github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 14:37:00 +00:00
Code Issues Projects Releases Wiki Activity

Added non-randomized tests of matching FlowSchema rules

Browse Source
This commit is contained in:
Mike Spreitzer 2020-02-27 23:36:19 -05:00
parent 79377454e8
commit 21f78f3348
1 changed files with 244 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

244
staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go
View File

@ -21,7 +21,11 @@ import (
"math/rand"
"testing"
fcv1a1 "k8s.io/api/flowcontrol/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/request"
fcfmt "k8s.io/apiserver/pkg/util/flowcontrol/format"
)
@ -76,3 +80,243 @@ func TestPolicyRules(t *testing.T) {
})
}
}
func TestLiterals(t *testing.T) {
ui := &user.DefaultInfo{Name: "goodu", UID: "1",
Groups: []string{"goodg1", "goodg2"}}
reqRN := RequestDigest{
&request.RequestInfo{
IsResourceRequest: true,
Path: "/apis/gooda/v1/namespaces/goodn/goods",
Verb: "goodv",
APIPrefix: "apis",
APIGroup: "gooda",
APIVersion: "v1",
Namespace: "goodn",
Resource: "goods",
Name: "eman",
Parts: []string{"goods", "eman"}},
ui}
reqRU := RequestDigest{
&request.RequestInfo{
IsResourceRequest: true,
Path: "/apis/gooda/v1/goods",
Verb: "goodv",
APIPrefix: "apis",
APIGroup: "gooda",
APIVersion: "v1",
Namespace: "",
Resource: "goods",
Name: "eman",
Parts: []string{"goods", "eman"}},
ui}
reqN := RequestDigest{
&request.RequestInfo{
IsResourceRequest: false,
Path: "/openapi/v2",
Verb: "goodv"},
ui}
checkRules(t, true, reqRN, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup,
Group: &fcv1a1.GroupSubject{"goodg1"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"*"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup,
Group: &fcv1a1.GroupSubject{"*"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"*"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"*"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"*"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"*"}}}},
})
checkRules(t, false, reqRN, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"badu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup,
Group: &fcv1a1.GroupSubject{"badg"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"badv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"bada"},
Resources: []string{"goods"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"bads"},
Namespaces: []string{"goodn"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
Namespaces: []string{"badn"}}}},
})
checkRules(t, true, reqRU, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"*"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"*"},
Resources: []string{"goods"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"*"},
ClusterScope: true}}}})
checkRules(t, false, reqRU, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"badv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"bada"},
Resources: []string{"goods"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"bads"},
ClusterScope: true}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
ResourceRules: []fcv1a1.ResourcePolicyRule{{
Verbs: []string{"goodv"},
APIGroups: []string{"gooda"},
Resources: []string{"goods"},
ClusterScope: false}}},
})
checkRules(t, true, reqN, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
NonResourceRules: []fcv1a1.NonResourcePolicyRule{{
Verbs: []string{"goodv"},
NonResourceURLs: []string{"/openapi/v2"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
NonResourceRules: []fcv1a1.NonResourcePolicyRule{{
Verbs: []string{"*"},
NonResourceURLs: []string{"/openapi/v2"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
NonResourceRules: []fcv1a1.NonResourcePolicyRule{{
Verbs: []string{"goodv"},
NonResourceURLs: []string{"*"}}}},
})
checkRules(t, false, reqN, []fcv1a1.PolicyRulesWithSubjects{{
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
NonResourceRules: []fcv1a1.NonResourcePolicyRule{{
Verbs: []string{"badv"},
NonResourceURLs: []string{"/openapi/v2"}}}}, {
Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
User: &fcv1a1.UserSubject{"goodu"}}},
NonResourceRules: []fcv1a1.NonResourcePolicyRule{{
Verbs: []string{"goodv"},
NonResourceURLs: []string{"/closedapi/v2"}}}},
})
}
func checkRules(t *testing.T, expectMatch bool, digest RequestDigest, rules []fcv1a1.PolicyRulesWithSubjects) {
for idx, rule := range rules {
fs := &fcv1a1.FlowSchema{
ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("rule%d", idx)},
Spec: fcv1a1.FlowSchemaSpec{
Rules: []fcv1a1.PolicyRulesWithSubjects{rule}}}
actualMatch := matchesFlowSchema(digest, fs)
if expectMatch != actualMatch {
t.Errorf("expectMatch=%v, actualMatch=%v, digest=%#+v, fs=%s", expectMatch, actualMatch, digest, fcfmt.Fmt(fs))
}
}
}