diff --git a/pkg/server/server.go b/pkg/server/server.go
index 13bb3cd80..b46007e01 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -380,6 +380,7 @@ func (h *handler) authenticateEndpoint(w http.ResponseWriter, req *http.Request)
 userExtra["sessionName"] = authenticationv1beta1.ExtraValue{identity.SessionName}
 userExtra["accessKeyId"] = authenticationv1beta1.ExtraValue{identity.AccessKeyID}
 userExtra["principalId"] = authenticationv1beta1.ExtraValue{identity.UserID}
+ userExtra["sigs.k8s.io/aws-iam-authenticator/principalId"] = authenticationv1beta1.ExtraValue{identity.UserID}
 }
 json.NewEncoder(w).Encode(authenticationv1beta1.TokenReview{
diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go
index eb2ce541e..bacf858fc 100644
--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -500,11 +500,12 @@ func TestAuthenticateVerifierRoleMapping(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 []string{"sys:admin", "listers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{"ABCDEF"},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:role/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {"ABCDEF"},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
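Review bot: In `authenticateEndpoint` (pkg/server/server.go) the new `sigs.k8s.io/aws-iam-authenticator/principalId` entry sits next to the bare `principalId` with nothing saying why both are emitted or which one consumers of the TokenReview extra fields should rely on. Because these values travel with the authenticated user and may feed authorization or audit decisions downstream, I would add a comment such as `// Domain-prefixed copy of principalId; the unprefixed key is kept so existing consumers keep working.` (assuming that is the intent). The key string is also repeated verbatim in every expectation map in server_test.go, so a package-level constant, for example `const principalIDExtraKey = "sigs.k8s.io/aws-iam-authenticator/principalId"`, would keep the server and its tests from drifting apart. The other extra keys visible in the hunk (`sessionName`, `accessKeyId`) stay unprefixed, which is worth confirming as deliberate. The function body starts and ends outside the hunk.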
@@ -543,11 +544,12 @@ func TestAuthenticateVerifierRoleMappingCRD(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 []string{"sys:admin", "listers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:role/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -590,11 +592,12 @@ func TestAuthenticateVerifierUserMapping(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 []string{"sys:admin", "listers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:user/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:user/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -633,11 +636,12 @@ func TestAuthenticateVerifierUserMappingCRD(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 []string{"sys:admin", "listers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:user/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:user/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -676,11 +680,12 @@ func TestAuthenticateVerifierAccountMappingForUser(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 nil,
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:user/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:user/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -719,11 +724,12 @@ func TestAuthenticateVerifierAccountMappingForUserCRD(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 nil,
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:user/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:user/Test"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:user/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -762,11 +768,12 @@ func TestAuthenticateVerifierAccountMappingForRole(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 nil,
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:assumed-role/Test/extra"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:assumed-role/Test/extra"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -805,11 +812,12 @@ func TestAuthenticateVerifierAccountMappingForRoleCRD(t *testing.T) {
 "aws-iam-authenticator:0123456789012:Test",
 nil,
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:assumed-role/Test/extra"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/Test"},
- "sessionName": authenticationv1beta1.ExtraValue{"TestSession"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"Test"},
+ "arn": {"arn:aws:iam::0123456789012:assumed-role/Test/extra"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/Test"},
+ "sessionName": {"TestSession"},
+ "accessKeyId": {""},
+ "principalId": {"Test"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"Test"},
 }))
 validateMetrics(t, validateOpts{success: 1})
 }
@@ -853,11 +861,12 @@ func TestAuthenticateVerifierNodeMapping(t *testing.T) {
 "aws-iam-authenticator:0123456789012:TestNodeRole",
 []string{"system:nodes", "system:bootstrappers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/TestNodeRole"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/TestNodeRole"},
- "sessionName": authenticationv1beta1.ExtraValue{"i-0c6f21bf1f24f9708"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"TestNodeRole"},
+ "arn": {"arn:aws:iam::0123456789012:role/TestNodeRole"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/TestNodeRole"},
+ "sessionName": {"i-0c6f21bf1f24f9708"},
+ "accessKeyId": {""},
+ "principalId": {"TestNodeRole"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"TestNodeRole"},
 }))
 validateMetrics(t, validateOpts{success: 1})
@@ -898,11 +907,12 @@ func TestAuthenticateVerifierNodeMappingCRD(t *testing.T) {
 "aws-iam-authenticator:0123456789012:TestNodeRole",
 []string{"system:nodes", "system:bootstrappers"},
 map[string]authenticationv1beta1.ExtraValue{
- "arn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/TestNodeRole"},
- "canonicalArn": authenticationv1beta1.ExtraValue{"arn:aws:iam::0123456789012:role/TestNodeRole"},
- "sessionName": authenticationv1beta1.ExtraValue{"i-0c6f21bf1f24f9708"},
- "accessKeyId": authenticationv1beta1.ExtraValue{""},
- "principalId": authenticationv1beta1.ExtraValue{"TestNodeRole"},
+ "arn": {"arn:aws:iam::0123456789012:role/TestNodeRole"},
+ "canonicalArn": {"arn:aws:iam::0123456789012:role/TestNodeRole"},
+ "sessionName": {"i-0c6f21bf1f24f9708"},
+ "accessKeyId": {""},
+ "principalId": {"TestNodeRole"},
+ "sigs.k8s.io/aws-iam-authenticator/principalId": {"TestNodeRole"},
 }))
 validateMetrics(t, validateOpts{success: 1})