Adds impersonation e2e test

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

test/e2e/framework/framework.go

@@ -2,6 +2,8 @@
 package framework
 
 import (
+	"fmt"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
@@ -78,28 +80,46 @@ func (f *Framework) BeforeEach() {
 	Expect(err).NotTo(HaveOccurred())
 
 	By("Deploying kube-oidc-proxy")
-	proxyKeyBundle, proxyURL, err := f.helper.DeployProxy(f.Namespace, issuerURL, clientID, issuerKeyBundle)
+	proxyKeyBundle, proxyURL, err := f.helper.DeployProxy(f.Namespace,
+		issuerURL, clientID, issuerKeyBundle)
 	Expect(err).NotTo(HaveOccurred())
 
 	f.issuerURL, f.proxyURL = issuerURL, proxyURL
 	f.issuerKeyBundle, f.proxyKeyBundle = issuerKeyBundle, proxyKeyBundle
 
 	By("Creating Proxy Client")
-	f.ProxyClient, err = f.NewProxyClient()
-	Expect(err).NotTo(HaveOccurred())
+	f.ProxyClient = f.NewProxyClient()
 }
 
 // AfterEach deletes the namespace, after reading its events.
 func (f *Framework) AfterEach() {
+	By("Deleting kube-oidc-proxy deployment")
+	err := f.Helper().DeleteProxy(f.Namespace.Name)
+	Expect(err).NotTo(HaveOccurred())
+
+	By("Deleting mock OIDC issuer")
+	err = f.Helper().DeleteIssuer(f.Namespace.Name)
+	Expect(err).NotTo(HaveOccurred())
+
 	By("Deleting test namespace")
-	err := f.DeleteKubeNamespace(f.Namespace.Name)
+	err = f.DeleteKubeNamespace(f.Namespace.Name)
 	Expect(err).NotTo(HaveOccurred())
 
 	By("Waiting for test namespace to no longer exist")
 	err = f.WaitForKubeNamespaceNotExist(f.Namespace.Name)
 	Expect(err).NotTo(HaveOccurred())
 }
 
+func (f *Framework) DeployProxyWith(extraArgs ...string) {
+	By("Deleting kube-oidc-proxy deployment")
+	err := f.Helper().DeleteProxy(f.Namespace.Name)
+
+	By(fmt.Sprintf("Deploying kube-oidc-proxy with extra args %s", extraArgs))
+	f.proxyKeyBundle, f.proxyURL, err = f.helper.DeployProxy(f.Namespace, f.issuerURL,
+		clientID, f.issuerKeyBundle, extraArgs...)
+	Expect(err).NotTo(HaveOccurred())
+}
+
 func (f *Framework) Helper() *helper.Helper {
 	return f.helper
 }
@@ -116,23 +136,21 @@ func (f *Framework) ClientID() string {
 	return clientID
 }
 
-func (f *Framework) NewProxyRestConfig() (*rest.Config, error) {
-	return f.Helper().NewValidRestConfig(f.issuerKeyBundle, f.proxyKeyBundle,
+func (f *Framework) NewProxyRestConfig() *rest.Config {
+	config, err := f.Helper().NewValidRestConfig(f.issuerKeyBundle, f.proxyKeyBundle,
 		f.issuerURL, f.proxyURL, clientID)
+	Expect(err).NotTo(HaveOccurred())
+
+	return config
 }
 
-func (f *Framework) NewProxyClient() (kubernetes.Interface, error) {
-	proxyConfig, err := f.NewProxyRestConfig()
-	if err != nil {
-		return nil, err
-	}
+func (f *Framework) NewProxyClient() kubernetes.Interface {
+	proxyConfig := f.NewProxyRestConfig()
 
 	proxyClient, err := kubernetes.NewForConfig(proxyConfig)
-	if err != nil {
-		return nil, err
-	}
+	Expect(err).NotTo(HaveOccurred())
 
-	return proxyClient, nil
+	return proxyClient
 }
 
 func CasesDescribe(text string, body func()) bool {

test/e2e/framework/helper/deploy.go

@@ -20,12 +20,13 @@ const (
 	ProxyName  = "kube-oidc-proxy-e2e"
 )
 
-func (h *Helper) DeployProxy(ns *corev1.Namespace, issuerURL, clientID string, oidcKeyBundle *util.KeyBundle) (*util.KeyBundle, string, error) {
+func (h *Helper) DeployProxy(ns *corev1.Namespace, issuerURL, clientID string,
+	oidcKeyBundle *util.KeyBundle, extraArgs ...string) (*util.KeyBundle, string, error) {
 	cnt := corev1.Container{
 		Name:            ProxyName,
 		Image:           ProxyName,
 		ImagePullPolicy: corev1.PullNever,
-		Args: []string{
+		Args: append([]string{
 			"kube-oidc-proxy",
 			"--secure-port=6443",
 			"--tls-cert-file=/tls/cert.pem",
@@ -37,7 +38,7 @@ func (h *Helper) DeployProxy(ns *corev1.Namespace, issuerURL, clientID string, o
 			"--oidc-ca-file=/oidc/ca.pem",
 			"--oidc-ca-file=/oidc/ca.pem",
 			"--v=10",
-		},
+		}, extraArgs...),
 		VolumeMounts: []corev1.VolumeMount{
 			corev1.VolumeMount{
 				MountPath: "/tls",

