Source file src/github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/iam/comparison.go

     1  // Copyright 2022 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package testiam
    16  
    17  import (
    18  	"reflect"
    19  	"testing"
    20  
    21  	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/apis/iam/v1beta1"
    22  
    23  	"github.com/google/go-cmp/cmp"
    24  )
    25  
// conditionKey is the comparable form of an IAM binding condition, used as
// part of bindingKey so that bindings can be keyed in a map.
// Note that a nil condition and a non-nil condition whose three fields are
// all empty both produce the zero conditionKey (see conditionKeyFromCondition),
// so the two cases are indistinguishable to the comparison helpers.
type conditionKey struct {
	Description string
	Expression  string
	Title       string
}
    31  
// bindingKey identifies an IAM binding by its role and condition only.
// Members are deliberately not part of the key; they are tracked as a set
// per key by bindingsMap so that comparisons are order-insensitive.
type bindingKey struct {
	Role      string
	Condition conditionKey
}
    36  
// SameBindings reports whether a and b grant exactly the same members for
// every (role, condition) pair. Ordering of bindings and of members is
// ignored and repeated entries collapse, because both sides are first
// normalized by bindingsMap; a nil and an empty slice compare equal.
func SameBindings(a, b []v1beta1.IAMPolicyBinding) bool {
	normalizedA := bindingsMap(a)
	normalizedB := bindingsMap(b)
	return reflect.DeepEqual(normalizedA, normalizedB)
}
    40  
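// ContainsBindings reports whether every binding in b is also granted by a:
// for each (role, condition) key in b, the same key must exist in a and every
// member listed under it in b must also be a member under that key in a.
// The check is one-directional: a may grant additional roles or members and
// still satisfy it, so it is a subset test, not an equality test (use
// SameBindings for that). Ordering and duplicates are irrelevant because
// both slices are normalized by bindingsMap first.
func ContainsBindings(a, b []v1beta1.IAMPolicyBinding) bool {
	bindingMapA := bindingsMap(a)
	for key, membersB := range bindingsMap(b) {
		membersA, ok := bindingMapA[key]
		if !ok {
			// a does not grant this role/condition pair at all; this fails
			// even when b lists no members under the pair, matching the
			// way bindingsMap records member-less bindings as empty sets.
			return false
		}
		for member := range membersB {
			if _, found := membersA[member]; !found {
				return false
			}
		}
	}
	return true
}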
    57  
// SameAuditConfigs reports whether a and b describe the same audit
// configuration: the same services, each with the same exempted-member set
// per log type. Order is ignored because both sides are normalized by
// auditConfigsMap before the comparison.
func SameAuditConfigs(a, b []v1beta1.IAMPolicyAuditConfig) bool {
	normalizedA := auditConfigsMap(a)
	normalizedB := auditConfigsMap(b)
	return reflect.DeepEqual(normalizedA, normalizedB)
}
    61  
// SameAuditLogConfigs reports whether a and b contain the same log types,
// each with the same set of exempted members. Order and repeated entries are
// ignored because both sides are normalized by auditLogConfigsMap first.
func SameAuditLogConfigs(a, b []v1beta1.AuditLogConfig) bool {
	normalizedA := auditLogConfigsMap(a)
	normalizedB := auditLogConfigsMap(b)
	return reflect.DeepEqual(normalizedA, normalizedB)
}
    65  
// bindingsMap normalizes bindings into an order-independent form: each
// (role, condition) key maps to the set of members granted under it.
// Bindings that share a role and condition are merged into one member set,
// repeated members appear once, and a binding with no members still creates
// its key with an empty set. The returned map is never nil.
func bindingsMap(bindings []v1beta1.IAMPolicyBinding) map[bindingKey]map[v1beta1.Member]bool {
	result := make(map[bindingKey]map[v1beta1.Member]bool)
	for _, binding := range bindings {
		key := bindingKeyFromBinding(binding)
		members, seen := result[key]
		if !seen {
			members = make(map[v1beta1.Member]bool)
			result[key] = members
		}
		for _, member := range binding.Members {
			members[member] = true
		}
	}
	return result
}
    80  
// bindingKeyFromBinding builds the map key for b from its role and the
// comparable form of its (possibly nil) condition. The binding's members are
// intentionally not part of the key.
func bindingKeyFromBinding(b v1beta1.IAMPolicyBinding) bindingKey {
	var key bindingKey
	key.Role = b.Role
	key.Condition = conditionKeyFromCondition(b.Condition)
	return key
}
    87  
// conditionKeyFromCondition converts an optional IAM condition into its
// comparable key. A nil condition yields the zero conditionKey, which is the
// same value produced by a non-nil condition whose Description, Expression
// and Title are all empty; the comparison helpers therefore treat "no
// condition" and "empty condition" as equal.
func conditionKeyFromCondition(c *v1beta1.IAMCondition) conditionKey {
	var key conditionKey
	if c != nil {
		key.Description = c.Description
		key.Expression = c.Expression
		key.Title = c.Title
	}
	return key
}
    98  
// auditConfigsMap normalizes audit configs into an order-independent form
// keyed by service; each service maps to the per-log-type exempted-member
// sets produced by auditLogConfigsMap. Unlike bindingsMap, entries that
// repeat a service are not merged: the last entry in the slice for a given
// service replaces any earlier one. The returned map is never nil.
func auditConfigsMap(auditConfigs []v1beta1.IAMPolicyAuditConfig) map[string]map[string]map[v1beta1.Member]bool {
	byService := make(map[string]map[string]map[v1beta1.Member]bool, len(auditConfigs))
	for i := range auditConfigs {
		cfg := &auditConfigs[i]
		byService[cfg.Service] = auditLogConfigsMap(cfg.AuditLogConfigs)
	}
	return byService
}
   106  
// auditLogConfigsMap normalizes audit log configs into an order-independent
// form: each log type maps to the set of exempted members under it. Entries
// that repeat a log type are merged into one set, repeated members appear
// once, and an entry with no exempted members still creates its log type
// with an empty set. The returned map is never nil.
func auditLogConfigsMap(auditLogConfigs []v1beta1.AuditLogConfig) map[string]map[v1beta1.Member]bool {
	byLogType := make(map[string]map[v1beta1.Member]bool)
	for _, cfg := range auditLogConfigs {
		exempted, seen := byLogType[cfg.LogType]
		if !seen {
			exempted = make(map[v1beta1.Member]bool)
			byLogType[cfg.LogType] = exempted
		}
		for _, member := range cfg.ExemptedMembers {
			exempted[member] = true
		}
	}
	return byLogType
}
   120  
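// AssertSamePolicy fails the test if gcpPolicy does not match k8sPolicy.
// k8sPolicy is the expected ("want") side and gcpPolicy the observed ("got")
// side. Only three parts of the spec are compared: ResourceReference
// (structurally) and Bindings and AuditConfigs (order-insensitively, through
// SameBindings and SameAuditConfigs); no other spec fields are checked here.
// Both policies must be non-nil. The first mismatch stops the test via
// t.Fatalf, so at most one discrepancy is reported per call.
func AssertSamePolicy(t *testing.T, k8sPolicy, gcpPolicy *v1beta1.IAMPolicy) {
	t.Helper() // attribute failures to the calling test line, not to this helper
	if k8sPolicy == nil || gcpPolicy == nil {
		// Fail explicitly instead of dereferencing a nil pointer below.
		t.Fatalf("AssertSamePolicy requires non-nil policies; k8sPolicy nil: %t, gcpPolicy nil: %t", k8sPolicy == nil, gcpPolicy == nil)
	}
	// reflect.DeepEqual decides equality; cmp.Diff is only used to render the
	// mismatch, so cmp's own comparison rules never decide the outcome.
	if !reflect.DeepEqual(k8sPolicy.Spec.ResourceReference, gcpPolicy.Spec.ResourceReference) {
		diff := cmp.Diff(k8sPolicy.Spec.ResourceReference, gcpPolicy.Spec.ResourceReference)
		t.Fatalf("GCP policy has incorrect resource reference. Diff (-want, +got):\n%v", diff)
	}
	if !SameBindings(k8sPolicy.Spec.Bindings, gcpPolicy.Spec.Bindings) {
		t.Fatalf("GCP policy has incorrect bindings; got: %v, want: %v", gcpPolicy.Spec.Bindings, k8sPolicy.Spec.Bindings)
	}
	if !SameAuditConfigs(k8sPolicy.Spec.AuditConfigs, gcpPolicy.Spec.AuditConfigs) {
		t.Fatalf("GCP policy has incorrect audit configs; got: %v, want: %v", gcpPolicy.Spec.AuditConfigs, k8sPolicy.Spec.AuditConfigs)
	}
}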
   133  
