首页 发现 帮助
登录
tzeneto
/
custom-kube-scheduler
关注 1
点赞 0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: bb54b45d7e
分支列表 标签列表
custom-kube-...
/
kubernetes
/
pkg
/
registry
/
authorization
/
subjectaccessreview
/
rest_test.go

rest_test.go 6.3 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220 
  1. /*
    2. 

  2. Copyright 2017 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package subjectaccessreview
    18. 

  18. 

  19. import (
    20. 

  20. 	"context"
    21. 

  21. 	"errors"
    22. 

  22. 	"strings"
    23. 

  23. 	"testing"
    24. 

  24. 

  25. 	"reflect"
    26. 

  26. 

  27. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    28. 

  28. 	"k8s.io/apiserver/pkg/authentication/user"
    29. 

  29. 	"k8s.io/apiserver/pkg/authorization/authorizer"
    30. 

  30. 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
    31. 

  31. 	"k8s.io/apiserver/pkg/registry/rest"
    32. 

  32. 	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
    33. 

  33. )
    34. 

  34. 

  35. type fakeAuthorizer struct {
    36. 

  36. 	attrs authorizer.Attributes
    37. 

  37. 

  38. 	decision authorizer.Decision
    39. 

  39. 	reason   string
    40. 

  40. 	err      error
    41. 

  41. }
    42. 

  42. 

  43. func (f *fakeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
    44. 

  44. 	f.attrs = attrs
    45. 

  45. 	return f.decision, f.reason, f.err
    46. 

  46. }
    47. 

  47. 

  48. func TestCreate(t *testing.T) {
    49. 

  49. 	testcases := map[string]struct {
    50. 

  50. 		spec     authorizationapi.SubjectAccessReviewSpec
    51. 

  51. 		decision authorizer.Decision
    52. 

  52. 		reason   string
    53. 

  53. 		err      error
    54. 

  54. 

  55. 		expectedErr    string
    56. 

  56. 		expectedAttrs  authorizer.Attributes
    57. 

  57. 		expectedStatus authorizationapi.SubjectAccessReviewStatus
    58. 

  58. 	}{
    59. 

  59. 		"empty": {
    60. 

  60. 			expectedErr: "nonResourceAttributes or resourceAttributes",
    61. 

  61. 		},
    62. 

  62. 

  63. 		"nonresource rejected": {
    64. 

  64. 			spec: authorizationapi.SubjectAccessReviewSpec{
    65. 

  65. 				User:                  "bob",
    66. 

  66. 				NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
    67. 

  67. 			},
    68. 

  68. 			decision: authorizer.DecisionNoOpinion,
    69. 

  69. 			reason:   "myreason",
    70. 

  70. 			err:      errors.New("myerror"),
    71. 

  71. 			expectedAttrs: authorizer.AttributesRecord{
    72. 

  72. 				User:            &user.DefaultInfo{Name: "bob"},
    73. 

  73. 				Verb:            "get",
    74. 

  74. 				Path:            "/mypath",
    75. 

  75. 				ResourceRequest: false,
    76. 

  76. 			},
    77. 

  77. 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
    78. 

  78. 				Allowed:         false,
    79. 

  79. 				Reason:          "myreason",
    80. 

  80. 				EvaluationError: "myerror",
    81. 

  81. 			},
    82. 

  82. 		},
    83. 

  83. 

  84. 		"nonresource allowed": {
    85. 

  85. 			spec: authorizationapi.SubjectAccessReviewSpec{
    86. 

  86. 				User:                  "bob",
    87. 

  87. 				NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
    88. 

  88. 			},
    89. 

  89. 			decision: authorizer.DecisionAllow,
    90. 

  90. 			reason:   "allowed",
    91. 

  91. 			err:      nil,
    92. 

  92. 			expectedAttrs: authorizer.AttributesRecord{
    93. 

  93. 				User:            &user.DefaultInfo{Name: "bob"},
    94. 

  94. 				Verb:            "get",
    95. 

  95. 				Path:            "/mypath",
    96. 

  96. 				ResourceRequest: false,
    97. 

  97. 			},
    98. 

  98. 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
    99. 

  99. 				Allowed:         true,
    100. 

  100. 				Reason:          "allowed",
    101. 

  101. 				EvaluationError: "",
    102. 

  102. 			},
    103. 

  103. 		},
    104. 

  104. 

  105. 		"resource rejected": {
    106. 

  106. 			spec: authorizationapi.SubjectAccessReviewSpec{
    107. 

  107. 				User: "bob",
    108. 

  108. 				ResourceAttributes: &authorizationapi.ResourceAttributes{
    109. 

  109. 					Namespace:   "myns",
    110. 

  110. 					Verb:        "create",
    111. 

  111. 					Group:       "extensions",
    112. 

  112. 					Version:     "v1beta1",
    113. 

  113. 					Resource:    "deployments",
    114. 

  114. 					Subresource: "scale",
    115. 

  115. 					Name:        "mydeployment",
    116. 

  116. 				},
    117. 

  117. 			},
    118. 

  118. 			decision: authorizer.DecisionNoOpinion,
    119. 

  119. 			reason:   "myreason",
    120. 

  120. 			err:      errors.New("myerror"),
    121. 

  121. 			expectedAttrs: authorizer.AttributesRecord{
    122. 

