mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-13 02:33:34 +00:00
vendor files
This commit is contained in:
Serguei Bezverkhi
52
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/BUILD
generated
vendored
Normal file
52
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/BUILD
generated
vendored
Normal file
@ -0,0 +1,52 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
"go_test",
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["sarapprove_test.go"],
|
||||
importpath = "k8s.io/kubernetes/pkg/controller/certificates/approver",
|
||||
library = ":go_default_library",
|
||||
deps = [
|
||||
"//pkg/apis/certificates/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/api/authorization/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
|
||||
"//vendor/k8s.io/client-go/testing:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["sarapprove.go"],
|
||||
importpath = "k8s.io/kubernetes/pkg/controller/certificates/approver",
|
||||
deps = [
|
||||
"//pkg/apis/certificates/v1beta1:go_default_library",
|
||||
"//pkg/controller/certificates:go_default_library",
|
||||
"//pkg/features:go_default_library",
|
||||
"//vendor/k8s.io/api/authorization/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||
"//vendor/k8s.io/client-go/informers/certificates/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
228
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/sarapprove.go
generated
vendored
Normal file
228
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/sarapprove.go
generated
vendored
Normal file
@ -0,0 +1,228 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Package approver implements an automated approver for kubelet certificates.
|
||||
package approver
|
||||
|
||||
import (
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
authorization "k8s.io/api/authorization/v1beta1"
|
||||
capi "k8s.io/api/certificates/v1beta1"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
k8s_certificates_v1beta1 "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||
"k8s.io/kubernetes/pkg/controller/certificates"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
)
|
||||
|
||||
type csrRecognizer struct {
|
||||
recognize func(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool
|
||||
permission authorization.ResourceAttributes
|
||||
successMessage string
|
||||
}
|
||||
|
||||
type sarApprover struct {
|
||||
client clientset.Interface
|
||||
recognizers []csrRecognizer
|
||||
}
|
||||
|
||||
func NewCSRApprovingController(client clientset.Interface, csrInformer certificatesinformers.CertificateSigningRequestInformer) *certificates.CertificateController {
|
||||
approver := &sarApprover{
|
||||
client: client,
|
||||
recognizers: recognizers(),
|
||||
}
|
||||
return certificates.NewCertificateController(
|
||||
client,
|
||||
csrInformer,
|
||||
approver.handle,
|
||||
)
|
||||
}
|
||||
|
||||
func recognizers() []csrRecognizer {
|
||||
recognizers := []csrRecognizer{
|
||||
{
|
||||
recognize: isSelfNodeClientCert,
|
||||
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "selfnodeclient"},
|
||||
successMessage: "Auto approving self kubelet client certificate after SubjectAccessReview.",
|
||||
},
|
||||
{
|
||||
recognize: isNodeClientCert,
|
||||
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "nodeclient"},
|
||||
successMessage: "Auto approving kubelet client certificate after SubjectAccessReview.",
|
||||
},
|
||||
}
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
|
||||
recognizers = append(recognizers, csrRecognizer{
|
||||
recognize: isSelfNodeServerCert,
|
||||
