mirror of
				https://github.com/k3s-io/kubernetes.git
				synced 2025-10-25 10:00:53 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			622 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			622 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| /*
 | |
| Copyright 2016 The Kubernetes Authors.
 | |
| 
 | |
| Licensed under the Apache License, Version 2.0 (the "License");
 | |
| you may not use this file except in compliance with the License.
 | |
| You may obtain a copy of the License at
 | |
| 
 | |
|     http://www.apache.org/licenses/LICENSE-2.0
 | |
| 
 | |
| Unless required by applicable law or agreed to in writing, software
 | |
| distributed under the License is distributed on an "AS IS" BASIS,
 | |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| See the License for the specific language governing permissions and
 | |
| limitations under the License.
 | |
| */
 | |
| 
 | |
| package auth
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"fmt"
 | |
| 	"io"
 | |
| 	"io/ioutil"
 | |
| 	"net/http"
 | |
| 	"net/http/httputil"
 | |
| 	"strings"
 | |
| 	"testing"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/golang/glog"
 | |
| 
 | |
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 | |
| 	"k8s.io/apimachinery/pkg/runtime/schema"
 | |
| 	"k8s.io/apimachinery/pkg/watch"
 | |
| 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 | |
| 	"k8s.io/apiserver/pkg/authentication/token/tokenfile"
 | |
| 	"k8s.io/apiserver/pkg/authentication/user"
 | |
| 	"k8s.io/apiserver/pkg/authorization/authorizer"
 | |
| 	"k8s.io/apiserver/pkg/registry/generic"
 | |
| 	externalclientset "k8s.io/client-go/kubernetes"
 | |
| 	restclient "k8s.io/client-go/rest"
 | |
| 	watchtools "k8s.io/client-go/tools/watch"
 | |
| 	"k8s.io/client-go/transport"
 | |
| 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 | |
| 	"k8s.io/kubernetes/pkg/api/testapi"
 | |
| 	api "k8s.io/kubernetes/pkg/apis/core"
 | |
| 	rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
 | |
| 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 | |
| 	"k8s.io/kubernetes/pkg/master"
 | |
| 	"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
 | |
| 	clusterrolestore "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/storage"
 | |
| 	"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
 | |
| 	clusterrolebindingstore "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/storage"
 | |
| 	"k8s.io/kubernetes/pkg/registry/rbac/role"
 | |
| 	rolestore "k8s.io/kubernetes/pkg/registry/rbac/role/storage"
 | |
| 	"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
 | |
| 	rolebindingstore "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/storage"
 | |
| 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 | |
| 	"k8s.io/kubernetes/test/integration/framework"
 | |
| )
 | |
| 
 | |
| func clientForToken(user string) *http.Client {
 | |
| 	return &http.Client{
 | |
| 		Transport: transport.NewBearerAuthRoundTripper(
 | |
| 			user,
 | |
| 			transport.DebugWrappers(http.DefaultTransport),
 | |
| 		),
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func clientsetForToken(user string, config *restclient.Config) (clientset.Interface, externalclientset.Interface) {
 | |
| 	configCopy := *config
 | |
| 	configCopy.BearerToken = user
 | |
| 	return clientset.NewForConfigOrDie(&configCopy), externalclientset.NewForConfigOrDie(&configCopy)
 | |
| }
 | |
| 
 | |
| type testRESTOptionsGetter struct {
 | |
| 	config *master.Config
 | |
| }
 | |
| 
 | |
| func (getter *testRESTOptionsGetter) GetRESTOptions(resource schema.GroupResource) (generic.RESTOptions, error) {
 | |
| 	storageConfig, err := getter.config.ExtraConfig.StorageFactory.NewConfig(resource)
 | |
| 	if err != nil {
 | |
| 		return generic.RESTOptions{}, fmt.Errorf("failed to get storage: %v", err)
 | |
| 	}
 | |
| 	return generic.RESTOptions{StorageConfig: storageConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: resource.Resource}, nil
 | |
| }
 | |
| 
 | |
| func newRBACAuthorizer(config *master.Config) authorizer.Authorizer {
 | |
| 	optsGetter := &testRESTOptionsGetter{config}
 | |
| 	roleRegistry := role.AuthorizerAdapter{Registry: role.NewRegistry(rolestore.NewREST(optsGetter))}
 | |
| 	roleBindingRegistry := rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(rolebindingstore.NewREST(optsGetter))}
 | |
| 	clusterRoleRegistry := clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterrolestore.NewREST(optsGetter))}
 | |
| 	clusterRoleBindingRegistry := clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterrolebindingstore.NewREST(optsGetter))}
 | |
| 	return rbac.New(roleRegistry, roleBindingRegistry, clusterRoleRegistry, clusterRoleBindingRegistry)
 | |
| }
 | |
| 
 | |
| // bootstrapRoles are a set of RBAC roles which will be populated before the test.
