Merge branch 'master' into feat/dex-https-separated
notfromstatefarm authored Jul 12, 2022
2 parents 7dc2243 + b515ea7 commit 6499bf8
Showing 2 changed files with 34 additions and 8 deletions.
21 changes: 17 additions & 4 deletions util/oidc/oidc_test.go
Expand Up @@ -9,6 +9,7 @@ import (
"net/http/httptest"
"net/url"
"os"
"strings"
"testing"

gooidc "github.com/coreos/go-oidc"
Expand Down Expand Up @@ -133,7 +134,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleLogin(w, req)

assert.Contains(t, w.Body.String(), "certificate is not trusted")
if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}

cdSettings.OIDCTLSInsecureSkipVerify = true

Expand All @@ -145,6 +148,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
app.HandleLogin(w, req)

assert.NotContains(t, w.Body.String(), "certificate is not trusted")
assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
})

t.Run("dex certificate checking during login should toggle on config", func(t *testing.T) {
Expand All @@ -170,7 +174,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleLogin(w, req)

assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}

cdSettings.OIDCTLSInsecureSkipVerify = true

Expand All @@ -181,6 +187,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleLogin(w, req)

assert.NotContains(t, w.Body.String(), "certificate is not trusted")
assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
})
}
Expand Down Expand Up @@ -211,7 +218,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleCallback(w, req)

assert.Contains(t, w.Body.String(), "certificate is not trusted")
if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}

cdSettings.OIDCTLSInsecureSkipVerify = true

Expand All @@ -223,6 +232,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
app.HandleCallback(w, req)

assert.NotContains(t, w.Body.String(), "certificate is not trusted")
assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
})

t.Run("dex certificate checking during oidc callback should toggle on config", func(t *testing.T) {
Expand All @@ -248,7 +258,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleCallback(w, req)

assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}

cdSettings.OIDCTLSInsecureSkipVerify = true

Expand All @@ -259,6 +271,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),

app.HandleCallback(w, req)

assert.NotContains(t, w.Body.String(), "certificate is not trusted")
assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
})
}
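Review bot: The `t.Fatal` in the HandleLogin hunk (and the three identical blocks later in this file plus the three in util/session/sessionmanager_test.go) loses the diagnostic the replaced `assert.Contains` used to print: on failure the test now reports only a fixed message, so a reader cannot tell whether TLS verification was silently skipped or failed with some unrelated error, which matters because these tests are what guards `OIDCTLSInsecureSkipVerify = false` actually enforcing the certificate check. Suggest `t.Fatalf("did not receive expected certificate verification failure error, got: %q", w.Body.String())`. Since the same two accepted messages are spelled out seven times, a `t.Helper()`-marked helper would keep the environment-dependent wording in one place; the enclosing `t.Run` closures start outside the hunk.

```go
// requireCertVerifyFailure fails the test unless got carries one of the two
// environment-dependent messages produced for a rejected server certificate.
func requireCertVerifyFailure(t *testing.T, got string) {
	t.Helper()
	if !strings.Contains(got, "certificate signed by unknown authority") && !strings.Contains(got, "certificate is not trusted") {
		t.Fatalf("did not receive expected certificate verification failure error, got: %q", got)
	}
}

// … unchanged: request setup and app.HandleLogin(w, req) …
requireCertVerifyFailure(t, w.Body.String())
```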
21 changes: 17 additions & 4 deletions util/session/sessionmanager_test.go
Expand Up @@ -550,8 +550,10 @@ rootCA: |
require.NoError(t, err)

_, _, err = mgr.VerifyToken(tokenString)
// If the root CA is being respected, we won't get this error.
// If the root CA is being respected, we won't get this error. The error message is environment-dependent, so
// we check for either of the error messages associated with a failed cert check.
assert.NotContains(t, err.Error(), "certificate is not trusted")
assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
})

t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
Expand Down Expand Up @@ -585,7 +587,10 @@ rootCA: |
require.NoError(t, err)

_, _, err = mgr.VerifyToken(tokenString)
assert.ErrorContains(t, err, "certificate signed by unknown authority")
require.Error(t, err)
if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}
})

t.Run("OIDC provider is external, TLS is configured", func(t *testing.T) {
Expand Down Expand Up @@ -619,7 +624,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
require.NoError(t, err)

_, _, err = mgr.VerifyToken(tokenString)
assert.ErrorContains(t, err, "certificate is not trusted")
require.Error(t, err)
if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}
})

t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
Expand Down Expand Up @@ -653,7 +661,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
require.NoError(t, err)

_, _, err = mgr.VerifyToken(tokenString)
assert.ErrorContains(t, err, "certificate signed by unknown authority")
require.Error(t, err)
if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
t.Fatal("did not receive expected certificate verification failure error")
}
})

t.Run("OIDC provider is external, TLS is configured, OIDCTLSInsecureSkipVerify is true", func(t *testing.T) {
Expand Down Expand Up @@ -688,6 +699,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
require.NoError(t, err)

_, _, err = mgr.VerifyToken(tokenString)
assert.NotContains(t, err.Error(), "certificate is not trusted")
assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
})

Expand Down Expand Up @@ -718,5 +730,6 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
_, _, err = mgr.VerifyToken(tokenString)
// This is the error thrown when the test server's certificate _is_ being verified.
assert.NotContains(t, err.Error(), "certificate is not trusted")
assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
})
}
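Review bot: The added `assert.NotContains(t, err.Error(), "certificate signed by unknown authority")` lines (first hunk, and again in the two `OIDCTLSInsecureSkipVerify is true` hunks near the end) dereference `err` without first establishing it is non-nil, so if `VerifyToken` ever succeeds the test panics on a nil interface instead of reporting a clean result; the positive-case hunks in this same commit correctly add `require.Error(t, err)` before inspecting the message. The existing comment says a different error is still expected when the root CA is respected, so the cheapest consistent fix is to precede each pair with `require.Error(t, err)` as well, or to wrap both checks in `if err != nil { … }` if success is a valid outcome there. For the `VerifyToken` path, where the error value itself is available, matching `x509.UnknownAuthorityError` via `errors.As` would be less brittle than string matching, provided the error chain is preserved with `%w` through the session manager — not visible in this hunk, so worth confirming. The enclosing `t.Run` closures start outside each hunk.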
