From b515ea789fd184216e21cf2f708d4f547193b794 Mon Sep 17 00:00:00 2001
From: Michael Crenshaw <michael@crenshaw.dev>
Date: Tue, 12 Jul 2022 13:28:05 -0400
Subject: [PATCH] test: check for error messages from CI env (#9953)

test: check for error messages from CI env (#9953)

Signed-off-by: CI <michael@crenshaw.dev>
---
 util/oidc/oidc_test.go              | 21 +++++++++++++++++----
 util/session/sessionmanager_test.go | 21 +++++++++++++++++----
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go
index e61d0ada3164b..4136a1948e616 100644
--- a/util/oidc/oidc_test.go
+++ b/util/oidc/oidc_test.go
@@ -9,6 +9,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"os"
+	"strings"
 	"testing"
 
 	gooidc "github.com/coreos/go-oidc"
@@ -133,7 +134,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleLogin(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate is not trusted")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -145,6 +148,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleLogin(w, req)
 
 		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 
 	t.Run("dex certificate checking during login should toggle on config", func(t *testing.T) {
@@ -170,7 +174,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleLogin(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -181,6 +187,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleLogin(w, req)
 
+		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 }
@@ -211,7 +218,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleCallback(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate is not trusted")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -223,6 +232,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		app.HandleCallback(w, req)
 
 		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
+		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 
 	t.Run("dex certificate checking during oidc callback should toggle on config", func(t *testing.T) {
@@ -248,7 +258,9 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleCallback(w, req)
 
-		assert.Contains(t, w.Body.String(), "certificate signed by unknown authority")
+		if !strings.Contains(w.Body.String(), "certificate signed by unknown authority") && !strings.Contains(w.Body.String(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 
 		cdSettings.OIDCTLSInsecureSkipVerify = true
 
@@ -259,6 +271,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 
 		app.HandleCallback(w, req)
 
+		assert.NotContains(t, w.Body.String(), "certificate is not trusted")
 		assert.NotContains(t, w.Body.String(), "certificate signed by unknown authority")
 	})
 }
diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go
index 6e35689421eb1..83327e594ce9c 100644
--- a/util/session/sessionmanager_test.go
+++ b/util/session/sessionmanager_test.go
@@ -550,8 +550,10 @@ rootCA: |
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		// If the root CA is being respected, we won't get this error.
+		// If the root CA is being respected, we won't get this error. The error message is environment-dependent, so
+		// we check for either of the error messages associated with a failed cert check.
 		assert.NotContains(t, err.Error(), "certificate is not trusted")
+		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 
 	t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
@@ -585,7 +587,10 @@ rootCA: |
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.ErrorContains(t, err, "certificate signed by unknown authority")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is external, TLS is configured", func(t *testing.T) {
@@ -619,7 +624,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.ErrorContains(t, err, "certificate is not trusted")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is Dex, TLS is configured", func(t *testing.T) {
@@ -653,7 +661,10 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
-		assert.ErrorContains(t, err, "certificate signed by unknown authority")
+		require.Error(t, err)
+		if !strings.Contains(err.Error(), "certificate signed by unknown authority") && !strings.Contains(err.Error(), "certificate is not trusted") {
+			t.Fatal("did not receive expected certificate verification failure error")
+		}
 	})
 
 	t.Run("OIDC provider is external, TLS is configured, OIDCTLSInsecureSkipVerify is true", func(t *testing.T) {
@@ -688,6 +699,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		require.NoError(t, err)
 
 		_, _, err = mgr.VerifyToken(tokenString)
+		assert.NotContains(t, err.Error(), "certificate is not trusted")
 		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 
@@ -718,5 +730,6 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL),
 		_, _, err = mgr.VerifyToken(tokenString)
 		// This is the error thrown when the test server's certificate _is_ being verified.
 		assert.NotContains(t, err.Error(), "certificate is not trusted")
+		assert.NotContains(t, err.Error(), "certificate signed by unknown authority")
 	})
 }