ContainerImage.Pinniped/internal/testutil/impersonationtoken/impersonationtoken.go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package impersonationtoken contains a test utility to generate a token to be used against our
// impersonation proxy.
//
// It is its own package to fix import cycles involving concierge/scheme, testutil, and groupsuffix.
package impersonationtoken

import (
	"encoding/base64"
	"testing"

	"github.com/stretchr/testify/require"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/serializer"

	loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"
	conciergescheme "go.pinniped.dev/internal/concierge/scheme"
	"go.pinniped.dev/internal/groupsuffix"
)

func Make(
	t *testing.T,
	token string,
	authenticator *corev1.TypedLocalObjectReference,
	apiGroupSuffix string,
) string {
	t.Helper()

	// The impersonation test token should be a base64-encoded TokenCredentialRequest object.  The API
	// group of the TokenCredentialRequest object, and its Spec.Authenticator, should match whatever
	// is installed on the cluster. This API group is usually replaced by the kubeclient middleware,
	// but this object is not touched by the middleware since it is in a HTTP header. Therefore, we
	// need to make a manual edit here.
	scheme, loginGV, _ := conciergescheme.New(apiGroupSuffix)
	tokenCredentialRequest := loginv1alpha1.TokenCredentialRequest{
		TypeMeta: metav1.TypeMeta{
			Kind:       "TokenCredentialRequest",
			APIVersion: loginGV.Group + "/v1alpha1",
		},
		Spec: loginv1alpha1.TokenCredentialRequestSpec{
			Token:         token,
			Authenticator: *authenticator.DeepCopy(),
		},
	}

	// It is assumed that the provided authenticator uses the default pinniped.dev API group, since
	// this is usually replaced by the kubeclient middleware. Since we are not going through the
	// kubeclient middleware, we need to make this replacement ourselves.
	require.NotNil(t, tokenCredentialRequest.Spec.Authenticator.APIGroup, "expected authenticator to have non-nil API group")
	authenticatorAPIGroup, ok := groupsuffix.Replace(*tokenCredentialRequest.Spec.Authenticator.APIGroup, apiGroupSuffix)
	require.True(t, ok, "couldn't replace suffix of %q with %q", *tokenCredentialRequest.Spec.Authenticator.APIGroup, apiGroupSuffix)
	tokenCredentialRequest.Spec.Authenticator.APIGroup = &authenticatorAPIGroup

	codecs := serializer.NewCodecFactory(scheme)
	respInfo, ok := runtime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)
	require.True(t, ok, "couldn't find serializer info for media type")

	reqJSON, err := runtime.Encode(respInfo.PrettySerializer, &tokenCredentialRequest)
	require.NoError(t, err)
	return base64.StdEncoding.EncodeToString(reqJSON)
}
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`// Copyright 2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package impersonationtoken contains a test utility to generate a token to be used against our`
			`// impersonation proxy.`
			`//`
			`// It is its own package to fix import cycles involving concierge/scheme, testutil, and groupsuffix.`
			`package impersonationtoken`

			`import (`
			`"encoding/base64"`
			`"testing"`

			`"github.com/stretchr/testify/require"`
			`corev1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/runtime"`
			`"k8s.io/apimachinery/pkg/runtime/serializer"`

Merge remote-tracking branch 'upstream/main' into impersonation-proxy Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-18 18:37:28 +00:00			`loginv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/login/v1alpha1"`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`conciergescheme "go.pinniped.dev/internal/concierge/scheme"`
			`"go.pinniped.dev/internal/groupsuffix"`
			`)`

			`func Make(`
			`t *testing.T,`
			`token string,`
			`authenticator *corev1.TypedLocalObjectReference,`
			`apiGroupSuffix string,`
			`) string {`
			`t.Helper()`

			`// The impersonation test token should be a base64-encoded TokenCredentialRequest object. The API`
			`// group of the TokenCredentialRequest object, and its Spec.Authenticator, should match whatever`
			`// is installed on the cluster. This API group is usually replaced by the kubeclient middleware,`
			`// but this object is not touched by the middleware since it is in a HTTP header. Therefore, we`
			`// need to make a manual edit here.`
Merge remote-tracking branch 'upstream/main' into impersonation-proxy Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-23 17:10:52 +00:00			`scheme, loginGV, _ := conciergescheme.New(apiGroupSuffix)`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`tokenCredentialRequest := loginv1alpha1.TokenCredentialRequest{`
			`TypeMeta: metav1.TypeMeta{`
			`Kind: "TokenCredentialRequest",`
Merge remote-tracking branch 'upstream/main' into impersonation-proxy Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-23 17:10:52 +00:00			`APIVersion: loginGV.Group + "/v1alpha1",`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`},`
			`Spec: loginv1alpha1.TokenCredentialRequestSpec{`
			`Token: token,`
			`Authenticator: *authenticator.DeepCopy(),`
			`},`
			`}`

			`// It is assumed that the provided authenticator uses the default pinniped.dev API group, since`
			`// this is usually replaced by the kubeclient middleware. Since we are not going through the`
			`// kubeclient middleware, we need to make this replacement ourselves.`
			`require.NotNil(t, tokenCredentialRequest.Spec.Authenticator.APIGroup, "expected authenticator to have non-nil API group")`
			`authenticatorAPIGroup, ok := groupsuffix.Replace(*tokenCredentialRequest.Spec.Authenticator.APIGroup, apiGroupSuffix)`
			`require.True(t, ok, "couldn't replace suffix of %q with %q", *tokenCredentialRequest.Spec.Authenticator.APIGroup, apiGroupSuffix)`
			`tokenCredentialRequest.Spec.Authenticator.APIGroup = &authenticatorAPIGroup`

			`codecs := serializer.NewCodecFactory(scheme)`
			`respInfo, ok := runtime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), runtime.ContentTypeJSON)`
			`require.True(t, ok, "couldn't find serializer info for media type")`

			`reqJSON, err := runtime.Encode(respInfo.PrettySerializer, &tokenCredentialRequest)`
			`require.NoError(t, err)`
Fix bug which prevented watches from working through impersonator Also: - Changed base64 encoding of impersonator bearer tokens to use `base64.StdEncoding` to make it easier for users to manually create a token using the unix `base64` command - Test the headers which are and are not passed through to the Kube API by the impersonator more carefully in the unit tests - More WIP on concierge_impersonation_proxy_test.go Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-02-23 01:23:11 +00:00			`return base64.StdEncoding.EncodeToString(reqJSON)`
internal/concierge/impersonator: handle custom login API group Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-02-15 23:00:10 +00:00			`}`