app: add unit tests for the authorizer setup

ibihim · ibihim · commit d53adc17a4ad · 2025-05-27T16:48:21.000+02:00
In particular it seems to be useful to verify the order of authorization
as well.
diff --git a/cmd/kube-rbac-proxy/app/setup_authorizer_test.go b/cmd/kube-rbac-proxy/app/setup_authorizer_test.go
@@ -0,0 +1,282 @@
+/*
+Copyright 2025 the kube-rbac-proxy maintainers. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/static"
+	"github.com/brancz/kube-rbac-proxy/pkg/server"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	serverconfig "k8s.io/apiserver/pkg/server"
+)
+
+type mockAuthorizer func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error)
+
+func (m mockAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+	return m(ctx, a)
+}
+
+func TestSetupAuthorizer_AllowPathsWithRewriteAndStaticAuth(t *testing.T) {
+	mockDelegated := mockAuthorizer(
+		func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+			if a.GetUser().GetName() == "system:serviceaccount:default:client-with-rbac" {
+				return authorizer.DecisionAllow, "delegated allow", nil
+			}
+			return authorizer.DecisionNoOpinion, "i don't care", nil
+		},
+	)
+
+	mockErr := mockAuthorizer(
+		func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+			return authorizer.DecisionDeny, "delegated deny", fmt.Errorf("delegated error")
+		},
+	)
+
+	krbInfo := &server.KubeRBACProxyInfo{
+		AllowPaths: []string{"/metrics"},
+		Authorization: &authorization.AuthzConfig{
+			RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{
+				Rewrites: &rewrite.SubjectAccessReviewRewrites{
+					ByHTTPHeader: &rewrite.HTTPHeaderRewriteConfig{
+						Name: "x-namespace",
+					},
+				},
+				ResourceAttributes: &rewrite.ResourceAttributes{
+					Resource:  "namespaces",
+					Namespace: "{{ .Value }}",
+				},
+			},
+			Static: []static.StaticAuthorizationConfig{
+				{
+					User: static.UserConfig{
+						Name: "system:serviceaccount:default:client-with-static",
+					},
+					ResourceRequest: true,
+					Resource:        "namespaces",
+					Namespace:       "kube-system",
+					Verb:            "get",
+				},
+			},
+		},
+	}
+
+	for _, tt := range []struct {
+		name             string
+		user             string
+		verb             string
+		path             string
+		headerValue      string
+		mockAuthz        authorizer.Authorizer
+		expectDecision   authorizer.Decision
+		expectAuthzError bool
+	}{
+		{
+			name:           "non-allow-path should be denied",
+			user:           "system:serviceaccount:default:client-with-static",
+			verb:           "get",
+			path:           "/forbidden",
+			expectDecision: authorizer.DecisionDeny,
+		},
+		{
+			name:           "allow-path with static auth match should be allowed",
+			user:           "system:serviceaccount:default:client-with-static",
+			verb:           "get",
+			path:           "/metrics",
+			headerValue:    "kube-system",
+			expectDecision: authorizer.DecisionAllow,
+		},
+		{
+			name:           "allow-path with no static match but delegated match should be allowed",
+			user:           "system:serviceaccount:default:client-with-rbac",
+			verb:           "get",
+			path:           "/metrics",
+			headerValue:    "default",
+			expectDecision: authorizer.DecisionAllow,
+		},
+		{
+			name:           "allow-path with no static match and no delegated match should be denied",
+			user:           "other-user",
+			verb:           "get",
+			path:           "/metrics",
+			headerValue:    "other-namespace",
+			expectDecision: authorizer.DecisionDeny, // The krp logic is to deny on no-opinion
+		},
+		{
+			name:             "everything looks fine, except that we receive an error from the delegated authz",
+			user:             "system:serviceaccount:default:client-with-rbac",
+			verb:             "get",
+			path:             "/metrics",
+			headerValue:      "default",
+			mockAuthz:        mockErr,
+			expectDecision:   authorizer.DecisionDeny,
+			expectAuthzError: true,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.name == "allow-path with no static match and no delegated match should be denied" {
+				fmt.Println("watch me")
+			}
+
+			if tt.mockAuthz == nil {
+				tt.mockAuthz = mockDelegated
