Add E2E tests for OIDC token validation #323
Conversation
alegacy
force-pushed
the
feature/add-e2e-tests-for-oidc
branch
from
042bd58 to
c04635c
Compare
@stlaz My apologies. Was just following what already existed in this repo since the private key for client testing is already stored. I'll do my best to refactor. |
|
No need to apologize 🙂 I don't think there were private keys before in the repo, which is a little bit of a difference. I believe Red Hat infosec detects that at least in their repos, not sure if by any chance for all of their employees. so you may still be getting an email from them 😁 I believe that generating cryptomaterial as a golang fixture will be a great improvement to the test suite, actually, and would be very welcome 👍 |
I reworked my changes on the weekend and now have fixtures for the certs and tokens. Still need to do a bit of testing before I update the PR with the new code. Thanks for the quick review. |
alegacy
force-pushed
the
feature/add-e2e-tests-for-oidc
branch
from
c04635c to
f6d634d
Compare
|
@stlaz Pushed new changes with an attempt at refactoring to create certs/tokens dynamically. Please take another look when you have a chance. |
| github.com/moby/term v0.5.0 // indirect | ||
| github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||
| github.com/modern-go/reflect2 v1.0.2 // indirect | ||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||
| github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect |
There was a problem hiding this comment.
that's a version from 10 years ago 😱
Is there an alternative that you would recommend? |
An ideal alternative would be something we can actually run in a container but that might be hard. Basically you'd have an HTTP server and you'd instruct it with how it should respond to certain queries. kubernetes/kubernetes is using https://github.com/uber-go/mock for mocking (it's actually using an older version that was originally in the golang org). Not sure whether we could actually use it here, too. |
mock-server is the most popular out there as far as I can tell even though the maintainer seems to have disappeared. Given its popularity i would hope someone would pick it up, but if you don't like depending on that then may https://wiremock.org/ might work, i'll take a look at what its capabilities are. |
That's exactly what mock-server does. It's also what wiremock does -- i'm testing this one now to see if it'll do what we need. |
This partially cherry-picks commit 204148c from the sig-auth-acceptance branch so that the certificate utilities can be used. Signed-off-by: Allain Legacy <[email protected]>
Unify cert template generation. SKID and AKID should be properly computed by Golang, no need to add them explicitly - unless we need explicit SKID but that's not the case in our tests.
The previous design was mixing CA and leaf certificates, making it easy to confuse them at place of use. Have all the leaf cryptomaterial in a secret, and the trust in the CM to avoid those issues.
This adds end-to-end tests and supporting material to execute tests that validate parts of the OIDC functionality. Signed-off-by: Allain Legacy <[email protected]>
alegacy
force-pushed
the
feature/add-e2e-tests-for-oidc
branch
from
f6d634d to
634fe0a
Compare
|
@stlaz I've updated with changes to use wiremock instead of mock-server. Please have another look. |
|
@stlaz Any chance you could re-review this so we can move this forward? |
This adds end-to-end tests and supporting material to execute tests that validate parts of the OIDC functionality.
Current tests include: