
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package tokenreview
    16  
    17  import (
    18  	"fmt"
    19  	"testing"
    20  
    21  	authenticationv1 "k8s.io/api/authentication/v1"
    22  
    23  	"istio.io/istio/pkg/security"
    24  	"istio.io/istio/pkg/test/util/assert"
    25  )
    26  
// TestGetTokenReviewResult checks that getTokenReviewResult maps a TokenReview
// status onto the expected security.KubernetesInfo (namespace, service
// account and, when present, pod name/UID), and that every rejected review
// yields the exact error message the caller relies on.
func TestGetTokenReviewResult(t *testing.T) {
	// review wraps a status in a TokenReview so each case reads as just the
	// status that matters.
	review := func(status authenticationv1.TokenReviewStatus) authenticationv1.TokenReview {
		return authenticationv1.TokenReview{Status: status}
	}
	// saGroups returns a fresh copy of the group set a service-account token
	// carries in the accepted cases; a new slice per call keeps cases isolated.
	saGroups := func() []string {
		return []string{
			"system:serviceaccounts",
			"system:serviceaccounts:default",
			"system:authenticated",
		}
	}

	cases := []struct {
		name    string
		in      authenticationv1.TokenReview
		wantErr error
		want    security.KubernetesInfo
	}{
		{
			// An Error in the status is reported before anything else is inspected.
			name: "the service account authentication error",
			in: review(authenticationv1.TokenReviewStatus{
				Error: "authentication error",
			}),
			wantErr: fmt.Errorf("the service account authentication returns an error: authentication error"),
		},
		{
			// Authenticated=false is rejected outright.
			name: "not authenticated",
			in: review(authenticationv1.TokenReviewStatus{
				Authenticated: false,
			}),
			wantErr: fmt.Errorf("the token is not authenticated"),
		},
		{
			// Authenticated, but the group list lacks "system:serviceaccounts".
			name: "token is not a service account",
			in: review(authenticationv1.TokenReviewStatus{
				Authenticated: true,
				User: authenticationv1.UserInfo{
					Groups: []string{
						"system:serviceaccounts:default",
					},
				},
			}),
			wantErr: fmt.Errorf("the token is not a service account"),
		},
		{
			// Username is missing the namespace segment.
			name: "invalid username",
			in: review(authenticationv1.TokenReviewStatus{
				Authenticated: true,
				User: authenticationv1.UserInfo{
					Username: "system:serviceaccount:example-pod-sa",
					Groups:   saGroups(),
				},
			}),
			wantErr: fmt.Errorf("invalid username field in the token review result"),
		},
		{
			// Well-formed service-account token; the UID is not part of the result.
			name: "success",
			in: review(authenticationv1.TokenReviewStatus{
				Authenticated: true,
				User: authenticationv1.UserInfo{
					Username: "system:serviceaccount:default:example-pod-sa",
					UID:      "ff578a9e-65d3-11e8-aad2-42010a8a001d",
					Groups:   saGroups(),
				},
			}),
			want: security.KubernetesInfo{
				PodNamespace:      "default",
				PodServiceAccount: "example-pod-sa",
			},
		},
		{
			// Same as "success" with the pod name/UID extras, which are expected
			// to be surfaced. The leading space in the name is kept as-is so the
			// subtest name does not change.
			name: " pod token",
			in: review(authenticationv1.TokenReviewStatus{
				Authenticated: true,
				User: authenticationv1.UserInfo{
					Username: "system:serviceaccount:default:example-pod-sa",
					UID:      "ff578a9e-65d3-11e8-aad2-42010a8a001d",
					Groups:   saGroups(),
					Extra: map[string]authenticationv1.ExtraValue{
						PodNameKey: []string{"some-pod"},
						PodUIDKey:  []string{"12345"},
					},
				},
			}),
			want: security.KubernetesInfo{
				PodNamespace:      "default",
				PodServiceAccount: "example-pod-sa",
				PodUID:            "12345",
				PodName:           "some-pod",
			},
		},
	}

	for _, tt := range cases {
		t.Run(tt.name, func(t *testing.T) {
			got, err := getTokenReviewResult(&tt.in)
			assert.Equal(t, got, tt.want)
			assert.Equal(t, err, tt.wantErr)
		})
	}
}