From 92b9d68863f7dee65a407db87c58032187bac802 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Petersen" <ben@benjaminapetersen.me>
Date: Tue, 30 Apr 2024 14:18:00 -0400
Subject: [PATCH 1/2] Add OIDC, LDAP to supervisor discovery test

---
 test/integration/supervisor_discovery_test.go | 70 +++++++++++++++++--
 1 file changed, 65 insertions(+), 5 deletions(-)

diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index ef2967fdc..f48bdebb3 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -783,8 +784,54 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 		},
 	}, idpv1alpha1.GitHubPhaseReady)
 
-	// TODO: add ldap to prove it shows up in the IDP discovery API
-	// TODO: add oidc to prove it shows up in the IDP discovery API
+	ldapBindSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
+		map[string]string{
+			corev1.BasicAuthUsernameKey: env.SupervisorUpstreamLDAP.BindUsername,
+			corev1.BasicAuthPasswordKey: env.SupervisorUpstreamLDAP.BindPassword,
+		},
+	)
+	ldapIDP := testlib.CreateTestLDAPIdentityProvider(t, idpv1alpha1.LDAPIdentityProviderSpec{
+		Host: env.SupervisorUpstreamLDAP.Host,
+		TLS: &idpv1alpha1.TLSSpec{
+			CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamLDAP.CABundle)),
+		},
+		Bind: idpv1alpha1.LDAPIdentityProviderBind{
+			SecretName: ldapBindSecret.Name,
+		},
+		UserSearch: idpv1alpha1.LDAPIdentityProviderUserSearch{
+			Base:   env.SupervisorUpstreamLDAP.UserSearchBase,
+			Filter: "",
+			Attributes: idpv1alpha1.LDAPIdentityProviderUserSearchAttributes{
+				Username: env.SupervisorUpstreamLDAP.TestUserMailAttributeName,
+				UID:      env.SupervisorUpstreamLDAP.TestUserUniqueIDAttributeName,
+			},
+		},
+		GroupSearch: idpv1alpha1.LDAPIdentityProviderGroupSearch{
+			Base:   env.SupervisorUpstreamLDAP.GroupSearchBase,
+			Filter: "", // use the default value of "member={}"
+			Attributes: idpv1alpha1.LDAPIdentityProviderGroupSearchAttributes{
+				GroupName: "", // use the default value of "dn"
+			},
+		},
+	}, idpv1alpha1.LDAPPhaseReady)
+
+	oidcIDP := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
+		Issuer: env.SupervisorUpstreamOIDC.Issuer,
+		TLS: &idpv1alpha1.TLSSpec{
+			CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+		},
+		AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+			AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
+		},
+		Claims: idpv1alpha1.OIDCClaims{
+			Username: env.SupervisorUpstreamOIDC.UsernameClaim,
+			Groups:   env.SupervisorUpstreamOIDC.GroupsClaim,
+		},
+		Client: idpv1alpha1.OIDCClient{
+			SecretName: testlib.CreateClientCredsSecret(t, env.SupervisorUpstreamOIDC.ClientID, env.SupervisorUpstreamOIDC.ClientSecret).Name,
+		},
+	}, idpv1alpha1.PhaseReady)
+
 	// TODO: add ad to prove it shows up in the IDP discovery API
 
 	federationDomainConfig := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
@@ -796,6 +843,20 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 				Kind:     "GitHubIdentityProvider",
 				Name:     ghIDP.Name,
 			},
+		}, {
+			DisplayName: ldapIDP.Name,
+			ObjectRef: corev1.TypedLocalObjectReference{
+				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+				Kind:     "LDAPIdentityProvider",
+				Name:     ldapIDP.Name,
+			},
+		}, {
+			DisplayName: oidcIDP.Name,
+			ObjectRef: corev1.TypedLocalObjectReference{
+				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+				Kind:     "OIDCIdentityProvider",
+				Name:     oidcIDP.Name,
+			},
 		}},
 	}, v1alpha1.FederationDomainPhaseReady)
 
@@ -829,10 +890,9 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 	err = json.Unmarshal([]byte(discoveryIDPResponseBody), &identityProviderListResponse)
 	require.NoError(t, err)
 
-	allIDPs := []string{ghIDP.Name}
-	require.Equal(t, len(identityProviderListResponse.IdentityProviders), 1, "all IDPs should be listed by idp discovery endpoint")
+	allIDPs := []string{ghIDP.Name, ldapIDP.Name, oidcIDP.Name}
+	require.Equal(t, len(identityProviderListResponse.IdentityProviders), 3, "all IDPs should be listed by idp discovery endpoint")
 	for _, provider := range identityProviderListResponse.IdentityProviders {
-		require.True(t, slices.Contains(allIDPs, provider.Name))
 		require.Contains(t, allIDPs, provider.Name, fmt.Sprintf("provider name should be listed in IDP discovery: %s", provider.Name))
 	}
 

From 00567645d05382189ae662c8dbb0a53c36a5cb52 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Petersen" <ben@benjaminapetersen.me>
Date: Tue, 30 Apr 2024 14:44:10 -0400
Subject: [PATCH 2/2] Add conditional AD to IDP discovery test

