From 59402bca7b0253c9d1e68e5ba96d2cfa2354397a Mon Sep 17 00:00:00 2001
From: Ashish Amarnath
Date: Sat, 3 Aug 2024 01:06:31 -0700
Subject: [PATCH] add integration test for TLS config validation in OIDCIdentityProvider
Signed-off-by: Ashish Amarnath
---
 test/integration/supervisor_upstream_test.go | 247 +++++++++++++++++++
 1 file changed, 247 insertions(+)
diff --git a/test/integration/supervisor_upstream_test.go b/test/integration/supervisor_upstream_test.go
index c20da7301..47f18a127 100644
--- a/test/integration/supervisor_upstream_test.go
+++ b/test/integration/supervisor_upstream_test.go
@@ -5,6 +5,7 @@ package integration
 import (
 "encoding/base64"
+ "fmt"
 "testing"
 "github.com/stretchr/testify/require"
@@ -126,6 +127,252 @@ oidc: issuer did not match the issuer returned by provider, expected "` + env.Su
 expectedTLSConfigValidCondition(env.SupervisorUpstreamOIDC.CABundle != ""),
 })
 })
+
+ t.Run("invalid when tlsSpec supplies both certificateAuthorityData and certificateAuthorityDataSource", func(t *testing.T) {
+ t.Parallel()
+ spec := idpv1alpha1.OIDCIdentityProviderSpec{
+ Issuer: env.SupervisorUpstreamOIDC.Issuer,
+ TLS: &idpv1alpha1.TLSSpec{
+ CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+ CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+ Kind: "ConfigMap",
+ Name: "does=not-matter",
+ Key: "also-does-not-matter",
+ },
+ },
+ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: []string{"email", "profile"},
+ },
+ Client: idpv1alpha1.OIDCClient{
+ SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+ },
+ }
+ upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+ expectUpstreamConditions(t, upstream, []metav1.Condition{
+ {
+ Type: "ClientCredentialsSecretValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "loaded client credentials",
+ },
+ {
+ Type: "OIDCDiscoverySucceeded",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
+ },
+ {
+ Type: "AdditionalAuthorizeParametersValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "additionalAuthorizeParameters parameter names are allowed",
+ },
+ {
+ Type: "TLSConfigurationValid",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
+ },
+ })
+ })
+
+ t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist", func(t *testing.T) {
+ t.Parallel()
+ spec := idpv1alpha1.OIDCIdentityProviderSpec{
+ Issuer: env.SupervisorUpstreamOIDC.Issuer,
+ TLS: &idpv1alpha1.TLSSpec{
+ CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+ Kind: "ConfigMap",
+ Name: "does=not-exist",
+ Key: "does-not-matter",
+ },
+ },
+ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: []string{"email", "profile"},
+ },
+ Client: idpv1alpha1.OIDCClient{
+ SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+ },
+ }
+ upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+ expectUpstreamConditions(t, upstream, []metav1.Condition{
+ {
+ Type: "ClientCredentialsSecretValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "loaded client credentials",
+ },
+ {
+ Type: "OIDCDiscoverySucceeded",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found",
+ },
+ {
+ Type: "AdditionalAuthorizeParametersValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "additionalAuthorizeParameters parameter names are allowed",
+ },
+ {
+ Type: "TLSConfigurationValid",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found",
+ },
+ })
+ })
+
+ t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist", func(t *testing.T) {
+ t.Parallel()
+ spec := idpv1alpha1.OIDCIdentityProviderSpec{
+ Issuer: env.SupervisorUpstreamOIDC.Issuer,
+ TLS: &idpv1alpha1.TLSSpec{
+ CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+ Kind: "Secret",
+ Name: "does=not-exist",
+ Key: "does-not-matter",
+ },
+ },
+ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: []string{"email", "profile"},
+ },
+ Client: idpv1alpha1.OIDCClient{
+ SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+ },
+ }
+ upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+ expectUpstreamConditions(t, upstream, []metav1.Condition{
+ {
+ Type: "ClientCredentialsSecretValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "loaded client credentials",
+ },
+ {
+ Type: "OIDCDiscoverySucceeded",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found",
+ },
+ {
+ Type: "AdditionalAuthorizeParametersValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "additionalAuthorizeParameters parameter names are allowed",
+ },
+ {
+ Type: "TLSConfigurationValid",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found",
+ },
+ })
+ })
+
+ t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes", func(t *testing.T) {
+ t.Parallel()
+
+ badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{
+ "ca.crt": "This is not a real CA bundle",
+ })
+
+ spec := idpv1alpha1.OIDCIdentityProviderSpec{
+ Issuer: env.SupervisorUpstreamOIDC.Issuer,
+ TLS: &idpv1alpha1.TLSSpec{
+ CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+ Kind: "ConfigMap",
+ Name: badCABundleConfigMap.Name,
+ Key: "ca.crt",
+ },
+ },
+ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: []string{"email", "profile"},
+ },
+ Client: idpv1alpha1.OIDCClient{
+ SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+ },
+ }
+ upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+ expectUpstreamConditions(t, upstream, []metav1.Condition{
+ {
+ Type: "ClientCredentialsSecretValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "loaded client credentials",
+ },
+ {
+ Type: "OIDCDiscoverySucceeded",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name),
+ },
+ {
+ Type: "AdditionalAuthorizeParametersValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "additionalAuthorizeParameters parameter names are allowed",
+ },
+ {
+ Type: "TLSConfigurationValid",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name),
+ },
+ })
+ })
+
+ t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist", func(t *testing.T) {
+ t.Parallel()
+
+ badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{
+ "ca.crt": "This is not a real CA bundle",
+ })
+
+ spec := idpv1alpha1.OIDCIdentityProviderSpec{
+ Issuer: env.SupervisorUpstreamOIDC.Issuer,
+ TLS: &idpv1alpha1.TLSSpec{
+ CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+ Kind: "ConfigMap",
+ Name: badCABundleConfigMap.Name,
+ Key: "key-not-present",
+ },
+ },
+ AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+ AdditionalScopes: []string{"email", "profile"},
+ },
+ Client: idpv1alpha1.OIDCClient{
+ SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+ },
+ }
+ upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+ expectUpstreamConditions(t, upstream, []metav1.Condition{
+ {
+ Type: "ClientCredentialsSecretValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "loaded client credentials",
+ },
+ {
+ Type: "OIDCDiscoverySucceeded",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name),
+ },
+ {
+ Type: "AdditionalAuthorizeParametersValid",
+ Status: "True",
+ Reason: "Success",
+ Message: "additionalAuthorizeParameters parameter names are allowed",
+ },
+ {
+ Type: "TLSConfigurationValid",
+ Status: "False",
+ Reason: "InvalidTLSConfig",
+ Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name),
+ },
+ })
+ })
 }
 func expectUpstreamConditions(t *testing.T, upstream *idpv1alpha1.OIDCIdentityProvider, expected []metav1.Condition) {
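Review bot: The subtest named "... does not have valid PEM bytes" expects a `configmap ... not found` message even though it creates the configmap with the same `testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", ...)` call as the following "key in a configmap that does not exist" subtest, whose expected `key "key-not-present" not found in configmap ...` message only holds if that configmap is found; both expectations cannot be true at once, so the invalid-PEM path is most likely not what the fifth subtest actually pins. That path is the fail-closed case worth covering — non-PEM data under the referenced key should surface as `TLSConfigurationValid` False with `PhaseError` rather than being silently ignored — so its expected Message should carry the PEM parse error the controller really emits (not visible on this page) instead of the not-found text. All of the new expected messages also hard-code the `supervisor/` namespace prefix while the objects are created in `env.SupervisorNamespace`; formatting the prefix from that value, e.g. `fmt.Sprintf("... failed to get configmap \"%s/%s\": configmap \"%s\" not found", env.SupervisorNamespace, badCABundleConfigMap.Name, badCABundleConfigMap.Name)`, keeps the assertions valid when the Supervisor runs in a non-default namespace. The enclosing test function begins outside the hunk.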