+			}
+
+			authz, err := setupAuthorizer(krbInfo, &serverconfig.AuthorizationInfo{
+				Authorizer: tt.mockAuthz,
+			})
+			if err != nil {
+				t.Fatalf("setupAuthorizer failed: %v", err)
+			}
+
+			req, _ := http.NewRequest("GET", "http://example.com"+tt.path, nil)
+			if tt.headerValue != "" {
+				req.Header.Set("x-namespace", tt.headerValue)
+			}
+
+			params := []string{}
+			if tt.headerValue != "" {
+				params = append(params, tt.headerValue)
+			}
+			ctx := rewrite.WithKubeRBACProxyParams(context.Background(), params)
+
+			attr := authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: tt.user},
+				Verb:            tt.verb,
+				Path:            tt.path,
+				ResourceRequest: false,
+			}
+
+			decision, reason, err := authz.Authorize(ctx, &attr)
+			if err != nil && !tt.expectAuthzError {
+				t.Fatalf("Authorization failed: %v", err)
+			}
+			if err == nil && tt.expectAuthzError {
+				t.Fatalf("Authorization should have failed, but didn't")
+			}
+			if decision != tt.expectDecision {
+				t.Errorf("Expected decision %v, got %v (reason: %s)", tt.expectDecision, decision, reason)
+			}
+		})
+	}
+}
+
+func TestSetupAuthorizer_IgnorePathsWithResourceAttributes(t *testing.T) {
+	mockDelegated := mockAuthorizer(
+		func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+			if a.GetUser().GetName() == "system:serviceaccount:default:client-with-rbac" {
+				return authorizer.DecisionAllow, "delegated allow", nil
+			}
+			return authorizer.DecisionNoOpinion, "i don't care", nil
+		},
+	)
+
+	krbInfo := &server.KubeRBACProxyInfo{
+		IgnorePaths: []string{"/healthz"},
+		Authorization: &authorization.AuthzConfig{
+			RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{
+				ResourceAttributes: &rewrite.ResourceAttributes{
+					Resource:  "namespaces",
+					Namespace: "kube-system",
+				},
+			},
+			Static: []static.StaticAuthorizationConfig{
+				{
+					User: static.UserConfig{
+						Name: "system:serviceaccount:default:client-with-static",
+					},
+					ResourceRequest: true,
+					Resource:        "namespaces",
+					Namespace:       "kube-system",
+					Verb:            "get",
+				},
+			},
+		},
+	}
+
+	delegatedAuthz := &serverconfig.AuthorizationInfo{
+		Authorizer: mockDelegated,
+	}
+
+	authz, err := setupAuthorizer(krbInfo, delegatedAuthz)
+	if err != nil {
+		t.Fatalf("setupAuthorizer failed: %v", err)
+	}
+
+	for _, tt := range []struct {
+		name           string
+		user           user.Info
+		verb           string
+		path           string
+		expectDecision authorizer.Decision
+	}{
+		{
+			name:           "ignore-path should be allowed",
+			user:           &user.DefaultInfo{Name: "any-user"},
+			verb:           "get",
+			path:           "/healthz",
+			expectDecision: authorizer.DecisionAllow,
+		},
+		{
+			name:           "non-ignore-path with static auth match should be allowed",
+			user:           &user.DefaultInfo{Name: "system:serviceaccount:default:client-with-static"},
+			verb:           "get",
+			path:           "/metrics",
+			expectDecision: authorizer.DecisionAllow,
+		},
+		{
+			name:           "non-ignore-path with no static match but delegated match should be allowed",
+			user:           &user.DefaultInfo{Name: "system:serviceaccount:default:client-with-rbac"},
+			verb:           "get",
+			path:           "/metrics",
+			expectDecision: authorizer.DecisionAllow,
+		},
+		{
+			name:           "non-ignore-path with no static and no delegated match should be denied",
+			user:           &user.DefaultInfo{Name: "unknown-user"},
+			verb:           "get",
+			path:           "/metrics",
+			expectDecision: authorizer.DecisionDeny,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := context.Background()
+
+			attr := authorizer.AttributesRecord{
+				User:            tt.user,
+				Verb:            tt.verb,
+				Path:            tt.path,
+				ResourceRequest: false,
+			}
+
+			decision, reason, err := authz.Authorize(ctx, &attr)
+			if err != nil {
+				t.Fatalf("Authorization failed: %v", err)
+			}
+
+			if decision != tt.expectDecision {
+				t.Errorf("Expected decision %v, got %v (reason: %s)", tt.expectDecision, decision, reason)
+			}
+		})
+	}
+}
