djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
70d607d87e
ContainerImage.Pinniped/internal/concierge/impersonator/impersonator_test.go

639 lines
27 KiB
Go
Raw Normal View History

Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package impersonator
import (
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
"context"
internal/concierge/impersonator: use http/2.0 as much as we can Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 19:32:33 +00:00
"math/rand"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"net"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"net/http"
"net/http/httptest"
"net/url"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"strconv"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"testing"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"time"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"github.com/stretchr/testify/require"
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
corev1 "k8s.io/api/core/v1"
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
"k8s.io/apimachinery/pkg/util/httpstream"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"k8s.io/apiserver/pkg/authentication/user"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/features"
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
genericapiserver "k8s.io/apiserver/pkg/server"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
genericoptions "k8s.io/apiserver/pkg/server/options"
utilfeature "k8s.io/apiserver/pkg/util/feature"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd/api"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
featuregatetesting "k8s.io/component-base/featuregate/testing"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"go.pinniped.dev/internal/certauthority"
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
"go.pinniped.dev/internal/dynamiccert"
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
"go.pinniped.dev/internal/here"
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
"go.pinniped.dev/internal/httputil/roundtripper"
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"go.pinniped.dev/internal/kubeclient"
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
"go.pinniped.dev/internal/testutil"
)
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
func TestImpersonator(t *testing.T) {
const port = 9444
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
ca, err := certauthority.New("ca", time.Hour)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
caKey, err := ca.PrivateKeyToPEM()
require.NoError(t, err)
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 16:24:07 +00:00
caContent := dynamiccert.NewCA("ca")
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
err = caContent.SetCertKeyContent(ca.Bundle(), caKey)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
cert, key, err := ca.IssueServerCertPEM(nil, []net.IP{net.ParseIP("127.0.0.1")}, time.Hour)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 16:24:07 +00:00
certKeyContent := dynamiccert.NewServingCert("cert-key")
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-11 21:20:25 +00:00
err = certKeyContent.SetCertKeyContent(cert, key)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
require.NoError(t, err)
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
unrelatedCA, err := certauthority.New("ca", time.Hour)
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
require.NoError(t, err)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
// Punch out just enough stuff to make New actually run without error.
recOpts := func(options *genericoptions.RecommendedOptions) {
options.Authentication.RemoteKubeConfigFileOptional = true
options.Authorization.RemoteKubeConfigFileOptional = true
options.CoreAPI = nil
options.Admission = nil
}
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.APIPriorityAndFairness, false)()
tests := []struct {
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name string
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert *clientCert
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
clientImpersonateUser rest.ImpersonationConfig
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
clientMutateHeaders func(http.Header)
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
clientNextProtos []string
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
kubeAPIServerClientBearerTokenFile string
kubeAPIServerStatusCode int
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
wantKubeAPIServerRequestHeaders http.Header
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
wantError string
wantConstructionError string
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}{
{
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name: "happy path",
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"test-username"},
"Impersonate-Group": {"test-group1", "test-group2", "system:authenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
},
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
{
name: "happy path with upgrade",
clientCert: newClientCert(t, ca, "test-username2", []string{"test-group3", "test-group4"}),
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
clientMutateHeaders: func(header http.Header) {
header.Add("Connection", "Upgrade")
header.Add("Upgrade", "spdy/3.1")
if ok := httpstream.IsUpgradeRequest(&http.Request{Header: header}); !ok {
panic("request must be upgrade in this test")
}
},
clientNextProtos: []string{"http/1.1"}, // we need to use http1 as http2 does not support upgrades, see http2checkConnHeaders
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"test-username2"},
"Impersonate-Group": {"test-group3", "test-group4", "system:authenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
"Connection": {"Upgrade"},
"Upgrade": {"spdy/3.1"},
},
},
impersonator: disallow clients from setting the X-Forwarded-For header Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 19:35:06 +00:00
{
name: "happy path ignores forwarded header",
clientCert: newClientCert(t, ca, "test-username2", []string{"test-group3", "test-group4"}),
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
