diff --git a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
index c956a9635..1b2d5b242 100644
--- a/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/activedirectoryupstreamwatcher/active_directory_upstream_watcher_test.go
@@ -5,6 +5,7 @@ package activedirectoryupstreamwatcher
 import (
 "context"
+ "crypto/sha256"
 "encoding/base64"
 "errors"
 "fmt"
@@ -469,6 +470,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -669,6 +671,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
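Review bot: None of the hunks in this test file (nor in ldap_upstream_watcher_test.go, whose hunks start at line 399) show a case where a cache entry carries a `CABundlePEMSHA256` that differs from the hash of the current CA bundle, so the new mismatch-forces-revalidation behaviour in `validateAndSetLDAPServerConnectivityAndSearchBase` is only covered on the cache-hit side. The updated expectations here pin the value written into the cache, but nothing visible seeds the cache with a stale hash and asserts that the connection probes and search-base discovery run again. A natural place is next to the existing "already previously validated with version 4242" case (hunk at line 1428 here, line 994 in the LDAP test), pre-populating the cache with e.g. `CABundlePEMSHA256: sha256.Sum256([]byte("stale-bundle"))` (constructed value) and expecting a freshly computed `ConnectionValidCondition`. The enclosing test function extends well beyond these hunks, so such a case may exist in a part of the diff not shown here.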
@@ -739,6 +742,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -815,6 +819,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 IDPSpecGeneration: 1234,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 ConnectionValidCondition: &metav1.Condition{
 Type: "LDAPConnectionValid",
 Status: "True",
@@ -949,6 +954,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1001,6 +1007,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1162,6 +1169,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1182,6 +1190,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1253,6 +1262,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 GroupSearchBase: testGroupSearchBase,
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1275,6 +1285,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1327,6 +1338,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1346,6 +1358,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 IDPSpecGeneration: 1234,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
@@ -1367,6 +1380,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1386,6 +1400,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1233,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1408,6 +1423,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1428,6 +1444,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 IDPSpecGeneration: 1234,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
 }},
@@ -1448,6 +1465,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1487,6 +1505,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1506,6 +1525,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1528,6 +1548,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1589,6 +1610,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
@@ -1654,6 +1676,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1718,6 +1741,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: exampleDefaultNamingContext,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1782,6 +1806,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: exampleDefaultNamingContext,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1938,6 +1963,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4241")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -1994,6 +2020,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 GroupSearchBase: exampleDefaultNamingContext,
 UserSearchBase: testUserSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInRootDSECondition(0))),
@@ -2064,6 +2091,7 @@ func TestActiveDirectoryUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(activeDirectoryConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 SearchBaseFoundCondition: condPtr(withoutTime(searchBaseFoundInConfigCondition(0))),
diff --git a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
index 77269be21..30a7d48f0 100644
--- a/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/ldapupstreamwatcher/ldap_upstream_watcher_test.go
@@ -5,6 +5,7 @@ package ldapupstreamwatcher
 import (
 "context"
+ "crypto/sha256"
 "encoding/base64"
 "errors"
 "fmt"
@@ -399,6 +400,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -591,6 +593,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -658,6 +661,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: &metav1.Condition{
 Type: "LDAPConnectionValid",
@@ -778,6 +782,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(nil),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -829,6 +834,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -881,6 +887,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -900,6 +907,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -918,6 +926,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -937,6 +946,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.StartTLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithStartTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -954,6 +964,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 BindSecretResourceVersion: "4242",
 LDAPConnectionProtocol: upstreamldap.TLS,
 IDPSpecGeneration: 1233,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
 }},
@@ -975,6 +986,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -994,6 +1006,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 IDPSpecGeneration: 1234,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")), // already previously validated with version 4242
 }},
 setupMocks: func(conn *mockldapconn.MockConn) {
@@ -1013,6 +1026,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1051,6 +1065,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1094,6 +1109,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
@@ -1132,6 +1148,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(providerConfigForValidUpstreamWithTLS.CABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }}},
@@ -1193,6 +1210,7 @@ func TestLDAPUpstreamWatcherControllerSync(t *testing.T) {
 LDAPConnectionProtocol: upstreamldap.TLS,
 UserSearchBase: testUserSearchBase,
 GroupSearchBase: testGroupSearchBase,
+ CABundlePEMSHA256: sha256.Sum256(testCABundle),
 IDPSpecGeneration: 1234,
 ConnectionValidCondition: condPtr(ldapConnectionValidTrueConditionWithoutTimeOrGeneration("4242")),
 }},
diff --git a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
index 81d791d80..7bb9abff6 100644
--- a/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
+++ b/internal/controller/supervisorconfig/upstreamwatchers/upstream_watchers.go
@@ -5,6 +5,7 @@ package upstreamwatchers
 import (
 "context"
+ "crypto/sha256"
 "fmt"
 "time"
@@ -40,8 +41,9 @@ const (
 // ValidatedSettings is the struct which is cached by the ValidatedSettingsCacheI interface.
 type ValidatedSettings struct {
- IDPSpecGeneration int64 // which IDP spec was used during the validation
- BindSecretResourceVersion string // which bind secret was used during the validation
+ IDPSpecGeneration int64 // which IDP spec was used during the validation
+ BindSecretResourceVersion string // which bind secret was used during the validation
+ CABundlePEMSHA256 [32]byte // hash of the CA bundle used during the validation
 // Cache the setting for TLS vs StartTLS. This is always auto-discovered by probing the server.
 LDAPConnectionProtocol upstreamldap.LDAPConnectionProtocol
@@ -277,11 +279,13 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
 config *upstreamldap.ProviderConfig,
 currentSecretVersion string,
 ) (*metav1.Condition, *metav1.Condition) {
- // TODO: if the CA bundle has changed, then we should redo the below connection probes. So maybe this cache should also include the CA bundle (or the hash of the bundle) as part of the lookup?
 validatedSettings, hasPreviousValidatedSettings := validatedSettingsCache.Get(upstream.Name(), currentSecretVersion, upstream.Generation())
 var ldapConnectionValidCondition, searchBaseFoundCondition *metav1.Condition
- if hasPreviousValidatedSettings && validatedSettings.UserSearchBase != "" && validatedSettings.GroupSearchBase != "" {
+ if hasPreviousValidatedSettings &&
+ validatedSettings.UserSearchBase != "" &&
+ validatedSettings.GroupSearchBase != "" &&
+ validatedSettings.CABundlePEMSHA256 == sha256.Sum256(config.CABundle) {
 // Found previously validated settings in the cache (which is also not missing search base fields), so use them.
 config.ConnectionProtocol = validatedSettings.LDAPConnectionProtocol
 config.UserSearch.Base = validatedSettings.UserSearchBase
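Review bot: The comment `// Found previously validated settings in the cache (which is also not missing search base fields), so use them.` on the cache-hit branch is now stale, because the branch additionally requires the cached `CABundlePEMSHA256` to equal the hash of the current `config.CABundle`; it should read `// Found previously validated settings in the cache (search base fields present and CA bundle hash matching the current config), so use them.` Separately, `sha256.Sum256(config.CABundle)` is evaluated here and again in the `validatedSettingsCache.Set(...)` call in the hunk at line 313; hoisting it into `caBundleSHA256 := sha256.Sum256(config.CABundle)` before the `Get` and using that local in both the condition and the `Set` guarantees the stored and compared values are computed from the same bytes and avoids hashing the bundle twice per sync. `validateAndSetLDAPServerConnectivityAndSearchBase` starts and continues outside this hunk, so the cache-miss path is not visible; presumably a hash mismatch falls through to the connection probes below, and a one-line comment on the new condition stating that a changed CA bundle deliberately invalidates the cached probe result would make that intent explicit to the next reader. The `[32]byte` field comment could also say `// SHA-256 of the PEM CA bundle used during the validation` so the encoding being hashed is unambiguous.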
@@ -309,6 +313,7 @@ func validateAndSetLDAPServerConnectivityAndSearchBase(
 validatedSettingsCache.Set(upstream.Name(), ValidatedSettings{
 IDPSpecGeneration: upstream.Generation(),
 BindSecretResourceVersion: currentSecretVersion,
+ CABundlePEMSHA256: sha256.Sum256(config.CABundle),
 LDAPConnectionProtocol: config.ConnectionProtocol,
 UserSearchBase: config.UserSearch.Base,
 GroupSearchBase: config.GroupSearch.Base,