Merge pull request #273 from vmware-tanzu/secret-generation

Generate secrets for Pinniped Supervisor
2026-01-07 14:05:50 +00:00 · 2020-12-16 15:22:23 -06:00
parent 7bb0d649c0 5367fd9fcb
commit 72ce69410e
52 changed files with 3487 additions and 239 deletions
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@@ -35,6 +35,11 @@ import (
 // TestE2EFullIntegration tests a full integration scenario that combines the supervisor, concierge, and CLI.
 func TestE2EFullIntegration(t *testing.T) {
 	env := library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
+
+	// If anything in this test crashes, dump out the supervisor and proxy pod logs.
+	defer library.DumpLogs(t, env.SupervisorNamespace, "")
+	defer library.DumpLogs(t, "dex", "app=proxy")
+
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancelFunc()

@@ -160,7 +165,15 @@ func TestE2EFullIntegration(t *testing.T) {
 	t.Cleanup(func() {
 		err := kubectlCmd.Wait()
 		t.Logf("kubectl subprocess exited with code %d", kubectlCmd.ProcessState.ExitCode())
-		require.NoErrorf(t, err, "kubectl process did not exit cleanly")
+		stdout, stdoutErr := ioutil.ReadAll(stdoutPipe)
+		if stdoutErr != nil {
+			stdout = []byte("<error reading stdout: " + stdoutErr.Error() + ">")
+		}
+		stderr, stderrErr := ioutil.ReadAll(stderrPipe)
+		if stderrErr != nil {
+			stderr = []byte("<error reading stderr: " + stderrErr.Error() + ">")
+		}
+		require.NoErrorf(t, err, "kubectl process did not exit cleanly, stdout/stderr: %q/%q", string(stdout), string(stderr))
 	})

 	// Start a background goroutine to read stderr from the CLI and parse out the login URL.
@@ -244,7 +257,7 @@ func TestE2EFullIntegration(t *testing.T) {
 		require.Fail(t, "timed out waiting for kubectl output")
 	case kubectlOutput = <-kubectlOutputChan:
 	}
-	require.Greaterf(t, len(strings.Split(kubectlOutput, "\n")), 2, "expected some namespaces to be returned")
+	require.Greaterf(t, len(strings.Split(kubectlOutput, "\n")), 2, "expected some namespaces to be returned, got %q", kubectlOutput)
 	t.Logf("first kubectl command took %s", time.Since(start).String())

 	// 	Run kubectl again, which should work with no browser interaction.
--- a/test/integration/supervisor_discovery_test.go
+++ b/test/integration/supervisor_discovery_test.go
@@ -592,13 +592,16 @@ func requireDelete(t *testing.T, client pinnipedclientset.Interface, ns, name st

 func requireStatus(t *testing.T, client pinnipedclientset.Interface, ns, name string, status v1alpha1.OIDCProviderStatusCondition) {
 	t.Helper()
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()

 	var opc *v1alpha1.OIDCProvider
 	var err error
 	assert.Eventually(t, func() bool {
 		opc, err = client.ConfigV1alpha1().OIDCProviders(ns).Get(ctx, name, metav1.GetOptions{})
+		if err != nil {
+			t.Logf("error trying to get OIDCProvider: %s", err.Error())
+		}
 		return err == nil && opc.Status.Status == status
 	}, 10*time.Second, 200*time.Millisecond)
 	require.NoError(t, err)
--- a/test/integration/supervisor_keys_test.go
+++ b/test/integration/supervisor_keys_test.go
@@ -1,101 +0,0 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-package integration
-
-import (
-	"context"
-	"encoding/json"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
-	"go.pinniped.dev/test/library"
-)
-
-func TestSupervisorOIDCKeys(t *testing.T) {
-	env := library.IntegrationEnv(t)
-	kubeClient := library.NewClientset(t)
-	supervisorClient := library.NewSupervisorClientset(t)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
-	defer cancel()
-
-	// Create our OPC under test.
-	opc := library.CreateTestOIDCProvider(ctx, t, "", "", "")
-
-	// Ensure a secret is created with the OPC's JWKS.
-	var updatedOPC *configv1alpha1.OIDCProvider
-	var err error
-	assert.Eventually(t, func() bool {
-		updatedOPC, err = supervisorClient.
-			ConfigV1alpha1().
-			OIDCProviders(env.SupervisorNamespace).
-			Get(ctx, opc.Name, metav1.GetOptions{})
-		return err == nil && updatedOPC.Status.JWKSSecret.Name != ""
-	}, time.Second*10, time.Millisecond*500)
-	require.NoError(t, err)
-	require.NotEmpty(t, updatedOPC.Status.JWKSSecret.Name)
-
-	// Ensure the secret actually exists.
-	secret, err := kubeClient.
-		CoreV1().
-		Secrets(env.SupervisorNamespace).
-		Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})
-	require.NoError(t, err)
-
-	// Ensure that the secret was labelled.
-	for k, v := range env.SupervisorCustomLabels {
-		require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
-	}
-	require.Equal(t, env.SupervisorAppName, secret.Labels["app"])
-
-	// Ensure the secret has an active key.
-	jwkData, ok := secret.Data["activeJWK"]
-	require.True(t, ok, "secret is missing active jwk")
-
-	// Ensure the secret's active key is valid.
-	var activeJWK jose.JSONWebKey
-	require.NoError(t, json.Unmarshal(jwkData, &activeJWK))
-	require.True(t, activeJWK.Valid(), "active jwk is invalid")
-	require.False(t, activeJWK.IsPublic(), "active jwk is public")
-
-	// Ensure the secret has a JWKS.
-	jwksData, ok := secret.Data["jwks"]
-	require.True(t, ok, "secret is missing jwks")
-
-	// Ensure the secret's JWKS is valid, public, and contains the singing key.
-	var jwks jose.JSONWebKeySet
-	require.NoError(t, json.Unmarshal(jwksData, &jwks))
-	foundActiveJWK := false
-	for _, jwk := range jwks.Keys {
-		require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)
-		require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)
-		if jwk.KeyID == activeJWK.KeyID {
-			foundActiveJWK = true
-		}
-	}
-	require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)
-
-	// Ensure upon deleting the secret, it is eventually brought back.
-	err = kubeClient.
-		CoreV1().
-		Secrets(env.SupervisorNamespace).
-		Delete(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.DeleteOptions{})
-	require.NoError(t, err)
-	assert.Eventually(t, func() bool {
-		secret, err = kubeClient.
-			CoreV1().
-			Secrets(env.SupervisorNamespace).
-			Get(ctx, updatedOPC.Status.JWKSSecret.Name, metav1.GetOptions{})
-		return err == nil
-	}, time.Second*10, time.Millisecond*500)
-	require.NoError(t, err)
-
-	// Upon deleting the OPC, the secret is deleted (we test this behavior in our uninstall tests).
-}
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -179,12 +179,8 @@ func TestSupervisorLogin(t *testing.T) {
 	authcode := callback.URL.Query().Get("code")
 	require.NotEmpty(t, authcode)

