From 01c6dbeeb36164225550e2c246e92064d8d10084 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 17 Jan 2025 11:47:58 +0000
Subject: [PATCH 1/2] Fix HTTPS thumbprint lookup test (#51152)
Go 1.23.5 changed the certificate (added another host), and the thumbprint is now different. Instead of updating the thumbprint, we now rely on the presented certificate by the TLS Server. This should ensure the test doesn't break again if the test certificate is changed again.
---
 lib/integrations/awsoidc/idp_thumbprint_test.go | 8 ++++----
 lib/web/oidcidp_test.go | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/integrations/awsoidc/idp_thumbprint_test.go b/lib/integrations/awsoidc/idp_thumbprint_test.go
index 72b7f06c0ed12..14fc814688b14 100644
--- a/lib/integrations/awsoidc/idp_thumbprint_test.go
+++ b/lib/integrations/awsoidc/idp_thumbprint_test.go
@@ -20,6 +20,8 @@ package awsoidc
 import (
 "context"
+ "crypto/sha1"
+ "encoding/hex"
 "net/http/httptest"
 "testing"
@@ -40,10 +42,8 @@ func TestThumbprint(t *testing.T) {
 thumbprint, err := ThumbprintIdP(ctx, tlsServer.URL)
 require.NoError(t, err)
- // The Proxy is started using httptest.NewTLSServer, which uses a hard-coded cert
- // located at go/src/net/http/internal/testcert/testcert.go
- // The following value is the sha1 fingerprint of that certificate.
- expectedThumbprint := "15dbd260c7465ecca6de2c0b2181187f66ee0d1a"
+ serverCertificateSHA1 := sha1.Sum(tlsServer.Certificate().Raw)
+ expectedThumbprint := hex.EncodeToString(serverCertificateSHA1[:])
 require.Equal(t, expectedThumbprint, thumbprint)
 }
diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go
index ac346de37a8e8..d9615d4fd812b 100644
--- a/lib/web/oidcidp_test.go
+++ b/lib/web/oidcidp_test.go
@@ -20,6 +20,8 @@ package web
 import (
 "context"
+ "crypto/sha1"
+ "encoding/hex"
 "encoding/json"
 "strings"
 "testing"
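Review bot: In TestThumbprint (lib/integrations/awsoidc/idp_thumbprint_test.go) the expected value is now the SHA-1 of `tlsServer.Certificate().Raw`, and httptest's TLS server presents a single certificate, so the assertion holds whether ThumbprintIdP fingerprints the leaf or the last certificate of the presented chain. ThumbprintIdP's body is not part of this patch and TestThumbprint starts above the hunk, so which position is intended cannot be confirmed here; if it matters, it stays untested. The removed comment was the only explanation of where the certificate comes from, so I would add `// httptest serves a one-certificate chain; leaf and last-in-chain thumbprints coincide here` above the new lines. The same limitation applies to the matching TestThumbprint hunk in lib/web/oidcidp_test.go.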
@@ -103,10 +105,8 @@ func TestThumbprint(t *testing.T) {
 thumbprint := strings.Trim(string(resp.Bytes()), "\"")
- // The Proxy is started using httptest.NewTLSServer, which uses a hard-coded cert
- // located at go/src/net/http/internal/testcert/testcert.go
- // The following value is the sha1 fingerprint of that certificate.
- expectedThumbprint := "15dbd260c7465ecca6de2c0b2181187f66ee0d1a"
+ serverCertificateSHA1 := sha1.Sum(proxy.web.TLS.Certificates[0].Leaf.Raw)
+ expectedThumbprint := hex.EncodeToString(serverCertificateSHA1[:])
 require.Equal(t, expectedThumbprint, thumbprint)
 }
From 5f832ecb9ff73c5610a3e3e5606dc7d8362bc9e0 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 17 Jan 2025 14:21:06 +0000
Subject: [PATCH 2/2] fix panic
---
 lib/web/oidcidp_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go
index d9615d4fd812b..beb644afb90ea 100644
--- a/lib/web/oidcidp_test.go
+++ b/lib/web/oidcidp_test.go
@@ -105,7 +105,9 @@ func TestThumbprint(t *testing.T) {
 thumbprint := strings.Trim(string(resp.Bytes()), "\"")
- serverCertificateSHA1 := sha1.Sum(proxy.web.TLS.Certificates[0].Leaf.Raw)
+ require.NotEmpty(t, proxy.web.TLS.Certificates, "missing web tls certificates")
+ require.NotEmpty(t, proxy.web.TLS.Certificates[0].Certificate, "missing web tls certificates")
+ serverCertificateSHA1 := sha1.Sum(proxy.web.TLS.Certificates[0].Certificate[0])
 expectedThumbprint := hex.EncodeToString(serverCertificateSHA1[:])
 require.Equal(t, expectedThumbprint, thumbprint)
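Review bot: The two `require.NotEmpty` guards added to TestThumbprint in PATCH 2/2 (lib/web/oidcidp_test.go) carry the same message, so a failure does not say whether the certificate list or the first entry's DER chain was empty. I would change the second to `require.NotEmpty(t, proxy.web.TLS.Certificates[0].Certificate, "web tls certificate has an empty chain")`. The commit message says only "fix panic"; presumably `Leaf` was nil on this config, so a comment like `// Leaf may be unset; Certificate[0] is the leaf in DER form` above the `sha1.Sum` line would keep the reason next to the code. The function body starts above the hunk, so how `proxy.web.TLS` is populated is not visible here.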