From 81f3acfa3889f47c718ad5020b3ca4f07dd5e13d Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Thu, 9 May 2024 10:01:51 -0500
Subject: [PATCH] Update some build tags since go1.22+ is now required

---
 cmd/pinniped/cmd/kubeconfig_test.go | 4 +--
 .../jwtcachefiller/jwtcachefiller_test.go | 2 +-
 .../oidc_upstream_watcher_test.go | 9 +++---
 internal/crypto/ptls/old.go | 14 ----------
 internal/testutil/assertions.go | 26 +------------------
 internal/testutil/tlsassertions/assertions.go | 10 -------
 .../tlsassertions/assertions_before_go1.20.go | 10 -------
 internal/upstreamldap/upstreamldap_test.go | 5 ++--
 test/integration/ldap_client_test.go | 4 +--
 9 files changed, 12 insertions(+), 72 deletions(-)
 delete mode 100644 internal/crypto/ptls/old.go
 delete mode 100644 internal/testutil/tlsassertions/assertions.go
 delete mode 100644 internal/testutil/tlsassertions/assertions_before_go1.20.go

diff --git a/cmd/pinniped/cmd/kubeconfig_test.go b/cmd/pinniped/cmd/kubeconfig_test.go
index 50acdf919..6d95fa565 100644
--- a/cmd/pinniped/cmd/kubeconfig_test.go
+++ b/cmd/pinniped/cmd/kubeconfig_test.go
@@ -1029,8 +1029,8 @@ func TestGetKubeconfig(t *testing.T) {
 }
 },
 wantError: true,
- wantStderr: func(issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
- return testutil.WantX509UntrustedCertErrorString(fmt.Sprintf("Error: while fetching OIDC discovery data from issuer: Get \"%s/.well-known/openid-configuration\": %%s\n", issuerURL), "Acme Co")
+ wantStderr: func(_issuerCABundle string, issuerURL string) testutil.RequireErrorStringFunc {
+ return testutil.WantSprintfErrorString(`Error: while fetching OIDC discovery data from issuer: Get "%s/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority%s`, issuerURL, "\n")
 },
 },
 {
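Review bot: The literal `tls: failed to verify certificate: x509: certificate signed by unknown authority` is now spelled out verbatim in this hunk and again in the jwtcachefiller, oidc_upstream_watcher, upstreamldap and ldap_client hunks, so the next Go release that rewords the crypto/tls or crypto/x509 message will require editing every one of them; a single exported constant in testutil (a suggested name, e.g. `testutil.X509UntrustedCertErr`) holding the wording that the removed WantX509UntrustedCertErrorString used to encapsulate would keep it in one place. Separately, the unused first parameter is spelled `_issuerCABundle`, which is not how Go marks an unused parameter; `wantStderr: func(_ string, issuerURL string) testutil.RequireErrorStringFunc {` is the idiomatic form. Passing `"\n"` as a trailing `%s` argument only works around the raw-string literal being unable to hold an escape, and an interpreted string with the `\n` inline would read more directly. WantSprintfErrorString is not defined anywhere in this diff, so presumably it already exists in testutil. The enclosing test-table entry starts before the hunk.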
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
index d934f08b8..ca09c410b 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -1031,7 +1031,7 @@ func TestController(t *testing.T) {
 },
 // no explicit logs, this is an issue of config, the user must provide TLS config for the
 // custom cert provided for this server.
- wantSyncLoopErr: testutil.WantX509UntrustedCertErrorString(`could not perform oidc discovery on provider issuer: Get "`+goodIssuer+`/.well-known/openid-configuration": %s`, "Acme Co"),
+ wantSyncLoopErr: testutil.WantSprintfErrorString(`could not perform oidc discovery on provider issuer: Get "%s/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority`, goodIssuer),
 wantCacheEntries: 0,
 },
 {
diff --git a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
index 614ee3afd..5810e272d 100644
--- a/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
+++ b/internal/controller/supervisorconfig/oidcupstreamwatcher/oidc_upstream_watcher_test.go
@@ -34,7 +34,6 @@ import (
 "go.pinniped.dev/internal/testutil"
 "go.pinniped.dev/internal/testutil/oidctestutil"
 "go.pinniped.dev/internal/testutil/testlogger"
- "go.pinniped.dev/internal/testutil/tlsassertions"
 "go.pinniped.dev/internal/testutil/tlsserver"
 "go.pinniped.dev/internal/upstreamoidc"
 )
@@ -597,11 +596,11 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { }}, wantErr: controllerlib.ErrSyntheticRequeue.Error(), wantLogs: []string{ - `oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": ` + tlsassertions.GetTLSErrorPrefix() + `x509: certificate signed by unknown authority" "issuer"="` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "name"="test-name" "namespace"="test-namespace"`, + `oidc-upstream-observer "msg"="failed to perform OIDC discovery" "error"="Get \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority" "issuer"="` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "name"="test-name" "namespace"="test-namespace"`, `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="loaded client credentials" "reason"="Success" "status"="True" "type"="ClientCredentialsValid"`, - `oidc-upstream-observer "level"=0 "msg"="updated condition" 
"name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": ` + tlsassertions.GetTLSErrorPrefix() + `x509: certificate signed by unknown authority" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`, + `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority" "reason"="Unreachable" "status"="False" "type"="OIDCDiscoverySucceeded"`, `oidc-upstream-observer "level"=0 "msg"="updated condition" "name"="test-name" "namespace"="test-namespace" "message"="additionalAuthorizeParameters parameter names are allowed" "reason"="Success" "status"="True" "type"="AdditionalAuthorizeParametersValid"`, - `oidc-upstream-observer 
"msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": ` + tlsassertions.GetTLSErrorPrefix() + `x509: certificate signed by unknown authority" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`, + `oidc-upstream-observer "msg"="found failing condition" "error"="OIDCIdentityProvider has a failing condition" "message"="failed to perform OIDC discovery against \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\":\nGet \"` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority" "name"="test-name" "namespace"="test-namespace" "reason"="Unreachable" "type"="OIDCDiscoverySucceeded"`, }, wantResultingCache: []*oidctestutil.TestUpstreamOIDCIdentityProvider{}, wantResultingUpstreams: []v1alpha1.OIDCIdentityProvider{{ 
@@ -623,7 +622,7 @@ func TestOIDCUpstreamWatcherControllerSync(t *testing.T) { LastTransitionTime: now, Reason: "Unreachable", Message: `failed to perform OIDC discovery against "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee": -Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration": ` + tlsassertions.GetTLSErrorPrefix() + `x509: certificate signed by unknown authority`, +Get "` + testIssuerURL + `/valid-url-that-is-really-really-long-nanananananananannanananan-batman-nanananananananananananananana-batman-lalalalalalalalalal-batman-weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority`, }, }, }, diff --git a/internal/crypto/ptls/old.go b/internal/crypto/ptls/old.go deleted file mode 100644 index 0848df7d3..000000000 --- a/internal/crypto/ptls/old.go +++ /dev/null 
@@ -1,14 +0,0 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build !go1.19
-
-package ptls
-
-func init() {
- // cause compile time failure if an older version of Go is used
- `Pinniped's TLS configuration makes assumptions about how the Go standard library implementation of TLS works.
-It particular, we rely on the server controlling cipher suite selection. For these assumptions to hold, Pinniped
-must be compiled with Go 1.19+. If you are seeing this error message, your attempt to compile Pinniped with an
-older Go compiler was explicitly failed to prevent an unsafe configuration.`
-}
diff --git a/internal/testutil/assertions.go b/internal/testutil/assertions.go
index 910ef022c..ec4211c1d 100644
--- a/internal/testutil/assertions.go
+++ b/internal/testutil/assertions.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testutil
@@ -16,8 +16,6 @@ import (
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
 v1 "k8s.io/client-go/kubernetes/typed/core/v1"
-
- "go.pinniped.dev/internal/testutil/tlsassertions"
 )
 
 func RequireTimeInDelta(t *testing.T, t1 time.Time, t2 time.Time, delta time.Duration) {
@@ -179,25 +177,3 @@ func WantMatchingErrorString(wantErrRegexp string) RequireErrorStringFunc {
 require.Regexp(t, wantErrRegexp, actualErrorStr)
 }
 }
-
-// WantX509UntrustedCertErrorString can be used to set up an expected value for an error string in a test table.
-// expectedErrorFormatString must contain exactly one formatting verb, which should usually be %s, which will
-// be replaced by the platform-specific X509 untrusted certs error string and then compared against expectedCommonName.
-func WantX509UntrustedCertErrorString(expectedErrorFormatSpecifier string, expectedCommonName string) RequireErrorStringFunc {
- // Starting in Go 1.18.1, and until it was fixed in Go 1.19.5, Go on MacOS had an incorrect error string.
- // We don't care which error string was returned, as long as it is either the normal error string from
- // the Go x509 library, or the error string that was accidentally returned from the Go x509 library in
- // those versions of Go on MacOS which had the bug.
- return func(t *testing.T, actualErrorStr string) {
- // This is the MacOS error string starting in Go 1.18.1, and until it was fixed in Go 1.19.5.
- macOSErr := fmt.Sprintf(`x509: ā€œ%sā€ certificate is not trusted`, expectedCommonName)
- // This is the normal Go x509 library error string.
- standardErr := `x509: certificate signed by unknown authority`
- allowedErrorStrings := []string{
- fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+macOSErr),
- fmt.Sprintf(expectedErrorFormatSpecifier, tlsassertions.GetTLSErrorPrefix()+standardErr),
- }
- // Allow either.
- require.Contains(t, allowedErrorStrings, actualErrorStr)
- }
-}
diff --git a/internal/testutil/tlsassertions/assertions.go b/internal/testutil/tlsassertions/assertions.go
deleted file mode 100644
index e9fc3187b..000000000
--- a/internal/testutil/tlsassertions/assertions.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build go1.20
-
-package tlsassertions
-
-func GetTLSErrorPrefix() string {
- return "tls: failed to verify certificate: "
-}
diff --git a/internal/testutil/tlsassertions/assertions_before_go1.20.go b/internal/testutil/tlsassertions/assertions_before_go1.20.go
deleted file mode 100644
index ce94fc07b..000000000
--- a/internal/testutil/tlsassertions/assertions_before_go1.20.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build !go1.20
-
-package tlsassertions
-
-func GetTLSErrorPrefix() string {
- return ""
-}
diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go
index c8308f96a..f7cdcadbe 100644
--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@@ -28,7 +28,6 @@ import (
 "go.pinniped.dev/internal/federationdomain/upstreamprovider"
 "go.pinniped.dev/internal/mocks/mockldapconn"
 "go.pinniped.dev/internal/testutil"
- "go.pinniped.dev/internal/testutil/tlsassertions"
 "go.pinniped.dev/internal/testutil/tlsserver"
 )
 
@@ -2414,7 +2413,7 @@ func TestRealTLSDialing(t *testing.T) {
 caBundle: caForTestServerWithBadCertName.Bundle(),
 connProto: TLS,
 context: context.Background(),
- wantError: testutil.WantExactErrorString(fmt.Sprintf(`LDAP Result Code 200 "Network Error": %sx509: certificate is valid for 10.2.3.4, not 127.0.0.1`, tlsassertions.GetTLSErrorPrefix())),
+ wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate is valid for 10.2.3.4, not 127.0.0.1`),
 },
 {
 name: "invalid CA bundle with TLS",
@@ -2454,7 +2453,7 @@ func TestRealTLSDialing(t *testing.T) {
 caBundle: nil,
 connProto: TLS,
 context: context.Background(),
- wantError: testutil.WantX509UntrustedCertErrorString(`LDAP Result Code 200 "Network Error": %s`, "Acme Co"),
+ wantError: testutil.WantExactErrorString(`LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate signed by unknown authority`),
 },
 {
 name: "cannot connect to host",
diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go
index 7a4fac130..e6d97326d 100644
--- a/test/integration/ldap_client_test.go
+++ b/test/integration/ldap_client_test.go
@@ -560,7 +560,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 username: "pinny",
 password: pinnyPassword,
 provider: upstreamldap.New(*providerConfig(func(p *upstreamldap.ProviderConfig) { p.CABundle = nil })),
- wantError: testutil.WantX509UntrustedCertErrorString(fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": %%s`, ldapsLocalhostPort), "Pinniped Test"),
+ wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate signed by unknown authority`, ldapsLocalhostPort),
 },
 {
 name: "when the CA bundle does not cause the host to be trusted with StartTLS",
@@ -571,7 +571,7 @@ func TestLDAPSearch_Parallel(t *testing.T) {
 p.ConnectionProtocol = upstreamldap.StartTLS
 p.CABundle = nil
 })),
- wantError: testutil.WantX509UntrustedCertErrorString(fmt.Sprintf(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (%%s)`, ldapLocalhostPort), "Pinniped Test"),
+ wantError: testutil.WantSprintfErrorString(`error dialing host "127.0.0.1:%s": LDAP Result Code 200 "Network Error": TLS handshake failed (tls: failed to verify certificate: x509: certificate signed by unknown authority)`, ldapLocalhostPort),
 },
 {
 name: "when trying to use TLS to connect to a port which only supports StartTLS",