 | |
| type bootstrapRoles struct {
 | |
| 	roles               []rbacapi.Role
 | |
| 	roleBindings        []rbacapi.RoleBinding
 | |
| 	clusterRoles        []rbacapi.ClusterRole
 | |
| 	clusterRoleBindings []rbacapi.ClusterRoleBinding
 | |
| }
 | |
| 
 | |
| // bootstrap uses the provided client to create the bootstrap roles and role bindings.
 | |
| //
 | |
| // client should be authenticated as the RBAC super user.
 | |
| func (b bootstrapRoles) bootstrap(client clientset.Interface) error {
 | |
| 	for _, r := range b.clusterRoles {
 | |
| 		_, err := client.Rbac().ClusterRoles().Create(&r)
 | |
| 		if err != nil {
 | |
| 			return fmt.Errorf("failed to make request: %v", err)
 | |
| 		}
 | |
| 	}
 | |
| 	for _, r := range b.roles {
 | |
| 		_, err := client.Rbac().Roles(r.Namespace).Create(&r)
 | |
| 		if err != nil {
 | |
| 			return fmt.Errorf("failed to make request: %v", err)
 | |
| 		}
 | |
| 	}
 | |
| 	for _, r := range b.clusterRoleBindings {
 | |
| 		_, err := client.Rbac().ClusterRoleBindings().Create(&r)
 | |
| 		if err != nil {
 | |
| 			return fmt.Errorf("failed to make request: %v", err)
 | |
| 		}
 | |
| 	}
 | |
| 	for _, r := range b.roleBindings {
 | |
| 		_, err := client.Rbac().RoleBindings(r.Namespace).Create(&r)
 | |
| 		if err != nil {
 | |
| 			return fmt.Errorf("failed to make request: %v", err)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return nil
 | |
| }
 | |
| 
 | |
| // request is a test case which can.
 | |
| type request struct {
 | |
| 	// The bearer token sent as part of the request
 | |
| 	token string
 | |
| 
 | |
| 	// Resource metadata
 | |
| 	verb      string
 | |
| 	apiGroup  string
 | |
| 	resource  string
 | |
| 	namespace string
 | |
| 	name      string
 | |
| 
 | |
| 	// The actual resource.
 | |
| 	body string
 | |
| 
 | |
| 	// The expected return status of this request.
 | |
| 	expectedStatus int
 | |
| }
 | |
| 
 | |
| func (r request) String() string {
 | |
| 	return fmt.Sprintf("%s %s %s", r.token, r.verb, r.resource)
 | |
| }
 | |
| 
 | |
| type statusCode int
 | |
| 
 | |
| func (s statusCode) String() string {
 | |
| 	return fmt.Sprintf("%d %s", int(s), http.StatusText(int(s)))
 | |
| }
 | |
| 
 | |
| // Declare a set of raw objects to use.
 | |
| var (
 | |
| 	// Make a role binding with the version enabled in testapi.Rbac
 | |
| 	// This assumes testapi is using rbac.authorization.k8s.io/v1beta1 or rbac.authorization.k8s.io/v1, which are identical in structure.
