ContainerImage.Pinniped/test/integration/whoami_test.go
Monis Khan abc941097c
Add WhoAmIRequest Aggregated Virtual REST API
This change adds a new virtual aggregated API that can be used by
any user to echo back who they are currently authenticated as.  This
has general utility to end users and can be used in tests to
validate if authentication was successful.

Signed-off-by: Monis Khan <mok@vmware.com>
2021-02-22 20:02:41 -05:00

449 lines
14 KiB
Go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"testing"
"time"
"github.com/stretchr/testify/require"
authenticationv1 "k8s.io/api/authentication/v1"
certificatesv1 "k8s.io/api/certificates/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/certificate/csr"
"k8s.io/client-go/util/keyutil"
identityv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/identity/v1alpha1"
"go.pinniped.dev/test/library"
)
func TestWhoAmI_Kubeadm(t *testing.T) {
// use the cluster signing key being available as a proxy for this being a kubeadm cluster
// we should add more robust logic around skipping clusters based on vendor
_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
whoAmI, err := library.NewConciergeClientset(t).IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
// this user info is based off of the bootstrap cert user created by kubeadm
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "kubernetes-admin",
Groups: []string{
"system:masters",
"system:authenticated",
},
},
},
},
},
whoAmI,
)
}
func TestWhoAmI_ServiceAccount_Legacy(t *testing.T) {
_ = library.IntegrationEnv(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
kubeClient := library.NewKubernetesClientset(t).CoreV1()
ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
},
}, metav1.CreateOptions{})
require.NoError(t, err)
defer func() {
if t.Failed() {
return
}
err := kubeClient.Namespaces().Delete(ctx, ns.Name, metav1.DeleteOptions{})
require.NoError(t, err)
}()
sa, err := kubeClient.ServiceAccounts(ns.Name).Create(ctx, &corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
},
}, metav1.CreateOptions{})
require.NoError(t, err)
secret, err := kubeClient.Secrets(ns.Name).Create(ctx, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
Annotations: map[string]string{
corev1.ServiceAccountNameKey: sa.Name,
},
},
Type: corev1.SecretTypeServiceAccountToken,
}, metav1.CreateOptions{})
require.NoError(t, err)
library.RequireEventuallyWithoutError(t, func() (bool, error) {
secret, err = kubeClient.Secrets(ns.Name).Get(ctx, secret.Name, metav1.GetOptions{})
if err != nil {
return false, err
}
return len(secret.Data[corev1.ServiceAccountTokenKey]) > 0, nil
}, 30*time.Second, time.Second)
saConfig := library.NewAnonymousClientRestConfig(t)
saConfig.BearerToken = string(secret.Data[corev1.ServiceAccountTokenKey])
whoAmI, err := library.NewKubeclient(t, saConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
// legacy service account tokens do not have any extra info
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "system:serviceaccount:" + ns.Name + ":" + sa.Name,
UID: "", // aggregation drops UID: https://github.com/kubernetes/kubernetes/issues/93699
Groups: []string{
"system:serviceaccounts",
"system:serviceaccounts:" + ns.Name,
"system:authenticated",
},
},
},
},
},
whoAmI,
)
}
func TestWhoAmI_ServiceAccount_TokenRequest(t *testing.T) {
_ = library.IntegrationEnv(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
kubeClient := library.NewKubernetesClientset(t).CoreV1()
ns, err := kubeClient.Namespaces().Create(ctx, &corev1.Namespace{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
},
}, metav1.CreateOptions{})
require.NoError(t, err)
defer func() {
if t.Failed() {
return
}
err := kubeClient.Namespaces().Delete(ctx, ns.Name, metav1.DeleteOptions{})
