Merge pull request #1930 from vmware-tanzu/ben/discovery-test/oidc-and-ldap

IDP Discovery Test improvement: Add OIDC, LDAP
2026-01-03 11:45:45 +00:00 · 2024-05-01 10:35:26 -04:00
parent 0d709ea8db 00567645d0
commit 0896e7164a
1 changed files with 111 additions and 13 deletions
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -783,20 +784,108 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 		},
 	}, idpv1alpha1.GitHubPhaseReady)

-	// TODO: add ldap to prove it shows up in the IDP discovery API
-	// TODO: add oidc to prove it shows up in the IDP discovery API
-	// TODO: add ad to prove it shows up in the IDP discovery API
+	ldapBindSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
+		map[string]string{
+			corev1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
+			corev1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
+		},
+	)
+	ldapIDP := testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
+		Host: env.SupervisorUpstreamLDAP.Host,
+		TLS: &idpv1alpha1.TLSSpec{
+			CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
+		},
+		Bind: idpv1alpha1.LDAPIdentityProviderBind{
+			SecretName: ldapBindSecret.Name,
+		},
+		UserSearch: idpv1alpha1.LDAPIdentityProviderUserSearch{
+			Base:   env.SupervisorUpstreamLDAP.UserSearchBase,
+			Filter: "",
+			Attributes: idpv1alpha1.LDAPIdentityProviderUserSearchAttributes{
+				Username: env.SupervisorUpstreamLDAP.TestUserMailAttributeName,
+				UID:      env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
+			},
+		},
+		GroupSearch: idpv1alpha1.LDAPIdentityProviderGroupSearch{
+			Base:   env.SupervisorUpstreamLDAP.GroupSearchBase,
+			Filter: "", // use the default value of "member={}"
+			Attributes: idpv1alpha1.LDAPIdentityProviderGroupSearchAttributes{
+				GroupName: "", // use the default value of "dn"
+			},
+		},
+	}, idpv1alpha1.LDAPPhaseReady)

-	federationDomainConfig := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
-		Issuer: issuerName,
-		IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{{
-			DisplayName: ghIDP.Name,
+	oidcIDP := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
+		Issuer: env.SupervisorUpstreamOIDC.Issuer,
+		TLS: &idpv1alpha1.TLSSpec{
+			CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+		},
+		AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+			AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
+		},
+		Claims: idpv1alpha1.OIDCClaims{
+			Username: env.SupervisorUpstreamOIDC.UsernameClaim,
+			Groups:   env.SupervisorUpstreamOIDC.GroupsClaim,
+		},
+		Client: idpv1alpha1.OIDCClient{
+			SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
+		},
+	}, idpv1alpha1.PhaseReady)
+
+	var adIDP *idpv1alpha1.ActiveDirectoryIdentityProvider
+	if activeDirectoryAvailable(t, env) {
+		activeDirectoryBindSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
+			map[string]string{
+				corev1.BasicAuthUsernameKey: env.SupervisorUpstreamActiveDirectory.BindUsername,
+				corev1.BasicAuthPasswordKey: env.SupervisorUpstreamActiveDirectory.BindPassword,
+			},
+		)
+		adIDP = testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
+			Host: env.SupervisorUpstreamActiveDirectory.Host,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
+			},
+			Bind: idpv1alpha1.ActiveDirectoryIdentityProviderBind{
+				SecretName: activeDirectoryBindSecret.Name,
+			},
+		}, idpv1alpha1.ActiveDirectoryPhaseReady)
+	}
+
+	idpsForFD := []v1alpha1.FederationDomainIdentityProvider{{
+		DisplayName: ghIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "GitHubIdentityProvider",
+			Name:     ghIDP.Name,
+		},
+	}, {
+		DisplayName: ldapIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "LDAPIdentityProvider",
+			Name:     ldapIDP.Name,
+		},
+	}, {
+		DisplayName: oidcIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "OIDCIdentityProvider",
+			Name:     oidcIDP.Name,
+		},
+	}}
+	if activeDirectoryAvailable(t, env) {
+		idpsForFD = append(idpsForFD, v1alpha1.FederationDomainIdentityProvider{
+			DisplayName: adIDP.Name,
 			ObjectRef: corev1.TypedLocalObjectReference{
 				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
-				Kind:     "GitHubIdentityProvider",
-				Name:     ghIDP.Name,
+				Kind:     "ActiveDirectoryIdentityProvider",
+				Name:     adIDP.Name,
 			},
-		}},
+		})
+	}
+	federationDomainConfig := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
+		Issuer:            issuerName,
+		IdentityProviders: idpsForFD,
 	}, v1alpha1.FederationDomainPhaseReady)

 	requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, nil)
@@ -829,12 +918,21 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 	err = json.Unmarshal([]byte(discoveryIDPResponseBody), &identityProviderListResponse)
 	require.NoError(t, err)

-	allIDPs := []string{ghIDP.Name}
-	require.Equal(t, len(identityProviderListResponse.IdentityProviders), 1, "all IDPs should be listed by idp discovery endpoint")
+	allIDPs := []string{ghIDP.Name, ldapIDP.Name, oidcIDP.Name}
+	if activeDirectoryAvailable(t, env) {
+		allIDPs = append(allIDPs, adIDP.Name)
+	}
+	require.Equal(t, len(identityProviderListResponse.IdentityProviders), len(allIDPs), "all IDPs should be listed by idp discovery endpoint")
 	for _, provider := range identityProviderListResponse.IdentityProviders {
-		require.True(t, slices.Contains(allIDPs, provider.Name))
 		require.Contains(t, allIDPs, provider.Name, fmt.Sprintf("provider name should be listed in IDP discovery: %s", provider.Name))
 	}

 	return federationDomainConfig
 }
+
+func activeDirectoryAvailable(t *testing.T, env *testlib.TestEnv) bool {
+	t.Helper()
+	hasLDAPPorts := env.HasCapability(testlib.CanReachInternetLDAPPorts)
+	hasADHost := testlib.IntegrationEnv(t).SupervisorUpstreamActiveDirectory.Host != ""
+	return hasLDAPPorts && hasADHost
+}