Enforce more imports
Packages now required to be imported under a fixed alias:
- k8s.io/apimachinery/pkg/apis/meta/v1
- k8s.io/api/core/v1
- github.com/coreos/go-oidc/v3/oidc
- github.com/ory/fosite/handler/oauth2
- go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1
@@ -26,7 +26,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/runtime/serializer"
|
||||
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
|
||||
conciergescheme "go.pinniped.dev/internal/concierge/scheme"
|
||||
"go.pinniped.dev/pkg/oidcclient"
|
||||
@@ -43,7 +43,7 @@ func TestCLIGetKubeconfigStaticToken_Parallel(t *testing.T) {
|
||||
ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Minute)
|
||||
defer cancelFunc()
|
||||
|
||||
authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
authenticator := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
|
||||
// Build pinniped CLI.
|
||||
pinnipedExe := testlib.PinnipedCLIPath(t)
|
||||
|
||||
@@ -12,7 +12,7 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
||||
"go.pinniped.dev/internal/testutil"
|
||||
"go.pinniped.dev/test/testlib"
|
||||
@@ -83,7 +83,7 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {
|
||||
|
||||
// Create a testWebhook so we have a legitimate authenticator to pass to the
|
||||
// TokenCredentialRequest API.
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
|
||||
// Get the initial auto-generated version of the Secret.
|
||||
secret, err := kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
|
||||
|
||||
@@ -11,7 +11,7 @@ import (
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
"go.pinniped.dev/internal/here"
|
||||
"go.pinniped.dev/pkg/conciergeclient"
|
||||
"go.pinniped.dev/test/testlib"
|
||||
@@ -59,7 +59,7 @@ func TestClient(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
||||
defer cancel()
|
||||
|
||||
webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
webhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
|
||||
// Use an invalid certificate/key to validate that the ServerVersion API fails like we assume.
|
||||
invalidClient := testlib.NewClientsetWithCertAndKey(t, testCert, testKey)
|
||||
|
||||
@@ -17,7 +17,7 @@ import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/utils/ptr"
|
||||
|
||||
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
||||
"go.pinniped.dev/test/testlib"
|
||||
)
|
||||
@@ -33,7 +33,7 @@ func TestUnsuccessfulCredentialRequest_Parallel(t *testing.T) {
|
||||
loginv1alpha1.TokenCredentialRequestSpec{
|
||||
Token: env.TestUser.Token,
|
||||
Authenticator: corev1.TypedLocalObjectReference{
|
||||
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||
Kind: "WebhookAuthenticator",
|
||||
Name: "some-webhook-that-does-not-exist",
|
||||
},
|
||||
@@ -62,7 +62,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
|
||||
{
|
||||
name: "webhook",
|
||||
authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
||||
return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
return testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
},
|
||||
token: func(t *testing.T) (string, string, []string) {
|
||||
return testlib.IntegrationEnv(t).TestUser.Token, env.TestUser.ExpectedUsername, env.TestUser.ExpectedGroups
|
||||
@@ -73,7 +73,7 @@ func TestSuccessfulCredentialRequest_Browser(t *testing.T) {
|
||||
authenticator: func(ctx context.Context, t *testing.T) corev1.TypedLocalObjectReference {
|
||||
authenticator := testlib.CreateTestJWTAuthenticatorForCLIUpstream(ctx, t)
|
||||
return corev1.TypedLocalObjectReference{
|
||||
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||
Kind: "JWTAuthenticator",
|
||||
Name: authenticator.Name,
|
||||
}
|
||||
@@ -148,7 +148,7 @@ func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthentic
|
||||
// TokenCredentialRequest API.
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
||||
defer cancel()
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
|
||||
response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
|
||||
loginv1alpha1.TokenCredentialRequestSpec{Token: "not a good token", Authenticator: testWebhook},
|
||||
@@ -169,7 +169,7 @@ func TestCredentialRequest_ShouldFailWhenRequestDoesNotIncludeToken_Parallel(t *
|
||||
// TokenCredentialRequest API.
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
|
||||
defer cancel()
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, auth1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
testWebhook := testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady)
|
||||
|
||||
response, err := testlib.CreateTokenCredentialRequest(context.Background(), t,
|
||||
loginv1alpha1.TokenCredentialRequestSpec{Token: "", Authenticator: testWebhook},
|
||||
|
||||
@@ -61,7 +61,7 @@ import (
|
||||
"k8s.io/client-go/util/retry"
|
||||
"k8s.io/utils/ptr"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
conciergev1alpha "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
|
||||
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
|
||||
loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
||||
@@ -121,7 +121,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
|
||||
// Create a WebhookAuthenticator and prepare a TokenCredentialRequestSpec using the authenticator for use later.
|
||||
credentialRequestSpecWithWorkingCredentials := loginv1alpha1.TokenCredentialRequestSpec{
|
||||
Token: env.TestUser.Token,
|
||||
Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, v1alpha1.WebhookAuthenticatorPhaseReady),
|
||||
Authenticator: testlib.CreateTestWebhookAuthenticator(ctx, t, &testlib.IntegrationEnv(t).TestWebhook, authenticationv1alpha1.WebhookAuthenticatorPhaseReady),
|
||||
}
|
||||
|
||||
// The address of the ClusterIP service that points at the impersonation proxy's port (used when there is no load balancer).
|
||||
|
||||
@@ -14,7 +14,7 @@ import (
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
"go.pinniped.dev/test/testlib"
|
||||
)
|
||||
|
||||
@@ -31,13 +31,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
name: "valid spec with no errors and all good status conditions and phase will result in a jwt authenticator that is ready",
|
||||
run: func(t *testing.T) {
|
||||
caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
Audience: "some-fake-audience",
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleString,
|
||||
},
|
||||
}, v1alpha1.JWTAuthenticatorPhaseReady)
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
testlib.WaitForJWTAuthenticatorStatusConditions(
|
||||
ctx, t,
|
||||
@@ -49,13 +49,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
name: "valid spec with invalid CA in TLS config will result in a jwt authenticator that is not ready",
|
||||
run: func(t *testing.T) {
|
||||
caBundleString := "invalid base64-encoded data"
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
Audience: "some-fake-audience",
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleString,
|
||||
},
|
||||
}, v1alpha1.JWTAuthenticatorPhaseError)
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
testlib.WaitForJWTAuthenticatorStatusConditions(
|
||||
ctx, t,
|
||||
@@ -102,16 +102,16 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
name: "valid spec with valid CA in TLS config but does not match issuer server will result in a jwt authenticator that is not ready",
|
||||
run: func(t *testing.T) {
|
||||
caBundleString := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lWQUpzNStTbVRtaTJXeUI0bGJJRXBXaUs5a1RkUE1BMEdDU3FHU0liM0RRRUIKQ3dVQU1COHhDekFKQmdOVkJBWVRBbFZUTVJBd0RnWURWUVFLREFkUWFYWnZkR0ZzTUI0WERUSXdNRFV3TkRFMgpNamMxT0ZvWERUSTBNRFV3TlRFMk1qYzFPRm93SHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFREFPQmdOVkJBb01CMUJwCmRtOTBZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRERZWmZvWGR4Z2NXTEMKZEJtbHB5a0tBaG9JMlBuUWtsVFNXMno1cGcwaXJjOGFRL1E3MXZzMTRZYStmdWtFTGlvOTRZYWw4R01DdVFrbApMZ3AvUEE5N1VYelhQNDBpK25iNXcwRGpwWWd2dU9KQXJXMno2MFRnWE5NSFh3VHk4ME1SZEhpUFVWZ0VZd0JpCmtkNThzdEFVS1Y1MnBQTU1reTJjNy9BcFhJNmRXR2xjalUvaFBsNmtpRzZ5dEw2REtGYjJQRWV3MmdJM3pHZ2IKOFVVbnA1V05DZDd2WjNVY0ZHNXlsZEd3aGc3cnZ4U1ZLWi9WOEhCMGJmbjlxamlrSVcxWFM4dzdpUUNlQmdQMApYZWhKZmVITlZJaTJtZlczNlVQbWpMdnVKaGpqNDIrdFBQWndvdDkzdWtlcEgvbWpHcFJEVm9wamJyWGlpTUYrCkYxdnlPNGMxQWdNQkFBR2pnWU13Z1lBd0hRWURWUjBPQkJZRUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1IKTUI4R0ExVWRJd1FZTUJhQUZNTWJpSXFhdVkwajRVWWphWDl0bDJzby9LQ1JNQjBHQTFVZEpRUVdNQlFHQ0NzRwpBUVVGQndNQ0JnZ3JCZ0VGQlFjREFUQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BNEdBMVVkRHdFQi93UUVBd0lCCkJqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFYbEh4M2tIMDZwY2NDTDlEVE5qTnBCYnlVSytGd2R6T2IwWFYKcmpNaGtxdHVmdEpUUnR5T3hKZ0ZKNXhUR3pCdEtKamcrVU1pczBOV0t0VDBNWThVMU45U2c5SDl0RFpHRHBjVQpxMlVRU0Y4dXRQMVR3dnJIUzIrdzB2MUoxdHgrTEFiU0lmWmJCV0xXQ21EODUzRlVoWlFZekkvYXpFM28vd0p1CmlPUklMdUpNUk5vNlBXY3VLZmRFVkhaS1RTWnk3a25FcHNidGtsN3EwRE91eUFWdG9HVnlkb3VUR0FOdFhXK2YKczNUSTJjKzErZXg3L2RZOEJGQTFzNWFUOG5vZnU3T1RTTzdiS1kzSkRBUHZOeFQzKzVZUXJwNGR1Nmh0YUFMbAppOHNaRkhidmxpd2EzdlhxL3p1Y2JEaHEzQzBhZnAzV2ZwRGxwSlpvLy9QUUFKaTZLQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.SupervisorUpstreamOIDC.Issuer,
|
||||
Audience: "some-fake-audience",
|
||||
// Some random generated cert
|
||||
// Issuer: C=US, O=Pivotal
|
||||
// No SAN provided
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleString,
|
||||
},
|
||||
}, v1alpha1.JWTAuthenticatorPhaseError)
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
testlib.WaitForJWTAuthenticatorStatusConditions(
|
||||
ctx, t,
|
||||
@@ -159,13 +159,13 @@ func TestConciergeJWTAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
run: func(t *testing.T) {
|
||||
caBundleString := base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle))
|
||||
fakeIssuerURL := "https://127.0.0.1:443/some-fake-issuer"
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, v1alpha1.JWTAuthenticatorSpec{
|
||||
jwtAuthenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: fakeIssuerURL,
|
||||
Audience: "some-fake-audience",
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleString,
|
||||
},
|
||||
}, v1alpha1.JWTAuthenticatorPhaseError)
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
testlib.WaitForJWTAuthenticatorStatusConditions(
|
||||
ctx, t,
|
||||
@@ -223,14 +223,14 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
objectMeta := testlib.ObjectMetaWithRandomName(t, "jwt-authenticator")
|
||||
tests := []struct {
|
||||
name string
|
||||
jwtAuthenticator *v1alpha1.JWTAuthenticator
|
||||
jwtAuthenticator *authenticationv1alpha1.JWTAuthenticator
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "issuer can not be empty string",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: objectMeta,
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: "",
|
||||
Audience: "fake-audience",
|
||||
},
|
||||
@@ -240,9 +240,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "audience can not be empty string",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: objectMeta,
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: "https://example.com",
|
||||
Audience: "",
|
||||
},
|
||||
@@ -252,9 +252,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "issuer must be https",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: objectMeta,
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: "http://www.example.com",
|
||||
Audience: "foo",
|
||||
},
|
||||
@@ -264,9 +264,9 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "minimum valid authenticator",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
},
|
||||
@@ -274,23 +274,23 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty claims block",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: v1alpha1.JWTTokenClaims{},
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty group claim and empty username claim",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: v1alpha1.JWTTokenClaims{
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
@@ -299,31 +299,31 @@ func TestConciergeJWTAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty TLS block",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: v1alpha1.JWTTokenClaims{
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &v1alpha1.TLSSpec{},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty TLS CertificateAuthorityData",
|
||||
jwtAuthenticator: &v1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator: &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.JWTAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: env.CLIUpstreamOIDC.Issuer,
|
||||
Audience: "foo",
|
||||
Claims: v1alpha1.JWTTokenClaims{
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{
|
||||
Groups: "",
|
||||
Username: "",
|
||||
},
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: "pretend-this-is-a-certificate",
|
||||
},
|
||||
},
|
||||
|
||||
@@ -12,7 +12,7 @@ import (
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
"go.pinniped.dev/test/testlib"
|
||||
)
|
||||
|
||||
@@ -25,30 +25,30 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
spec func() *v1alpha1.WebhookAuthenticatorSpec
|
||||
initialPhase v1alpha1.WebhookAuthenticatorPhase
|
||||
spec func() *authenticationv1alpha1.WebhookAuthenticatorSpec
|
||||
initialPhase authenticationv1alpha1.WebhookAuthenticatorPhase
|
||||
finalConditions []metav1.Condition
|
||||
run func(t *testing.T)
|
||||
}{
|
||||
{
|
||||
name: "Basic test to see if the WebhookAuthenticator wakes up or not.",
|
||||
spec: func() *v1alpha1.WebhookAuthenticatorSpec {
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
return &testlib.IntegrationEnv(t).TestWebhook
|
||||
},
|
||||
initialPhase: v1alpha1.WebhookAuthenticatorPhaseReady,
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseReady,
|
||||
finalConditions: allSuccessfulWebhookAuthenticatorConditions(),
|
||||
},
|
||||
{
|
||||
name: "valid spec with invalid CA in TLS config will result in a WebhookAuthenticator that is not ready",
|
||||
spec: func() *v1alpha1.WebhookAuthenticatorSpec {
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
caBundleString := "invalid base64-encoded data"
|
||||
webhookSpec := testEnv.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &v1alpha1.TLSSpec{
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleString,
|
||||
}
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
@@ -78,14 +78,14 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "valid spec with valid CA in TLS config but does not match issuer server will result in a WebhookAuthenticator that is not ready",
|
||||
spec: func() *v1alpha1.WebhookAuthenticatorSpec {
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := testEnv.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &v1alpha1.TLSSpec{
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleSomePivotalCA,
|
||||
}
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
@@ -110,15 +110,15 @@ func TestConciergeWebhookAuthenticatorStatus_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "invalid with unresponsive endpoint will result in a WebhookAuthenticator that is not ready",
|
||||
spec: func() *v1alpha1.WebhookAuthenticatorSpec {
|
||||
spec: func() *authenticationv1alpha1.WebhookAuthenticatorSpec {
|
||||
webhookSpec := testEnv.TestWebhook.DeepCopy()
|
||||
webhookSpec.TLS = &v1alpha1.TLSSpec{
|
||||
webhookSpec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: caBundleSomePivotalCA,
|
||||
}
|
||||
webhookSpec.Endpoint = "https://127.0.0.1:443/some-fake-endpoint"
|
||||
return webhookSpec
|
||||
},
|
||||
initialPhase: v1alpha1.WebhookAuthenticatorPhaseError,
|
||||
initialPhase: authenticationv1alpha1.WebhookAuthenticatorPhaseError,
|
||||
finalConditions: replaceSomeConditions(
|
||||
allSuccessfulWebhookAuthenticatorConditions(),
|
||||
[]metav1.Condition{
|
||||
@@ -171,14 +171,14 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
objectMeta := testlib.ObjectMetaWithRandomName(t, "webhook-authenticator")
|
||||
tests := []struct {
|
||||
name string
|
||||
webhookAuthenticator *v1alpha1.WebhookAuthenticator
|
||||
webhookAuthenticator *authenticationv1alpha1.WebhookAuthenticator
|
||||
wantErr string
|
||||
}{
|
||||
{
|
||||
name: "endpoint can not be empty string",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: objectMeta,
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "",
|
||||
},
|
||||
},
|
||||
@@ -187,9 +187,9 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "endpoint must be https",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: objectMeta,
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "http://www.example.com",
|
||||
},
|
||||
},
|
||||
@@ -198,30 +198,30 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "minimum valid authenticator",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"),
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "https://localhost/webhook-isnt-actually-here",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty TLS block",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "webhook"),
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "https://localhost/webhook-isnt-actually-here",
|
||||
TLS: &v1alpha1.TLSSpec{},
|
||||
TLS: &authenticationv1alpha1.TLSSpec{},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid authenticator can have empty TLS CertificateAuthorityData",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "https://localhost/webhook-isnt-actually-here",
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: "",
|
||||
},
|
||||
},
|
||||
@@ -230,11 +230,11 @@ func TestConciergeWebhookAuthenticatorCRDValidations_Parallel(t *testing.T) {
|
||||
{
|
||||
// since the CRD validations do not assess fitness of the value provided
|
||||
name: "valid authenticator can have TLS CertificateAuthorityData string that is an invalid certificate",
|
||||
webhookAuthenticator: &v1alpha1.WebhookAuthenticator{
|
||||
webhookAuthenticator: &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: testlib.ObjectMetaWithRandomName(t, "jwtauthenticator"),
|
||||
Spec: v1alpha1.WebhookAuthenticatorSpec{
|
||||
Spec: authenticationv1alpha1.WebhookAuthenticatorSpec{
|
||||
Endpoint: "https://localhost/webhook-isnt-actually-here",
|
||||
TLS: &v1alpha1.TLSSpec{
|
||||
TLS: &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: "pretend-this-is-a-certificate",
|
||||
},
|
||||
},
|
||||
|
||||
@@ -34,7 +34,7 @@ import (
|
||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||
"k8s.io/utils/ptr"
|
||||
|
||||
authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||
supervisorclient "go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
|
||||
@@ -115,11 +115,11 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
// Create a JWTAuthenticator that will validate the tokens from the downstream issuer.
|
||||
// If the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either.
|
||||
clusterAudience := "test-cluster-" + testlib.RandHex(t, 8)
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authv1alpha.JWTAuthenticatorSpec{
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(topSetupCtx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: federationDomain.Spec.Issuer,
|
||||
Audience: clusterAudience,
|
||||
TLS: &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64},
|
||||
}, authv1alpha.JWTAuthenticatorPhaseError)
|
||||
TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
// Add an OIDC upstream IDP and try using it to authenticate during kubectl commands.
|
||||
t.Run("with Supervisor OIDC upstream IDP and browser flow with with form_post automatic authcode delivery to CLI", func(t *testing.T) {
|
||||
@@ -164,7 +164,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -250,7 +250,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -338,7 +338,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -462,7 +462,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -593,7 +593,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -666,7 +666,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -730,7 +730,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -789,7 +789,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -852,7 +852,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -923,7 +923,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -982,7 +982,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -1055,7 +1055,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -1110,7 +1110,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -1165,7 +1165,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -1242,7 +1242,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
// Having one IDP should put the FederationDomain into a ready state.
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Create a ClusterRoleBinding to give our test user from the upstream read-only access to the cluster.
|
||||
testlib.CreateTestClusterRoleBinding(t,
|
||||
@@ -1276,7 +1276,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
// Having a second IDP should put the FederationDomain back into an error state until we tell it which one to use.
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseError)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Update the FederationDomain to use the two IDPs.
|
||||
federationDomainsClient := testlib.NewSupervisorClientset(t).ConfigV1alpha1().FederationDomains(env.SupervisorNamespace)
|
||||
@@ -1371,7 +1371,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
|
||||
// The FederationDomain should be valid after the above update.
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/test-sessions.yaml"
|
||||
@@ -1505,7 +1505,7 @@ func TestE2EFullIntegration_Browser(t *testing.T) {
|
||||
}, 20*time.Second, 250*time.Millisecond)
|
||||
// The FederationDomain should be valid after the above update.
|
||||
testlib.WaitForFederationDomainStatusPhase(testCtx, t, federationDomain.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(testCtx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Log out so we can try fresh logins again.
|
||||
require.NoError(t, os.Remove(credentialCachePath))
|
||||
|
||||
@@ -24,7 +24,7 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
|
||||
authv1alpha "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
idpv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idp/v1alpha1"
|
||||
"go.pinniped.dev/internal/certauthority"
|
||||
@@ -93,11 +93,11 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
||||
// Create a JWTAuthenticator that will validate the tokens from the downstream issuer.
|
||||
// if the FederationDomain is not Ready, the JWTAuthenticator cannot be ready, either.
|
||||
clusterAudience := "test-cluster-" + testlib.RandHex(t, 8)
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authv1alpha.JWTAuthenticatorSpec{
|
||||
authenticator := testlib.CreateTestJWTAuthenticator(ctx, t, authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: downstream.Spec.Issuer,
|
||||
Audience: clusterAudience,
|
||||
TLS: &authv1alpha.TLSSpec{CertificateAuthorityData: testCABundleBase64},
|
||||
}, authv1alpha.JWTAuthenticatorPhaseError)
|
||||
TLS: &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: testCABundleBase64},
|
||||
}, authenticationv1alpha1.JWTAuthenticatorPhaseError)
|
||||
|
||||
const (
|
||||
yellowColor = "\u001b[33;1m"
|
||||
@@ -111,7 +111,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
||||
|
||||
createdProvider := setupClusterForEndToEndLDAPTest(t, expectedUsername, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
|
||||
@@ -259,7 +259,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
||||
sAMAccountName := expectedUsername + "@" + env.SupervisorUpstreamActiveDirectory.Domain
|
||||
createdProvider := setupClusterForEndToEndActiveDirectoryTest(t, sAMAccountName, env)
|
||||
testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
|
||||
@@ -421,7 +421,7 @@ func TestSupervisorWarnings_Browser(t *testing.T) {
|
||||
},
|
||||
}, idpv1alpha1.PhaseReady)
|
||||
testlib.WaitForFederationDomainStatusPhase(ctx, t, downstream.Name, configv1alpha1.FederationDomainPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authv1alpha.JWTAuthenticatorPhaseReady)
|
||||
testlib.WaitForJWTAuthenticatorStatusPhase(ctx, t, authenticator.Name, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
|
||||
// Use a specific session cache for this test.
|
||||
sessionCachePath := tempDir + "/ldap-test-refresh-sessions.yaml"
|
||||
|
||||
@@ -27,7 +27,7 @@ import (
|
||||
aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
|
||||
"k8s.io/utils/ptr"
|
||||
|
||||
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
|
||||
clientsecretv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/clientsecret/v1alpha1"
|
||||
configv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/config/v1alpha1"
|
||||
@@ -174,8 +174,8 @@ func NewKubeclient(t *testing.T, config *rest.Config) *kubeclient.Client {
|
||||
func CreateTestWebhookAuthenticator(
|
||||
ctx context.Context,
|
||||
t *testing.T,
|
||||
webhookSpec *auth1alpha1.WebhookAuthenticatorSpec,
|
||||
expectedStatus auth1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
|
||||
webhookSpec *authenticationv1alpha1.WebhookAuthenticatorSpec,
|
||||
expectedStatus authenticationv1alpha1.WebhookAuthenticatorPhase) corev1.TypedLocalObjectReference {
|
||||
t.Helper()
|
||||
|
||||
client := NewConciergeClientset(t)
|
||||
@@ -184,7 +184,7 @@ func CreateTestWebhookAuthenticator(
|
||||
createContext, cancel := context.WithTimeout(ctx, time.Minute)
|
||||
defer cancel()
|
||||
|
||||
webhook, err := webhooks.Create(createContext, &auth1alpha1.WebhookAuthenticator{
|
||||
webhook, err := webhooks.Create(createContext, &authenticationv1alpha1.WebhookAuthenticator{
|
||||
ObjectMeta: testObjectMeta(t, "webhook"),
|
||||
Spec: *webhookSpec,
|
||||
}, metav1.CreateOptions{})
|
||||
@@ -205,7 +205,7 @@ func CreateTestWebhookAuthenticator(
|
||||
}
|
||||
|
||||
return corev1.TypedLocalObjectReference{
|
||||
APIGroup: &auth1alpha1.SchemeGroupVersion.Group,
|
||||
APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
|
||||
Kind: "WebhookAuthenticator",
|
||||
Name: webhook.Name,
|
||||
}
|
||||
@@ -215,7 +215,7 @@ func WaitForWebhookAuthenticatorStatusPhase(
|
||||
ctx context.Context,
|
||||
t *testing.T,
|
||||
webhookName string,
|
||||
expectPhase auth1alpha1.WebhookAuthenticatorPhase) {
|
||||
expectPhase authenticationv1alpha1.WebhookAuthenticatorPhase) {
|
||||
t.Helper()
|
||||
webhookAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().WebhookAuthenticators()
|
||||
|
||||
@@ -256,25 +256,25 @@ func WaitForWebhookAuthenticatorStatusConditions(ctx context.Context, t *testing
|
||||
// deleted at the end of the current test's lifetime.
|
||||
//
|
||||
// CreateTestJWTAuthenticatorForCLIUpstream gets the OIDC issuer info from IntegrationEnv().CLIUpstreamOIDC.
|
||||
func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *auth1alpha1.JWTAuthenticator {
|
||||
func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T) *authenticationv1alpha1.JWTAuthenticator {
|
||||
t.Helper()
|
||||
testEnv := IntegrationEnv(t)
|
||||
spec := auth1alpha1.JWTAuthenticatorSpec{
|
||||
spec := authenticationv1alpha1.JWTAuthenticatorSpec{
|
||||
Issuer: testEnv.CLIUpstreamOIDC.Issuer,
|
||||
Audience: testEnv.CLIUpstreamOIDC.ClientID,
|
||||
// The default UsernameClaim is "username" but the upstreams that we use for
|
||||
// integration tests won't necessarily have that claim, so use "sub" here.
|
||||
Claims: auth1alpha1.JWTTokenClaims{Username: "sub"},
|
||||
Claims: authenticationv1alpha1.JWTTokenClaims{Username: "sub"},
|
||||
}
|
||||
// If the test upstream does not have a CA bundle specified, then don't configure one in the
|
||||
// JWTAuthenticator. Leaving TLSSpec set to nil will result in OIDC discovery using the OS's root
|
||||
// CA store.
|
||||
if testEnv.CLIUpstreamOIDC.CABundle != "" {
|
||||
spec.TLS = &auth1alpha1.TLSSpec{
|
||||
spec.TLS = &authenticationv1alpha1.TLSSpec{
|
||||
CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(testEnv.CLIUpstreamOIDC.CABundle)),
|
||||
}
|
||||
}
|
||||
authenticator := CreateTestJWTAuthenticator(ctx, t, spec, auth1alpha1.JWTAuthenticatorPhaseReady)
|
||||
authenticator := CreateTestJWTAuthenticator(ctx, t, spec, authenticationv1alpha1.JWTAuthenticatorPhaseReady)
|
||||
return authenticator
|
||||
}
|
||||
|
||||
@@ -283,8 +283,8 @@ func CreateTestJWTAuthenticatorForCLIUpstream(ctx context.Context, t *testing.T)
|
||||
func CreateTestJWTAuthenticator(
|
||||
ctx context.Context,
|
||||
t *testing.T,
|
||||
spec auth1alpha1.JWTAuthenticatorSpec,
|
||||
expectedStatus auth1alpha1.JWTAuthenticatorPhase) *auth1alpha1.JWTAuthenticator {
|
||||
spec authenticationv1alpha1.JWTAuthenticatorSpec,
|
||||
expectedStatus authenticationv1alpha1.JWTAuthenticatorPhase) *authenticationv1alpha1.JWTAuthenticator {
|
||||
t.Helper()
|
||||
|
||||
client := NewConciergeClientset(t)
|
||||
@@ -293,7 +293,7 @@ func CreateTestJWTAuthenticator(
|
||||
createContext, cancel := context.WithTimeout(ctx, time.Minute)
|
||||
defer cancel()
|
||||
|
||||
jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &auth1alpha1.JWTAuthenticator{
|
||||
jwtAuthenticator, err := jwtAuthenticators.Create(createContext, &authenticationv1alpha1.JWTAuthenticator{
|
||||
ObjectMeta: testObjectMeta(t, "jwt-authenticator"),
|
||||
Spec: spec,
|
||||
}, metav1.CreateOptions{})
|
||||
@@ -314,7 +314,7 @@ func CreateTestJWTAuthenticator(
|
||||
return jwtAuthenticator
|
||||
}
|
||||
|
||||
func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase auth1alpha1.JWTAuthenticatorPhase) {
|
||||
func WaitForJWTAuthenticatorStatusPhase(ctx context.Context, t *testing.T, jwtAuthenticatorName string, expectPhase authenticationv1alpha1.JWTAuthenticatorPhase) {
|
||||
t.Helper()
|
||||
jwtAuthenticatorClientSet := NewConciergeClientset(t).AuthenticationV1alpha1().JWTAuthenticators()
|
||||
|
||||
|
||||
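Review bot: The import block in the first hunk of this file still binds the bare package name for `"go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"` on the line right after the newly aliased authentication import, so `v1alpha1` remains an unqualified identifier in testlib even though the point of the rename is to make versioned API packages explicit. The login package is not among the packages this commit says it enforces, so this may be deliberate, but aliasing it as `loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"` (and updating its references elsewhere in the file) would match how the authentication package is handled in the same block. The import block itself starts outside the hunk.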
@@ -1,4 +1,4 @@
|
||||
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
||||
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package testlib
|
||||
@@ -14,7 +14,7 @@ import (
|
||||
"github.com/stretchr/testify/require"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||
)
|
||||
|
||||
type Capability string
|
||||
@@ -39,22 +39,22 @@ type TestEnv struct {
|
||||
|
||||
skipPodRestartAssertions bool
|
||||
|
||||
ToolsNamespace string `json:"toolsNamespace"`
|
||||
ConciergeNamespace string `json:"conciergeNamespace"`
|
||||
SupervisorNamespace string `json:"supervisorNamespace"`
|
||||
ConciergeAppName string `json:"conciergeAppName"`
|
||||
SupervisorAppName string `json:"supervisorAppName"`
|
||||
SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
|
||||
ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"`
|
||||
KubernetesDistribution KubeDistro `json:"kubernetesDistribution"`
|
||||
Capabilities map[Capability]bool `json:"capabilities"`
|
||||
TestWebhook auth1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
|
||||
SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"`
|
||||
SupervisorHTTPSIngressAddress string `json:"supervisorHttpsIngressAddress"`
|
||||
SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"`
|
||||
Proxy string `json:"proxy"`
|
||||
APIGroupSuffix string `json:"apiGroupSuffix"`
|
||||
ShellContainerImage string `json:"shellContainer"`
|
||||
ToolsNamespace string `json:"toolsNamespace"`
|
||||
ConciergeNamespace string `json:"conciergeNamespace"`
|
||||
SupervisorNamespace string `json:"supervisorNamespace"`
|
||||
ConciergeAppName string `json:"conciergeAppName"`
|
||||
SupervisorAppName string `json:"supervisorAppName"`
|
||||
SupervisorCustomLabels map[string]string `json:"supervisorCustomLabels"`
|
||||
ConciergeCustomLabels map[string]string `json:"conciergeCustomLabels"`
|
||||
KubernetesDistribution KubeDistro `json:"kubernetesDistribution"`
|
||||
Capabilities map[Capability]bool `json:"capabilities"`
|
||||
TestWebhook authenticationv1alpha1.WebhookAuthenticatorSpec `json:"testWebhook"`
|
||||
SupervisorHTTPSAddress string `json:"supervisorHttpsAddress"`
|
||||
SupervisorHTTPSIngressAddress string `json:"supervisorHttpsIngressAddress"`
|
||||
SupervisorHTTPSIngressCABundle string `json:"supervisorHttpsIngressCABundle"`
|
||||
Proxy string `json:"proxy"`
|
||||
APIGroupSuffix string `json:"apiGroupSuffix"`
|
||||
ShellContainerImage string `json:"shellContainer"`
|
||||
|
||||
TestUser struct {
|
||||
Token string `json:"token"`
|
||||
@@ -227,7 +227,7 @@ func loadEnvVars(t *testing.T, result *TestEnv) {
|
||||
result.TestWebhook.Endpoint = needEnv(t, "PINNIPED_TEST_WEBHOOK_ENDPOINT")
|
||||
result.SupervisorNamespace = needEnv(t, "PINNIPED_TEST_SUPERVISOR_NAMESPACE")
|
||||
result.SupervisorAppName = needEnv(t, "PINNIPED_TEST_SUPERVISOR_APP_NAME")
|
||||
result.TestWebhook.TLS = &auth1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
|
||||
result.TestWebhook.TLS = &authenticationv1alpha1.TLSSpec{CertificateAuthorityData: needEnv(t, "PINNIPED_TEST_WEBHOOK_CA_BUNDLE")}
|
||||
|
||||
result.SupervisorHTTPSIngressAddress = os.Getenv("PINNIPED_TEST_SUPERVISOR_HTTPS_INGRESS_ADDRESS")
|
||||
result.SupervisorHTTPSAddress = needEnv(t, "PINNIPED_TEST_SUPERVISOR_HTTPS_ADDRESS")
|
||||
|
||||