diff --git a/test/extended/authorization/scopes.go b/test/extended/authorization/scopes.go index 766355e34eb0..a4ec97b9ca51 100644 --- a/test/extended/authorization/scopes.go +++ b/test/extended/authorization/scopes.go @@ -59,8 +59,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { t.Fatalf("unexpected error: %v", err) } + whoamiOnlyTokenStr, sha256WhoamiOnlyTokenStr := exutil.GenerateOAuthTokenPair() whoamiOnlyToken := &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "whoami-token-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: sha256WhoamiOnlyTokenStr}, ClientName: "openshift-challenging-client", ExpiresIn: 200, Scopes: []string{scope.UserInfo}, @@ -74,7 +75,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), whoamiOnlyToken) whoamiConfig := rest.AnonymousClientConfig(oc.AdminConfig()) - whoamiConfig.BearerToken = whoamiOnlyToken.Name + whoamiConfig.BearerToken = whoamiOnlyTokenStr if _, err := buildv1client.NewForConfigOrDie(whoamiConfig).BuildV1().Builds(projectName).List(context.Background(), metav1.ListOptions{}); !kapierrors.IsForbidden(err) { t.Fatalf("unexpected error: %v", err) @@ -155,8 +156,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { t.Fatalf("unexpected error: %v", err) } + nonEscalatingEditTokenStr, sha256NonEscalatingEditTokenStr := exutil.GenerateOAuthTokenPair() nonEscalatingEditToken := &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "non-escalating-edit-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: sha256NonEscalatingEditTokenStr}, ClientName: "openshift-challenging-client", ExpiresIn: 200, Scopes: []string{scope.ClusterRoleIndicator + "edit:*"}, @@ -170,7 +172,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), nonEscalatingEditToken) nonEscalatingEditConfig := rest.AnonymousClientConfig(oc.AdminConfig()) - nonEscalatingEditConfig.BearerToken = nonEscalatingEditToken.Name + nonEscalatingEditConfig.BearerToken = nonEscalatingEditTokenStr nonEscalatingEditClient, err := kclientset.NewForConfig(nonEscalatingEditConfig) if err != nil { t.Fatalf("unexpected error: %v", err) @@ -180,8 +182,9 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { t.Fatalf("unexpected error: %v", err) } + escalatingEditTokenStr, sha256EscalatingEditToken := exutil.GenerateOAuthTokenPair() escalatingEditToken := &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "escalating-edit-plus-some-padding-here-to-make-the-limit-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: sha256EscalatingEditToken}, ClientName: "openshift-challenging-client", ExpiresIn: 200, Scopes: []string{scope.ClusterRoleIndicator + "edit:*:!"}, @@ -195,7 +198,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), escalatingEditToken) escalatingEditConfig := rest.AnonymousClientConfig(oc.AdminConfig()) - escalatingEditConfig.BearerToken = escalatingEditToken.Name + escalatingEditConfig.BearerToken = escalatingEditTokenStr escalatingEditClient, err := kclientset.NewForConfig(escalatingEditConfig) if err != nil { t.Fatalf("unexpected error: %v", err) @@ -308,7 +311,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "no scopes", fail: true, obj: &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, UserName: "name", UserUID: "uid", @@ -319,7 +322,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "denied literal", fail: true, obj: &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, UserName: "name", UserUID: "uid", @@ -331,7 +334,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "denied role", fail: true, obj: &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, UserName: "name", UserUID: "uid", @@ -342,7 +345,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { { name: "ok role", obj: &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, UserName: "name", UserUID: "uid", @@ -374,7 +377,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "no scopes", fail: true, obj: &oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, ExpiresIn: 86400, UserName: "name", @@ -386,7 +389,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "denied literal", fail: true, obj: &oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, ExpiresIn: 86400, UserName: "name", @@ -399,7 +402,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { name: "denied role", fail: true, obj: &oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, ExpiresIn: 86400, UserName: "name", @@ -411,7 +414,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] scopes", func() { { name: "ok role", obj: &oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{Name: "tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, + ObjectMeta: metav1.ObjectMeta{Name: "sha256~tokenlongenoughtobecreatedwithoutfailing-" + oc.Namespace()}, ClientName: client.Name, ExpiresIn: 86400, UserName: "name", diff --git a/test/extended/cli/mustgather.go b/test/extended/cli/mustgather.go index c872add17458..4184bde7416a 100644 --- a/test/extended/cli/mustgather.go +++ b/test/extended/cli/mustgather.go @@ -131,11 +131,11 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { } // makes some tokens that should not show in the audit logs - const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit" + _, sha256TokenName := exutil.GenerateOAuthTokenPair() oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig()) _, err1 := oauthClient.OAuthAccessTokens().Create(context.Background(), &oauthv1.OAuthAccessToken{ ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, + Name: sha256TokenName, }, ClientName: "openshift-challenging-client", ExpiresIn: 30, @@ -147,7 +147,7 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { o.Expect(err1).NotTo(o.HaveOccurred()) _, err2 := oauthClient.OAuthAuthorizeTokens().Create(context.Background(), &oauthv1.OAuthAuthorizeToken{ ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, + Name: sha256TokenName, }, ClientName: "openshift-challenging-client", ExpiresIn: 30, @@ -241,7 +241,7 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { // - if on 4.6 but not upgraded => disable check // - if on 4.6 and we have been upgraded from older release => keep the check. if upgradedFrom45 { - for _, token := range []string{"oauthaccesstokens", "oauthauthorizetokens", tokenName} { + for _, token := range []string{"oauthaccesstokens", "oauthauthorizetokens", sha256TokenName} { o.Expect(text).NotTo(o.ContainSubstring(token)) } } diff --git a/test/extended/oauth/client_secret.go b/test/extended/oauth/client_secret.go index ee7cbdedd49e..42900bf618b4 100644 --- a/test/extended/oauth/client_secret.go +++ b/test/extended/oauth/client_secret.go @@ -20,7 +20,7 @@ import ( exutil "github.com/openshift/origin/test/extended/util" ) -const authzTokenName string = "oauth-client-with-plus-with-more-than-thirty-two-characters-in-this-very-long-name" +var authzToken, sha256AuthzToken = exutil.GenerateOAuthTokenPair() var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() { defer g.GinkgoRecover() @@ -65,7 +65,7 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() { g.By("create synthetic authz token") oauthAuthorizeToken, err := oc.AdminOauthClient().OauthV1().OAuthAuthorizeTokens().Create(ctx, &oauthv1.OAuthAuthorizeToken{ ObjectMeta: metav1.ObjectMeta{ - Name: authzTokenName, + Name: sha256AuthzToken, }, ClientName: oauthClient.Name, ExpiresIn: 100000000, @@ -108,7 +108,7 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer]", func() { func queryClientAuthRequest(host string) *http.Request { req, err := http.NewRequest("POST", "https://"+host+"/oauth/token?"+ "grant_type=authorization_code&"+ - "code="+authzTokenName+"&"+ + "code="+authzToken+"&"+ "client_id=oauth-client-with-plus&"+ "client_secret=secret%2Bwith%2Bplus", nil) @@ -120,7 +120,7 @@ func queryClientAuthRequest(host string) *http.Request { func bodyClientAuthRequest(host string) *http.Request { req, err := http.NewRequest("POST", "https://"+host+"/oauth/token", bytes.NewBufferString("grant_type=authorization_code&"+ - "code="+authzTokenName+"&"+ + "code="+authzToken+"&"+ "client_id=oauth-client-with-plus&"+ "client_secret=secret%2Bwith%2Bplus", ), @@ -133,7 +133,7 @@ func bodyClientAuthRequest(host string) *http.Request { func headerClientAuthRequest(host string) *http.Request { req, err := http.NewRequest("POST", "https://"+host+"/oauth/token", bytes.NewBufferString("grant_type=authorization_code&"+ - "code="+authzTokenName, + "code="+authzToken, ), ) o.Expect(err).NotTo(o.HaveOccurred()) diff --git a/test/extended/oauth/token.go b/test/extended/oauth/token.go index 2cc845f52f63..5b84ec61758e 100644 --- a/test/extended/oauth/token.go +++ b/test/extended/oauth/token.go @@ -27,42 +27,6 @@ var _ = g.Describe("[sig-auth][Feature:OAuthServer] OAuth Authenticator", func() oc := exutil.NewCLI("oauth-access-token-e2e-test") ctx := context.Background() - g.It(fmt.Sprintf("accepts classic non-prefixed access tokens"), func() { - user, err := oc.AdminUserClient().UserV1().Users().Create(ctx, &userv1.User{ - TypeMeta: metav1.TypeMeta{}, - ObjectMeta: metav1.ObjectMeta{ - Name: "oauth-access-token-e2e-test-user-classical", - }, - FullName: "test user", - }, metav1.CreateOptions{}) - o.Expect(err).NotTo(o.HaveOccurred()) - oc.AddResourceToDelete(userv1.GroupVersion.WithResource("users"), user) - - g.By("creating a classic oauth access token") - token := base64.RawURLEncoding.EncodeToString([]byte(uuid.New())) - classicTokenObject, err := oc.AdminOauthClient().OauthV1().OAuthAccessTokens().Create(ctx, &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{ - Name: token, - }, - UserName: user.Name, - UserUID: string(user.UID), - ClientName: "openshift-challenging-client", - Scopes: []string{"user:info"}, - RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", - }, metav1.CreateOptions{}) - o.Expect(err).NotTo(o.HaveOccurred()) - oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), classicTokenObject) - - g.By("authenticating using the classic access token as bearer token") - gotUser, err := whoamiWithToken(token, oc) - o.Expect(err).NotTo(o.HaveOccurred()) - o.Expect(gotUser.Name).To(o.Equal(user.Name)) - - g.By("not-authenticating using a sha256 prefixed access token as bearer token") - _, err = whoamiWithToken("sha256~"+token, oc) - o.Expect(errors.IsUnauthorized(err)).To(o.BeTrue()) - }) - g.It(fmt.Sprintf("accepts sha256 access tokens"), func() { user, err := oc.AdminUserClient().UserV1().Users().Create(ctx, &userv1.User{ TypeMeta: metav1.TypeMeta{}, diff --git a/test/extended/project/project.go b/test/extended/project/project.go index 8910fd870bdd..d1b5dd16b469 100644 --- a/test/extended/project/project.go +++ b/test/extended/project/project.go @@ -19,7 +19,6 @@ import ( corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/rand" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" @@ -572,8 +571,9 @@ func GetScopedClientForUser(oc *exutil.CLI, username string, scopes []string) (* return nil, err } + tokenStr, sha256TokenStr := exutil.GenerateOAuthTokenPair() token := &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", username, rand.Int())}, + ObjectMeta: metav1.ObjectMeta{Name: sha256TokenStr}, ClientName: "openshift-challenging-client", ExpiresIn: 86400, Scopes: scopes, @@ -587,6 +587,6 @@ func GetScopedClientForUser(oc *exutil.CLI, username string, scopes []string) (* oc.AddResourceToDelete(oauthv1.GroupVersion.WithResource("oauthaccesstokens"), token) scopedConfig := rest.AnonymousClientConfig(oc.AdminConfig()) - scopedConfig.BearerToken = token.Name + scopedConfig.BearerToken = tokenStr return scopedConfig, nil } diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go index 918cfeb16b04..f6f5288cd18a 100644 --- a/test/extended/util/annotate/generated/zz_generated.annotations.go +++ b/test/extended/util/annotate/generated/zz_generated.annotations.go @@ -925,8 +925,6 @@ var annotations = map[string]string{ "[Top Level] [sig-auth][Feature:OAuthServer] ClientSecretWithPlus should create oauthclient": "should create oauthclient [Suite:openshift/conformance/parallel]", - "[Top Level] [sig-auth][Feature:OAuthServer] OAuth Authenticator accepts classic non-prefixed access tokens": "accepts classic non-prefixed access tokens [Suite:openshift/conformance/parallel]", - "[Top Level] [sig-auth][Feature:OAuthServer] OAuth Authenticator accepts sha256 access tokens": "accepts sha256 access tokens [Suite:openshift/conformance/parallel]", "[Top Level] [sig-auth][Feature:OAuthServer] OAuth server has the correct token and certificate fallback semantics": "has the correct token and certificate fallback semantics [Suite:openshift/conformance/parallel]",