From 21f78f3348736f242541f7b66e191aa1dce78c47 Mon Sep 17 00:00:00 2001 From: Mike Spreitzer Date: Thu, 27 Feb 2020 23:36:19 -0500 Subject: [PATCH 1/2] Added non-randomized tests of matching FlowSchema rules --- .../pkg/util/flowcontrol/match_test.go | 244 ++++++++++++++++++ 1 file changed, 244 insertions(+) diff --git a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go index 298698cb523..fdfa9a028ab 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go +++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go @@ -21,7 +21,11 @@ import ( "math/rand" "testing" + fcv1a1 "k8s.io/api/flowcontrol/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apiserver/pkg/authentication/user" + "k8s.io/apiserver/pkg/endpoints/request" fcfmt "k8s.io/apiserver/pkg/util/flowcontrol/format" ) 
@@ -76,3 +80,243 @@ func TestPolicyRules(t *testing.T) { }) } } + +func TestLiterals(t *testing.T) { + ui := &user.DefaultInfo{Name: "goodu", UID: "1", + Groups: []string{"goodg1", "goodg2"}} + reqRN := RequestDigest{ + &request.RequestInfo{ + IsResourceRequest: true, + Path: "/apis/gooda/v1/namespaces/goodn/goods", + Verb: "goodv", + APIPrefix: "apis", + APIGroup: "gooda", + APIVersion: "v1", + Namespace: "goodn", + Resource: "goods", + Name: "eman", + Parts: []string{"goods", "eman"}}, + ui} + reqRU := RequestDigest{ + &request.RequestInfo{ + IsResourceRequest: true, + Path: "/apis/gooda/v1/goods", + Verb: "goodv", + APIPrefix: "apis", + APIGroup: "gooda", + APIVersion: "v1", + Namespace: "", + Resource: "goods", + Name: "eman", + Parts: []string{"goods", "eman"}}, + ui} + reqN := RequestDigest{ + &request.RequestInfo{ + IsResourceRequest: false, + Path: "/openapi/v2", + Verb: "goodv"}, + ui} + checkRules(t, true, reqRN, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, + Group: &fcv1a1.GroupSubject{"goodg1"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"*"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, + Group: &fcv1a1.GroupSubject{"*"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: 
[]string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"*"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"*"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"*"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"*"}}}}, + }) + checkRules(t, false, reqRN, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"badu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, + Group: &fcv1a1.GroupSubject{"badg"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"badv"}, + APIGroups: 
[]string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"bada"}, + Resources: []string{"goods"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"bads"}, + Namespaces: []string{"goodn"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + Namespaces: []string{"badn"}}}}, + }) + checkRules(t, true, reqRU, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"*"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"*"}, + Resources: []string{"goods"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: 
[]string{"*"}, + ClusterScope: true}}}}) + checkRules(t, false, reqRU, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"badv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"bada"}, + Resources: []string{"goods"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"bads"}, + ClusterScope: true}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + ResourceRules: []fcv1a1.ResourcePolicyRule{{ + Verbs: []string{"goodv"}, + APIGroups: []string{"gooda"}, + Resources: []string{"goods"}, + ClusterScope: false}}}, + }) + checkRules(t, true, reqN, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ + Verbs: []string{"goodv"}, + NonResourceURLs: []string{"/openapi/v2"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ + Verbs: []string{"*"}, + NonResourceURLs: []string{"/openapi/v2"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ + Verbs: []string{"goodv"}, + NonResourceURLs: []string{"*"}}}}, + }) + checkRules(t, false, reqN, []fcv1a1.PolicyRulesWithSubjects{{ + Subjects: 
[]fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ + Verbs: []string{"badv"}, + NonResourceURLs: []string{"/openapi/v2"}}}}, { + Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, + User: &fcv1a1.UserSubject{"goodu"}}}, + NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ + Verbs: []string{"goodv"}, + NonResourceURLs: []string{"/closedapi/v2"}}}}, + }) +} + +func checkRules(t *testing.T, expectMatch bool, digest RequestDigest, rules []fcv1a1.PolicyRulesWithSubjects) { + for idx, rule := range rules { + fs := &fcv1a1.FlowSchema{ + ObjectMeta: metav1.ObjectMeta{Name: fmt.Sprintf("rule%d", idx)}, + Spec: fcv1a1.FlowSchemaSpec{ + Rules: []fcv1a1.PolicyRulesWithSubjects{rule}}} + actualMatch := matchesFlowSchema(digest, fs) + if expectMatch != actualMatch { + t.Errorf("expectMatch=%v, actualMatch=%v, digest=%#+v, fs=%s", expectMatch, actualMatch, digest, fcfmt.Fmt(fs)) + } + } +} From 4a4852ca9a1ffc439e2c476d7057a8be9f081055 Mon Sep 17 00:00:00 2001 From: Mike Spreitzer Date: Wed, 4 Mar 2020 21:47:19 -0500 Subject: [PATCH 2/2] Hopefully plainer test strings --- .../pkg/util/flowcontrol/match_test.go | 178 +++++++++--------- 1 file changed, 89 insertions(+), 89 deletions(-) diff --git a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go index fdfa9a028ab..787905fa2f2 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go +++ b/staging/src/k8s.io/apiserver/pkg/util/flowcontrol/match_test.go 
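Review bot: The non-matching sets in `TestLiterals` pin the namespace/cluster-scope boundary only halfway: for `reqRU` the one scope case is `ClusterScope: false` with no `Namespaces`, and for `reqRN` no rule has `ClusterScope: true` without `Namespaces`. Flow-schema matching decides which priority level a request is queued under, so it is worth asserting that `Namespaces: []string{"*"}` does not match a cluster-scoped request and that `ClusterScope: true` alone does not match a namespaced one; that is the documented behaviour as I read it, but `matchesFlowSchema` is outside this hunk, so confirm the expected result before adding the cases. The literal cases also exercise only User and Group subjects; whether ServiceAccount subjects are covered elsewhere (for example by the randomized `TestPolicyRules`) cannot be told from here. Separately, `checkRules` is an assertion helper and should begin with `t.Helper()` so a failure is reported at the calling `checkRules(...)` line. The sketch below uses this patch's literals, which PATCH 2/2 renames.

```go
// … unchanged: existing non-matching rules passed to checkRules(t, false, reqRN, …) …
	{
		// ClusterScope alone must not match a namespaced request.
		Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
			User: &fcv1a1.UserSubject{"goodu"}}},
		ResourceRules: []fcv1a1.ResourcePolicyRule{{
			Verbs:        []string{"goodv"},
			APIGroups:    []string{"gooda"},
			Resources:    []string{"goods"},
			ClusterScope: true}}},

// … unchanged: existing non-matching rules passed to checkRules(t, false, reqRU, …) …
	{
		// The namespace wildcard must not match a cluster-scoped request.
		Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser,
			User: &fcv1a1.UserSubject{"goodu"}}},
		ResourceRules: []fcv1a1.ResourcePolicyRule{{
			Verbs:      []string{"goodv"},
			APIGroups:  []string{"gooda"},
			Resources:  []string{"goods"},
			Namespaces: []string{"*"}}}},
```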
@@ -87,201 +87,201 @@ func TestLiterals(t *testing.T) { reqRN := RequestDigest{ &request.RequestInfo{ IsResourceRequest: true, - Path: "/apis/gooda/v1/namespaces/goodn/goods", - Verb: "goodv", + Path: "/apis/goodapig/v1/namespaces/goodns/goodrscs", + Verb: "goodverb", APIPrefix: "apis", - APIGroup: "gooda", + APIGroup: "goodapig", APIVersion: "v1", - Namespace: "goodn", - Resource: "goods", + Namespace: "goodns", + Resource: "goodrscs", Name: "eman", - Parts: []string{"goods", "eman"}}, + Parts: []string{"goodrscs", "eman"}}, ui} reqRU := RequestDigest{ &request.RequestInfo{ IsResourceRequest: true, - Path: "/apis/gooda/v1/goods", - Verb: "goodv", + Path: "/apis/goodapig/v1/goodrscs", + Verb: "goodverb", APIPrefix: "apis", - APIGroup: "gooda", + APIGroup: "goodapig", APIVersion: "v1", Namespace: "", - Resource: "goods", + Resource: "goodrscs", Name: "eman", - Parts: []string{"goods", "eman"}}, + Parts: []string{"goodrscs", "eman"}}, ui} reqN := RequestDigest{ &request.RequestInfo{ IsResourceRequest: false, Path: "/openapi/v2", - Verb: "goodv"}, + Verb: "goodverb"}, ui} checkRules(t, true, reqRN, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, Group: &fcv1a1.GroupSubject{"goodg1"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: 
[]fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"*"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, Group: &fcv1a1.GroupSubject{"*"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ Verbs: []string{"*"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, + Verbs: []string{"goodverb"}, APIGroups: []string{"*"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, Resources: []string{"*"}, - Namespaces: []string{"goodn"}}}}, { + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: 
&fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, Namespaces: []string{"*"}}}}, }) checkRules(t, false, reqRN, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"badu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindGroup, Group: &fcv1a1.GroupSubject{"badg"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"badv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"badverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"bada"}, - Resources: []string{"goods"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"badapig"}, + Resources: []string{"goodrscs"}, + Namespaces: 
[]string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"bads"}, - Namespaces: []string{"goodn"}}}}, { + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"badrscs"}, + Namespaces: []string{"goodns"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, - Namespaces: []string{"badn"}}}}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, + Namespaces: []string{"badns"}}}}, }) checkRules(t, true, reqRU, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ Verbs: []string{"*"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, + Verbs: []string{"goodverb"}, APIGroups: []string{"*"}, - Resources: []string{"goods"}, + Resources: []string{"goodrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, 
ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, Resources: []string{"*"}, ClusterScope: true}}}}) checkRules(t, false, reqRU, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"badv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, + Verbs: []string{"badverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"bada"}, - Resources: []string{"goods"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"badapig"}, + Resources: []string{"goodrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"bads"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"badrscs"}, ClusterScope: true}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, ResourceRules: []fcv1a1.ResourcePolicyRule{{ - Verbs: []string{"goodv"}, - APIGroups: []string{"gooda"}, - Resources: []string{"goods"}, + Verbs: []string{"goodverb"}, + APIGroups: []string{"goodapig"}, + Resources: []string{"goodrscs"}, ClusterScope: false}}}, }) checkRules(t, true, reqN, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ - Verbs: []string{"goodv"}, + Verbs: []string{"goodverb"}, NonResourceURLs: 
[]string{"/openapi/v2"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, @@ -291,19 +291,19 @@ func TestLiterals(t *testing.T) { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ - Verbs: []string{"goodv"}, + Verbs: []string{"goodverb"}, NonResourceURLs: []string{"*"}}}}, }) checkRules(t, false, reqN, []fcv1a1.PolicyRulesWithSubjects{{ Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ - Verbs: []string{"badv"}, + Verbs: []string{"badverb"}, NonResourceURLs: []string{"/openapi/v2"}}}}, { Subjects: []fcv1a1.Subject{{Kind: fcv1a1.SubjectKindUser, User: &fcv1a1.UserSubject{"goodu"}}}, NonResourceRules: []fcv1a1.NonResourcePolicyRule{{ - Verbs: []string{"goodv"}, + Verbs: []string{"goodverb"}, NonResourceURLs: []string{"/closedapi/v2"}}}}, }) }