-	// Call the token endpoint to get tokens. Give the Supervisor a couple of seconds to wire up its signing key.
-	var tokenResponse *oauth2.Token
-	assert.Eventually(t, func() bool {
-		tokenResponse, err = downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier())
-		return err == nil
-	}, time.Second*5, time.Second*1)
+	// Call the token endpoint to get tokens.
+	tokenResponse, err := downstreamOAuth2Config.Exchange(oidcHTTPClientContext, authcode, pkceParam.Verifier())
 	require.NoError(t, err)

 	expectedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "nonce", "rat"}
--- a/test/integration/supervisor_secrets_test.go
+++ b/test/integration/supervisor_secrets_test.go
@@ -0,0 +1,166 @@
+// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package integration
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/square/go-jose.v2"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	configv1alpha1 "go.pinniped.dev/generated/1.19/apis/supervisor/config/v1alpha1"
+	"go.pinniped.dev/test/library"
+)
+
+func TestSupervisorSecrets(t *testing.T) {
+	env := library.IntegrationEnv(t)
+	kubeClient := library.NewClientset(t)
+	supervisorClient := library.NewSupervisorClientset(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	// Create our OP under test.
+	op := library.CreateTestOIDCProvider(ctx, t, "", "", "")
+
+	tests := []struct {
+		name        string
+		secretName  func(op *configv1alpha1.OIDCProvider) string
+		ensureValid func(t *testing.T, secret *corev1.Secret)
+	}{
+		{
+			name: "csrf cookie signing key",
+			secretName: func(op *configv1alpha1.OIDCProvider) string {
+				return env.SupervisorAppName + "-key"
+			},
+			ensureValid: ensureValidSymmetricKey,
+		},
+		{
+			name: "jwks",
+			secretName: func(op *configv1alpha1.OIDCProvider) string {
+				return op.Status.Secrets.JWKS.Name
+			},
+			ensureValid: ensureValidJWKS,
+		},
+		{
+			name: "hmac signing secret",
+			secretName: func(op *configv1alpha1.OIDCProvider) string {
+				return op.Status.Secrets.TokenSigningKey.Name
+			},
+			ensureValid: ensureValidSymmetricKey,
+		},
+		{
+			name: "state signature secret",
+			secretName: func(op *configv1alpha1.OIDCProvider) string {
+				return op.Status.Secrets.StateSigningKey.Name
+			},
+			ensureValid: ensureValidSymmetricKey,
+		},
+		{
+			name: "state encryption secret",
+			secretName: func(op *configv1alpha1.OIDCProvider) string {
+				return op.Status.Secrets.StateEncryptionKey.Name
+			},
+			ensureValid: ensureValidSymmetricKey,
+		},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			// Ensure a secret is created with the OP's JWKS.
+			var updatedOP *configv1alpha1.OIDCProvider
+			var err error
+			assert.Eventually(t, func() bool {
+				updatedOP, err = supervisorClient.
+					ConfigV1alpha1().
+					OIDCProviders(env.SupervisorNamespace).
+					Get(ctx, op.Name, metav1.GetOptions{})
+				return err == nil && test.secretName(updatedOP) != ""
+			}, time.Second*10, time.Millisecond*500)
+			require.NoError(t, err)
+			require.NotEmpty(t, test.secretName(updatedOP))
+
+			// Ensure the secret actually exists.
+			secret, err := kubeClient.
+				CoreV1().
+				Secrets(env.SupervisorNamespace).
+				Get(ctx, test.secretName(updatedOP), metav1.GetOptions{})
+			require.NoError(t, err)
+
+			// Ensure that the secret was labelled.
+			for k, v := range env.SupervisorCustomLabels {
+				require.Equalf(t, v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
+			}
+			require.Equal(t, env.SupervisorAppName, secret.Labels["app"])
