From af291a44c3a2e31ef58851d27aaa70e9a02fedaa Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 17 Mar 2025 15:38:35 -0700 Subject: [PATCH] Add unit test to validate email_verified in claim validation rules Signed-off-by: Anish Ramasekar --- .../apiserver/validation/validation_test.go | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go index 2e39d375f1c..6d761b59318 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go @@ -585,6 +585,61 @@ func TestValidateAuthenticationConfiguration(t *testing.T) { }, want: "", }, + { + name: "valid authentication configuration that uses verified email via claim validation rule", + in: &api.AuthenticationConfiguration{ + JWT: []api.JWTAuthenticator{ + { + Issuer: api.Issuer{ + URL: "https://issuer-url", + Audiences: []string{"audience"}, + }, + ClaimValidationRules: []api.ClaimValidationRule{ + { + // By explicitly comparing the value to true, we let type-checking see the result will be + // a boolean, and to make sure a non-boolean email_verified claim will be caught at runtime. + Expression: `claims.?email_verified.orValue(true) == true`, + }, + }, + // allow email claim only when email_verified is present and true + ClaimMappings: api.ClaimMappings{ + Username: api.PrefixedClaimOrExpression{ + Expression: `{claims.?email: "panda"}`, + }, + }, + }, + }, + }, + want: "", + }, + { + name: "valid authentication configuration that uses verified email via claim validation rule incorrectly", + in: &api.AuthenticationConfiguration{ + JWT: []api.JWTAuthenticator{ + { + Issuer: api.Issuer{ + URL: "https://issuer-url", + Audiences: []string{"audience"}, + }, + ClaimValidationRules: []api.ClaimValidationRule{ + { + // This expression was previously documented in the godoc for the JWT authenticator + // and was incorrect. It was changed to the above expression in the previous test case. + // Testing the old expression here to confirm it fails validation. + Expression: `claims.?email_verified.orValue(true)`, + }, + }, + // allow email claim only when email_verified is present and true + ClaimMappings: api.ClaimMappings{ + Username: api.PrefixedClaimOrExpression{ + Expression: `{claims.?email: "panda"}`, + }, + }, + }, + }, + }, + want: `[jwt[0].claimValidationRules[0].expression: Invalid value: "claims.?email_verified.orValue(true)": must evaluate to bool, jwt[0].claimMappings.username.expression: Invalid value: "{claims.?email: \"panda\"}": claims.email_verified must be used in claimMappings.username.expression or claimMappings.extra[*].valueExpression or claimValidationRules[*].expression when claims.email is used in claimMappings.username.expression]`, + }, { name: "valid authentication configuration", in: &api.AuthenticationConfiguration{