From 23fd15f840007712aa6d72b6ece260bea689f4a4 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 5 Aug 2024 12:52:21 -0700
Subject: [PATCH] Revert "Add integration tests for tls spec validation in JWTAuthenticator and WebhookAuthenticator"
This reverts commit c3405095b23db9aa4e64eb42829c48814954bab9.
---
 .../concierge_jwtauthenticator_status_test.go | 295 ------------------
 ...cierge_webhookauthenticator_status_test.go | 220 -------------
 2 files changed, 515 deletions(-)
diff --git a/test/integration/concierge_jwtauthenticator_status_test.go b/test/integration/concierge_jwtauthenticator_status_test.go
index 327e85e87..bc2d502b9 100644
--- a/test/integration/concierge_jwtauthenticator_status_test.go
+++ b/test/integration/concierge_jwtauthenticator_status_test.go
@@ -164,10 +164,6 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) { unusedLocalhostPort := findRecentlyUnusedLocalhostPorts(t, 1)[0] - badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-bundle", map[string]string{ - "ca.crt": "This is not a real CA bundle", - }) - tests := []struct { name string spec authenticationv1alpha1.JWTAuthenticatorSpec
@@ -326,297 +322,6 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) { }, ), }, - { - name: "invalid when spec.tls supplies both certificateAuthorityData and certificateAuthorityDataSource", - spec: authenticationv1alpha1.JWTAuthenticatorSpec{ - Issuer: env.CLIUpstreamOIDC.Issuer, - Audience: "foo", - Claims: authenticationv1alpha1.JWTTokenClaims{ - Groups: "", - Username: "", - }, - TLS: &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityData: "pretend-this-is-a-certificate", - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does-not-matter", - Key: "also-does-not-matter", - }, - }, - }, - wantConditions: []metav1.Condition{ - { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "DiscoveryURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "IssuerURLValid", - Status: "True", - Reason: "Success", - Message: "issuer is a valid URL", - }, { - Type: "JWKSFetchValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "JWKSURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the JWTAuthenticator is not ready: see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided", - }, - }, - wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError, - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist", - spec: 
authenticationv1alpha1.JWTAuthenticatorSpec{ - Issuer: env.CLIUpstreamOIDC.Issuer, - Audience: "foo", - Claims: authenticationv1alpha1.JWTTokenClaims{ - Groups: "", - Username: "", - }, - TLS: &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does-not-exist", - Key: "does-not-matter", - }, - }, - }, - wantConditions: []metav1.Condition{ - { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "DiscoveryURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "IssuerURLValid", - Status: "True", - Reason: "Success", - Message: "issuer is a valid URL", - }, { - Type: "JWKSFetchValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "JWKSURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the JWTAuthenticator is not ready: see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"concierge/does-not-exist\": configmap \"does-not-exist\" not found", - }, - }, - wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError, - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist", - spec: authenticationv1alpha1.JWTAuthenticatorSpec{ - Issuer: env.CLIUpstreamOIDC.Issuer, - Audience: "foo", - Claims: authenticationv1alpha1.JWTTokenClaims{ - Groups: "", - Username: "", - }, - TLS: &authenticationv1alpha1.TLSSpec{ - 
CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "Secret", - Name: "does-not-exist", - Key: "does-not-matter", - }, - }, - }, - wantConditions: []metav1.Condition{ - { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "DiscoveryURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "IssuerURLValid", - Status: "True", - Reason: "Success", - Message: "issuer is a valid URL", - }, { - Type: "JWKSFetchValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "JWKSURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the JWTAuthenticator is not ready: see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"concierge/does-not-exist\": secret \"does-not-exist\" not found", - }, - }, - wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError, - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes", - spec: authenticationv1alpha1.JWTAuthenticatorSpec{ - Issuer: env.CLIUpstreamOIDC.Issuer, - Audience: "foo", - Claims: authenticationv1alpha1.JWTTokenClaims{ - Groups: "", - Username: "", - }, - TLS: &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "ca.crt", - }, - }, - }, - wantConditions: []metav1.Condition{ - { - Type: 
"AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "DiscoveryURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "IssuerURLValid", - Status: "True", - Reason: "Success", - Message: "issuer is a valid URL", - }, { - Type: "JWKSFetchValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "JWKSURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the JWTAuthenticator is not ready: see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"ca.crt\" with 28 bytes of data in configmap \"concierge/%s\" is not a PEM-encoded certificate (PEM certificates must begin with \"-----BEGIN CERTIFICATE-----\")", badCABundleConfigMap.Name), - }, - }, - wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError, - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist", - spec: authenticationv1alpha1.JWTAuthenticatorSpec{ - Issuer: env.CLIUpstreamOIDC.Issuer, - Audience: "foo", - Claims: authenticationv1alpha1.JWTTokenClaims{ - Groups: "", - Username: "", - }, - TLS: &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "key-not-present", - }, - }, - }, - wantConditions: []metav1.Condition{ - { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see 