 | |
| 	// TODO: rework or remove testapi usage to allow writing integration tests that don't depend on envvars
 | |
| 	writeJobsRoleBinding = `
 | |
| {
 | |
|   "apiVersion": "` + testapi.Rbac.GroupVersion().String() + `",
 | |
|   "kind": "RoleBinding",
 | |
|   "metadata": {
 | |
|     "name": "pi"%s
 | |
|   },
 | |
|   "roleRef": {
 | |
|     "apiGroup": "rbac.authorization.k8s.io",
 | |
|     "kind": "ClusterRole",
 | |
|     "name": "write-jobs"
 | |
|   },
 | |
|   "subjects": [{
 | |
|     "apiGroup": "rbac.authorization.k8s.io",
 | |
|     "kind": "User",
 | |
|     "name": "admin"
 | |
|   }]
 | |
| }`
 | |
| 
 | |
| 	aJob = `
 | |
| {
 | |
|   "apiVersion": "batch/v1",
 | |
|   "kind": "Job",
 | |
|   "metadata": {
 | |
|     "name": "pi"%s
 | |
|   },
 | |
|   "spec": {
 | |
|     "template": {
 | |
|       "metadata": {
 | |
|         "name": "a",
 | |
|         "labels": {
 | |
|           "name": "pijob"
 | |
|         }
 | |
|       },
 | |
|       "spec": {
 | |
|         "containers": [
 | |
|           {
 | |
|             "name": "pi",
 | |
|             "image": "perl",
 | |
|             "command": [
 | |
|               "perl",
 | |
|               "-Mbignum=bpi",
 | |
|               "-wle",
 | |
|               "print bpi(2000)"
 | |
|             ]
 | |
|           }
 | |
|         ],
 | |
|         "restartPolicy": "Never"
 | |
|       }
 | |
|     }
 | |
|   }
 | |
| }
 | |
| `
 | |
| 	aLimitRange = `
 | |
| {
 | |
|   "apiVersion": "v1",
 | |
|   "kind": "LimitRange",
 | |
|   "metadata": {
 | |
|     "name": "a"%s
 | |
|   }
 | |
| }
 | |
| `
 | |
| 	podNamespace = `
 | |
| {
 | |
|   "apiVersion": "` + testapi.Groups[api.GroupName].GroupVersion().String() + `",
 | |
|   "kind": "Namespace",
 | |
|   "metadata": {
 | |
| 	"name": "pod-namespace"%s
 | |
|   }
 | |
| }
 | |
| `
 | |
| 	jobNamespace = `
 | |
| {
 | |
|   "apiVersion": "` + testapi.Groups[api.GroupName].GroupVersion().String() + `",
 | |
|   "kind": "Namespace",
 | |
|   "metadata": {
 | |
| 	"name": "job-namespace"%s
 | |
|   }
 | |
| }
 | |
| `
 | |
| 	forbiddenNamespace = `
 | |
| {
 | |
|   "apiVersion": "` + testapi.Groups[api.GroupName].GroupVersion().String() + `",
 | |
|   "kind": "Namespace",
 | |
|   "metadata": {
 | |
| 	"name": "forbidden-namespace"%s
 | |
|   }
 | |
| }
 | |
| `
 | |
| 	limitRangeNamespace = `
 | |
| {
 | |
|   "apiVersion": "` + testapi.Groups[api.GroupName].GroupVersion().String() + `",
 | |
|   "kind": "Namespace",
 | |
|   "metadata": {
 | |
| 	"name": "limitrange-namespace"%s
 | |
|   }
 | |
| }
 | |
| `
 | |
| )
 | |
| 
 | |
| // Declare some PolicyRules beforehand.
