Merge pull request #90 from suzerain-io/easy_demo

Add <20 minutes Pinniped demo

test/integration/client_test.go

@@ -57,7 +57,7 @@ var maskKey = func(s string) string { return strings.ReplaceAll(s, "TESTING KEY"
 func TestClient(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
-	tmcClusterToken := library.GetEnv(t, "PINNIPED_TMC_CLUSTER_TOKEN")
+	token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
@@ -69,7 +69,7 @@ func TestClient(t *testing.T) {
 
 	// Using the CA bundle and host from the current (admin) kubeconfig, do the token exchange.
 	clientConfig := library.NewClientConfig(t)
-	resp, err := client.ExchangeToken(ctx, tmcClusterToken, string(clientConfig.CAData), clientConfig.Host)
+	resp, err := client.ExchangeToken(ctx, token, string(clientConfig.CAData), clientConfig.Host)
 	require.NoError(t, err)
 	require.NotNil(t, resp.Status.ExpirationTimestamp)
 	require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))

test/integration/credentialrequest_test.go

@@ -10,6 +10,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"net/http"
+	"strings"
 	"testing"
 	"time"
 
@@ -28,6 +29,10 @@ import (
 func TestSuccessfulCredentialRequest(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
+	testUsername := library.GetEnv(t, "PINNIPED_TEST_USER_USERNAME")
+	expectedTestUserGroups := strings.Split(
+		strings.ReplaceAll(library.GetEnv(t, "PINNIPED_TEST_USER_GROUPS"), " ", ""), ",",
+	)
 
 	response, err := makeRequest(t, validCredentialRequestSpecWithRealToken(t))
 	require.NoError(t, err)
@@ -39,6 +44,8 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 	require.NotNil(t, response.Status.Credential)
 	require.Empty(t, response.Status.Credential.Token)
 	require.NotEmpty(t, response.Status.Credential.ClientCertificateData)
+	require.Equal(t, testUsername, getCommonName(t, response.Status.Credential.ClientCertificateData))
+	require.ElementsMatch(t, expectedTestUserGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData))
 	require.NotEmpty(t, response.Status.Credential.ClientKeyData)
 	require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
 	require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
@@ -65,7 +72,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 			Subjects: []rbacv1.Subject{{
 				Kind:     rbacv1.UserKind,
 				APIGroup: rbacv1.GroupName,
-				Name:     getCommonName(t, response.Status.Credential.ClientCertificateData),
+				Name:     testUsername,
 			}},
 			RoleRef: rbacv1.RoleRef{
 				Kind:     "ClusterRole",
@@ -85,34 +92,37 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
 		require.NotEmpty(t, listNamespaceResponse.Items)
 	})
 
-	t.Run("access as group", func(t *testing.T) {
-		addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
-			TypeMeta: metav1.TypeMeta{},
-			ObjectMeta: metav1.ObjectMeta{
-				Name: "integration-test-group-readonly-role-binding",
-			},
-			Subjects: []rbacv1.Subject{{
-				Kind:     rbacv1.GroupKind,
-				APIGroup: rbacv1.GroupName,
-				Name:     "tmc:member",
-			}},
-			RoleRef: rbacv1.RoleRef{
-				Kind:     "ClusterRole",
-				APIGroup: rbacv1.GroupName,
-				Name:     "view",
-			},
-		})
+	for _, group := range expectedTestUserGroups {
+		group := group
+		t.Run("access as group "+group, func(t *testing.T) {
+			addTestClusterRoleBinding(ctx, t, adminClient, &rbacv1.ClusterRoleBinding{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "integration-test-group-readonly-role-binding",
+				},
+				Subjects: []rbacv1.Subject{{
+					Kind:     rbacv1.GroupKind,
+					APIGroup: rbacv1.GroupName,
+					Name:     group,
+				}},
+				RoleRef: rbacv1.RoleRef{
+					Kind:     "ClusterRole",
+					APIGroup: rbacv1.GroupName,
+					Name:     "view",
+				},
+			})
 
-		// Use the client which is authenticated as the TMC group to list namespaces
-		var listNamespaceResponse *v1.NamespaceList
-		var canListNamespaces = func() bool {
-			listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
-			return err == nil
-		}
-		assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
-		require.NoError(t, err) // prints out the error and stops the test in case of failure
-		require.NotEmpty(t, listNamespaceResponse.Items)
-	})
+			// Use the client which is authenticated as the TMC group to list namespaces
+			var listNamespaceResponse *v1.NamespaceList
+			var canListNamespaces = func() bool {
+				listNamespaceResponse, err = clientWithCertFromCredentialRequest.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
+				return err == nil
+			}
+			assert.Eventually(t, canListNamespaces, 3*time.Second, 250*time.Millisecond)
+			require.NoError(t, err) // prints out the error and stops the test in case of failure
+			require.NotEmpty(t, listNamespaceResponse.Items)
+		})
+	}
 }
 
 func TestFailedCredentialRequestWhenTheRequestIsValidButTheTokenDoesNotAuthenticateTheUser(t *testing.T) {
@@ -183,11 +193,10 @@ func makeRequest(t *testing.T, spec v1alpha1.CredentialRequestSpec) (*v1alpha1.C
 }
 
 func validCredentialRequestSpecWithRealToken(t *testing.T) v1alpha1.CredentialRequestSpec {
-	tmcClusterToken := library.GetEnv(t, "PINNIPED_TMC_CLUSTER_TOKEN")
-
+	token := library.GetEnv(t, "PINNIPED_TEST_USER_TOKEN")
 	return v1alpha1.CredentialRequestSpec{
 		Type:  v1alpha1.TokenCredentialType,
-		Token: &v1alpha1.CredentialRequestTokenCredential{Value: tmcClusterToken},
+		Token: &v1alpha1.CredentialRequestTokenCredential{Value: token},
 	}
 }
 
@@ -224,3 +233,13 @@ func getCommonName(t *testing.T, certPEM string) string {
 
 	return cert.Subject.CommonName
 }
+
+func getOrganizations(t *testing.T, certPEM string) []string {
+	t.Helper()
+
+	pemBlock, _ := pem.Decode([]byte(certPEM))
+	cert, err := x509.ParseCertificate(pemBlock.Bytes)
+	require.NoError(t, err)
+
+	return cert.Subject.Organization
+}