Merge pull request #3566 from ntnn/kcp3513-oidcfixtures

kcp-ci-bot · web-flow · commit 138cf2a7da68 · 2025-09-03T11:01:36.000+02:00
Move e2e mockoidc to authfixtures
diff --git a/test/e2e/authentication/workspace_test.go b/test/e2e/authentication/workspace_test.go
@@ -19,7 +19,6 @@ package authentication
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"testing"
 	"time"
 
@@ -39,7 +38,7 @@ import (
 	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
 	kcpclientset "github.com/kcp-dev/kcp/sdk/client/clientset/versioned/cluster"
 	kcptesting "github.com/kcp-dev/kcp/sdk/testing"
-	"github.com/kcp-dev/kcp/sdk/testing/third_party/library-go/crypto"
+	"github.com/kcp-dev/kcp/test/e2e/fixtures/authfixtures"
 	"github.com/kcp-dev/kcp/test/e2e/framework"
 )
 
@@ -61,19 +60,19 @@ func TestWorkspaceOIDC(t *testing.T) {
 
 	// start a two mock OIDC servers that will listen on random ports
 	// (only for discovery and keyset handling, no actual login workflows)
-	mockA, ca := startMockOIDC(t, server)
-	mockB, _ := startMockOIDC(t, server)
+	mockA, ca := authfixtures.StartMockOIDC(t, server)
+	mockB, _ := authfixtures.StartMockOIDC(t, server)
 
 	// setup a new workspace auth config that uses mockoidc's server, one for
 	// each of our mockoidc servers
-	authConfigA := createWorkspaceAuthentication(t, ctx, kcpClusterClient, baseWsPath, mockA, ca)
-	authConfigB := createWorkspaceAuthentication(t, ctx, kcpClusterClient, baseWsPath, mockB, ca)
+	authConfigA := authfixtures.CreateWorkspaceOIDCAuthentication(t, ctx, kcpClusterClient, baseWsPath, mockA, ca)
+	authConfigB := authfixtures.CreateWorkspaceOIDCAuthentication(t, ctx, kcpClusterClient, baseWsPath, mockB, ca)
 
 	// use these configs in new WorkspaceTypes and create one extra workspace type that allows
 	// both mockoidc issuers
-	wsTypeA := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfigA)
-	wsTypeB := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfigB)
-	wsTypeC := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfigA, authConfigB)
+	wsTypeA := authfixtures.CreateWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, "with-oidc-a", authConfigA)
+	wsTypeB := authfixtures.CreateWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, "with-oidc-b", authConfigB)
+	wsTypeC := authfixtures.CreateWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, "with-oidc-c", authConfigA, authConfigB)
 
 	// create a new workspace with our new type
 	t.Log("Creating Workspaces...")
@@ -89,15 +88,15 @@ func TestWorkspaceOIDC(t *testing.T) {
 	}
 
 	// grant permissions to random users and groups
-	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamAPath, []rbacv1.Subject{{
+	authfixtures.GrantWorkspaceAccess(t, ctx, kubeClusterClient, teamAPath, "grant-oidc-user", "cluster-admin", []rbacv1.Subject{{
 		Kind: "User",
 		Name: "oidc:user-a@example.com",
 	}, {
 		Kind: "Group",
 		Name: "oidc:developers",
 	}})
 
-	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamBPath, []rbacv1.Subject{{
+	authfixtures.GrantWorkspaceAccess(t, ctx, kubeClusterClient, teamBPath, "grant-oidc-user", "cluster-admin", []rbacv1.Subject{{
 		Kind: "User",
 		Name: "oidc:user-b@example.com",
 	}, {
@@ -108,7 +107,7 @@ func TestWorkspaceOIDC(t *testing.T) {
 		Name: "oidc:developers",
 	}})
 
-	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamCPath, []rbacv1.Subject{{
+	authfixtures.GrantWorkspaceAccess(t, ctx, kubeClusterClient, teamCPath, "grant-oidc-user", "cluster-admin", []rbacv1.Subject{{
 		Kind: "User",
 		Name: "oidc:user-c@example.com",
 	}, {
@@ -224,7 +223,7 @@ func TestWorkspaceOIDC(t *testing.T) {
 		t.Run(testcase.name, func(t *testing.T) {
 			t.Parallel()
 
