skip external CA bundle tests when CA bundle is empty
Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
@@ -21,6 +21,11 @@ import (
|
||||
|
||||
func TestConciergeJWTAuthenticatorWithExternalCABundleStatusIsUpdatedWhenExternalBundleIsUpdated_Parallel(t *testing.T) {
|
||||
env := testlib.IntegrationEnv(t)
|
||||
|
||||
if len(env.SupervisorUpstreamOIDC.CABundle) == 0 {
|
||||
t.Skip("skipping external CA bundle test because env.SupervisorUpstreamOIDC.CABundle is empty")
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
|
||||
t.Cleanup(cancel)
|
||||
|
||||
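Review bot: The skip condition added at L20-L26 is the same check the Supervisor test defines three more times as closures in the `@@ -178,6 +178,29 @@` hunk (`skipExternalCABundleOIDCTestsWhenCABundleIsEmpty` and its LDAP and Active Directory siblings), so the rule "an empty `CABundle` means skip" now lives in four places that can drift independently. A single helper in `testlib` that takes the bundle string and the skip message would keep them in step, and the per-IDP closures would reduce to one-line wrappers around it. Because each of these skips turns a missing CA bundle into a silent pass, any environment that is expected to provide one should state that expectation explicitly (for example in the CI configuration) so that the CA-bundle validation path does not drop out of coverage unnoticed. The test function continues outside the hunk.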
@@ -128,7 +133,7 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseReady,
|
||||
wantConditions: allSuccessfulJWTAuthenticatorConditions(true),
|
||||
wantConditions: allSuccessfulJWTAuthenticatorConditions(len(env.SupervisorUpstreamOIDC.CABundle) != 0),
|
||||
},
|
||||
{
|
||||
name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
|
||||
@@ -218,11 +223,6 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
Status: "False",
|
||||
Reason: "InvalidDiscoveryProbe",
|
||||
Message: `could not perform oidc discovery on provider issuer: Get "` + env.SupervisorUpstreamOIDC.Issuer + `/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority`,
|
||||
}, {
|
||||
Type: "TLSConfigurationValid",
|
||||
Status: "True",
|
||||
Reason: "Success",
|
||||
Message: "spec.tls is valid: using configured CA bundle",
|
||||
},
|
||||
},
|
||||
),
|
||||
@@ -238,7 +238,7 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
wantPhase: authenticationv1alpha1.JWTAuthenticatorPhaseError,
|
||||
wantConditions: replaceSomeConditions(
|
||||
allSuccessfulJWTAuthenticatorConditions(true),
|
||||
allSuccessfulJWTAuthenticatorConditions(len(env.SupervisorUpstreamOIDC.CABundle) != 0),
|
||||
[]metav1.Condition{
|
||||
{
|
||||
Type: "Ready",
|
||||
@@ -422,7 +422,7 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
}
|
||||
|
||||
func allSuccessfulJWTAuthenticatorConditions(caBundleExists bool) []metav1.Condition {
|
||||
tlsConfigValidMsg := "no CA bundle specified"
|
||||
tlsConfigValidMsg := "spec.tls is valid: no TLS configuration provided: using default root CA bundle from container image"
|
||||
if caBundleExists {
|
||||
tlsConfigValidMsg = "spec.tls is valid: using configured CA bundle"
|
||||
}
|
||||
|
||||
@@ -74,35 +74,35 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
// Generate a CA bundle with which to serve this provider.
|
||||
t.Logf("generating test CA")
|
||||
ca, err := certauthority.New("Downstream Test CA", 1*time.Hour)
|
||||
federationDomainSelfSignedCA, err := certauthority.New("Downstream Test CA", 1*time.Hour)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Save that bundle plus the one that signs the upstream issuer, for test purposes.
|
||||
testCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
|
||||
testCABundlePEM := []byte(string(ca.Bundle()) + "\n" + env.SupervisorUpstreamOIDC.CABundle)
|
||||
testCABundleBase64 := base64.StdEncoding.EncodeToString(testCABundlePEM)
|
||||
require.NoError(t, os.WriteFile(testCABundlePath, testCABundlePEM, 0600))
|
||||
federationDomainCABundlePath := filepath.Join(t.TempDir(), "test-ca.pem")
|
||||
federationDomainCABundlePEM := federationDomainSelfSignedCA.Bundle()
|
||||
require.NoError(t, os.WriteFile(federationDomainCABundlePath, federationDomainCABundlePEM, 0600))
|
||||
|
||||
// Use the CA to issue a TLS server cert.
|
||||
t.Logf("issuing test certificate")
|
||||
tlsCert, err := ca.IssueServerCert([]string{issuerURL.Hostname()}, nil, 1*time.Hour)
|
||||
federationDomainTLSServingCert, err := federationDomainSelfSignedCA.IssueServerCert(
|
||||
[]string{issuerURL.Hostname()}, nil, 1*time.Hour)
|
||||
require.NoError(t, err)
|
||||
certPEM, keyPEM, err := certauthority.ToPEM(tlsCert)
|
||||
federationDomainTLSServingCertPEM, federationDomainTLSServingCertKeyPEM, err := certauthority.ToPEM(federationDomainTLSServingCert)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Write the serving cert to a secret.
|
||||
certSecret := testlib.CreateTestSecret(t,
|
||||
federationDomainTLSServingCertSecret := testlib.CreateTestSecret(t,
|
||||
env.SupervisorNamespace,
|
||||
"oidc-provider-tls",
|
||||
corev1.SecretTypeTLS,
|
||||
map[string]string{"tls.crt": string(certPEM), "tls.key": string(keyPEM)},
|
||||
map[string]string{"tls.crt": string(federationDomainTLSServingCertPEM), "tls.key": string(federationDomainTLSServingCertKeyPEM)},
|
||||
)
|
||||
|
||||
// Create the downstream FederationDomain and expect it to go into the success status condition.
|
||||
federationDomain := testlib.CreateTestFederationDomain(topSetupCtx, t,
|
||||
supervisorconfigv1alpha1.FederationDomainSpec{
|
||||
Issuer: issuerURL.String(),
|
||||
TLS: &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: certSecret.Name},
|
||||
TLS: &supervisorconfigv1alpha1.FederationDomainTLSSpec{SecretName: federationDomainTLSServingCertSecret.Name},
|
||||
},
|
||||
supervisorconfigv1alpha1.FederationDomainPhaseError, // in phase error until there is an IDP created
|
||||
)
|
||||
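Review bot: The context comment `// Save that bundle plus the one that signs the upstream issuer, for test purposes.` is now stale: the new lines at L194-L200 write only `federationDomainSelfSignedCA.Bundle()` to disk, and `env.SupervisorUpstreamOIDC.CABundle` is no longer concatenated into it. Update it to something like `// Save the federation domain's self-signed CA bundle to disk so the CLI and the JWTAuthenticator can trust the Supervisor's serving cert.` Narrowing the bundle to the federation domain CA appears to be the correct trust scope for the Concierge and for `--oidc-ca-bundle` (both only need to trust the Supervisor here), and since it changes what the later hunks actually verify it deserves a sentence in the commit description or in that comment. TestE2EFullIntegration_Browser starts and ends outside the hunk.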
@@ -113,7 +113,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
defaultJWTAuthenticatorSpec := authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: federationDomain.Spec.Issuer,
|
||||
Audience: clusterAudience,
|
||||
TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString(federationDomainCABundlePEM)},
|
||||
}
|
||||
|
||||
// Add an OIDC upstream IDP and try using it to authenticate during kubectl commands.
|
||||
@@ -172,7 +172,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
@@ -231,7 +231,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
// in this test, use a secret of type TLS to source ca bundle for the JWT authenticator
|
||||
caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeTLS,
|
||||
map[string]string{
|
||||
"ca.crt": string(testCABundlePEM),
|
||||
"ca.crt": string(federationDomainCABundlePEM),
|
||||
"tls.crt": "",
|
||||
"tls.key": "",
|
||||
})
|
||||
@@ -243,6 +243,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
Key: "ca.crt",
|
||||
}
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
// Create upstream OIDC provider and wait for it to become ready.
|
||||
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
@@ -273,7 +274,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
"--oidc-scopes", "offline_access,openid,pinniped:request-audience", // does not request username or groups
|
||||
@@ -334,9 +335,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
// in this test, use a secret of type opaque to source ca bundle for the JWT authenticator
|
||||
caSecret := testlib.CreateTestSecret(t, env.ConciergeNamespace, "ca-cert", corev1.SecretTypeOpaque,
|
||||
map[string]string{
|
||||
"ca.crt": string(testCABundlePEM),
|
||||
"ca.crt": string(federationDomainCABundlePEM),
|
||||
})
|
||||
t.Logf("created secret %s/%s", caSecret.Namespace, caSecret.Name)
|
||||
jwtAuthnSpec := defaultJWTAuthenticatorSpec.DeepCopy()
|
||||
jwtAuthnSpec.TLS.CertificateAuthorityData = ""
|
||||
jwtAuthnSpec.TLS.CertificateAuthorityDataSource = &authenticationv1alpha1.CABundleSource{
|
||||
@@ -344,9 +344,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
Name: caSecret.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
t.Logf("authenticator: %s/%s; concierge ns: %s", authenticator.Namespace, authenticator.Name, env.ConciergeNamespace)
|
||||
|
||||
// Create upstream OIDC provider and wait for it to become ready.
|
||||
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
@@ -378,7 +377,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-skip-listen",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
@@ -474,7 +473,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
// in this test, use a configmap to source ca bundle for the JWT authenticator
|
||||
caConfigMap := testlib.CreateTestConfigMap(t, env.ConciergeNamespace, "ca-cert",
|
||||
map[string]string{
|
||||
"ca.crt": string(testCABundlePEM),
|
||||
"ca.crt": string(federationDomainCABundlePEM),
|
||||
})
|
||||
jwtAuthnSpec := defaultJWTAuthenticatorSpec.DeepCopy()
|
||||
jwtAuthnSpec.TLS.CertificateAuthorityData = ""
|
||||
@@ -483,8 +482,8 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
Name: caConfigMap.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, defaultJWTAuthenticatorSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
// Create upstream OIDC provider and wait for it to become ready.
|
||||
createdProvider := testlib.CreateTestOIDCIdentityProvider(t, idpv1alpha1.OIDCIdentityProviderSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
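Review bot: In the configmap-sourced case the authenticator is created from `defaultJWTAuthenticatorSpec` on one side of this hunk and from `*jwtAuthnSpec` on the other, and the rendered page does not show which is the new line. If `defaultJWTAuthenticatorSpec` is the new side, the `jwtAuthnSpec` whose `Kind: "ConfigMap"` source is completed at L541-L547 is never passed to `CreateTestJWTAuthenticator`, so the subtest passes using the inline CA data and the configmap CA source goes untested; the secret-backed cases in the `@@ -243,6 +243,7 @@` and `@@ -344,9 +344,8 @@` hunks both pass `*jwtAuthnSpec`. The configmap case should match them: `authenticator := testlib.CreateTestJWTAuthenticator(testCtx, t, *jwtAuthnSpec, authenticationv1alpha1.JWTAuthenticatorPhaseError)`. The enclosing subtest starts and ends outside the hunk.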
@@ -516,7 +515,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-skip-listen",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
@@ -649,7 +648,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-skip-listen",
|
||||
"--upstream-identity-provider-flow", "cli_password", // create a kubeconfig configured to use the cli_password flow
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
@@ -729,7 +728,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--upstream-identity-provider-name", oidcIdentityProvider.Name,
|
||||
"--upstream-identity-provider-type", "oidc",
|
||||
"--upstream-identity-provider-flow", "cli_password",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
@@ -1116,7 +1115,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--upstream-identity-provider-flow", "browser_authcode",
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
@@ -1172,7 +1171,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--upstream-identity-provider-flow", "browser_authcode",
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
@@ -1228,7 +1227,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--upstream-identity-provider-flow", "cli_password", // put cli_password in the kubeconfig, so we can override it with the env var
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
@@ -1317,7 +1316,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
"--concierge-authenticator-type", "jwt",
|
||||
"--concierge-authenticator-name", authenticator.Name,
|
||||
"--oidc-skip-browser",
|
||||
"--oidc-ca-bundle", testCABundlePath,
|
||||
"--oidc-ca-bundle", federationDomainCABundlePath,
|
||||
"--oidc-session-cache", sessionCachePath,
|
||||
"--credential-cache", credentialCachePath,
|
||||
// use default for --oidc-scopes, which is to request all relevant scopes
|
||||
|
||||
@@ -178,6 +178,29 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
testlib.SkipTestWhenActiveDirectoryIsUnavailable(t, env)
|
||||
}
|
||||
|
||||
skipExternalCABundleOIDCTestsWhenCABundleIsEmpty := func(t *testing.T) {
|
||||
t.Helper()
|
||||
if len(env.SupervisorUpstreamOIDC.CABundle) == 0 {
|
||||
t.Skip("skipping external CA bundle test because env.SupervisorUpstreamOIDC.CABundle is empty")
|
||||
}
|
||||
}
|
||||
|
||||
skipExternalCABundleLDAPTestsWhenCABundleIsEmpty := func(t *testing.T) {
|
||||
t.Helper()
|
||||
skipLDAPTests(t)
|
||||
if len(env.SupervisorUpstreamLDAP.CABundle) == 0 {
|
||||
t.Skip("skipping external CA bundle test because env.SupervisorUpstreamLDAP.CABundle is empty")
|
||||
}
|
||||
}
|
||||
|
||||
skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty := func(t *testing.T) {
|
||||
t.Helper()
|
||||
skipActiveDirectoryTests(t)
|
||||
if len(env.SupervisorUpstreamActiveDirectory.CABundle) == 0 {
|
||||
t.Skip("skipping external CA bundle test because env.SupervisorUpstreamActiveDirectory.CABundle is empty")
|
||||
}
|
||||
}
|
||||
|
||||
basicOIDCIdentityProviderSpec := func() idpv1alpha1.OIDCIdentityProviderSpec {
|
||||
return idpv1alpha1.OIDCIdentityProviderSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
@@ -340,7 +363,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "oidc IDP using secrets of type opaque to source ca bundle with default username and groups claim settings",
|
||||
maybeSkip: skipNever,
|
||||
maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idpSpec := basicOIDCIdentityProviderSpec()
|
||||
caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
|
||||
@@ -355,7 +378,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
Name: caSecret.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
|
||||
return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
|
||||
},
|
||||
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
|
||||
@@ -369,7 +391,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "oidc IDP using secrets of type TLS to source ca bundle with default username and groups claim settings",
|
||||
maybeSkip: skipNever,
|
||||
maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idpSpec := basicOIDCIdentityProviderSpec()
|
||||
caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
|
||||
@@ -386,7 +408,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
Name: caSecret.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
|
||||
return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
|
||||
},
|
||||
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
|
||||
@@ -400,7 +421,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "oidc IDP using configmaps to source ca bundle with default username and groups claim settings",
|
||||
maybeSkip: skipNever,
|
||||
maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idpSpec := basicOIDCIdentityProviderSpec()
|
||||
caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
|
||||
@@ -414,7 +435,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
Name: caConfigMap.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
|
||||
return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
|
||||
},
|
||||
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
|
||||
@@ -429,7 +449,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
|
||||
{
|
||||
name: "oidc IDP using secrets of type opaque to source ca bundle with default username and groups claim settings",
|
||||
maybeSkip: skipNever,
|
||||
maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idpSpec := basicOIDCIdentityProviderSpec()
|
||||
caData, err := base64.StdEncoding.DecodeString(idpSpec.TLS.CertificateAuthorityData)
|
||||
@@ -444,7 +464,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
Name: caSecret.Name,
|
||||
Key: "ca.crt",
|
||||
}
|
||||
|
||||
return testlib.CreateTestOIDCIdentityProvider(t, idpSpec, idpv1alpha1.PhaseReady).Name
|
||||
},
|
||||
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
|
||||
@@ -655,14 +674,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "ldap IDP using secrets of type opaque to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
|
||||
maybeSkip: skipLDAPTests,
|
||||
maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
|
||||
caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeOpaque,
|
||||
map[string]string{
|
||||
"ca.crt": env.SupervisorUpstreamLDAP.CABundle,
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "Secret",
|
||||
@@ -705,7 +723,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "ldap IDP using secrets of type TLS to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
|
||||
maybeSkip: skipLDAPTests,
|
||||
maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
|
||||
caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeTLS,
|
||||
@@ -714,7 +732,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
"tls.crt": "",
|
||||
"tls.key": "",
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "Secret",
|
||||
@@ -757,14 +774,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "ldap IDP using configmaps to source ca bundle and with email as username and groups names as DNs and using an LDAP provider which supports TLS",
|
||||
maybeSkip: skipLDAPTests,
|
||||
maybeSkip: skipExternalCABundleLDAPTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createLDAPIdentityProvider(t, func(spec *idpv1alpha1.LDAPIdentityProviderSpec) {
|
||||
caConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-cert",
|
||||
map[string]string{
|
||||
"ca.crt": env.SupervisorUpstreamLDAP.CABundle,
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "ConfigMap",
|
||||
@@ -1242,14 +1258,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "active directory IDP using secret of type opaque to source ca bundle with all default options",
|
||||
maybeSkip: skipActiveDirectoryTests,
|
||||
maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
|
||||
caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeOpaque,
|
||||
map[string]string{
|
||||
"ca.crt": env.SupervisorUpstreamActiveDirectory.CABundle,
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "Secret",
|
||||
@@ -1283,7 +1298,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "active directory IDP using secret of type TLS to source ca bundle with all default options",
|
||||
maybeSkip: skipActiveDirectoryTests,
|
||||
maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
|
||||
caSecret := testlib.CreateTestSecret(t, env.SupervisorNamespace, "ca-cert", corev1.SecretTypeTLS,
|
||||
@@ -1292,7 +1307,6 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
"tls.crt": "",
|
||||
"tls.key": "",
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "Secret",
|
||||
@@ -1326,14 +1340,13 @@ func TestSupervisorLogin_Browser(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "active directory IDP using configmaps to source ca bundle with all default options",
|
||||
maybeSkip: skipActiveDirectoryTests,
|
||||
maybeSkip: skipExternalCABundleActiveDirectoryTestsWhenCABundleIsEmpty,
|
||||
createIDP: func(t *testing.T) string {
|
||||
idp, _ := createActiveDirectoryIdentityProvider(t, func(spec *idpv1alpha1.ActiveDirectoryIdentityProviderSpec) {
|
||||
caConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-cert",
|
||||
map[string]string{
|
||||
"ca.crt": env.SupervisorUpstreamActiveDirectory.CABundle,
|
||||
})
|
||||
|
||||
spec.TLS.CertificateAuthorityData = ""
|
||||
spec.TLS.CertificateAuthorityDataSource = &idpv1alpha1.CABundleSource{
|
||||
Kind: "Secret",
|
||||
|
||||