Add E2E tests for OIDC token validation #323
base: master
Force-pushed from 042bd58 to c04635c
Thank you for your pull request.
Please don't add private keys to this repository - ideally we would remove them from the manifests, too. Our test suite is in golang so please move your bash tests into golang.
@stlaz My apologies. Was just following what already existed in this repo since the private key for client testing is already stored. I'll do my best to refactor.
No need to apologize 🙂 I don't think there were private keys before in the repo, which is a little bit of a difference. I believe Red Hat infosec detects that at least in their repos, not sure if by any chance for all of their employees, so you may still be getting an email from them 😁 I believe that generating cryptomaterial as a golang fixture will be a great improvement to the test suite, actually, and would be very welcome 👍
I reworked my changes on the weekend and now have fixtures for the certs and tokens. Still need to do a bit of testing before I update the PR with the new code. Thanks for the quick review.
Force-pushed from c04635c to f6d634d
@stlaz Pushed new changes with an attempt at refactoring to create certs/tokens dynamically. Please take another look when you have a chance.
Thank you, this must have been a lot of work.
I think we'll need to change the mockserver though, the current one is unmaintained.
github.com/moby/term v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
that's a version from 10 years ago 😱
Is there an alternative that you would recommend?
An ideal alternative would be something we can actually run in a container but that might be hard. Basically you'd have an HTTP server and you'd instruct it with how it should respond to certain queries. kubernetes/kubernetes is using https://github.com/uber-go/mock for mocking (it's actually using an older version that was originally in the golang org). Not sure whether we could actually use it here, too.
mock-server is the most popular out there as far as I can tell even though the maintainer seems to have disappeared. Given its popularity I would hope someone would pick it up, but if you don't like depending on that then maybe https://wiremock.org/ might work; I'll take a look at what its capabilities are.
That's exactly what mock-server does. It's also what wiremock does -- I'm testing this one now to see if it'll do what we need.
This partially cherry-picks commit 204148c from the sig-auth-acceptance branch so that the certificate utilities can be used. Signed-off-by: Allain Legacy <[email protected]>
Unify cert template generation. SKID and AKID should be properly computed by Golang, no need to add them explicitly - unless we need explicit SKID but that's not the case in our tests.
The previous design was mixing CA and leaf certificates, making it easy to confuse them at place of use. Have all the leaf cryptomaterial in a secret, and the trust in the CM to avoid those issues.
This adds end-to-end tests and supporting material to execute tests that validate parts of the OIDC functionality. Signed-off-by: Allain Legacy <[email protected]>
Force-pushed from f6d634d to 634fe0a
@stlaz I've updated with changes to use wiremock instead of mock-server. Please have another look.
@stlaz Any chance you could re-review this so we can move this forward?
Sorry about the delay, I'll try to get to this at the beginning of the next week.
@stlaz ...reminder
This adds end-to-end tests and supporting material to execute tests that validate parts of the OIDC functionality.
Current tests include: