Add custom response_mode=form_post HTML template.

This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16).

The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules.

This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

internal/testutil/assertions.go

@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testutil
@@ -55,7 +55,9 @@ func RequireNumberOfSecretsMatchingLabelSelector(t *testing.T, secrets v1.Secret
 }
 
 func RequireSecurityHeaders(t *testing.T, response *httptest.ResponseRecorder) {
-	require.Equal(t, "default-src 'none'; frame-ancestors 'none'", response.Header().Get("Content-Security-Policy"))
+	// This is a more relaxed assertion rather than an exact match, so it can cover all the CSP headers we use.
+	require.Contains(t, response.Header().Get("Content-Security-Policy"), "default-src 'none'")
+
 	require.Equal(t, "DENY", response.Header().Get("X-Frame-Options"))
 	require.Equal(t, "1; mode=block", response.Header().Get("X-XSS-Protection"))
 	require.Equal(t, "nosniff", response.Header().Get("X-Content-Type-Options"))