首頁 探索 說明
登入
tzeneto
/
custom-kube-scheduler
關註 1
讚好 0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: 713db4efe3
分支列表 標籤列表
custom-kube-...
/
kubernetes
/
test
/
integration
/
auth
/
svcaccttoken_test.go

svcaccttoken_test.go 29 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package auth
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"context"
    22. 

  22. 	"crypto/ecdsa"
    23. 

  23. 	"encoding/base64"
    24. 

  24. 	"encoding/json"
    25. 

  25. 	"fmt"
    26. 

  26. 	"io/ioutil"
    27. 

  27. 	"net/http"
    28. 

  28. 	"net/url"
    29. 

  29. 	"reflect"
    30. 

  30. 	"strings"
    31. 

  31. 	"testing"
    32. 

  32. 	"time"
    33. 

  33. 

  34. 	jose "gopkg.in/square/go-jose.v2"
    35. 

  35. 	"gopkg.in/square/go-jose.v2/jwt"
    36. 

  36. 

  37. 	authenticationv1 "k8s.io/api/authentication/v1"
    38. 

  38. 	v1 "k8s.io/api/core/v1"
    39. 

  39. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    40. 

  40. 	"k8s.io/apimachinery/pkg/types"
    41. 

  41. 	"k8s.io/apiserver/pkg/authentication/authenticator"
    42. 

  42. 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
    43. 

  43. 	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
    44. 

  44. 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
    45. 

  45. 	utilfeature "k8s.io/apiserver/pkg/util/feature"
    46. 

  46. 	clientset "k8s.io/client-go/kubernetes"
    47. 

  47. 	v1listers "k8s.io/client-go/listers/core/v1"
    48. 

  48. 	"k8s.io/client-go/rest"
    49. 

  49. 	"k8s.io/client-go/tools/cache"
    50. 

  50. 	"k8s.io/client-go/util/keyutil"
    51. 

  51. 	featuregatetesting "k8s.io/component-base/featuregate/testing"
    52. 

  52. 	"k8s.io/kubernetes/pkg/apis/core"
    53. 

  53. 	serviceaccountgetter "k8s.io/kubernetes/pkg/controller/serviceaccount"
    54. 

  54. 	"k8s.io/kubernetes/pkg/features"
    55. 

  55. 	"k8s.io/kubernetes/pkg/serviceaccount"
    56. 

  56. 	"k8s.io/kubernetes/test/integration/framework"
    57. 

  57. )
    58. 

  58. 

  59. const ecdsaPrivateKey = `-----BEGIN EC PRIVATE KEY-----
    60. 

  60. MHcCAQEEIEZmTmUhuanLjPA2CLquXivuwBDHTt5XYwgIr/kA1LtRoAoGCCqGSM49
    61. 

  61. AwEHoUQDQgAEH6cuzP8XuD5wal6wf9M6xDljTOPLX2i8uIp/C/ASqiIGUeeKQtX0
    62. 

  62. /IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg==
    63. 

  63. -----END EC PRIVATE KEY-----`
    64. 

  64. 

  65. func TestServiceAccountTokenCreate(t *testing.T) {
    66. 

  66. 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequest, true)()
    67. 

  67. 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountIssuerDiscovery, true)()
    68. 

  68. 

  69. 	// Build client config, clientset, and informers
    70. 

  70. 	sk, err := keyutil.ParsePrivateKeyPEM([]byte(ecdsaPrivateKey))
    71. 

  71. 	if err != nil {
    72. 

  72. 		t.Fatalf("err: %v", err)
    73. 

  73. 	}
    74. 

  74. 

  75. 	pk := sk.(*ecdsa.PrivateKey).PublicKey
    76. 

  76. 

  77. 	const iss = "https://foo.bar.example.com"
    78. 

  78. 	aud := authenticator.Audiences{"api"}
    79. 

  79. 

  80. 	maxExpirationSeconds := int64(60 * 60)
    81. 

  81. 	maxExpirationDuration, err := time.ParseDuration(fmt.Sprintf("%ds", maxExpirationSeconds))
    82. 

  82. 	if err != nil {
    83. 

  83. 		t.Fatalf("err: %v", err)
    84. 

  84. 	}
    85. 

  85. 

  86. 	gcs := &clientset.Clientset{}
    87. 

  87. 

  88. 	// Start the server
    89. 

  89. 	masterConfig := framework.NewIntegrationTestMasterConfig()
    90. 

  90. 	masterConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
    91. 

  91. 	masterConfig.GenericConfig.Authentication.APIAudiences = aud
    92. 

  92. 	masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(
    93. 

  93. 		serviceaccount.JWTTokenAuthenticator(
    94. 

  94. 			iss,
    95. 

  95. 			[]interface{}{&pk},
    96. 

  96. 			aud,
    97. 

  97. 			serviceaccount.NewValidator(serviceaccountgetter.NewGetterFromClient(
    98. 

  98. 				gcs,
    99. 

  99. 				v1listers.NewSecretLister(newIndexer(func(namespace, name string) (interface{}, error) {
    100. 

  100. 					return gcs.CoreV1().Secrets(namespace).Get(context.TODO(), name, metav1.GetOptions{})
    101. 

  101. 				})),
    102. 

  102. 				v1listers.NewServiceAccountLister(newIndexer(func(namespace, name string) (interface{}, error) {
    103. 

  103. 					return gcs.CoreV1().ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
    104. 

  104. 				})),
    105. 

  105. 				v1listers.NewPodLister(newIndexer(func(namespace, name string) (interface{}, error) {
    106. 

  106. 					return gcs.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
    107. 

  107. 				})),
    108. 

  108. 			)),
    109. 

  109. 		),
    110. 

  110. 	)
    111. 

  111. 

  112. 	tokenGenerator, err := serviceaccount.JWTTokenGenerator(iss, sk)
    113. 