require.NoError(t, err)
}()
sa, err := kubeClient.ServiceAccounts(ns.Name).Create(ctx, &corev1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
},
}, metav1.CreateOptions{})
require.NoError(t, err)
_, tokenRequestProbeErr := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{}, metav1.CreateOptions{})
if errors.IsNotFound(tokenRequestProbeErr) && tokenRequestProbeErr.Error() == "the server could not find the requested resource" {
return // stop test early since the token request API is not enabled on this cluster - other errors are caught below
}
pod, err := kubeClient.Pods(ns.Name).Create(ctx, &corev1.Pod{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "test-whoami-",
},
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "ignored-but-required",
Image: "does-not-matter",
},
},
ServiceAccountName: sa.Name,
},
}, metav1.CreateOptions{})
require.NoError(t, err)
tokenRequestBadAudience, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{
Audiences: []string{"should-fail-because-wrong-audience"}, // anything that is not an API server audience
BoundObjectRef: &authenticationv1.BoundObjectReference{
Kind: "Pod",
APIVersion: "",
Name: pod.Name,
UID: pod.UID,
},
},
}, metav1.CreateOptions{})
require.NoError(t, err)
saBadAudConfig := library.NewAnonymousClientRestConfig(t)
saBadAudConfig.BearerToken = tokenRequestBadAudience.Status.Token
_, badAudErr := library.NewKubeclient(t, saBadAudConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.True(t, errors.IsUnauthorized(badAudErr), library.Sdump(badAudErr))
tokenRequest, err := kubeClient.ServiceAccounts(ns.Name).CreateToken(ctx, sa.Name, &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{
Audiences: []string{},
BoundObjectRef: &authenticationv1.BoundObjectReference{
Kind: "Pod",
APIVersion: "",
Name: pod.Name,
UID: pod.UID,
},
},
}, metav1.CreateOptions{})
require.NoError(t, err)
saTokenReqConfig := library.NewAnonymousClientRestConfig(t)
saTokenReqConfig.BearerToken = tokenRequest.Status.Token
whoAmITokenReq, err := library.NewKubeclient(t, saTokenReqConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
// new service account tokens include the pod info in the extra fields
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "system:serviceaccount:" + ns.Name + ":" + sa.Name,
UID: "", // aggregation drops UID: https://github.com/kubernetes/kubernetes/issues/93699
Groups: []string{
"system:serviceaccounts",
"system:serviceaccounts:" + ns.Name,
"system:authenticated",
},
Extra: map[string]identityv1alpha1.ExtraValue{
"authentication.kubernetes.io/pod-name": {pod.Name},
"authentication.kubernetes.io/pod-uid": {string(pod.UID)},
},
},
},
},
},
whoAmITokenReq,
)
}
func TestWhoAmI_CSR(t *testing.T) {
// use the cluster signing key being available as a proxy for this not being an EKS cluster
// we should add more robust logic around skipping clusters based on vendor
_ = library.IntegrationEnv(t).WithCapability(library.ClusterSigningKeyIsAvailable)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
kubeClient := library.NewKubernetesClientset(t)
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
require.NoError(t, err)
der, err := x509.MarshalECPrivateKey(privateKey)
require.NoError(t, err)
keyPEM := pem.EncodeToMemory(&pem.Block{Type: keyutil.ECPrivateKeyBlockType, Bytes: der})
csrPEM, err := cert.MakeCSR(privateKey, &pkix.Name{
CommonName: "panda-man",
Organization: []string{"living-the-dream", "need-more-sleep"},
}, nil, nil)
require.NoError(t, err)
csrName, csrUID, err := csr.RequestCertificate(
kubeClient,
csrPEM,
"",
certificatesv1.KubeAPIServerClientSignerName,
[]certificatesv1.KeyUsage{certificatesv1.UsageClientAuth},
privateKey,
)
require.NoError(t, err)