---
 test/integration/supervisor_discovery_test.go | 88 +++++++++++++------
 1 file changed, 63 insertions(+), 25 deletions(-)

diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go
index f48bdebb3..9e8e8536b 100644
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -832,32 +832,60 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 		},
 	}, idpv1alpha1.PhaseReady)
 
-	// TODO: add ad to prove it shows up in the IDP discovery API
+	var adIDP *idpv1alpha1.ActiveDirectoryIdentityProvider
+	if activeDirectoryAvailable(t, env) {
+		activeDirectoryBindSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ldap-service-account", corev1.SecretTypeBasicAuth,
+			map[string]string{
+				corev1.BasicAuthUsernameKey: env.SupervisorUpstreamActiveDirectory.BindUsername,
+				corev1.BasicAuthPasswordKey: env.SupervisorUpstreamActiveDirectory.BindPassword,
+			},
+		)
+		adIDP = testlib.CreateTestActiveDirectoryIdentityProvider(t, idpv1alpha1.ActiveDirectoryIdentityProviderSpec{
+			Host: env.SupervisorUpstreamActiveDirectory.Host,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamActiveDirectory.CABundle)),
+			},
+			Bind: idpv1alpha1.ActiveDirectoryIdentityProviderBind{
+				SecretName: activeDirectoryBindSecret.Name,
+			},
+		}, idpv1alpha1.ActiveDirectoryPhaseReady)
+	}
 
+	idpsForFD := []v1alpha1.FederationDomainIdentityProvider{{
+		DisplayName: ghIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "GitHubIdentityProvider",
+			Name:     ghIDP.Name,
+		},
+	}, {
+		DisplayName: ldapIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "LDAPIdentityProvider",
+			Name:     ldapIDP.Name,
+		},
+	}, {
+		DisplayName: oidcIDP.Name,
+		ObjectRef: corev1.TypedLocalObjectReference{
+			APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+			Kind:     "OIDCIdentityProvider",
+			Name:     oidcIDP.Name,
+		},
+	}}
+	if activeDirectoryAvailable(t, env) {
+		idpsForFD = append(idpsForFD, v1alpha1.FederationDomainIdentityProvider{
+			DisplayName: adIDP.Name,
+			ObjectRef: corev1.TypedLocalObjectReference{
+				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+				Kind:     "ActiveDirectoryIdentityProvider",
+				Name:     adIDP.Name,
+			},
+		})
+	}
 	federationDomainConfig := testlib.CreateTestFederationDomain(ctx, t, v1alpha1.FederationDomainSpec{
-		Issuer: issuerName,
-		IdentityProviders: []v1alpha1.FederationDomainIdentityProvider{{
-			DisplayName: ghIDP.Name,
-			ObjectRef: corev1.TypedLocalObjectReference{
-				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
-				Kind:     "GitHubIdentityProvider",
-				Name:     ghIDP.Name,
-			},
-		}, {
-			DisplayName: ldapIDP.Name,
-			ObjectRef: corev1.TypedLocalObjectReference{
-				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
-				Kind:     "LDAPIdentityProvider",
-				Name:     ldapIDP.Name,
-			},
-		}, {
-			DisplayName: oidcIDP.Name,
-			ObjectRef: corev1.TypedLocalObjectReference{
-				APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
-				Kind:     "OIDCIdentityProvider",
-				Name:     oidcIDP.Name,
-			},
-		}},
+		Issuer:            issuerName,
+		IdentityProviders: idpsForFD,
 	}, v1alpha1.FederationDomainPhaseReady)
 
 	requireDiscoveryEndpointsAreWorking(t, supervisorScheme, supervisorAddress, supervisorCABundle, issuerName, nil)
@@ -891,10 +919,20 @@ func requireIDPsListedByIDPDiscoveryEndpoint(
 	require.NoError(t, err)
 
 	allIDPs := []string{ghIDP.Name, ldapIDP.Name, oidcIDP.Name}
-	require.Equal(t, len(identityProviderListResponse.IdentityProviders), 3, "all IDPs should be listed by idp discovery endpoint")
+	if activeDirectoryAvailable(t, env) {
+		allIDPs = append(allIDPs, adIDP.Name)
+	}
+	require.Equal(t, len(identityProviderListResponse.IdentityProviders), len(allIDPs), "all IDPs should be listed by idp discovery endpoint")
 	for _, provider := range identityProviderListResponse.IdentityProviders {
 		require.Contains(t, allIDPs, provider.Name, fmt.Sprintf("provider name should be listed in IDP discovery: %s", provider.Name))
 	}
 
 	return federationDomainConfig
 }
+
+func activeDirectoryAvailable(t *testing.T, env *testlib.TestEnv) bool {
+	t.Helper()
+	hasLDAPPorts := env.HasCapability(testlib.CanReachInternetLDAPPorts)
+	hasADHost := testlib.IntegrationEnv(t).SupervisorUpstreamActiveDirectory.Host != ""
+	return hasLDAPPorts && hasADHost
+}