  113. 	if err != nil {
    114. 

  114. 		t.Fatalf("err: %v", err)
    115. 

  115. 	}
    116. 

  116. 	masterConfig.ExtraConfig.ServiceAccountIssuer = tokenGenerator
    117. 

  117. 	masterConfig.ExtraConfig.ServiceAccountMaxExpiration = maxExpirationDuration
    118. 

  118. 	masterConfig.GenericConfig.Authentication.APIAudiences = aud
    119. 

  119. 

  120. 	masterConfig.ExtraConfig.ServiceAccountIssuerURL = iss
    121. 

  121. 	masterConfig.ExtraConfig.ServiceAccountJWKSURI = ""
    122. 

  122. 	masterConfig.ExtraConfig.ServiceAccountPublicKeys = []interface{}{&pk}
    123. 

  123. 

  124. 	master, _, closeFn := framework.RunAMaster(masterConfig)
    125. 

  125. 	defer closeFn()
    126. 

  126. 

  127. 	cs, err := clientset.NewForConfig(master.GenericAPIServer.LoopbackClientConfig)
    128. 

  128. 	if err != nil {
    129. 

  129. 		t.Fatalf("err: %v", err)
    130. 

  130. 	}
    131. 

  131. 	*gcs = *cs
    132. 

  132. 

  133. 	rc, err := rest.UnversionedRESTClientFor(master.GenericAPIServer.LoopbackClientConfig)
    134. 

  134. 	if err != nil {
    135. 

  135. 		t.Fatal(err)
    136. 

  136. 	}
    137. 

  137. 

  138. 	var (
    139. 

  139. 		sa = &v1.ServiceAccount{
    140. 

  140. 			ObjectMeta: metav1.ObjectMeta{
    141. 

  141. 				Name:      "test-svcacct",
    142. 

  142. 				Namespace: "myns",
    143. 

  143. 			},
    144. 

  144. 		}
    145. 

  145. 		pod = &v1.Pod{
    146. 

  146. 			ObjectMeta: metav1.ObjectMeta{
    147. 

  147. 				Name:      "test-pod",
    148. 

  148. 				Namespace: sa.Namespace,
    149. 

  149. 			},
    150. 

  150. 			Spec: v1.PodSpec{
    151. 

  151. 				ServiceAccountName: sa.Name,
    152. 

  152. 				Containers:         []v1.Container{{Name: "test-container", Image: "nginx"}},
    153. 

  153. 			},
    154. 

  154. 		}
    155. 

  155. 		otherpod = &v1.Pod{
    156. 

  156. 			ObjectMeta: metav1.ObjectMeta{
    157. 

  157. 				Name:      "other-test-pod",
    158. 

  158. 				Namespace: sa.Namespace,
    159. 

  159. 			},
    160. 

  160. 			Spec: v1.PodSpec{
    161. 

  161. 				ServiceAccountName: "other-" + sa.Name,
    162. 

  162. 				Containers:         []v1.Container{{Name: "test-container", Image: "nginx"}},
    163. 

  163. 			},
    164. 

  164. 		}
    165. 

  165. 		secret = &v1.Secret{
    166. 

  166. 			ObjectMeta: metav1.ObjectMeta{
    167. 

  167. 				Name:      "test-secret",
    168. 

  168. 				Namespace: sa.Namespace,
    169. 

  169. 			},
    170. 

  170. 		}
    171. 

  171. 

  172. 		wrongUID = types.UID("wrong")
    173. 

  173. 		noUID    = types.UID("")
    174. 

  174. 	)
    175. 

  175. 

  176. 	t.Run("bound to service account", func(t *testing.T) {
    177. 

  177. 		treq := &authenticationv1.TokenRequest{
    178. 

  178. 			Spec: authenticationv1.TokenRequestSpec{
    179. 

  179. 				Audiences: []string{"api"},
    180. 

  180. 			},
    181. 

  181. 		}
    182. 

  182. 

  183. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    184. 

  184. 			t.Fatalf("expected err creating token for nonexistant svcacct but got: %#v", resp)
    185. 

  185. 		}
    186. 

  186. 		sa, delSvcAcct := createDeleteSvcAcct(t, cs, sa)
    187. 

  187. 		defer delSvcAcct()
    188. 

  188. 

  189. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    190. 

  190. 		if err != nil {
    191. 

  191. 			t.Fatalf("err: %v", err)
    192. 

  192. 		}
    193. 

  193. 

  194. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    195. 

  195. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    196. 

  196. 		checkPayload(t, treq.Status.Token, "null", "kubernetes.io", "pod")
    197. 

  197. 		checkPayload(t, treq.Status.Token, "null", "kubernetes.io", "secret")
    198. 

  198. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    199. 

  199. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    200. 

  200. 

  201. 		info := doTokenReview(t, cs, treq, false)
    202. 

  202. 		if info.Extra != nil {
    203. 

  203. 			t.Fatalf("expected Extra to be nil but got: %#v", info.Extra)
    204. 

  204. 		}
    205. 

  205. 		delSvcAcct()
    206. 

  206. 		doTokenReview(t, cs, treq, true)
    207. 

  207. 	})
    208. 

  208. 

  209. 	t.Run("bound to service account and pod", func(t *testing.T) {
    210. 

  210. 		treq := &authenticationv1.TokenRequest{
    211. 

  211. 			Spec: authenticationv1.TokenRequestSpec{
    212. 

  212. 				Audiences: []string{"api"},
    213. 

  213. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    214. 

  214. 					Kind:       "Pod",
    215. 

  215. 					APIVersion: "v1",
    216. 

  216. 					Name:       pod.Name,
    217. 

  217. 				},
    218. 

  218. 			},
    219. 

  219. 		}
    220. 

  220. 

  221. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    222. 

