diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go
index e61d0ada3164b..4136a1948e616 100644
--- a/util/oidc/oidc_test.go
+++ b/util/oidc/oidc_test.go
@@ -9,6 +9,7 @@ import (
 "net/http/httptest"
 "net/url"
 "os"
+ "strings"
 "testing"
 
 gooidc "github.com/coreos/go-oidc"
@@ -133,7 +134,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleLogin(w, req)
 
- assert.Contains(t, w.Body.String(), "certificate is not trusted")
+ if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 
 cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -145,6 +148,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 app.HandleLogin(w, req)
 
 assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+ assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 })
 
 t.Run("dex certificate checking during login should toggle on config", func(t *testing.T) {
@@ -170,7 +174,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleLogin(w, req)
 
- assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+ if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 
 cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -181,6 +187,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleLogin(w, req)
 
+ assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 })
 }
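Review bot: The three-line `if !strings.Contains(...) && !strings.Contains(...) { t.Fatal(...) }` block introduced in the -133 hunk is repeated verbatim in the -170, -211 and -248 hunks of this file and in the -585, -619 and -653 hunks of sessionmanager_test.go, and its `t.Fatal` message drops the body that was actually returned, so a failure gives no hint of which error the handler produced instead of the certificate rejection. A small helper with `t.Helper()` and a `t.Fatalf` that quotes the response removes the duplication and makes a regression in certificate verification diagnosable from the test log; sessionmanager_test.go is a separate package, so it would carry its own copy (two copies instead of eight), called as `requireCertVerifyError(t, err.Error())` after the `require.Error` those hunks already add. Each call site here becomes `requireCertVerifyError(t, w.Body.String())`. The enclosing t.Run closures start and end outside these hunks.
```go
// requireCertVerifyError fails the test unless body carries one of the two
// environment-dependent x509 messages produced when the server certificate is rejected.
func requireCertVerifyError(t *testing.T, body string) {
	t.Helper()
	if strings.Contains(body, "certificate signed by unknown authority") ||
		strings.Contains(body, "certificate is not trusted") {
		return
	}
	t.Fatalf("expected a certificate verification failure, got: %q", body)
}

// … unchanged: client app and request setup …
app.HandleLogin(w, req)
requireCertVerifyError(t, w.Body.String())
```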
@@ -211,7 +218,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleCallback(w, req)
 
- assert.Contains(t, w.Body.String(), "certificate is not trusted")
+ if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 
 cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -223,6 +232,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 app.HandleCallback(w, req)
 
 assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+ assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 })
 
 t.Run("dex certificate checking during oidc callback should toggle on config", func(t *testing.T) {
@@ -248,7 +258,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleCallback(w, req)
 
- assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+ if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 
 cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -259,6 +271,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 app.HandleCallback(w, req)
 
+ assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 })
 }
diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go
index 6e35689421eb1..83327e594ce9c 100644
--- a/util/session/sessionmanager_test.go
+++ b/util/session/sessionmanager_test.go
@@ -550,8 +550,10 @@ rootCA: |
 require.NoError(t, err)
 
 _, _, err = mgr.VerifyToken(tokenString)
- // If the root CA is being respected, we won't get this error.
+ // If the root CA is being respected, we won't get this error. The error message is environment-dependent, so
+ // we check for either of the error messages associated with a failed cert check.
 assert.NotContains(t, err.Error(), "certificate is not trusted")
+ assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 })
 
 t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
@@ -585,7 +587,10 @@ rootCA: |
 require.NoError(t, err)
 
 _, _, err = mgr.VerifyToken(tokenString)
- assert.ErrorContains(t, err, "certificate signed by unknown authority")
+ require.Error(t, err)
+ if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 })
 
 t.Run("OIDC provider is external, TLS is configured", func(t *testing.T) {
@@ -619,7 +624,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 require.NoError(t, err)
 
 _, _, err = mgr.VerifyToken(tokenString)
- assert.ErrorContains(t, err, "certificate is not trusted")
+ require.Error(t, err)
+ if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 })
 
 t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
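Review bot: The added `assert.NotContains(t, err.Error(), "certificate signed by unknown authority")` in the -550 hunk calls err.Error() with no nil guard, as does the existing line above it, so if VerifyToken ever returned nil here the test would panic on a nil dereference instead of reporting a readable failure; the -585 and -619 hunks in this same file add `require.Error(t, err)` before inspecting the message, and the -688 and -718 hunks leave the same gap. Adding `require.Error(t, err)` ahead of the NotContains pair in those three places keeps the error handling consistent across the file. The rewritten comment in the -550 hunk reads as if a positive match follows, while the two assertions are negative; `// A failed cert check is worded differently per environment, so make sure neither variant appears.` describes the pair more accurately. No hunk adds a `strings` import to sessionmanager_test.go, so the new `strings.Contains` calls presumably rely on an import that already exists outside this diff. The enclosing t.Run closures start outside these hunks.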
@@ -653,7 +661,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 require.NoError(t, err)
 
 _, _, err = mgr.VerifyToken(tokenString)
- assert.ErrorContains(t, err, "certificate signed by unknown authority")
+ require.Error(t, err)
+ if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+ t.Fatal("did not receive expected certificate verification failure error")
+ }
 })
 
 t.Run("OIDC provider is external, TLS is configured, OIDCTLSInsecureSkipVerify is true", func(t *testing.T) {
@@ -688,6 +699,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 require.NoError(t, err)
 
 _, _, err = mgr.VerifyToken(tokenString)
+ assert.NotContains(t, err.Error(), "certificate is not trusted")
 assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 })
 
@@ -718,5 +730,6 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 _, _, err = mgr.VerifyToken(tokenString)
 // This is the error thrown when the test server's certificate _is_ being verified.
 assert.NotContains(t, err.Error(), "certificate is not trusted")
+ assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 })
 }