 | |
| var (
 | |
| 	ruleAllowAll  = rbacapi.NewRule("*").Groups("*").Resources("*").RuleOrDie()
 | |
| 	ruleReadPods  = rbacapi.NewRule("list", "get", "watch").Groups("").Resources("pods").RuleOrDie()
 | |
| 	ruleWriteJobs = rbacapi.NewRule("*").Groups("batch").Resources("*").RuleOrDie()
 | |
| )
 | |
| 
 | |
| func TestRBAC(t *testing.T) {
 | |
| 	superUser := "admin/system:masters"
 | |
| 
 | |
| 	tests := []struct {
 | |
| 		bootstrapRoles bootstrapRoles
 | |
| 
 | |
| 		requests []request
 | |
| 	}{
 | |
| 		{
 | |
| 			bootstrapRoles: bootstrapRoles{
 | |
| 				clusterRoles: []rbacapi.ClusterRole{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "allow-all"},
 | |
| 						Rules:      []rbacapi.PolicyRule{ruleAllowAll},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "read-pods"},
 | |
| 						Rules:      []rbacapi.PolicyRule{ruleReadPods},
 | |
| 					},
 | |
| 				},
 | |
| 				clusterRoleBindings: []rbacapi.ClusterRoleBinding{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "read-pods"},
 | |
| 						Subjects: []rbacapi.Subject{
 | |
| 							{Kind: "User", Name: "pod-reader"},
 | |
| 						},
 | |
| 						RoleRef: rbacapi.RoleRef{Kind: "ClusterRole", Name: "read-pods"},
 | |
| 					},
 | |
| 				},
 | |
| 			},
 | |
| 			requests: []request{
 | |
| 				// Create the namespace used later in the test
 | |
| 				{superUser, "POST", "", "namespaces", "", "", podNamespace, http.StatusCreated},
 | |
| 
 | |
| 				{superUser, "GET", "", "pods", "", "", "", http.StatusOK},
 | |
| 				{superUser, "GET", "", "pods", "pod-namespace", "a", "", http.StatusNotFound},
 | |
| 				{superUser, "POST", "", "pods", "pod-namespace", "", aPod, http.StatusCreated},
 | |
| 				{superUser, "GET", "", "pods", "pod-namespace", "a", "", http.StatusOK},
 | |
| 
 | |
| 				{"bob", "GET", "", "pods", "", "", "", http.StatusForbidden},
 | |
| 				{"bob", "GET", "", "pods", "pod-namespace", "a", "", http.StatusForbidden},
 | |
| 
 | |
| 				{"pod-reader", "GET", "", "pods", "", "", "", http.StatusOK},
 | |
| 				{"pod-reader", "POST", "", "pods", "pod-namespace", "", aPod, http.StatusForbidden},
 | |
| 			},
 | |
| 		},
 | |
| 		{
 | |
| 			bootstrapRoles: bootstrapRoles{
 | |
| 				clusterRoles: []rbacapi.ClusterRole{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "write-jobs"},
 | |
| 						Rules:      []rbacapi.PolicyRule{ruleWriteJobs},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "create-rolebindings"},
 | |
| 						Rules: []rbacapi.PolicyRule{
 | |
| 							rbacapi.NewRule("create").Groups("rbac.authorization.k8s.io").Resources("rolebindings").RuleOrDie(),
 | |
| 						},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "bind-any-clusterrole"},
 | |
| 						Rules: []rbacapi.PolicyRule{
 | |
| 							rbacapi.NewRule("bind").Groups("rbac.authorization.k8s.io").Resources("clusterroles").RuleOrDie(),
 | |
| 						},
 | |
| 					},
 | |
| 				},
 | |
| 				clusterRoleBindings: []rbacapi.ClusterRoleBinding{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "write-jobs"},
 | |
| 						Subjects:   []rbacapi.Subject{{Kind: "User", Name: "job-writer"}},
 | |
| 						RoleRef:    rbacapi.RoleRef{Kind: "ClusterRole", Name: "write-jobs"},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "create-rolebindings"},
 | |
| 						Subjects: []rbacapi.Subject{
 | |
| 							{Kind: "User", Name: "job-writer"},
 | |
| 							{Kind: "User", Name: "nonescalating-rolebinding-writer"},
 | |
| 							{Kind: "User", Name: "any-rolebinding-writer"},
 | |
| 						},
 | |