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "selfnodeserver"},
|
||||
successMessage: "Auto approving self kubelet server certificate after SubjectAccessReview.",
|
||||
})
|
||||
}
|
||||
return recognizers
|
||||
}
|
||||
|
||||
func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
|
||||
if len(csr.Status.Certificate) != 0 {
|
||||
return nil
|
||||
}
|
||||
if approved, denied := certificates.GetCertApprovalCondition(&csr.Status); approved || denied {
|
||||
return nil
|
||||
}
|
||||
x509cr, err := k8s_certificates_v1beta1.ParseCSR(csr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
|
||||
}
|
||||
|
||||
tried := []string{}
|
||||
|
||||
for _, r := range a.recognizers {
|
||||
if !r.recognize(csr, x509cr) {
|
||||
continue
|
||||
}
|
||||
|
||||
tried = append(tried, r.permission.Subresource)
|
||||
|
||||
approved, err := a.authorize(csr, r.permission)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if approved {
|
||||
appendApprovalCondition(csr, r.successMessage)
|
||||
_, err = a.client.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(csr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error updating approval for csr: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
if len(tried) != 0 {
|
||||
return certificates.IgnorableError("recognized csr %q as %v but subject access review was not approved", csr.Name, tried)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *sarApprover) authorize(csr *capi.CertificateSigningRequest, rattrs authorization.ResourceAttributes) (bool, error) {
|
||||
extra := make(map[string]authorization.ExtraValue)
|
||||
for k, v := range csr.Spec.Extra {
|
||||
extra[k] = authorization.ExtraValue(v)
|
||||
}
|
||||
|
||||
sar := &authorization.SubjectAccessReview{
|
||||
Spec: authorization.SubjectAccessReviewSpec{
|
||||
User: csr.Spec.Username,
|
||||
UID: csr.Spec.UID,
|
||||
Groups: csr.Spec.Groups,
|
||||
Extra: extra,
|
||||
ResourceAttributes: &rattrs,
|
||||
},
|
||||
}
|
||||
sar, err := a.client.AuthorizationV1beta1().SubjectAccessReviews().Create(sar)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return sar.Status.Allowed, nil
|
||||
}
|
||||
|
||||
func appendApprovalCondition(csr *capi.CertificateSigningRequest, message string) {
|
||||
csr.Status.Conditions = append(csr.Status.Conditions, capi.CertificateSigningRequestCondition{
|
||||
Type: capi.CertificateApproved,
|
||||
Reason: "AutoApproved",
|
||||
Message: message,
|
||||
})
|
||||
}
|
||||
|
||||
func hasExactUsages(csr *capi.CertificateSigningRequest, usages []capi.KeyUsage) bool {
|
||||
if len(usages) != len(csr.Spec.Usages) {
|
||||
return false
|
||||
}
|
||||
|
||||
usageMap := map[capi.KeyUsage]struct{}{}
|
||||
for _, u := range usages {
|
||||
usageMap[u] = struct{}{}
|
||||
}
|
||||
|
||||
for _, u := range csr.Spec.Usages {
|
||||
if _, ok := usageMap[u]; !ok {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
var kubeletClientUsages = []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageClientAuth,
|
||||
}
|
||||
|
||||
func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
|
||||
if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
|
||||
return false
|
||||
}
|
||||
if (len(x509cr.DNSNames) > 0) || (len(x509cr.EmailAddresses) > 0) || (len(x509cr.IPAddresses) > 0) {
|
||||
return false
|
||||
}
|
||||
if !hasExactUsages(csr, kubeletClientUsages) {
|
||||
return false
|
||||
}
|
||||
if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func isSelfNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
|
||||
if !isNodeClientCert(csr, x509cr) {
|
||||
return false
|
||||
}
|
||||
