string assertOnStdOut func(t *testing.T, oidcClientName string, stdOutString string) assertOnStdErr func(t *testing.T, oidcClientName, tempFileName, stdErrString string) wantErr string }{ { name: "kubectl create oidcclientsecretrequest file will return a simple success status message", oicClientSecretRequestYAML: func(name string) string { return here.Docf(` apiVersion: clientsecret.supervisor.%s/v1alpha1 kind: OIDCClientSecretRequest metadata: name: %s namespace: %s spec: generateNewSecret: true revokeOldSecrets: false `, env.APIGroupSuffix, name, env.SupervisorNamespace) }, cmdInvocation: func(filePath string) []string { return []string{"create", "-f", filePath} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { require.Equal(t, fmt.Sprintf("oidcclientsecretrequest.clientsecret.supervisor.%s/%s created\n", env.APIGroupSuffix, oidcClientName), stdOutString) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { requireCleanKubectlStderr(t, stdErrString) }, }, { name: "kubectl apply an oidcclientsecretrequest file will return a simple success status message", oicClientSecretRequestYAML: func(name string) string { return here.Docf(` apiVersion: clientsecret.supervisor.%s/v1alpha1 kind: OIDCClientSecretRequest metadata: name: %s namespace: %s spec: generateNewSecret: true revokeOldSecrets: false `, env.APIGroupSuffix, name, env.SupervisorNamespace) }, cmdInvocation: func(filePath string) []string { return []string{"apply", "-f", filePath} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { require.Equal(t, fmt.Sprintf("oidcclientsecretrequest.clientsecret.supervisor.%s/%s created\n", env.APIGroupSuffix, oidcClientName), stdOutString) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { requireCleanKubectlStderr(t, stdErrString) }, }, { name: "kubectl create an oidcclientsecretrequest -o yaml will return a yaml doc with the correct structure", oicClientSecretRequestYAML: func(name string) string { return here.Docf(` apiVersion: clientsecret.supervisor.%s/v1alpha1 kind: OIDCClientSecretRequest metadata: name: %s namespace: %s spec: generateNewSecret: true revokeOldSecrets: false `, env.APIGroupSuffix, name, env.SupervisorNamespace) }, cmdInvocation: func(filePath string) []string { return []string{"create", "-f", filePath, "-o", "yaml"} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { var yamlObj map[string]interface{} err := yaml.Unmarshal([]byte(stdOutString), &yamlObj) require.NoError(t, err) require.Lenf(t, yamlObj, 5, "yaml object should have 5 top level keys (apiVersion, kind, metadata, spec, status): %v", yamlObj) require.Equal(t, yamlObj["apiVersion"], fmt.Sprintf("clientsecret.supervisor.%s/v1alpha1", env.APIGroupSuffix)) require.Equal(t, yamlObj["kind"], "OIDCClientSecretRequest") metadataMap, ok := yamlObj["metadata"].(map[string]interface{}) require.True(t, ok, "metadata should be a map") require.Len(t, metadataMap, 3, "metadata should contain only 3 keys (creationTimestamp, name, namespace): %v", metadataMap) require.Equal(t, metadataMap["name"], oidcClientName) require.Equal(t, metadataMap["namespace"], env.SupervisorNamespace) timestamp, ok := metadataMap["creationTimestamp"].(string) require.Truef(t, ok, "timestamp should be a string: %v", timestamp) parsedTime, err := time.Parse(time.RFC3339, timestamp) require.NoError(t, err) testutil.RequireTimeInDelta(t, parsedTime, time.Now(), 1*time.Minute) specMap, ok := yamlObj["spec"].(map[string]interface{}) require.True(t, ok, "spec should be a map") require.Len(t, specMap, 2, "spec should contain only 2 keys (generateNewSecret, revokeOldSecrets): %v", specMap) require.Equal(t, specMap["generateNewSecret"], true) require.Equal(t, specMap["revokeOldSecrets"], false) statusMap, ok := yamlObj["status"].