mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3317 Commits
35 Branches
98 Tags
58 MiB
Tree: 8e96058e71
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8e96058e71'
${ noResults }
dex/connector/google/google_test.go

452 lines
13 KiB
Raw Normal View History Unescape

Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
package google
import (
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
"context"
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
"encoding/json"
"fmt"
use slog for structured logging (#3502) Signed-off-by: Sean Liao <sean+git@liao.dev>
2 years ago
"log/slog"
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
"net/http"
"net/http/httptest"
feat: Add support for configurable prompt type for Google connector (#3475) Signed-off-by: abhisek <abhisek.datta@gmail.com> Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 years ago
"net/url"
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
"os"
Google: Implement groups fetch by default service account from metadata (support for GKE workload identity) (#2989) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com> Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com> Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 years ago
"strings"
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
"testing"
"github.com/stretchr/testify/assert"
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
admin "google.golang.org/api/admin/directory/v1"
"google.golang.org/api/option"
feat: Add support for configurable prompt type for Google connector (#3475) Signed-off-by: abhisek <abhisek.datta@gmail.com> Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 years ago
"github.com/dexidp/dex/connector"
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
)
var (
// groups_0
// ┌───────┤
// groups_2 groups_1
// │ ├────────┐
// └── user_1 user_2
testGroups = map[string][]*admin.Group{
"user_1@dexidp.com": {{Email: "groups_2@dexidp.com"}, {Email: "groups_1@dexidp.com"}},
"user_2@dexidp.com": {{Email: "groups_1@dexidp.com"}},
"groups_1@dexidp.com": {{Email: "groups_0@dexidp.com"}},
"groups_2@dexidp.com": {{Email: "groups_0@dexidp.com"}},
"groups_0@dexidp.com": {},
}
callCounter = make(map[string]int)
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
)
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
func testSetup() *httptest.Server {
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
mux := http.NewServeMux()
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
mux.HandleFunc("/admin/directory/v1/groups/", func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Content-Type", "application/json")
userKey := r.URL.Query().Get("userKey")
if groups, ok := testGroups[userKey]; ok {
json.NewEncoder(w).Encode(admin.Groups{Groups: groups})
callCounter[userKey]++
}
})
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
return httptest.NewServer(mux)
}
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
func newConnector(config *Config) (*googleConnector, error) {
refactor: simplify tests by using slog.DiscardHandler (#4058) Signed-off-by: Oleksandr Redko <oleksandr.red+github@gmail.com>
1 year ago
log := slog.New(slog.DiscardHandler)
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
conn, err := config.Open("id", log)
if err != nil {
return nil, err
}
googleConn, ok := conn.(*googleConnector)
if !ok {
return nil, fmt.Errorf("failed to convert to googleConnector")
}
return googleConn, nil
}
func tempServiceAccountKey() (string, error) {
fd, err := os.CreateTemp("", "google_service_account_key")
if err != nil {
return "", err
}
defer fd.Close()
err = json.NewEncoder(fd).Encode(map[string]string{
"type": "service_account",
"project_id": "sample-project",
"private_key_id": "sample-key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nsample-key\n-----END PRIVATE KEY-----\n",
"client_id": "sample-client-id",
"client_x509_cert_url": "localhost",
})
return fd.Name(), err
}
func TestOpen(t *testing.T) {
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
ts := testSetup()
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
defer ts.Close()
type testCase struct {
config *Config
expectedErr string
// string to set in GOOGLE_APPLICATION_CREDENTIALS. As local development environments can
spelling: upon Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
3 years ago
// already contain ADC, test cases will be built upon this setting this env variable
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
adc string
}
serviceAccountFilePath, err := tempServiceAccountKey()
assert.Nil(t, err)
for name, reference := range map[string]testCase{
"missing_admin_email": {
config: &Config{
fix(connector/google): make admin email optional for default creds Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
4 years ago
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
ServiceAccountFilePath: serviceAccountFilePath,
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
},
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
expectedErr: "requires the domainToAdminEmail",
