Add AuthZ conformance e2e test suite

go.mod

@@ -46,7 +46,7 @@ require (
  knative.dev/hack v0.0.0-20240808014239-452e340cbb4b
  knative.dev/hack/schema v0.0.0-20240808014239-452e340cbb4b
  knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65
- knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190
+ knative.dev/reconciler-test v0.0.0-20240812164907-fc8ca94e4442
  sigs.k8s.io/yaml v1.4.0
 )
 

go.sum

@@ -845,8 +845,8 @@ knative.dev/hack/schema v0.0.0-20240808014239-452e340cbb4b h1:EtBwaPxjW9Cc6PAoD4
 knative.dev/hack/schema v0.0.0-20240808014239-452e340cbb4b/go.mod h1:jRH/sx6mwwuMVhvJgnzSaoYA1N4qaIkJa+zxEGtVA5I=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65 h1:9r795uNPp2f/dIUzHlJW4Prz3U+8+1ZpW4z6EBUxpwc=
 knative.dev/pkg v0.0.0-20240812053209-cd3311cbab65/go.mod h1:2kizutszzGp+EcVXivdigNd6dUM7O77QaLUTZeKaN5s=
-knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190 h1:/wTrKcivj6TDqkADt2pQXNdtCsUH68sUKEmvYYHoZMc=
-knative.dev/reconciler-test v0.0.0-20240808014154-0ff820e7a190/go.mod h1:c7sotScqKgjO5QibmIG77za1uJbnFWrFsVHLhu6kJGA=
+knative.dev/reconciler-test v0.0.0-20240812164907-fc8ca94e4442 h1:vH1Z0GoAW36fp4fuunytLfeRtzqrFNipsXg/mIXMNAU=
+knative.dev/reconciler-test v0.0.0-20240812164907-fc8ca94e4442/go.mod h1:c7sotScqKgjO5QibmIG77za1uJbnFWrFsVHLhu6kJGA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

pkg/reconciler/broker/controller.go

@@ -93,6 +93,7 @@ func NewController(
  BrokerConditionTriggerChannel,
  BrokerConditionFilter,
  BrokerConditionAddressable,
+ eventingv1.BrokerConditionEventPoliciesReady,
  ))
 
  brokerFilter := pkgreconciler.AnnotationFilterFunc(brokerreconciler.ClassAnnotationKey, eventing.MTChannelBrokerClassValue, false /*allowUnset*/)

test/rekt/broker_test.go

@@ -23,6 +23,8 @@ import (
  "testing"
  "time"
 
+ "knative.dev/eventing/test/rekt/features/authz"
+
  "knative.dev/reconciler-test/pkg/feature"
 
  "knative.dev/pkg/system"
@@ -297,5 +299,8 @@ func TestBrokerSupportsAuthZ(t *testing.T) {
  eventshub.WithTLS(t),
  )
 
- env.TestSet(ctx, t, broker.BrokerSupportsAuthZ())
+ name := feature.MakeRandomK8sName("broker")
+ env.Prerequisite(ctx, t, broker.GoesReady(name, brokerresources.WithEnvConfig()...))
+
+ env.TestSet(ctx, t, authz.AddressableAuthZConformance(brokerresources.GVR(), "Broker", name))
 }