clientMutateHeaders: func(header http.Header) {
header.Add("X-Forwarded-For", "example.com")
},
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"test-username2"},
"Impersonate-Group": {"test-group3", "test-group4", "system:authenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
},
{
name: "happy path ignores forwarded header canonicalization",
clientCert: newClientCert(t, ca, "test-username2", []string{"test-group3", "test-group4"}),
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
clientMutateHeaders: func(header http.Header) {
header.Add("x-FORWARDED-for", "example.com")
},
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"test-username2"},
"Impersonate-Group": {"test-group3", "test-group4", "system:authenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
},
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
{
name: "user is authenticated but the kube API request returns an error",
kubeAPIServerStatusCode: http.StatusNotFound,
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `the server could not find the requested resource (get namespaces)`,
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"test-username"},
"Impersonate-Group": {"test-group1", "test-group2", "system:authenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
},
{
name: "when there is no client cert on request, it is an anonymous request",
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: &clientCert{},
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantKubeAPIServerRequestHeaders: http.Header{
"Impersonate-User": {"system:anonymous"},
"Impersonate-Group": {"system:unauthenticated"},
"Authorization": {"Bearer some-service-account-token"},
"User-Agent": {"test-agent"},
"Accept": {"application/vnd.kubernetes.protobuf,application/json"},
"Accept-Encoding": {"gzip"},
"X-Forwarded-For": {"127.0.0.1"},
},
},
{
name: "failed client cert authentication",
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: newClientCert(t, unrelatedCA, "test-username", []string{"test-group1"}),
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: "Unauthorized",
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
},
{
name: "double impersonation is not allowed by regular users",
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
clientImpersonateUser: rest.ImpersonationConfig{UserName: "some-other-username"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `users "some-other-username" is forbidden: User "test-username" ` +
`cannot impersonate resource "users" in API group "" at the cluster scope: impersonation is not allowed or invalid verb`,
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
},
{
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
name: "double impersonation is not allowed by admin users",
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
clientCert: newClientCert(t, ca, "test-admin", []string{"system:masters", "test-group2"}),
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
clientImpersonateUser: rest.ImpersonationConfig{UserName: "some-other-username"},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `users "some-other-username" is forbidden: User "test-admin" ` +
`cannot impersonate resource "users" in API group "" at the cluster scope: impersonation is not allowed or invalid verb`,
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
},
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
{
name: "no bearer token file in Kube API server client config",
wantConstructionError: "invalid impersonator loopback rest config has wrong bearer token semantics",
},
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
{
name: "header canonicalization user header",
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
clientMutateHeaders: func(header http.Header) {
header.Set("imPerSonaTE-USer", "PANDA")
},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: `users "PANDA" is forbidden: User "test-username" ` +
`cannot impersonate resource "users" in API group "" at the cluster scope: impersonation is not allowed or invalid verb`,
},
{
name: "header canonicalization future UID header",
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
clientMutateHeaders: func(header http.Header) {
header.Set("imPerSonaTE-uid", "007")
},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: "Internal error occurred: invalid impersonation",
},
{
name: "future UID header",
clientCert: newClientCert(t, ca, "test-username", []string{"test-group1", "test-group2"}),
clientMutateHeaders: func(header http.Header) {
header.Set("Impersonate-Uid", "008")
},
kubeAPIServerClientBearerTokenFile: "required-to-be-set",
wantError: "Internal error occurred: invalid impersonation",
},
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}
for _, tt := range tests {
tt := tt
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// This is a serial test because the production code binds to the port.
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
t.Run(tt.name, func(t *testing.T) {
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
// After failing to start and after shutdown, the impersonator port should be available again.
defer requireCanBindToPort(t, port)
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
if tt.kubeAPIServerStatusCode == 0 {
tt.kubeAPIServerStatusCode = http.StatusOK
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Set up a fake Kube API server which will stand in for the real one. The impersonator
// will proxy incoming calls to this fake server.
testKubeAPIServerWasCalled := false
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
var testKubeAPIServerSawHeaders http.Header
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
testKubeAPIServerCA, testKubeAPIServerURL := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
require.Equal(t, http.MethodGet, r.Method)
switch r.URL.Path {
case "/api/v1/namespaces/kube-system/configmaps":
// The production code uses NewDynamicCAFromConfigMapController which fetches a ConfigMap,
// so treat that differently. It wants to read the Kube API server CA from that ConfigMap
// to use it to validate client certs. We don't need it for this test, so return NotFound.
