mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-07 05:57:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

store ca bundle hash in validated settings cache

Browse Source 
Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
This commit is contained in:
Ashish Amarnath
2024-07-25 13:06:52 -07:00
committed by Ryan Richard
parent 242fa8afb2
commit 2a62beeb5f
3 changed files with 55 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
View File

@@ -5,6 +5,7 @@ package activedirectoryupstreamwatcher
import (
"context"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
@@ -469,6 +470,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -669,6 +671,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(nil),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -739,6 +742,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(nil),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -815,6 +819,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
IDPSpecGeneration: 1234,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
ConnectionValidCondition: &metav1.Condition{
Type: "LDAPConnectionValid",
Status: "True",
@@ -949,6 +954,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(nil),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1001,6 +1007,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1162,6 +1169,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1182,6 +1190,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1253,6 +1262,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
BindSecretResourceVersion: "4242",
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: exampleDefaultNamingContext,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
GroupSearchBase: testGroupSearchBase,
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1275,6 +1285,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: exampleDefaultNamingContext,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1327,6 +1338,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: exampleDefaultNamingContext,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1346,6 +1358,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
BindSecretResourceVersion: "4242",
LDAPConnectionProtocol: upstreamldap.StartTLS,
IDPSpecGeneration: 1234,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1367,6 +1380,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.StartTLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1386,6 +1400,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1233,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1408,6 +1423,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1428,6 +1444,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
IDPSpecGeneration: 1234,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
}},
@@ -1448,6 +1465,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1487,6 +1505,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1506,6 +1525,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1528,6 +1548,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1589,6 +1610,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1654,6 +1676,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: exampleDefaultNamingContext,
GroupSearchBase: exampleDefaultNamingContext,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1718,6 +1741,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: exampleDefaultNamingContext,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1782,6 +1806,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: exampleDefaultNamingContext,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1938,6 +1963,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1994,6 +2020,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
GroupSearchBase: exampleDefaultNamingContext,
UserSearchBase: testUserSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -2064,6 +2091,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),

18
internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
View File

@@ -5,6 +5,7 @@ package ldapupstreamwatcher
import (
"context"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
@@ -399,6 +400,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -591,6 +593,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(nil),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -658,6 +661,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.StartTLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: &metav1.Condition{
Type: "LDAPConnectionValid",
@@ -778,6 +782,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(nil),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -829,6 +834,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -881,6 +887,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -900,6 +907,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -918,6 +926,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.StartTLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -937,6 +946,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.StartTLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -954,6 +964,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
BindSecretResourceVersion: "4242",
LDAPConnectionProtocol: upstreamldap.TLS,
IDPSpecGeneration: 1233,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
}},
@@ -975,6 +986,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -994,6 +1006,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
IDPSpecGeneration: 1234,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
}},
setupMocks: func(conn *mockldapconn.MockConn) {
@@ -1013,6 +1026,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -1051,6 +1065,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -1094,6 +1109,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},
@@ -1132,6 +1148,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}}},
@@ -1193,6 +1210,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
LDAPConnectionProtocol: upstreamldap.TLS,
UserSearchBase: testUserSearchBase,
GroupSearchBase: testGroupSearchBase,
CABundlePEMSHA256: sha256.Sum256(testCABundle),
IDPSpecGeneration: 1234,
ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
}},

13
internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
View File

@@ -5,6 +5,7 @@ package upstreamwatchers
import (
"context"
"crypto/sha256"
"fmt"
"time"
@@ -40,8 +41,9 @@ const (
// ValidatedSettings is the struct which is cached by the ValidatedSettingsCacheI interface.
type ValidatedSettings struct {
IDPSpecGeneration int64 // which IDP spec was used during the validation
BindSecretResourceVersion string // which bind secret was used during the validation
IDPSpecGeneration int64 // which IDP spec was used during the validation
BindSecretResourceVersion string // which bind secret was used during the validation
CABundlePEMSHA256 [32]byte // hash of the CA bundle used during the validation
// Cache the setting for TLS vs StartTLS. This is always auto-discovered by probing the server.
LDAPConnectionProtocol upstreamldap.LDAPConnectionProtocol
@@ -277,11 +279,13 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
config *upstreamldap.ProviderConfig,
currentSecretVersion string,
) (*metav1.Condition, *metav1.Condition) {
// TODO: if the CA bundle has changed, then we should redo the below connection probes. So maybe this cache should also include the CA bundle (or the hash of the bundle) as part of the lookup?
validatedSettings, hasPreviousValidatedSettings := validatedSettingsCache.Get(upstream.Name(), currentSecretVersion, upstream.Generation())
var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
if hasPreviousValidatedSettings && validatedSettings.UserSearchBase != "" && validatedSettings.GroupSearchBase != "" {
if hasPreviousValidatedSettings &&
validatedSettings.UserSearchBase != "" &&
validatedSettings.GroupSearchBase != "" &&
validatedSettings.CABundlePEMSHA256 == sha256.Sum256(config.CABundle) {
// Found previously validated settings in the cache (which is also not missing search base fields), so use them.
config.ConnectionProtocol = validatedSettings.LDAPConnectionProtocol
config.UserSearch.Base = validatedSettings.UserSearchBase
@@ -309,6 +313,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
validatedSettingsCache.Set(upstream.Name(), ValidatedSettings{
IDPSpecGeneration: upstream.Generation(),
BindSecretResourceVersion: currentSecretVersion,
CABundlePEMSHA256: sha256.Sum256(config.CABundle),
LDAPConnectionProtocol: config.ConnectionProtocol,
UserSearchBase: config.UserSearch.Base,
GroupSearchBase: config.GroupSearch.Base,