test/e2e/suite/cases/impersonation/impersonation.go

@@ -0,0 +1,107 @@
+package impersonation
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
+
+	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
+)
+
+var _ = framework.CasesDescribe("Impersonation", func() {
+	f := framework.NewDefaultFramework("impersonation")
+
+	It("should error at proxy when impersonation enabled and impersonation is attempted on a request", func() {
+		By("Impersonating as a user")
+		tryImpersonationClient(f, rest.ImpersonationConfig{
+			UserName: "[email protected]",
+		})
+
+		By("Impersonating as a group")
+		tryImpersonationClient(f, rest.ImpersonationConfig{
+			Groups: []string{
+				"group-1",
+				"group-2",
+			},
+		})
+
+		By("Impersonating as a extra")
+		tryImpersonationClient(f, rest.ImpersonationConfig{
+			Extra: map[string][]string{
+				"foo": {
+					"k1", "k2", "k3",
+				},
+				"bar": {
+					"k1", "k2", "k3",
+				},
+			},
+		})
+
+		By("Impersonating as a user, group and extra")
+		tryImpersonationClient(f, rest.ImpersonationConfig{
+			UserName: "[email protected]",
+			Groups: []string{
+				"group-1",
+				"group-2",
+			},
+			Extra: map[string][]string{
+				"foo": {
+					"k1", "k2", "k3",
+				},
+				"bar": {
+					"k1", "k2", "k3",
+				},
+			},
+		})
+	})
+
+	It("should not error at proxy when impersonation is disabled impersonation is attempted on a request", func() {
+		f.DeployProxyWith("--disable-impersonation")
+
+		// Should return a normal RBAC forbidden from Kubernetes. If is not a
+		// Kubernetes error then it came from the kube-oidc-proxy so error
+		client := f.NewProxyClient()
+		_, err := client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		if !k8sErrors.IsForbidden(err) {
+			Expect(err).NotTo(HaveOccurred())
+		}
+	})
+})
+
+func tryImpersonationClient(f *framework.Framework, impConfig rest.ImpersonationConfig) {
+	config := f.NewProxyRestConfig()
+	config.Impersonate = impConfig
+
+	tranConfig, err := config.TransportConfig()
+	Expect(err).NotTo(HaveOccurred())
+
+	client := http.DefaultClient
+	client.Transport = tranConfig.Transport
+
+	// send request with signed token to proxy
+	target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
+		config.Host, f.Namespace.Name)
+
+	resp, err := client.Get(target)
+	Expect(err).NotTo(HaveOccurred())
+
+	body, err := ioutil.ReadAll(resp.Body)
+	Expect(err).NotTo(HaveOccurred())
+
+	expRespBody := []byte("Impersonation requests are disabled when using kube-oidc-proxy\n")
+
+	// check body and status code the token was rejected
+	if resp.StatusCode != http.StatusForbidden ||
+		!bytes.Equal(body, expRespBody) {
+	}
+	Expect(fmt.Errorf("expected status code %d with body %q, got= %d %q",
+		http.StatusForbidden, expRespBody, resp.StatusCode, body)).NotTo(HaveOccurred())
+}

test/e2e/suite/cases/token/token.go

@@ -49,11 +49,10 @@ var _ = framework.CasesDescribe("Token", func() {
 			f.IssuerURL(), f.ClientID(), time.Now()))
 
 		By("Valid token should return Kubernetes forbidden")
-		client, err := f.NewProxyClient()
-		Expect(err).NotTo(HaveOccurred())
+		client := f.NewProxyClient()
 
 		// if does not return with Kubernetes forbidden error then error
-		_, err = client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err := client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(err).NotTo(HaveOccurred())
 		}
@@ -65,9 +64,7 @@ func expectProxyUnauthorized(f *framework.Framework, tokenPayload []byte) {
 	signedToken, err := f.Helper().SignToken(f.IssuerKeyBundle(), tokenPayload)
 	Expect(err).NotTo(HaveOccurred())
 
-	proxyConfig, err := f.NewProxyRestConfig()
-	Expect(err).NotTo(HaveOccurred())
-
+	proxyConfig := f.NewProxyRestConfig()
 	client := http.DefaultClient
 	client.Transport = &wraperRT{
 		transport: proxyConfig.Transport,
@@ -89,5 +86,5 @@ func expectProxyUnauthorized(f *framework.Framework, tokenPayload []byte) {
 		!bytes.Equal(body, []byte("Unauthorized")) {
 	}
 	Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
-		resp.StatusCode, body)).NotTo(HaveOccurred())
+		http.StatusForbidden, resp.StatusCode, body)).NotTo(HaveOccurred())
 }

test/e2e/suite/suite.go

@@ -1,6 +1,8 @@
 package suite
 
 import (
+	"path/filepath"
+
 	. "github.com/onsi/ginkgo"
 	log "github.com/sirupsen/logrus"