From 26a395be414f34aaa9a207177fee2583dd530bee Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 17 Jan 2025 09:49:31 +0000
Subject: [PATCH] Fix HTTPS thumbprint lookup test Go 1.23.5 changed the certificate (added another host), and the thumbprint is now different. Instead of updating the thumbprint, we now rely on the presented certificate by the TLS Server. This should ensure the test doesn't break again if the test certificate is changed again.
---
 lib/integrations/awsoidc/idp_thumbprint_test.go | 8 ++++----
 lib/web/oidcidp_test.go | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/integrations/awsoidc/idp_thumbprint_test.go b/lib/integrations/awsoidc/idp_thumbprint_test.go
index 72b7f06c0ed12..14fc814688b14 100644
--- a/lib/integrations/awsoidc/idp_thumbprint_test.go
+++ b/lib/integrations/awsoidc/idp_thumbprint_test.go
@@ -20,6 +20,8 @@ package awsoidc
 import (
 "context"
+ "crypto/sha1"
+ "encoding/hex"
 "net/http/httptest"
 "testing"
@@ -40,10 +42,8 @@ func TestThumbprint(t *testing.T) {
 thumbprint, err := ThumbprintIdP(ctx, tlsServer.URL)
 require.NoError(t, err)
- // The Proxy is started using httptest.NewTLSServer, which uses a hard-coded cert
- // located at go/src/net/http/internal/testcert/testcert.go
- // The following value is the sha1 fingerprint of that certificate.
- expectedThumbprint := "15dbd260c7465ecca6de2c0b2181187f66ee0d1a"
+ serverCertificateSHA1 := sha1.Sum(tlsServer.Certificate().Raw)
+ expectedThumbprint := hex.EncodeToString(serverCertificateSHA1[:])
 require.Equal(t, expectedThumbprint, thumbprint)
 }
diff --git a/lib/web/oidcidp_test.go b/lib/web/oidcidp_test.go
index 20c9063a7fcb0..acd47a17d3475 100644
--- a/lib/web/oidcidp_test.go
+++ b/lib/web/oidcidp_test.go
@@ -20,6 +20,8 @@ package web
 import (
 "context"
+ "crypto/sha1"
+ "encoding/hex"
 "encoding/json"
 "strings"
 "testing"
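Review bot: In TestThumbprint in lib/integrations/awsoidc/idp_thumbprint_test.go the expected value is now built with `sha1.Sum` and no comment, so the SHA-1 call reads as a weak-hash choice and may be flagged by linters that reject `crypto/sha1`. The removed comment was the only place that said the value is the SHA-1 fingerprint of the served certificate. I would add, above the `sha1.Sum` line, `// The thumbprint is the hex SHA-1 of the DER certificate presented by the TLS server; SHA-1 is a fingerprint format here, not a security control.` The test server presents a single certificate, so this assertion cannot show which certificate of a longer chain ThumbprintIdP hashes; that may be covered elsewhere. The function body starts outside the hunk.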
@@ -99,10 +101,8 @@ func TestThumbprint(t *testing.T) {
 thumbprint := strings.Trim(string(resp.Bytes()), "\"")
- // The Proxy is started using httptest.NewTLSServer, which uses a hard-coded cert
- // located at go/src/net/http/internal/testcert/testcert.go
- // The following value is the sha1 fingerprint of that certificate.
- expectedThumbprint := "15dbd260c7465ecca6de2c0b2181187f66ee0d1a"
+ serverCertificateSHA1 := sha1.Sum(proxy.web.TLS.Certificates[0].Leaf.Raw)
+ expectedThumbprint := hex.EncodeToString(serverCertificateSHA1[:])
 require.Equal(t, expectedThumbprint, thumbprint)
 }
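Review bot: `proxy.web.TLS.Certificates[0].Leaf.Raw` in TestThumbprint in lib/web/oidcidp_test.go dereferences `Leaf`, which `crypto/tls` leaves nil unless the certificate was parsed when it was loaded. Older Go toolchains did not populate it in `tls.X509KeyPair`, so the test can panic on a nil pointer instead of failing the assertion. The DER bytes are always present as `proxy.web.TLS.Certificates[0].Certificate[0]`, which gives the same hash without depending on `Leaf`. If `proxy.web` is the `*httptest.Server` the removed comment describes, `proxy.web.Certificate().Raw` would also match the awsoidc test. The type of `proxy.web` is not visible here, and the function starts outside the hunk.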