  222. 			t.Fatalf("expected err creating token for nonexistant svcacct but got: %#v", resp)
    223. 

  223. 		}
    224. 

  224. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    225. 

  225. 		defer del()
    226. 

  226. 

  227. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    228. 

  228. 			t.Fatalf("expected err creating token bound to nonexistant pod but got: %#v", resp)
    229. 

  229. 		}
    230. 

  230. 		pod, delPod := createDeletePod(t, cs, pod)
    231. 

  231. 		defer delPod()
    232. 

  232. 

  233. 		// right uid
    234. 

  234. 		treq.Spec.BoundObjectRef.UID = pod.UID
    235. 

  235. 		if _, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    236. 

  236. 			t.Fatalf("err: %v", err)
    237. 

  237. 		}
    238. 

  238. 		// wrong uid
    239. 

  239. 		treq.Spec.BoundObjectRef.UID = wrongUID
    240. 

  240. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    241. 

  241. 			t.Fatalf("expected err creating token bound to pod with wrong uid but got: %#v", resp)
    242. 

  242. 		}
    243. 

  243. 		// no uid
    244. 

  244. 		treq.Spec.BoundObjectRef.UID = noUID
    245. 

  245. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    246. 

  246. 		if err != nil {
    247. 

  247. 			t.Fatalf("err: %v", err)
    248. 

  248. 		}
    249. 

  249. 

  250. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    251. 

  251. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    252. 

  252. 		checkPayload(t, treq.Status.Token, `"test-pod"`, "kubernetes.io", "pod", "name")
    253. 

  253. 		checkPayload(t, treq.Status.Token, "null", "kubernetes.io", "secret")
    254. 

  254. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    255. 

  255. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    256. 

  256. 

  257. 		info := doTokenReview(t, cs, treq, false)
    258. 

  258. 		if len(info.Extra) != 2 {
    259. 

  259. 			t.Fatalf("expected Extra have length of 2 but was length %d: %#v", len(info.Extra), info.Extra)
    260. 

  260. 		}
    261. 

  261. 		if expected := map[string]authenticationv1.ExtraValue{
    262. 

  262. 			"authentication.kubernetes.io/pod-name": {pod.ObjectMeta.Name},
    263. 

  263. 			"authentication.kubernetes.io/pod-uid":  {string(pod.ObjectMeta.UID)},
    264. 

  264. 		}; !reflect.DeepEqual(info.Extra, expected) {
    265. 

  265. 			t.Fatalf("unexpected Extra:\ngot:\t%#v\nwant:\t%#v", info.Extra, expected)
    266. 

  266. 		}
    267. 

  267. 		delPod()
    268. 

  268. 		doTokenReview(t, cs, treq, true)
    269. 

  269. 	})
    270. 

  270. 

  271. 	t.Run("bound to service account and secret", func(t *testing.T) {
    272. 

  272. 		treq := &authenticationv1.TokenRequest{
    273. 

  273. 			Spec: authenticationv1.TokenRequestSpec{
    274. 

  274. 				Audiences: []string{"api"},
    275. 

  275. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    276. 

  276. 					Kind:       "Secret",
    277. 

  277. 					APIVersion: "v1",
    278. 

  278. 					Name:       secret.Name,
    279. 

  279. 					UID:        secret.UID,
    280. 

  280. 				},
    281. 

  281. 			},
    282. 

  282. 		}
    283. 

  283. 

  284. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    285. 

  285. 			t.Fatalf("expected err creating token for nonexistant svcacct but got: %#v", resp)
    286. 

  286. 		}
    287. 

  287. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    288. 

  288. 		defer del()
    289. 

  289. 

  290. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    291. 

  291. 			t.Fatalf("expected err creating token bound to nonexistant secret but got: %#v", resp)
    292. 

  292. 		}
    293. 

  293. 		secret, delSecret := createDeleteSecret(t, cs, secret)
    294. 

  294. 		defer delSecret()
    295. 

  295. 

  296. 		// right uid
    297. 

  297. 		treq.Spec.BoundObjectRef.UID = secret.UID
    298. 

  298. 		if _, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    299. 

  299. 			t.Fatalf("err: %v", err)
    300. 

  300. 		}
    301. 

  301. 		// wrong uid
    302. 

  302. 		treq.Spec.BoundObjectRef.UID = wrongUID
    303. 

  303. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    304. 

  304. 			t.Fatalf("expected err creating token bound to secret with wrong uid but got: %#v", resp)
    305. 

  305. 		}
    306. 

  306. 		// no uid
    307. 

  307. 		treq.Spec.BoundObjectRef.UID = noUID
    308. 

  308. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    309. 

  309. 		if err != nil {
    310. 

  310. 			t.Fatalf("err: %v", err)
    311. 

  311. 		}
    312. 

  312. 

  313. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    314. 

  314. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    315. 

  315. 		checkPayload(t, treq.Status.Token, `null`, "kubernetes.io", "pod")
    316. 

  316. 		checkPayload(t, treq.Status.Token, `"test-secret"`, "kubernetes.io", "secret", "name")
    317. 

  317. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    318. 

  318. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    319. 

  319. 

  320. 		doTokenReview(t, cs, treq, false)
    321. 

  321. 		delSecret()
    322. 

  322. 		doTokenReview(t, cs, treq, true)
    323. 

  323. 	})
    324. 

  324. 

  325. 	t.Run("bound to service account and pod running as different service account", func(t *testing.T) {
    326. 

  326. 		treq := &authenticationv1.TokenRequest{
    327. 

  327. 			Spec: authenticationv1.TokenRequestSpec{
    328. 

  328. 				Audiences: []string{"api"},
    329. 

  329. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    330. 

  330. 					Kind:       "Pod",
    331. 

  331. 					APIVersion: "v1",
    332. 

  332. 					Name:       otherpod.Name,
    333. 

  333. 				},
    334. 

