From 0cb90973b0274d7782306a0ebc9d880ac99d2a3b Mon Sep 17 00:00:00 2001
From: Joe Betz
Date: Fri, 25 Oct 2024 18:42:54 -0400
Subject: [PATCH] Add authz test for deny when relevant fields are not changed

---
 .../authz_test.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/registry/admissionregistration/mutatingadmissionpolicybinding/authz_test.go b/pkg/registry/admissionregistration/mutatingadmissionpolicybinding/authz_test.go
index b8229782d13..f7fe0e390b6 100644
--- a/pkg/registry/admissionregistration/mutatingadmissionpolicybinding/authz_test.go
+++ b/pkg/registry/admissionregistration/mutatingadmissionpolicybinding/authz_test.go
@@ -100,6 +100,28 @@ func TestAuthorization(t *testing.T) {
 },
 expectErrContains: "permission on the object referenced by paramRef",
 },
+ {
+ name: "deny but relevant fields not updated",
+ userInfo: &user.DefaultInfo{Groups: []string{user.AllAuthenticated}},
+ auth: func(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+ return authorizer.DecisionDeny, "", nil
+ },
+ policyGetter: func(ctx context.Context, name string) (*admissionregistration.MutatingAdmissionPolicy, error) {
+ return &admissionregistration.MutatingAdmissionPolicy{
+ ObjectMeta: metav1.ObjectMeta{Name: "replicalimit-policy.example.com"},
+ Spec: admissionregistration.MutatingAdmissionPolicySpec{
+ ParamKind: &admissionregistration.ParamKind{Kind: "Params", APIVersion: "foo.example.com/v1"},
+ },
+ }, nil
+ },
+ resourceResolver: func(gvk schema.GroupVersionKind) (schema.GroupVersionResource, error) {
+ return schema.GroupVersionResource{
+ Group: "foo.example.com",
+ Version: "v1",
+ Resource: "params",
+ }, nil
+ },
+ },
 {
 name: "unable to parse paramRef",
 userInfo: &user.DefaultInfo{Groups: []string{user.AllAuthenticated}},
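Review bot: The new "deny but relevant fields not updated" case encodes the condition it tests only in its name; nothing in the struct (no old/new object pair, no expectErrContains) says which fields are held constant or that a nil error is the expected outcome, so the assertion is carried entirely by the harness's default objects, which are outside this hunk. A comment on the case would make the security claim explicit, e.g. `// authorizer denies, but the harness updates a binding whose paramRef (and, presumably, policyName) are unchanged, so no authz check should be performed; no expectErrContains means a nil error is expected`. Because this pins a skip of the authorization check, it is also worth confirming a sibling case covers the inverse where the authorizer denies and only policyName changes (a different policy can resolve to a different param resource), so the skip cannot be widened without a test failing. TestAuthorization starts and ends outside the hunk.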