| 						RoleRef: rbacapi.RoleRef{Kind: "ClusterRole", Name: "create-rolebindings"},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "bind-any-clusterrole"},
 | |
| 						Subjects:   []rbacapi.Subject{{Kind: "User", Name: "any-rolebinding-writer"}},
 | |
| 						RoleRef:    rbacapi.RoleRef{Kind: "ClusterRole", Name: "bind-any-clusterrole"},
 | |
| 					},
 | |
| 				},
 | |
| 				roleBindings: []rbacapi.RoleBinding{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "write-jobs", Namespace: "job-namespace"},
 | |
| 						Subjects:   []rbacapi.Subject{{Kind: "User", Name: "job-writer-namespace"}},
 | |
| 						RoleRef:    rbacapi.RoleRef{Kind: "ClusterRole", Name: "write-jobs"},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "create-rolebindings", Namespace: "job-namespace"},
 | |
| 						Subjects: []rbacapi.Subject{
 | |
| 							{Kind: "User", Name: "job-writer-namespace"},
 | |
| 							{Kind: "User", Name: "any-rolebinding-writer-namespace"},
 | |
| 						},
 | |
| 						RoleRef: rbacapi.RoleRef{Kind: "ClusterRole", Name: "create-rolebindings"},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "bind-any-clusterrole", Namespace: "job-namespace"},
 | |
| 						Subjects:   []rbacapi.Subject{{Kind: "User", Name: "any-rolebinding-writer-namespace"}},
 | |
| 						RoleRef:    rbacapi.RoleRef{Kind: "ClusterRole", Name: "bind-any-clusterrole"},
 | |
| 					},
 | |
| 				},
 | |
| 			},
 | |
| 			requests: []request{
 | |
| 				// Create the namespace used later in the test
 | |
| 				{superUser, "POST", "", "namespaces", "", "", jobNamespace, http.StatusCreated},
 | |
| 				{superUser, "POST", "", "namespaces", "", "", forbiddenNamespace, http.StatusCreated},
 | |
| 
 | |
| 				{"user-with-no-permissions", "POST", "batch", "jobs", "job-namespace", "", aJob, http.StatusForbidden},
 | |
| 				{"user-with-no-permissions", "GET", "batch", "jobs", "job-namespace", "pi", "", http.StatusForbidden},
 | |
| 
 | |
| 				// job-writer-namespace cannot write to the "forbidden-namespace"
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "forbidden-namespace", "", "", http.StatusForbidden},
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "forbidden-namespace", "pi", "", http.StatusForbidden},
 | |
| 				{"job-writer-namespace", "POST", "batch", "jobs", "forbidden-namespace", "", aJob, http.StatusForbidden},
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "forbidden-namespace", "pi", "", http.StatusForbidden},
 | |
| 
 | |
| 				// job-writer can write to any namespace
 | |
| 				{"job-writer", "GET", "batch", "jobs", "forbidden-namespace", "", "", http.StatusOK},
 | |
| 				{"job-writer", "GET", "batch", "jobs", "forbidden-namespace", "pi", "", http.StatusNotFound},
 | |
| 				{"job-writer", "POST", "batch", "jobs", "forbidden-namespace", "", aJob, http.StatusCreated},
 | |
| 				{"job-writer", "GET", "batch", "jobs", "forbidden-namespace", "pi", "", http.StatusOK},
 | |
| 
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "job-namespace", "", "", http.StatusOK},
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "job-namespace", "pi", "", http.StatusNotFound},
 | |
| 				{"job-writer-namespace", "POST", "batch", "jobs", "job-namespace", "", aJob, http.StatusCreated},
 | |
| 				{"job-writer-namespace", "GET", "batch", "jobs", "job-namespace", "pi", "", http.StatusOK},
 | |
| 
 | |
| 				// cannot bind role anywhere
 | |
| 				{"user-with-no-permissions", "POST", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "", writeJobsRoleBinding, http.StatusForbidden},
 | |
| 				// can only bind role in namespace where they have explicit bind permission
