Adds passthrough e2e tests

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/app/options/kube_oidc_proxy.go

@@ -18,10 +18,10 @@ type KubeOIDCProxyOptions struct {
 func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&t.Audiences, "token-passthrough-audiences", t.Audiences, ""+
 		"(Alpha) List of the identifiers that the resource server presented with the token "+
-		"identifies as. The resoure server will verify that non OIDC tokens are intended "+
+		"identifies as. The resource server will verify that non OIDC tokens are intended "+
 		"for at least one of the audiences in this list. If no audiences are "+
 		"provided, the audience will default to the audience of the Kubernetes "+
-		"apiserver.")
+		"apiserver. Only used when --token-passthrough is also enabled.")
 
 	fs.BoolVar(&t.Enabled, "token-passthrough", t.Enabled, ""+
 		"(Alpha) Requests with Bearer tokens that fail OIDC validation are tried against "+

test/e2e/framework/helper/pod.go

@@ -13,7 +13,7 @@ import (
 func (h *Helper) WaitForPodReady(namespace, name string, timeout time.Duration) error {
 	log.Infof("Waiting for Pod to become ready %s/%s", namespace, name)
 
-	err := wait.PollImmediate(time.Second*2, timeout, func() (bool, error) {
+	err := wait.PollImmediate(time.Second*5, timeout, func() (bool, error) {
 		pod, err := h.KubeClient.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
 		if err != nil {
 			return false, err
@@ -50,7 +50,8 @@ func (h *Helper) WaitForPodReady(namespace, name string, timeout time.Duration)
 
 func (h *Helper) WaitForPodDeletion(namespace, name string, timeout time.Duration) error {
 	log.Infof("Waiting for Pod to be deleted %s/%s", namespace, name)
-	err := wait.PollImmediate(time.Second*2, timeout, func() (bool, error) {
+
+	err := wait.PollImmediate(time.Second*5, timeout, func() (bool, error) {
 		pod, err := h.KubeClient.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
 		if k8sErrors.IsNotFound(err) {
 			return true, nil

test/e2e/framework/helper/requester.go

@@ -0,0 +1,43 @@
+package helper
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+type Requester struct {
+	transport http.RoundTripper
+	token     string
+	client    *http.Client
+}
+
+func (h *Helper) NewRequester(transport http.RoundTripper, token string) *Requester {
+	r := &Requester{
+		token: token,
+	}
+
+	r.client = http.DefaultClient
+	r.client.Transport = r
+
+	return r
+}
+
+func (r *Requester) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Add("Authorization", fmt.Sprintf("bearer %s", r.token))
+	return r.transport.RoundTrip(req)
+}
+
+func (r *Requester) Get(target string) ([]byte, int, error) {
+	resp, err := r.client.Get(target)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return body, resp.StatusCode, nil
+}

test/e2e/framework/helper/secrets.go

@@ -0,0 +1,19 @@
+package helper
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func (h *Helper) GetServiceAccountSecret(ns, name string) (*corev1.Secret, error) {
+	sa, err := h.KubeClient.CoreV1().ServiceAccounts(ns).Get(name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	sec, err := h.KubeClient.CoreV1().Secrets(ns).Get(sa.Secrets[0].Name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	return sec, nil
+}

test/e2e/framework/helper/token.go

@@ -16,7 +16,7 @@ import (
 func (h *Helper) NewValidRestConfig(issuerBundle, proxyBundle *util.KeyBundle,
 	issuerURL, proxyURL, clientID string) (*rest.Config, error) {
 
-	// valid token with exp in 10 minutes
+	// Valid token with exp in 10 minutes
 	tokenPayload := h.NewTokenPayload(issuerURL, clientID,
 		time.Now().Add(time.Minute*10))
 	signedToken, err := h.SignToken(issuerBundle, tokenPayload)
@@ -64,7 +64,7 @@ func (h *Helper) SignToken(issuerBundle *util.KeyBundle, tokenPayload []byte) (s
 }
 
 func (h *Helper) NewTokenPayload(issuerURL, clientID string, exp time.Time) []byte {
-	// valid for 10 mins
+	// Valid for 10 mins
 	return []byte(fmt.Sprintf(`{
 	"iss":"%s",
 	"aud":["%s","aud-2"],

test/e2e/suite/cases/doc.go

@@ -1,6 +1,7 @@
 package cases
 
 import (
+	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/impersonation"
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/rbac"
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/token"
 )

test/e2e/suite/cases/impersonation/impersonation.go

@@ -64,13 +64,14 @@ var _ = framework.CasesDescribe("Impersonation", func() {
 	})
 