(map[string]interface{}) require.True(t, ok, "status should be a map") require.Len(t, specMap, 2, "status should contain only 2 keys (generatedSecret, totalClientSecrets): %v", statusMap) require.Regexp(t, "^[0-9a-z]{64}$", statusMap["generatedSecret"], "generated secret must be precisely 40 hex encoded characters") require.Equal(t, statusMap["totalClientSecrets"], float64(1)) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { requireCleanKubectlStderr(t, stdErrString) }, }, { name: "kubectl get oidcclientsecretrequest should return an empty list", oicClientSecretRequestYAML: func(s string) string { return `` }, cmdInvocation: func(filePath string) []string { return []string{"get", "oidcclientsecretrequest", "-n", env.SupervisorNamespace} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { require.Empty(t, stdOutString) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { require.Contains(t, stdErrString, fmt.Sprintf("No resources found in %s namespace.", env.SupervisorNamespace)) }, }, { name: "kubectl delete oidcclientsecretrequest will return a not found error", oicClientSecretRequestYAML: func(name string) string { return here.Docf(` apiVersion: clientsecret.supervisor.%s/v1alpha1 kind: OIDCClientSecretRequest metadata: name: %s namespace: %s `, env.APIGroupSuffix, name, env.SupervisorNamespace) }, cmdInvocation: func(filePath string) []string { return []string{"delete", "-f", filePath} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { require.Empty(t, stdOutString) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { require.Contains(t, stdErrString, fmt.Sprintf("Error from server (NotFound): error when deleting \"%s\": the server could not find the requested resource\n", tempFileName)) }, wantErr: `exit status 1`, }, { name: "kubectl create oidcclientsecretrequest with bad data (incorrect namespace: concierge instead of supervisor) will return an error with a reasonable formatting", oicClientSecretRequestYAML: func(name string) string { return here.Docf(` apiVersion: clientsecret.supervisor.%s/v1alpha1 kind: OIDCClientSecretRequest metadata: name: %s namespace: %s spec: generateNewSecret: true revokeOldSecrets: false `, env.APIGroupSuffix, name, env.ConciergeNamespace) }, cmdInvocation: func(filePath string) []string { return []string{"create", "-f", filePath, "-o", "yaml"} }, assertOnStdOut: func(t *testing.T, oidcClientName string, stdOutString string) { require.Equal(t, "", stdOutString) }, assertOnStdErr: func(t *testing.T, oidcClientName, tempFileName, stdErrString string) { require.Contains(t, stdErrString, fmt.Sprintf( `Error from server (BadRequest): error when creating "%s": namespace must be %s on OIDCClientSecretRequest, was %s`, tempFileName, env.SupervisorNamespace, env.ConciergeNamespace), ) }, wantErr: `exit status 1`, }, } for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) t.Cleanup(cancel) supervisorClient := testlib.NewSupervisorClientset(t) oidcClient, err := supervisorClient.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace).Create(ctx, &supervisorconfigv1alpha1.OIDCClient{ ObjectMeta: metav1.ObjectMeta{ GenerateName: "client.oauth.pinniped.dev-", }, Spec: supervisorconfigv1alpha1.OIDCClientSpec{ AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ "https://example.com", "http://127.0.0.1/yoyo", }, AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange", }, AllowedScopes: []supervisorconfigv1alpha1.Scope{ "openid", "offline_access", "username", "groups", "pinniped:request-audience", }, }, }, metav1.CreateOptions{}, ) t.Cleanup(func() { err := supervisorClient.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace).Delete(ctx, oidcClient.Name, metav1.DeleteOptions{}) require.NoError(t, err) }) require.NoError(t, err) clientSecretRequestYAML := tt.oicClientSecretRequestYAML(oidcClient.Name) secretReqFile := testutil.WriteStringToTempFile(t, "clientsecretrequest-*.yaml", clientSecretRequestYAML) //nolint:gosec // not worried about these potentially tainted inputs cmd := exec.CommandContext(ctx, "kubectl", tt.cmdInvocation(secretReqFile.Name())...) var stdOut, stdErr bytes.Buffer cmd.Stdout = &stdOut cmd.Stderr = &stdErr err = cmd.Run() if tt.wantErr != "" { require.EqualError(t, err, tt.wantErr) } else { require.NoError(t, err) } tt.assertOnStdOut(t, oidcClient.Name, stdOut.String()) tt.assertOnStdErr(t, oidcClient.Name, secretReqFile.Name(), stdErr.String()) }) } } func TestCreateOIDCClientSecretRequest_Parallel(t *testing.T) { env := testlib.IntegrationEnv(t) type testRequest struct { secretRequest *v1alpha1.OIDCClientSecretRequest wantSecretCount int wantErr