  122. 				User:            &user.DefaultInfo{Name: "bob"},
    123. 

  123. 				Namespace:       "myns",
    124. 

  124. 				Verb:            "create",
    125. 

  125. 				APIGroup:        "extensions",
    126. 

  126. 				APIVersion:      "v1beta1",
    127. 

  127. 				Resource:        "deployments",
    128. 

  128. 				Subresource:     "scale",
    129. 

  129. 				Name:            "mydeployment",
    130. 

  130. 				ResourceRequest: true,
    131. 

  131. 			},
    132. 

  132. 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
    133. 

  133. 				Allowed:         false,
    134. 

  134. 				Denied:          false,
    135. 

  135. 				Reason:          "myreason",
    136. 

  136. 				EvaluationError: "myerror",
    137. 

  137. 			},
    138. 

  138. 		},
    139. 

  139. 

  140. 		"resource allowed": {
    141. 

  141. 			spec: authorizationapi.SubjectAccessReviewSpec{
    142. 

  142. 				User: "bob",
    143. 

  143. 				ResourceAttributes: &authorizationapi.ResourceAttributes{
    144. 

  144. 					Namespace:   "myns",
    145. 

  145. 					Verb:        "create",
    146. 

  146. 					Group:       "extensions",
    147. 

  147. 					Version:     "v1beta1",
    148. 

  148. 					Resource:    "deployments",
    149. 

  149. 					Subresource: "scale",
    150. 

  150. 					Name:        "mydeployment",
    151. 

  151. 				},
    152. 

  152. 			},
    153. 

  153. 			decision: authorizer.DecisionAllow,
    154. 

  154. 			reason:   "allowed",
    155. 

  155. 			err:      nil,
    156. 

  156. 			expectedAttrs: authorizer.AttributesRecord{
    157. 

  157. 				User:            &user.DefaultInfo{Name: "bob"},
    158. 

  158. 				Namespace:       "myns",
    159. 

  159. 				Verb:            "create",
    160. 

  160. 				APIGroup:        "extensions",
    161. 

  161. 				APIVersion:      "v1beta1",
    162. 

  162. 				Resource:        "deployments",
    163. 

  163. 				Subresource:     "scale",
    164. 

  164. 				Name:            "mydeployment",
    165. 

  165. 				ResourceRequest: true,
    166. 

  166. 			},
    167. 

  167. 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
    168. 

  168. 				Allowed:         true,
    169. 

  169. 				Denied:          false,
    170. 

  170. 				Reason:          "allowed",
    171. 

  171. 				EvaluationError: "",
    172. 

  172. 			},
    173. 

  173. 		},
    174. 

  174. 

  175. 		"resource denied": {
    176. 

  176. 			spec: authorizationapi.SubjectAccessReviewSpec{
    177. 

  177. 				User:               "bob",
    178. 

  178. 				ResourceAttributes: &authorizationapi.ResourceAttributes{},
    179. 

  179. 			},
    180. 

  180. 			decision: authorizer.DecisionDeny,
    181. 

  181. 			expectedAttrs: authorizer.AttributesRecord{
    182. 

  182. 				User:            &user.DefaultInfo{Name: "bob"},
    183. 

  183. 				ResourceRequest: true,
    184. 

  184. 			},
    185. 

  185. 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
    186. 

  186. 				Allowed: false,
    187. 

  187. 				Denied:  true,
    188. 

  188. 			},
    189. 

  189. 		},
    190. 

  190. 	}
    191. 

  191. 

  192. 	for k, tc := range testcases {
    193. 

  193. 		auth := &fakeAuthorizer{
    194. 

  194. 			decision: tc.decision,
    195. 

  195. 			reason:   tc.reason,
    196. 

  196. 			err:      tc.err,
    197. 

  197. 		}
    198. 

  198. 		storage := NewREST(auth)
    199. 

  199. 

  200. 		result, err := storage.Create(genericapirequest.NewContext(), &authorizationapi.SubjectAccessReview{Spec: tc.spec}, rest.ValidateAllObjectFunc, &metav1.CreateOptions{})
    201. 

  201. 		if err != nil {
    202. 

  202. 			if tc.expectedErr != "" {
    203. 

  203. 				if !strings.Contains(err.Error(), tc.expectedErr) {
    204. 

  204. 					t.Errorf("%s: expected %s to contain %q", k, err, tc.expectedErr)
    205. 

  205. 				}
    206. 

  206. 			} else {
    207. 

  207. 				t.Errorf("%s: %v", k, err)
    208. 

  208. 			}
    209. 

  209. 			continue
    210. 

  210. 		}
    211. 

  211. 		if !reflect.DeepEqual(auth.attrs, tc.expectedAttrs) {
    212. 

  212. 			t.Errorf("%s: expected\n%#v\ngot\n%#v", k, tc.expectedAttrs, auth.attrs)
    213. 

  213. 		}
    214. 

  214. 		status := result.(*authorizationapi.SubjectAccessReview).Status
    215. 

  215. 		if !reflect.DeepEqual(status, tc.expectedStatus) {
    216. 

  216. 			t.Errorf("%s: expected\n%#v\ngot\n%#v", k, tc.expectedStatus, status)
    217. 

  217. 		}
    218. 

  218. 	}
    219. 

  219. }
    220. 

  220.