  334. 			},
    335. 

  335. 		}
    336. 

  336. 

  337. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    338. 

  338. 		defer del()
    339. 

  339. 		_, del = createDeletePod(t, cs, otherpod)
    340. 

  340. 		defer del()
    341. 

  341. 

  342. 		if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err == nil {
    343. 

  343. 			t.Fatalf("expected err but got: %#v", resp)
    344. 

  344. 		}
    345. 

  345. 	})
    346. 

  346. 

  347. 	t.Run("expired token", func(t *testing.T) {
    348. 

  348. 		treq := &authenticationv1.TokenRequest{
    349. 

  349. 			Spec: authenticationv1.TokenRequestSpec{
    350. 

  350. 				Audiences: []string{"api"},
    351. 

  351. 			},
    352. 

  352. 		}
    353. 

  353. 

  354. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    355. 

  355. 		defer del()
    356. 

  356. 

  357. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    358. 

  358. 		if err != nil {
    359. 

  359. 			t.Fatalf("err: %v", err)
    360. 

  360. 		}
    361. 

  361. 

  362. 		doTokenReview(t, cs, treq, false)
    363. 

  363. 

  364. 		// backdate the token
    365. 

  365. 		then := time.Now().Add(-2 * time.Hour)
    366. 

  366. 		sc := &jwt.Claims{
    367. 

  367. 			Subject:   apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
    368. 

  368. 			Audience:  jwt.Audience([]string{"api"}),
    369. 

  369. 			IssuedAt:  jwt.NewNumericDate(then),
    370. 

  370. 			NotBefore: jwt.NewNumericDate(then),
    371. 

  371. 			Expiry:    jwt.NewNumericDate(then.Add(time.Duration(60*60) * time.Second)),
    372. 

  372. 		}
    373. 

  373. 		coresa := core.ServiceAccount{
    374. 

  374. 			ObjectMeta: sa.ObjectMeta,
    375. 

  375. 		}
    376. 

  376. 		_, pc := serviceaccount.Claims(coresa, nil, nil, 0, nil)
    377. 

  377. 		tok, err := masterConfig.ExtraConfig.ServiceAccountIssuer.GenerateToken(sc, pc)
    378. 

  378. 		if err != nil {
    379. 

  379. 			t.Fatalf("err signing expired token: %v", err)
    380. 

  380. 		}
    381. 

  381. 

  382. 		treq.Status.Token = tok
    383. 

  383. 		doTokenReview(t, cs, treq, true)
    384. 

  384. 	})
    385. 

  385. 

  386. 	t.Run("a token without an api audience is invalid", func(t *testing.T) {
    387. 

  387. 		treq := &authenticationv1.TokenRequest{
    388. 

  388. 			Spec: authenticationv1.TokenRequestSpec{
    389. 

  389. 				Audiences: []string{"not-the-api"},
    390. 

  390. 			},
    391. 

  391. 		}
    392. 

  392. 

  393. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    394. 

  394. 		defer del()
    395. 

  395. 

  396. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    397. 

  397. 		if err != nil {
    398. 

  398. 			t.Fatalf("err: %v", err)
    399. 

  399. 		}
    400. 

  400. 

  401. 		doTokenReview(t, cs, treq, true)
    402. 

  402. 	})
    403. 

  403. 

  404. 	t.Run("a tokenrequest without an audience is valid against the api", func(t *testing.T) {
    405. 

  405. 		treq := &authenticationv1.TokenRequest{
    406. 

  406. 			Spec: authenticationv1.TokenRequestSpec{},
    407. 

  407. 		}
    408. 

  408. 

  409. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    410. 

  410. 		defer del()
    411. 

  411. 

  412. 		treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{})
    413. 

  413. 		if err != nil {
    414. 

  414. 			t.Fatalf("err: %v", err)
    415. 

  415. 		}
    416. 

  416. 

  417. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    418. 

  418. 

  419. 		doTokenReview(t, cs, treq, false)
    420. 

  420. 	})
    421. 

  421. 

  422. 	t.Run("a token should be invalid after recreating same name pod", func(t *testing.T) {
    423. 

  423. 		treq := &authenticationv1.TokenRequest{
    424. 

  424. 			Spec: authenticationv1.TokenRequestSpec{
    425. 

  425. 				Audiences: []string{"api"},
    426. 

  426. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    427. 

  427. 					Kind:       "Pod",
    428. 

  428. 					APIVersion: "v1",
    429. 

  429. 					Name:       pod.Name,
    430. 

  430. 				},
    431. 

  431. 			},
    432. 

  432. 		}
    433. 

  433. 

  434. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    435. 

  435. 		defer del()
    436. 

  436. 		originalPod, originalDelPod := createDeletePod(t, cs, pod)
    437. 

  437. 		defer originalDelPod()
    438. 

  438. 

  439. 		treq.Spec.BoundObjectRef.UID = originalPod.UID
    440. 

  440. 		if treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    441. 

  441. 			t.Fatalf("err: %v", err)
    442. 

  442. 		}
    443. 

  443. 

  444. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    445. 

  445. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    446. 

  446. 		checkPayload(t, treq.Status.Token, `"test-pod"`, "kubernetes.io", "pod", "name")
    447. 

  447. 		checkPayload(t, treq.Status.Token, "null", "kubernetes.io", "secret")
    448. 

  448. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    449. 

  449. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    450. 

  450. 

  451. 		doTokenReview(t, cs, treq, false)
    452. 

  452. 		originalDelPod()
    453. 

  453. 		doTokenReview(t, cs, treq, true)
    454. 

  454. 

  455. 		_, recreateDelPod := createDeletePod(t, cs, pod)
    456. 

  456. 		defer recreateDelPod()
    457. 

