fix: impresonation regression for service accounts

Signed-off-by: Radek Gruchalski <[email protected]>

Author: rgruchalski-klarrio

internal/request/http.go

@@ -12,9 +12,18 @@ import (
 	authenticationv1 "k8s.io/api/authentication/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+var defaultServiceAccountGroups = []string{
+	serviceaccount.AllServiceAccountsGroup,
+	user.AllAuthenticated}
+
+func GetDefaultServiceAccountGroups() []string {
+	return defaultServiceAccountGroups
+}
+
 type http struct {
 	*h.Request
 	authTypes                  []AuthType
@@ -34,6 +43,7 @@ func (h http) GetHTTPRequest() *h.Request {
 
 //nolint:funlen
 func (h http) GetUserAndGroups() (username string, groups []string, err error) {
+
 	for _, fn := range h.authenticationFns() {
 		// User authentication data is extracted according to the preferred order:
 		// in case of first match blocking the iteration
@@ -106,9 +116,10 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 			// by appending the expected service account groups:
 			// - system:serviceaccounts:<namespace>
 			// - system:serviceaccounts
+			// - system:authenticated
 			if namespace, _, err := serviceaccount.SplitUsername(username); err == nil {
-				groups = append(groups, serviceaccount.AllServiceAccountsGroup)
 				groups = append(groups, fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, namespace))
+				groups = append(groups, defaultServiceAccountGroups...)
 			}
 		}()
 	}

internal/request/http_test.go

@@ -16,6 +16,8 @@ import (
 	authorizationv1 "k8s.io/api/authorization/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+
 	"github.com/projectcapsule/capsule-proxy/internal/request"
 )
 
@@ -101,6 +103,37 @@ func Test_http_GetUserAndGroups(t *testing.T) {
 			wantGroups:   []string{"ImpersonatedGroup"},
 			wantErr:      false,
 		},
+		{
+			name: "Certificate-ServiceAccount",
+			fields: fields{
+				Request: &http.Request{
+					Header: map[string][]string{
+						authenticationv1.ImpersonateUserHeader: {serviceaccount.ServiceAccountUsernamePrefix + "ns:account"},
+					},
+					TLS: &tls.ConnectionState{
+						PeerCertificates: []*x509.Certificate{
+							{
+								Subject: pkix.Name{
+									CommonName: serviceaccount.ServiceAccountUsernamePrefix + "ns:account",
+								},
+							},
+						},
+					},
+				},
+				authTypes: []request.AuthType{
+					request.BearerToken,
+					request.TLSCertificate,
+				},
+				client: testClient(func(ctx context.Context, obj client.Object) error {
+					ac := obj.(*authorizationv1.SubjectAccessReview)
+					ac.Status.Allowed = true
+					return nil
+				}),
+			},
+			wantUsername: serviceaccount.ServiceAccountUsernamePrefix + "ns:account",
+			wantGroups:   append([]string{fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, "ns")}, request.GetDefaultServiceAccountGroups()...),
+			wantErr:      false,
+		},
 		{
 			name: "Bearer",
 			fields: fields{