if csr.Spec.Username != x509cr.Subject.CommonName {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
var kubeletServerUsages = []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageServerAuth,
|
||||
}
|
||||
|
||||
func isSelfNodeServerCert(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
|
||||
if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
|
||||
return false
|
||||
}
|
||||
if len(x509cr.DNSNames) == 0 || len(x509cr.IPAddresses) == 0 {
|
||||
return false
|
||||
}
|
||||
if !hasExactUsages(csr, kubeletServerUsages) {
|
||||
return false
|
||||
}
|
||||
if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
|
||||
return false
|
||||
}
|
||||
if csr.Spec.Username != x509cr.Subject.CommonName {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
370
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/sarapprove_test.go
generated
vendored
Normal file
370
vendor/k8s.io/kubernetes/pkg/controller/certificates/approver/sarapprove_test.go
generated
vendored
Normal file
@ -0,0 +1,370 @@
|
||||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package approver
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"net"
|
||||
"testing"
|
||||
|
||||
authorization "k8s.io/api/authorization/v1beta1"
|
||||
capi "k8s.io/api/certificates/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
testclient "k8s.io/client-go/testing"
|
||||
k8s_certificates_v1beta1 "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
|
||||
)
|
||||
|
||||
func TestHasKubeletUsages(t *testing.T) {
|
||||
cases := []struct {
|
||||
usages []capi.KeyUsage
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
usages: nil,
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []capi.KeyUsage{},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageServerAuth,
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
usages: []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageClientAuth,
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
}
|
||||
for _, c := range cases {
|
||||
if hasExactUsages(&capi.CertificateSigningRequest{
|
||||
Spec: capi.CertificateSigningRequestSpec{
|
||||
Usages: c.usages,
|
||||
},
|
||||
}, kubeletClientUsages) != c.expected {
|
||||
t.Errorf("unexpected result of hasKubeletUsages(%v), expecting: %v", c.usages, c.expected)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandle(t *testing.T) {
|
||||
cases := []struct {
|
||||
message string
|
||||
allowed bool
|
||||
recognized bool
|
||||
err bool
|
||||
verify func(*testing.T, []testclient.Action)
|
||||
}{
|
||||
{
|
||||
recognized: false,
|
||||
allowed: false,
|
||||
verify: func(t *testing.T, as []testclient.Action) {
|
||||
if len(as) != 0 {
|
||||
t.Errorf("expected no client calls but got: %#v", as)
|
||||
}
|
||||
},
|
||||
},
|
||||
{
|
||||
recognized: false,
|
||||
allowed: true,
|
||||
verify: func(t *testing.T, as []testclient.Action) {
|
||||
if len(as) != 0 {
|
||||
t.Errorf("expected no client calls but got: %#v", as)
|
||||
}
|
||||
},
|
||||
},
|
||||
{
|
||||
recognized: true,
|
||||
allowed: false,
|
||||
verify: func(t *testing.T, as []testclient.Action) {
|
||||
if len(as) != 1 {
|
||||
t.Errorf("expected 1 call but got: %#v", as)
|
||||
return
|
||||
}
|
||||
_ = as[0].(testclient.CreateActionImpl)
|
||||
},
|
||||
err: true,
|
||||
},
|
||||
{
|
||||
recognized: true,
|
||||
allowed: true,
|
||||
verify: func(t *testing.T, as []testclient.Action) {
|
||||
if len(as) != 2 {
|
||||
t.Errorf("expected two calls but got: %#v", as)
|
||||
return
|
||||
}
|
||||
_ = as[0].(testclient.CreateActionImpl)
|
||||
a := as[1].(testclient.UpdateActionImpl)
|
||||
