d8c6894cbc
All controller unit tests were accidentally using a timeout context for the informers, instead of a cancel context which stays alive until each test is completely finished. There is no reason to risk unpredictable behavior of a timeout being reached during an individual test, even though with the previous 3 second timeout it could only be reached on a machine which is running orders of magnitude slower than usual, since each test usually runs in about 100-300 ms. Unfortunately, sometimes our CI workers might get that slow. This sparked a review of other usages of timeout contexts in other tests, and all of them were increased to a minimum value of 1 minute, under the rule of thumb that our tests will be more reliable on slow machines if they "pass fast and fail slow".
122 lines
4.8 KiB
Go
122 lines
4.8 KiB
Go
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package integration
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
stderrors "errors"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/ory/fosite"
|
|
"github.com/ory/fosite/compose"
|
|
"github.com/stretchr/testify/require"
|
|
v1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"go.pinniped.dev/internal/fositestorage/authorizationcode"
|
|
"go.pinniped.dev/internal/testutil"
|
|
"go.pinniped.dev/test/library"
|
|
)
|
|
|
|
func TestAuthorizeCodeStorage(t *testing.T) {
|
|
env := library.IntegrationEnv(t)
|
|
client := library.NewKubernetesClientset(t)
|
|
|
|
const (
|
|
// randomly generated HMAC authorization code (see below)
|
|
code = "TQ72B8YjdEOZyxridYbTLE-pzoK4hpdkZxym5j4EmSc.TKRTgQG41IBQ16FDKTthRdhXfLlNaErcMd9Fy47uXAw"
|
|
// name of the secret that will be created in Kube
|
|
name = "pinniped-storage-authcode-jssfhaibxdkiaugxufbsso3bixmfo7fzjvuevxbr35c4xdxolqga"
|
|
)
|
|
|
|
hmac := compose.NewOAuth2HMACStrategy(&compose.Config{}, []byte("super-secret-32-byte-for-testing"), nil)
|
|
// test data generation via:
|
|
// code, signature, err := hmac.GenerateAuthorizeCode(ctx, nil)
|
|
signature := hmac.AuthorizeCodeSignature(code)
|
|
|
|
secrets := client.CoreV1().Secrets(env.SupervisorNamespace)
|
|
|
|
t.Cleanup(func() {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
err := secrets.Delete(ctx, name, metav1.DeleteOptions{})
|
|
require.NoError(t, err)
|
|
})
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
defer cancel()
|
|
|
|
// get a session with most of the data filled out
|
|
session := authorizationcode.NewValidEmptyAuthorizeCodeSession()
|
|
err := json.Unmarshal([]byte(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing), session)
|
|
require.NoError(t, err)
|
|
|
|
sessionStorageLifetime := 5 * time.Minute
|
|
storage := authorizationcode.New(secrets, time.Now, sessionStorageLifetime)
|
|
|
|
// the session for this signature should not exist yet
|
|
notFoundRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil)
|
|
require.Error(t, err)
|
|
require.True(t, stderrors.Is(err, fosite.ErrNotFound))
|
|
require.Nil(t, notFoundRequest)
|
|
|
|
err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
|
|
require.NoError(t, err)
|
|
|
|
// trying to create the session again fails because it already exists
|
|
err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request)
|
|
require.Error(t, err)
|
|
require.True(t, errors.IsAlreadyExists(err))
|
|
|
|
// check that the data stored in Kube matches what we put in
|
|
initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
|
require.NoError(t, err)
|
|
require.JSONEq(t, authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing, string(initialSecret.Data["pinniped-storage-data"]))
|
|
|
|
// check that the Secret got the expected annotations
|
|
actualGCAfterValue := initialSecret.Annotations["storage.pinniped.dev/garbage-collect-after"]
|
|
require.NotEmpty(t, actualGCAfterValue)
|
|
parsedActualGCAfterValue, err := time.Parse(time.RFC3339, actualGCAfterValue)
|
|
require.NoError(t, err)
|
|
testutil.RequireTimeInDelta(t, time.Now().Add(sessionStorageLifetime), parsedActualGCAfterValue, 30*time.Second)
|
|
|
|
// check that the Secret got the right labels
|
|
require.Equal(t, map[string]string{"storage.pinniped.dev/type": "authcode"}, initialSecret.Labels)
|
|
|
|
// check that the Secret got the right type
|
|
require.Equal(t, v1.SecretType("storage.pinniped.dev/authcode"), initialSecret.Type)
|
|
|
|
// we should be able to get the session now and the request should be the same as what we put in
|
|
request, err := storage.GetAuthorizeCodeSession(ctx, signature, nil)
|
|
require.NoError(t, err)
|
|
require.Equal(t, session.Request, request)
|
|
|
|
// simulate the authorization code being exchanged
|
|
err = storage.InvalidateAuthorizeCodeSession(ctx, signature)
|
|
require.NoError(t, err)
|
|
|
|
// trying to use the code session more than once should fail
|
|
// getting an invalidated session should return an error and the request
|
|
invalidatedRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil)
|
|
require.Error(t, err)
|
|
require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode))
|
|
require.Equal(t, session.Request, invalidatedRequest)
|
|
|
|
// trying to use the code session more than once should fail
|
|
err = storage.InvalidateAuthorizeCodeSession(ctx, signature)
|
|
require.Error(t, err)
|
|
require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode))
|
|
|
|
// the data stored in Kube should be exactly the same but it should be marked as used
|
|
invalidatedSecret, err := secrets.Get(ctx, name, metav1.GetOptions{})
|
|
require.NoError(t, err)
|
|
expectedInvalidatedJSON := strings.Replace(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing,
|
|
`"active": true,`, `"active": false,`, 1)
|
|
require.JSONEq(t, expectedInvalidatedJSON, string(invalidatedSecret.Data["pinniped-storage-data"]))
|
|
}
|