func(string) string } type StoredClientSecret struct { SecretHashes []string `json:"hashes"` Version string `json:"version"` } tests := []struct { name string clientSecretRequests func(name string) []testRequest }{ { name: "create 1st client secret", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, } }, }, { name: "create 2 client secrets, count increases to 2", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, RevokeOldSecrets: false, }, }, wantSecretCount: 2, }, } }, }, { name: "create 2nd client secret, revoke original client secret, storage secret should count remains 1", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, RevokeOldSecrets: true, }, }, wantSecretCount: 1, }, } }, }, { name: "when no secret exists, revoking without generating results in noop without errors", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 0, }, } }, }, { name: "when no secret exists, not generating and not revoking results in noop without errors", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: false, }, }, wantSecretCount: 0, }, } }, }, { name: "having created a first secret, do not generate a new secret and do not revoke old secrets results in noop without errors", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: false, }, }, wantSecretCount: 1, }, } }, }, { name: "having created a first secret, on a 2nd request do not create a new secret but also revoke old secrets, result is existing secret remains (safety net, disallow deletion of final secret)", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 1, }, } }, }, { name: "having created a first secret, on a 2nd request that creates a new secret and also revoke old secrets, result is a single new client secret", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, RevokeOldSecrets: true, }, }, wantSecretCount: 1, }, } }, }, { name: "having created a first client secret, on subsequent secret requests (up to 5) stored secret hashes should increase, " + "and when a sixth secret request is made which revokes all old secrets, the result will be one final new secret hash", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 2, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 3, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 4, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 5, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, RevokeOldSecrets: true, }, }, wantSecretCount: 1, }, } }, }, { name: "having created a first client secret, on subsequent secret requests (up to 5) stored secret hashes should increase, " + "and when a sixth secret request is made without creating a new client secret but revoking all old secrets, the result " + "will be that the last created secret will remain (safety net)", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 2, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 3, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 4, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 5, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 1, }, } }, }, { name: "having already created 5 client secrets, generating a 5th secret should error when revokeOldSecrets is false", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 1, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 2, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 3, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 4, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 5, }, { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: env.SupervisorNamespace, }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, RevokeOldSecrets: false, }, }, wantSecretCount: 5, wantErr: func(name string) string { return fmt.Sprintf("OIDCClient %s has too many secrets, spec.revokeOldSecrets must be true", name) }, }, } }, }, { name: "generateName is unsupported on OIDCClientSecretRequest objects", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ GenerateName: "some-generate-name-prefix-", }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 0, wantErr: func(name string) string { return fmt.Sprintf( `OIDCClientSecretRequest.clientsecret.supervisor.