  457. 

  458. 		doTokenReview(t, cs, treq, true)
    459. 

  459. 	})
    460. 

  460. 

  461. 	t.Run("a token should be invalid after recreating same name secret", func(t *testing.T) {
    462. 

  462. 		treq := &authenticationv1.TokenRequest{
    463. 

  463. 			Spec: authenticationv1.TokenRequestSpec{
    464. 

  464. 				Audiences: []string{"api"},
    465. 

  465. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    466. 

  466. 					Kind:       "Secret",
    467. 

  467. 					APIVersion: "v1",
    468. 

  468. 					Name:       secret.Name,
    469. 

  469. 					UID:        secret.UID,
    470. 

  470. 				},
    471. 

  471. 			},
    472. 

  472. 		}
    473. 

  473. 

  474. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    475. 

  475. 		defer del()
    476. 

  476. 

  477. 		originalSecret, originalDelSecret := createDeleteSecret(t, cs, secret)
    478. 

  478. 		defer originalDelSecret()
    479. 

  479. 

  480. 		treq.Spec.BoundObjectRef.UID = originalSecret.UID
    481. 

  481. 		if treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    482. 

  482. 			t.Fatalf("err: %v", err)
    483. 

  483. 		}
    484. 

  484. 

  485. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    486. 

  486. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    487. 

  487. 		checkPayload(t, treq.Status.Token, `null`, "kubernetes.io", "pod")
    488. 

  488. 		checkPayload(t, treq.Status.Token, `"test-secret"`, "kubernetes.io", "secret", "name")
    489. 

  489. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    490. 

  490. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    491. 

  491. 

  492. 		doTokenReview(t, cs, treq, false)
    493. 

  493. 		originalDelSecret()
    494. 

  494. 		doTokenReview(t, cs, treq, true)
    495. 

  495. 

  496. 		_, recreateDelSecret := createDeleteSecret(t, cs, secret)
    497. 

  497. 		defer recreateDelSecret()
    498. 

  498. 

  499. 		doTokenReview(t, cs, treq, true)
    500. 

  500. 	})
    501. 

  501. 

  502. 	t.Run("a token request within expiration time", func(t *testing.T) {
    503. 

  503. 		normalExpirationTime := maxExpirationSeconds - 10*60
    504. 

  504. 		treq := &authenticationv1.TokenRequest{
    505. 

  505. 			Spec: authenticationv1.TokenRequestSpec{
    506. 

  506. 				Audiences:         []string{"api"},
    507. 

  507. 				ExpirationSeconds: &normalExpirationTime,
    508. 

  508. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    509. 

  509. 					Kind:       "Secret",
    510. 

  510. 					APIVersion: "v1",
    511. 

  511. 					Name:       secret.Name,
    512. 

  512. 					UID:        secret.UID,
    513. 

  513. 				},
    514. 

  514. 			},
    515. 

  515. 		}
    516. 

  516. 

  517. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    518. 

  518. 		defer del()
    519. 

  519. 

  520. 		originalSecret, originalDelSecret := createDeleteSecret(t, cs, secret)
    521. 

  521. 		defer originalDelSecret()
    522. 

  522. 

  523. 		treq.Spec.BoundObjectRef.UID = originalSecret.UID
    524. 

  524. 		if treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    525. 

  525. 			t.Fatalf("err: %v", err)
    526. 

  526. 		}
    527. 

  527. 

  528. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    529. 

  529. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    530. 

  530. 		checkPayload(t, treq.Status.Token, `null`, "kubernetes.io", "pod")
    531. 

  531. 		checkPayload(t, treq.Status.Token, `"test-secret"`, "kubernetes.io", "secret", "name")
    532. 

  532. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    533. 

  533. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    534. 

  534. 		checkExpiration(t, treq, normalExpirationTime)
    535. 

  535. 

  536. 		doTokenReview(t, cs, treq, false)
    537. 

  537. 		originalDelSecret()
    538. 

  538. 		doTokenReview(t, cs, treq, true)
    539. 

  539. 

  540. 		_, recreateDelSecret := createDeleteSecret(t, cs, secret)
    541. 

  541. 		defer recreateDelSecret()
    542. 

  542. 

  543. 		doTokenReview(t, cs, treq, true)
    544. 

  544. 	})
    545. 

  545. 

  546. 	t.Run("a token request with out-of-range expiration", func(t *testing.T) {
    547. 

  547. 		tooLongExpirationTime := maxExpirationSeconds + 10*60
    548. 

  548. 		treq := &authenticationv1.TokenRequest{
    549. 

  549. 			Spec: authenticationv1.TokenRequestSpec{
    550. 

  550. 				Audiences:         []string{"api"},
    551. 

  551. 				ExpirationSeconds: &tooLongExpirationTime,
    552. 

  552. 				BoundObjectRef: &authenticationv1.BoundObjectReference{
    553. 

  553. 					Kind:       "Secret",
    554. 

  554. 					APIVersion: "v1",
    555. 

  555. 					Name:       secret.Name,
    556. 

  556. 					UID:        secret.UID,
    557. 

  557. 				},
    558. 

  558. 			},
    559. 

  559. 		}
    560. 

  560. 

  561. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    562. 

  562. 		defer del()
    563. 

  563. 

  564. 		originalSecret, originalDelSecret := createDeleteSecret(t, cs, secret)
    565. 

  565. 		defer originalDelSecret()
    566. 

  566. 

  567. 		treq.Spec.BoundObjectRef.UID = originalSecret.UID
    568. 

  568. 		if treq, err = cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(context.TODO(), sa.Name, treq, metav1.CreateOptions{}); err != nil {
    569. 

  569. 			t.Fatalf("err: %v", err)
    570. 

  570. 		}
    571. 

  571. 

