djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/concierge/impersonator/impersonator_test.go

468 lines
18 KiB
Go
Raw Normal View History

Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package impersonator
import (
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
"context"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"crypto/x509/pkix"
"net"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"net/http"
"net/http/httptest"
"net/url"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"strconv"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"testing"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"time"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"github.com/stretchr/testify/require"
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"k8s.io/apiserver/pkg/authentication/user"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/features"
genericoptions "k8s.io/apiserver/pkg/server/options"
utilfeature "k8s.io/apiserver/pkg/util/feature"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd/api"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
featuregatetesting "k8s.io/component-base/featuregate/testing"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"go.pinniped.dev/internal/certauthority"
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
"go.pinniped.dev/internal/dynamiccert"
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
"go.pinniped.dev/internal/here"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"go.pinniped.dev/internal/kubeclient"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"go.pinniped.dev/internal/testutil"
)
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
func TestImpersonator(t *testing.T) {
const port = 9444
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
ca, err := certauthority.New(pkix.Name{CommonName: "ca"}, time.Hour)
require.NoError(t, err)
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
caKey, err := ca.PrivateKeyToPEM()
require.NoError(t, err)
caContent := dynamiccert.New("ca")
err = caContent.SetCertKeyContent(ca.Bundle(), caKey)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
cert, key, err := ca.IssuePEM(pkix.Name{}, nil, []net.IP{net.ParseIP("127.0.0.1")}, time.Hour)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
certKeyContent := dynamiccert.New("cert-key")
err = certKeyContent.SetCertKeyContent(cert, key)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
// Punch out just enough stuff to make New actually run without error.
recOpts := func(options *genericoptions.RecommendedOptions) {
options.Authentication.RemoteKubeConfigFileOptional = true
options.Authorization.RemoteKubeConfigFileOptional = true
options.CoreAPI = nil
options.Admission = nil
}
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIPriorityAndFairness, false)()
tests := []struct {
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name string
clientUsername string
clientGroups []string
clientImpersonateUser rest.ImpersonationConfig
kubeAPIServerClientBearerTokenFile string
kubeAPIServerStatusCode int
wantError string
wantConstructionError string
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}{
{
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name: "happy path",
clientUsername: "test-username",
clientGroups: []string{"test-group1", "test-group2"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
},
{
name: "no bearer token file in Kube API server client config",
wantConstructionError: "invalid impersonator loopback rest config has wrong bearer token semantics",
},
{
name: "user is authenticated but the kube API request returns an error",
kubeAPIServerStatusCode: http.StatusNotFound,
clientUsername: "test-username",
clientGroups: []string{"test-group1", "test-group2"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `the server could not find the requested resource (get namespaces)`,
},
{
name: "double impersonation is not allowed by regular users",
clientUsername: "test-username",
clientGroups: []string{"test-group1", "test-group2"},
clientImpersonateUser: rest.ImpersonationConfig{UserName: "some-other-username"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `users "some-other-username" is forbidden: User "test-username" ` +
`cannot impersonate resource "users" in API group "" at the cluster scope: impersonation is not allowed or invalid verb`,
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
},
{
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name: "double impersonation is not allowed by admin users",
clientUsername: "test-admin",
clientGroups: []string{"system:masters", "test-group2"},
clientImpersonateUser: rest.ImpersonationConfig{UserName: "some-other-username"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `users "some-other-username" is forbidden: User "test-admin" ` +
`cannot impersonate resource "users" in API group "" at the cluster scope: impersonation is not allowed or invalid verb`,
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
},
}
for _, tt := range tests {
tt := tt
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// This is a serial test because the production code binds to the port.
