fix tests

gravitational · Sep 20, 2024 · 0b90c06 · 0b90c06
1 parent 0cb7ae8
commit 0b90c06
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 40 deletions.
diff --git a/lib/client/ca_export_test.go b/lib/client/ca_export_test.go
@@ -88,7 +88,7 @@ func TestExportAuthorities(t *testing.T) {
 		require.NotNil(t, key.Signer, "ParsePrivateKey returned a nil key")
 	}
 
-	// TestAuthServer uses ECDSA for all CAs except db_client.
+	// TestAuthServer uses ECDSA for all CAs except db, db_client, saml_idp, oidc_idp.
 	validateRSAPrivateKeyDERFunc := func(t *testing.T, s string) {
 		privKey, err := x509.ParsePKCS1PrivateKey([]byte(s))
 		require.NoError(t, err, "x509.ParsePKCS1PrivateKey failed")
@@ -227,7 +227,7 @@ func TestExportAuthorities(t *testing.T) {
 				},
 				errorCheck:      require.NoError,
 				assertNoSecrets: validateTLSCertificateDERFunc,
-				assertSecrets:   validateECDSAPrivateKeyDERFunc,
+				assertSecrets:   validateRSAPrivateKeyDERFunc,
 			},
 			{
 				name: "db-client",

diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go
@@ -24,7 +24,6 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/lib"
@@ -43,48 +42,71 @@ func TestOIDCIdPPublicEndpoints(t *testing.T) {
 	resp, err := publicClt.Get(ctx, proxy.webURL.String()+"/.well-known/openid-configuration", nil)
 	require.NoError(t, err)
 
-	jwksURI := struct {
-		JWKSURI string `json:"jwks_uri"`
-		Issuer  string `json:"issuer"`
-	}{}
-
-	err = json.Unmarshal(resp.Bytes(), &jwksURI)
-	require.NoError(t, err)
-
-	// Proxy Public addr must match with Issuer
-	require.Equal(t, proxy.webURL.String(), jwksURI.Issuer)
-
-	// Follow the `jwks_uri` endpoint and fetch the public keys
-	require.NotEmpty(t, jwksURI.JWKSURI)
-	resp, err = publicClt.Get(ctx, jwksURI.JWKSURI, nil)
+	// Deliberately redefining the structs in this test to assert that the JSON
+	// representation doesn't unintentionally change.
+	type oidcConfiguration struct {
+		Issuer                           string   `json:"issuer"`
+		JWKSURI                          string   `json:"jwks_uri"`
+		Claims                           []string `json:"claims"`
+		IdTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
+		ResponseTypesSupported           []string `json:"response_types_supported"`
+		ScopesSupported                  []string `json:"scopes_supported"`
+		SubjectTypesSupported            []string `json:"subject_types_supported"`
+	}
+
+	var gotConfiguration oidcConfiguration
+	require.NoError(t, json.Unmarshal(resp.Bytes(), &gotConfiguration))
+
+	expectedConfiguration := oidcConfiguration{
+		Issuer:  proxy.webURL.String(),
+		JWKSURI: proxy.webURL.String() + "/.well-known/jwks-oidc",
+		// OIDC IdPs MUST support RSA256 here.
+		IdTokenSigningAlgValuesSupported: []string{"RS256"},
+		Claims:                           []string{"iss", "sub", "obo", "aud", "jti", "iat", "exp", "nbf"},
+		ResponseTypesSupported:           []string{"id_token"},
+		ScopesSupported:                  []string{"openid"},
+		SubjectTypesSupported:            []string{"public", "pair-wise"},
+	}
+	require.Equal(t, expectedConfiguration, gotConfiguration)
+
+	resp, err = publicClt.Get(ctx, gotConfiguration.JWKSURI, nil)
 	require.NoError(t, err)
 
-	jwksKeys := struct {
-		Keys []struct {
-			Use     string  `json:"use"`
-			KeyID   *string `json:"kid"`
-			KeyType string  `json:"kty"`
-			Alg     string  `json:"alg"`
-		} `json:"keys"`
-	}{}
-
-	err = json.Unmarshal(resp.Bytes(), &jwksKeys)
+	type jwksKey struct {
+		Use     string  `json:"use"`
+		KeyID   *string `json:"kid"`
+		KeyType string  `json:"kty"`
+		Alg     string  `json:"alg"`
+	}
+	type jwksKeys struct {
+		Keys []jwksKey `json:"keys"`
+	}
+
+	var gotKeys jwksKeys
+	err = json.Unmarshal(resp.Bytes(), &gotKeys)
 	require.NoError(t, err)
 
-	require.NotEmpty(t, jwksKeys.Keys)
-	require.Len(t, jwksKeys.Keys, 2)
-
 	// Expect the same key twice, once with a synthesized Key ID, and once with an empty Key ID for compatibility.
-	key1 := jwksKeys.Keys[0]
-	key2 := jwksKeys.Keys[1]
-	assert.Equal(t, "sig", key1.Use)
-	assert.Equal(t, "EC", key1.KeyType)
-	assert.Equal(t, "ES256", key1.Alg)
-	assert.Equal(t, key1.Use, key2.Use)
-	assert.Equal(t, key1.KeyType, key2.KeyType)
-	assert.Equal(t, key1.Alg, key2.Alg)
-	assert.NotEmpty(t, *key1.KeyID)
-	assert.Equal(t, "", *key2.KeyID)
+	require.Len(t, gotKeys.Keys, 2)
+	require.NotEmpty(t, *gotKeys.Keys[0].KeyID)
+	require.Equal(t, "", *gotKeys.Keys[1].KeyID)
+	expectedKeys := jwksKeys{
+		Keys: []jwksKey{
+			{
+				Use:     "sig",
+				KeyType: "RSA",
+				Alg:     "RS256",
+				KeyID:   gotKeys.Keys[0].KeyID,
+			},
+			{
+				Use:     "sig",
+				KeyType: "RSA",
+				Alg:     "RS256",
+				KeyID:   new(string),
+			},
+		},
+	}
+	require.Equal(t, expectedKeys, gotKeys)
 }
 
 func TestThumbprint(t *testing.T) {