From 8df55ddbe530c85a4924b5a348dbe29f0285e265 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Tue, 1 Mar 2016 11:37:00 -0800
Subject: [PATCH] plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types

The provider config has changed a little bit in go-oidc. It is more complete and now throws errors when unmarshaling provider configs that are missing required fields (as defined by the OpenID Connect Discovery spec).

Update the oidc plugin to use the new type.
---
 .../pkg/auth/authenticator/token/oidc/oidc.go | 4 --
 .../authenticator/token/oidc/oidc_test.go | 38 +++++++++++++------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc.go b/plugin/pkg/auth/authenticator/token/oidc/oidc.go
index 4c042d6115a..c9071b1d723 100644
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc.go
@@ -99,10 +99,6 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
 glog.Infof("Fetched provider config from %s: %#v", issuerURL, cfg)
- if cfg.KeysEndpoint == "" {
- return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")
- }
-
 ccfg := oidc.ClientConfig{
 HTTPClient: hc,
 Credentials: oidc.ClientCredentials{ID: clientID},
diff --git a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
index d8260b842f7..a2e3559ce29 100644
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
@@ -31,6 +31,7 @@ import (
 "net"
 "net/http"
 "net/http/httptest"
+ "net/url"
 "os"
 "path"
 "path/filepath"
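Review bot: Dropping the `cfg.KeysEndpoint == ""` guard leaves `New` with no check of its own that the provider advertised a JWKS endpoint, and the updated test shows the only signal an operator now gets for that case is the generic `failed to fetch provider config after 3 retries`, which reads like a network problem rather than a rejected discovery document. The guard was cheap defence in depth against the library relaxing its validation in a later version; since the tests show `ProviderConfig.KeysEndpoint` is now a `*url.URL`, it can stay as `if cfg.KeysEndpoint == nil { return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery") }` directly after the `glog.Infof` line, assuming `cfg` is that type. The retry loop that produces the generic message sits above this hunk; if it discards the last fetch error, wrapping it into the returned message with `%v` would restore the cause for operators. `New` starts and ends outside the hunk.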
@@ -70,8 +71,16 @@ func newOIDCProvider(t *testing.T) *oidcProvider {
 }
+func mustParseURL(t *testing.T, s string) *url.URL {
+ u, err := url.Parse(s)
+ if err != nil {
+ t.Fatalf("Failed to parse url: %v", err)
+ }
+ return u
+}
+
 func (op *oidcProvider) handleConfig(w http.ResponseWriter, req *http.Request) {
- b, err := json.Marshal(op.pcfg)
+ b, err := json.Marshal(&op.pcfg)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
 return
@@ -203,7 +212,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) {
 func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
 var err error
- expectErr := fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")
+ expectErr := fmt.Errorf("failed to fetch provider config after 3 retries")
 cert := path.Join(os.TempDir(), "oidc-cert")
 key := path.Join(os.TempDir(), "oidc-key")
@@ -225,7 +234,7 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
 // defer srv.Close()
 op.pcfg = oidc.ProviderConfig{
- Issuer: srv.URL,
+ Issuer: mustParseURL(t, srv.URL),
 // An invalid ProviderConfig. Keys endpoint is required.
 }
 _, err = New(srv.URL, "client-foo", cert, "sub", "")
@@ -245,8 +254,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
 // defer srv.Close()
 op.pcfg = oidc.ProviderConfig{
- Issuer: srv.URL,
- KeysEndpoint: srv.URL + "/keys",
+ Issuer: mustParseURL(t, srv.URL),
+ KeysEndpoint: mustParseURL(t, srv.URL+"/keys"),
 }
 expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http")
@@ -282,8 +291,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
 // defer tlsSrv.Close()
 op.pcfg = oidc.ProviderConfig{
- Issuer: tlsSrv.URL,
- KeysEndpoint: tlsSrv.URL + "/keys",
+ Issuer: mustParseURL(t, tlsSrv.URL),
+ KeysEndpoint: mustParseURL(t, tlsSrv.URL+"/keys"),
 }
 // Create a client using cert2, should fail.
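Review bot: `expectErr` in TestOIDCDiscoveryNoKeyEndpoint now matches a generic retry-exhaustion message, so the test no longer establishes that the provider config was rejected because `jwks_uri` is missing; a test server that is unreachable or returns garbage would satisfy the same assertion, and a regression that silently accepts a config without a keys endpoint would only be caught if the retry loop happened to fail for another reason. The comparison against `expectErr` is outside the hunk, so I cannot tell whether `New` surfaces the underlying go-oidc error; if it does, assert on that cause (for example with `strings.Contains`) rather than on the wrapper text. If it does not, a comment next to the new line, `// go-oidc now rejects the config during unmarshaling; New reports that as a fetch/retry failure.`, would at least stop the next reader from taking this for a timeout test. TestOIDCDiscoveryNoKeyEndpoint continues past the end of this hunk.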
@@ -317,9 +326,15 @@ func TestOIDCAuthentication(t *testing.T) {
 // TODO: Uncomment when fix #19254
 // defer srv.Close()
+ // A provider config with all required fields.
 op.pcfg = oidc.ProviderConfig{
- Issuer: srv.URL,
- KeysEndpoint: srv.URL + "/keys",
+ Issuer: mustParseURL(t, srv.URL),
+ AuthEndpoint: mustParseURL(t, srv.URL+"/auth"),
+ TokenEndpoint: mustParseURL(t, srv.URL+"/token"),
+ KeysEndpoint: mustParseURL(t, srv.URL+"/keys"),
+ ResponseTypesSupported: []string{"code"},
+ SubjectTypesSupported: []string{"public"},
+ IDTokenSigningAlgValues: []string{"RS256"},
 }
 tests := []struct {
@@ -371,7 +386,7 @@ func TestOIDCAuthentication(t *testing.T) {
 op.generateMalformedToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil),
 nil,
 false,
- "malformed JWS, unable to decode signature",
+ "oidc: unable to verify JWT signature: no matching keys",
 },
 {
 // Invalid 'aud'.
@@ -404,7 +419,8 @@ func TestOIDCAuthentication(t *testing.T) {
 for i, tt := range tests {
 client, err := New(srv.URL, "client-foo", cert, tt.userClaim, tt.groupsClaim)
 if err != nil {
- t.Fatalf("Unexpected error: %v", err)
+ t.Errorf("Unexpected error: %v", err)
+ continue
 }
 user, result, err := client.AuthenticateToken(tt.token)
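Review bot: The new expected error `oidc: unable to verify JWT signature: no matching keys` for the `generateMalformedToken` case reads as a key-lookup failure rather than a signature-decoding failure, so this case may no longer exercise the path where a well-formed token with a matching key carries a bad signature; whether that is so depends on what `generateMalformedToken` emits, which is outside the hunk. If it corrupts the signature bytes, consider keeping one case whose header and `kid` resolve to a served key but whose signature is altered, so the table pins the verification-failure path and not only the no-key path. At minimum a comment on the case, `// Rejected at key lookup, not at signature verification; see generateMalformedToken.`, would record which check is being tested. TestOIDCAuthentication continues past the end of this hunk.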