djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
24cf7c5bcd
ContainerImage.Pinniped/internal/testutil/oidcclientsecretstorage.go
Ryan Richard e0ecdc004b Allow dynamic clients to be used in downstream OIDC flows 
This is only a first commit towards making this feature work.
- Hook dynamic clients into fosite by returning them from the storage
  interface (after finding and validating them)
- In the auth endpoint, prevent the use of the username and password
  headers for dynamic clients to force them to use the browser-based
  login flows for all the upstream types
- Add happy path integration tests in supervisor_login_test.go
- Add lots of comments (and some small refactors) in
  supervisor_login_test.go to make it much easier to understand
- Add lots of unit tests for the auth endpoint regarding dynamic clients
  (more unit tests to be added for other endpoints in follow-up commits)
- Enhance crud.go to make lifetime=0 mean never garbage collect,
  since we want client secret storage Secrets to last forever
- Move the OIDCClient validation code to a package where it can be
  shared between the controller and the fosite storage interface
- Make shared test helpers for tests that need to create OIDC client
  secret storage Secrets
- Create a public const for "pinniped-cli" now that we are using that
  string in several places in the production code
2022-07-14 09:51:11 -07:00

52 lines
1.9 KiB
Go
Raw Blame History

// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package testutil
import (
"encoding/base32"
"encoding/json"
"strings"
"testing"
"github.com/stretchr/testify/require"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func secretNameForUID(uid string) string {
// See GetName() in OIDCClientSecretStorage for how the production code determines the Secret name.
// This test helper is intended to choose the same name.
return "pinniped-storage-oidc-client-secret-" +
strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString([]byte(uid)))
}
func OIDCClientSecretStorageSecretWithoutName(t *testing.T, namespace string, hashes []string) *corev1.Secret {
hashesJSON, err := json.Marshal(hashes)
require.NoError(t, err) // this shouldn't really happen since we can always encode a slice of strings
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
Labels: map[string]string{"storage.pinniped.dev/type": "oidc-client-secret"},
},
Type: "storage.pinniped.dev/oidc-client-secret",
Data: map[string][]byte{
"pinniped-storage-data": []byte(`{"version":"1","hashes":` + string(hashesJSON) + `}`),
"pinniped-storage-version": []byte("1"),
},
}
}
func OIDCClientSecretStorageSecretForUID(t *testing.T, namespace string, oidcClientUID string, hashes []string) *corev1.Secret {
secret := OIDCClientSecretStorageSecretWithoutName(t, namespace, hashes)
secret.Name = secretNameForUID(oidcClientUID)
return secret
}
func OIDCClientSecretStorageSecretForUIDWithWrongVersion(t *testing.T, namespace string, oidcClientUID string) *corev1.Secret {
secret := OIDCClientSecretStorageSecretForUID(t, namespace, oidcClientUID, []string{})
secret.Data["pinniped-storage-data"] = []byte(`{"version":"wrong-version","hashes":[]}`)
return secret
}
Reference in New Issue View Git Blame Copy Permalink