
Source file src/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/subject_locator_test.go

Documentation: k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac

     1  /*
     2  Copyright 2016 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package rbac
    18  
    19  import (
    20  	"reflect"
    21  	"testing"
    22  
    23  	rbacv1 "k8s.io/api/rbac/v1"
    24  	"k8s.io/apiserver/pkg/authentication/user"
    25  	"k8s.io/apiserver/pkg/authorization/authorizer"
    26  	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
    27  )
    28  
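// TestSubjectLocator exercises SubjectAccessEvaluator.AllowedSubjects against a
// small fixed set of roles and bindings. For each action it asserts the exact,
// ordered list of subjects the locator reports as able to perform it.
//
// Two properties the expected values encode, worth preserving when the table
// is extended:
//   - user.SystemPrivilegedGroup heads every expected list, and the configured
//     superUser (when set) comes right after it, even for actions that no
//     binding grants (see the "create" and "ns2" cases below). A regression
//     that dropped either would under-report who can perform an action, which
//     is the wrong direction for a component used to answer "who can do X".
//   - The comparison is reflect.DeepEqual on a slice, so order is significant:
//     subjects from cluster-scoped bindings are listed before those from
//     namespaced bindings.
//
// Each table entry runs as its own subtest so a failure names the case and a
// single case can be selected with -run.
func TestSubjectLocator(t *testing.T) {
	type actionToSubjects struct {
		action   authorizer.Attributes
		subjects []rbacv1.Subject
	}

	tests := []struct {
		name                string
		roles               []*rbacv1.Role
		roleBindings        []*rbacv1.RoleBinding
		clusterRoles        []*rbacv1.ClusterRole
		clusterRoleBindings []*rbacv1.ClusterRoleBinding

		superUser string

		actionsToSubjects []actionToSubjects
	}{
		{
			name: "no super user, star matches star",
			clusterRoles: []*rbacv1.ClusterRole{
				newClusterRole("admin", newRule("*", "*", "*", "*")),
			},
			clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
				newClusterRoleBinding("admin", "User:super-admin", "Group:super-admins"),
			},
			roleBindings: []*rbacv1.RoleBinding{
				newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
			},
			actionsToSubjects: []actionToSubjects{
				{
					// a concrete verb in ns1 is granted by both the cluster-scoped
					// binding and the namespaced binding to the cluster role
					&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "admins"},
					},
				},
				{
					// cluster role matches star in namespace; the ns1-scoped
					// binding does not cover a "*" namespace request
					&defaultAttributes{"", "", "*", "Pods", "", "*", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
					},
				},
				{
					// empty ns: only cluster-scoped subjects qualify
					&defaultAttributes{"", "", "*", "Pods", "", "", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
					},
				},
			},
		},
		{
			name:      "super user, local roles work",
			superUser: "foo",
			clusterRoles: []*rbacv1.ClusterRole{
				newClusterRole("admin", newRule("*", "*", "*", "*")),
			},
			clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
				newClusterRoleBinding("admin", "User:super-admin", "Group:super-admins"),
			},
			roles: []*rbacv1.Role{
				newRole("admin", "ns1", newRule("get", "*", "Pods", "*")),
			},
			roleBindings: []*rbacv1.RoleBinding{
				newRoleBinding("ns1", "admin", bindToRole, "User:admin", "Group:admins"),
			},
			actionsToSubjects: []actionToSubjects{
				{
					// the superuser is reported right after the privileged group
					&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "foo"},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "admins"},
					},
				},
				{
					// verb matches correctly: the local role only grants "get",
					// so "create" falls back to the cluster-level subjects
					&defaultAttributes{"", "", "create", "Pods", "", "ns1", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "foo"},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
					},
				},
				{
					// binding only works in correct ns
					&defaultAttributes{"", "", "get", "Pods", "", "ns2", ""},
					[]rbacv1.Subject{
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: user.SystemPrivilegedGroup},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "foo"},
						{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "super-admin"},
						{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "super-admins"},
					},
				},
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ruleResolver, lister := rbacregistryvalidation.NewTestRuleResolver(tt.roles, tt.roleBindings, tt.clusterRoles, tt.clusterRoleBindings)
			// The same test lister serves as both the RoleBinding and
			// ClusterRoleBinding lister.
			a := SubjectAccessEvaluator{tt.superUser, lister, lister, ruleResolver}
			for i, action := range tt.actionsToSubjects {
				actualSubjects, err := a.AllowedSubjects(action.action)
				if err != nil {
					// Skip the comparison: a nil result would only produce a
					// second, misleading mismatch report for the same cause.
					t.Errorf("action %d: unexpected error: %v", i, err)
					continue
				}
				if !reflect.DeepEqual(actualSubjects, action.subjects) {
					t.Errorf("action %d: expected\n%v\nactual\n%v", i, action.subjects, actualSubjects)
				}
			}
		})
	}
}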
   152  