if got, expected := a.Verb, "update"; got != expected {
|
||||
t.Errorf("got: %v, expected: %v", got, expected)
|
||||
}
|
||||
if got, expected := a.Resource, (schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}); got != expected {
|
||||
t.Errorf("got: %v, expected: %v", got, expected)
|
||||
}
|
||||
if got, expected := a.Subresource, "approval"; got != expected {
|
||||
t.Errorf("got: %v, expected: %v", got, expected)
|
||||
}
|
||||
csr := a.Object.(*capi.CertificateSigningRequest)
|
||||
if len(csr.Status.Conditions) != 1 {
|
||||
t.Errorf("expected CSR to have approved condition: %#v", csr)
|
||||
}
|
||||
c := csr.Status.Conditions[0]
|
||||
if got, expected := c.Type, capi.CertificateApproved; got != expected {
|
||||
t.Errorf("got: %v, expected: %v", got, expected)
|
||||
}
|
||||
if got, expected := c.Reason, "AutoApproved"; got != expected {
|
||||
t.Errorf("got: %v, expected: %v", got, expected)
|
||||
}
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, c := range cases {
|
||||
t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
|
||||
client := &fake.Clientset{}
|
||||
client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
|
||||
return true, &authorization.SubjectAccessReview{
|
||||
Status: authorization.SubjectAccessReviewStatus{
|
||||
Allowed: c.allowed,
|
||||
},
|
||||
}, nil
|
||||
})
|
||||
approver := sarApprover{
|
||||
client: client,
|
||||
recognizers: []csrRecognizer{
|
||||
{
|
||||
successMessage: "tester",
|
||||
permission: authorization.ResourceAttributes{Group: "foo", Resource: "bar", Subresource: "baz"},
|
||||
recognize: func(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool {
|
||||
return c.recognized
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
csr := makeTestCsr()
|
||||
if err := approver.handle(csr); err != nil && !c.err {
|
||||
t.Errorf("unexpected err: %v", err)
|
||||
}
|
||||
c.verify(t, client.Actions())
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSelfNodeServerCertRecognizer(t *testing.T) {
|
||||
defaultCSR := csrBuilder{
|
||||
cn: "system:node:foo",
|
||||
orgs: []string{"system:nodes"},
|
||||
requestor: "system:node:foo",
|
||||
usages: []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageServerAuth,
|
||||
},
|
||||
dns: []string{"node"},
|
||||
ips: []net.IP{net.ParseIP("192.168.0.1")},
|
||||
}
|
||||
|
||||
testCases := []struct {
|
||||
description string
|
||||
csrBuilder csrBuilder
|
||||
expectedOutcome bool
|
||||
}{
|
||||
{
|
||||
description: "Success - all requirements met",
|
||||
csrBuilder: defaultCSR,
|
||||
expectedOutcome: true,
|
||||
},
|
||||
{
|
||||
description: "No organization",
|
||||
csrBuilder: func(b csrBuilder) csrBuilder {
|
||||
b.orgs = []string{}
|
||||
return b
|
||||
}(defaultCSR),
|
||||
expectedOutcome: false,
|
||||
},
|
||||
{
|
||||
description: "Wrong organization",
|
||||
csrBuilder: func(b csrBuilder) csrBuilder {
|
||||
b.orgs = append(b.orgs, "new-org")
|
||||
return b
|
||||
}(defaultCSR),
|
||||
expectedOutcome: false,
|
||||
},
|
||||
{
|
||||
description: "Wrong usages",
|
||||
csrBuilder: func(b csrBuilder) csrBuilder {
|
||||
b.usages = []capi.KeyUsage{}
|
||||
return b
|
||||
}(defaultCSR),
|
||||
expectedOutcome: false,
|
||||
},
|
||||
{
|
||||
description: "Wrong common name",
|
||||
csrBuilder: func(b csrBuilder) csrBuilder {
|
||||
b.cn = "wrong-common-name"
|
||||
return b
|
||||
}(defaultCSR),
|
||||
expectedOutcome: false,
|
||||
},
|
||||
}
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.description, func(t *testing.T) {
|
||||
csr := makeFancyTestCsr(tc.csrBuilder)
|
||||