test/rekt/features/authz/addressable_authz_conformance.go

@@ -0,0 +1,152 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authz
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ "knative.dev/eventing/test/rekt/resources/eventpolicy"
+ "knative.dev/eventing/test/rekt/resources/pingsource"
+ "knative.dev/reconciler-test/pkg/environment"
+
+ "knative.dev/eventing/test/rekt/features/featureflags"
+
+ "github.com/cloudevents/sdk-go/v2/test"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "knative.dev/reconciler-test/pkg/eventshub"
+ eventassert "knative.dev/reconciler-test/pkg/eventshub/assert"
+ "knative.dev/reconciler-test/pkg/feature"
+ "knative.dev/reconciler-test/pkg/k8s"
+)
+
+func AddressableAuthZConformance(gvr schema.GroupVersionResource, kind, name string) *feature.FeatureSet {
+ fs := feature.FeatureSet{
+ Name: fmt.Sprintf("%s handles authorization in requests correctly", kind),
+ Features: []*feature.Feature{
+ addressableAllowsAuthorizedRequest(gvr, kind, name),
+ addressableRejectsUnauthorizedRequest(gvr, kind, name),
+ addressableBecomesUnreadyOnUnreadyEventPolicy(gvr, kind, name),
+ },
+ }
+ return &fs
+}
+
+func addressableAllowsAuthorizedRequest(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+ f := feature.NewFeatureNamed(fmt.Sprintf("%s accepts authorized request", kind))
+
+ f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+ f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+ f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+ source := feature.MakeRandomK8sName("source")
+ eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+ sourceSubject := feature.MakeRandomK8sName("source-oidc-identity")
+
+ event := test.FullEvent()
+
+ // Install event policy
+ f.Setup("Install the EventPolicy", func(ctx context.Context, t feature.T) {
+ namespace := environment.FromContext(ctx).Namespace()
+ eventpolicy.Install(
+ eventPolicy,
+ eventpolicy.WithToRef(
+ gvr.GroupVersion().WithKind(kind),
+ name),
+ eventpolicy.WithFromSubject(fmt.Sprintf("system:serviceaccount:%s:%s", namespace, sourceSubject)),
+ )(ctx, t)
+ })
+ f.Setup(fmt.Sprintf("EventPolicy for %s %s is ready", kind, name), k8s.IsReady(gvr, name))
+
+ // Install source
+ f.Requirement("install source", eventshub.Install(
+ source,
+ eventshub.StartSenderToResourceTLS(gvr, name, nil),
+ eventshub.InputEvent(event),
+ eventshub.OIDCSubject(sourceSubject),
+ ))
+
+ f.Alpha(kind).
+ Must("event sent", eventassert.OnStore(source).MatchSentEvent(test.HasId(event.ID())).Exact(1)).
+ Must("get 202 on response", eventassert.OnStore(source).Match(eventassert.MatchStatusCode(202)).AtLeast(1))
+
+ return f
+}
+
+func addressableRejectsUnauthorizedRequest(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+ f := feature.NewFeatureNamed(fmt.Sprintf("%s rejects unauthorized request", kind))
+
+ f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+ f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+ f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+ source := feature.MakeRandomK8sName("source")
+ eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+
+ event := test.FullEvent()
+
+ // Install event policy
+ f.Setup("Install the EventPolicy", eventpolicy.Install(
+ eventPolicy,
+ eventpolicy.WithToRef(
+ gvr.GroupVersion().WithKind(kind),
+ name),
+ eventpolicy.WithFromSubject("system:serviceaccount:default:unknown-identity"),
+ ))
+ f.Setup(fmt.Sprintf("EventPolicy for %s %s is ready", kind, name), k8s.IsReady(gvr, name))
+
+ // Install source
+ f.Requirement("install source", eventshub.Install(
+ source,
+ eventshub.StartSenderToResourceTLS(gvr, name, nil),
+ eventshub.InputEvent(event),
+ eventshub.InitialSenderDelay(10*time.Second),
+ ))
+
+ f.Alpha(kind).
+ Must("event sent", eventassert.OnStore(source).MatchSentEvent(test.HasId(event.ID())).Exact(1)).
+ Must("get 202 on response", eventassert.OnStore(source).Match(eventassert.MatchStatusCode(403)).AtLeast(1))
+
+ return f
+}
+
+func addressableBecomesUnreadyOnUnreadyEventPolicy(gvr schema.GroupVersionResource, kind, name string) *feature.Feature {
+ f := feature.NewFeatureNamed(fmt.Sprintf("%s becomes NotReady when EventPolicy is NotReady", kind))
+
+ f.Prerequisite("OIDC authentication is enabled", featureflags.AuthenticationOIDCEnabled())
+ f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+ f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
+ eventPolicy := feature.MakeRandomK8sName("eventpolicy")
+
+ f.Setup(fmt.Sprintf("%s is ready initially", kind), k8s.IsReady(gvr, name))
+
+ // Install event policy
+ f.Requirement("Install the EventPolicy", eventpolicy.Install(
+ eventPolicy,
+ eventpolicy.WithToRef(
+ gvr.GroupVersion().WithKind(kind),
+ name),
+ eventpolicy.WithFromRef(pingsource.Gvr().GroupVersion().WithKind("PingSource"), "doesnt-exist", "doesnt-exist"),
+ ))
+ f.Requirement(fmt.Sprintf("EventPolicy for %s %s is NotReady", kind, name), k8s.IsNotReady(gvr, name))
+
+ f.Alpha(kind).Must("become NotReady with NotReady EventPolicy ", k8s.IsNotReady(gvr, name))
+
+ return f
+}

vendor/knative.dev/reconciler-test/pkg/eventshub/options.go

@@ -234,6 +234,21 @@ func OIDCReceiverAudience(aud string) EventsHubOption {
  return compose(envOption(OIDCReceiverAudienceEnv, aud), envOIDCEnabled())
 }
 
+// VerifyEventFormat has the receiver verify the event format when receiving events
+func VerifyEventFormat(format string) EventsHubOption {
+ return compose(envOption("EVENT_FORMAT", format))
+}
+
+// VerifyEventFormat has the receiver verify the event format is structured when receiving events
+func VerifyEventFormatStructured() EventsHubOption {
+ return VerifyEventFormat("json")
+}
+
+// VerifyEventFormat has the receiver verify the event format is binary when receiving events
+func VerifyEventFormatBinary() EventsHubOption {
+ return VerifyEventFormat("binary")
+}
+
 // --- Sender options
 
 // InitialSenderDelay defines how much the sender has to wait (in millisecond), when started, before start sending events.
@@ -334,6 +349,11 @@ func OIDCCorruptedSignature() EventsHubOption {
  return compose(envOption(OIDCGenerateCorruptedSignatureTokenEnv, "true"), envOIDCEnabled())
 }
 
+// OIDCSubject sets the name of the OIDC subject to use by the sender. If this option is not set, it defaults to "oidc-<eventshub-name>"
+func OIDCSubject(sub string) EventsHubOption {
+ return compose(envOption(OIDCSubjectEnv, sub), envOIDCEnabled())
+}
+
 // OIDCToken adds the given token used for OIDC authentication to the request.
 func OIDCToken(jwt string) EventsHubOption {
  return compose(envOption(OIDCTokenEnv, jwt), envOIDCEnabled())