Integrates the review token with flag - disabled by default

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/run.go

@@ -22,6 +22,7 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/cmd/options"
 	"github.com/jetstack/kube-oidc-proxy/pkg/probe"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy"
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 	"github.com/jetstack/kube-oidc-proxy/pkg/version"
 )
 
@@ -95,14 +96,24 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return err
 			}
 
+			// Init token reviewer if enabled
+			var tokenReviewer *tokenreview.TokenReview
+			if tpOptions.Enabled {
+				tokenReviewer, err = tokenreview.New(restConfig, tpOptions.Audiences)
+				if err != nil {
+					return err
+				}
+			}
+
 			// oidc auther from config
 			reqAuther := bearertoken.New(oidcAuther)
 			secureServingInfo := new(server.SecureServingInfo)
 			if err := ssoptionsWithLB.ApplyTo(&secureServingInfo, nil); err != nil {
 				return err
 			}
 
-			p := proxy.New(restConfig, reqAuther, secureServingInfo)
+			p := proxy.New(restConfig, reqAuther, tokenReviewer,
+				secureServingInfo)
 
 			// run proxy
 			waitCh, err := p.Run(stopCh)

pkg/e2e/e2e.go

@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -40,9 +41,10 @@ type E2E struct {
 	proxyClient    *http.Client
 	proxyCmd       *exec.Cmd
 	proxyPort      string
-	proxyCert      []byte
 	proxyTransport *http.Transport
 
+	proxyKeyCertPair *util.KeyCertPair
+
 	tmpDir string
 }
 
@@ -141,24 +143,24 @@ func (e *E2E) newIssuerProxyPair() (*http.Transport, error) {
 	}
 	e.issuer = issuer
 
-	proxyCertPath, proxyKeyPath, _, proxyCert, err := util.NewTLSSelfSignedCertKey(pairTmpDir, "")
+	pkcp, err := util.NewTLSSelfSignedCertKey(pairTmpDir, "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create key pair: %s", err)
 	}
-	e.proxyCert = proxyCert
+	e.proxyKeyCertPair = pkcp
 
 	signer, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: jose.SignatureAlgorithm("RS256"),
-		Key:       issuer.Key(),
+		Key:       issuer.KeyCertPair().Key,
 	}, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialise new jwt signer: %s", err)
 	}
 	e.signer = signer
 
 	certPool := x509.NewCertPool()
-	if ok := certPool.AppendCertsFromPEM(proxyCert); !ok {
-		return nil, fmt.Errorf("failed to append proxy cert data to cert pool %s", proxyCertPath)
+	if ok := certPool.AppendCertsFromPEM(pkcp.Cert); !ok {
+		return nil, fmt.Errorf("failed to append proxy cert data to cert pool %s", pkcp.CertPath)
 	}
 
 	transport := &http.Transport{
@@ -175,16 +177,16 @@ func (e *E2E) newIssuerProxyPair() (*http.Transport, error) {
 
 	cmd := exec.Command("../../kube-oidc-proxy",
 		fmt.Sprintf("--oidc-issuer-url=https://127.0.0.1:%s", issuer.Port()),
-		fmt.Sprintf("--oidc-ca-file=%s", issuer.CertPath()),
+		fmt.Sprintf("--oidc-ca-file=%s", e.issuer.KeyCertPair().CertPath),
 		"--oidc-client-id=kube-oidc-proxy_e2e_client-id",
 		"--oidc-username-claim=e2e-username-claim",
 		"--oidc-groups-claim=e2e-groups-claim",
 		"--oidc-signing-algs=RS256",
 
 		"--bind-address=127.0.0.1",
-		fmt.Sprintf("--secure-port=%s", proxyPort),
-		fmt.Sprintf("--tls-cert-file=%s", proxyCertPath),
-		fmt.Sprintf("--tls-private-key-file=%s", proxyKeyPath),
+		fmt.Sprintf("--secure-port=%s", e.proxyPort),
+		fmt.Sprintf("--tls-cert-file=%s", e.proxyKeyCertPair.CertPath),
+		fmt.Sprintf("--tls-private-key-file=%s", e.proxyKeyCertPair.KeyPath),
 
 		fmt.Sprintf("--kubeconfig=%s", e.kubeKubeconfig),
 	)
@@ -245,7 +247,7 @@ func (e *E2E) proxyRestClient() (*rest.Config, error) {
 			},
 		},
 		TLSClientConfig: rest.TLSClientConfig{
-			CAData: e.proxyCert,
+			CAData: e.proxyKeyCertPair.Cert,
 		},
 
