From 676783122dd780bfd02311099b7bc6456e367ebc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Tue, 18 Oct 2022 14:06:14 +0200 Subject: [PATCH 01/10] add clientSecret to cache key --- .../metadata/serviceapi/serviceapiservice.go | 1 + .../externaltokenstrategy_test.go | 2 +- .../pkg/authorization/factory.go | 6 ++--- .../pkg/authorization/factory_test.go | 11 +++++----- .../pkg/authorization/mocks/OAuthClient.go | 20 ++++++++--------- .../pkg/authorization/model.go | 1 + .../pkg/authorization/oauth/mocks/Client.go | 20 ++++++++--------- .../pkg/authorization/oauth/oauthclient.go | 22 +++++++++---------- .../authorization/oauth/oauthclient_test.go | 16 +++++++------- .../pkg/authorization/oauthcertstrategy.go | 8 ++++--- .../authorization/oauthcertstrategy_test.go | 12 +++++----- .../pkg/authorization/oauthstrategy.go | 2 +- .../pkg/authorization/oauthstrategy_test.go | 2 +- 13 files changed, 64 insertions(+), 59 deletions(-) diff --git a/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go b/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go index 1bc4737818ed..e5aafb9c48a1 100644 --- a/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go +++ b/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go @@ -175,6 +175,7 @@ func getOAuthWithCertCredentials(secret map[string][]byte, url string) (*authori return &authorization.OAuthWithCert{ ClientID: string(secret[ClientIDKey]), + ClientSecret: string(secret[ClientSecretKey]), Certificate: secret[CertificateKey], PrivateKey: secret[PrivateKeyKey], URL: url, diff --git a/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go b/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go index ee4893a342fa..ea142c8a1548 100644 
--- a/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go @@ -64,7 +64,7 @@ func TestExternalAuthStrategy(t *testing.T) { t.Run("should call Invalidate method on the provided strategy", func(t *testing.T) { // given oauthClientMock := &mocks.Client{} - oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once() + oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once() oauthStrategy := newOAuthStrategy(oauthClientMock, "clientId", "clientSecret", "www.example.com/token", nil) diff --git a/components/central-application-gateway/pkg/authorization/factory.go b/components/central-application-gateway/pkg/authorization/factory.go index 757abbddede9..7aecd3cd1e1e 100644 --- a/components/central-application-gateway/pkg/authorization/factory.go +++ b/components/central-application-gateway/pkg/authorization/factory.go @@ -29,9 +29,9 @@ type StrategyFactory interface { type OAuthClient interface { // GetToken obtains OAuth token GetToken(clientID string, clientSecret string, authURL string, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) - GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) + GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) // InvalidateTokenCache resets internal token cache - InvalidateTokenCache(clientID string, authURL string) + InvalidateTokenCache(clientID string, clientSecret string, authURL string) } type authorizationStrategyFactory struct { 
@@ -47,7 +47,7 @@ func (asf authorizationStrategyFactory) create(c *Credentials) Strategy { if c != nil && c.OAuth != nil { return newOAuthStrategy(asf.oauthClient, c.OAuth.ClientID, c.OAuth.ClientSecret, c.OAuth.URL, c.OAuth.RequestParameters) } else if c != nil && c.OAuthWithCert != nil { - oAuthStrategy := newOAuthWithCertStrategy(asf.oauthClient, c.OAuthWithCert.ClientID, c.OAuthWithCert.Certificate, c.OAuthWithCert.PrivateKey, c.OAuthWithCert.URL, c.OAuthWithCert.RequestParameters) + oAuthStrategy := newOAuthWithCertStrategy(asf.oauthClient, c.OAuthWithCert.ClientID, c.OAuthWithCert.ClientSecret, c.OAuthWithCert.Certificate, c.OAuthWithCert.PrivateKey, c.OAuthWithCert.URL, c.OAuthWithCert.RequestParameters) return &oAuthStrategy } else if c != nil && c.BasicAuth != nil { return newBasicAuthStrategy(c.BasicAuth.Username, c.BasicAuth.Password) diff --git a/components/central-application-gateway/pkg/authorization/factory_test.go b/components/central-application-gateway/pkg/authorization/factory_test.go index 87f67d00b986..785b6527d045 100644 --- a/components/central-application-gateway/pkg/authorization/factory_test.go +++ b/components/central-application-gateway/pkg/authorization/factory_test.go 
@@ -151,15 +151,16 @@ func TestStrategyFactory(t *testing.T) { require.NoError(t, err) oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", pair, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", pair, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) factory := authorizationStrategyFactory{oauthClient: oauthClientMock} credentials := &Credentials{ OAuthWithCert: &OAuthWithCert{ - ClientID: "clientId", - Certificate: certificate, - PrivateKey: privateKey, - URL: "www.example.com/token", + ClientID: "clientId", + ClientSecret: "clientSecret", + Certificate: certificate, + PrivateKey: privateKey, + URL: "www.example.com/token", }, } diff --git a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go index 703dbdc9b9c9..ce11c49e17a1 100644 --- a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go +++ b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go 
@@ -38,20 +38,20 @@ func (_m *OAuthClient) GetToken(clientID string, clientSecret string, authURL st return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, authURL, cert, headers, queryParameters, skipTLSVerification -func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) +// GetTokenMTLS provides a mock function with given fields: clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification +func (_m *OAuthClient) GetTokenMTLS(clientID string, clientSecret string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification) var r0 string - if rf, ok := ret.Get(0).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(0).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(1).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = rf(clientID, clientSecret, authURL, cert, headers, 
queryParameters, skipTLSVerification) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(apperrors.AppError) @@ -61,9 +61,9 @@ func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, cert tls.Ce return r0, r1 } -// InvalidateTokenCache provides a mock function with given fields: clientID, authURL -func (_m *OAuthClient) InvalidateTokenCache(clientID string, authURL string) { - _m.Called(clientID, authURL) +// InvalidateTokenCache provides a mock function with given fields: clientID, clientSecret, authURL +func (_m *OAuthClient) InvalidateTokenCache(clientID string, clientSecret string, authURL string) { + _m.Called(clientID, clientSecret, authURL) } type mockConstructorTestingTNewOAuthClient interface { diff --git a/components/central-application-gateway/pkg/authorization/model.go b/components/central-application-gateway/pkg/authorization/model.go index f668cd6c0593..5dda6a34a2e4 100644 --- a/components/central-application-gateway/pkg/authorization/model.go +++ b/components/central-application-gateway/pkg/authorization/model.go @@ -47,6 +47,7 @@ type CertificateGen struct { type OAuthWithCert struct { URL string ClientID string + ClientSecret string Certificate []byte PrivateKey []byte RequestParameters *RequestParameters diff --git a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go index 5a2b9b177e95..63ffbc7f955b 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go +++ b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go 
@@ -37,20 +37,20 @@ func (_m *Client) GetToken(clientID string, clientSecret string, authURL string, return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, authURL, cert, headers, queryParameters, skipVerify -func (_m *Client) GetTokenMTLS(clientID string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, authURL, cert, headers, queryParameters, skipVerify) +// GetTokenMTLS provides a mock function with given fields: clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify +func (_m *Client) GetTokenMTLS(clientID string, clientSecret string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) var r0 string - if rf, ok := ret.Get(0).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(0).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(1).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) } else { if ret.Get(1) != nil { r1 = 
ret.Get(1).(apperrors.AppError) @@ -60,9 +60,9 @@ func (_m *Client) GetTokenMTLS(clientID string, authURL string, cert tls.Certifi return r0, r1 } -// InvalidateTokenCache provides a mock function with given fields: clientID, authURL -func (_m *Client) InvalidateTokenCache(clientID string, authURL string) { - _m.Called(clientID, authURL) +// InvalidateTokenCache provides a mock function with given fields: clientID, clientSecret, authURL +func (_m *Client) InvalidateTokenCache(clientID string, clientSecret string, authURL string) { + _m.Called(clientID, clientSecret, authURL) } type mockConstructorTestingTNewClient interface { diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index 4ceaea059833..5678a70cbf14 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go @@ -27,8 +27,8 @@ type oauthResponse struct { //go:generate mockery --name=Client type Client interface { GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) - GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) - InvalidateTokenCache(clientID string, authURL string) + GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) + InvalidateTokenCache(clientID string, clientSecret string, authURL string) } type client struct { 
@@ -44,7 +44,7 @@ func NewOauthClient(timeoutDuration int, tokenCache tokencache.TokenCache) Clien } func (c *client) GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { - token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, authURL)) + token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL)) if found { return token, nil } @@ -54,13 +54,13 @@ func (c *client) GetToken(clientID, clientSecret, authURL string, headers, query return "", err } - c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn) + c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn) return tokenResponse.AccessToken, nil } -func (c *client) GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { - token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, authURL)) +func (c *client) GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL)) if found { return token, nil } 
@@ -70,18 +70,18 @@ func (c *client) GetTokenMTLS(clientID, authURL string, cert tls.Certificate, he return "", err } - c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn) + c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn) return tokenResponse.AccessToken, nil } -func (c *client) InvalidateTokenCache(clientID, authURL string) { - c.tokenCache.Remove(c.makeOAuthTokenCacheKey(clientID, authURL)) +func (c *client) InvalidateTokenCache(clientID, clientSecret, authURL string) { + c.tokenCache.Remove(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL)) } // to avoid case of single clientID and different endpoints for MTLS and standard oauth -func (c *client) makeOAuthTokenCacheKey(clientID, authURL string) string { - return clientID + authURL +func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string) string { + return clientID + clientSecret + authURL } func (c *client) requestToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (*oauthResponse, apperrors.AppError) { diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go index 102ce62a0786..f97660cb822d 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go @@ -19,7 +19,7 @@ func TestOauthClient_GetToken(t *testing.T) { t.Run("should get token from cache if present", func(t *testing.T) { // given tokenCache := mocks.TokenCache{} - tokenCache.On("Get", "testID").Return("123456789", true) + tokenCache.On("Get", "testIDtestSecret").Return("123456789", true) oauthClient := NewOauthClient(10, &tokenCache) 
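Review bot: `makeOAuthTokenCacheKey` now returns `clientID + clientSecret + authURL`, so the raw client secret is stored in every cache key and the three fields are joined with no separator. Anything that logs, lists or dumps cache keys would then disclose the secret, and distinct inputs such as ("ab", "c") and ("a", "bc") produce the same key. Keying on a digest of length-prefixed fields keeps the secret out of the cache and removes the ambiguity; if client secrets can be low-entropy, an HMAC keyed with a per-process random value is the stronger choice. The same helper is called by `GetToken` and `GetTokenMTLS` in the two preceding hunks and by `InvalidateTokenCache` here, so the change is confined to this one function. The comment above it still describes only the clientID/endpoint case and should say why the secret is part of the key.

```go
func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string) string {
	digest := sha256.New()
	for _, field := range []string{clientID, clientSecret, authURL} {
		// Length prefix keeps ("ab", "c") and ("a", "bc") from hashing the same input.
		fmt.Fprintf(digest, "%d:%s", len(field), field)
	}
	return hex.EncodeToString(digest.Sum(nil))
}
```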
@@ -45,7 +45,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -77,7 +77,7 @@ func TestOauthClient_GetToken(t *testing.T) { ts.StartTLS() defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -115,7 +115,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -140,7 +140,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -166,7 +166,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -184,7 +184,7 @@ func TestOauthClient_GetToken(t *testing.T) { t.Run("should fail if OAuth address is incorrect", func(t *testing.T) { // given - tokenKey := "testID" + "http://some_no_existent_address.com/token" + tokenKey := "testID" + "testSecret" + "http://some_no_existent_address.com/token" tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -209,7 +209,7 @@ func TestOauthClient_GetToken(t *testing.T) { ts.StartTLS() defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) 
diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go index 42af05e0ba15..bba395c2e6ff 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go @@ -15,6 +15,7 @@ import ( type oauthWithCertStrategy struct { oauthClient OAuthClient clientId string + clientSecret string certificate []byte privateKey []byte url string @@ -22,10 +23,11 @@ type oauthWithCertStrategy struct { tokenRequestSkipVerify bool } -func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, certificate, privateKey []byte, url string, requestParameters *RequestParameters) oauthWithCertStrategy { +func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, clientSecret string, certificate, privateKey []byte, url string, requestParameters *RequestParameters) oauthWithCertStrategy { return oauthWithCertStrategy{ oauthClient: oauthClient, clientId: clientId, + clientSecret: clientSecret, certificate: certificate, privateKey: privateKey, url: url, @@ -40,7 +42,7 @@ func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.Se return apperrors.Internal("Failed to prepare certificate, %s", err.Error()) } headers, queryParameters := o.requestParameters.unpack() - token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.url, cert, headers, queryParameters, skipTLSVerification) + token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.clientSecret, o.url, cert, headers, queryParameters, skipTLSVerification) if err != nil { log.Errorf("failed to get token : '%s'", err) return apperrors.Internal("Failed to get token: %s", err.Error()) 
@@ -52,7 +54,7 @@ func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.Se } func (o oauthWithCertStrategy) Invalidate() { - o.oauthClient.InvalidateTokenCache(o.clientId, o.url) + o.oauthClient.InvalidateTokenCache(o.clientId, o.clientSecret, o.url) } func (o oauthWithCertStrategy) prepareCertificate() (tls.Certificate, error) { diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go index e5a7d236e85a..3b4aef056afd 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go @@ -18,12 +18,12 @@ func TestAuthWithCerStrategy(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - oauthStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil) + oauthStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) prepareCertificate, err := oauthStrategy.prepareCertificate() require.NoError(t, err) - oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) request, err := http.NewRequest("GET", "www.example.com", nil) require.NoError(t, err) 
@@ -40,9 +40,9 @@ func TestAuthWithCerStrategy(t *testing.T) { t.Run("should invalidate cache", func(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once() + oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once() - authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil) + authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) // when authWithCertStrategy.Invalidate() @@ -55,12 +55,12 @@ func TestAuthWithCerStrategy(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil) + authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) prepareCertificate, err := authWithCertStrategy.prepareCertificate() require.NoError(t, err) - oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once() + oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once() request, err := http.NewRequest("GET", "www.example.com", nil) require.NoError(t, err) diff --git a/components/central-application-gateway/pkg/authorization/oauthstrategy.go b/components/central-application-gateway/pkg/authorization/oauthstrategy.go index 5ac4659b0ecf..6ab1e6c67914 100644 
--- a/components/central-application-gateway/pkg/authorization/oauthstrategy.go +++ b/components/central-application-gateway/pkg/authorization/oauthstrategy.go @@ -43,5 +43,5 @@ func (o oauthStrategy) AddAuthorization(r *http.Request, _ clientcert.SetClientC } func (o oauthStrategy) Invalidate() { - o.oauthClient.InvalidateTokenCache(o.clientId, o.url) + o.oauthClient.InvalidateTokenCache(o.clientId, o.clientSecret, o.url) } diff --git a/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go index 83281b8f1631..5bb973c10f05 100644 --- a/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go @@ -35,7 +35,7 @@ func TestAuthStrategy(t *testing.T) { t.Run("should invalidate cache", func(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once() + oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once() oauthStrategy := newOAuthStrategy(oauthClientMock, "clientId", "clientSecret", "www.example.com/token", nil) From 08f33a7efbd31ecc9bbe7f55bdb46b33e9b9831e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Fri, 21 Oct 2022 14:29:32 +0200 Subject: [PATCH 02/10] cache key, first approach --- .../pkg/authorization/oauth/key_test.go | 46 +++++++++++++++++++ .../pkg/authorization/oauth/oauthclient.go | 1 + 2 files changed, 47 insertions(+) create mode 100644 components/central-application-gateway/pkg/authorization/oauth/key_test.go diff --git a/components/central-application-gateway/pkg/authorization/oauth/key_test.go b/components/central-application-gateway/pkg/authorization/oauth/key_test.go new file mode 100644 index 000000000000..c3f80d520bc5 --- /dev/null 
+++ b/components/central-application-gateway/pkg/authorization/oauth/key_test.go 
@@ -0,0 +1,46 @@ +package oauth + +import ( + "github.com/stretchr/testify/require" + "testing" +) + +func TestGenerateKey(t *testing.T) { + t.Run("should", func(t *testing.T) { + //given + clientID := "clientID" + privateKey := "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFyjWCE2FiVs5H\n1+KTs6DAaxCmytVFSykHyJYmvYBSw1TI8+Ho1WWKOY8q/EtYVpYdaq0ILeGFhA6z\nkl32VYK8oJER+cyG65ivpIoFCGS52VWyjinrjcFxsEf4S4vgl/QPbaSZz32tHH1h\n56wMnhRR8fLGsY+k2VVwpTduag9EUAQsvlO3r0aEr53/g2yTmPgwx5GGHiDMamB6\n9g+6ULN42RxGnWhgUnDLQfXY0yN/pwUKC/ukrTMy/+ImVDuskJvQnPLkV70FoPwq\nJ3gYUA3QfQ/lRLpt9N87NFVdVsJcVruNaR7B7Ta8Ghlu5eXndy+VRNU+rS8KdL4j\n1jExeMrHAgMBAAECggEAVpsOp/jFfRJme8XXg/Y1Dtwyq94H2bIp8qsNuEPlAxhd\nsSo9Ar8iGY7PljJn6XPsgk/6GSlB5T0oVM/jzd+ugdrK+vSG7pMNxecFumNs+4Xj\nRO6EA40MJbRbJykpQ/w1VWYcm27j6F+ftTWEu/eiDSmktQT90WCKzWrCpVnSeoXL\npssENiEzhU3lsgK+M8bj7GmCiSqz1Ki0qVQzxH1DJeOJ/XI7TYjhYdU+Lchm+PMK\nTUBEtgqEh0GD6XzQ70zjEIzGtpToMTsmIPRhC5t+vNwZp/2ZyONFkj74fP84XZbs\nDW5Ji9JfAyDudPSGSe8+EzA9TBGhd4ik1LmQcvvedQKBgQDV/YS/a+2bQlIrhkdH\n2tWfwuJwAjW0D61t/JftAY7GR3Nys963/4T+rd2TsDs9MF+zACEg7cKeTaC5IgHP\nQ8+TGyHeVaxn+ZnAfF5lrHjXBeMFWZIus/rBDogRy+0mh1oR58Fa0gvFmRBnvaxq\n/q+g1B0/kuJG5k3PrePA99EOBQKBgQDsnoH+uv8/uwRihzgVH47u3XBPwoflSYqi\nezhHWpeZkQ8qfEsX89KUnDc2TGoqBDxHTwcBNu4OQ1cTi0xgMgRFvNiwnyQGlykp\nJixu+MTdcegZbxcS0ippawerm97YNxH6X8LZflguZjVqN/nCk3tJs9iiZyjxNBRW\nRBxvyH/DWwKBgQCpCDEr4900nxa5OsBjigDkydSEFbrGGPwtvTFlDa3yAc639E0h\nmr07T6uPVc31b5iolJmWoTjyQu+KTcqQJkh5Mx11uscM+qTw30zRk4OAli3VtAM8\n0P5qMUhahnM11ATZz+90Bic2VsoWqETh33xr1iGkbio/Rvx/6CPX8ek44QKBgDMx\nXAijpoPAT4ONo8mWKVNun1TyTnqB/beHlzaA2BnGc5SKjaih/OZgIeXihHmQrwXy\niB5wJvL5CMbWtXB+gcQgxnT4CVBPtf0MIELmGZmbgk62ZTSSOdDS8jbjo0P+LiqQ\nO1TY6/Ul8dqIP8YkKGFawrzoOshsrxW26LwakeHPAoGBAKOs3CswKEVU23SY/vsL\nUMMciKXOclS77P+et2aQpodyqd8zDf8Zo4AzXDP7P1hndR3DFN7DK7FfzfGjbzoI\neOrbYDKM/8g/7G2BD53isaqRxXe0mbCsnGGS9qW0LnqbZHroIHzkSfaE07RZSuy3\ncGULnAlIuR23/9VjSUP7wAO2\n-----END PRIVATE KEY-----\n" + certificate := "-----BEGIN 
CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIUBX/p1ZN7UFuCsygfIOHmEDpVHtswDQYJKoZIhvcNAQEL\nBQAwOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAG\nA1UEAwwJbG9jYWxob3N0MB4XDTIyMTAwMzEwMzYxMloXDTIzMTAwMzEwMzYxMlow\nOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAGA1UE\nAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxco1\nghNhYlbOR9fik7OgwGsQpsrVRUspB8iWJr2AUsNUyPPh6NVlijmPKvxLWFaWHWqt\nCC3hhYQOs5Jd9lWCvKCREfnMhuuYr6SKBQhkudlVso4p643BcbBH+EuL4Jf0D22k\nmc99rRx9YeesDJ4UUfHyxrGPpNlVcKU3bmoPRFAELL5Tt69GhK+d/4Nsk5j4MMeR\nhh4gzGpgevYPulCzeNkcRp1oYFJwy0H12NMjf6cFCgv7pK0zMv/iJlQ7rJCb0Jzy\n5Fe9BaD8Kid4GFAN0H0P5US6bfTfOzRVXVbCXFa7jWkewe02vBoZbuXl53cvlUTV\nPq0vCnS+I9YxMXjKxwIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYD\nVR0OBBYEFP/P8Vy9b+Kvx9t6i5TVOjiD5OT1MB8GA1UdIwQYMBaAFI62bpw2BVd6\n5l3PN3wR83xxhk0VMA0GCSqGSIb3DQEBCwUAA4IBAQCWNO04okw24eoQVdapxkZP\n+YiCRwV9AWUvssr9qccrXZCVpERBVTFu1rx20KDenU8u8weGTu9Esx7uzkn6zaqV\n83mNYJi4FjrVMRz75YdvMjIG8E0/+9P3/Zw+3ui5HFD5e2pPgN03EgXivM/BswGz\nxctkAC04lu2bvkGHeyzURSMB65Wtv+YvaGC7WigdO+PQavStGGOuv4koIbs3ZNyg\nh2LJ7Uc6TiRSEHTnics+tsBbvy23v4At9hSw5xdicCe/TODcTcmZutelnHp0NjH1\nHiRJdUhfEnQm3VhdJGLhrO19QU4cD9TKp5csixZgY2DUqnsZAerwOqccJN1bfAvT\n-----END CERTIFICATE-----\n" + authURL := "www.example.com" + certSha := "6e268674edb6685600ffcb61552c900c6ea9d42d391c63e188fc7ccff967f86a" + keySha := "0ebb97467eb55862b26c5c10ec25a57114bc7e25a99530a52b7f5fdb5ff0f377" + expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL + + //when + //tlsCert, err := tls.X509KeyPair([]byte(certificate), []byte(privateKey)) + key, err := generateKey(clientID, certificate, privateKey, authURL) + + //then + require.NoError(t, err) + require.Equal(t, expectedKey, key) + }) +} + +func BenchmarkBase64decode(b *testing.B) { + //given + clientID := "clientID" + privateKey := "-----BEGIN PRIVATE 
KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFyjWCE2FiVs5H\n1+KTs6DAaxCmytVFSykHyJYmvYBSw1TI8+Ho1WWKOY8q/EtYVpYdaq0ILeGFhA6z\nkl32VYK8oJER+cyG65ivpIoFCGS52VWyjinrjcFxsEf4S4vgl/QPbaSZz32tHH1h\n56wMnhRR8fLGsY+k2VVwpTduag9EUAQsvlO3r0aEr53/g2yTmPgwx5GGHiDMamB6\n9g+6ULN42RxGnWhgUnDLQfXY0yN/pwUKC/ukrTMy/+ImVDuskJvQnPLkV70FoPwq\nJ3gYUA3QfQ/lRLpt9N87NFVdVsJcVruNaR7B7Ta8Ghlu5eXndy+VRNU+rS8KdL4j\n1jExeMrHAgMBAAECggEAVpsOp/jFfRJme8XXg/Y1Dtwyq94H2bIp8qsNuEPlAxhd\nsSo9Ar8iGY7PljJn6XPsgk/6GSlB5T0oVM/jzd+ugdrK+vSG7pMNxecFumNs+4Xj\nRO6EA40MJbRbJykpQ/w1VWYcm27j6F+ftTWEu/eiDSmktQT90WCKzWrCpVnSeoXL\npssENiEzhU3lsgK+M8bj7GmCiSqz1Ki0qVQzxH1DJeOJ/XI7TYjhYdU+Lchm+PMK\nTUBEtgqEh0GD6XzQ70zjEIzGtpToMTsmIPRhC5t+vNwZp/2ZyONFkj74fP84XZbs\nDW5Ji9JfAyDudPSGSe8+EzA9TBGhd4ik1LmQcvvedQKBgQDV/YS/a+2bQlIrhkdH\n2tWfwuJwAjW0D61t/JftAY7GR3Nys963/4T+rd2TsDs9MF+zACEg7cKeTaC5IgHP\nQ8+TGyHeVaxn+ZnAfF5lrHjXBeMFWZIus/rBDogRy+0mh1oR58Fa0gvFmRBnvaxq\n/q+g1B0/kuJG5k3PrePA99EOBQKBgQDsnoH+uv8/uwRihzgVH47u3XBPwoflSYqi\nezhHWpeZkQ8qfEsX89KUnDc2TGoqBDxHTwcBNu4OQ1cTi0xgMgRFvNiwnyQGlykp\nJixu+MTdcegZbxcS0ippawerm97YNxH6X8LZflguZjVqN/nCk3tJs9iiZyjxNBRW\nRBxvyH/DWwKBgQCpCDEr4900nxa5OsBjigDkydSEFbrGGPwtvTFlDa3yAc639E0h\nmr07T6uPVc31b5iolJmWoTjyQu+KTcqQJkh5Mx11uscM+qTw30zRk4OAli3VtAM8\n0P5qMUhahnM11ATZz+90Bic2VsoWqETh33xr1iGkbio/Rvx/6CPX8ek44QKBgDMx\nXAijpoPAT4ONo8mWKVNun1TyTnqB/beHlzaA2BnGc5SKjaih/OZgIeXihHmQrwXy\niB5wJvL5CMbWtXB+gcQgxnT4CVBPtf0MIELmGZmbgk62ZTSSOdDS8jbjo0P+LiqQ\nO1TY6/Ul8dqIP8YkKGFawrzoOshsrxW26LwakeHPAoGBAKOs3CswKEVU23SY/vsL\nUMMciKXOclS77P+et2aQpodyqd8zDf8Zo4AzXDP7P1hndR3DFN7DK7FfzfGjbzoI\neOrbYDKM/8g/7G2BD53isaqRxXe0mbCsnGGS9qW0LnqbZHroIHzkSfaE07RZSuy3\ncGULnAlIuR23/9VjSUP7wAO2\n-----END PRIVATE KEY-----\n" + certificate := "-----BEGIN 
CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIUBX/p1ZN7UFuCsygfIOHmEDpVHtswDQYJKoZIhvcNAQEL\nBQAwOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAG\nA1UEAwwJbG9jYWxob3N0MB4XDTIyMTAwMzEwMzYxMloXDTIzMTAwMzEwMzYxMlow\nOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAGA1UE\nAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxco1\nghNhYlbOR9fik7OgwGsQpsrVRUspB8iWJr2AUsNUyPPh6NVlijmPKvxLWFaWHWqt\nCC3hhYQOs5Jd9lWCvKCREfnMhuuYr6SKBQhkudlVso4p643BcbBH+EuL4Jf0D22k\nmc99rRx9YeesDJ4UUfHyxrGPpNlVcKU3bmoPRFAELL5Tt69GhK+d/4Nsk5j4MMeR\nhh4gzGpgevYPulCzeNkcRp1oYFJwy0H12NMjf6cFCgv7pK0zMv/iJlQ7rJCb0Jzy\n5Fe9BaD8Kid4GFAN0H0P5US6bfTfOzRVXVbCXFa7jWkewe02vBoZbuXl53cvlUTV\nPq0vCnS+I9YxMXjKxwIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYD\nVR0OBBYEFP/P8Vy9b+Kvx9t6i5TVOjiD5OT1MB8GA1UdIwQYMBaAFI62bpw2BVd6\n5l3PN3wR83xxhk0VMA0GCSqGSIb3DQEBCwUAA4IBAQCWNO04okw24eoQVdapxkZP\n+YiCRwV9AWUvssr9qccrXZCVpERBVTFu1rx20KDenU8u8weGTu9Esx7uzkn6zaqV\n83mNYJi4FjrVMRz75YdvMjIG8E0/+9P3/Zw+3ui5HFD5e2pPgN03EgXivM/BswGz\nxctkAC04lu2bvkGHeyzURSMB65Wtv+YvaGC7WigdO+PQavStGGOuv4koIbs3ZNyg\nh2LJ7Uc6TiRSEHTnics+tsBbvy23v4At9hSw5xdicCe/TODcTcmZutelnHp0NjH1\nHiRJdUhfEnQm3VhdJGLhrO19QU4cD9TKp5csixZgY2DUqnsZAerwOqccJN1bfAvT\n-----END CERTIFICATE-----\n" + authURL := "www.example.com" + certSha := "6e268674edb6685600ffcb61552c900c6ea9d42d391c63e188fc7ccff967f86a" + keySha := "0ebb97467eb55862b26c5c10ec25a57114bc7e25a99530a52b7f5fdb5ff0f377" + expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL + + //when + //tlsCert, err := tls.X509KeyPair([]byte(certificate), []byte(privateKey)) + key, err := generateKey(clientID, certificate, privateKey, authURL) + + //then + require.NoError(b, err) + require.Equal(b, expectedKey, key) +} diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index 5678a70cbf14..bfd3427ad752 100644 
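Review bot: `TestGenerateKey` and `BenchmarkBase64decode` each embed a complete PEM private key and certificate as string literals, which secret scanners will flag and which a reader cannot tell apart from a real credential; generating the pair at test time, or loading one shared and clearly labelled fixture, avoids committing the key material twice. The benchmark never iterates over `b.N` and does no base64 work, so it measures nothing and its name is misleading; wrap the `generateKey` call in the usual `b.N` loop and rename it, and finish the subtest name `"should"`. `generateKey` is not among the files this commit touches, so the package presumably does not compile until a later patch adds it. The expected key also includes a hash of the private key; the certificate fingerprint already identifies the key pair, so hashing the private key looks unnecessary and is worth confirming.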
--- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go @@ -65,6 +65,7 @@ func (c *client) GetTokenMTLS(clientID, clientSecret string, authURL string, cer return token, nil } + //tutaj zrobic keypar x509 cos tam na slacku mam tokenResponse, err := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify) if err != nil { return "", err From 77898463893e3f920e80ee19f8b225fa399e36c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Mon, 24 Oct 2022 14:49:48 +0200 Subject: [PATCH 03/10] cache key by SHA on mTLS OAuth --- .../pkg/authorization/factory.go | 3 +- .../pkg/authorization/factory_test.go | 6 +- .../pkg/authorization/mocks/OAuthClient.go | 16 ++--- .../pkg/authorization/oauth/key.go | 6 ++ .../pkg/authorization/oauth/key_test.go | 70 +++++++------------ .../pkg/authorization/oauth/mocks/Client.go | 16 ++--- .../pkg/authorization/oauth/oauthclient.go | 30 ++++++-- .../authorization/oauth/oauthclient_test.go | 38 ++++++++++ .../pkg/authorization/oauthcertstrategy.go | 11 +-- .../authorization/oauthcertstrategy_test.go | 12 +--- 10 files changed, 114 insertions(+), 94 deletions(-) create mode 100644 components/central-application-gateway/pkg/authorization/oauth/key.go diff --git a/components/central-application-gateway/pkg/authorization/factory.go b/components/central-application-gateway/pkg/authorization/factory.go index 7aecd3cd1e1e..357262884a5e 100644 --- a/components/central-application-gateway/pkg/authorization/factory.go +++ b/components/central-application-gateway/pkg/authorization/factory.go @@ -1,7 +1,6 @@ package authorization import ( - "crypto/tls" "net/http" "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/oauth" 
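Review bot: The added comment `//tutaj zrobic keypar x509 cos tam na slacku mam` is a personal reminder in Polish that refers to a Slack message repository readers cannot see; replace it with an English TODO that states the intent, for example `// TODO: build the X.509 key pair here`, or drop it before merging. The context line below it shows `requestTokenMTLS(clientID, authURL, cert, ...)` is called without `clientSecret`, so in `GetTokenMTLS` the secret only feeds the cache key and is never part of the token request. `GetTokenMTLS` starts and ends outside this hunk.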
@@ -29,7 +28,7 @@ type StrategyFactory interface { type OAuthClient interface { // GetToken obtains OAuth token GetToken(clientID string, clientSecret string, authURL string, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) - GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) + GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) // InvalidateTokenCache resets internal token cache InvalidateTokenCache(clientID string, clientSecret string, authURL string) } diff --git a/components/central-application-gateway/pkg/authorization/factory_test.go b/components/central-application-gateway/pkg/authorization/factory_test.go index 785b6527d045..387a3bb4eac9 100644 --- a/components/central-application-gateway/pkg/authorization/factory_test.go +++ b/components/central-application-gateway/pkg/authorization/factory_test.go @@ -2,6 +2,7 @@ package authorization import ( "crypto/tls" + "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" "net/http" "testing" 
@@ -147,11 +148,8 @@ func TestStrategyFactory(t *testing.T) { t.Run("should create oauth with cert strategy", func(t *testing.T) { // given - pair, err := tls.X509KeyPair(certificate, privateKey) - require.NoError(t, err) - oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", pair, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) factory := authorizationStrategyFactory{oauthClient: oauthClientMock} credentials := &Credentials{ diff --git a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go index ce11c49e17a1..4b894ee7f380 100644 --- a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go +++ b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go @@ -6,8 +6,6 @@ import ( apperrors "github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors" mock "github.com/stretchr/testify/mock" - - tls "crypto/tls" ) // OAuthClient is an autogenerated mock type for the OAuthClient type 
@@ -38,20 +36,20 @@ func (_m *OAuthClient) GetToken(clientID string, clientSecret string, authURL st return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification -func (_m *OAuthClient) GetTokenMTLS(clientID string, clientSecret string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification) +// GetTokenMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify +func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, certificate []byte, privateKey []byte, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) var r0 string - if rf, ok := ret.Get(0).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(0).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(1).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = 
rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(apperrors.AppError) diff --git a/components/central-application-gateway/pkg/authorization/oauth/key.go b/components/central-application-gateway/pkg/authorization/oauth/key.go new file mode 100644 index 000000000000..6fb8166475bd --- /dev/null +++ b/components/central-application-gateway/pkg/authorization/oauth/key.go @@ -0,0 +1,6 @@ +package oauth + +// +//func generateKey(id, url string, certificate, privateKey []byte) (string, error) { +// +//} diff --git a/components/central-application-gateway/pkg/authorization/oauth/key_test.go b/components/central-application-gateway/pkg/authorization/oauth/key_test.go index c3f80d520bc5..e0aa38865596 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/key_test.go +++ b/components/central-application-gateway/pkg/authorization/oauth/key_test.go 
@@ -1,46 +1,28 @@ package oauth -import ( - "github.com/stretchr/testify/require" - "testing" -) - -func TestGenerateKey(t *testing.T) { - t.Run("should", func(t *testing.T) { - //given - clientID := "clientID" - privateKey := "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFyjWCE2FiVs5H\n1+KTs6DAaxCmytVFSykHyJYmvYBSw1TI8+Ho1WWKOY8q/EtYVpYdaq0ILeGFhA6z\nkl32VYK8oJER+cyG65ivpIoFCGS52VWyjinrjcFxsEf4S4vgl/QPbaSZz32tHH1h\n56wMnhRR8fLGsY+k2VVwpTduag9EUAQsvlO3r0aEr53/g2yTmPgwx5GGHiDMamB6\n9g+6ULN42RxGnWhgUnDLQfXY0yN/pwUKC/ukrTMy/+ImVDuskJvQnPLkV70FoPwq\nJ3gYUA3QfQ/lRLpt9N87NFVdVsJcVruNaR7B7Ta8Ghlu5eXndy+VRNU+rS8KdL4j\n1jExeMrHAgMBAAECggEAVpsOp/jFfRJme8XXg/Y1Dtwyq94H2bIp8qsNuEPlAxhd\nsSo9Ar8iGY7PljJn6XPsgk/6GSlB5T0oVM/jzd+ugdrK+vSG7pMNxecFumNs+4Xj\nRO6EA40MJbRbJykpQ/w1VWYcm27j6F+ftTWEu/eiDSmktQT90WCKzWrCpVnSeoXL\npssENiEzhU3lsgK+M8bj7GmCiSqz1Ki0qVQzxH1DJeOJ/XI7TYjhYdU+Lchm+PMK\nTUBEtgqEh0GD6XzQ70zjEIzGtpToMTsmIPRhC5t+vNwZp/2ZyONFkj74fP84XZbs\nDW5Ji9JfAyDudPSGSe8+EzA9TBGhd4ik1LmQcvvedQKBgQDV/YS/a+2bQlIrhkdH\n2tWfwuJwAjW0D61t/JftAY7GR3Nys963/4T+rd2TsDs9MF+zACEg7cKeTaC5IgHP\nQ8+TGyHeVaxn+ZnAfF5lrHjXBeMFWZIus/rBDogRy+0mh1oR58Fa0gvFmRBnvaxq\n/q+g1B0/kuJG5k3PrePA99EOBQKBgQDsnoH+uv8/uwRihzgVH47u3XBPwoflSYqi\nezhHWpeZkQ8qfEsX89KUnDc2TGoqBDxHTwcBNu4OQ1cTi0xgMgRFvNiwnyQGlykp\nJixu+MTdcegZbxcS0ippawerm97YNxH6X8LZflguZjVqN/nCk3tJs9iiZyjxNBRW\nRBxvyH/DWwKBgQCpCDEr4900nxa5OsBjigDkydSEFbrGGPwtvTFlDa3yAc639E0h\nmr07T6uPVc31b5iolJmWoTjyQu+KTcqQJkh5Mx11uscM+qTw30zRk4OAli3VtAM8\n0P5qMUhahnM11ATZz+90Bic2VsoWqETh33xr1iGkbio/Rvx/6CPX8ek44QKBgDMx\nXAijpoPAT4ONo8mWKVNun1TyTnqB/beHlzaA2BnGc5SKjaih/OZgIeXihHmQrwXy\niB5wJvL5CMbWtXB+gcQgxnT4CVBPtf0MIELmGZmbgk62ZTSSOdDS8jbjo0P+LiqQ\nO1TY6/Ul8dqIP8YkKGFawrzoOshsrxW26LwakeHPAoGBAKOs3CswKEVU23SY/vsL\nUMMciKXOclS77P+et2aQpodyqd8zDf8Zo4AzXDP7P1hndR3DFN7DK7FfzfGjbzoI\neOrbYDKM/8g/7G2BD53isaqRxXe0mbCsnGGS9qW0LnqbZHroIHzkSfaE07RZSuy3\ncGULnAlIuR23/9VjSUP7wAO2\n-----END PRIVATE KEY-----\n" - certificate := "-----BEGIN 
CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIUBX/p1ZN7UFuCsygfIOHmEDpVHtswDQYJKoZIhvcNAQEL\nBQAwOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAG\nA1UEAwwJbG9jYWxob3N0MB4XDTIyMTAwMzEwMzYxMloXDTIzMTAwMzEwMzYxMlow\nOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAGA1UE\nAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxco1\nghNhYlbOR9fik7OgwGsQpsrVRUspB8iWJr2AUsNUyPPh6NVlijmPKvxLWFaWHWqt\nCC3hhYQOs5Jd9lWCvKCREfnMhuuYr6SKBQhkudlVso4p643BcbBH+EuL4Jf0D22k\nmc99rRx9YeesDJ4UUfHyxrGPpNlVcKU3bmoPRFAELL5Tt69GhK+d/4Nsk5j4MMeR\nhh4gzGpgevYPulCzeNkcRp1oYFJwy0H12NMjf6cFCgv7pK0zMv/iJlQ7rJCb0Jzy\n5Fe9BaD8Kid4GFAN0H0P5US6bfTfOzRVXVbCXFa7jWkewe02vBoZbuXl53cvlUTV\nPq0vCnS+I9YxMXjKxwIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYD\nVR0OBBYEFP/P8Vy9b+Kvx9t6i5TVOjiD5OT1MB8GA1UdIwQYMBaAFI62bpw2BVd6\n5l3PN3wR83xxhk0VMA0GCSqGSIb3DQEBCwUAA4IBAQCWNO04okw24eoQVdapxkZP\n+YiCRwV9AWUvssr9qccrXZCVpERBVTFu1rx20KDenU8u8weGTu9Esx7uzkn6zaqV\n83mNYJi4FjrVMRz75YdvMjIG8E0/+9P3/Zw+3ui5HFD5e2pPgN03EgXivM/BswGz\nxctkAC04lu2bvkGHeyzURSMB65Wtv+YvaGC7WigdO+PQavStGGOuv4koIbs3ZNyg\nh2LJ7Uc6TiRSEHTnics+tsBbvy23v4At9hSw5xdicCe/TODcTcmZutelnHp0NjH1\nHiRJdUhfEnQm3VhdJGLhrO19QU4cD9TKp5csixZgY2DUqnsZAerwOqccJN1bfAvT\n-----END CERTIFICATE-----\n" - authURL := "www.example.com" - certSha := "6e268674edb6685600ffcb61552c900c6ea9d42d391c63e188fc7ccff967f86a" - keySha := "0ebb97467eb55862b26c5c10ec25a57114bc7e25a99530a52b7f5fdb5ff0f377" - expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL - - //when - //tlsCert, err := tls.X509KeyPair([]byte(certificate), []byte(privateKey)) - key, err := generateKey(clientID, certificate, privateKey, authURL) - - //then - require.NoError(t, err) - require.Equal(t, expectedKey, key) - }) -} - -func BenchmarkBase64decode(b *testing.B) { - //given - clientID := "clientID" - privateKey := "-----BEGIN PRIVATE 
KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFyjWCE2FiVs5H\n1+KTs6DAaxCmytVFSykHyJYmvYBSw1TI8+Ho1WWKOY8q/EtYVpYdaq0ILeGFhA6z\nkl32VYK8oJER+cyG65ivpIoFCGS52VWyjinrjcFxsEf4S4vgl/QPbaSZz32tHH1h\n56wMnhRR8fLGsY+k2VVwpTduag9EUAQsvlO3r0aEr53/g2yTmPgwx5GGHiDMamB6\n9g+6ULN42RxGnWhgUnDLQfXY0yN/pwUKC/ukrTMy/+ImVDuskJvQnPLkV70FoPwq\nJ3gYUA3QfQ/lRLpt9N87NFVdVsJcVruNaR7B7Ta8Ghlu5eXndy+VRNU+rS8KdL4j\n1jExeMrHAgMBAAECggEAVpsOp/jFfRJme8XXg/Y1Dtwyq94H2bIp8qsNuEPlAxhd\nsSo9Ar8iGY7PljJn6XPsgk/6GSlB5T0oVM/jzd+ugdrK+vSG7pMNxecFumNs+4Xj\nRO6EA40MJbRbJykpQ/w1VWYcm27j6F+ftTWEu/eiDSmktQT90WCKzWrCpVnSeoXL\npssENiEzhU3lsgK+M8bj7GmCiSqz1Ki0qVQzxH1DJeOJ/XI7TYjhYdU+Lchm+PMK\nTUBEtgqEh0GD6XzQ70zjEIzGtpToMTsmIPRhC5t+vNwZp/2ZyONFkj74fP84XZbs\nDW5Ji9JfAyDudPSGSe8+EzA9TBGhd4ik1LmQcvvedQKBgQDV/YS/a+2bQlIrhkdH\n2tWfwuJwAjW0D61t/JftAY7GR3Nys963/4T+rd2TsDs9MF+zACEg7cKeTaC5IgHP\nQ8+TGyHeVaxn+ZnAfF5lrHjXBeMFWZIus/rBDogRy+0mh1oR58Fa0gvFmRBnvaxq\n/q+g1B0/kuJG5k3PrePA99EOBQKBgQDsnoH+uv8/uwRihzgVH47u3XBPwoflSYqi\nezhHWpeZkQ8qfEsX89KUnDc2TGoqBDxHTwcBNu4OQ1cTi0xgMgRFvNiwnyQGlykp\nJixu+MTdcegZbxcS0ippawerm97YNxH6X8LZflguZjVqN/nCk3tJs9iiZyjxNBRW\nRBxvyH/DWwKBgQCpCDEr4900nxa5OsBjigDkydSEFbrGGPwtvTFlDa3yAc639E0h\nmr07T6uPVc31b5iolJmWoTjyQu+KTcqQJkh5Mx11uscM+qTw30zRk4OAli3VtAM8\n0P5qMUhahnM11ATZz+90Bic2VsoWqETh33xr1iGkbio/Rvx/6CPX8ek44QKBgDMx\nXAijpoPAT4ONo8mWKVNun1TyTnqB/beHlzaA2BnGc5SKjaih/OZgIeXihHmQrwXy\niB5wJvL5CMbWtXB+gcQgxnT4CVBPtf0MIELmGZmbgk62ZTSSOdDS8jbjo0P+LiqQ\nO1TY6/Ul8dqIP8YkKGFawrzoOshsrxW26LwakeHPAoGBAKOs3CswKEVU23SY/vsL\nUMMciKXOclS77P+et2aQpodyqd8zDf8Zo4AzXDP7P1hndR3DFN7DK7FfzfGjbzoI\neOrbYDKM/8g/7G2BD53isaqRxXe0mbCsnGGS9qW0LnqbZHroIHzkSfaE07RZSuy3\ncGULnAlIuR23/9VjSUP7wAO2\n-----END PRIVATE KEY-----\n" - certificate := "-----BEGIN 
CERTIFICATE-----\nMIIDXDCCAkSgAwIBAgIUBX/p1ZN7UFuCsygfIOHmEDpVHtswDQYJKoZIhvcNAQEL\nBQAwOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAG\nA1UEAwwJbG9jYWxob3N0MB4XDTIyMTAwMzEwMzYxMloXDTIzMTAwMzEwMzYxMlow\nOzELMAkGA1UEBhMCUEwxCjAIBgNVBAgMAUExDDAKBgNVBAoMA1NBUDESMBAGA1UE\nAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxco1\nghNhYlbOR9fik7OgwGsQpsrVRUspB8iWJr2AUsNUyPPh6NVlijmPKvxLWFaWHWqt\nCC3hhYQOs5Jd9lWCvKCREfnMhuuYr6SKBQhkudlVso4p643BcbBH+EuL4Jf0D22k\nmc99rRx9YeesDJ4UUfHyxrGPpNlVcKU3bmoPRFAELL5Tt69GhK+d/4Nsk5j4MMeR\nhh4gzGpgevYPulCzeNkcRp1oYFJwy0H12NMjf6cFCgv7pK0zMv/iJlQ7rJCb0Jzy\n5Fe9BaD8Kid4GFAN0H0P5US6bfTfOzRVXVbCXFa7jWkewe02vBoZbuXl53cvlUTV\nPq0vCnS+I9YxMXjKxwIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYD\nVR0OBBYEFP/P8Vy9b+Kvx9t6i5TVOjiD5OT1MB8GA1UdIwQYMBaAFI62bpw2BVd6\n5l3PN3wR83xxhk0VMA0GCSqGSIb3DQEBCwUAA4IBAQCWNO04okw24eoQVdapxkZP\n+YiCRwV9AWUvssr9qccrXZCVpERBVTFu1rx20KDenU8u8weGTu9Esx7uzkn6zaqV\n83mNYJi4FjrVMRz75YdvMjIG8E0/+9P3/Zw+3ui5HFD5e2pPgN03EgXivM/BswGz\nxctkAC04lu2bvkGHeyzURSMB65Wtv+YvaGC7WigdO+PQavStGGOuv4koIbs3ZNyg\nh2LJ7Uc6TiRSEHTnics+tsBbvy23v4At9hSw5xdicCe/TODcTcmZutelnHp0NjH1\nHiRJdUhfEnQm3VhdJGLhrO19QU4cD9TKp5csixZgY2DUqnsZAerwOqccJN1bfAvT\n-----END CERTIFICATE-----\n" - authURL := "www.example.com" - certSha := "6e268674edb6685600ffcb61552c900c6ea9d42d391c63e188fc7ccff967f86a" - keySha := "0ebb97467eb55862b26c5c10ec25a57114bc7e25a99530a52b7f5fdb5ff0f377" - expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL - - //when - //tlsCert, err := tls.X509KeyPair([]byte(certificate), []byte(privateKey)) - key, err := generateKey(clientID, certificate, privateKey, authURL) - - //then - require.NoError(b, err) - require.Equal(b, expectedKey, key) -} +// +//import ( +// "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" +// "github.com/stretchr/testify/require" +// "testing" +//) +// +//func TestGenerateKey(t *testing.T) { +// t.Run("should", func(t *testing.T) { 
+// //given +// clientID := "clientID" +// certificate := []byte(testconsts.Certificate) +// privateKey := []byte(testconsts.PrivateKey) +// authURL := "www.example.com" +// certSha := "764a894fc802acd8edfa2771e9e424c8868d5891a58a345f04e898a5cec06a21" +// keySha := "840a2bfed372a0b2f01b0be877978bb5a56d9b83dee199fe11d55819d20ead18" +// expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL +// +// //when +// key, err := generateKey(clientID, authURL, certificate, privateKey) +// +// //then +// require.NoError(t, err) +// require.Equal(t, expectedKey, key) +// }) +//} diff --git a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go index 63ffbc7f955b..0cea5d7974cd 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go +++ b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go @@ -5,8 +5,6 @@ package mocks import ( apperrors "github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors" mock "github.com/stretchr/testify/mock" - - tls "crypto/tls" ) // Client is an autogenerated mock type for the Client type 
@@ -37,20 +35,20 @@ func (_m *Client) GetToken(clientID string, clientSecret string, authURL string, return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify -func (_m *Client) GetTokenMTLS(clientID string, clientSecret string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) +// GetTokenMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify +func (_m *Client) GetTokenMTLS(clientID string, authURL string, certificate []byte, privateKey []byte, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) var r0 string - if rf, ok := ret.Get(0).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(0).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, clientSecret, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(1).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = rf(clientID, authURL, certificate, privateKey, headers, 
queryParameters, skipVerify) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(apperrors.AppError) diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index bfd3427ad752..96fb5b75c12b 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go @@ -2,8 +2,11 @@ package oauth import ( "context" + "crypto/sha256" "crypto/tls" + "encoding/hex" "encoding/json" + "fmt" "io/ioutil" "net/http" "net/url" @@ -27,7 +30,7 @@ type oauthResponse struct { //go:generate mockery --name=Client type Client interface { GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) - GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) + GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) InvalidateTokenCache(clientID string, clientSecret string, authURL string) } 
@@ -59,19 +62,23 @@ func (c *client) GetToken(clientID, clientSecret, authURL string, headers, query
 return tokenResponse.AccessToken, nil
 }
-func (c *client) GetTokenMTLS(clientID, clientSecret string, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) {
- token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL))
+func (c *client) GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) {
+ token, found := c.tokenCache.Get(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey))
 if found {
 return token, nil
 }
- //tutaj zrobic keypar x509 cos tam na slacku mam
- tokenResponse, err := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify)
+ cert, err := tls.X509KeyPair(certificate, privateKey)
 if err != nil {
- return "", err
+ return "", apperrors.Internal("Failed to prepare certificate, %s", err.Error())
 }
- c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
+ tokenResponse, requestError := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify)
+ if err != nil {
+ return "", requestError
+ }
+
+ c.tokenCache.Add(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
 return tokenResponse.AccessToken, nil
 }
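Review bot: The error check after `requestTokenMTLS` tests the wrong variable: `if err != nil` refers to the `err` from `tls.X509KeyPair`, which is already known to be nil at that point, so a failed token request is never returned and `tokenResponse.AccessToken` is read from a possibly nil response. The check should read `if requestError != nil { return "", requestError }`. The `tokenResponse == nil` guard added later in PATCH 05/10 (the `@@ -79,6 +79,10 @@` hunk of oauthclient.go) only avoids the panic and replaces the real cause with a generic "possible certificate problem" message, which makes failed mTLS token fetches harder to diagnose. Computing the key once at the top (`key := c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey)`) would also avoid hashing the certificate and private key twice on every cache miss.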
@@ -85,6 +92,15 @@ func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string)
 return clientID + clientSecret + authURL
 }
+func (c *client) makeMTLSOAuthTokenCacheKey(clientID, authURL string, certificate, privateKey []byte) string {
+ certificateSha := sha256.Sum256(certificate)
+ keySha := sha256.Sum256(privateKey)
+
+ hashedCertificate := hex.EncodeToString(certificateSha[:])
+ hashedKey := hex.EncodeToString(keySha[:])
+ return fmt.Sprintf("%v-%v-%v-%v", clientID, hashedCertificate, hashedKey, authURL)
+}
+
 func (c *client) requestToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (*oauthResponse, apperrors.AppError) {
 transport := &http.Transport{
 TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
index f97660cb822d..420df2b99823 100644
--- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
+++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
@@ -3,6 +3,7 @@ package oauth
 import (
 "encoding/base64"
 "encoding/json"
+ "github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors"
 "net/http"
 "net/http/httptest"
 "strings"
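Review bot: `makeMTLSOAuthTokenCacheKey` has no comment saying what the key binds, and that matters here because the key decides which callers may be handed the same cached bearer token. I would add `// makeMTLSOAuthTokenCacheKey keys the token by client ID, auth URL and the SHA-256 digests of the certificate and private key, so a token is reused only for the same key pair and no raw key material ends up in the cache key.` The context line above shows `makeOAuthTokenCacheKey` still concatenating the raw `clientSecret` with no separators, so the two key formats stored in the same `tokenCache` are inconsistent; delimiting and hashing that one as well would be a reasonable follow-up. `%s` is the more usual verb than `%v` for four string arguments.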
@@ -226,6 +227,43 @@ func TestOauthClient_GetToken(t *testing.T) {
 })
 }
+func TestOauthClient_GetTokenMTLS(t *testing.T) {
+ var certSHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ var keySHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+
+ t.Run("should get token from cache if present", func(t *testing.T) {
+ // given
+ tokenCache := mocks.TokenCache{}
+ tokenCache.On("Get", "testID-"+certSHA+"-"+keySHA+"-testURL").Return("123456789", true)
+
+ oauthClient := NewOauthClient(10, &tokenCache)
+
+ // when
+ token, err := oauthClient.GetTokenMTLS("testID", "testURL", []byte("test"), []byte("test"), nil, nil, false)
+
+ // then
+ require.NoError(t, err)
+ assert.Equal(t, "123456789", token)
+ tokenCache.AssertExpectations(t)
+ })
+
+ t.Run("should fail if Certificate and Private Key is not valid", func(t *testing.T) {
+ // given
+ tokenCache := mocks.TokenCache{}
+ tokenCache.On("Get", "testID-"+certSHA+"-"+keySHA+"-testURL").Return("", false)
+
+ oauthClient := NewOauthClient(10, &tokenCache)
+
+ // when
+ token, err := oauthClient.GetTokenMTLS("testID", "testURL", []byte("test"), []byte("test"), nil, nil, false)
+
+ // then
+ assert.Error(t, err, apperrors.Internal("Failed to prepare certificate, %s", err.Error()))
+ assert.Equal(t, "", token)
+ tokenCache.AssertExpectations(t)
+ })
+}
+
 func checkAccessTokenRequest(t *testing.T, r *http.Request) {
 err := r.ParseForm()
 require.NoError(t, err)
diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go
index bba395c2e6ff..7d1a58d70199 100644
--- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go
+++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go
@@ -1,7 +1,6 @@
 package authorization
 import (
- "crypto/tls"
 "fmt"
 "net/http"
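Review bot: The second subtest does not check which error came back: in `assert.Error(t, err, apperrors.Internal(...))` the third argument is only the failure message, not an expected value, and the `err.Error()` inside it would panic on a nil `err` before the assertion runs. `require.Error(t, err)` followed by `assert.Contains(t, err.Error(), "Failed to prepare certificate")` would pin the intended behaviour. Neither subtest covers the path where the key pair parses and the token request itself fails, which is where the `err` / `requestError` mix-up in `GetTokenMTLS` sits. `certSHA` and `keySHA` are the same digest because both inputs are `[]byte("test")`, so distinct inputs would be needed to show that each hash lands in the right position of the cache key.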
@@ -37,12 +36,8 @@ func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, clientSe func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.SetClientCertificateFunc, skipTLSVerification bool) apperrors.AppError { log.Infof("Passing skipTLSVerification=%v to GetTokenMTLS", skipTLSVerification) - cert, err := o.prepareCertificate() - if err != nil { - return apperrors.Internal("Failed to prepare certificate, %s", err.Error()) - } headers, queryParameters := o.requestParameters.unpack() - token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.clientSecret, o.url, cert, headers, queryParameters, skipTLSVerification) + token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.url, o.certificate, o.privateKey, headers, queryParameters, skipTLSVerification) if err != nil { log.Errorf("failed to get token : '%s'", err) return apperrors.Internal("Failed to get token: %s", err.Error()) @@ -56,7 +51,3 @@ func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.Se func (o oauthWithCertStrategy) Invalidate() { o.oauthClient.InvalidateTokenCache(o.clientId, o.clientSecret, o.url) } - -func (o oauthWithCertStrategy) prepareCertificate() (tls.Certificate, error) { - return tls.X509KeyPair(o.certificate, o.privateKey) -} diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go index 3b4aef056afd..9015f5d9a4d4 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go @@ -1,6 +1,7 @@ package authorization import ( + "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" "net/http" "testing" 
@@ -20,10 +21,7 @@ func TestAuthWithCerStrategy(t *testing.T) { oauthStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) - prepareCertificate, err := oauthStrategy.prepareCertificate() - require.NoError(t, err) - - oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) request, err := http.NewRequest("GET", "www.example.com", nil) require.NoError(t, err) @@ -56,11 +54,7 @@ func TestAuthWithCerStrategy(t *testing.T) { oauthClientMock := &oauthMocks.Client{} authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) - - prepareCertificate, err := authWithCertStrategy.prepareCertificate() - require.NoError(t, err) - - oauthClientMock.On("GetTokenMTLS", "clientId", "clientSecret", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once() + oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once() request, err := http.NewRequest("GET", "www.example.com", nil) require.NoError(t, err) From c62373a45d92aa689469bd8f612188aa02d7516f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Tue, 25 Oct 2022 12:19:40 +0200 Subject: [PATCH 04/10] invalidate mTLS token cache --- .../central-application-gateway/pkg/authorization/factory.go | 1 + .../pkg/authorization/mocks/OAuthClient.go | 5 +++++ .../pkg/authorization/oauth/mocks/Client.go | 5 +++++ .../pkg/authorization/oauth/oauthclient.go | 5 +++++ .../pkg/authorization/oauthcertstrategy.go | 2 +- .../pkg/authorization/oauthcertstrategy_test.go | 2 +- 6 files changed, 18 insertions(+), 2 deletions(-) diff --git a/components/central-application-gateway/pkg/authorization/factory.go b/components/central-application-gateway/pkg/authorization/factory.go index 357262884a5e..381b10e90647 100644 --- a/components/central-application-gateway/pkg/authorization/factory.go +++ b/components/central-application-gateway/pkg/authorization/factory.go @@ -31,6 +31,7 @@ type OAuthClient interface { GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) // InvalidateTokenCache resets internal token cache InvalidateTokenCache(clientID string, clientSecret string, authURL string) + InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte) } type authorizationStrategyFactory struct { diff --git a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go index 4b894ee7f380..827f147d0b4b 100644 --- a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go +++ b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go 
@@ -64,6 +64,11 @@ func (_m *OAuthClient) InvalidateTokenCache(clientID string, clientSecret string _m.Called(clientID, clientSecret, authURL) } +// InvalidateTokenCacheMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey +func (_m *OAuthClient) InvalidateTokenCacheMTLS(clientID string, authURL string, certificate []byte, privateKey []byte) { + _m.Called(clientID, authURL, certificate, privateKey) +} + type mockConstructorTestingTNewOAuthClient interface { mock.TestingT Cleanup(func()) diff --git a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go index 0cea5d7974cd..5d97fce9fa47 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go +++ b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go @@ -63,6 +63,11 @@ func (_m *Client) InvalidateTokenCache(clientID string, clientSecret string, aut _m.Called(clientID, clientSecret, authURL) } +// InvalidateTokenCacheMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey +func (_m *Client) InvalidateTokenCacheMTLS(clientID string, authURL string, certificate []byte, privateKey []byte) { + _m.Called(clientID, authURL, certificate, privateKey) +} + type mockConstructorTestingTNewClient interface { mock.TestingT Cleanup(func()) diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index 96fb5b75c12b..9e16664a03eb 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go 
@@ -32,6 +32,7 @@ type Client interface { GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) InvalidateTokenCache(clientID string, clientSecret string, authURL string) + InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte) } type client struct { @@ -87,6 +88,10 @@ func (c *client) InvalidateTokenCache(clientID, clientSecret, authURL string) { c.tokenCache.Remove(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL)) } +func (c *client) InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte) { + c.tokenCache.Remove(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey)) +} + // to avoid case of single clientID and different endpoints for MTLS and standard oauth func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string) string { return clientID + clientSecret + authURL diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go index 7d1a58d70199..35b71dbef610 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go @@ -49,5 +49,5 @@ func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.Se } func (o oauthWithCertStrategy) Invalidate() { - o.oauthClient.InvalidateTokenCache(o.clientId, o.clientSecret, o.url) + o.oauthClient.InvalidateTokenCacheMTLS(o.clientId, o.url, o.certificate, o.privateKey) } 
diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go index 9015f5d9a4d4..b3ea10ea1414 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go @@ -38,7 +38,7 @@ func TestAuthWithCerStrategy(t *testing.T) { t.Run("should invalidate cache", func(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once() + oauthClientMock.On("InvalidateTokenCacheMTLS", "clientId", "www.example.com/token", certificate, privateKey).Return("token", nil).Once() authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) From 91060ee5e71f3ad29cd293bfcd9cb3286874b66b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Thu, 27 Oct 2022 12:45:41 +0200 Subject: [PATCH 05/10] fix nil pointer, doc update, secret modify --- .../pkg/authorization/oauth/oauthclient.go | 4 ++++ .../application-connector/docs/application-gateway-tests.md | 2 +- .../credentials/mtls-oauth-nagative-other-ca.yaml | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index 9e16664a03eb..0a3aa0e4215d 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go 
@@ -79,6 +79,10 @@ func (c *client) GetTokenMTLS(clientID, authURL string, certificate, privateKey return "", requestError } + if tokenResponse == nil { + return "", apperrors.Internal("Failed to fetch token, possible certificate problem") + } + c.tokenCache.Add(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey), tokenResponse.AccessToken, tokenResponse.ExpiresIn) return tokenResponse.AccessToken, nil diff --git a/tests/components/application-connector/docs/application-gateway-tests.md b/tests/components/application-connector/docs/application-gateway-tests.md index e64516953bc3..63e26b23b450 100644 --- a/tests/components/application-connector/docs/application-gateway-tests.md +++ b/tests/components/application-connector/docs/application-gateway-tests.md @@ -194,7 +194,7 @@ To run the mock application locally, follow these steps: ```shell - docker run -p 8180:8080 -p 8190:8090 -v "$PWD/k8s/gateway-test/certs:/etc/secret-volume:ro" "$DOCKER_PUSH_REPOSITORY/mock-app:$DOCKER_TAG" + docker run -p 8180:8080 -p 8190:8090 -v "$PWD/resources/charts/gateway-test/charts/test/certs/positive:/etc/secret-volume:ro" -v "$PWD/resources/charts/gateway-test/charts/test/certs/negative:/etc/expired-server-cert-volume:ro" "$DOCKER_PUSH_REPOSITORY/mock-app:$DOCKER_TAG" ``` diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml index 9ebc518018e7..30171e395757 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml 
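Review bot: The added `tokenResponse == nil` guard in `GetTokenMTLS` prevents the nil dereference, but a response that decodes with an empty `AccessToken` still reaches `c.tokenCache.Add` and stays cached for `ExpiresIn`, so callers would keep receiving an empty token until the entry expires or is invalidated. I would widen the check to `if tokenResponse == nil || tokenResponse.AccessToken == "" {`. A nil response alongside a nil `requestError` also suggests the request helper has a path that reports success without a result; that helper is outside this hunk, and returning an error there would let this message state the real cause instead of "possible certificate problem". `GetTokenMTLS` starts and ends outside the hunk.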
@@ -8,4 +8,4 @@ data: {{- $files := .Files }} crt: {{ $files.Get "certs/negative/client.crt" | b64enc }} key: {{ $files.Get "certs/negative/client.key" | b64enc }} - clientId: {{ "someClientID1" | b64enc }} + clientId: {{ "clientID" | b64enc }} From 0f977e42bc19a1598907f388ff061ee45eb0f52a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Thu, 27 Oct 2022 12:59:45 +0200 Subject: [PATCH 06/10] delete unnecessary files --- .../pkg/authorization/oauth/key.go | 6 ---- .../pkg/authorization/oauth/key_test.go | 28 ------------------- 2 files changed, 34 deletions(-) delete mode 100644 components/central-application-gateway/pkg/authorization/oauth/key.go delete mode 100644 components/central-application-gateway/pkg/authorization/oauth/key_test.go diff --git a/components/central-application-gateway/pkg/authorization/oauth/key.go b/components/central-application-gateway/pkg/authorization/oauth/key.go deleted file mode 100644 index 6fb8166475bd..000000000000 --- a/components/central-application-gateway/pkg/authorization/oauth/key.go +++ /dev/null @@ -1,6 +0,0 @@ -package oauth - -// -//func generateKey(id, url string, certificate, privateKey []byte) (string, error) { -// -//} diff --git a/components/central-application-gateway/pkg/authorization/oauth/key_test.go b/components/central-application-gateway/pkg/authorization/oauth/key_test.go deleted file mode 100644 index e0aa38865596..000000000000 --- a/components/central-application-gateway/pkg/authorization/oauth/key_test.go +++ /dev/null 
@@ -1,28 +0,0 @@ -package oauth - -// -//import ( -// "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" -// "github.com/stretchr/testify/require" -// "testing" -//) -// -//func TestGenerateKey(t *testing.T) { -// t.Run("should", func(t *testing.T) { -// //given -// clientID := "clientID" -// certificate := []byte(testconsts.Certificate) -// privateKey := []byte(testconsts.PrivateKey) -// authURL := "www.example.com" -// certSha := "764a894fc802acd8edfa2771e9e424c8868d5891a58a345f04e898a5cec06a21" -// keySha := "840a2bfed372a0b2f01b0be877978bb5a56d9b83dee199fe11d55819d20ead18" -// expectedKey := clientID + "-" + certSha + "-" + keySha + "-" + authURL -// -// //when -// key, err := generateKey(clientID, authURL, certificate, privateKey) -// -// //then -// require.NoError(t, err) -// require.Equal(t, expectedKey, key) -// }) -//} From 797d7e10eca4c1813faed7ce278600f0faff9113 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Thu, 27 Oct 2022 13:36:57 +0200 Subject: [PATCH 07/10] generate client cert with incorrect ca --- .../application-connector/Makefile.test-application-gateway | 1 + .../credentials/mtls-oauth-nagative-other-ca.yaml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/components/application-connector/Makefile.test-application-gateway b/tests/components/application-connector/Makefile.test-application-gateway index 40f92783e2b9..694e43c23f20 100644 --- a/tests/components/application-connector/Makefile.test-application-gateway +++ b/tests/components/application-connector/Makefile.test-application-gateway 
@@ -60,4 +60,5 @@ enable-sidecar-after-mtls-test: generate-certs: ./scripts/generate-self-signed-certs.sh $(APP_URL) ./resources/charts/gateway-test/charts/test/certs/positive ./scripts/generate-self-signed-certs.sh $(APP_URL) ./resources/charts/gateway-test/charts/test/certs/negative + ./scripts/generate-self-signed-certs.sh test-other-ca ./resources/charts/gateway-test/charts/test/certs/invalid-ca cp -p -R ./resources/charts/gateway-test/charts/test/certs ./resources/charts/gateway-test/charts/mock-app diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml index 30171e395757..66b51b4e985a 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml @@ -6,6 +6,6 @@ metadata: type: Opaque data: {{- $files := .Files }} - crt: {{ $files.Get "certs/negative/client.crt" | b64enc }} - key: {{ $files.Get "certs/negative/client.key" | b64enc }} + crt: {{ $files.Get "certs/invalid-ca/client.crt" | b64enc }} + key: {{ $files.Get "certs/invalid-ca/client.key" | b64enc }} clientId: {{ "clientID" | b64enc }} From 0b891b88b0311282f98baed9c5f3da2f12e3d2eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Thu, 27 Oct 2022 14:20:09 +0200 Subject: [PATCH 08/10] bump images --- resources/application-connector/values.yaml | 2 +- .../resources/charts/gateway-test/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/resources/application-connector/values.yaml b/resources/application-connector/values.yaml index 51ecad07a071..6df526cd3be9 100644 --- a/resources/application-connector/values.yaml +++ b/resources/application-connector/values.yaml @@ -35,7 +35,7 @@ global: version: "v20221014-8d4d8cf0" central_application_gateway: name: "central-application-gateway" - version: "v20221014-ec1ce988" + version: "PR-15924" busybox: name: "busybox" version: "1.34.1" diff --git a/tests/components/application-connector/resources/charts/gateway-test/values.yaml b/tests/components/application-connector/resources/charts/gateway-test/values.yaml index 7e2934ee99d2..e23b7b58ea83 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/values.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/values.yaml @@ -5,11 +5,11 @@ global: images: gatewayTest: name: "gateway-test" - version: "v20221011-7ff00703" + version: "PR-15924" mockApplication: name: "mock-app" - version: "v20221011-7ff00703" + version: "PR-15924" serviceAccountName: "test-account" namespace: "test" From 01e86a6488c16e7b8fea6243968567a30a2d094a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Mon, 31 Oct 2022 11:58:16 +0100 Subject: [PATCH 09/10] apply review sugestions --- .../mtls-oauth-negative-expired-client-cert.yaml | 2 +- .../mtls-oauth-negative-expired-server-cert.yaml | 6 +++--- .../credentials/oauth-negative-incorrect-id.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml index 37db5024c76d..b890d9486314 100644 
--- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml @@ -7,4 +7,4 @@ type: Opaque data: crt: 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 key: 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 - clientId: {{ "someClientID2" | b64enc }} \ No newline at end of file + clientId: {{ "clientID" | b64enc }} \ No newline at end of file diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml index 1af713b8ce74..545249994f82 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml @@ -5,6 +5,6 @@ metadata: namespace: kyma-integration type: Opaque data: - crt: 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 - key: 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 - clientId: {{ "someClientID3" | b64enc }} \ No newline at end of file + crt: 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 + key: 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 + clientId: {{ "clientID" | b64enc }} \ No newline at end of file 
diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml index 155936ad8e2f..cdf3d8470a16 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml @@ -5,5 +5,5 @@ metadata: namespace: kyma-integration type: Opaque data: - clientId: {{ "bad id" | b64enc }} + clientId: {{ "clientID" | b64enc }} clientSecret: {{ "bad secret" | b64enc }} From e614edc691d60fa6e287376aeef1c9b74b232b2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Foks?= Date: Mon, 31 Oct 2022 12:07:42 +0100 Subject: [PATCH 10/10] revert clientid --- .../applications/credentials/oauth-negative-incorrect-id.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml index cdf3d8470a16..155936ad8e2f 100644 --- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml +++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/oauth-negative-incorrect-id.yaml 
@@ -5,5 +5,5 @@ metadata:
 namespace: kyma-integration
 type: Opaque
 data:
- clientId: {{ "clientID" | b64enc }}
+ clientId: {{ "bad id" | b64enc }}
 clientSecret: {{ "bad secret" | b64enc }}