http.NotFound(w, r)
return
case "/api/v1/namespaces":
testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header
if tt.kubeAPIServerStatusCode != http.StatusOK {
w.WriteHeader(tt.kubeAPIServerStatusCode)
} else {
w.Header().Add("Content-Type", "application/json; charset=UTF-8")
_, _ = w.Write([]byte(here.Doc(`
{
"kind": "NamespaceList",
"apiVersion":"v1",
"items": [
{"metadata":{"name": "namespace1"}},
{"metadata":{"name": "namespace2"}}
]
}
`)))
}
default:
require.Fail(t, "fake Kube API server got an unexpected request")
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
})
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
// Create the client config that the impersonation server should use to talk to the Kube API server.
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
testKubeAPIServerKubeconfig := rest.Config{
Host: testKubeAPIServerURL,
BearerToken: "some-service-account-token",
TLSClientConfig: rest.TLSClientConfig{CAData: []byte(testKubeAPIServerCA)},
BearerTokenFile: tt.kubeAPIServerClientBearerTokenFile,
}
clientOpts := []kubeclient.Option{kubeclient.WithConfig(&testKubeAPIServerKubeconfig)}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Create an impersonator.
runner, constructionErr := newInternal(port, certKeyContent, caContent, clientOpts, recOpts)
if len(tt.wantConstructionError) > 0 {
require.EqualError(t, constructionErr, tt.wantConstructionError)
require.Nil(t, runner)
// The rest of the test doesn't make sense when you expect a construction error, so stop here.
return
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
require.NoError(t, constructionErr)
require.NotNil(t, runner)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Start the impersonator.
stopCh := make(chan struct{})
errCh := make(chan error)
go func() {
stopErr := runner(stopCh)
errCh <- stopErr
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}()
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Create a kubeconfig to talk to the impersonator as a client.
clientKubeconfig := &rest.Config{
Host: "https://127.0.0.1:" + strconv.Itoa(port),
TLSClientConfig: rest.TLSClientConfig{
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
CAData: ca.Bundle(),
CertData: tt.clientCert.certPEM,
KeyData: tt.clientCert.keyPEM,
NextProtos: tt.clientNextProtos,
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
},
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
UserAgent: "test-agent",
impersonator_test.go: Test failed and anonymous auth
2021-03-12 01:11:38 +00:00
// BearerToken should be ignored during auth when there are valid client certs,
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
// and it should not passed into the impersonator handler func as an authorization header.
BearerToken: "must-be-ignored",
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
Impersonate: tt.clientImpersonateUser,
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
if tt.clientMutateHeaders == nil {
return rt
}
return roundtripper.Func(func(req *http.Request) (*http.Response, error) {
req = req.Clone(req.Context())
tt.clientMutateHeaders(req.Header)
return rt.RoundTrip(req)
})
},
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
}
// Create a real Kube client to make API requests to the impersonator.
client, err := kubeclient.New(kubeclient.WithConfig(clientKubeconfig))
require.NoError(t, err)
// The fake Kube API server knows how to to list namespaces, so make that request using the client
// through the impersonator.
listResponse, err := client.Kubernetes.CoreV1().Namespaces().List(context.Background(), metav1.ListOptions{})
if len(tt.wantError) > 0 {
require.EqualError(t, err, tt.wantError)
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
require.Equal(t, &corev1.NamespaceList{}, listResponse)
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
} else {
require.NoError(t, err)
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
require.Equal(t, &corev1.NamespaceList{
Items: []corev1.Namespace{
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
{ObjectMeta: metav1.ObjectMeta{Name: "namespace1"}},
{ObjectMeta: metav1.ObjectMeta{Name: "namespace2"}},
},
}, listResponse)
}
impersonator: test UID impersonation and header canonicalization Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-16 16:59:07 +00:00
// If we expect to see some headers, then the fake KAS should have been called.
require.Equal(t, len(tt.wantKubeAPIServerRequestHeaders) != 0, testKubeAPIServerWasCalled)
// If the impersonator proxied the request to the fake Kube API server, we should see the headers
// of the original request mutated by the impersonator. Otherwise the headers should be nil.
require.Equal(t, tt.wantKubeAPIServerRequestHeaders, testKubeAPIServerSawHeaders)
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
// Stop the impersonator server.
close(stopCh)
exitErr := <-errCh
require.NoError(t, exitErr)
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
})
}
}
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
Rewrite impersonator_test.go, add missing argument to IssuePEM() The impersonator_test.go unit test now starts the impersonation server and makes real HTTP requests against it using client-go. It is backed by a fake Kube API server. The CA IssuePEM() method was missing the argument to allow a slice of IP addresses to be passed in.