 	It("should not error at proxy when impersonation is disabled impersonation is attempted on a request", func() {
+		By("Enabling the disabling of impersonation")
 		f.DeployProxyWith("--disable-impersonation")
 
-		// Should return a normal RBAC forbidden from Kubernetes. If is not a
-		// Kubernetes error then it came from the kube-oidc-proxy so error
-		client := f.NewProxyClient()
-		_, err := client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
-		if !k8sErrors.IsForbidden(err) {
+		// Should return an Unauthorized response from Kubernetes as it does not
+		// trust the OIDC token we have presented however it has been authenticated
+		// by kube-oidc-proxy.
+		_, err := f.NewProxyClient().CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		if !k8sErrors.IsUnauthorized(err) {
 			Expect(err).NotTo(HaveOccurred())
 		}
 	})

test/e2e/suite/cases/passthrough/passthrough.go

@@ -0,0 +1,130 @@
+package impersonation
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
+)
+
+var _ = framework.CasesDescribe("Passthrough", func() {
+	f := framework.NewDefaultFramework("passthrough")
+
+	var saToken string
+
+	JustBeforeEach(func() {
+		By("Creating List Pods Role")
+		_, err := f.Helper().KubeClient.RbacV1().Roles(f.Namespace.Name).Create(
+			&rbacv1.Role{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "e2e-impersonation-pods-list",
+				},
+				Rules: []rbacv1.PolicyRule{
+					{
+						APIGroups: []string{""},
+						Resources: []string{"pods"},
+						Verbs:     []string{"get", "list"},
+					},
+				},
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		// Create bindings for both the OIDC user and default ServiceAccount
+		By("Creating List Pods RoleBinding")
+		_, err = f.Helper().KubeClient.RbacV1().RoleBindings(f.Namespace.Name).Create(
+			&rbacv1.RoleBinding{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "e2e-impersonation-pods-list",
+				},
+				Subjects: []rbacv1.Subject{
+					{Name: "[email protected]", Kind: "User"},
+					{Name: "default", Kind: "ServiceAccount"},
+				},
+				RoleRef: rbacv1.RoleRef{
+					Name: "e2e-impersonation-pods-list", Kind: "Role"},
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Geting the token for the default ServiceAccount")
+		sec, err := f.Helper().GetServiceAccountSecret(f.Namespace.Name, "default")
+		Expect(err).NotTo(HaveOccurred())
+
+		saTokenBytes, ok := sec.Data[corev1.ServiceAccountTokenKey]
+		if !ok {
+			err = fmt.Errorf("expected token to be present in secret %s/%s (%s): %+v",
+				sec.Name, sec.Namespace, corev1.ServiceAccountTokenKey, sec.Data)
+			Expect(err).NotTo(HaveOccurred())
+		}
+
+		saToken = string(saTokenBytes)
+	})
+
+	JustAfterEach(func() {
+		By("Deleting List Pods Role")
+		err := f.Helper().KubeClient.RbacV1().Roles(f.Namespace.Name).Delete(
+			"e2e-impersonation-pods-list", nil)
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Creating List Pods RoleBinding")
+		err = f.Helper().KubeClient.RbacV1().RoleBindings(f.Namespace.Name).Delete(
+			"e2e-impersonation-pods-list", nil)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("error when a valid OIDC token is used but return correct when passthrough is disabled", func() {
+		By("A valid OIDC token should respond without error")
+		proxyClient := f.NewProxyClient()
+		_, err := proxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Using a ServiceAccount token should error by the proxy")
+
+		// Create requester using the ServiceAccount token
+		proxyConfig := f.NewProxyRestConfig()
+		requester := f.Helper().NewRequester(proxyConfig.Transport, saToken)
+
+		// Send request with signed token to proxy
+		target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
+			proxyConfig.Host, f.Namespace.Name)
+
+		body, statusCode, err := requester.Get(target)
+		Expect(err).NotTo(HaveOccurred())
+
+		// Check body and status code the token was rejected
+		if statusCode != http.StatusForbidden ||
+			!bytes.Equal(body, []byte("Unauthorized")) {
+		}
+		Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
+			http.StatusForbidden, statusCode, body)).NotTo(HaveOccurred())
+	})
+
+	It("should not error on a valid OIDC token nor a valid ServiceAccount token with passthrough enabled", func() {
+		By("Enabling passthrough with Audience of the API Server")
+		f.DeployProxyWith("--token-passthrough")
+
+		By("A valid OIDC token should respond without error")
+		proxyClient := f.NewProxyClient()
+		_, err := proxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		Expect(err).NotTo(HaveOccurred())
+
+		By("Using a ServiceAccount token should not error")
+
+		// Create kube client using ServiceAccount token
+		proxyConfig := f.NewProxyRestConfig()
+		proxyConfig.BearerToken = saToken
+		kubeProxyClient, err := kubernetes.NewForConfig(proxyConfig)
+		Expect(err).NotTo(HaveOccurred())
+
+		_, err = kubeProxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		Expect(err).NotTo(HaveOccurred())
+	})
+})

