e2e: fix Dex token TLS verification for test CA and CI

Sign leaves with the parsed CA so AuthorityKeyId matches SubjectKeyId on ca.pem.
Add host.docker.internal to Dex/API SANs, set tls.ServerName to the Dex Docker
hostname when posting to dex/token, and fail if ca.pem does not parse into the
root pool.

Author: JoaoBraveCoding

test/e2e/helpers.go

@@ -39,21 +39,36 @@ func prepareConfigsAndCerts(t *testing.T, e e2e.Environment) {
 		testtls.GenerateCerts(
 			filepath.Join(e.SharedDir(), certsSharedDir),
 			getContainerName(e, "observatorium-api"),
-			[]string{getContainerName(e, "observatorium-api"), "127.0.0.1"},
+			[]string{
+				getContainerName(e, "observatorium-api"),
+				"127.0.0.1",
+				"host.docker.internal",
+			},
 			getContainerName(e, "dex"),
-			[]string{getContainerName(e, "dex"), "127.0.0.1"},
+			[]string{
+				getContainerName(e, "dex"),
+				"127.0.0.1",
+				"host.docker.internal",
+			},
 		),
 	)
 
 	testutil.Ok(t, exec.Command("cp", "-r", "../config", filepath.Join(e.SharedDir(), configSharedDir)).Run())
 }
 
 // obtainToken obtains a bearer token needed for communication with the API.
-func obtainToken(endpoint string, tlsConf *tls.Config) (string, error) {
+// dexTLSHost is the Dex DNS name from the test CA (e.g. {network}-dex); set it so TLS verifies the
+// server cert when the TCP dial target is 127.0.0.1 or host.docker.internal (e2e.Endpoint).
+func obtainToken(endpoint, dexTLSHost string, tlsConf *tls.Config) (string, error) {
 	type token struct {
 		IDToken string `json:"id_token"`
 	}
 
+	tlsClient := tlsConf.Clone()
+	if dexTLSHost != "" {
+		tlsClient.ServerName = dexTLSHost
+	}
+
 	data := url.Values{}
 	data.Add("grant_type", "password")
 	data.Add("username", "admin@example.com")
@@ -70,7 +85,7 @@ func obtainToken(endpoint string, tlsConf *tls.Config) (string, error) {
 
 	c := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: tlsConf,
+			TLSClientConfig: tlsClient,
 		},
 	}
 
@@ -104,7 +119,9 @@ func getTLSClientConfig(t *testing.T, e e2e.Environment) *tls.Config {
 	testutil.Ok(t, err)
 
 	cp := x509.NewCertPool()
-	cp.AppendCertsFromPEM(cert)
+	if ok := cp.AppendCertsFromPEM(cert); !ok {
+		t.Fatal("failed to parse CA certificate from ca.pem")
+	}
 
 	return &tls.Config{
 		RootCAs: cp,

test/e2e/services.go

@@ -191,7 +191,7 @@ func startBaseServices(t *testing.T, e e2e.Environment) (
 
 	createTenantsYAML(t, e, dex.InternalEndpoint("https"), opa.InternalEndpoint("http"), getContainerName(e, "observatorium-api"))
 
-	token, err := obtainToken(dex.Endpoint("https"), getTLSClientConfig(t, e))
+	token, err := obtainToken(dex.Endpoint("https"), getContainerName(e, "dex"), getTLSClientConfig(t, e))
 	testutil.Ok(t, err)
 
 	return dex, token, gubernator.InternalEndpoint("grpc")

test/e2e/tenants_test.go

@@ -59,7 +59,7 @@ func TestTenantsRetryAuthenticationProviderRegistration(t *testing.T) {
 
 		// Restart Dex.
 		testutil.Ok(t, e2e.StartAndWaitReady(dex))
-		token, err := obtainToken(dex.Endpoint("https"), getTLSClientConfig(t, e))
+		token, err := obtainToken(dex.Endpoint("https"), getContainerName(e, "dex"), getTLSClientConfig(t, e))
 		testutil.Ok(t, err)
 
 		up, err := newUpRun(

test/testtls/generate.go

@@ -65,6 +65,13 @@ func GenerateCerts(
 		return err
 	}
 
+	// Use the parsed CA for signing leaves so leaf AuthorityKeyId matches the issued CA's
+	// SubjectKeyId (the in-memory template may omit fields the encoder adds).
+	caParsed, err := x509.ParseCertificate(caBytes)
+	if err != nil {
+		return fmt.Errorf("parse CA certificate: %w", err)
+	}
+
 	caPEM := new(bytes.Buffer)
 	if err := pem.Encode(caPEM, &pem.Block{
 		Type:  "CERTIFICATE",
@@ -88,15 +95,15 @@ func GenerateCerts(
 		key:  caPrivKeyPEM.Bytes(),
 	}
 
-	apiBundle, err := generateCert(ca, caPrivKey, false, apiCommonName, apiSANs, nil)
+	apiBundle, err := generateCert(caParsed, caPrivKey, false, apiCommonName, apiSANs, nil)
 	if err != nil {
 		return err
 	}
-	dexBundle, err := generateCert(ca, caPrivKey, false, dexCommonName, dexSANs, nil)
+	dexBundle, err := generateCert(caParsed, caPrivKey, false, dexCommonName, dexSANs, nil)
 	if err != nil {
 		return err
 	}
-	clientBundle, err := generateCert(ca, caPrivKey, true, clientCommonName, []string{clientSANs}, []string{clientGroups})
+	clientBundle, err := generateCert(caParsed, caPrivKey, true, clientCommonName, []string{clientSANs}, []string{clientGroups})
 	if err != nil {
 		return err
 	}