2021-03-12 00:27:16 +00:00
func TestImpersonatorHTTPHandler(t *testing.T) {
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
const testUser = "test-user"
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
testGroups := []string{"test-group-1", "test-group-2"}
testExtra := map[string][]string{
"extra-1": {"some", "extra", "stuff"},
"extra-2": {"some", "more", "extra", "stuff"},
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
validURL, _ := url.Parse("http://pinniped.dev/blah")
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
newRequest := func(h http.Header, userInfo user.Info) *http.Request {
ctx := context.Background()
if userInfo != nil {
ctx = request.WithUser(ctx, userInfo)
}
r, err := http.NewRequestWithContext(ctx, http.MethodGet, validURL.String(), nil)
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
require.NoError(t, err)
r.Header = h
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
reqInfo := &request.RequestInfo{
IsResourceRequest: false,
Path: validURL.Path,
Verb: "get",
}
r = r.WithContext(request.WithRequestInfo(ctx, reqInfo))
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
return r
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
tests := []struct {
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
name string
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig *rest.Config
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantCreationErr string
request *http.Request
wantHTTPBody string
wantHTTPStatus int
wantKubeAPIServerRequestHeaders http.Header
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
kubeAPIServerStatusCode int
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
}{
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "invalid kubeconfig host",
restConfig: &rest.Config{Host: ":"},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
wantCreationErr: "could not parse host URL from in-cluster config: parse \":\": missing protocol scheme",
},
{
name: "invalid transport config",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig: &rest.Config{
Host: "pinniped.dev/blah",
ExecProvider: &api.ExecConfig{},
AuthProvider: &api.AuthProviderConfig{},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
internal/concierge/impersonator: use http/2.0 as much as we can Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 19:32:33 +00:00
wantCreationErr: "could not get http/1.1 round tripper: could not get in-cluster transport config: execProvider and authProvider cannot be used in combination",
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
name: "fail to get transport from config",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
restConfig: &rest.Config{
Host: "pinniped.dev/blah",
BearerToken: "test-bearer-token",
Transport: http.DefaultTransport,
TLSClientConfig: rest.TLSClientConfig{Insecure: true},
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
internal/concierge/impersonator: use http/2.0 as much as we can Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-18 19:32:33 +00:00
wantCreationErr: "could not get http/1.1 round tripper: using a custom transport with TLS certificate options or the insecure flag is not allowed",
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
{
name: "Impersonate-User header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-User": {"some-user"}}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid impersonation","reason":"InternalError","details":{"causes":[{"message":"invalid impersonation"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
},
{
name: "Impersonate-Group header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-Group": {"some-group"}}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid impersonation","reason":"InternalError","details":{"causes":[{"message":"invalid impersonation"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: fail if impersonation headers set If someone has already set impersonation headers in their request, then we should fail loudly so the client knows that its existing impersonation headers will not work. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 13:15:50 +00:00
},
{
name: "Impersonate-Extra header already in request",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
request: newRequest(map[string][]string{"Impersonate-Extra-something": {"something"}}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid impersonation","reason":"InternalError","details":{"causes":[{"message":"invalid impersonation"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "Impersonate-* header already in request",
request: newRequest(map[string][]string{"Impersonate-Something": {"some-newfangled-impersonate-header"}}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid impersonation","reason":"InternalError","details":{"causes":[{"message":"invalid impersonation"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "unexpected authorization header",
request: newRequest(map[string][]string{"Authorization": {"panda"}}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid authorization header","reason":"InternalError","details":{"causes":[{"message":"invalid authorization header"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "missing user",
request: newRequest(map[string][]string{}, nil),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid user","reason":"InternalError","details":{"causes":[{"message":"invalid user"}]},"code":500}` + "\n",
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
wantHTTPStatus: http.StatusInternalServerError,
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
},
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "unexpected UID",
request: newRequest(map[string][]string{}, &user.DefaultInfo{UID: "007"}),
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
// happy path
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "authenticated user",
internal/concierge/impersonator: don't mutate ServeHTTP() req I added that test helper to create an http.Request since I wanted to properly initialize the http.Request's context. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-09 18:25:24 +00:00
request: newRequest(map[string][]string{
Allow all headers besides impersonation-* through impersonation proxy
2021-03-02 22:56:54 +00:00
"User-Agent": {"test-user-agent"},
"Accept": {"some-accepted-format"},
"Accept-Encoding": {"some-accepted-encoding"},
"Connection": {"Upgrade"}, // the value "Upgrade" is handled in a special way by `httputil.NewSingleHostReverseProxy`
"Upgrade": {"some-upgrade"},
"Content-Type": {"some-type"},
"Content-Length": {"some-length"},
"Other-Header": {"test-header-value-1"}, // this header will be passed through
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
}, &user.DefaultInfo{
Name: testUser,
Groups: testGroups,
Extra: testExtra,
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
}),
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
"Impersonate-Extra-Extra-2": {"some", "more", "extra", "stuff"},
"Impersonate-Group": {"test-group-1", "test-group-2"},
"Impersonate-User": {"test-user"},
"User-Agent": {"test-user-agent"},
"Accept": {"some-accepted-format"},
"Accept-Encoding": {"some-accepted-encoding"},
"Connection": {"Upgrade"},
"Upgrade": {"some-upgrade"},
"Content-Type": {"some-type"},
Allow all headers besides impersonation-* through impersonation proxy
2021-03-02 22:56:54 +00:00
"Other-Header": {"test-header-value-1"},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
},
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
wantHTTPBody: "successful proxied response",
wantHTTPStatus: http.StatusOK,
},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
name: "user is authenticated but the kube API request returns an error",
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
request: newRequest(map[string][]string{
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
"User-Agent": {"test-user-agent"},
}, &user.DefaultInfo{
Name: testUser,
Groups: testGroups,
Extra: testExtra,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}),
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
kubeAPIServerStatusCode: http.StatusNotFound,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
wantKubeAPIServerRequestHeaders: map[string][]string{
"Accept-Encoding": {"gzip"}, // because the rest client used in this test does not disable compression
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
"Impersonate-Extra-Extra-2": {"some", "more", "extra", "stuff"},
"Impersonate-Group": {"test-group-1", "test-group-2"},
"Impersonate-User": {"test-user"},
"User-Agent": {"test-user-agent"},
},
wantHTTPStatus: http.StatusNotFound,
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
t.Parallel()
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.kubeAPIServerStatusCode == 0 {
tt.kubeAPIServerStatusCode = http.StatusOK
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
testKubeAPIServerWasCalled := false
testKubeAPIServerSawHeaders := http.Header{}
testKubeAPIServerCA, testKubeAPIServerURL := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) {
testKubeAPIServerWasCalled = true
testKubeAPIServerSawHeaders = r.Header
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.kubeAPIServerStatusCode != http.StatusOK {
w.WriteHeader(tt.kubeAPIServerStatusCode)
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
} else {
_, _ = w.Write([]byte("successful proxied response"))
}
})
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
testKubeAPIServerKubeconfig := rest.Config{
Host: testKubeAPIServerURL,
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
BearerToken: "some-service-account-token",
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
TLSClientConfig: rest.TLSClientConfig{CAData: []byte(testKubeAPIServerCA)},
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.restConfig == nil {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
tt.restConfig = &testKubeAPIServerKubeconfig