-			token := createOIDCToken(t, testcase.mock, testcase.username, testcase.email, testcase.groups)
+			token := authfixtures.CreateOIDCToken(t, testcase.mock, testcase.username, testcase.email, testcase.groups)
 
 			client, err := kcpkubernetesclientset.NewForConfig(framework.ConfigWithToken(token, kcpConfig))
 			require.NoError(t, err)
@@ -268,9 +267,9 @@ func TestUserScope(t *testing.T) {
 	kcpClusterClient, err := kcpclientset.NewForConfig(kcpConfig)
 	require.NoError(t, err)
 
-	mock, ca := startMockOIDC(t, server)
-	authConfig := createWorkspaceAuthentication(t, ctx, kcpClusterClient, baseWsPath, mock, ca)
-	wsType := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfig)
+	mock, ca := authfixtures.StartMockOIDC(t, server)
+	authConfig := authfixtures.CreateWorkspaceOIDCAuthentication(t, ctx, kcpClusterClient, baseWsPath, mock, ca)
+	wsType := authfixtures.CreateWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, "with-oidc", authConfig)
 
 	// create a new workspace with our new type
 	t.Log("Creating Workspaces...")
@@ -287,12 +286,12 @@ func TestUserScope(t *testing.T) {
 		expectedGroups = append(expectedGroups, "oidc:"+group)
 	}
 
-	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamPath, []rbacv1.Subject{{
+	authfixtures.GrantWorkspaceAccess(t, ctx, kubeClusterClient, teamPath, "grant-oidc-user", "cluster-admin", []rbacv1.Subject{{
 		Kind: "User",
 		Name: "oidc:" + userEmail,
 	}})
 
-	token := createOIDCToken(t, mock, userName, userEmail, userGroups)
+	token := authfixtures.CreateOIDCToken(t, mock, userName, userEmail, userGroups)
 
 	peterClient, err := kcpkubernetesclientset.NewForConfig(framework.ConfigWithToken(token, kcpConfig))
 	require.NoError(t, err)
@@ -334,7 +333,7 @@ func TestForbiddenSystemAccess(t *testing.T) {
 	kcpClusterClient, err := kcpclientset.NewForConfig(kcpConfig)
 	require.NoError(t, err)
 
-	mock, ca := startMockOIDC(t, server)
+	mock, ca := authfixtures.StartMockOIDC(t, server)
 
 	// create an evil AuthConfig that would not prefix OIDC-provided groups, theoretically allowing
 	// users to become part of system groups.
@@ -345,7 +344,7 @@ func TestForbiddenSystemAccess(t *testing.T) {
 		},
 		Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
 			JWT: []tenancyv1alpha1.JWTAuthenticator{
-				mockJWTAuthenticator(t, mock, ca, "", ""),
+				authfixtures.MockJWTAuthenticator(t, mock, ca, "", ""),
 			},
 		},
 	}
@@ -354,20 +353,20 @@ func TestForbiddenSystemAccess(t *testing.T) {
 	_, err = kcpClusterClient.Cluster(baseWsPath).TenancyV1alpha1().WorkspaceAuthenticationConfigurations().Create(ctx, authConfig, metav1.CreateOptions{})
 	require.NoError(t, err)
 
-	wsType := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfig.Name)
+	wsType := authfixtures.CreateWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, "with-oidc", authConfig.Name)
 
 	// create a new workspace with our new type
 	t.Log("Creating Workspaces...")
 	teamPath, _ := kcptesting.NewWorkspaceFixture(t, server, baseWsPath, kcptesting.WithName("team-a"), kcptesting.WithType(baseWsPath, tenancyv1alpha1.WorkspaceTypeName(wsType)))
 
 	// give a dummy user access
-	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamPath, []rbacv1.Subject{{
+	authfixtures.GrantWorkspaceAccess(t, ctx, kubeClusterClient, teamPath, "grant-oidc-user", "cluster-admin", []rbacv1.Subject{{
 		Kind: "User",
 		Name: "dummy@example.com",
 	}})
 
 	// wait until the authenticator is ready
-	token := createOIDCToken(t, mock, "dummy", "dummy@example.com", nil)
+	token := authfixtures.CreateOIDCToken(t, mock, "dummy", "dummy@example.com", nil)
 
 	client, err := kcpkubernetesclientset.NewForConfig(framework.ConfigWithToken(token, kcpConfig))
 	require.NoError(t, err)
@@ -406,7 +405,7 @@ func TestForbiddenSystemAccess(t *testing.T) {
 		t.Run(testcase.name, func(t *testing.T) {
 			t.Parallel()
 