 | |
| 				{"any-rolebinding-writer-namespace", "POST", "rbac.authorization.k8s.io", "rolebindings", "forbidden-namespace", "", writeJobsRoleBinding, http.StatusForbidden},
 | |
| 				// can only bind role in namespace where they have covering permissions
 | |
| 				{"job-writer-namespace", "POST", "rbac.authorization.k8s.io", "rolebindings", "forbidden-namespace", "", writeJobsRoleBinding, http.StatusForbidden},
 | |
| 				{"job-writer-namespace", "POST", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "", writeJobsRoleBinding, http.StatusCreated},
 | |
| 				{superUser, "DELETE", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "pi", "", http.StatusOK},
 | |
| 				// can bind role in any namespace where they have covering permissions
 | |
| 				{"job-writer", "POST", "rbac.authorization.k8s.io", "rolebindings", "forbidden-namespace", "", writeJobsRoleBinding, http.StatusCreated},
 | |
| 				{superUser, "DELETE", "rbac.authorization.k8s.io", "rolebindings", "forbidden-namespace", "pi", "", http.StatusOK},
 | |
| 				// cannot bind role because they don't have covering permissions
 | |
| 				{"nonescalating-rolebinding-writer", "POST", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "", writeJobsRoleBinding, http.StatusForbidden},
 | |
| 				// can bind role because they have explicit bind permission
 | |
| 				{"any-rolebinding-writer", "POST", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "", writeJobsRoleBinding, http.StatusCreated},
 | |
| 				{superUser, "DELETE", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "pi", "", http.StatusOK},
 | |
| 				{"any-rolebinding-writer-namespace", "POST", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "", writeJobsRoleBinding, http.StatusCreated},
 | |
| 				{superUser, "DELETE", "rbac.authorization.k8s.io", "rolebindings", "job-namespace", "pi", "", http.StatusOK},
 | |
| 			},
 | |
| 		},
 | |
| 		{
 | |
| 			bootstrapRoles: bootstrapRoles{
 | |
| 				clusterRoles: []rbacapi.ClusterRole{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "allow-all"},
 | |
| 						Rules:      []rbacapi.PolicyRule{ruleAllowAll},
 | |
| 					},
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "update-limitranges"},
 | |
| 						Rules: []rbacapi.PolicyRule{
 | |
| 							rbacapi.NewRule("update").Groups("").Resources("limitranges").RuleOrDie(),
 | |
| 						},
 | |
| 					},
 | |
| 				},
 | |
| 				clusterRoleBindings: []rbacapi.ClusterRoleBinding{
 | |
| 					{
 | |
| 						ObjectMeta: metav1.ObjectMeta{Name: "update-limitranges"},
 | |
| 						Subjects: []rbacapi.Subject{
 | |
| 							{Kind: "User", Name: "limitrange-updater"},
 | |
| 						},
 | |
| 						RoleRef: rbacapi.RoleRef{Kind: "ClusterRole", Name: "update-limitranges"},
 | |
| 					},
 | |
| 				},
 | |
| 			},
 | |
| 			requests: []request{
 | |
| 				// Create the namespace used later in the test
 | |
| 				{superUser, "POST", "", "namespaces", "", "", limitRangeNamespace, http.StatusCreated},
 | |
| 
 | |
| 				{"limitrange-updater", "PUT", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusForbidden},
 | |
| 				{superUser, "PUT", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusCreated},
 | |
| 				{superUser, "PUT", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusOK},
 | |
| 				{"limitrange-updater", "PUT", "", "limitranges", "limitrange-namespace", "a", aLimitRange, http.StatusOK},
 | |
| 			},
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	for i, tc := range tests {
 | |
| 		// Create an API Server.
