1c296e5c4c
This commit is a WIP commit because it doesn't include many tests for the new feature. Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
91 lines
2.8 KiB
Go
91 lines
2.8 KiB
Go
// Copyright 2022 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package integration
|
|
|
|
import (
|
|
"context"
|
|
"encoding/hex"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
|
|
supervisorconfigv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
|
"go.pinniped.dev/test/testlib"
|
|
)
|
|
|
|
func TestOIDCClientSecretRequest_HappyPath_Parallel(t *testing.T) {
|
|
env := testlib.IntegrationEnv(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
t.Cleanup(cancel)
|
|
|
|
client := testlib.NewSupervisorClientset(t)
|
|
|
|
oidcClient, err := client.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace).Create(ctx,
|
|
&supervisorconfigv1alpha1.OIDCClient{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
GenerateName: "client.oauth.pinniped.dev-",
|
|
},
|
|
Spec: supervisorconfigv1alpha1.OIDCClientSpec{
|
|
AllowedRedirectURIs: []supervisorconfigv1alpha1.RedirectURI{
|
|
"https://example.com",
|
|
"http://127.0.0.1/yoyo",
|
|
},
|
|
AllowedGrantTypes: []supervisorconfigv1alpha1.GrantType{
|
|
"authorization_code",
|
|
"refresh_token",
|
|
"urn:ietf:params:oauth:grant-type:token-exchange",
|
|
},
|
|
AllowedScopes: []supervisorconfigv1alpha1.Scope{
|
|
"openid",
|
|
"offline_access",
|
|
"username",
|
|
"groups",
|
|
"pinniped:request-audience",
|
|
},
|
|
},
|
|
},
|
|
metav1.CreateOptions{},
|
|
)
|
|
require.NoError(t, err)
|
|
t.Cleanup(func() {
|
|
deleteErr := client.ConfigV1alpha1().OIDCClients(env.SupervisorNamespace).Delete(ctx, oidcClient.Name, metav1.DeleteOptions{})
|
|
require.NoError(t, deleteErr)
|
|
})
|
|
|
|
response, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
|
|
&v1alpha1.OIDCClientSecretRequest{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: oidcClient.Name,
|
|
},
|
|
Spec: v1alpha1.OIDCClientSecretRequestSpec{
|
|
GenerateNewSecret: true,
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.NoError(t, err)
|
|
require.Equal(t, response.Status.TotalClientSecrets, 1)
|
|
require.Len(t, response.Status.GeneratedSecret, hex.EncodedLen(32))
|
|
}
|
|
|
|
func TestOIDCClientSecretRequest_Unauthenticated_Parallel(t *testing.T) {
|
|
env := testlib.IntegrationEnv(t)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
|
t.Cleanup(cancel)
|
|
|
|
client := testlib.NewAnonymousSupervisorClientset(t)
|
|
|
|
_, err := client.ClientsecretV1alpha1().OIDCClientSecretRequests(env.SupervisorNamespace).Create(ctx,
|
|
&v1alpha1.OIDCClientSecretRequest{
|
|
Spec: v1alpha1.OIDCClientSecretRequestSpec{
|
|
GenerateNewSecret: true,
|
|
},
|
|
}, metav1.CreateOptions{})
|
|
require.Error(t, err)
|
|
require.Contains(t, err.Error(), "User \"system:anonymous\" cannot create resource \"oidcclientsecretrequests\"")
|
|
}
|