  572. 		checkPayload(t, treq.Status.Token, `"system:serviceaccount:myns:test-svcacct"`, "sub")
    573. 

  573. 		checkPayload(t, treq.Status.Token, `["api"]`, "aud")
    574. 

  574. 		checkPayload(t, treq.Status.Token, `null`, "kubernetes.io", "pod")
    575. 

  575. 		checkPayload(t, treq.Status.Token, `"test-secret"`, "kubernetes.io", "secret", "name")
    576. 

  576. 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
    577. 

  577. 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
    578. 

  578. 		checkExpiration(t, treq, maxExpirationSeconds)
    579. 

  579. 

  580. 		doTokenReview(t, cs, treq, false)
    581. 

  581. 		originalDelSecret()
    582. 

  582. 		doTokenReview(t, cs, treq, true)
    583. 

  583. 

  584. 		_, recreateDelSecret := createDeleteSecret(t, cs, secret)
    585. 

  585. 		defer recreateDelSecret()
    586. 

  586. 

  587. 		doTokenReview(t, cs, treq, true)
    588. 

  588. 	})
    589. 

  589. 

  590. 	t.Run("a token is valid against the HTTP-provided service account issuer metadata", func(t *testing.T) {
    591. 

  591. 		sa, del := createDeleteSvcAcct(t, cs, sa)
    592. 

  592. 		defer del()
    593. 

  593. 

  594. 		t.Log("get token")
    595. 

  595. 		tokenRequest, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(
    596. 

  596. 			context.TODO(),
    597. 

  597. 			sa.Name,
    598. 

  598. 			&authenticationv1.TokenRequest{
    599. 

  599. 				Spec: authenticationv1.TokenRequestSpec{
    600. 

  600. 					Audiences: []string{"api"},
    601. 

  601. 				},
    602. 

  602. 			}, metav1.CreateOptions{})
    603. 

  603. 		if err != nil {
    604. 

  604. 			t.Fatalf("unexpected error creating token: %v", err)
    605. 

  605. 		}
    606. 

  606. 		token := tokenRequest.Status.Token
    607. 

  607. 		if token == "" {
    608. 

  608. 			t.Fatal("no token")
    609. 

  609. 		}
    610. 

  610. 

  611. 		t.Log("get discovery doc")
    612. 

  612. 		discoveryDoc := struct {
    613. 

  613. 			Issuer string `json:"issuer"`
    614. 

  614. 			JWKS   string `json:"jwks_uri"`
    615. 

  615. 		}{}
    616. 

  616. 

  617. 		// A little convoluted, but the base path is hidden inside the RESTClient.
    618. 

  618. 		// We can't just use the RESTClient, because it throws away the headers
    619. 

  619. 		// before returning a result, and we need to check the headers.
    620. 

  620. 		discoveryURL := rc.Get().AbsPath("/.well-known/openid-configuration").URL().String()
    621. 

  621. 		resp, err := rc.Client.Get(discoveryURL)
    622. 

  622. 		if err != nil {
    623. 

  623. 			t.Fatalf("error getting metadata: %v", err)
    624. 

  624. 		}
    625. 

  625. 		defer resp.Body.Close()
    626. 

  626. 

  627. 		if resp.StatusCode != http.StatusOK {
    628. 

  628. 			t.Errorf("got status: %v, want: %v", resp.StatusCode, http.StatusOK)
    629. 

  629. 		}
    630. 

  630. 		if got, want := resp.Header.Get("Content-Type"), "application/json"; got != want {
    631. 

  631. 			t.Errorf("got Content-Type: %v, want: %v", got, want)
    632. 

  632. 		}
    633. 

  633. 		if got, want := resp.Header.Get("Cache-Control"), "public, max-age=3600"; got != want {
    634. 

  634. 			t.Errorf("got Cache-Control: %v, want: %v", got, want)
    635. 

  635. 		}
    636. 

  636. 

  637. 		b, err := ioutil.ReadAll(resp.Body)
    638. 

  638. 		if err != nil {
    639. 

  639. 			t.Fatal(err)
    640. 

  640. 		}
    641. 

  641. 		md := bytes.NewBuffer(b)
    642. 

  642. 		t.Logf("raw discovery doc response:\n---%s\n---", md.String())
    643. 

  643. 		if md.Len() == 0 {
    644. 

  644. 			t.Fatal("empty response for discovery doc")
    645. 

  645. 		}
    646. 

  646. 

  647. 		if err := json.NewDecoder(md).Decode(&discoveryDoc); err != nil {
    648. 

  648. 			t.Fatalf("could not decode metadata: %v", err)
    649. 

  649. 		}
    650. 

  650. 		if discoveryDoc.Issuer != iss {
    651. 

  651. 			t.Fatalf("invalid issuer in discovery doc: got %s, want %s",
    652. 

  652. 				discoveryDoc.Issuer, iss)
    653. 

  653. 		}
    654. 

  654. 		// Parse the JWKSURI see if the path is what we expect. Since the
    655. 

  655. 		// integration test framework hardcodes 192.168.10.4 as the PublicAddress,
    656. 

  656. 		// which results in the same for ExternalAddress, we expect the JWKS URI
    657. 

  657. 		// to be 192.168.10.4:443, even if that's not necessarily the external
    658. 

  658. 		// IP of the test machine.
    659. 

  659. 		expectJWKSURI := (&url.URL{
    660. 

  660. 			Scheme: "https",
    661. 

  661. 			Host:   "192.168.10.4:443",
    662. 

  662. 			Path:   serviceaccount.JWKSPath,
    663. 

  663. 		}).String()
    664. 

  664. 		if discoveryDoc.JWKS != expectJWKSURI {
    665. 

  665. 			t.Fatalf("unexpected jwks_uri in discovery doc: got %s, want %s",
    666. 

  666. 				discoveryDoc.JWKS, expectJWKSURI)
    667. 

