
Commit 8b4ea55

Merge pull request #22739 from stlaz/readd_oauth_tests
tests follow-up to tightening authn APIs validation
2 parents 7c6d73f + 780ffdc commit 8b4ea55

2 files changed

Lines changed: 29 additions & 0 deletions


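--- a/test/integration/groups_test.go
+++ b/test/integration/groups_test.go
@@ -68,6 +68,16 @@ func TestBasicUserBasedGroupManipulation(t *testing.T) {
 t.Errorf("unexpected error: %v", err)
 }
 
+// make sure that user/~ returns system groups for backed users when it merges
+expectedValerieGroups := []string{"system:authenticated", "system:authenticated:oauth"}
+secondValerie, err := userclient.NewForConfigOrDie(valerieConfig).Users().Get("~", metav1.GetOptions{})
+if err != nil {
+t.Fatalf("unexpected error: %v", err)
+}
+if !reflect.DeepEqual(secondValerie.Groups, expectedValerieGroups) {
+t.Errorf("expected %v, got %v", expectedValerieGroups, secondValerie.Groups)
+}
+
 _, err = valerieProjectClient.Projects().Get("empty", metav1.GetOptions{})
 if err == nil {
 t.Fatalf("expected error")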
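Review bot: The new group assertion compares `secondValerie.Groups` with `reflect.DeepEqual`, which is order-sensitive, so the test passes only if the server returns `system:authenticated` before `system:authenticated:oauth`. Nothing visible in this hunk guarantees that order; if it is not part of the API contract, sort the returned slice first, e.g. `sort.Strings(secondValerie.Groups)` ahead of the check, and keep the exact-equality comparison so an unexpected extra group still fails the test. The comment on the first added line is also hard to parse ("for backed users when it merges"); if the intent is what it appears to be, `// user/~ must report the system groups for a user that is backed by a stored User object` would state the invariant more plainly. TestBasicUserBasedGroupManipulation starts and ends outside the hunk.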

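--- a/test/integration/oauth_serviceaccount_client_test.go
+++ b/test/integration/oauth_serviceaccount_client_test.go
@@ -160,7 +160,26 @@ func TestOAuthServiceAccountClient(t *testing.T) {
 t.Fatalf("Unexpected error: %v", err)
 } else if !reflect.DeepEqual(clientAuth.Scopes, []string{"user:full"}) {
 t.Fatalf("Unexpected scopes: %v", clientAuth.Scopes)
+} else {
+// update the authorization to contain only read scopes
+clientAuth.Scopes = []string{"user:info"}
+if _, err := clusterAdminOAuthClient.OAuthClientAuthorizations().Update(clientAuth); err != nil {
+t.Fatalf("Unexpected error: %v", err)
+}
 }
+// approval steps are needed again for unscoped access
+runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{
+"GET /oauth/authorize",
+"received challenge",
+"GET /oauth/authorize",
+"redirect to /oauth/authorize/approve",
+"form",
+"POST /oauth/authorize/approve",
+"redirect to /oauth/authorize",
+"redirect to /oauthcallback",
+"code",
+"scope:user:full",
+})
 
 // with the authorization stored, approval steps are skipped
 runOAuthFlow(t, clusterAdminClientConfig, projectName, oauthClientConfig, nil, authorizationCodes, authorizationErrors, true, true, []string{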
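Review bot: The comment `// approval steps are needed again for unscoped access` does not match what the added flow checks: the expected steps end in `scope:user:full`, and the approval prompt presumably reappears because the stored authorization was just narrowed to `user:info`. This is the regression guard for a narrower stored grant not silently satisfying a broader request, so the comment should say so, e.g. `// the stored authorization now covers only user:info, so a user:full request must go through approval again`. The value returned by `Update(clientAuth)` is also discarded; asserting that its scopes equal `[]string{"user:info"}` would make a failure point at the update itself rather than at the step list. TestOAuthServiceAccountClient starts and ends outside the hunk.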
