Add AuthZ conformance e2e test suite (#8150)

* Add authz test suite for addressables * Run ./hack/update-deps.sh --upgrade to get latest reconciler-test changes * Use eventshub.OIDCSubject(sub) * Fix Broker EventPolicy status condition set * Enable NotReady checks again * Fix style issues * Update test/rekt/features/authz/addressable_authz_conformance.go Co-authored-by: Calum Murray <cmurray@redhat.com> * Update test/rekt/features/authz/addressable_authz_conformance.go Co-authored-by: Calum Murray <cmurray@redhat.com> --------- Co-authored-by: Calum Murray <cmurray@redhat.com>
knative · Aug 13, 2024 · 71d5d5f · 71d5d5f
1 parent e41da98
commit 71d5d5f
Showing 4 changed files with 159 additions and 158 deletions.
diff --git a/pkg/reconciler/broker/controller.go b/pkg/reconciler/broker/controller.go
@@ -93,6 +93,7 @@ func NewController(
 		BrokerConditionTriggerChannel,
 		BrokerConditionFilter,
 		BrokerConditionAddressable,
+		eventingv1.BrokerConditionEventPoliciesReady,
 	))
 
 	brokerFilter := pkgreconciler.AnnotationFilterFunc(brokerreconciler.ClassAnnotationKey, eventing.MTChannelBrokerClassValue, false /*allowUnset*/)

diff --git a/test/rekt/broker_test.go b/test/rekt/broker_test.go
@@ -23,6 +23,8 @@ import (
 	"testing"
 	"time"
 
+	"knative.dev/eventing/test/rekt/features/authz"
+
 	"knative.dev/reconciler-test/pkg/feature"
 
 	"knative.dev/pkg/system"
@@ -297,5 +299,8 @@ func TestBrokerSupportsAuthZ(t *testing.T) {
 		eventshub.WithTLS(t),
 	)
 
-	env.TestSet(ctx, t, broker.BrokerSupportsAuthZ())
+	name := feature.MakeRandomK8sName("broker")
+	env.Prerequisite(ctx, t, broker.GoesReady(name, brokerresources.WithEnvConfig()...))
+
+	env.TestSet(ctx, t, authz.AddressableAuthZConformance(brokerresources.GVR(), "Broker", name))
 }
diff --git a/test/rekt/features/authz/addressable_authz_conformance.go b/test/rekt/features/authz/addressable_authz_conformance.go
@@ -0,0 +1,152 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authz
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"knative.dev/eventing/test/rekt/resources/eventpolicy"
+	"knative.dev/eventing/test/rekt/resources/pingsource"
+	"knative.dev/reconciler-test/pkg/environment"
+
+	"knative.dev/eventing/test/rekt/features/featureflags"
+
+	"github.com/cloudevents/sdk-go/v2/test"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/reconciler-test/pkg/eventshub"
+	eventassert "knative.dev/reconciler-test/pkg/eventshub/assert"
+	"knative.dev/reconciler-test/pkg/feature"
+	"knative.dev/reconciler-test/pkg/k8s"
+)
+
+func AddressableAuthZConformance(gvr schema.GroupVersionResource, kind, name string) *feature.FeatureSet {
+	fs := feature.FeatureSet{
+		Name: fmt.Sprintf("%s handles authorization in requests correctly", kind),
+		Features: []*feature.Feature{
+			addressableAllowsAuthorizedRequest(gvr, kind, name),
+			addressableRejectsUnauthorizedRequest(gvr, kind, name),
+			addressableBecomesUnreadyOnUnreadyEventPolicy(gvr, kind, name),
+		},
+	}
+	return &fs
+}
+
+func addressableAllowsAuthorizedRequest(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+	f := feature.NewFeatureNamed(fmt.Sprintf("%s accepts authorized request", kind))
+
+	f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+	source := feature.MakeRandomK8sName("source")
+	eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+	sourceSubject := feature.MakeRandomK8sName("source-oidc-identity")
+
+	event := test.FullEvent()
+
+	// Install event policy
+	f.Setup("Install the EventPolicy", func(ctx context.Context, t feature.T) {
+		namespace := environment.FromContext(ctx).Namespace()
+		eventpolicy.Install(
+			eventPolicy,
+			eventpolicy.WithToRef(
+				gvr.GroupVersion().WithKind(kind),
+				name),
+			eventpolicy.WithFromSubject(fmt.Sprintf("system:serviceaccount:%s:%s", namespace, sourceSubject)),
+		)(ctx, t)
+	})
+	f.Setup(fmt.Sprintf("EventPolicy for %s %s is ready", kind, name), k8s.IsReady(gvr, name))
+
+	// Install source
+	f.Requirement("install source", eventshub.Install(
+		source,
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
+		eventshub.InputEvent(event),
+		eventshub.OIDCSubject(sourceSubject),
+	))
+
+	f.Alpha(kind).
+		Must("event sent", eventassert.OnStore(source).MatchSentEvent(test.HasId(event.ID())).Exact(1)).
+		Must("get 202 on response", eventassert.OnStore(source).Match(eventassert.MatchStatusCode(202)).AtLeast(1))
+
+	return f
+}
+
+func addressableRejectsUnauthorizedRequest(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+	f := feature.NewFeatureNamed(fmt.Sprintf("%s rejects unauthorized request", kind))
+
+	f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+	source := feature.MakeRandomK8sName("source")
+	eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+
+	event := test.FullEvent()
+
+	// Install event policy
+	f.Setup("Install the EventPolicy with from subject that does not match", eventpolicy.Install(
+		eventPolicy,
+		eventpolicy.WithToRef(
+			gvr.GroupVersion().WithKind(kind),
+			name),
+		eventpolicy.WithFromSubject("system:serviceaccount:default:unknown-identity"),
+	))
+	f.Setup(fmt.Sprintf("EventPolicy for %s %s is ready", kind, name), k8s.IsReady(gvr, name))
+
+	// Install source
+	f.Requirement("install source", eventshub.Install(
+		source,
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
+		eventshub.InputEvent(event),
+		eventshub.InitialSenderDelay(10*time.Second),
+	))
+
+	f.Alpha(kind).
+		Must("event sent", eventassert.OnStore(source).MatchSentEvent(test.HasId(event.ID())).Exact(1)).
+		Must("get 403 on response", eventassert.OnStore(source).Match(eventassert.MatchStatusCode(403)).AtLeast(1))
+
+	return f
+}
+
+func addressableBecomesUnreadyOnUnreadyEventPolicy(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+	f := feature.NewFeatureNamed(fmt.Sprintf("%s becomes NotReady when EventPolicy is NotReady", kind))
+
+	f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+	eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+
+	f.Setup(fmt.Sprintf("%s is ready initially", kind), k8s.IsReady(gvr, name))
+
+	// Install event policy
+	f.Requirement("Install the EventPolicy", eventpolicy.Install(
+		eventPolicy,
+		eventpolicy.WithToRef(
+			gvr.GroupVersion().WithKind(kind),
+			name),
+		eventpolicy.WithFromRef(pingsource.Gvr().GroupVersion().WithKind("PingSource"), "doesnt-exist", "doesnt-exist"),
+	))
+	f.Requirement(fmt.Sprintf("EventPolicy for %s %s is NotReady", kind, name), k8s.IsNotReady(gvr, name))
+
+	f.Alpha(kind).Must("become NotReady with NotReady EventPolicy ", k8s.IsNotReady(gvr, name))
+
+	return f
+}
diff --git a/test/rekt/features/broker/authz_feature.go b/test/rekt/features/broker/authz_feature.go