-			token := createOIDCToken(t, mock, testcase.username, testcase.email, testcase.groups)
+			token := authfixtures.CreateOIDCToken(t, mock, testcase.username, testcase.email, testcase.groups)
 
 			client, err := kcpkubernetesclientset.NewForConfig(framework.ConfigWithToken(token, kcpConfig))
 			require.NoError(t, err)
@@ -545,69 +544,3 @@ func TestAcceptableWorkspaceAuthenticationConfigurations(t *testing.T) {
 		})
 	}
 }
-
-func createWorkspaceAuthentication(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, mock *mockoidc.MockOIDC, ca *crypto.CA) string {
-	name := fmt.Sprintf("mockoidc-%d", rand.Int())
-
-	// setup a new workspace auth config that uses mockoidc's server
-	authConfig := &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-		},
-		Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
-			JWT: []tenancyv1alpha1.JWTAuthenticator{
-				mockJWTAuthenticator(t, mock, ca, "oidc:", "oidc:"),
-			},
-		},
-	}
-
-	t.Logf("Creating WorkspaceAuthenticationConfguration %s...", name)
-	_, err := client.Cluster(workspace).TenancyV1alpha1().WorkspaceAuthenticationConfigurations().Create(ctx, authConfig, metav1.CreateOptions{})
-	require.NoError(t, err)
-
-	return name
-}
-
-func createWorkspaceType(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, authConfigNames ...string) string {
-	name := fmt.Sprintf("with-oidc-%d", rand.Int())
-
-	configs := []tenancyv1alpha1.AuthenticationConfigurationReference{}
-	for _, name := range authConfigNames {
-		configs = append(configs, tenancyv1alpha1.AuthenticationConfigurationReference{
-			Name: name,
-		})
-	}
-
-	// setup a new workspace auth config that uses mockoidc's server
-	wsType := &tenancyv1alpha1.WorkspaceType{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-		},
-		Spec: tenancyv1alpha1.WorkspaceTypeSpec{
-			AuthenticationConfigurations: configs,
-		},
-	}
-
-	t.Logf("Creating WorkspaceType %s...", name)
-	_, err := client.Cluster(workspace).TenancyV1alpha1().WorkspaceTypes().Create(ctx, wsType, metav1.CreateOptions{})
-	require.NoError(t, err)
-
-	return name
-}
-
-func grantWorkspaceAccess(t *testing.T, ctx context.Context, client kcpkubernetesclientset.ClusterInterface, workspace logicalcluster.Path, subjects []rbacv1.Subject) {
-	crb := &rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "allow-oidc-user",
-		},
-		RoleRef: rbacv1.RoleRef{
-			Kind: "ClusterRole",
-			Name: "cluster-admin",
-		},
-		Subjects: subjects,
-	}
-
-	t.Log("Creating ClusterRoleBinding...")
-	_, err := client.Cluster(workspace).RbacV1().ClusterRoleBindings().Create(ctx, crb, metav1.CreateOptions{})
-	require.NoError(t, err)
-}
diff --git a/test/e2e/fixtures/authfixtures/authfixtures.go b/test/e2e/fixtures/authfixtures/authfixtures.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authfixtures
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
+	"github.com/kcp-dev/logicalcluster/v3"
+
+	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+	kcpclientset "github.com/kcp-dev/kcp/sdk/client/clientset/versioned/cluster"
+)
+
+func CreateWorkspaceType(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, name string, authConfigNames ...string) string {
+	configs := []tenancyv1alpha1.AuthenticationConfigurationReference{}
+	for _, name := range authConfigNames {
+		configs = append(configs, tenancyv1alpha1.AuthenticationConfigurationReference{
+			Name: name,
+		})
+	}
+
+	// setup a new workspace auth config that uses mockoidc's server
+	wsType := &tenancyv1alpha1.WorkspaceType{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: tenancyv1alpha1.WorkspaceTypeSpec{
+			AuthenticationConfigurations: configs,
+		},
+	}
+
+	t.Logf("Creating WorkspaceType %s...", name)
+	_, err := client.Cluster(workspace).TenancyV1alpha1().WorkspaceTypes().Create(ctx, wsType, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	return name
+}
+
+func GrantWorkspaceAccess(t *testing.T, ctx context.Context, client kcpkubernetesclientset.ClusterInterface, workspace logicalcluster.Path, name, clusterRole string, subjects []rbacv1.Subject) {
+	crb := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		RoleRef: rbacv1.RoleRef{
+			Kind: "ClusterRole",
+			Name: clusterRole,
+		},
+		Subjects: subjects,
+	}
+
+	t.Log("Creating ClusterRoleBinding...")
+	_, err := client.Cluster(workspace).RbacV1().ClusterRoleBindings().Create(ctx, crb, metav1.CreateOptions{})
+	require.NoError(t, err)
+}
diff --git a/test/e2e/fixtures/authfixtures/mockoidc.go b/test/e2e/fixtures/authfixtures/mockoidc.go
@@ -14,11 +14,14 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package authentication
+package authfixtures
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
+	"math/rand"
 	"net"
 	"path/filepath"
 	"sync"
@@ -28,15 +31,19 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/xrstf/mockoidc"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/ptr"
 