 | |
| 		masterConfig := framework.NewIntegrationTestMasterConfig()
 | |
| 		masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig)
 | |
| 		masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
 | |
| 			superUser:                          {Name: "admin", Groups: []string{"system:masters"}},
 | |
| 			"any-rolebinding-writer":           {Name: "any-rolebinding-writer"},
 | |
| 			"any-rolebinding-writer-namespace": {Name: "any-rolebinding-writer-namespace"},
 | |
| 			"bob":                              {Name: "bob"},
 | |
| 			"job-writer":                       {Name: "job-writer"},
 | |
| 			"job-writer-namespace":             {Name: "job-writer-namespace"},
 | |
| 			"nonescalating-rolebinding-writer": {Name: "nonescalating-rolebinding-writer"},
 | |
| 			"pod-reader":                       {Name: "pod-reader"},
 | |
| 			"limitrange-updater":               {Name: "limitrange-updater"},
 | |
| 			"user-with-no-permissions":         {Name: "user-with-no-permissions"},
 | |
| 		}))
 | |
| 		_, s, closeFn := framework.RunAMaster(masterConfig)
 | |
| 		defer closeFn()
 | |
| 
 | |
| 		clientConfig := &restclient.Config{Host: s.URL, ContentConfig: restclient.ContentConfig{NegotiatedSerializer: legacyscheme.Codecs}}
 | |
| 
 | |
| 		// Bootstrap the API Server with the test case's initial roles.
 | |
| 		superuserClient, _ := clientsetForToken(superUser, clientConfig)
 | |
| 		if err := tc.bootstrapRoles.bootstrap(superuserClient); err != nil {
 | |
| 			t.Errorf("case %d: failed to apply initial roles: %v", i, err)
 | |
| 			continue
 | |
| 		}
 | |
| 		previousResourceVersion := make(map[string]float64)
 | |
| 
 | |
| 		for j, r := range tc.requests {
 | |
| 			testGroup, ok := testapi.Groups[r.apiGroup]
 | |
| 			if !ok {
 | |
| 				t.Errorf("case %d %d: unknown api group %q, %s", i, j, r.apiGroup, r)
 | |
| 				continue
 | |
| 			}
 | |
| 			path := testGroup.ResourcePath(r.resource, r.namespace, r.name)
 | |
| 
 | |
| 			var body io.Reader
 | |
| 			if r.body != "" {
 | |
| 				sub := ""
 | |
| 				if r.verb == "PUT" {
 | |
| 					// For update operations, insert previous resource version
 | |
| 					if resVersion := previousResourceVersion[getPreviousResourceVersionKey(path, "")]; resVersion != 0 {
 | |
| 						sub += fmt.Sprintf(",\"resourceVersion\": \"%v\"", resVersion)
 | |
| 					}
 | |
| 				}
 | |
| 				body = strings.NewReader(fmt.Sprintf(r.body, sub))
 | |
| 			}
 | |
| 
 | |
| 			req, err := http.NewRequest(r.verb, s.URL+path, body)
 | |
| 			if err != nil {
 | |
| 				t.Fatalf("failed to create request: %v", err)
 | |
| 			}
 | |
| 
 | |
| 			func() {
 | |
| 				reqDump, err := httputil.DumpRequest(req, true)
 | |
| 				if err != nil {
 | |
| 					t.Fatalf("failed to dump request: %v", err)
 | |
| 					return
 | |
| 				}
 | |
| 
 | |
| 				resp, err := clientForToken(r.token).Do(req)
 | |
| 				if err != nil {
 | |
| 					t.Errorf("case %d, req %d: failed to make request: %v", i, j, err)
 | |
| 					return
 | |
| 				}
 | |
| 				defer resp.Body.Close()
 | |
| 
 | |
| 				respDump, err := httputil.DumpResponse(resp, true)
 | |
| 				if err != nil {
 | |
| 					t.Fatalf("failed to dump response: %v", err)
 | |
| 					return
 | |
| 				}
 | |
| 
 | |
| 				if resp.StatusCode != r.expectedStatus {
 | |
| 					// When debugging is on, dump the entire request and response. Very helpful for
 | |
| 					// debugging malformed test cases.
