scope authn infos to the given logicalcluster, add test to ensure it works

On-behalf-of: @SAP [email protected]

Author: xrstf

pkg/authentication/workspace.go renamed to pkg/authentication/authenticators.go

@@ -17,9 +17,13 @@ limitations under the License.
 package authentication
 
 import (
+	"fmt"
 	"net/http"
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/user"
+
+	"github.com/kcp-dev/kcp/pkg/proxy/lookup"
 )
 
 type workspaceAuthenticator struct{}
@@ -36,3 +40,37 @@ func (a *workspaceAuthenticator) AuthenticateRequest(req *http.Request) (*authen
 
 	return reqAuthenticator.AuthenticateRequest(req)
 }
+
+type clusterScoper struct {
+	delegate authenticator.Request
+}
+
+func withClusterScope(delegate authenticator.Request) authenticator.Request {
+	return &clusterScoper{
+		delegate: delegate,
+	}
+}
+
+func (a *clusterScoper) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	response, authenticated, ok := a.delegate.AuthenticateRequest(req)
+	if authenticated {
+		cluster := lookup.ClusterNameFrom(req.Context())
+
+		extra := response.User.GetExtra()
+		if extra == nil {
+			extra = map[string][]string{}
+		}
+		if true {
+			extra["authentication.kcp.io/scopes"] = append(extra["authentication.kcp.io/scopes"], fmt.Sprintf("cluster:%s", cluster))
+		}
+
+		response.User = &user.DefaultInfo{
+			Name:   response.User.GetName(),
+			UID:    response.User.GetUID(),
+			Groups: response.User.GetGroups(),
+			Extra:  extra,
+		}
+	}
+
+	return response, authenticated, ok
+}

pkg/authentication/filters.go

@@ -43,6 +43,9 @@ func WithWorkspaceAuthResolver(handler http.Handler, authIndex AuthenticatorInde
 			return
 		}
 
+		// make the authenticator always add the target cluster to the user scopes
+		authn = withClusterScope(authn)
+
 		req = req.WithContext(WithWorkspaceAuthenticator(req.Context(), authn))
 		handler.ServeHTTP(w, req)
 	})

pkg/server/localproxy.go

@@ -199,6 +199,7 @@ func WithLocalProxy(
 			cluster.Name = clusterName
 		}
 		ctx = request.WithCluster(ctx, cluster)
+		ctx = lookup.WithClusterName(ctx, cluster.Name)
 		ctx = lookup.WithWorkspaceType(ctx, r.Type)
 
 		handler.ServeHTTP(w, req.WithContext(ctx))

test/e2e/authentication/workspace_test.go

@@ -26,6 +26,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/xrstf/mockoidc"
 
+	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -239,6 +240,72 @@ func TestWorkspaceOIDC(t *testing.T) {
 	}
 }
 
+func TestUserScope(t *testing.T) {
+	framework.Suite(t, "control-plane")
+
+	ctx := context.Background()
+
+	// start kcp and setup clients
+	server := kcptesting.SharedKcpServer(t)
+
+	baseWsPath, _ := kcptesting.NewWorkspaceFixture(t, server, logicalcluster.NewPath("root"), kcptesting.WithNamePrefix("oidc-scope"))
+
+	kcpConfig := server.BaseConfig(t)
+	kubeClusterClient, err := kcpkubernetesclientset.NewForConfig(kcpConfig)
+	require.NoError(t, err)
+	kcpClusterClient, err := kcpclientset.NewForConfig(kcpConfig)
+	require.NoError(t, err)
+
+	mock, ca := startMockOIDC(t, server)
+	authConfig := createWorkspaceAuthentication(t, ctx, kcpClusterClient, baseWsPath, mock, ca)
+	wsType := createWorkspaceType(t, ctx, kcpClusterClient, baseWsPath, authConfig)
+
+	// create a new workspace with our new type
+	t.Log("Creating Workspaces...")
+	teamPath, teamWs := kcptesting.NewWorkspaceFixture(t, server, baseWsPath, kcptesting.WithName("team-a"), kcptesting.WithType(baseWsPath, tenancyv1alpha1.WorkspaceTypeName(wsType)))
+
+	var (
+		userName       = "peter"
+		userEmail      = "[email protected]"
+		userGroups     = []string{"developers", "admins"}
+		expectedGroups = []string{}
+	)
+
+	for _, group := range userGroups {
+		expectedGroups = append(expectedGroups, "oidc:"+group)
+	}
+
+	grantWorkspaceAccess(t, ctx, kubeClusterClient, teamPath, []rbacv1.Subject{{
+		Kind: "User",
+		Name: "oidc:" + userEmail,
+	}})
+
+	token := createOIDCToken(t, mock, userName, userEmail, userGroups)
+
+	peterClient, err := kcpkubernetesclientset.NewForConfig(framework.ConfigWithToken(token, kcpConfig))
+	require.NoError(t, err)
+
+	t.Logf("Creating SelfSubjectAccessReview in %s", teamPath)
+
+	var review *authenticationv1.SelfSubjectReview
+	require.Eventually(t, func() bool {
+		request := &authenticationv1.SelfSubjectReview{}
+
+		var err error
+		review, err = peterClient.Cluster(teamPath).AuthenticationV1().SelfSubjectReviews().Create(ctx, request, metav1.CreateOptions{})
+		if err != nil {
+			t.Log(err)
+		}
+
+		return err == nil
+	}, wait.ForeverTestTimeout, 500*time.Millisecond)
+
+	user := review.Status.UserInfo
+	require.Equal(t, "oidc:"+userEmail, user.Username)
+	require.Subset(t, user.Groups, expectedGroups)
+	require.Equal(t, user.Extra["authentication.kcp.io/scopes"], authenticationv1.ExtraValue{"cluster:" + teamWs.Spec.Cluster})
+}
+
 func createWorkspaceAuthentication(t *testing.T, ctx context.Context, client kcpclientset.ClusterInterface, workspace logicalcluster.Path, mock *mockoidc.MockOIDC, ca *crypto.CA) string {
 	name := fmt.Sprintf("mockoidc-%d", rand.Int())