From 52622d5e4c5d3054588822bb35a54a96204f9259 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 17 Jul 2025 10:52:29 -0700
Subject: [PATCH] fix pre-existing integration tests for new JWTAuthenticator features
---
 test/integration/audit_test.go | 21 +++++++++++++++++++++
 test/integration/kube_api_discovery_test.go | 5 +++--
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/test/integration/audit_test.go b/test/integration/audit_test.go
index 9e9a0bfe0..adead2aad 100644
--- a/test/integration/audit_test.go
+++ b/test/integration/audit_test.go
@@ -209,6 +209,7 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
 "personalInfo": map[string]any{
 "username": "redacted",
 "groups": []any{"redacted 2 values"},
+ "extras": map[string]any{"redacted": "redacted 1 keys"},
 },
 },
 }, allConciergeTCRLogs)
@@ -342,6 +343,25 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
 for _, log := range allConciergeTCRLogs {
 require.NotEmpty(t, log["issuedClientCert"])
 delete(log, "issuedClientCert")
+
+ // The value at the extras key "authentication.kubernetes.io/credential-id" will be a JWT ID,
+ // which is hard to predict, so just assert that it is there without worrying about its exact value.
+ require.Contains(t, log, "personalInfo")
+ personalInfo, ok := log["personalInfo"].(map[string]any)
+ require.True(t, ok)
+ require.NotNil(t, personalInfo["extras"])
+ extras, ok := personalInfo["extras"].(map[string]any)
+ require.True(t, ok)
+ require.Contains(t, extras, "authentication.kubernetes.io/credential-id")
+ require.Len(t, extras, 1) // should be the only key
+ id := extras["authentication.kubernetes.io/credential-id"]
+ idValues, ok := id.([]any)
+ require.True(t, ok)
+ require.Len(t, idValues, 1)
+ require.Regexp(t, "JTI=.+", idValues[0])
+ // Now that we have made assertions about all the expected extras,
+ // delete it so we can compare the rest using equals below.
+ delete(personalInfo, "extras")
 }
 // All values in the personalInfo map should not be redacted anymore.
@@ -357,6 +377,7 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
 "personalInfo": map[string]any{
 "username": expectedUsername,
 "groups": expectedGroups,
+ // note: also has an "extras" key, which we deleted from the actual value above
 },
 },
 }, allConciergeTCRLogs)
diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go
index ded484662..260da7711 100644
--- a/test/integration/kube_api_discovery_test.go
+++ b/test/integration/kube_api_discovery_test.go
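Review bot: The pattern in `require.Regexp(t, "JTI=.+", idValues[0])` is unanchored, so it accepts any value that merely contains `JTI=` somewhere, including one with unexpected data in front of it. Anchoring it as `require.Regexp(t, "^JTI=.+$", idValues[0])` would pin the shape of the credential ID that the audit log is expected to carry once redaction is off. The key `authentication.kubernetes.io/credential-id` is also written out twice in code in this loop body (the `Contains` check and the lookup); a local constant would keep the two from drifting apart. The added lines sit inside the `for` loop of TestAuditLogsDuringLogin_Disruptive, which starts and ends outside the hunk.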
@@ -451,8 +451,9 @@ func TestGetAPIResourceList(t *testing.T) { //nolint:gocyclo // each t.Run is pr
 }
 }
- // manually update this value whenever you add additional fields to an API resource and then run the generator
- totalExpectedAPIFields := 310
+ // Manually update this value whenever you add additional fields to an API resource and then run the generator.
+ // This is to ensure that this test checked every field in our whole API surface area.
+ totalExpectedAPIFields := 323
 // Because we are parsing text from `kubectl explain` and because the format of that text can change
 // over time, make a rudimentary assertion that this test exercised the whole tree of all fields of all