e2e: add SelfSubjectReview test for impersonation scoping

sttts · sttts · commit d9736ba25d69 · 2025-01-16T09:19:26.000+01:00
Signed-off-by: Dr. Stefan Schimanski &lt;stefan.schimanski@gmail.com&gt;
diff --git a/test/e2e/authorizer/impersonate_test.go b/test/e2e/authorizer/impersonate_test.go
@@ -21,14 +21,15 @@ import (
 	"testing"
 	"time"
 
-	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	"github.com/stretchr/testify/require"
 
+	authenticationv1 "k8s.io/api/authentication/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/rest"
 
+	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
 	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
 	kcpclientset "github.com/kcp-dev/kcp/sdk/client/clientset/versioned/cluster"
 	"github.com/kcp-dev/kcp/test/e2e/framework"
@@ -81,3 +82,42 @@ func TestImpersonation(t *testing.T) {
 		return apierrors.IsForbidden(err)
 	}, wait.ForeverTestTimeout, time.Millisecond*100, "user-1 should NOT be able to edit its own workspace status with impersonation")
 }
+
+func TestImpersonateScoping(t *testing.T) {
+	t.Parallel()
+	framework.Suite(t, "control-plane")
+
+	ctx, cancelFn := context.WithCancel(context.Background())
+	t.Cleanup(cancelFn)
+
+	server := framework.SharedKcpServer(t)
+	cfg := server.BaseConfig(t)
+
+	org, ws := framework.NewOrganizationFixture(t, server)
+
+	kubeClusterClient, err := kcpkubernetesclientset.NewForConfig(cfg)
+	require.NoError(t, err)
+
+	t.Log("Make user-1 an admin of the org")
+	framework.AdmitWorkspaceAccess(ctx, t, kubeClusterClient, org, []string{"user-1"}, []string{"cluster-admin"}, true)
+	user1Cfg := framework.StaticTokenUserConfig("user-1", cfg)
+
+	t.Logf("Impersonate user-1 as some group")
+	user1Cfg.Impersonate = rest.ImpersonationConfig{
+		UserName: "user-1",
+		Groups:   []string{"elephant"},
+	}
+	user1Client, err := kcpkubernetesclientset.NewForConfig(user1Cfg)
+	require.NoError(t, err)
+
+	t.Logf("Scoping should be added in SelfSubjectReview")
+	require.Eventually(t, func() bool {
+		r, err := user1Client.AuthenticationV1().SelfSubjectReviews().Cluster(org).Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
+		if err != nil {
+			return false
+		}
+
+		require.Contains(t, r.Status.UserInfo.Extra["authentication.kcp.io/scopes"], "cluster:"+ws.Spec.Cluster, "scoping to cluster:%s should be added in SelfSubjectReview", ws.Spec.Cluster)
+		return true
+	}, wait.ForeverTestTimeout, time.Millisecond*100, "scoping should be added in SelfSubjectReview")
+}
