e2e: add SubjectRulesReview tests

Signed-off-by: Dr. Stefan Schimanski <[email protected]>
kcp-dev · Jan 25, 2025 · bcfbbd7 · bcfbbd7
1 parent 3694cb6
commit bcfbbd7
Showing 1 changed file with 163 additions and 5 deletions.
diff --git a/test/e2e/authorizer/scopes_test.go b/test/e2e/authorizer/scopes_test.go
@@ -18,15 +18,22 @@ package authorizer
 
 import (
 	"context"
+	"fmt"
+	"sort"
 	"testing"
+	"time"
 
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	"github.com/stretchr/testify/require"
 
 	authorizationv1 "k8s.io/api/authorization/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
-	"k8s.io/kubernetes/pkg/registry/rbac/validation"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/client-go/rest"
+	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
 
 	"github.com/kcp-dev/kcp/test/e2e/framework"
 )
@@ -61,7 +68,7 @@ func TestSubjectAccessReview(t *testing.T) {
 			user:   "user",
 			groups: []string{"system:kcp:admin"},
 			extra: map[string]authorizationv1.ExtraValue{
-				validation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster},
+				rbacregistryvalidation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster},
 			},
 			wantAllowed: true,
 		},
@@ -70,7 +77,7 @@ func TestSubjectAccessReview(t *testing.T) {
 			user:   "user",
 			groups: []string{"system:kcp:admin"},
 			extra: map[string]authorizationv1.ExtraValue{
-				validation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster + ",cluster:another"},
+				rbacregistryvalidation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster + ",cluster:another"},
 			},
 			wantAllowed: true,
 		},
@@ -79,7 +86,7 @@ func TestSubjectAccessReview(t *testing.T) {
 			user:   "user",
 			groups: []string{"system:kcp:admin"},
 			extra: map[string]authorizationv1.ExtraValue{
-				validation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster, "cluster:another"},
+				rbacregistryvalidation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster, "cluster:another"},
 			},
 			wantAllowed: false,
 		},
@@ -88,7 +95,7 @@ func TestSubjectAccessReview(t *testing.T) {
 			user:   "user",
 			groups: []string{"system:kcp:admin"},
 			extra: map[string]authorizationv1.ExtraValue{
-				validation.ScopeExtraKey: {"cluster:root"},
+				rbacregistryvalidation.ScopeExtraKey: {"cluster:root"},
 			},
 			wantAllowed: false,
 		},
@@ -143,3 +150,154 @@ func TestSubjectAccessReview(t *testing.T) {
 		})
 	}
 }
+
+func TestSelfSubjectRulesReview(t *testing.T) {
+	t.Parallel()
+	framework.Suite(t, "control-plane")
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	server := framework.SharedKcpServer(t)
+	cfg := server.BaseConfig(t)
+	wsPath, ws := framework.NewOrganizationFixture(t, server)
+
+	t.Log("User scoped to a another workspace has no access in the beginning")
+	foreignConfig := rest.CopyConfig(cfg)
+	foreignConfig.Impersonate = rest.ImpersonationConfig{
+		UserName: "user",
+		Groups:   []string{user.AllAuthenticated},
+		Extra:    map[string][]string{rbacregistryvalidation.ScopeExtraKey: {"cluster:other"}}}
+	foreignClusterClient, err := kcpkubernetesclientset.NewForConfig(foreignConfig)
+	require.NoError(t, err)
+	req := &authorizationv1.SelfSubjectRulesReview{Spec: authorizationv1.SelfSubjectRulesReviewSpec{Namespace: "default"}}
+	_, err = foreignClusterClient.Cluster(wsPath).AuthorizationV1().SelfSubjectRulesReviews().Create(ctx, req, metav1.CreateOptions{})
+	require.Error(t, err)
+
+	t.Log("Give everybody authenticated access to the workspace")
+	kubeClusterClient, err := kcpkubernetesclientset.NewForConfig(cfg)
+	require.NoError(t, err)
+	_, err = kubeClusterClient.Cluster(wsPath).RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: "sa-access"},
+		Rules:      []rbacv1.PolicyRule{{Verbs: []string{"access"}, NonResourceURLs: []string{"/"}}},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err, "failed to create cluster role")
+	_, err = kubeClusterClient.Cluster(wsPath).RbacV1().ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: "sa-access"},
+		Subjects:   []rbacv1.Subject{{Kind: "Group", APIGroup: "rbac.authorization.k8s.io", Name: "system:authenticated"}},
