From fdeca2c026dd1bb5b25796bd2661411b653fd6d4 Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Mon, 5 Aug 2024 12:52:29 -0700 Subject: [PATCH] Revert "add integration test for TLS config validation in OIDCIdentityProvider" This reverts commit 59402bca7b0253c9d1e68e5ba96d2cfa2354397a.
---
 test/integration/supervisor_upstream_test.go | 247 -------------------
 1 file changed, 247 deletions(-)
diff --git a/test/integration/supervisor_upstream_test.go b/test/integration/supervisor_upstream_test.go
index 47f18a127..c20da7301 100644
--- a/test/integration/supervisor_upstream_test.go
+++ b/test/integration/supervisor_upstream_test.go
@@ -5,7 +5,6 @@ package integration
 import (
 "encoding/base64"
- "fmt"
 "testing"
 "github.com/stretchr/testify/require"
@@ -127,252 +126,6 @@ oidc: issuer did not match the issuer returned by provider, expected "` + env.Su expectedTLSConfigValidCondition(env.SupervisorUpstreamOIDC.CABundle != ""), }) }) - - t.Run("invalid when tlsSpec supplies both certificateAuthorityData and certificateAuthorityDataSource", func(t *testing.T) { - t.Parallel() - spec := idpv1alpha1.OIDCIdentityProviderSpec{ - Issuer: env.SupervisorUpstreamOIDC.Issuer, - TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)), - CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does=not-matter", - Key: "also-does-not-matter", - }, - }, - AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: []string{"email", "profile"}, - }, - Client: idpv1alpha1.OIDCClient{ - SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name, - }, - } - upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError) - expectUpstreamConditions(t, upstream, []metav1.Condition{ - { - Type: "ClientCredentialsSecretValid", - Status: "True", - Reason: "Success", - Message: "loaded client credentials", - }, - { - Type: "OIDCDiscoverySucceeded", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided", - }, - { - Type: "AdditionalAuthorizeParametersValid", - Status: "True", - Reason: "Success", - Message: "additionalAuthorizeParameters parameter names are allowed", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided", - }, - }) - }) - - t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist", func(t *testing.T) { - 
t.Parallel() - spec := idpv1alpha1.OIDCIdentityProviderSpec{ - Issuer: env.SupervisorUpstreamOIDC.Issuer, - TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: "does=not-exist", - Key: "does-not-matter", - }, - }, - AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: []string{"email", "profile"}, - }, - Client: idpv1alpha1.OIDCClient{ - SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name, - }, - } - upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError) - expectUpstreamConditions(t, upstream, []metav1.Condition{ - { - Type: "ClientCredentialsSecretValid", - Status: "True", - Reason: "Success", - Message: "loaded client credentials", - }, - { - Type: "OIDCDiscoverySucceeded", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found", - }, - { - Type: "AdditionalAuthorizeParametersValid", - Status: "True", - Reason: "Success", - Message: "additionalAuthorizeParameters parameter names are allowed", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found", - }, - }) - }) - - t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist", func(t *testing.T) { - t.Parallel() - spec := idpv1alpha1.OIDCIdentityProviderSpec{ - Issuer: env.SupervisorUpstreamOIDC.Issuer, - TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "Secret", - Name: "does=not-exist", - Key: "does-not-matter", - }, - }, - AuthorizationConfig: 
idpv1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: []string{"email", "profile"}, - }, - Client: idpv1alpha1.OIDCClient{ - SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name, - }, - } - upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError) - expectUpstreamConditions(t, upstream, []metav1.Condition{ - { - Type: "ClientCredentialsSecretValid", - Status: "True", - Reason: "Success", - Message: "loaded client credentials", - }, - { - Type: "OIDCDiscoverySucceeded", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found", - }, - { - Type: "AdditionalAuthorizeParametersValid", - Status: "True", - Reason: "Success", - Message: "additionalAuthorizeParameters parameter names are allowed", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found", - }, - }) - }) - - t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes", func(t *testing.T) { - t.Parallel() - - badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{ - "ca.crt": "This is not a real CA bundle", - }) - - spec := idpv1alpha1.OIDCIdentityProviderSpec{ - Issuer: env.SupervisorUpstreamOIDC.Issuer, - TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "ca.crt", - }, - }, - AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: []string{"email", "profile"}, - }, - Client: idpv1alpha1.OIDCClient{ - SecretName: 
testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name, - }, - } - upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError) - expectUpstreamConditions(t, upstream, []metav1.Condition{ - { - Type: "ClientCredentialsSecretValid", - Status: "True", - Reason: "Success", - Message: "loaded client credentials", - }, - { - Type: "OIDCDiscoverySucceeded", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name), - }, - { - Type: "AdditionalAuthorizeParametersValid", - Status: "True", - Reason: "Success", - Message: "additionalAuthorizeParameters parameter names are allowed", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name), - }, - }) - }) - - t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist", func(t *testing.T) { - t.Parallel() - - badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{ - "ca.crt": "This is not a real CA bundle", - }) - - spec := idpv1alpha1.OIDCIdentityProviderSpec{ - Issuer: env.SupervisorUpstreamOIDC.Issuer, - TLS: &idpv1alpha1.TLSSpec{ - CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{ - Kind: "ConfigMap", - Name: badCABundleConfigMap.Name, - Key: "key-not-present", - }, - }, - AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{ - AdditionalScopes: []string{"email", "profile"}, - }, - Client: idpv1alpha1.OIDCClient{ - SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", 
"test-client-secret").Name, - }, - } - upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError) - expectUpstreamConditions(t, upstream, []metav1.Condition{ - { - Type: "ClientCredentialsSecretValid", - Status: "True", - Reason: "Success", - Message: "loaded client credentials", - }, - { - Type: "OIDCDiscoverySucceeded", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name), - }, - { - Type: "AdditionalAuthorizeParametersValid", - Status: "True", - Reason: "Success", - Message: "additionalAuthorizeParameters parameter names are allowed", - }, - { - Type: "TLSConfigurationValid", - Status: "False", - Reason: "InvalidTLSConfig", - Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name), - }, - }) - }) } func expectUpstreamConditions(t *testing.T, upstream *idpv1alpha1.OIDCIdentityProvider, expected []metav1.Condition) {