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
},
"service_account_key_not_found": {
config: &Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
DomainToAdminEmail: map[string]string{"*": "foo@bar.com"},
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
ServiceAccountFilePath: "not_found.json",
},
expectedErr: "error reading credentials",
},
"service_account_key_valid": {
config: &Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
DomainToAdminEmail: map[string]string{"bar.com": "foo@bar.com"},
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
ServiceAccountFilePath: serviceAccountFilePath,
},
expectedErr: "",
},
"adc": {
config: &Config{
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
DomainToAdminEmail: map[string]string{"*": "foo@bar.com"},
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
},
adc: serviceAccountFilePath,
expectedErr: "",
},
"adc_priority": {
config: &Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
DomainToAdminEmail: map[string]string{"*": "foo@bar.com"},
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
ServiceAccountFilePath: serviceAccountFilePath,
},
adc: "/dev/null",
expectedErr: "",
},
} {
reference := reference
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", reference.adc)
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
conn, err := newConnector(reference.config)
Implement Application Default Credentials for the google connector (#2530) Signed-off-by: Trung <trung.hoang@pricehubble.com>
4 years ago
if reference.expectedErr == "" {
assert.Nil(err)
assert.NotNil(conn)
} else {
assert.ErrorContains(err, reference.expectedErr)
}
})
}
}
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
func TestGetGroups(t *testing.T) {
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
ts := testSetup()
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
defer ts.Close()
serviceAccountFilePath, err := tempServiceAccountKey()
assert.Nil(t, err)
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", serviceAccountFilePath)
conn, err := newConnector(&Config{
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
DomainToAdminEmail: map[string]string{"*": "admin@dexidp.com"},
chore: Upgrade golangci-lint to v1.50.1 from v1.46.0 (#2790)
3 years ago
})
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
assert.Nil(t, err)
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
conn.adminSrv[wildcardDomainToAdminEmail], err = admin.NewService(context.Background(), option.WithoutAuthentication(), option.WithEndpoint(ts.URL))
Move unique functionality into getGroups to reduce calls to google (#2628) Signed-off-by: Matt Hoey <matt.hoey@missionlane.com>
3 years ago
assert.Nil(t, err)
type testCase struct {
userKey string
fetchTransitiveGroupMembership bool
shouldErr bool
expectedGroups []string
}
for name, testCase := range map[string]testCase{
"user1_non_transitive_lookup": {
userKey: "user_1@dexidp.com",
fetchTransitiveGroupMembership: false,
shouldErr: false,
expectedGroups: []string{"groups_1@dexidp.com", "groups_2@dexidp.com"},
},
"user1_transitive_lookup": {
userKey: "user_1@dexidp.com",
fetchTransitiveGroupMembership: true,
shouldErr: false,
expectedGroups: []string{"groups_0@dexidp.com", "groups_1@dexidp.com", "groups_2@dexidp.com"},
},
"user2_non_transitive_lookup": {
userKey: "user_2@dexidp.com",
fetchTransitiveGroupMembership: false,
shouldErr: false,
expectedGroups: []string{"groups_1@dexidp.com"},
},
"user2_transitive_lookup": {
userKey: "user_2@dexidp.com",
fetchTransitiveGroupMembership: true,
shouldErr: false,
expectedGroups: []string{"groups_0@dexidp.com", "groups_1@dexidp.com"},
},
} {
testCase := testCase
callCounter = map[string]int{}
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
lookup := make(map[string]struct{})
groups, err := conn.getGroups(testCase.userKey, testCase.fetchTransitiveGroupMembership, lookup)
if testCase.shouldErr {
assert.NotNil(err)
} else {
assert.Nil(err)
}
assert.ElementsMatch(testCase.expectedGroups, groups)
t.Logf("[%s] Amount of API calls per userKey: %+v\n", t.Name(), callCounter)
})
}
}
#2895: Add Support for Multiple Admin Emails to Retrieve Group Lists (#2911) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com>
3 years ago
func TestDomainToAdminEmailConfig(t *testing.T) {
ts := testSetup()
defer ts.Close()
serviceAccountFilePath, err := tempServiceAccountKey()
assert.Nil(t, err)
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", serviceAccountFilePath)
conn, err := newConnector(&Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
DomainToAdminEmail: map[string]string{"dexidp.com": "admin@dexidp.com"},
})
assert.Nil(t, err)
conn.adminSrv["dexidp.com"], err = admin.NewService(context.Background(), option.WithoutAuthentication(), option.WithEndpoint(ts.URL))
assert.Nil(t, err)
type testCase struct {
userKey string
expectedErr string
}
for name, testCase := range map[string]testCase{
"correct_user_request": {
userKey: "user_1@dexidp.com",
expectedErr: "",
},
"wrong_user_request": {
userKey: "user_1@foo.bar",
expectedErr: "unable to find super admin email",