 		APIPath: "/api",
@@ -265,5 +267,47 @@ func (e *E2E) cleanup() {
 				err)
 		}
 
+		e.proxyCmd = nil
+	}
+}
+
+func (e *E2E) runProxy(extraArgs ...string) error {
+	if e.issuer == nil {
+		return errors.New("failed to run proxy: issuer not ready")
+	}
+
+	args := append(
+		[]string{
+			fmt.Sprintf("--oidc-issuer-url=https://127.0.0.1:%s", e.issuer.Port()),
+			fmt.Sprintf("--oidc-ca-file=%s", e.issuer.KeyCertPair().CertPath),
+			"--oidc-client-id=kube-oidc-proxy_e2e_client-id",
+			"--oidc-username-claim=e2e-username-claim",
+			"--oidc-groups-claim=e2e-groups-claim",
+			"--oidc-signing-algs=RS256",
+			"--v=5",
+
+			"--bind-address=127.0.0.1",
+			fmt.Sprintf("--secure-port=%s", e.proxyPort),
+			fmt.Sprintf("--tls-cert-file=%s", e.proxyKeyCertPair.CertPath),
+			fmt.Sprintf("--tls-private-key-file=%s", e.proxyKeyCertPair.KeyPath),
+
+			fmt.Sprintf("--kubeconfig=%s", e.kubeKubeconfig),
+		},
+		extraArgs...,
+	)
+
+	cmd := exec.Command("../../kube-oidc-proxy", args...)
+
+	cmd.Stderr = os.Stderr
+	cmd.Stdout = os.Stdout
+	if err := cmd.Start(); err != nil {
+		return err
 	}
+
+	e.proxyCmd = cmd
+
+	// wait more than enough for proxy to become ready
+	time.Sleep(time.Second * 13)
+
+	return nil
 }

pkg/e2e/issuer/issuer.go

@@ -2,22 +2,21 @@
 package issuer
 
 import (
-	"crypto/rsa"
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"time"
 
-	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 	"k8s.io/klog"
+
+	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 )
 
 type Issuer struct {
-	tlsDir            string
-	listenPort        string
-	certPath, keyPath string
+	tlsDir     string
+	listenPort string
 
-	sk *rsa.PrivateKey
+	keyCertPair *util.KeyCertPair
 }
 
 func New(tlsDir string) *Issuer {
@@ -33,18 +32,16 @@ func (i *Issuer) Run() error {
 	}
 	i.listenPort = listenPort
 
-	certPath, keyPath, sk, _, err := util.NewTLSSelfSignedCertKey(i.tlsDir, "oidc-issuer")
+	kcp, err := util.NewTLSSelfSignedCertKey(i.tlsDir, "oidc-issuer")
 	if err != nil {
 		return fmt.Errorf("failed to create issuer key pair: %s", err)
 	}
-	i.certPath = certPath
-	i.keyPath = keyPath
-	i.sk = sk
+	i.keyCertPair = kcp
 
 	serveAddr := fmt.Sprintf("127.0.0.1:%s", i.listenPort)
 
 	go func() {
-		err = http.ListenAndServeTLS(serveAddr, i.certPath, i.keyPath, i)
+		err = http.ListenAndServeTLS(serveAddr, i.keyCertPair.CertPath, i.keyCertPair.KeyPath, i)
 		if err != nil {
 			klog.Errorf("failed to server secure tls: %s", err)
 		}
@@ -80,16 +77,8 @@ func (i *Issuer) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (i *Issuer) CertPath() string {
-	return i.certPath
-}
-
-func (i *Issuer) KeyPath() string {
-	return i.keyPath
-}
-
-func (i *Issuer) Key() *rsa.PrivateKey {
-	return i.sk
+func (i *Issuer) KeyCertPair() *util.KeyCertPair {
+	return i.keyCertPair
 }
 
 func (i *Issuer) Port() string {
@@ -128,7 +117,7 @@ func (i *Issuer) wellKnownResponse() []byte {
 }
 
 func (i *Issuer) CertsDisc() []byte {
-	n := base64.RawURLEncoding.EncodeToString(i.sk.N.Bytes())
+	n := base64.RawURLEncoding.EncodeToString(i.keyCertPair.Key.N.Bytes())
 
 	return []byte(fmt.Sprintf(`{
 	  "keys": [

pkg/e2e/rbac_test.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"testing"
 
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -15,23 +14,11 @@ const (
 )
 
 func Test_Rbac(t *testing.T) {
-	if e2eSuite == nil {
-		t.Skip("e2eSuite not defined")
-		return
-	}
+	mustSkipMissingSuite(t)
+	mustNamespace(t, namespaceRbacTest)
 
-	coreclient := e2eSuite.kubeclient.CoreV1()
 	rbacclient := e2eSuite.kubeclient.RbacV1()
 
-	_, err := coreclient.Namespaces().Create(&corev1.Namespace{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: namespaceRbacTest,
-		},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	validToken := e2eSuite.validToken()
 
 	urlPods := fmt.Sprintf(
@@ -88,7 +75,7 @@ func Test_Rbac(t *testing.T) {
 	for _, resource := range []string{
 		"pods", "services", "secrets",
 	} {
-		_, err = rbacclient.Roles(namespaceRbacTest).Create(&rbacv1.Role{
+		_, err := rbacclient.Roles(namespaceRbacTest).Create(&rbacv1.Role{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      fmt.Sprintf("test-username-role-%s", resource),
 				Namespace: namespaceRbacTest,
@@ -107,7 +94,7 @@ func Test_Rbac(t *testing.T) {
 	}
 
 	// group-1 role-binding should give access to pods
-	_, err = e2eSuite.kubeclient.RbacV1().RoleBindings(namespaceRbacTest).Create(
+	_, err := e2eSuite.kubeclient.RbacV1().RoleBindings(namespaceRbacTest).Create(
 		&rbacv1.RoleBinding{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "test-username-binding-group-1",