diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go
index 4dfd273271180..1a675f960d4ff 100644
--- a/util/oidc/oidc_test.go
+++ b/util/oidc/oidc_test.go
@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
 
 	gooidc "github.com/coreos/go-oidc"
@@ -142,7 +143,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleLogin(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate is not trusted")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -154,6 +157,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleLogin(w, req)
 
 		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 
 	t.Run("dex certificate checking during login should toggle on config", func(t *testing.T) {
@@ -179,7 +183,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleLogin(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -190,6 +196,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleLogin(w, req)
 
+		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 }
 
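Review bot: The `t.Fatal` that replaces `assert.Contains` in the -142 hunk drops the response body, so when neither message matches (a third verifier wording, or a non-TLS failure such as a refused connection) the failure output gives no clue what actually came back, whereas the old assertion printed it. Use `t.Fatalf("did not receive expected certificate verification failure error, got: %s", w.Body.String())` here and in the parallel -179 hunk. Separately, the negative check after `cdSettings.OIDCTLSInsecureSkipVerify = true` only proves the two strings are absent, so the subtest would also pass if login failed for an unrelated reason; asserting the expected status or redirect on `w` would pin that verification was actually skipped, though the expected outcome is not visible in this hunk. The enclosing subtest closure starts and ends outside the hunk.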
@@ -220,7 +227,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleCallback(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate is not trusted")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -232,6 +241,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleCallback(w, req)
 
 		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 
 	t.Run("dex certificate checking during oidc callback should toggle on config", func(t *testing.T) {
@@ -257,7 +267,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleCallback(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -268,6 +280,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleCallback(w, req)
 
+		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 }
 
diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go
index 0717036aea385..6a9ce5e223c66 100644
--- a/util/session/sessionmanager_test.go
+++ b/util/session/sessionmanager_test.go
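Review bot: The two-`strings.Contains` check with a fixed `t.Fatal` message in the -220 and -257 hunks is the same code already pasted twice earlier in this file, and each copy omits the observed body from the failure output. A small test helper that calls `t.Helper()` keeps the reported line at the call site, carries the body into the message, and gives one place to add another verifier wording if a further platform shows up; each occurrence then becomes `requireCertVerificationError(t, w.Body.String())`. The `strings` import the helper needs is already added by this commit. The enclosing subtest closures start outside the hunks.

```go
// requireCertVerificationError fails the test unless body carries one of the
// TLS verification failure messages (wording differs between platform verifiers).
func requireCertVerificationError(t *testing.T, body string) {
	t.Helper()
	if !strings.Contains(body, "certificate signed by unknown authority") && !strings.Contains(body, "certificate is not trusted") {
		t.Fatalf("did not receive expected certificate verification failure error, got: %s", body)
	}
}
```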
@@ -521,8 +521,10 @@ rootCA: |
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		// If the root CA is being respected, we won't get this error.
+		// If the root CA is being respected, we won't get this error. The error message is environment-dependent, so
+		// we check for either of the error messages associated with a failed cert check.
 		assert.NotContains(t, err.Error(), "certificate is not trusted")
+		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 
 	t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
@@ -556,8 +558,10 @@ rootCA: |
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "certificate signed by unknown authority")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is external, TLS is configured", func(t *testing.T) {
@@ -591,8 +595,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "certificate is not trusted")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
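Review bot: In the -521 hunk both `assert.NotContains(t, err.Error(), …)` lines dereference `err` without first establishing it is non-nil, so if `mgr.VerifyToken` ever succeeds here the subtest panics on a nil pointer instead of reporting a clean result, and the added line doubles that exposure. The updated comment says a different error is expected when the root CA is respected, so a `require.Error(t, err)` before the two checks (as the -556 hunk now does) would make that expectation explicit and fail cleanly; if a nil error is in fact acceptable for this case, guard with `if err != nil { … }` instead. The subtest's setup, including how `tokenString` is produced, lies outside the hunk, so which of the two applies is not visible here. Also worth noting that the -556 hunk's `t.Fatal` loses the actual error text; `t.Fatalf("…, got: %v", err)` would keep it.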
@@ -626,8 +632,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "certificate signed by unknown authority")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is external, TLS is configured, OIDCTLSInsecureSkipVerify is true", func(t *testing.T) {
@@ -662,6 +670,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
+		assert.NotContains(t, err.Error(), "certificate is not trusted")
 		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 
@@ -692,5 +701,6 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		_, _, err = mgr.VerifyToken(tokenString)
 		// This is the error thrown when the test server's certificate _is_ being verified.
 		assert.NotContains(t, err.Error(), "certificate is not trusted")
+		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 }
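Review bot: In the -692 hunk the comment `// This is the error thrown when the test server's certificate _is_ being verified.` now sits above two assertions but still describes a single error and gives no reason for the second wording; rewording it to `// These are the errors thrown (wording varies by platform TLS verifier) when the test server's certificate _is_ being verified.` would match the explanation the commit adds at the -521 hunk. The same applies to the -662 hunk, which has no comment at all for why two strings are excluded. In both hunks `err.Error()` is called with no nil check, so a `require.Error(t, err)` (or `if err != nil`) ahead of the assertions would turn a nil result into a reported failure rather than a panic — the setup of these subtests is outside the hunks, so I can't tell whether a nil error is reachable.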