defer func() {
if t.Failed() {
return
}
err := kubeClient.CertificatesV1().CertificateSigningRequests().Delete(ctx, csrName, metav1.DeleteOptions{})
require.NoError(t, err)
}()
// this is a blind update with no resource version checks, which is only safe during tests
_, err = kubeClient.CertificatesV1().CertificateSigningRequests().UpdateApproval(ctx, csrName, &certificatesv1.CertificateSigningRequest{
ObjectMeta: metav1.ObjectMeta{
Name: csrName,
},
Status: certificatesv1.CertificateSigningRequestStatus{
Conditions: []certificatesv1.CertificateSigningRequestCondition{
{
Type: certificatesv1.CertificateApproved,
Status: corev1.ConditionTrue,
Reason: "WhoAmICSRTest",
},
},
},
}, metav1.UpdateOptions{})
require.NoError(t, err)
crtPEM, err := csr.WaitForCertificate(ctx, kubeClient, csrName, csrUID)
require.NoError(t, err)
csrConfig := library.NewAnonymousClientRestConfig(t)
csrConfig.CertData = crtPEM
csrConfig.KeyData = keyPEM
whoAmI, err := library.NewKubeclient(t, csrConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "panda-man",
Groups: []string{
"need-more-sleep",
"living-the-dream",
"system:authenticated",
},
},
},
},
},
whoAmI,
)
}
func TestWhoAmI_Anonymous(t *testing.T) {
_ = library.IntegrationEnv(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
anonymousConfig := library.NewAnonymousClientRestConfig(t)
whoAmI, err := library.NewKubeclient(t, anonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
// this also asserts that all users, even unauthenticated ones, can call this API when anonymous is enabled
// this test will need to be skipped when we start running the integration tests against AKS clusters
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "system:anonymous",
Groups: []string{
"system:unauthenticated",
},
},
},
},
},
whoAmI,
)
}
func TestWhoAmI_ImpersonateDirectly(t *testing.T) {
_ = library.IntegrationEnv(t)
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
impersonationConfig := library.NewClientConfig(t)
impersonationConfig.Impersonate = rest.ImpersonationConfig{
UserName: "solaire",
Groups: []string{"astora", "lordran"},
Extra: map[string][]string{
"covenant": {"warrior-of-sunlight"},
"loves": {"sun", "co-op"},
},
}
whoAmI, err := library.NewKubeclient(t, impersonationConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "solaire",
UID: "", // no way to impersonate UID: https://github.com/kubernetes/kubernetes/issues/93699
Groups: []string{
"astora",
"lordran",
"system:authenticated", // impersonation will add this implicitly
},
Extra: map[string]identityv1alpha1.ExtraValue{
"covenant": {"warrior-of-sunlight"},
"loves": {"sun", "co-op"},
},
},
},
},
},
whoAmI,
)
impersonationAnonymousConfig := library.NewClientConfig(t)
impersonationAnonymousConfig.Impersonate.UserName = "system:anonymous"
whoAmIAnonymous, err := library.NewKubeclient(t, impersonationAnonymousConfig).PinnipedConcierge.IdentityV1alpha1().WhoAmIRequests().
Create(ctx, &identityv1alpha1.WhoAmIRequest{}, metav1.CreateOptions{})
require.NoError(t, err)
require.Equal(t,
&identityv1alpha1.WhoAmIRequest{
Status: identityv1alpha1.WhoAmIRequestStatus{
KubernetesUserInfo: identityv1alpha1.KubernetesUserInfo{
User: identityv1alpha1.UserInfo{
Username: "system:anonymous",
Groups: []string{
"system:unauthenticated", // impersonation will add this implicitly
},
},
},
},
},
whoAmIAnonymous,
)
}
func TestWhoAmI_ImpersonateViaProxy(t *testing.T) {
_ = library.IntegrationEnv(t)
// TODO: add this test after the impersonation proxy is done
// this should test all forms of auth understood by the proxy (certs, SA token, token cred req, anonymous, etc)
// remember that impersonation does not support UID: https://github.com/kubernetes/kubernetes/issues/93699
}