56d316e8d3
This change makes it easier to understand misconfigurations caused by issuers with extraneous trailing slashes. Signed-off-by: Mo Khan <mok@vmware.com>
120 lines
3.9 KiB
Go
120 lines
3.9 KiB
Go
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package integration
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
|
"go.pinniped.dev/test/library"
|
|
)
|
|
|
|
func TestSupervisorUpstreamOIDCDiscovery(t *testing.T) {
|
|
env := library.IntegrationEnv(t)
|
|
|
|
t.Run("invalid missing secret and bad issuer", func(t *testing.T) {
|
|
t.Parallel()
|
|
spec := v1alpha1.OIDCIdentityProviderSpec{
|
|
Issuer: "https://127.0.0.1:444444/issuer",
|
|
Client: v1alpha1.OIDCClient{
|
|
SecretName: "does-not-exist",
|
|
},
|
|
}
|
|
upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
|
|
expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
|
|
{
|
|
Type: "ClientCredentialsValid",
|
|
Status: v1alpha1.ConditionFalse,
|
|
Reason: "SecretNotFound",
|
|
Message: `secret "does-not-exist" not found`,
|
|
},
|
|
{
|
|
Type: "OIDCDiscoverySucceeded",
|
|
Status: v1alpha1.ConditionFalse,
|
|
Reason: "Unreachable",
|
|
Message: `failed to perform OIDC discovery against "https://127.0.0.1:444444/issuer":
|
|
Get "https://127.0.0.1:444444/issuer/.well-known/openid-configuration": dial tcp: address 444444: in [truncated 10 chars]`,
|
|
},
|
|
})
|
|
})
|
|
|
|
t.Run("invalid issuer with trailing slash", func(t *testing.T) {
|
|
t.Parallel()
|
|
spec := v1alpha1.OIDCIdentityProviderSpec{
|
|
Issuer: env.SupervisorTestUpstream.Issuer + "/",
|
|
TLS: &v1alpha1.TLSSpec{
|
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)),
|
|
},
|
|
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
|
|
AdditionalScopes: []string{"email", "profile"},
|
|
},
|
|
Client: v1alpha1.OIDCClient{
|
|
SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
|
|
},
|
|
}
|
|
upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseError)
|
|
expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
|
|
{
|
|
Type: "ClientCredentialsValid",
|
|
Status: v1alpha1.ConditionTrue,
|
|
Reason: "Success",
|
|
Message: "loaded client credentials",
|
|
},
|
|
{
|
|
Type: "OIDCDiscoverySucceeded",
|
|
Status: v1alpha1.ConditionFalse,
|
|
Reason: "Unreachable",
|
|
Message: `failed to perform OIDC discovery against "` + env.SupervisorTestUpstream.Issuer + `/":
|
|
oidc: issuer did not match the issuer returned by provider, expected "` + env.SupervisorTestUpstream.Issuer + `/" got "` + env.SupervisorTestUpstream.Issuer + `"`,
|
|
},
|
|
})
|
|
})
|
|
|
|
t.Run("valid", func(t *testing.T) {
|
|
t.Parallel()
|
|
spec := v1alpha1.OIDCIdentityProviderSpec{
|
|
Issuer: env.SupervisorTestUpstream.Issuer,
|
|
TLS: &v1alpha1.TLSSpec{
|
|
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorTestUpstream.CABundle)),
|
|
},
|
|
AuthorizationConfig: v1alpha1.OIDCAuthorizationConfig{
|
|
AdditionalScopes: []string{"email", "profile"},
|
|
},
|
|
Client: v1alpha1.OIDCClient{
|
|
SecretName: library.CreateClientCredsSecret(t, "test-client-id", "test-client-secret").Name,
|
|
},
|
|
}
|
|
upstream := library.CreateTestOIDCIdentityProvider(t, spec, v1alpha1.PhaseReady)
|
|
expectUpstreamConditions(t, upstream, []v1alpha1.Condition{
|
|
{
|
|
Type: "ClientCredentialsValid",
|
|
Status: v1alpha1.ConditionTrue,
|
|
Reason: "Success",
|
|
Message: "loaded client credentials",
|
|
},
|
|
{
|
|
Type: "OIDCDiscoverySucceeded",
|
|
Status: v1alpha1.ConditionTrue,
|
|
Reason: "Success",
|
|
Message: "discovered issuer configuration",
|
|
},
|
|
})
|
|
})
|
|
}
|
|
|
|
func expectUpstreamConditions(t *testing.T, upstream *v1alpha1.OIDCIdentityProvider, expected []v1alpha1.Condition) {
|
|
t.Helper()
|
|
normalized := make([]v1alpha1.Condition, 0, len(upstream.Status.Conditions))
|
|
for _, c := range upstream.Status.Conditions {
|
|
c.ObservedGeneration = 0
|
|
c.LastTransitionTime = metav1.Time{}
|
|
normalized = append(normalized, c)
|
|
}
|
|
require.ElementsMatch(t, expected, normalized)
|
|
}
|