Add callback_handler tests for GitHub+IdentityTransformations

Co-authored-by: Ryan Richard <richardry@vmware.com>
Joshua Casey
2024-05-28 15:59:52 -05:00
parent 8b1e5aa320
commit d3fb567fdb
2 changed files with 102 additions and 36 deletions


@@ -82,10 +82,10 @@ const (
) )
var ( var (
githubUpstreamUsername = "some-github-login" githubUpstreamUsername = "some-github-login"
githubUpstreamGroups = []string{"org1/team1", "org2/team2"} githubUpstreamGroupMembership = []string{"org1/team1", "org2/team2"}
githubDownstreamSubject = fmt.Sprintf("https://github.com?idpName=%s&sub=%s", happyGithubIDPName, githubUpstreamUsername) githubDownstreamSubject = fmt.Sprintf("https://github.com?idpName=%s&sub=%s", happyGithubIDPName, githubUpstreamUsername)
githubUpstreamAccessToken = "some-opaque-access-token-from-github" //nolint:gosec // this is not a credential githubUpstreamAccessToken = "some-opaque-access-token-from-github" //nolint:gosec // this is not a credential
oidcUpstreamGroupMembership = []string{"test-pinniped-group-0", "test-pinniped-group-1"} oidcUpstreamGroupMembership = []string{"test-pinniped-group-0", "test-pinniped-group-1"}
happyDownstreamScopesRequested = []string{"openid", "username", "groups"} happyDownstreamScopesRequested = []string{"openid", "username", "groups"}
@@ -108,7 +108,7 @@ var (
) )
happyDownstreamRequestParamsForDynamicClient = happyDownstreamRequestParamsQueryForDynamicClient.Encode() happyDownstreamRequestParamsForDynamicClient = happyDownstreamRequestParamsQueryForDynamicClient.Encode()
happyDownstreamCustomSessionData = &psession.CustomSessionData{ happyDownstreamCustomSessionDataForOIDCUpstream = &psession.CustomSessionData{
Username: oidcUpstreamUsername, Username: oidcUpstreamUsername,
UpstreamUsername: oidcUpstreamUsername, UpstreamUsername: oidcUpstreamUsername,
UpstreamGroups: oidcUpstreamGroupMembership, UpstreamGroups: oidcUpstreamGroupMembership,
@@ -121,10 +121,16 @@ var (
UpstreamSubject: oidcUpstreamSubject, UpstreamSubject: oidcUpstreamSubject,
}, },
} }
happyDownstreamCustomSessionDataWithUsernameAndGroups = func(wantDownstreamUsername, wantUpstreamUsername string, wantUpstreamGroups []string) *psession.CustomSessionData { happyDownstreamCustomSessionDataWithUsernameAndGroups = func(startingSessionData *psession.CustomSessionData, wantDownstreamUsername, wantUpstreamUsername string, wantUpstreamGroups []string) *psession.CustomSessionData {
copyOfCustomSession := *happyDownstreamCustomSessionData copyOfCustomSession := *startingSessionData
copyOfOIDC := *(happyDownstreamCustomSessionData.OIDC) if startingSessionData.OIDC != nil {
copyOfCustomSession.OIDC = &copyOfOIDC copyOfOIDC := *(startingSessionData.OIDC)
copyOfCustomSession.OIDC = &copyOfOIDC
}
if startingSessionData.GitHub != nil {
copyOfGitHub := *(startingSessionData.GitHub)
copyOfCustomSession.GitHub = &copyOfGitHub
}
copyOfCustomSession.Username = wantDownstreamUsername copyOfCustomSession.Username = wantDownstreamUsername
copyOfCustomSession.UpstreamUsername = wantUpstreamUsername copyOfCustomSession.UpstreamUsername = wantUpstreamUsername
copyOfCustomSession.UpstreamGroups = wantUpstreamGroups copyOfCustomSession.UpstreamGroups = wantUpstreamGroups
@@ -143,10 +149,10 @@ var (
UpstreamSubject: oidcUpstreamSubject, UpstreamSubject: oidcUpstreamSubject,
}, },
} }
happyDownstreamGitHubCustomSessionData = &psession.CustomSessionData{ happyDownstreamCustomSessionDataForGitHubUpstream = &psession.CustomSessionData{
Username: githubUpstreamUsername, Username: githubUpstreamUsername,
UpstreamUsername: githubUpstreamUsername, UpstreamUsername: githubUpstreamUsername,
UpstreamGroups: githubUpstreamGroups, UpstreamGroups: githubUpstreamGroupMembership,
ProviderUID: happyGithubIDPResourceUID, ProviderUID: happyGithubIDPResourceUID,
ProviderName: happyGithubIDPName, ProviderName: happyGithubIDPName,
ProviderType: psession.ProviderTypeGitHub, ProviderType: psession.ProviderTypeGitHub,
@@ -180,6 +186,8 @@ func TestCallbackEndpoint(t *testing.T) {
happyOIDCState := happyOIDCUpstreamStateParam().Build(t, happyStateCodec) happyOIDCState := happyOIDCUpstreamStateParam().Build(t, happyStateCodec)
happyOIDCStateForDynamicClient := happyOIDCUpstreamStateParamForDynamicClient().Build(t, happyStateCodec) happyOIDCStateForDynamicClient := happyOIDCUpstreamStateParamForDynamicClient().Build(t, happyStateCodec)
happyGitHubPath := newRequestPath().WithState(happyGitHubUpstreamStateParam().Build(t, happyStateCodec)).String()
encodedIncomingCookieCSRFValue, err := happyCookieCodec.Encode("csrf", happyDownstreamCSRF) encodedIncomingCookieCSRFValue, err := happyCookieCodec.Encode("csrf", happyDownstreamCSRF)
require.NoError(t, err) require.NoError(t, err)
happyCSRFCookie := "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue happyCSRFCookie := "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue
@@ -263,7 +271,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -287,14 +295,14 @@ func TestCallbackEndpoint(t *testing.T) {
wantBodyFormResponseRegexp: `<code id="manual-auth-code">(.+)</code>`, wantBodyFormResponseRegexp: `<code id="manual-auth-code">(.+)</code>`,
wantDownstreamIDTokenSubject: githubDownstreamSubject, wantDownstreamIDTokenSubject: githubDownstreamSubject,
wantDownstreamIDTokenUsername: githubUpstreamUsername, wantDownstreamIDTokenUsername: githubUpstreamUsername,
wantDownstreamIDTokenGroups: githubUpstreamGroups, wantDownstreamIDTokenGroups: githubUpstreamGroupMembership,
wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
wantDownstreamNonce: downstreamNonce, wantDownstreamNonce: downstreamNonce,
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamGitHubCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForGitHubUpstream,
wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{ wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{
performedByUpstreamName: happyGithubIDPName, performedByUpstreamName: happyGithubIDPName,
args: happyGitHubUpstreamExchangeAuthcodeArgs, args: happyGitHubUpstreamExchangeAuthcodeArgs,
@@ -333,7 +341,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -361,7 +369,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -386,7 +394,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -445,7 +453,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -509,6 +517,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
oidcUpstreamIssuer+"?sub="+oidcUpstreamSubjectQueryEscaped, oidcUpstreamIssuer+"?sub="+oidcUpstreamSubjectQueryEscaped,
oidcUpstreamIssuer+"?sub="+oidcUpstreamSubjectQueryEscaped, oidcUpstreamIssuer+"?sub="+oidcUpstreamSubjectQueryEscaped,
nil, nil,
@@ -539,6 +548,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
"joe@whitehouse.gov", "joe@whitehouse.gov",
"joe@whitehouse.gov", "joe@whitehouse.gov",
oidcUpstreamGroupMembership, oidcUpstreamGroupMembership,
@@ -571,6 +581,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
"joe@whitehouse.gov", "joe@whitehouse.gov",
"joe@whitehouse.gov", "joe@whitehouse.gov",
oidcUpstreamGroupMembership, oidcUpstreamGroupMembership,
@@ -604,6 +615,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
"joe", "joe",
"joe", "joe",
oidcUpstreamGroupMembership, oidcUpstreamGroupMembership,
@@ -739,6 +751,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
oidcUpstreamSubject, oidcUpstreamSubject,
oidcUpstreamSubject, oidcUpstreamSubject,
oidcUpstreamGroupMembership, oidcUpstreamGroupMembership,
@@ -769,6 +782,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
oidcUpstreamUsername, oidcUpstreamUsername,
oidcUpstreamUsername, oidcUpstreamUsername,
[]string{"notAnArrayGroup1 notAnArrayGroup2"}, []string{"notAnArrayGroup1 notAnArrayGroup2"},
@@ -799,6 +813,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
oidcUpstreamUsername, oidcUpstreamUsername,
oidcUpstreamUsername, oidcUpstreamUsername,
[]string{"group1", "group2"}, []string{"group1", "group2"},
@@ -832,7 +847,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -862,7 +877,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -905,7 +920,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -948,14 +963,14 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
}, },
}, },
{ {
name: "using identity transformations which modify the username and group names", name: "OIDC: using identity transformations which modify the username and group names",
idps: testidplister.NewUpstreamIDPListerBuilder(). idps: testidplister.NewUpstreamIDPListerBuilder().
WithOIDC(happyOIDCUpstream().WithTransformsForFederationDomain(prefixUsernameAndGroupsPipeline).Build()), WithOIDC(happyOIDCUpstream().WithTransformsForFederationDomain(prefixUsernameAndGroupsPipeline).Build()),
method: http.MethodGet, method: http.MethodGet,
@@ -974,6 +989,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
transformationUsernamePrefix+oidcUpstreamUsername, transformationUsernamePrefix+oidcUpstreamUsername,
oidcUpstreamUsername, oidcUpstreamUsername,
oidcUpstreamGroupMembership, oidcUpstreamGroupMembership,
@@ -983,6 +999,36 @@ func TestCallbackEndpoint(t *testing.T) {
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
}, },
}, },
{
name: "GitHub: using identity transformations which modify the username and group names",
idps: testidplister.NewUpstreamIDPListerBuilder().
WithGitHub(happyGitHubUpstream().WithTransformsForFederationDomain(prefixUsernameAndGroupsPipeline).Build()),
method: http.MethodGet,
path: happyGitHubPath,
csrfCookie: happyCSRFCookie,
wantStatus: http.StatusSeeOther,
wantRedirectLocationRegexp: happyDownstreamRedirectLocationRegexp,
wantBody: "",
wantDownstreamIDTokenSubject: githubDownstreamSubject,
wantDownstreamIDTokenUsername: transformationUsernamePrefix + githubUpstreamUsername,
wantDownstreamIDTokenGroups: testutil.AddPrefixToEach(transformationGroupsPrefix, githubUpstreamGroupMembership),
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
wantDownstreamNonce: downstreamNonce,
wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForGitHubUpstream,
transformationUsernamePrefix+githubUpstreamUsername,
githubUpstreamUsername,
githubUpstreamGroupMembership,
),
wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{
performedByUpstreamName: happyGithubIDPName,
args: happyGitHubUpstreamExchangeAuthcodeArgs,
},
},
// Pre-upstream-exchange verification // Pre-upstream-exchange verification
{ {
@@ -1228,7 +1274,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -1258,7 +1304,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
@@ -1287,14 +1333,14 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForOIDCUpstream,
wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{ wantOIDCAuthcodeExchangeCall: &expectedOIDCAuthcodeExchange{
performedByUpstreamName: happyOIDCUpstreamIDPName, performedByUpstreamName: happyOIDCUpstreamIDPName,
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
}, },
}, },
{ {
name: "GitHub IDP: GET with good state and cookie and successful upstream token exchange returns 303 to downstream client callback", name: "GitHub: GET with good state and cookie and successful upstream token exchange returns 303 to downstream client callback",
idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub(happyGitHubUpstream().Build()), idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub(happyGitHubUpstream().Build()),
method: http.MethodGet, method: http.MethodGet,
path: newRequestPath().WithState( path: newRequestPath().WithState(
@@ -1309,21 +1355,21 @@ func TestCallbackEndpoint(t *testing.T) {
wantBody: "", wantBody: "",
wantDownstreamIDTokenSubject: githubDownstreamSubject, wantDownstreamIDTokenSubject: githubDownstreamSubject,
wantDownstreamIDTokenUsername: githubUpstreamUsername, wantDownstreamIDTokenUsername: githubUpstreamUsername,
wantDownstreamIDTokenGroups: githubUpstreamGroups, wantDownstreamIDTokenGroups: githubUpstreamGroupMembership,
wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
wantDownstreamNonce: downstreamNonce, wantDownstreamNonce: downstreamNonce,
wantDownstreamClientID: downstreamPinnipedClientID, wantDownstreamClientID: downstreamPinnipedClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamGitHubCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForGitHubUpstream,
wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{ wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{
performedByUpstreamName: happyGithubIDPName, performedByUpstreamName: happyGithubIDPName,
args: happyGitHubUpstreamExchangeAuthcodeArgs, args: happyGitHubUpstreamExchangeAuthcodeArgs,
}, },
}, },
{ {
name: "GitHub IDP: GET with good state and cookie and successful upstream token exchange with dynamic client returns 303 to downstream client callback, with dynamic client", name: "GitHub: GET with good state and cookie and successful upstream token exchange with dynamic client returns 303 to downstream client callback, with dynamic client",
idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub(happyGitHubUpstream().Build()), idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub(happyGitHubUpstream().Build()),
method: http.MethodGet, method: http.MethodGet,
kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources, kubeResources: addFullyCapableDynamicClientAndSecretToKubeResources,
@@ -1344,14 +1390,14 @@ func TestCallbackEndpoint(t *testing.T) {
wantBody: "", wantBody: "",
wantDownstreamIDTokenSubject: githubDownstreamSubject, wantDownstreamIDTokenSubject: githubDownstreamSubject,
wantDownstreamIDTokenUsername: githubUpstreamUsername, wantDownstreamIDTokenUsername: githubUpstreamUsername,
wantDownstreamIDTokenGroups: githubUpstreamGroups, wantDownstreamIDTokenGroups: githubUpstreamGroupMembership,
wantDownstreamRequestedScopes: happyDownstreamScopesRequested, wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
wantDownstreamGrantedScopes: happyDownstreamScopesGranted, wantDownstreamGrantedScopes: happyDownstreamScopesGranted,
wantDownstreamNonce: downstreamNonce, wantDownstreamNonce: downstreamNonce,
wantDownstreamClientID: downstreamDynamicClientID, wantDownstreamClientID: downstreamDynamicClientID,
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamGitHubCustomSessionData, wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataForGitHubUpstream,
wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{ wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{
performedByUpstreamName: happyGithubIDPName, performedByUpstreamName: happyGithubIDPName,
args: happyGitHubUpstreamExchangeAuthcodeArgs, args: happyGitHubUpstreamExchangeAuthcodeArgs,
@@ -1415,7 +1461,7 @@ func TestCallbackEndpoint(t *testing.T) {
}, },
}, },
{ {
name: "GitHub upstream auth code exchange fails", name: "GitHub: upstream auth code exchange fails",
idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub( idps: testidplister.NewUpstreamIDPListerBuilder().WithGitHub(
happyGitHubUpstream().WithAuthcodeExchangeError(errors.New("some error")).Build(), happyGitHubUpstream().WithAuthcodeExchangeError(errors.New("some error")).Build(),
), ),
@@ -1472,6 +1518,7 @@ func TestCallbackEndpoint(t *testing.T) {
wantDownstreamPKCEChallenge: downstreamPKCEChallenge, wantDownstreamPKCEChallenge: downstreamPKCEChallenge,
wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod, wantDownstreamPKCEChallengeMethod: downstreamPKCEChallengeMethod,
wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups( wantDownstreamCustomSessionData: happyDownstreamCustomSessionDataWithUsernameAndGroups(
happyDownstreamCustomSessionDataForOIDCUpstream,
oidcUpstreamUsername, oidcUpstreamUsername,
oidcUpstreamUsername, oidcUpstreamUsername,
nil, nil,
@@ -1658,7 +1705,7 @@ func TestCallbackEndpoint(t *testing.T) {
}, },
}, },
{ {
name: "using identity transformations which reject the authentication", name: "OIDC: using identity transformations which reject the authentication",
idps: testidplister.NewUpstreamIDPListerBuilder(). idps: testidplister.NewUpstreamIDPListerBuilder().
WithOIDC(happyOIDCUpstream().WithTransformsForFederationDomain(rejectAuthPipeline).Build()), WithOIDC(happyOIDCUpstream().WithTransformsForFederationDomain(rejectAuthPipeline).Build()),
method: http.MethodGet, method: http.MethodGet,
@@ -1672,6 +1719,21 @@ func TestCallbackEndpoint(t *testing.T) {
args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs, args: happyOIDCUpstreamExchangeAuthcodeAndValidateTokenArgs,
}, },
}, },
{
name: "GitHub: using identity transformations which reject the authentication",
idps: testidplister.NewUpstreamIDPListerBuilder().
WithGitHub(happyGitHubUpstream().WithTransformsForFederationDomain(rejectAuthPipeline).Build()),
method: http.MethodGet,
path: happyGitHubPath,
csrfCookie: happyCSRFCookie,
wantStatus: http.StatusUnprocessableEntity,
wantContentType: htmlContentType,
wantBody: "Unprocessable Entity: configured identity policy rejected this authentication: authentication was rejected by a configured policy\n",
wantGitHubAuthcodeExchangeCall: &expectedGitHubAuthcodeExchange{
performedByUpstreamName: happyGithubIDPName,
args: happyGitHubUpstreamExchangeAuthcodeArgs,
},
},
} }
for _, test := range tests { for _, test := range tests {
@@ -1896,11 +1958,10 @@ func happyGitHubUpstream() *oidctestutil.TestUpstreamGitHubIdentityProviderBuild
WithName(happyGithubIDPName). WithName(happyGithubIDPName).
WithResourceUID(happyGithubIDPResourceUID). WithResourceUID(happyGithubIDPResourceUID).
WithClientID("some-client-id"). WithClientID("some-client-id").
WithScopes([]string{"these", "scopes", "appear", "unused"}). // TODO: What do we do with these scopes?
WithAccessToken(githubUpstreamAccessToken). WithAccessToken(githubUpstreamAccessToken).
WithUser(&upstreamprovider.GitHubUser{ WithUser(&upstreamprovider.GitHubUser{
Username: githubUpstreamUsername, Username: githubUpstreamUsername,
Groups: githubUpstreamGroups, Groups: githubUpstreamGroupMembership,
DownstreamSubject: githubDownstreamSubject, DownstreamSubject: githubDownstreamSubject,
}) })
} }
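Review bot: The reworked happyDownstreamCustomSessionDataWithUsernameAndGroups helper (third hunk of this file) deep-copies only the OIDC and GitHub sub-structs, so any other pointer-typed field that psession.CustomSessionData may carry would stay aliased to startingSessionData, and the helper now panics on a nil startingSessionData; neither bites the fixtures in this file, but the contract should be stated since the helper is shared across provider types. Suggested header comment: `// happyDownstreamCustomSessionDataWithUsernameAndGroups returns a copy of startingSessionData (OIDC and GitHub sub-structs copied, other fields shallow) with the username and group fields overridden; startingSessionData must be non-nil.` In the new "GitHub: using identity transformations which modify the username and group names" case, wantDownstreamIDTokenGroups carries the prefixed groups while the expected session data keeps githubUpstreamGroupMembership untransformed, which is presumably intentional (the session records the upstream identity, the ID token the transformed one); a one-line comment on that wantDownstreamCustomSessionData call such as `// session keeps the untransformed upstream identity; only the ID token is transformed` would make the check self-explanatory. The happyGitHubPath variable added near the top of TestCallbackEndpoint is used by the two new cases while the older GitHub cases still build their path inline, which is a small consistency nit.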


@@ -112,6 +112,11 @@ func (u *TestUpstreamGitHubIdentityProviderBuilder) WithGetUserError(err error)
return u return u
} }
func (u *TestUpstreamGitHubIdentityProviderBuilder) WithTransformsForFederationDomain(transforms *idtransform.TransformationPipeline) *TestUpstreamGitHubIdentityProviderBuilder {
u.transformsForFederationDomain = transforms
return u
}
func (u *TestUpstreamGitHubIdentityProviderBuilder) Build() *TestUpstreamGitHubIdentityProvider { func (u *TestUpstreamGitHubIdentityProviderBuilder) Build() *TestUpstreamGitHubIdentityProvider {
if u.displayNameForFederationDomain == "" { if u.displayNameForFederationDomain == "" {
// default it to the CR name // default it to the CR name
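Review bot: The new WithTransformsForFederationDomain builder method has no doc comment, and nothing in this hunk shows Build() propagating u.transformsForFederationDomain into the returned TestUpstreamGitHubIdentityProvider; Build's body continues past the hunk and the GitHub transformation test cases in the other file only pass if it does, so this is presumably handled outside the visible lines. Suggested comment above the method: `// WithTransformsForFederationDomain sets the identity transformation pipeline that Build attaches to the test provider, mirroring the OIDC test builder.` The enclosing builder type and its transformsForFederationDomain field are declared outside the hunk.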