From acfc5acfb2757be3454fe07d72279be91a520ddb Mon Sep 17 00:00:00 2001 From: Matt Moyer Date: Mon, 14 Sep 2020 10:41:36 -0500 Subject: [PATCH] Add a controller to fill the idpcache.Cache from WebhookIdentityProvider objects. Signed-off-by: Matt Moyer --- .../webhookcachefiller/webhookcachefiller.go | 127 +++++++++++++ .../webhookcachefiller_test.go | 174 ++++++++++++++++++ 2 files changed, 301 insertions(+) create mode 100644 internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go create mode 100644 internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go new file mode 100644 index 00000000..6b67d940 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller.go @@ -0,0 +1,127 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +// Package webhookcachefiller implements a controller for filling an idpcache.Cache with each added/updated WebhookIdentityProvider. +package webhookcachefiller + +import ( + "encoding/base64" + "fmt" + "io/ioutil" + "os" + + "github.com/go-logr/logr" + k8sauthv1beta1 "k8s.io/api/authentication/v1beta1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/util/net" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + "k8s.io/klog/v2" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + idpinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions/idp/v1alpha1" + pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" +) + +// New instantiates a new controllerlib.Controller which will populate the provided idpcache.Cache. +func New(cache *idpcache.Cache, webhookIDPs idpinformers.WebhookIdentityProviderInformer, log logr.Logger) controllerlib.Controller { + return controllerlib.New( + controllerlib.Config{ + Name: "webhookcachefiller-controller", + Syncer: &controller{ + cache: cache, + webhookIDPs: webhookIDPs, + log: log.WithName("webhookcachefiller-controller"), + }, + }, + controllerlib.WithInformer( + webhookIDPs, + pinnipedcontroller.NoOpFilter(), + controllerlib.InformerOption{}, + ), + ) +} + +type controller struct { + cache *idpcache.Cache + webhookIDPs idpinformers.WebhookIdentityProviderInformer + log logr.Logger +} + +// Sync implements controllerlib.Syncer. +func (c *controller) Sync(ctx controllerlib.Context) error { + obj, err := c.webhookIDPs.Lister().WebhookIdentityProviders(ctx.Key.Namespace).Get(ctx.Key.Name) + if err != nil && errors.IsNotFound(err) { + c.log.Info("Sync() found that the WebhookIdentityProvider does not exist yet or was deleted") + return nil + } + if err != nil { + return fmt.Errorf("failed to get WebhookIdentityProvider %s/%s: %w", ctx.Key.Namespace, ctx.Key.Name, err) + } + + webhookAuthenticator, err := newWebhookAuthenticator(&obj.Spec, ioutil.TempFile, clientcmd.WriteToFile) + if err != nil { + return fmt.Errorf("failed to build webhook config: %w", err) + } + + c.cache.Store(ctx.Key, webhookAuthenticator) + c.log.WithValues("idp", klog.KObj(obj), "endpoint", obj.Spec.Endpoint).Info("added new webhook IDP") + return nil +} + +// newWebhookAuthenticator creates a webhook from the provided API server url and caBundle +// used to validate TLS connections. +func newWebhookAuthenticator( + spec *idpv1alpha1.WebhookIdentityProviderSpec, + tempfileFunc func(string, string) (*os.File, error), + marshalFunc func(clientcmdapi.Config, string) error, +) (*webhook.WebhookTokenAuthenticator, error) { + temp, err := tempfileFunc("", "pinniped-webhook-kubeconfig-*") + if err != nil { + return nil, fmt.Errorf("unable to create temporary file: %w", err) + } + defer func() { _ = os.Remove(temp.Name()) }() + + cluster := &clientcmdapi.Cluster{Server: spec.Endpoint} + cluster.CertificateAuthorityData, err = getCABundle(spec.TLS) + if err != nil { + return nil, fmt.Errorf("invalid TLS configuration: %w", err) + } + + kubeconfig := clientcmdapi.NewConfig() + kubeconfig.Clusters["anonymous-cluster"] = cluster + kubeconfig.Contexts["anonymous"] = &clientcmdapi.Context{Cluster: "anonymous-cluster"} + kubeconfig.CurrentContext = "anonymous" + + if err := marshalFunc(*kubeconfig, temp.Name()); err != nil { + return nil, fmt.Errorf("unable to marshal kubeconfig: %w", err) + } + + // We use v1beta1 instead of v1 since v1beta1 is more prevalent in our desired + // integration points. + version := k8sauthv1beta1.SchemeGroupVersion.Version + + // At the current time, we don't provide any audiences because we simply don't + // have any requirements to do so. This can be changed in the future as + // requirements change. + var implicitAuds authenticator.Audiences + + // We set this to nil because we would only need this to support some of the + // custom proxy stuff used by the API server. + var customDial net.DialFunc + + return webhook.New(temp.Name(), version, implicitAuds, customDial) +} + +func getCABundle(spec *idpv1alpha1.TLSSpec) ([]byte, error) { + if spec == nil { + return nil, nil + } + return base64.RawStdEncoding.DecodeString(spec.CertificateAuthorityData) +} diff --git a/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go new file mode 100644 index 00000000..c2d9fc17 --- /dev/null +++ b/internal/controller/identityprovider/webhookcachefiller/webhookcachefiller_test.go @@ -0,0 +1,174 @@ +/* +Copyright 2020 VMware, Inc. +SPDX-License-Identifier: Apache-2.0 +*/ + +package webhookcachefiller + +import ( + "context" + "encoding/base64" + "fmt" + "io/ioutil" + "net/http" + "os" + "testing" + "time" + + "github.com/stretchr/testify/require" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/client-go/tools/clientcmd" + clientcmdapi "k8s.io/client-go/tools/clientcmd/api" + + idpv1alpha1 "github.com/suzerain-io/pinniped/generated/1.19/apis/idp/v1alpha1" + pinnipedfake "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned/fake" + pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions" + "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache" + "github.com/suzerain-io/pinniped/internal/controllerlib" + "github.com/suzerain-io/pinniped/internal/testutil" + "github.com/suzerain-io/pinniped/internal/testutil/testlogger" +) + +func TestController(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + syncKey controllerlib.Key + webhookIDPs []runtime.Object + wantErr string + wantLogs []string + wantCacheEntries int + }{ + { + name: "not found", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="Sync() found that the WebhookIdentityProvider does not exist yet or was deleted"`, + }, + }, + { + name: "invalid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "invalid url", + }, + }, + }, + wantErr: `failed to build webhook config: parse "http://invalid url": invalid character " " in host name`, + }, + { + name: "valid webhook", + syncKey: controllerlib.Key{Namespace: "test-namespace", Name: "test-name"}, + webhookIDPs: []runtime.Object{ + &idpv1alpha1.WebhookIdentityProvider{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "test-namespace", + Name: "test-name", + }, + Spec: idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: ""}, + }, + }, + }, + wantLogs: []string{ + `webhookcachefiller-controller "level"=0 "msg"="added new webhook IDP" "endpoint"="https://example.com" "idp"={"name":"test-name","namespace":"test-namespace"}`, + }, + wantCacheEntries: 1, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + fakeClient := pinnipedfake.NewSimpleClientset(tt.webhookIDPs...) + informers := pinnipedinformers.NewSharedInformerFactory(fakeClient, 0) + cache := idpcache.New() + testLog := testlogger.New(t) + + controller := New(cache, informers.IDP().V1alpha1().WebhookIdentityProviders(), testLog) + + ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel() + + informers.Start(ctx.Done()) + controllerlib.TestRunSynchronously(t, controller) + + syncCtx := controllerlib.Context{Context: ctx, Key: tt.syncKey} + + if err := controllerlib.TestSync(t, controller, syncCtx); tt.wantErr != "" { + require.EqualError(t, err, tt.wantErr) + } else { + require.NoError(t, err) + } + require.Equal(t, tt.wantLogs, testLog.Lines()) + require.Equal(t, tt.wantCacheEntries, len(cache.Keys())) + }) + } +} + +func TestNewWebhookAuthenticator(t *testing.T) { + t.Run("temp file failure", func(t *testing.T) { + brokenTempFile := func(_ string, _ string) (*os.File, error) { return nil, fmt.Errorf("some temp file error") } + res, err := newWebhookAuthenticator(nil, brokenTempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "unable to create temporary file: some temp file error") + }) + + t.Run("marshal failure", func(t *testing.T) { + marshalError := func(_ clientcmdapi.Config, _ string) error { return fmt.Errorf("some marshal error") } + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{}, ioutil.TempFile, marshalError) + require.Nil(t, res) + require.EqualError(t, err, "unable to marshal kubeconfig: some marshal error") + }) + + t.Run("invalid base64", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + TLS: &idpv1alpha1.TLSSpec{CertificateAuthorityData: "invalid-base64"}, + }, ioutil.TempFile, clientcmd.WriteToFile) + require.Nil(t, res) + require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7") + }) + + t.Run("valid config with no TLS spec", func(t *testing.T) { + res, err := newWebhookAuthenticator(&idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: "https://example.com", + }, ioutil.TempFile, clientcmd.WriteToFile) + require.NotNil(t, res) + require.NoError(t, err) + }) + + t.Run("success", func(t *testing.T) { + caBundle, url := testutil.TLSTestServer(t, func(w http.ResponseWriter, r *http.Request) { + body, err := ioutil.ReadAll(r.Body) + require.NoError(t, err) + require.Contains(t, string(body), "test-token") + _, err = w.Write([]byte(`{}`)) + require.NoError(t, err) + }) + spec := &idpv1alpha1.WebhookIdentityProviderSpec{ + Endpoint: url, + TLS: &idpv1alpha1.TLSSpec{ + CertificateAuthorityData: base64.RawStdEncoding.EncodeToString([]byte(caBundle)), + }, + } + res, err := newWebhookAuthenticator(spec, ioutil.TempFile, clientcmd.WriteToFile) + require.NoError(t, err) + require.NotNil(t, res) + + resp, authenticated, err := res.AuthenticateToken(context.Background(), "test-token") + require.NoError(t, err) + require.Nil(t, resp) + require.False(t, authenticated) + }) +}