test/e2e/suite/cases/token/token.go

@@ -3,7 +3,6 @@ package token
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"time"
 
@@ -16,16 +15,6 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
 )
 
-type wraperRT struct {
-	transport http.RoundTripper
-	token     string
-}
-
-func (w *wraperRT) RoundTrip(r *http.Request) (*http.Response, error) {
-	r.Header.Add("Authorization", fmt.Sprintf("bearer %s", w.token))
-	return w.transport.RoundTrip(r)
-}
-
 var _ = framework.CasesDescribe("Token", func() {
 	f := framework.NewDefaultFramework("token")
 
@@ -51,7 +40,7 @@ var _ = framework.CasesDescribe("Token", func() {
 		By("Valid token should return Kubernetes forbidden")
 		client := f.NewProxyClient()
 
-		// if does not return with Kubernetes forbidden error then error
+		// If does not return with Kubernetes forbidden error then error
 		_, err := client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(err).NotTo(HaveOccurred())
@@ -60,31 +49,24 @@ var _ = framework.CasesDescribe("Token", func() {
 })
 
 func expectProxyUnauthorized(f *framework.Framework, tokenPayload []byte) {
-	// build client using given token payload
+	// Build client using given token payload
 	signedToken, err := f.Helper().SignToken(f.IssuerKeyBundle(), tokenPayload)
 	Expect(err).NotTo(HaveOccurred())
 
 	proxyConfig := f.NewProxyRestConfig()
-	client := http.DefaultClient
-	client.Transport = &wraperRT{
-		transport: proxyConfig.Transport,
-		token:     signedToken,
-	}
+	requester := f.Helper().NewRequester(proxyConfig.Transport, signedToken)
 
-	// send request with signed token to proxy
+	// Send request with signed token to proxy
 	target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
 		proxyConfig.Host, f.Namespace.Name)
 
-	resp, err := client.Get(target)
-	Expect(err).NotTo(HaveOccurred())
-
-	body, err := ioutil.ReadAll(resp.Body)
+	body, statusCode, err := requester.Get(target)
 	Expect(err).NotTo(HaveOccurred())
 
-	// check body and status code the token was rejected
-	if resp.StatusCode != http.StatusForbidden ||
+	// Check body and status code the token was rejected
+	if statusCode != http.StatusForbidden ||
 		!bytes.Equal(body, []byte("Unauthorized")) {
 	}
 	Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
-		http.StatusForbidden, resp.StatusCode, body)).NotTo(HaveOccurred())
+		http.StatusForbidden, statusCode, body)).NotTo(HaveOccurred())
 }