+		RoleRef:    rbacv1.RoleRef{Kind: "ClusterRole", Name: "sa-access", APIGroup: rbacv1.GroupName},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err, "failed to create cluster role binding")
+
+	t.Log("Wait until the cluster role binding is effective, i.e. the foreign use can access too")
+	require.NoError(t, err)
+	framework.Eventually(t, func() (bool, string) {
+		req := &authorizationv1.SelfSubjectRulesReview{Spec: authorizationv1.SelfSubjectRulesReviewSpec{Namespace: "default"}}
+		_, err := foreignClusterClient.Cluster(wsPath).AuthorizationV1().SelfSubjectRulesReviews().Create(ctx, req, metav1.CreateOptions{})
+		return err == nil, fmt.Sprintf("%v", err)
+	}, wait.ForeverTestTimeout, time.Millisecond*100)
+
+	// These rules will always exist as soon as a user has access
+	authenticatedBaseRules := []authorizationv1.ResourceRule{
+		{Verbs: []string{"create"}, APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"selfsubjectreviews"}},
+		{Verbs: []string{"create"}, APIGroups: []string{"authorization.k8s.io"}, Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"}},
+	}
+
+	type tests struct {
+		name      string
+		user      string
+		groups    []string
+		extra     map[string][]string
+		wantRules []authorizationv1.ResourceRule
+		wantError bool
+	}
+	for _, tt := range []tests{
+		{
+			name: "normal user",
+			user: "user", groups: []string{"system:kcp:admin"},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "in-scope users",
+			user: "user", groups: []string{"system:kcp:admin"}, extra: map[string][]string{rbacregistryvalidation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster}},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "out-of-scoped users",
+			user: "user", groups: []string{"system:kcp:admin"}, extra: map[string][]string{rbacregistryvalidation.ScopeExtraKey: {"cluster:other"}},
+			wantRules: authenticatedBaseRules,
+		},
+		{
+			name: "service account",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "service account with cluster",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"}, extra: map[string][]string{serviceaccount.ClusterNameKey: {ws.Spec.Cluster}},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "admin scoped to other cluster",
+			user: "user", groups: []string{"system:kcp:admin", user.AllAuthenticated}, extra: map[string][]string{rbacregistryvalidation.ScopeExtraKey: {"cluster:other"}},
+			wantRules: authenticatedBaseRules,
+		},
+		{
+			name: "service account with scope to other cluster",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"}, extra: map[string][]string{
+				serviceaccount.ClusterNameKey:        {ws.Spec.Cluster},
+				rbacregistryvalidation.ScopeExtraKey: {"cluster:other"},
+			},
+			wantRules: authenticatedBaseRules,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			// impersonate as user, using the cfg as the base.
+			impersonationConfig := rest.CopyConfig(cfg)
+			impersonationConfig.Impersonate = rest.ImpersonationConfig{
+				UserName: tt.user,
+				Groups:   tt.groups,
+				Extra:    tt.extra,
+			}
+			if impersonationConfig.Impersonate.Extra == nil {
+				impersonationConfig.Impersonate.Extra = map[string][]string{}
+			}
+			impersonatedClient, err := kcpkubernetesclientset.NewForConfig(impersonationConfig)
+			require.NoError(t, err)
+
+			req := &authorizationv1.SelfSubjectRulesReview{
+				Spec: authorizationv1.SelfSubjectRulesReviewSpec{
+					Namespace: "default",
+				},
+			}
+			resp, err := impersonatedClient.Cluster(wsPath).AuthorizationV1().SelfSubjectRulesReviews().Create(ctx, req, metav1.CreateOptions{})
+			if tt.wantError {
+				require.Error(t, err)
+				return
+			} else {
+				require.NoError(t, err)
+			}
+
+			sort.Sort(sortedResourceRules(resp.Status.ResourceRules))
+			sort.Sort(sortedResourceRules(tt.wantRules))
+			require.Equal(t, tt.wantRules, resp.Status.ResourceRules)
+		})
+	}
+}
+
+type sortedResourceRules []authorizationv1.ResourceRule
+
+func (r sortedResourceRules) Len() int           { return len(r) }
+func (r sortedResourceRules) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+func (r sortedResourceRules) Less(i, j int) bool { return r[i].String() < r[j].String() }