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-15 23:00:10 +00:00
}
impersonator: wire in genericapiserver.Config Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 14:56:34 +00:00
impersonatorHTTPHandlerFunc, err := newImpersonationReverseProxyFunc(tt.restConfig)
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
if tt.wantCreationErr != "" {
require.EqualError(t, err, tt.wantCreationErr)
impersonator: wire in genericapiserver.Config Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 14:56:34 +00:00
require.Nil(t, impersonatorHTTPHandlerFunc)
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
return
}
require.NoError(t, err)
impersonator: wire in genericapiserver.Config Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-12 14:56:34 +00:00
require.NotNil(t, impersonatorHTTPHandlerFunc)
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
impersonator: encode proper API status on failure Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-14 01:25:23 +00:00
// this is not a valid way to get a server config, but it is good enough for a unit test
scheme := runtime.NewScheme()
metav1.AddToGroupVersion(scheme, metav1.Unversioned)
codecs := serializer.NewCodecFactory(scheme)
serverConfig := genericapiserver.NewRecommendedConfig(codecs)
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
w := httptest.NewRecorder()
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
r := tt.request
wantKubeAPIServerRequestHeaders := tt.wantKubeAPIServerRequestHeaders
// take the isUpgradeRequest branch randomly to make sure we exercise both branches
forceUpgradeRequest := rand.Int()%2 == 0 //nolint:gosec // we do not care if this is cryptographically secure
if forceUpgradeRequest && len(r.Header.Get("Upgrade")) == 0 {
r = r.Clone(r.Context())
r.Header.Add("Connection", "Upgrade")
r.Header.Add("Upgrade", "spdy/3.1")
wantKubeAPIServerRequestHeaders = wantKubeAPIServerRequestHeaders.Clone()
if wantKubeAPIServerRequestHeaders == nil {
wantKubeAPIServerRequestHeaders = http.Header{}
}
wantKubeAPIServerRequestHeaders.Add("Connection", "Upgrade")
wantKubeAPIServerRequestHeaders.Add("Upgrade", "spdy/3.1")
}
requestBeforeServe := r.Clone(r.Context())
impersonatorHTTPHandlerFunc(&serverConfig.Config).ServeHTTP(w, r)
require.Equal(t, requestBeforeServe, r, "ServeHTTP() mutated the request, and it should not per http.Handler docs")
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
if tt.wantHTTPStatus != 0 {
internal/concierge/impersonator: set user extra impersonation headers Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-02-16 14:09:54 +00:00
require.Equalf(t, tt.wantHTTPStatus, w.Code, "fyi, response body was %q", w.Body.String())
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
}
if tt.wantHTTPBody != "" {
require.Equal(t, tt.wantHTTPBody, w.Body.String())
}
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-10 18:30:06 +00:00
if tt.wantHTTPStatus == http.StatusOK || tt.kubeAPIServerStatusCode != http.StatusOK {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
require.True(t, testKubeAPIServerWasCalled, "Should have proxied the request to the Kube API server, but didn't")
Use http2 for all non-upgrade requests Instead of using the LongRunningFunc to determine if we can safely use http2, follow the same logic as the aggregation proxy and only use http2 when the request is not an upgrade. Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-19 17:39:55 +00:00
require.Equal(t, wantKubeAPIServerRequestHeaders, testKubeAPIServerSawHeaders)
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
} else {
impersonator_test.go: Test one more thing and small refactors
2021-03-12 00:44:08 +00:00
require.False(t, testKubeAPIServerWasCalled, "Should not have proxied the request to the Kube API server, but did")
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com>
2021-02-23 01:23:11 +00:00
}
Add initial implementation of impersonation proxy. Signed-off-by: Margo Crawford <margaretc@vmware.com> Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-01-20 00:37:02 +00:00
})
}
}
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
type clientCert struct {
certPEM, keyPEM []byte
}
func newClientCert(t *testing.T, ca *certauthority.CA, username string, groups []string) *clientCert {
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue*() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue*() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly.
2021-03-13 00:09:16 +00:00
certPEM, keyPEM, err := ca.IssueClientCertPEM(username, groups, time.Hour)
impersonator_test.go: small refactor of previous commit
2021-03-12 01:24:52 +00:00
require.NoError(t, err)
return &clientCert{
certPEM: certPEM,
keyPEM: keyPEM,
}
}
func requireCanBindToPort(t *testing.T, port int) {
ln, _, listenErr := genericoptions.CreateListener("", "0.0.0.0:"+strconv.Itoa(port), net.ListenConfig{})
require.NoError(t, listenErr)
require.NoError(t, ln.Close())
}
Reference in New Issue Copy Permalink