other conditions for details", - }, { - Type: "DiscoveryURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "IssuerURLValid", - Status: "True", - Reason: "Success", - Message: "issuer is a valid URL", - }, { - Type: "JWKSFetchValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "JWKSURLValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the JWTAuthenticator is not ready: see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"concierge/%s\"", badCABundleConfigMap.Name), - }, - }, - wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError, - }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { diff --git a/test/integration/concierge_webhookauthenticator_status_test.go b/test/integration/concierge_webhookauthenticator_status_test.go index 8c8b3b515..c5a9dec3c 100644 --- a/test/integration/concierge_webhookauthenticator_status_test.go +++ b/test/integration/concierge_webhookauthenticator_status_test.go @@ -155,10 +155,6 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) { caBundleSomePivotalCA := "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" - badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-bundle", map[string]string{ - "ca.crt": "This is not a real CA bundle", - }) - tests := []struct { name string spec func() *authenticationv1alpha1.WebhookAuthenticatorSpec 
@@ -277,222 +273,6 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) { }, ), }, - { - name: "invalid when spec.tls supplies both certificateAuthorityData and certificateAuthorityDataSource", - spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { - webhookSpec := env.TestWebhook.DeepCopy() - webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityData: caBundleSomePivotalCA, - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does-not-matter", - Key: "also-does-not-matter", - }, - } - webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" - return webhookSpec - }, - initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, - finalConditions: replaceSomeConditions( - allSuccessfulWebhookAuthenticatorConditions(), - []metav1.Condition{ - { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the WebhookAuthenticator is not ready: see other conditions for details", - }, { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "WebhookConnectionValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided", - }, - }, - ), - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist", - spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { - webhookSpec := env.TestWebhook.DeepCopy() - webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does-not-exist", - Key: 
"does-not-matter", - }, - } - webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" - return webhookSpec - }, - initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, - finalConditions: replaceSomeConditions( - allSuccessfulWebhookAuthenticatorConditions(), - []metav1.Condition{ - { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the WebhookAuthenticator is not ready: see other conditions for details", - }, { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "WebhookConnectionValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"concierge/does-not-exist\": configmap \"does-not-exist\" not found", - }, - }, - ), - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist", - spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { - webhookSpec := env.TestWebhook.DeepCopy() - webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "Secret", - Name: "does-not-exist", - Key: "does-not-matter", - }, - } - webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" - return webhookSpec - }, - initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, - finalConditions: replaceSomeConditions( - allSuccessfulWebhookAuthenticatorConditions(), - []metav1.Condition{ - { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the WebhookAuthenticator is not ready: see other conditions for details", - }, { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - 
Message: "unable to validate; see other conditions for details", - }, { - Type: "WebhookConnectionValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"concierge/does-not-exist\": secret \"does-not-exist\" not found", - }, - }, - ), - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes", - spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { - webhookSpec := env.TestWebhook.DeepCopy() - webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "ca.crt", - }, - } - webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" - return webhookSpec - }, - initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, - finalConditions: replaceSomeConditions( - allSuccessfulWebhookAuthenticatorConditions(), - []metav1.Condition{ - { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the WebhookAuthenticator is not ready: see other conditions for details", - }, { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "WebhookConnectionValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"ca.crt\" with 28 bytes of data in configmap \"concierge/%s\" is not a PEM-encoded certificate (PEM certificates must begin with 
\"-----BEGIN CERTIFICATE-----\")", badCABundleConfigMap.Name), - }, - }, - ), - }, - { - name: "invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist", - spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec { - webhookSpec := env.TestWebhook.DeepCopy() - webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &authenticationv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "key-not-present", - }, - } - webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint" - return webhookSpec - }, - initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError, - finalConditions: replaceSomeConditions( - allSuccessfulWebhookAuthenticatorConditions(), - []metav1.Condition{ - { - Type: "Ready", - Status: "False", - Reason: "NotReady", - Message: "the WebhookAuthenticator is not ready: see other conditions for details", - }, { - Type: "AuthenticatorValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, { - Type: "WebhookConnectionValid", - Status: "Unknown", - Reason: "UnableToValidate", - Message: "unable to validate; see other conditions for details", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"concierge/%s\"", badCABundleConfigMap.Name), - }, - }, - ), - }, } for _, test := range tests { tt := test