Adds token e2e test

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

test/e2e/framework/framework.go

@@ -25,6 +25,7 @@ type Framework struct {
 	BaseName string
 
 	KubeClientSet kubernetes.Interface
+	ProxyClient   kubernetes.Interface
 
 	Namespace *corev1.Namespace
 
@@ -82,6 +83,10 @@ func (f *Framework) BeforeEach() {
 
 	f.issuerURL, f.proxyURL = issuerURL, proxyURL
 	f.issuerKeyBundle, f.proxyKeyBundle = issuerKeyBundle, proxyKeyBundle
+
+	By("Creating Proxy Client")
+	f.ProxyClient, err = f.NewProxyClient()
+	Expect(err).NotTo(HaveOccurred())
 }
 
 // AfterEach deletes the namespace, after reading its events.
@@ -99,11 +104,37 @@ func (f *Framework) Helper() *helper.Helper {
 	return f.helper
 }
 
-func (f *Framework) NewValidRestConfig() (*rest.Config, error) {
+func (f *Framework) IssuerKeyBundle() *util.KeyBundle {
+	return f.issuerKeyBundle
+}
+
+func (f *Framework) IssuerURL() string {
+	return f.issuerURL
+}
+
+func (f *Framework) ClientID() string {
+	return clientID
+}
+
+func (f *Framework) NewProxyRestConfig() (*rest.Config, error) {
 	return f.Helper().NewValidRestConfig(f.issuerKeyBundle, f.proxyKeyBundle,
 		f.issuerURL, f.proxyURL, clientID)
 }
 
+func (f *Framework) NewProxyClient() (kubernetes.Interface, error) {
+	proxyConfig, err := f.NewProxyRestConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	proxyClient, err := kubernetes.NewForConfig(proxyConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return proxyClient, nil
+}
+
 func CasesDescribe(text string, body func()) bool {
 	return Describe("[TEST] "+text, body)
 }

test/e2e/framework/helper/token.go

@@ -13,25 +13,15 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/test/e2e/util"
 )
 
-func (h *Helper) NewValidRestConfig(issuerBundle, proxyBundle *util.KeyBundle, issuerURL, proxyURL, clientID string) (*rest.Config, error) {
-	signer, err := jose.NewSigner(jose.SigningKey{
-		Algorithm: jose.SignatureAlgorithm("RS256"),
-		Key:       issuerBundle.Key,
-	}, nil)
-	if err != nil {
-		return nil, fmt.Errorf("failed to initialise new jwt signer: %s", err)
-	}
-
-	token := h.newValidToken(issuerURL, clientID)
+func (h *Helper) NewValidRestConfig(issuerBundle, proxyBundle *util.KeyBundle,
+	issuerURL, proxyURL, clientID string) (*rest.Config, error) {
 
-	jwt, err := signer.Sign(token)
+	// valid token with exp in 10 minutes
+	tokenPayload := h.NewTokenPayload(issuerURL, clientID,
+		time.Now().Add(time.Minute*10))
+	signedToken, err := h.SignToken(issuerBundle, tokenPayload)
 	if err != nil {
-		return nil, fmt.Errorf("failed to sign jwt: %s", err)
-	}
-
-	signedToken, err := jwt.CompactSerialize()
-	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to sign token %q: %s", tokenPayload, err)
 	}
 
 	certPool := x509.NewCertPool()
@@ -51,13 +41,35 @@ func (h *Helper) NewValidRestConfig(issuerBundle, proxyBundle *util.KeyBundle, i
 	}, nil
 }
 
