1#!/usr/bin/env bash
2
3# Copyright 2018 The Kubernetes Authors.
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17set -o errexit
18set -o nounset
19set -o pipefail
20
21run_authorization_tests() {
22 set -o nounset
23 set -o errexit
24
25 kube::log::status "Testing authorization"
26
27 # check remote authorization endpoint, kubectl doesn't actually display the returned object so this isn't super useful
28 # but it proves that works
29 kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1.json --validate=false
30
31 SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
32 curl -kfsS -H "Content-Type:" -H 'Authorization: Bearer admin-token' "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
33 if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
34 kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
35 else
36 kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" does not return as expected: $(cat "${SAR_RESULT_FILE}")"
37 exit 1
38 fi
39 rm "${SAR_RESULT_FILE}"
40
41 set +o nounset
42 set +o errexit
43}
44
45run_impersonation_tests() {
46 set -o nounset
47 set -o errexit
48
49 kube::log::status "Testing impersonation"
50
51 output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-group=foo 2>&1)
52 kube::test::if_has_string "${output_message}" 'without impersonating a user'
53
54 output_message=$(! kubectl get pods "${kube_flags_with_token[@]:?}" --as-uid=abc123 2>&1)
55 kube::test::if_has_string "${output_message}" 'without impersonating a user'
56
57 if kube::test::if_supports_resource "${csr:?}" ; then
58 # --as
59 kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1
60 kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
61 kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}}{{end}}' 'system:authenticated'
62 kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
63
64 # --as-group
65 kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-group=group2 --as-group=group1 --as-group=,,,chameleon
66 kube::test::get_object_assert 'csr/foo' '{{len .spec.groups}}' '4'
67 kube::test::get_object_assert 'csr/foo' '{{range .spec.groups}}{{.}} {{end}}' 'group2 group1 ,,,chameleon system:authenticated '
68 kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
69
70 # --as-uid
71 kubectl create -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}" --as=user1 --as-uid=abc123
72 kube::test::get_object_assert 'csr/foo' '{{.spec.username}}' 'user1'
73 kube::test::get_object_assert 'csr/foo' '{{.spec.uid}}' 'abc123'
74 kubectl delete -f hack/testdata/csr.yml "${kube_flags_with_token[@]:?}"
75
76 fi
77
78 set +o nounset
79 set +o errexit
80}
View as plain text