+	"github.com/kcp-dev/logicalcluster/v3"
+
 	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
+	kcpclientset "github.com/kcp-dev/kcp/sdk/client/clientset/versioned/cluster"
 	kcptestingserver "github.com/kcp-dev/kcp/sdk/testing/server"
 	"github.com/kcp-dev/kcp/sdk/testing/third_party/library-go/crypto"
 )
 
-func startMockOIDC(t *testing.T, server kcptestingserver.RunningServer) (*mockoidc.MockOIDC, *crypto.CA) {
+func StartMockOIDC(t *testing.T, server kcptestingserver.RunningServer) (*mockoidc.MockOIDC, *crypto.CA) {
 	// start a mock OIDC server that will listen on a random port
 	// (only for discovery and keyset handling, no actual login workflows)
 	caDir := server.CADirectory()
@@ -86,7 +93,7 @@ func startMockOIDC(t *testing.T, server kcptestingserver.RunningServer) (*mockoi
 	return m, ca
 }
 
-func mockJWTAuthenticator(t *testing.T, m *mockoidc.MockOIDC, ca *crypto.CA, userPrefix, groupPrefix string) tenancyv1alpha1.JWTAuthenticator {
+func MockJWTAuthenticator(t *testing.T, m *mockoidc.MockOIDC, ca *crypto.CA, userPrefix, groupPrefix string) tenancyv1alpha1.JWTAuthenticator {
 	cfg := m.Config()
 
 	caCert, _, err := ca.Config.GetPEMBytes()
@@ -113,7 +120,7 @@ func mockJWTAuthenticator(t *testing.T, m *mockoidc.MockOIDC, ca *crypto.CA, use
 
 var tokenLock sync.Mutex
 
-func createOIDCToken(t *testing.T, mock *mockoidc.MockOIDC, subject, email string, groups []string) string {
+func CreateOIDCToken(t *testing.T, mock *mockoidc.MockOIDC, subject, email string, groups []string) string {
 	var (
 		cfg                 = mock.Config()
 		now                 = mockoidc.NowFunc()
@@ -159,3 +166,25 @@ func createOIDCToken(t *testing.T, mock *mockoidc.MockOIDC, subject, email strin
 
 	return token
 }
+
+func CreateWorkspaceOIDCAuthentication(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, mock *mockoidc.MockOIDC, ca *crypto.CA) string {
+	name := fmt.Sprintf("mockoidc-%d", rand.Int())
+
+	// setup a new workspace auth config that uses mockoidc's server
+	authConfig := &tenancyv1alpha1.WorkspaceAuthenticationConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: tenancyv1alpha1.WorkspaceAuthenticationConfigurationSpec{
+			JWT: []tenancyv1alpha1.JWTAuthenticator{
+				MockJWTAuthenticator(t, mock, ca, "oidc:", "oidc:"),
+			},
+		},
+	}
+
+	t.Logf("Creating WorkspaceAuthenticationConfguration %s...", name)
+	_, err := client.Cluster(workspace).TenancyV1alpha1().WorkspaceAuthenticationConfigurations().Create(ctx, authConfig, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	return name
+}
