plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types

The ProviderConfig type in go-oidc has changed slightly. It is more
complete and now returns an error when unmarshaling a provider config
that is missing required fields (as defined by the OpenID Connect
Discovery spec), instead of leaving them empty.

Update the oidc plugin to use the new type.
Eric Chiang 2016-03-01 11:37:00 -08:00
parent 3df0ca5bf9
commit 8df55ddbe5
2 changed files with 27 additions and 15 deletions


@ -99,10 +99,6 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
glog.Infof("Fetched provider config from %s: %#v", issuerURL, cfg) glog.Infof("Fetched provider config from %s: %#v", issuerURL, cfg)
if cfg.KeysEndpoint == "" {
return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")
}
ccfg := oidc.ClientConfig{ ccfg := oidc.ClientConfig{
HTTPClient: hc, HTTPClient: hc,
Credentials: oidc.ClientCredentials{ID: clientID}, Credentials: oidc.ClientCredentials{ID: clientID},
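Review bot: Removing the explicit `jwks_uri` check leaves this constructor relying entirely on go-oidc's unmarshal-time validation, and the companion test in this commit now expects only `failed to fetch provider config after 3 retries` where it used to expect the jwks_uri message, so an operator pointing at a provider without a keys endpoint gets a generic retry failure instead of the actionable cause. Since KeysEndpoint is now a `*url.URL` (the test file builds it with mustParseURL), a cheap defensive guard after the fetch preserves the specific message: `if cfg.KeysEndpoint == nil {` / `return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")` / `}`. The `%#v` log line just above will presumably now render the URL fields as pointer addresses rather than URLs, which makes the discovery log much less useful when debugging a misconfigured issuer; `%+v` or logging the individual endpoints as strings would be clearer. The enclosing function New starts and ends outside this hunk.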


@ -31,6 +31,7 @@ import (
"net" "net"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url"
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
@ -70,8 +71,16 @@ func newOIDCProvider(t *testing.T) *oidcProvider {
} }
func mustParseURL(t *testing.T, s string) *url.URL {
u, err := url.Parse(s)
if err != nil {
t.Fatalf("Failed to parse url: %v", err)
}
return u
}
func (op *oidcProvider) handleConfig(w http.ResponseWriter, req *http.Request) { func (op *oidcProvider) handleConfig(w http.ResponseWriter, req *http.Request) {
b, err := json.Marshal(op.pcfg) b, err := json.Marshal(&op.pcfg)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
return return
@ -203,7 +212,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) {
func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) { func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
var err error var err error
expectErr := fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery") expectErr := fmt.Errorf("failed to fetch provider config after 3 retries")
cert := path.Join(os.TempDir(), "oidc-cert") cert := path.Join(os.TempDir(), "oidc-cert")
key := path.Join(os.TempDir(), "oidc-key") key := path.Join(os.TempDir(), "oidc-key")
@ -225,7 +234,7 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
// defer srv.Close() // defer srv.Close()
op.pcfg = oidc.ProviderConfig{ op.pcfg = oidc.ProviderConfig{
Issuer: srv.URL, Issuer: mustParseURL(t, srv.URL), // An invalid ProviderConfig. Keys endpoint is required.
} }
_, err = New(srv.URL, "client-foo", cert, "sub", "") _, err = New(srv.URL, "client-foo", cert, "sub", "")
@ -245,8 +254,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
// defer srv.Close() // defer srv.Close()
op.pcfg = oidc.ProviderConfig{ op.pcfg = oidc.ProviderConfig{
Issuer: srv.URL, Issuer: mustParseURL(t, srv.URL),
KeysEndpoint: srv.URL + "/keys", KeysEndpoint: mustParseURL(t, srv.URL+"/keys"),
} }
expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http") expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http")
@ -282,8 +291,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
// defer tlsSrv.Close() // defer tlsSrv.Close()
op.pcfg = oidc.ProviderConfig{ op.pcfg = oidc.ProviderConfig{
Issuer: tlsSrv.URL, Issuer: mustParseURL(t, tlsSrv.URL),
KeysEndpoint: tlsSrv.URL + "/keys", KeysEndpoint: mustParseURL(t, tlsSrv.URL+"/keys"),
} }
// Create a client using cert2, should fail. // Create a client using cert2, should fail.
@ -317,9 +326,15 @@ func TestOIDCAuthentication(t *testing.T) {
// TODO: Uncomment when fix #19254 // TODO: Uncomment when fix #19254
// defer srv.Close() // defer srv.Close()
// A provider config with all required fields.
op.pcfg = oidc.ProviderConfig{ op.pcfg = oidc.ProviderConfig{
Issuer: srv.URL, Issuer: mustParseURL(t, srv.URL),
KeysEndpoint: srv.URL + "/keys", AuthEndpoint: mustParseURL(t, srv.URL+"/auth"),
TokenEndpoint: mustParseURL(t, srv.URL+"/token"),
KeysEndpoint: mustParseURL(t, srv.URL+"/keys"),
ResponseTypesSupported: []string{"code"},
SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValues: []string{"RS256"},
} }
tests := []struct { tests := []struct {
@ -371,7 +386,7 @@ func TestOIDCAuthentication(t *testing.T) {
op.generateMalformedToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil), op.generateMalformedToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil),
nil, nil,
false, false,
"malformed JWS, unable to decode signature", "oidc: unable to verify JWT signature: no matching keys",
}, },
{ {
// Invalid 'aud'. // Invalid 'aud'.
@ -404,7 +419,8 @@ func TestOIDCAuthentication(t *testing.T) {
for i, tt := range tests { for i, tt := range tests {
client, err := New(srv.URL, "client-foo", cert, tt.userClaim, tt.groupsClaim) client, err := New(srv.URL, "client-foo", cert, tt.userClaim, tt.groupsClaim)
if err != nil { if err != nil {
t.Fatalf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
continue
} }
user, result, err := client.AuthenticateToken(tt.token) user, result, err := client.AuthenticateToken(tt.token)