%s "" is invalid: [metadata.generateName: Invalid value: "some-generate-name-prefix-": generateName is not supported, metadata.name: Required value: name or generateName is required]`, env.APIGroupSuffix) }, }, } }, }, { name: "name must not equal client.oauth.pinniped.dev-", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: "client.oauth.pinniped.dev-", }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 0, wantErr: func(name string) string { return fmt.Sprintf( `OIDCClientSecretRequest.clientsecret.supervisor.%s "client.oauth.pinniped.dev-" is invalid: metadata.name: Invalid value: "client.oauth.pinniped.dev-": must not equal 'client.oauth.pinniped.dev-'`, env.APIGroupSuffix) }, }, } }, }, { name: "name must contain client.oauth.pinniped.dev-", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: "doesnt-contain-prefix", }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 0, wantErr: func(name string) string { return fmt.Sprintf( `OIDCClientSecretRequest.clientsecret.supervisor.%s "doesnt-contain-prefix" is invalid: metadata.name: Invalid value: "doesnt-contain-prefix": must start with 'client.oauth.pinniped.dev-'`, env.APIGroupSuffix) }, }, } }, }, { name: "namespace on the OIDCClientSecretRequest object does not match the namespace on the associated OIDCClient", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: name, Namespace: "some-other-namespace", }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, wantSecretCount: 0, wantErr: func(name string) string { return `the namespace of the provided object does not match the namespace sent on the request` }, }, } }, }, { name: "client secret request created for an oidc client that does not exist should error", clientSecretRequests: func(name string) []testRequest { return []testRequest{ { secretRequest: &v1alpha1.OIDCClientSecretRequest{ ObjectMeta: metav1.ObjectMeta{ Name: "client.oauth.pinniped.dev-client-that-does-not-exist", }, Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: false, RevokeOldSecrets: true, }, }, wantSecretCount: 0, wantErr: func(name string) string { return fmt.Sprintf( `OIDCClientSecretRequest.clientsecret.supervisor.%s "client.oauth.pinniped.dev-client-that-does-not-exist" is invalid: metadata.name: Not found: "client.oauth.pinniped.dev-client-that-does-not-exist"`, env.APIGroupSuffix) }, }, } }, }, } for _, tt := range tests { tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute) t.Cleanup(cancel) kubeClient := testlib.NewKubernetesClientset(t) supervisorClient := testlib.NewSupervisorClientset(t) oidcClient, err := supervisorClient.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace).Create(ctx, &supervisorconfigv1alpha1.OIDCClient{ ObjectMeta: metav1.ObjectMeta{ GenerateName: "client.oauth.pinniped.dev-", }, Spec: supervisorconfigv1alpha1.OIDCClientSpec{ AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{ "https://example.com", "http://127.0.0.1/yoyo", }, AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:token-exchange", }, AllowedScopes: []supervisorconfigv1alpha1.Scope{ "openid", "offline_access", "username", "groups", "pinniped:request-audience", }, }, }, metav1.CreateOptions{}, ) require.NoError(t, err) t.Cleanup(func() { deleteErr := supervisorClient.ConfigV1alpha1(). OIDCClients(env.SupervisorNamespace).Delete(ctx, oidcClient.Name, metav1.DeleteOptions{}) require.NoError(t, deleteErr) testlib.RequireEventually(t, func(requireEventually *require.Assertions) { _, err := kubeClient.CoreV1().Secrets(oidcClient.Namespace). Get(ctx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{}) requireEventually.Error(err, "deleting OIDCClient should result in deleting storage secrets") requireEventually.True(k8serrors.IsNotFound(err), "deleting OIDCClient should result in deleting storage secrets") }, 2*time.Minute, 250*time.Millisecond) }) cacheOfGeneratedSecrets := []string{} hasSecretBeenGenerated := false for n, ttt := range tt.clientSecretRequests(oidcClient.Name) { clientSecretRequestResponse, err := supervisorClient.ClientsecretV1alpha1(). OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, ttt.secretRequest, metav1.CreateOptions{}) if ttt.wantErr != nil { //nolint:nestif require.EqualError(t, err, ttt.wantErr(oidcClient.Name)) } else { require.NoError(t, err) require.Equal(t, ttt.secretRequest.ObjectMeta.Name, clientSecretRequestResponse.ObjectMeta.Name, "name in response should match name in sent request") require.Equal(t, ttt.secretRequest.ObjectMeta.Namespace, clientSecretRequestResponse.ObjectMeta.Namespace, "namespace in response should match namespace in sent request") testutil.RequireTimeInDelta(t, clientSecretRequestResponse.ObjectMeta.CreationTimestamp.Time, time.Now(), 1*time.Minute) require.Equalf(t, ttt.secretRequest.TypeMeta, clientSecretRequestResponse.TypeMeta, "type meta of response should match the sent request") require.Equalf(t, ttt.secretRequest.Spec, clientSecretRequestResponse.Spec, "spec of response should match the sent request") require.Equalf(t, clientSecretRequestResponse.Status.TotalClientSecrets, ttt.wantSecretCount, "expected secret count is incorrect on iteration %d", n) if ttt.secretRequest.Spec.GenerateNewSecret { require.Len(t, clientSecretRequestResponse.Status.GeneratedSecret, hex.EncodedLen(32), "generated secret is not a hex encoded string") } else { require.Empty(t, clientSecretRequestResponse.Status.GeneratedSecret, "when GenerateSecret is false no secret should be generated") } // api will not let you revoke your last secret unless you are also generating a new secret if ttt.secretRequest.Spec.RevokeOldSecrets { if ttt.secretRequest.Spec.GenerateNewSecret { // we will add the newly generated secret below cacheOfGeneratedSecrets = []string{} } else { // if we aren't creating a new secret, we need to keep the most recent secret cacheOfGeneratedSecrets = retainOnlyMostRecentSecret(cacheOfGeneratedSecrets) } } if ttt.secretRequest.Spec.GenerateNewSecret { cacheOfGeneratedSecrets = prependSecret(cacheOfGeneratedSecrets, clientSecretRequestResponse.Status.GeneratedSecret) hasSecretBeenGenerated = true } require.Len(t, cacheOfGeneratedSecrets, ttt.wantSecretCount, "number of generated secrets should match number of hashed secrets") } // even if we got an error, we want to get the storage secret and make assertions about its state storageSecret, getStorageSecretError := kubeClient.CoreV1().Secrets(oidcClient.Namespace). Get(ctx, oidcclientsecretstorage.New(nil).GetName(oidcClient.UID), metav1.GetOptions{}) if !hasSecretBeenGenerated { require.Error(t, getStorageSecretError, "expected not found error") require.True(t, k8serrors.IsNotFound(getStorageSecretError), "expected not found error") // no storage secret was created, so no reason to continue making assertions continue } require.NoError(t, getStorageSecretError) storedClientSecret := StoredClientSecret{} err = json.Unmarshal(storageSecret.Data["pinniped-storage-data"], &storedClientSecret) require.NoError(t, err) require.Len(t, storedClientSecret.SecretHashes, ttt.wantSecretCount) for i, storedSecretHash := range storedClientSecret.SecretHashes { require.NoErrorf(t, bcrypt.CompareHashAndPassword([]byte(storedSecretHash), []byte(cacheOfGeneratedSecrets[i])), "hash %q at index %d is not the hash of secret %q at (%s)", storedSecretHash, i, cacheOfGeneratedSecrets[i]) } } }) } } func retainOnlyMostRecentSecret(list []string) []string { if len(list) == 0 { return []string{} } return []string{list[0]} } func prependSecret(list []string, newItem string) []string { newList := make([]string, 0, len(list)+1) newList = append(newList, newItem) newList = append(newList, list...) return newList } func TestOIDCClientSecretRequestUnauthenticated_Parallel(t *testing.T) { env := testlib.IntegrationEnv(t) ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) t.Cleanup(cancel) client := testlib.NewAnonymousSupervisorClientset(t) _, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx, &v1alpha1.OIDCClientSecretRequest{ Spec: v1alpha1.OIDCClientSecretRequestSpec{ GenerateNewSecret: true, }, }, metav1.CreateOptions{}) require.Error(t, err) if env.KubernetesDistribution == testlib.AKSDistro { // On AKS the error just says "Unauthorized". require.Contains(t, err.Error(), "Unauthorized") } else { // Clusters which allow anonymous auth will give a more detailed error. require.Contains(t, err.Error(), `User "system:anonymous" cannot create resource "oidcclientsecretrequests"`) } }