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
t.Run(tt.name, func(t *testing.T) {
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
if tt.kubeAPIServerStatusCode == 0 {
tt.kubeAPIServerStatusCode = http.StatusOK
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Set up a fake Kube API server which will stand in for the real one. The impersonator
// will proxy incoming calls to this fake server.
testKubeAPIServerWasCalled := false
testKubeAPIServerSawHeaders := http.Header{}
testKubeAPIServerCA, testKubeAPIServerURL := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
require.Equal(t, http.MethodGet, r.Method)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps":
// The production code uses NewDynamicCAFromConfigMapController which fetches a ConfigMap,
// so treat that differently. It wants to read the Kube API server CA from that ConfigMap
// to use it to validate client certs. We don't need it for this test, so return NotFound.
http.NotFound(w, r)
return
case "/api/v1/namespaces":
testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header
if tt.kubeAPIServerStatusCode != http.StatusOK {
w.WriteHeader(tt.kubeAPIServerStatusCode)
} else {
w.Header().Add("Content-Type", "application/json; charset=UTF-8")
_, _ = w.Write([]byte(here.Doc(`
{
"kind": "NamespaceList",
"apiVersion":"v1",
"items": [
{"metadata":{"name": "namespace1"}},
{"metadata":{"name": "namespace2"}}
]
}
`)))
}
default:
require.Fail(t, "fake Kube API server got an unexpected request")
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
})
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
// Create the client config that the impersonation server should use to talk to the Kube API server.
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
testKubeAPIServerKubeconfig := rest.Config{
Host: testKubeAPIServerURL,
BearerToken: "some-service-account-token",
TLSClientConfig: rest.TLSClientConfig{CAData: []byte(testKubeAPIServerCA)},
BearerTokenFile: tt.kubeAPIServerClientBearerTokenFile,
}
clientOpts := []kubeclient.Option{kubeclient.WithConfig(&testKubeAPIServerKubeconfig)}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Create an impersonator.
runner, constructionErr := newInternal(port, certKeyContent, caContent, clientOpts, recOpts)
if len(tt.wantConstructionError) > 0 {
require.EqualError(t, constructionErr, tt.wantConstructionError)
require.Nil(t, runner)
// After failing to start, the impersonator port should be available again.
requireCanBindToPort(t, port)
// The rest of the test doesn't make sense when you expect a construction error, so stop here.
return
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
require.NoError(t, constructionErr)
require.NotNil(t, runner)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Start the impersonator.
stopCh := make(chan struct{})
errCh := make(chan error)
go func() {
stopErr := runner(stopCh)
errCh <- stopErr
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}()
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Create client certs for authentication to the impersonator.
clientCertPEM, clientKeyPEM, err := ca.IssuePEM(
pkix.Name{CommonName: tt.clientUsername, Organization: tt.clientGroups}, nil, nil, time.Hour,
)
require.NoError(t, err)
// Create a kubeconfig to talk to the impersonator as a client.
clientKubeconfig := &rest.Config{
Host: "https://127.0.0.1:" + strconv.Itoa(port),
TLSClientConfig: rest.TLSClientConfig{
CAData: ca.Bundle(),
CertData: clientCertPEM,
KeyData: clientKeyPEM,
},
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
UserAgent: "test-agent",
// BearerToken should be ignored during auth because there are valid client certs,
// and it should not passed into the impersonator handler func as an authorization header.
BearerToken: "must-be-ignored",
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
Impersonate: tt.clientImpersonateUser,
}
// Create a real Kube client to make API requests to the impersonator.
client, err := kubeclient.New(kubeclient.WithConfig(clientKubeconfig))
require.NoError(t, err)
// The fake Kube API server knows how to to list namespaces, so make that request using the client
// through the impersonator.
listResponse, err := client.Kubernetes.CoreV1().Namespaces().List(context.Background(), metav1.ListOptions{})
if len(tt.wantError) > 0 {
require.EqualError(t, err, tt.wantError)
} else {
require.NoError(t, err)
require.Equal(t, &v1.NamespaceList{
Items: []v1.Namespace{
{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
{ObjectMeta: metav1.ObjectMeta{Name: "namespace2"}},
},
}, listResponse)
// The impersonator should have proxied the request to the fake Kube API server, which should have seen
// the headers of the original request mutated by the impersonator.
require.True(t, testKubeAPIServerWasCalled)
require.Equal(t,
http.Header{
"Impersonate-User": {tt.clientUsername},
"Impersonate-Group": append(tt.clientGroups, "system:authenticated"),
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
testKubeAPIServerSawHeaders,
)
}
// Stop the impersonator server.
