From 1acbfba57678a1df52f19aeff9c647cb359d02a4 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Fri, 24 Apr 2015 11:17:04 -0400 Subject: [PATCH] Added basic apiserver authz tests. --- pkg/apiserver/authz_test.go | 68 +++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 pkg/apiserver/authz_test.go diff --git a/pkg/apiserver/authz_test.go b/pkg/apiserver/authz_test.go new file mode 100644 index 00000000000..9a0d616f4f9 --- /dev/null +++ b/pkg/apiserver/authz_test.go @@ -0,0 +1,68 @@ +/* +Copyright 2014 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package apiserver + +import ( + "testing" +) + +// NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer +// and always return nil. +func TestNewAlwaysAllowAuthorizer(t *testing.T) { + aaa := NewAlwaysAllowAuthorizer() + if result := aaa.Authorize(nil); result != nil { + t.Errorf("AlwaysAllowAuthorizer.Authorize did not return nil. (%s)", result) + } +} + +// NewAlwaysDenyAuthorizer must return a struct which implements authorizer.Authorizer +// and always return an error as everything is forbidden. +func TestNewAlwaysDenyAuthorizer(t *testing.T) { + ada := NewAlwaysDenyAuthorizer() + if result := ada.Authorize(nil); result == nil { + t.Errorf("AlwaysDenyAuthorizer.Authorize returned nil instead of error.") + } +} + +// NewAuthorizerFromAuthorizationConfig has multiple return possibilities. This test +// validates that errors are returned only when proper. +func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) { + // Unknown modes should return errors + if _, err := NewAuthorizerFromAuthorizationConfig("DoesNotExist", ""); err == nil { + t.Errorf("NewAuthorizerFromAuthorizationConfig using a fake mode should have returned an error") + } + + // ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile + // but error if one is given + for _, config := range []string{ModeAlwaysAllow, ModeAlwaysDeny} { + if _, err := NewAuthorizerFromAuthorizationConfig(config, ""); err != nil { + t.Errorf("NewAuthorizerFromAuthorizationConfig with %s returned an error: %s", err, config) + } + if _, err := NewAuthorizerFromAuthorizationConfig(config, "shoulderror"); err == nil { + t.Errorf("NewAuthorizerFromAuthorizationConfig with %s should have returned an error", config) + } + } + + // ModeABAC requires a policy file + if _, err := NewAuthorizerFromAuthorizationConfig(ModeABAC, ""); err == nil { + t.Errorf("NewAuthorizerFromAuthorizationConfig using a fake mode should have returned an error") + } + // ModeABAC should not error if a valid policy path is provided + if _, err := NewAuthorizerFromAuthorizationConfig(ModeABAC, "../auth/authorizer/abac/example_policy_file.jsonl"); err != nil { + t.Errorf("NewAuthorizerFromAuthorizationConfig errored while using a valid policy file: %s", err) + } +}