-func (h *Helper) newValidToken(issuerURL, clientID string) []byte {
+func (h *Helper) SignToken(issuerBundle *util.KeyBundle, tokenPayload []byte) (string, error) {
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm("RS256"),
+		Key:       issuerBundle.Key,
+	}, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to initialise new jwt signer: %s", err)
+	}
+
+	jwt, err := signer.Sign(tokenPayload)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign jwt: %s", err)
+	}
+
+	signedToken, err := jwt.CompactSerialize()
+	if err != nil {
+		return "", err
+	}
+
+	return signedToken, nil
+}
+
+func (h *Helper) NewTokenPayload(issuerURL, clientID string, exp time.Time) []byte {
 	// valid for 10 mins
 	return []byte(fmt.Sprintf(`{
 	"iss":"%s",
 	"aud":["%s","aud-2"],
 	"email":"[email protected]",
 	"groups":["group-1","group-2"],
 	"exp":%d
-	}`, issuerURL, clientID, time.Now().Add(time.Minute*10).Unix()))
+	}`, issuerURL, clientID, exp.Unix()))
 }

test/e2e/suite/cases/doc.go

@@ -2,4 +2,5 @@ package cases
 
 import (
 	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/rbac"
+	_ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/token"
 )

test/e2e/suite/cases/rbac/rbac.go

@@ -9,44 +9,34 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 
 	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
 )
 
 var _ = framework.CasesDescribe("RBAC", func() {
 	f := framework.NewDefaultFramework("rbac")
 
-	var rClient *kubernetes.Clientset
-	JustBeforeEach(func() {
-		config, err := f.NewValidRestConfig()
-		Expect(err).NotTo(HaveOccurred())
-
-		rClient, err = kubernetes.NewForConfig(config)
-		Expect(err).NotTo(HaveOccurred())
-	})
-
 	It("should return with a forbidden request with a valid token without rbac", func() {
 		By("Attempting to Get Pods")
-		_, err := rClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err := f.ProxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Services")
-		_, err = rClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Secrets")
-		_, err = rClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Nodes")
-		_, err = rClient.CoreV1().Nodes().List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Nodes().List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
@@ -87,23 +77,23 @@ var _ = framework.CasesDescribe("RBAC", func() {
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Pods")
-		_, err = rClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Services")
-		_, err = rClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Secrets")
-		_, err = rClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Nodes")
-		_, err = rClient.CoreV1().Nodes().List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Nodes().List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
@@ -123,21 +113,21 @@ var _ = framework.CasesDescribe("RBAC", func() {
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Pods")
-		_, err = rClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Services")
-		_, err = rClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Secrets")
-		_, err = rClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
 
 		By("Attempting to Get Nodes")
-		_, err = rClient.CoreV1().Nodes().List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Nodes().List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}
@@ -157,19 +147,19 @@ var _ = framework.CasesDescribe("RBAC", func() {
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Pods")
-		_, err = rClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Services")
-		_, err = rClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Services(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Secrets")
-		_, err = rClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Secrets(f.Namespace.Name).List(metav1.ListOptions{})
 		Expect(err).NotTo(HaveOccurred())
 
 		By("Attempting to Get Nodes")
-		_, err = rClient.CoreV1().Nodes().List(metav1.ListOptions{})
+		_, err = f.ProxyClient.CoreV1().Nodes().List(metav1.ListOptions{})
 		if !k8sErrors.IsForbidden(err) {
 			Expect(fmt.Errorf("expected forbidden error, got=%s", err)).NotTo(HaveOccurred())
 		}