 | |
| 					//
 | |
| 					// To turn on debugging, use the '-args' flag.
 | |
| 					//
 | |
| 					//    go test -v -tags integration -run RBAC -args -v 10
 | |
| 					//
 | |
| 					glog.V(8).Infof("case %d, req %d: %s\n%s\n", i, j, reqDump, respDump)
 | |
| 					t.Errorf("case %d, req %d: %s expected %q got %q", i, j, r, statusCode(r.expectedStatus), statusCode(resp.StatusCode))
 | |
| 				}
 | |
| 
 | |
| 				b, _ := ioutil.ReadAll(resp.Body)
 | |
| 
 | |
| 				if r.verb == "POST" && (resp.StatusCode/100) == 2 {
 | |
| 					// For successful create operations, extract resourceVersion
 | |
| 					id, currentResourceVersion, err := parseResourceVersion(b)
 | |
| 					if err == nil {
 | |
| 						key := getPreviousResourceVersionKey(path, id)
 | |
| 						previousResourceVersion[key] = currentResourceVersion
 | |
| 					} else {
 | |
| 						t.Logf("error in trying to extract resource version: %s", err)
 | |
| 					}
 | |
| 				}
 | |
| 			}()
 | |
| 		}
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func TestBootstrapping(t *testing.T) {
 | |
| 	superUser := "admin/system:masters"
 | |
| 
 | |
| 	masterConfig := framework.NewIntegrationTestMasterConfig()
 | |
| 	masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig)
 | |
| 	masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
 | |
| 		superUser: {Name: "admin", Groups: []string{"system:masters"}},
 | |
| 	}))
 | |
| 	_, s, closeFn := framework.RunAMaster(masterConfig)
 | |
| 	defer closeFn()
 | |
| 
 | |
| 	clientset := clientset.NewForConfigOrDie(&restclient.Config{BearerToken: superUser, Host: s.URL, ContentConfig: restclient.ContentConfig{GroupVersion: testapi.Groups[api.GroupName].GroupVersion()}})
 | |
| 
 | |
| 	watcher, err := clientset.Rbac().ClusterRoles().Watch(metav1.ListOptions{ResourceVersion: "0"})
 | |
| 	if err != nil {
 | |
| 		t.Fatalf("unexpected error: %v", err)
 | |
| 	}
 | |
| 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 | |
| 	defer cancel()
 | |
| 	_, err = watchtools.UntilWithoutRetry(ctx, watcher, func(event watch.Event) (bool, error) {
 | |
| 		if event.Type != watch.Added {
 | |
| 			return false, nil
 | |
| 		}
 | |
| 		return true, nil
 | |
| 	})
 | |
| 	if err != nil {
 | |
| 		t.Fatalf("unexpected error: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	clusterRoles, err := clientset.Rbac().ClusterRoles().List(metav1.ListOptions{})
 | |
| 	if err != nil {
 | |
| 		t.Fatalf("unexpected error: %v", err)
 | |
| 	}
 | |
| 	if len(clusterRoles.Items) == 0 {
 | |
| 		t.Fatalf("missing cluster roles")
 | |
| 	}
 | |
| 
 | |
| 	for _, clusterRole := range clusterRoles.Items {
 | |
| 		if clusterRole.Name == "cluster-admin" {
 | |
| 			return
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	t.Errorf("missing cluster-admin: %v", clusterRoles)
 | |
| 
 | |
| 	healthBytes, err := clientset.Discovery().RESTClient().Get().AbsPath("/healthz/poststarthook/rbac/bootstrap-roles").DoRaw()
 | |
| 	if err != nil {
 | |
| 		t.Error(err)
 | |
| 	}
 | |
| 	t.Errorf("error bootstrapping roles: %s", string(healthBytes))
 | |
| }
 |