close(stopCh)
exitErr := <-errCh
require.NoError(t, exitErr)
// After shutdown, the impersonator port should be available again.
requireCanBindToPort(t, port)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
})
}
}
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
func requireCanBindToPort(t *testing.T, port int) {
ln, _, listenErr := genericoptions.CreateListener("", "0.0.0.0:"+strconv.Itoa(port), net.ListenConfig{})
require.NoError(t, listenErr)
require.NoError(t, ln.Close())
}
func TestImpersonatorHTTPHandler(t *testing.T) {
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
const testUser = "test-user"
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
testGroups := []string{"test-group-1", "test-group-2"}
testExtra := map[string][]string{
"extra-1": {"some", "extra", "stuff"},
"extra-2": {"some", "more", "extra", "stuff"},
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
validURL, _ := url.Parse("http://pinniped.dev/blah")
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
newRequest := func(h http.Header, userInfo user.Info) *http.Request {
ctx := context.Background()
if userInfo != nil {
ctx = request.WithUser(ctx, userInfo)
}
r, err := http.NewRequestWithContext(ctx, http.MethodGet, validURL.String(), nil)
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
require.NoError(t, err)
r.Header = h
return r
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
tests := []struct {
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
name string
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig *rest.Config
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantCreationErr string
request *http.Request
wantHTTPBody string
wantHTTPStatus int
wantKubeAPIServerRequestHeaders http.Header
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
kubeAPIServerStatusCode int
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
}{
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "invalid kubeconfig host",
restConfig: &rest.Config{Host: ":"},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
wantCreationErr: "could not parse host URL from in-cluster config: parse \":\": missing protocol scheme",
},
{
name: "invalid transport config",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig: &rest.Config{
Host: "pinniped.dev/blah",
ExecProvider: &api.ExecConfig{},
AuthProvider: &api.AuthProviderConfig{},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
wantCreationErr: "could not get in-cluster transport config: execProvider and authProvider cannot be used in combination",
},
{
name: "fail to get transport from config",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig: &rest.Config{
Host: "pinniped.dev/blah",
BearerToken: "test-bearer-token",
Transport: http.DefaultTransport,
TLSClientConfig: rest.TLSClientConfig{Insecure: true},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
wantCreationErr: "could not get in-cluster transport: using a custom transport with TLS certificate options or the insecure flag is not allowed",
},
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
{
name: "Impersonate-User header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-User": {"some-user"}}, nil),
wantHTTPBody: "invalid impersonation\n",
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
},
{
name: "Impersonate-Group header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-Group": {"some-group"}}, nil),
wantHTTPBody: "invalid impersonation\n",
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
},
{
name: "Impersonate-Extra header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-Extra-something": {"something"}}, nil),
wantHTTPBody: "invalid impersonation\n",
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "Impersonate-* header already in request",
request: newRequest(map[string][]string{"Impersonate-Something": {"some-newfangled-impersonate-header"}}, nil),
wantHTTPBody: "invalid impersonation\n",
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "unexpected authorization header",
request: newRequest(map[string][]string{"Authorization": {"panda"}}, nil),
wantHTTPBody: "invalid authorization header\n",
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "missing user",
request: newRequest(map[string][]string{}, nil),
wantHTTPBody: "invalid user\n",
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "unexpected UID",
request: newRequest(map[string][]string{}, &user.DefaultInfo{UID: "007"}),
wantHTTPBody: "unexpected uid\n",
wantHTTPStatus: http.StatusUnprocessableEntity,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
// happy path
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "authenticated user",
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
request: newRequest(map[string][]string{
Allow all headers besides impersonation-* through impersonation proxy
2021-03-02 22:56:54 +00:00
"User-Agent": {"test-user-agent"},
"Accept": {"some-accepted-format"},
"Accept-Encoding": {"some-accepted-encoding"},
"Connection": {"Upgrade"}, // the value "Upgrade" is handled in a special way by `httputil.NewSingleHostReverseProxy`
"Upgrade": {"some-upgrade"},
"Content-Type": {"some-type"},
"Content-Length": {"some-length"},
