17 package util
18
19 import (
20 "reflect"
21 "testing"
22
23 "k8s.io/apimachinery/pkg/util/sets"
24 "k8s.io/apiserver/pkg/authentication/user"
25 "k8s.io/apiserver/pkg/authorization/authorizer"
26 authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
27 )
28
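// TestResourceAttributesFrom is a field-drift guard for the conversion from
// SubjectAccessReview attributes to authorizer attributes. It fails when one
// of the walked struct types has a field whose name is not in the matching
// allow-list, so that a newly added field cannot be silently left out of
// ResourceAttributesFrom/NonResourceAttributesFrom (the helpers named in the
// failure message). A dropped field would presumably mean an authorization
// decision evaluated on incomplete request attributes.
func TestResourceAttributesFrom(t *testing.T) {
	// assertKnownFields reports every field of typ whose name is not in known.
	// typeName and setName only feed the failure message.
	assertKnownFields := func(typ reflect.Type, typeName string, known sets.String, setName string) {
		typ.FieldByNameFunc(func(name string) bool {
			if !known.Has(name) {
				t.Errorf("%s has a new field: %q. Add to ResourceAttributesFrom/NonResourceAttributesFrom as appropriate, then add to %s", typeName, name, setName)
			}
			// Never report a match: FieldByNameFunc is used here only as a
			// way to visit every field name, not to find one.
			return false
		})
	}

	// Union of the field names of the two API-side attribute types. The check
	// is by name only, so a name listed for one type is also accepted on the
	// other.
	knownResourceAttributesNames := sets.NewString(
		// authorizationapi.ResourceAttributes fields
		"Verb",
		"Namespace",
		"Group",
		"Version",
		"Resource",
		"Subresource",
		"Name",

		// authorizationapi.NonResourceAttributes fields
		"Path",
		"Verb",
	)
	assertKnownFields(reflect.TypeOf(authorizationapi.ResourceAttributes{}), "authorizationapi.ResourceAttributes", knownResourceAttributesNames, "knownResourceAttributesNames")
	// The allow-list already names the non-resource fields, but the type
	// itself was never walked; without this call a field added to
	// NonResourceAttributes would not trip the guard.
	assertKnownFields(reflect.TypeOf(authorizationapi.NonResourceAttributes{}), "authorizationapi.NonResourceAttributes", knownResourceAttributesNames, "knownResourceAttributesNames")

	// Field names of the authorizer-side record, grouped by which kind of
	// request populates them.
	knownAttributesRecordFieldNames := sets.NewString(
		// set for resource requests
		"User",
		"Verb",
		"Namespace",
		"APIGroup",
		"APIVersion",
		"Resource",
		"Subresource",
		"Name",
		"ResourceRequest",

		// set for non-resource requests
		"User",
		"ResourceRequest",
		"Path",
		"Verb",
	)
	assertKnownFields(reflect.TypeOf(authorizer.AttributesRecord{}), "authorizer.AttributesRecord", knownAttributesRecordFieldNames, "knownAttributesRecordFieldNames")
}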
76
// TestAuthorizationAttributesFrom is a table-driven check that
// AuthorizationAttributesFrom maps a SubjectAccessReviewSpec onto the expected
// authorizer.AttributesRecord. The record is compared with reflect.DeepEqual,
// so any field that is not carried over (or is carried over with a different
// value) fails the case.
func TestAuthorizationAttributesFrom(t *testing.T) {
	cases := []struct {
		name string
		spec authorizationapi.SubjectAccessReviewSpec
		want authorizer.AttributesRecord
	}{
		{
			// Non-resource request: user name, groups and extra values must
			// reach the user info; only Verb and Path are set on the record
			// and ResourceRequest keeps its zero value (false).
			name: "nonresource",
			spec: authorizationapi.SubjectAccessReviewSpec{
				User:                  "bob",
				Groups:                []string{user.AllAuthenticated},
				NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
				Extra:                 map[string]authorizationapi.ExtraValue{"scopes": {"scope-a", "scope-b"}},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name:   "bob",
					Groups: []string{user.AllAuthenticated},
					Extra:  map[string][]string{"scopes": {"scope-a", "scope-b"}},
				},
				Verb: "get",
				Path: "/mypath",
			},
		},
		{
			// Resource request with every attribute given: Group/Version are
			// expected as APIGroup/APIVersion and ResourceRequest as true.
			name: "resource",
			spec: authorizationapi.SubjectAccessReviewSpec{
				User: "bob",
				ResourceAttributes: &authorizationapi.ResourceAttributes{
					Namespace:   "myns",
					Verb:        "create",
					Group:       "extensions",
					Version:     "v1beta1",
					Resource:    "deployments",
					Subresource: "scale",
					Name:        "mydeployment",
				},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name: "bob",
				},
				APIGroup:        "extensions",
				APIVersion:      "v1beta1",
				Namespace:       "myns",
				Verb:            "create",
				Resource:        "deployments",
				Subresource:     "scale",
				Name:            "mydeployment",
				ResourceRequest: true,
			},
		},
		{
			// Version left unset: the record is expected to carry the
			// wildcard "*" as APIVersion rather than an empty string.
			name: "resource with no version",
			spec: authorizationapi.SubjectAccessReviewSpec{
				User: "bob",
				ResourceAttributes: &authorizationapi.ResourceAttributes{
					Namespace:   "myns",
					Verb:        "create",
					Group:       "extensions",
					Resource:    "deployments",
					Subresource: "scale",
					Name:        "mydeployment",
				},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name: "bob",
				},
				APIGroup:        "extensions",
				APIVersion:      "*",
				Namespace:       "myns",
				Verb:            "create",
				Resource:        "deployments",
				Subresource:     "scale",
				Name:            "mydeployment",
				ResourceRequest: true,
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			got := AuthorizationAttributesFrom(tc.spec)
			if reflect.DeepEqual(got, tc.want) {
				return
			}
			t.Errorf("AuthorizationAttributesFrom() = %v, want %v", got, tc.want)
		})
	}
}
174