x509cr, err := k8s_certificates_v1beta1.ParseCSR(csr)
|
||||
if err != nil {
|
||||
t.Errorf("unexpected err: %v", err)
|
||||
}
|
||||
if isSelfNodeServerCert(csr, x509cr) != tc.expectedOutcome {
|
||||
t.Errorf("expected recognized to be %v", tc.expectedOutcome)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestRecognizers(t *testing.T) {
|
||||
goodCases := []func(b *csrBuilder){
|
||||
func(b *csrBuilder) {
|
||||
},
|
||||
}
|
||||
|
||||
testRecognizer(t, goodCases, isNodeClientCert, true)
|
||||
testRecognizer(t, goodCases, isSelfNodeClientCert, true)
|
||||
|
||||
badCases := []func(b *csrBuilder){
|
||||
func(b *csrBuilder) {
|
||||
b.cn = "mike"
|
||||
},
|
||||
func(b *csrBuilder) {
|
||||
b.orgs = nil
|
||||
},
|
||||
func(b *csrBuilder) {
|
||||
b.orgs = []string{"system:master"}
|
||||
},
|
||||
func(b *csrBuilder) {
|
||||
b.usages = append(b.usages, capi.UsageServerAuth)
|
||||
},
|
||||
}
|
||||
|
||||
testRecognizer(t, badCases, isNodeClientCert, false)
|
||||
testRecognizer(t, badCases, isSelfNodeClientCert, false)
|
||||
|
||||
// cn different then requestor
|
||||
differentCN := []func(b *csrBuilder){
|
||||
func(b *csrBuilder) {
|
||||
b.requestor = "joe"
|
||||
},
|
||||
func(b *csrBuilder) {
|
||||
b.cn = "system:node:bar"
|
||||
},
|
||||
}
|
||||
|
||||
testRecognizer(t, differentCN, isNodeClientCert, true)
|
||||
testRecognizer(t, differentCN, isSelfNodeClientCert, false)
|
||||
}
|
||||
|
||||
func testRecognizer(t *testing.T, cases []func(b *csrBuilder), recognizeFunc func(csr *capi.CertificateSigningRequest, x509cr *x509.CertificateRequest) bool, shouldRecognize bool) {
|
||||
for _, c := range cases {
|
||||
b := csrBuilder{
|
||||
cn: "system:node:foo",
|
||||
orgs: []string{"system:nodes"},
|
||||
requestor: "system:node:foo",
|
||||
usages: []capi.KeyUsage{
|
||||
capi.UsageKeyEncipherment,
|
||||
capi.UsageDigitalSignature,
|
||||
capi.UsageClientAuth,
|
||||
},
|
||||
}
|
||||
c(&b)
|
||||
t.Run(fmt.Sprintf("csr:%#v", b), func(t *testing.T) {
|
||||
csr := makeFancyTestCsr(b)
|
||||
x509cr, err := k8s_certificates_v1beta1.ParseCSR(csr)
|
||||
if err != nil {
|
||||
t.Errorf("unexpected err: %v", err)
|
||||
}
|
||||
if recognizeFunc(csr, x509cr) != shouldRecognize {
|
||||
t.Errorf("expected recognized to be %v", shouldRecognize)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// noncryptographic for faster testing
|
||||
// DO NOT COPY THIS CODE
|
||||
var insecureRand = rand.New(rand.NewSource(0))
|
||||
|
||||
func makeTestCsr() *capi.CertificateSigningRequest {
|
||||
return makeFancyTestCsr(csrBuilder{cn: "test-cert"})
|
||||
}
|
||||
|
||||
type csrBuilder struct {
|
||||
cn string
|
||||
orgs []string
|
||||
requestor string
|
||||
usages []capi.KeyUsage
|
||||
dns []string
|
||||
emails []string
|
||||
ips []net.IP
|
||||
}
|
||||
|
||||
func makeFancyTestCsr(b csrBuilder) *capi.CertificateSigningRequest {
|
||||
pk, err := ecdsa.GenerateKey(elliptic.P224(), insecureRand)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
csrb, err := x509.CreateCertificateRequest(insecureRand, &x509.CertificateRequest{
|
||||
Subject: pkix.Name{
|
||||
CommonName: b.cn,
|
||||
Organization: b.orgs,
|
||||
},
|
||||
DNSNames: b.dns,
|
||||
EmailAddresses: b.emails,
|
||||
IPAddresses: b.ips,
|
||||
}, pk)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return &capi.CertificateSigningRequest{
|
||||
Spec: capi.CertificateSigningRequestSpec{
|
||||
Username: b.requestor,
|
||||
Usages: b.usages,
|
||||
Request: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrb}),
|
||||
},
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user