  667. 		}
    668. 

  668. 

  669. 		// Since the test framework hardcodes the host, we combine our client's
    670. 

  670. 		// scheme and host with serviceaccount.JWKSPath. We know that this is what was
    671. 

  671. 		// in the discovery doc because we checked that it matched above.
    672. 

  672. 		jwksURI := rc.Get().AbsPath(serviceaccount.JWKSPath).URL().String()
    673. 

  673. 		t.Log("get jwks from", jwksURI)
    674. 

  674. 		resp, err = rc.Client.Get(jwksURI)
    675. 

  675. 		if err != nil {
    676. 

  676. 			t.Fatalf("error getting jwks: %v", err)
    677. 

  677. 		}
    678. 

  678. 		defer resp.Body.Close()
    679. 

  679. 

  680. 		if resp.StatusCode != http.StatusOK {
    681. 

  681. 			t.Errorf("got status: %v, want: %v", resp.StatusCode, http.StatusOK)
    682. 

  682. 		}
    683. 

  683. 		if got, want := resp.Header.Get("Content-Type"), "application/jwk-set+json"; got != want {
    684. 

  684. 			t.Errorf("got Content-Type: %v, want: %v", got, want)
    685. 

  685. 		}
    686. 

  686. 		if got, want := resp.Header.Get("Cache-Control"), "public, max-age=3600"; got != want {
    687. 

  687. 			t.Errorf("got Cache-Control: %v, want: %v", got, want)
    688. 

  688. 		}
    689. 

  689. 

  690. 		b, err = ioutil.ReadAll(resp.Body)
    691. 

  691. 		if err != nil {
    692. 

  692. 			t.Fatal(err)
    693. 

  693. 		}
    694. 

  694. 		ks := bytes.NewBuffer(b)
    695. 

  695. 		if ks.Len() == 0 {
    696. 

  696. 			t.Fatal("empty jwks")
    697. 

  697. 		}
    698. 

  698. 		t.Logf("raw JWKS: \n---\n%s\n---", ks.String())
    699. 

  699. 

  700. 		jwks := jose.JSONWebKeySet{}
    701. 

  701. 		if err := json.NewDecoder(ks).Decode(&jwks); err != nil {
    702. 

  702. 			t.Fatalf("could not decode JWKS: %v", err)
    703. 

  703. 		}
    704. 

  704. 		if len(jwks.Keys) != 1 {
    705. 

  705. 			t.Fatalf("len(jwks.Keys) = %d, want 1", len(jwks.Keys))
    706. 

  706. 		}
    707. 

  707. 		key := jwks.Keys[0]
    708. 

  708. 		tok, err := jwt.ParseSigned(token)
    709. 

  709. 		if err != nil {
    710. 

  710. 			t.Fatalf("could not parse token %q: %v", token, err)
    711. 

  711. 		}
    712. 

  712. 		var claims jwt.Claims
    713. 

  713. 		if err := tok.Claims(key, &claims); err != nil {
    714. 

  714. 			t.Fatalf("could not validate claims on token: %v", err)
    715. 

  715. 		}
    716. 

  716. 		if err := claims.Validate(jwt.Expected{Issuer: discoveryDoc.Issuer}); err != nil {
    717. 

  717. 			t.Fatalf("invalid claims: %v", err)
    718. 

  718. 		}
    719. 

  719. 	})
    720. 

  720. }
    721. 

  721. 

  722. func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.TokenRequest, expectErr bool) authenticationv1.UserInfo {
    723. 

  723. 	t.Helper()
    724. 

  724. 	trev, err := cs.AuthenticationV1().TokenReviews().Create(context.TODO(), &authenticationv1.TokenReview{
    725. 

  725. 		Spec: authenticationv1.TokenReviewSpec{
    726. 

  726. 			Token: treq.Status.Token,
    727. 

  727. 		},
    728. 

  728. 	}, metav1.CreateOptions{})
    729. 

  729. 	if err != nil {
    730. 

  730. 		t.Fatalf("err: %v", err)
    731. 

  731. 	}
    732. 

  732. 	t.Logf("status: %+v", trev.Status)
    733. 

  733. 	if (trev.Status.Error != "") && !expectErr {
    734. 

  734. 		t.Fatalf("expected no error but got: %v", trev.Status.Error)
    735. 

  735. 	}
    736. 

  736. 	if (trev.Status.Error == "") && expectErr {
    737. 

  737. 		t.Fatalf("expected error but got: %+v", trev.Status)
    738. 

  738. 	}
    739. 

  739. 	if !trev.Status.Authenticated && !expectErr {
    740. 

  740. 		t.Fatal("expected token to be authenticated but it wasn't")
    741. 

  741. 	}
    742. 

  742. 	return trev.Status.User
    743. 

  743. }
    744. 

  744. 

  745. func checkPayload(t *testing.T, tok string, want string, parts ...string) {
    746. 

  746. 	t.Helper()
    747. 

  747. 	got := getSubObject(t, getPayload(t, tok), parts...)
    748. 

  748. 	if got != want {
    749. 

  749. 		t.Errorf("unexpected payload.\nsaw:\t%v\nwant:\t%v", got, want)
    750. 

  750. 	}
    751. 

  751. }
    752. 

  752. 

  753. func checkExpiration(t *testing.T, treq *authenticationv1.TokenRequest, expectedExpiration int64) {
    754. 

  754. 	t.Helper()
    755. 

  755. 	if treq.Spec.ExpirationSeconds == nil {
    756. 

  756. 		t.Errorf("unexpected nil expiration seconds.")
    757. 

  757. 	}
    758. 

  758. 	if *treq.Spec.ExpirationSeconds != expectedExpiration {
    759. 