+
+			// Ensure that the secret is valid.
+			test.ensureValid(t, secret)
+
+			// Ensure upon deleting the secret, it is eventually brought back.
+			err = kubeClient.
+				CoreV1().
+				Secrets(env.SupervisorNamespace).
+				Delete(ctx, test.secretName(updatedOP), metav1.DeleteOptions{})
+			require.NoError(t, err)
+			assert.Eventually(t, func() bool {
+				secret, err = kubeClient.
+					CoreV1().
+					Secrets(env.SupervisorNamespace).
+					Get(ctx, test.secretName(updatedOP), metav1.GetOptions{})
+				return err == nil
+			}, time.Second*10, time.Millisecond*500)
+			require.NoError(t, err)
+
+			// Ensure that the new secret is valid.
+			test.ensureValid(t, secret)
+		})
+	}
+
+	// Upon deleting the OP, the secret is deleted (we test this behavior in our uninstall tests).
+}
+
+func ensureValidJWKS(t *testing.T, secret *corev1.Secret) {
+	t.Helper()
+
+	// Ensure the secret has an active key.
+	jwkData, ok := secret.Data["activeJWK"]
+	require.True(t, ok, "secret is missing active jwk")
+
+	// Ensure the secret's active key is valid.
+	var activeJWK jose.JSONWebKey
+	require.NoError(t, json.Unmarshal(jwkData, &activeJWK))
+	require.True(t, activeJWK.Valid(), "active jwk is invalid")
+	require.False(t, activeJWK.IsPublic(), "active jwk is public")
+
+	// Ensure the secret has a JWKS.
+	jwksData, ok := secret.Data["jwks"]
+	require.True(t, ok, "secret is missing jwks")
+
+	// Ensure the secret's JWKS is valid, public, and contains the singing key.
+	var jwks jose.JSONWebKeySet
+	require.NoError(t, json.Unmarshal(jwksData, &jwks))
+	foundActiveJWK := false
+	for _, jwk := range jwks.Keys {
+		require.Truef(t, jwk.Valid(), "jwk %s is invalid", jwk.KeyID)
+		require.Truef(t, jwk.IsPublic(), "jwk %s is not public", jwk.KeyID)
+		if jwk.KeyID == activeJWK.KeyID {
+			foundActiveJWK = true
+		}
+	}
+	require.True(t, foundActiveJWK, "could not find active JWK in JWKS: %s", jwks)
+}
+
+func ensureValidSymmetricKey(t *testing.T, secret *corev1.Secret) {
+	t.Helper()
+	require.Equal(t, corev1.SecretType("secrets.pinniped.dev/symmetric"), secret.Type)
+	key, ok := secret.Data["key"]
+	require.Truef(t, ok, "secret data does not contain 'key': %s", secret.Data)
+	require.Equal(t, 32, len(key))
+}
--- a/test/library/client.go
+++ b/test/library/client.go
@@ -285,6 +285,22 @@ func CreateTestOIDCProvider(ctx context.Context, t *testing.T, issuer string, ce
 	}, 60*time.Second, 1*time.Second, "expected the OIDCProvider to have status %q", expectStatus)
 	require.Equal(t, expectStatus, result.Status.Status)

+	// If the OIDCProvider was successfully created, ensure all secrets are present before continuing
+	if result.Status.Status == configv1alpha1.SuccessOIDCProviderStatusCondition {
+		assert.Eventually(t, func() bool {
+			var err error
+			result, err = opcs.Get(ctx, opc.Name, metav1.GetOptions{})
+			require.NoError(t, err)
+			return result.Status.Secrets.JWKS.Name != "" &&
+				result.Status.Secrets.TokenSigningKey.Name != "" &&
+				result.Status.Secrets.StateSigningKey.Name != "" &&
+				result.Status.Secrets.StateEncryptionKey.Name != ""
+		}, 60*time.Second, 1*time.Second, "expected the OIDCProvider to have secrets populated")
+		require.NotEmpty(t, result.Status.Secrets.JWKS.Name)
+		require.NotEmpty(t, result.Status.Secrets.TokenSigningKey.Name)
+		require.NotEmpty(t, result.Status.Secrets.StateSigningKey.Name)
+		require.NotEmpty(t, result.Status.Secrets.StateEncryptionKey.Name)
+	}
 	return opc
 }