Merge pull request #132082 from aramase/aramase/t/kep_3331_revocation_unit_test

KEP-3331: Add test to simulate revocation via user validation rule using unique identifier (jti)
This commit is contained in:
Kubernetes Prow Robot
2025-06-03 15:46:37 -07:00
committed by GitHub

View File

@@ -4082,6 +4082,43 @@ func TestToken(t *testing.T) {
Name: "jane",
},
},
{
name: "using credential id and user validation rule to simulate revocation",
options: Options{
JWTAuthenticator: apiserver.JWTAuthenticator{
Issuer: apiserver.Issuer{
URL: "https://auth.example.com",
Audiences: []string{"my-client"},
},
ClaimMappings: apiserver.ClaimMappings{
Username: apiserver.PrefixedClaimOrExpression{
Expression: "claims.username",
},
},
UserValidationRules: []apiserver.UserValidationRule{
{
// While full token revocation is not supported, it is possible to approximate revocation by writing user info validation rules
// based on a unique identifier in the token, such as the jti claim (if present).
Expression: `!(user.extra[?'authentication.kubernetes.io/credential-id'][0].orValue('') in ["JTI=ea28ed49-2e11-4280-9ec5-bc3d1d84661a"])`,
Message: "credential is revoked",
},
},
},
now: func() time.Time { return now },
},
signingKey: loadRSAPrivKey(t, "testdata/rsa_1.pem", jose.RS256),
pubKeys: []*jose.JSONWebKey{
loadRSAKey(t, "testdata/rsa_1.pem", jose.RS256),
},
claims: fmt.Sprintf(`{
"iss": "https://auth.example.com",
"aud": "my-client",
"username": "jane",
"exp": %d,
"jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a"
}`, valid.Unix()),
wantErr: `oidc: error evaluating user info validation rule: validation expression '!(user.extra[?'authentication.kubernetes.io/credential-id'][0].orValue('') in ["JTI=ea28ed49-2e11-4280-9ec5-bc3d1d84661a"])' failed: credential is revoked`,
},
}
var successTestCount, failureTestCount int