add integration test for TLS config validation in OIDCIdentityProvider

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>

test/integration/supervisor_upstream_test.go

@@ -5,6 +5,7 @@ package integration
 
 import (
 	"encoding/base64"
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -126,6 +127,252 @@ oidc: issuer did not match the issuer returned by provider, expected "` + env.Su
 			expectedTLSConfigValidCondition(env.SupervisorUpstreamOIDC.CABundle != ""),
 		})
 	})
+
+	t.Run("invalid when tlsSpec supplies both certificateAuthorityData and certificateAuthorityDataSource", func(t *testing.T) {
+		t.Parallel()
+		spec := idpv1alpha1.OIDCIdentityProviderSpec{
+			Issuer: env.SupervisorUpstreamOIDC.Issuer,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte(env.SupervisorUpstreamOIDC.CABundle)),
+				CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+					Kind: "ConfigMap",
+					Name: "does=not-matter",
+					Key:  "also-does-not-matter",
+				},
+			},
+			AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+				AdditionalScopes: []string{"email", "profile"},
+			},
+			Client: idpv1alpha1.OIDCClient{
+				SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+			},
+		}
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+		expectUpstreamConditions(t, upstream, []metav1.Condition{
+			{
+				Type:    "ClientCredentialsSecretValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "loaded client credentials",
+			},
+			{
+				Type:    "OIDCDiscoverySucceeded",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
+			},
+			{
+				Type:    "AdditionalAuthorizeParametersValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "additionalAuthorizeParameters parameter names are allowed",
+			},
+			{
+				Type:    "TLSConfigurationValid",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls is invalid: both tls.certificateAuthorityDataSource and tls.certificateAuthorityData provided",
+			},
+		})
+	})
+
+	t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not exist", func(t *testing.T) {
+		t.Parallel()
+		spec := idpv1alpha1.OIDCIdentityProviderSpec{
+			Issuer: env.SupervisorUpstreamOIDC.Issuer,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+					Kind: "ConfigMap",
+					Name: "does=not-exist",
+					Key:  "does-not-matter",
+				},
+			},
+			AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+				AdditionalScopes: []string{"email", "profile"},
+			},
+			Client: idpv1alpha1.OIDCClient{
+				SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+			},
+		}
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+		expectUpstreamConditions(t, upstream, []metav1.Condition{
+			{
+				Type:    "ClientCredentialsSecretValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "loaded client credentials",
+			},
+			{
+				Type:    "OIDCDiscoverySucceeded",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found",
+			},
+			{
+				Type:    "AdditionalAuthorizeParametersValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "additionalAuthorizeParameters parameter names are allowed",
+			},
+			{
+				Type:    "TLSConfigurationValid",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/does=not-exist\": configmap \"does=not-exist\" not found",
+			},
+		})
+	})
+
+	t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a secret that does not exist", func(t *testing.T) {
+		t.Parallel()
+		spec := idpv1alpha1.OIDCIdentityProviderSpec{
+			Issuer: env.SupervisorUpstreamOIDC.Issuer,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+					Kind: "Secret",
+					Name: "does=not-exist",
+					Key:  "does-not-matter",
+				},
+			},
+			AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+				AdditionalScopes: []string{"email", "profile"},
+			},
+			Client: idpv1alpha1.OIDCClient{
+				SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+			},
+		}
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+		expectUpstreamConditions(t, upstream, []metav1.Condition{
+			{
+				Type:    "ClientCredentialsSecretValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "loaded client credentials",
+			},
+			{
+				Type:    "OIDCDiscoverySucceeded",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found",
+			},
+			{
+				Type:    "AdditionalAuthorizeParametersValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "additionalAuthorizeParameters parameter names are allowed",
+			},
+			{
+				Type:    "TLSConfigurationValid",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: "spec.tls.certificateAuthorityDataSource is invalid: failed to get secret \"supervisor/does=not-exist\": secret \"does=not-exist\" not found",
+			},
+		})
+	})
+
+	t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a configmap that does not have valid PEM bytes", func(t *testing.T) {
+		t.Parallel()
+
+		badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{
+			"ca.crt": "This is not a real CA bundle",
+		})
+
+		spec := idpv1alpha1.OIDCIdentityProviderSpec{
+			Issuer: env.SupervisorUpstreamOIDC.Issuer,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+					Kind: "ConfigMap",
+					Name: badCABundleConfigMap.Name,
+					Key:  "ca.crt",
+				},
+			},
+			AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+				AdditionalScopes: []string{"email", "profile"},
+			},
+			Client: idpv1alpha1.OIDCClient{
+				SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+			},
+		}
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+		expectUpstreamConditions(t, upstream, []metav1.Condition{
+			{
+				Type:    "ClientCredentialsSecretValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "loaded client credentials",
+			},
+			{
+				Type:    "OIDCDiscoverySucceeded",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name),
+			},
+			{
+				Type:    "AdditionalAuthorizeParametersValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "additionalAuthorizeParameters parameter names are allowed",
+			},
+			{
+				Type:    "TLSConfigurationValid",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: failed to get configmap \"supervisor/%s\": configmap \"%s\" not found", badCABundleConfigMap.Name, badCABundleConfigMap.Name),
+			},
+		})
+	})
+
+	t.Run("invalid when spec.tls.certificateAuthorityDataSource refers to a key in a configmap that does not exist", func(t *testing.T) {
+		t.Parallel()
+
+		badCABundleConfigMap := testlib.CreateTestConfigMap(t, env.SupervisorNamespace, "ca-bundle", map[string]string{
+			"ca.crt": "This is not a real CA bundle",
+		})
+
+		spec := idpv1alpha1.OIDCIdentityProviderSpec{
+			Issuer: env.SupervisorUpstreamOIDC.Issuer,
+			TLS: &idpv1alpha1.TLSSpec{
+				CertificateAuthorityDataSource: &idpv1alpha1.CertificateAuthorityDataSourceSpec{
+					Kind: "ConfigMap",
+					Name: badCABundleConfigMap.Name,
+					Key:  "key-not-present",
+				},
+			},
+			AuthorizationConfig: idpv1alpha1.OIDCAuthorizationConfig{
+				AdditionalScopes: []string{"email", "profile"},
+			},
+			Client: idpv1alpha1.OIDCClient{
+				SecretName: testlib.CreateOIDCClientCredentialsSecret(t, "test-client-id", "test-client-secret").Name,
+			},
+		}
+		upstream := testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseError)
+		expectUpstreamConditions(t, upstream, []metav1.Condition{
+			{
+				Type:    "ClientCredentialsSecretValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "loaded client credentials",
+			},
+			{
+				Type:    "OIDCDiscoverySucceeded",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name),
+			},
+			{
+				Type:    "AdditionalAuthorizeParametersValid",
+				Status:  "True",
+				Reason:  "Success",
+				Message: "additionalAuthorizeParameters parameter names are allowed",
+			},
+			{
+				Type:    "TLSConfigurationValid",
+				Status:  "False",
+				Reason:  "InvalidTLSConfig",
+				Message: fmt.Sprintf("spec.tls.certificateAuthorityDataSource is invalid: key \"key-not-present\" not found in configmap \"supervisor/%s\"", badCABundleConfigMap.Name),
+			},
+		})
+	})
 }
 
 func expectUpstreamConditions(t *testing.T, upstream *idpv1alpha1.OIDCIdentityProvider, expected []metav1.Condition) {