"Other-Header": {"test-header-value-1"}, // this header will be passed through
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}, &user.DefaultInfo{
Name: testUser,
Groups: testGroups,
Extra: testExtra,
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
}),
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
"Impersonate-Extra-Extra-2": {"some", "more", "extra", "stuff"},
"Impersonate-Group": {"test-group-1", "test-group-2"},
"Impersonate-User": {"test-user"},
"User-Agent": {"test-user-agent"},
"Accept": {"some-accepted-format"},
"Accept-Encoding": {"some-accepted-encoding"},
"Connection": {"Upgrade"},
"Upgrade": {"some-upgrade"},
"Content-Type": {"some-type"},
Allow all headers besides impersonation-* through impersonation proxy
2021-03-02 22:56:54 +00:00
"Other-Header": {"test-header-value-1"},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
},
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
wantHTTPBody: "successful proxied response",
wantHTTPStatus: http.StatusOK,
},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "user is authenticated but the kube API request returns an error",
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
request: newRequest(map[string][]string{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"User-Agent": {"test-user-agent"},
}, &user.DefaultInfo{
Name: testUser,
Groups: testGroups,
Extra: testExtra,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}),
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
kubeAPIServerStatusCode: http.StatusNotFound,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantKubeAPIServerRequestHeaders: map[string][]string{
"Accept-Encoding": {"gzip"}, // because the rest client used in this test does not disable compression
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
"Impersonate-Extra-Extra-2": {"some", "more", "extra", "stuff"},
"Impersonate-Group": {"test-group-1", "test-group-2"},
"Impersonate-User": {"test-user"},
"User-Agent": {"test-user-agent"},
},
wantHTTPStatus: http.StatusNotFound,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
t.Parallel()
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.kubeAPIServerStatusCode == 0 {
tt.kubeAPIServerStatusCode = http.StatusOK
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
testKubeAPIServerWasCalled := false
testKubeAPIServerSawHeaders := http.Header{}
testKubeAPIServerCA, testKubeAPIServerURL := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.kubeAPIServerStatusCode != http.StatusOK {
w.WriteHeader(tt.kubeAPIServerStatusCode)
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
} else {
_, _ = w.Write([]byte("successful proxied response"))
}
})
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
testKubeAPIServerKubeconfig := rest.Config{
Host: testKubeAPIServerURL,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
BearerToken: "some-service-account-token",
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
TLSClientConfig: rest.TLSClientConfig{CAData: []byte(testKubeAPIServerCA)},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.restConfig == nil {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
tt.restConfig = &testKubeAPIServerKubeconfig
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
}
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
impersonatorHTTPHandler, err := newImpersonationReverseProxy(tt.restConfig)
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
if tt.wantCreationErr != "" {
require.EqualError(t, err, tt.wantCreationErr)
return
}
require.NoError(t, err)
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
require.NotNil(t, impersonatorHTTPHandler)
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
w := httptest.NewRecorder()
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
requestBeforeServe := tt.request.Clone(tt.request.Context())
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
impersonatorHTTPHandler.ServeHTTP(w, tt.request)
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
require.Equal(t, requestBeforeServe, tt.request, "ServeHTTP() mutated the request, and it should not per http.Handler docs")
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
if tt.wantHTTPStatus != 0 {
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
require.Equalf(t, tt.wantHTTPStatus, w.Code, "fyi, response body was %q", w.Body.String())
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
}
if tt.wantHTTPBody != "" {
require.Equal(t, tt.wantHTTPBody, w.Body.String())
}
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.wantHTTPStatus == http.StatusOK || tt.kubeAPIServerStatusCode != http.StatusOK {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
require.True(t, testKubeAPIServerWasCalled, "Should have proxied the request to the Kube API server, but didn't")
require.Equal(t, tt.wantKubeAPIServerRequestHeaders, testKubeAPIServerSawHeaders)
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
} else {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
require.False(t, testKubeAPIServerWasCalled, "Should not have proxied the request to the Kube API server, but did")
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
})
}
}