  759. 		t.Errorf("unexpected expiration seconds.\nsaw:\t%d\nwant:\t%d", treq.Spec.ExpirationSeconds, expectedExpiration)
    760. 

  760. 	}
    761. 

  761. }
    762. 

  762. 

  763. func getSubObject(t *testing.T, b string, parts ...string) string {
    764. 

  764. 	t.Helper()
    765. 

  765. 	var obj interface{}
    766. 

  766. 	obj = make(map[string]interface{})
    767. 

  767. 	if err := json.Unmarshal([]byte(b), &obj); err != nil {
    768. 

  768. 		t.Fatalf("err: %v", err)
    769. 

  769. 	}
    770. 

  770. 	for _, part := range parts {
    771. 

  771. 		obj = obj.(map[string]interface{})[part]
    772. 

  772. 	}
    773. 

  773. 	out, err := json.Marshal(obj)
    774. 

  774. 	if err != nil {
    775. 

  775. 		t.Fatalf("err: %v", err)
    776. 

  776. 	}
    777. 

  777. 	return string(out)
    778. 

  778. }
    779. 

  779. 

  780. func getPayload(t *testing.T, b string) string {
    781. 

  781. 	t.Helper()
    782. 

  782. 	parts := strings.Split(b, ".")
    783. 

  783. 	if len(parts) != 3 {
    784. 

  784. 		t.Fatalf("token did not have three parts: %v", b)
    785. 

  785. 	}
    786. 

  786. 	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
    787. 

  787. 	if err != nil {
    788. 

  788. 		t.Fatalf("failed to base64 decode token: %v", err)
    789. 

  789. 	}
    790. 

  790. 	return string(payload)
    791. 

  791. }
    792. 

  792. 

  793. func createDeleteSvcAcct(t *testing.T, cs clientset.Interface, sa *v1.ServiceAccount) (*v1.ServiceAccount, func()) {
    794. 

  794. 	t.Helper()
    795. 

  795. 	sa, err := cs.CoreV1().ServiceAccounts(sa.Namespace).Create(context.TODO(), sa, metav1.CreateOptions{})
    796. 

  796. 	if err != nil {
    797. 

  797. 		t.Fatalf("err: %v", err)
    798. 

  798. 	}
    799. 

  799. 	done := false
    800. 

  800. 	return sa, func() {
    801. 

  801. 		t.Helper()
    802. 

  802. 		if done {
    803. 

  803. 			return
    804. 

  804. 		}
    805. 

  805. 		done = true
    806. 

  806. 		if err := cs.CoreV1().ServiceAccounts(sa.Namespace).Delete(context.TODO(), sa.Name, nil); err != nil {
    807. 

  807. 			t.Fatalf("err: %v", err)
    808. 

  808. 		}
    809. 

  809. 	}
    810. 

  810. }
    811. 

  811. 

  812. func createDeletePod(t *testing.T, cs clientset.Interface, pod *v1.Pod) (*v1.Pod, func()) {
    813. 

  813. 	t.Helper()
    814. 

  814. 	pod, err := cs.CoreV1().Pods(pod.Namespace).Create(context.TODO(), pod, metav1.CreateOptions{})
    815. 

  815. 	if err != nil {
    816. 

  816. 		t.Fatalf("err: %v", err)
    817. 

  817. 	}
    818. 

  818. 	done := false
    819. 

  819. 	return pod, func() {
    820. 

  820. 		t.Helper()
    821. 

  821. 		if done {
    822. 

  822. 			return
    823. 

  823. 		}
    824. 

  824. 		done = true
    825. 

  825. 		if err := cs.CoreV1().Pods(pod.Namespace).Delete(context.TODO(), pod.Name, nil); err != nil {
    826. 

  826. 			t.Fatalf("err: %v", err)
    827. 

  827. 		}
    828. 

  828. 	}
    829. 

  829. }
    830. 

  830. 

  831. func createDeleteSecret(t *testing.T, cs clientset.Interface, sec *v1.Secret) (*v1.Secret, func()) {
    832. 

  832. 	t.Helper()
    833. 

  833. 	sec, err := cs.CoreV1().Secrets(sec.Namespace).Create(context.TODO(), sec, metav1.CreateOptions{})
    834. 

  834. 	if err != nil {
    835. 

  835. 		t.Fatalf("err: %v", err)
    836. 

  836. 	}
    837. 

  837. 	done := false
    838. 

  838. 	return sec, func() {
    839. 

  839. 		t.Helper()
    840. 

  840. 		if done {
    841. 

  841. 			return
    842. 

  842. 		}
    843. 

  843. 		done = true
    844. 

  844. 		if err := cs.CoreV1().Secrets(sec.Namespace).Delete(context.TODO(), sec.Name, nil); err != nil {
    845. 

  845. 			t.Fatalf("err: %v", err)
    846. 

  846. 		}
    847. 

  847. 	}
    848. 

  848. }
    849. 

  849. 

  850. func newIndexer(get func(namespace, name string) (interface{}, error)) cache.Indexer {
    851. 

  851. 	return &fakeIndexer{get: get}
    852. 

  852. }
    853. 

  853. 

  854. type fakeIndexer struct {
    855. 

  855. 	cache.Indexer
    856. 

  856. 	get func(namespace, name string) (interface{}, error)
    857. 

  857. }
    858. 

  858. 

  859. func (f *fakeIndexer) GetByKey(key string) (interface{}, bool, error) {
    860. 

  860. 	parts := strings.SplitN(key, "/", 2)
    861. 

  861. 	namespace := parts[0]
    862. 

  862. 	name := ""
    863. 

  863. 	if len(parts) == 2 {
    864. 

  864. 		name = parts[1]
    865. 

  865. 	}
    866. 

  866. 	obj, err := f.get(namespace, name)
    867. 

  867. 	return obj, err == nil, err
    868. 

  868. }
    869. 

  869.