test/e2e/suite/cases/token/token.go

@@ -0,0 +1,93 @@
+package token
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
+)
+
+type wraperRT struct {
+	transport http.RoundTripper
+	token     string
+}
+
+func (w *wraperRT) RoundTrip(r *http.Request) (*http.Response, error) {
+	r.Header.Add("Authorization", fmt.Sprintf("bearer %s", w.token))
+	return w.transport.RoundTrip(r)
+}
+
+var _ = framework.CasesDescribe("Token", func() {
+	f := framework.NewDefaultFramework("token")
+
+	It("should error when tokens are wrong for the issuer", func() {
+		By("No token should error")
+		expectProxyUnauthorized(f, nil)
+
+		By("Bad token should error")
+		expectProxyUnauthorized(f, []byte("bad token"))
+
+		By("Wrong issuer should error")
+		expectProxyUnauthorized(f, f.Helper().NewTokenPayload(
+			"incorrect-issuer", f.ClientID(), time.Now().Add(time.Minute)))
+
+		By("Wrong audience should error")
+		expectProxyUnauthorized(f, f.Helper().NewTokenPayload(
+			f.IssuerURL(), "wrong-aud", time.Now().Add(time.Minute)))
+
+		By("Token expires now")
+		expectProxyUnauthorized(f, f.Helper().NewTokenPayload(
+			f.IssuerURL(), f.ClientID(), time.Now()))
+
+		By("Valid token should return Kubernetes forbidden")
+		client, err := f.NewProxyClient()
+		Expect(err).NotTo(HaveOccurred())
+
+		// if does not return with Kubernetes forbidden error then error
+		_, err = client.CoreV1().Pods(f.Namespace.Name).List(metav1.ListOptions{})
+		if !k8sErrors.IsForbidden(err) {
+			Expect(err).NotTo(HaveOccurred())
+		}
+	})
+})
+
+func expectProxyUnauthorized(f *framework.Framework, tokenPayload []byte) {
+	// build client using given token payload
+	signedToken, err := f.Helper().SignToken(f.IssuerKeyBundle(), tokenPayload)
+	Expect(err).NotTo(HaveOccurred())
+
+	proxyConfig, err := f.NewProxyRestConfig()
+	Expect(err).NotTo(HaveOccurred())
+
+	client := http.DefaultClient
+	client.Transport = &wraperRT{
+		transport: proxyConfig.Transport,
+		token:     signedToken,
+	}
+
+	// send request with signed token to proxy
+	target := fmt.Sprintf("%s/api/v1/namespaces/%s/pods",
+		proxyConfig.Host, f.Namespace.Name)
+
+	resp, err := client.Get(target)
+	Expect(err).NotTo(HaveOccurred())
+
+	body, err := ioutil.ReadAll(resp.Body)
+	Expect(err).NotTo(HaveOccurred())
+
+	// check body and status code the token was rejected
+	if resp.StatusCode != http.StatusForbidden ||
+		!bytes.Equal(body, []byte("Unauthorized")) {
+	}
+	Expect(fmt.Errorf("expected status code %d with body Unauthorized, got= %d %q",
+		resp.StatusCode, body)).NotTo(HaveOccurred())
+}

test/e2e/suite/suite.go

@@ -14,16 +14,16 @@ var (
 )
 
 var _ = SynchronizedBeforeSuite(func() []byte {
-	//var err error
-	//env, err = environment.Create(1, 3)
-	//if err != nil {
-	//	log.Fatalf("Error provisioning environment: %v", err)
-	//}
+	var err error
+	env, err = environment.Create(1, 3)
+	if err != nil {
+		log.Fatalf("Error provisioning environment: %v", err)
+	}
 
-	//cfg.KubeConfigPath = env.KubeConfigPath()
-	//cfg.Kubectl = filepath.Join(env.RootPath(), "bin", "kubectl")
-	//cfg.RepoRoot = env.RootPath()
-	//cfg.Environment = env
+	cfg.KubeConfigPath = env.KubeConfigPath()
+	cfg.Kubectl = filepath.Join(env.RootPath(), "bin", "kubectl")
+	cfg.RepoRoot = env.RootPath()
+	cfg.Environment = env
 
 	cfg.KubeConfigPath = "/home/josh/.kube/kind-config-kube-oidc-proxy-e2e"
 	cfg.Kubectl = "/home/josh/go/src/github.com/jetstack/kube-oidc-proxy/bin/kubectl"
@@ -42,10 +42,10 @@ var globalLogs map[string]string
 
 var _ = SynchronizedAfterSuite(func() {},
 	func() {
-		//if env != nil {
-		//	if err := env.Destory(); err != nil {
-		//		log.Fatalf("Failed to destory environment: %s", err)
-		//	}
-		//}
+		if env != nil {
+			if err := env.Destory(); err != nil {
+				log.Fatalf("Failed to destory environment: %s", err)
+			}
+		}
 	},
 )