},
"wrong_connector_response": {
userKey: "user_1_foo.bar",
expectedErr: "unable to find super admin email",
},
} {
testCase := testCase
callCounter = map[string]int{}
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
lookup := make(map[string]struct{})
_, err := conn.getGroups(testCase.userKey, true, lookup)
if testCase.expectedErr != "" {
assert.ErrorContains(err, testCase.expectedErr)
} else {
assert.Nil(err)
}
t.Logf("[%s] Amount of API calls per userKey: %+v\n", t.Name(), callCounter)
})
}
}
feat: Add support for configurable prompt type for Google connector (#3475) Signed-off-by: abhisek <abhisek.datta@gmail.com> Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 years ago
Google: Implement groups fetch by default service account from metadata (support for GKE workload identity) (#2989) Signed-off-by: Viacheslav Sychov <viacheslav.sychov@gmail.com> Signed-off-by: Maksim Nabokikh <maksim.nabokikh@flant.com> Co-authored-by: Maksim Nabokikh <maksim.nabokikh@flant.com>
2 years ago
var gceMetadataFlags = map[string]bool{
"failOnEmailRequest": false,
}
func mockGCEMetadataServer() *httptest.Server {
mux := http.NewServeMux()
mux.HandleFunc("/computeMetadata/v1/instance/service-accounts/default/email", func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Content-Type", "application/json")
if gceMetadataFlags["failOnEmailRequest"] {
w.WriteHeader(http.StatusBadRequest)
}
json.NewEncoder(w).Encode("my-service-account@example-project.iam.gserviceaccount.com")
})
mux.HandleFunc("/computeMetadata/v1/instance/service-accounts/default/token", func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Content-Type", "application/json")
json.NewEncoder(w).Encode(struct {
AccessToken string `json:"access_token"`
ExpiresInSec int `json:"expires_in"`
TokenType string `json:"token_type"`
}{
AccessToken: "my-example.token",
ExpiresInSec: 3600,
TokenType: "Bearer",
})
})
return httptest.NewServer(mux)
}
func TestGCEWorkloadIdentity(t *testing.T) {
ts := testSetup()
defer ts.Close()
metadataServer := mockGCEMetadataServer()
defer metadataServer.Close()
metadataServerHost := strings.Replace(metadataServer.URL, "http://", "", 1)
os.Setenv("GCE_METADATA_HOST", metadataServerHost)
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", "")
os.Setenv("HOME", "/tmp")
gceMetadataFlags["failOnEmailRequest"] = true
_, err := newConnector(&Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
DomainToAdminEmail: map[string]string{"dexidp.com": "admin@dexidp.com"},
})
assert.Error(t, err)
gceMetadataFlags["failOnEmailRequest"] = false
conn, err := newConnector(&Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
DomainToAdminEmail: map[string]string{"dexidp.com": "admin@dexidp.com"},
})
assert.Nil(t, err)
conn.adminSrv["dexidp.com"], err = admin.NewService(context.Background(), option.WithoutAuthentication(), option.WithEndpoint(ts.URL))
assert.Nil(t, err)
type testCase struct {
userKey string
expectedErr string
}
for name, testCase := range map[string]testCase{
"correct_user_request": {
userKey: "user_1@dexidp.com",
expectedErr: "",
},
"wrong_user_request": {
userKey: "user_1@foo.bar",
expectedErr: "unable to find super admin email",
},
"wrong_connector_response": {
userKey: "user_1_foo.bar",
expectedErr: "unable to find super admin email",
},
} {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
lookup := make(map[string]struct{})
_, err := conn.getGroups(testCase.userKey, true, lookup)
if testCase.expectedErr != "" {
assert.ErrorContains(err, testCase.expectedErr)
} else {
assert.Nil(err)
}
})
}
}
feat: Add support for configurable prompt type for Google connector (#3475) Signed-off-by: abhisek <abhisek.datta@gmail.com> Signed-off-by: Maksim Nabokikh <max.nabokih@gmail.com> Co-authored-by: Maksim Nabokikh <max.nabokih@gmail.com>
2 years ago
func TestPromptTypeConfig(t *testing.T) {
promptTypeLogin := "login"
cases := []struct {
name string
promptType *string
expectedPromptTypeValue string
}{
{
name: "prompt type is nil",
promptType: nil,
expectedPromptTypeValue: "consent",
},
{
name: "prompt type is empty",
promptType: new(string),
expectedPromptTypeValue: "",
},
{
name: "prompt type is set",
promptType: &promptTypeLogin,
expectedPromptTypeValue: "login",
},
}
ts := testSetup()
defer ts.Close()
serviceAccountFilePath, err := tempServiceAccountKey()
assert.Nil(t, err)
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", serviceAccountFilePath)
for _, test := range cases {
t.Run(test.name, func(t *testing.T) {
conn, err := newConnector(&Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups", "offline_access"},
DomainToAdminEmail: map[string]string{"dexidp.com": "admin@dexidp.com"},
PromptType: test.promptType,
})
assert.Nil(t, err)
assert.Equal(t, test.expectedPromptTypeValue, conn.promptType)
loginURL, err := conn.LoginURL(connector.Scopes{OfflineAccess: true}, ts.URL+"/callback", "state")
assert.Nil(t, err)
urlp, err := url.Parse(loginURL)
assert.Nil(t, err)
assert.Equal(t, test.expectedPromptTypeValue, urlp.Query().Get("prompt"))
})
}
}