rancher/steve
1
0
Fork 0
mirror of https://github.com/rancher/steve.git synced 2025-07-05 19:16:38 +00:00
Code Issues Projects Releases Wiki Activity
53f2165aee
steve/pkg/accesscontrol/policy_rule_index_test.go

239 lines
5.2 KiB
Go
Raw Normal View History

refactor(accesscontrol): deterministic cache key hashing (#292) * refactor(accesscontrol): make addAccess directly accept PolicyRules * refactor(accesscontrol): add new types for encapsulating all needed data * refactor(accesscontrol): make getRules return resource version * refactor(accesscontrol): add new getRoleRefs to policyRuleIndex * refactor(accesscontrol): make accessStore use the new types and method * cleanup(accesscontrol): remove unused code * cleanup(accesscontrol): adapt tests * cleanup(accesscontrol): add some comments and remove unused function * refactor(accesscontrol): rework indexer to make it more readable and testable * Fix typo * test: consistent use of t.Error * test: refactor policyRulesMock to just use a map * misc: rename toUserInfo function * refactor: consistent sort by UID
2024-10-28 08:35:59 +00:00
package accesscontrol
import (
"slices"
"testing"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func Test_policyRuleIndex_roleBindingBySubject(t *testing.T) {
roleRef := rbacv1.RoleRef{Kind: "Role", Name: "testrole"}
tests := []struct {
name string
kind string
rb *rbacv1.RoleBinding
want []string
}{
{
name: "indexes users",
kind: "User",
rb: makeRB("testns", "testrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "User",
Name: "myuser",
},
}),
want: []string{"myuser"},
},
{
name: "indexes multiple subjects",
kind: "Group",
rb: makeRB("testns", "testrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup1",
},
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup2",
},
}),
want: []string{"mygroup1", "mygroup2"},
},
{
name: "indexes svcaccounts in user mode",
kind: "User",
rb: makeRB("testns", "testrb", roleRef, []rbacv1.Subject{
{
APIGroup: "",
Kind: "ServiceAccount",
Name: "mysvcaccount",
Namespace: "testns",
},
}),
Revert "Fix not finding ClusterRoleBinding or RoleBinding for service account…" (#540) This reverts commit 0f4fd1fde6cbb90999a979dce173c8880d8ef82b.
2025-03-11 15:14:21 +00:00
want: []string{"serviceaccount:testns:mysvcaccount"},
refactor(accesscontrol): deterministic cache key hashing (#292) * refactor(accesscontrol): make addAccess directly accept PolicyRules * refactor(accesscontrol): add new types for encapsulating all needed data * refactor(accesscontrol): make getRules return resource version * refactor(accesscontrol): add new getRoleRefs to policyRuleIndex * refactor(accesscontrol): make accessStore use the new types and method * cleanup(accesscontrol): remove unused code * cleanup(accesscontrol): adapt tests * cleanup(accesscontrol): add some comments and remove unused function * refactor(accesscontrol): rework indexer to make it more readable and testable * Fix typo * test: consistent use of t.Error * test: refactor policyRulesMock to just use a map * misc: rename toUserInfo function * refactor: consistent sort by UID
2024-10-28 08:35:59 +00:00
},
{
name: "ignores svcaccounts in group mode",
kind: "Group",
rb: makeRB("testns", "testrb", roleRef, []rbacv1.Subject{
{
APIGroup: "",
Kind: "ServiceAccount",
Name: "mysvcaccount",
Namespace: "testns",
},
}),
want: []string{},
},
{
name: "ignores unknown subjects",
kind: "Group",
rb: makeRB("testns", "testrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "User",
Name: "myuser",
},
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup1",
},
{
APIGroup: "custom.api.group",
Kind: "CustomGroup",
Name: "mygroup2",
},
}),
want: []string{"mygroup1"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
indexFunc := roleBindingBySubjectIndexer(tt.kind)
if got, err := indexFunc(tt.rb); err != nil {
t.Error(err)
} else if !slices.Equal(got, tt.want) {
t.Errorf("roleBindingBySubjectIndexer() got = %v, want %v", got, tt.want)
}
})
}
}
func Test_policyRuleIndex_clusterRoleBindingBySubject(t *testing.T) {
roleRef := rbacv1.RoleRef{Kind: "ClusterRole", Name: "testclusterrole"}
tests := []struct {
name string
kind string
crb *rbacv1.ClusterRoleBinding
want []string
}{
{
name: "ignores if RoleRef is a Role",
kind: "User",
crb: makeCRB("testcrb", rbacv1.RoleRef{Kind: "Role", Name: "testrole"}, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "User",
Name: "myuser",
},
}),
want: []string{},
},
{
name: "indexes users",
kind: "User",
crb: makeCRB("testcrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "User",
Name: "myuser",
},
}),
want: []string{"myuser"},
},
{
name: "indexes multiple subjects",
kind: "Group",
crb: makeCRB("testcrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup1",
},
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup2",
},
}),
want: []string{"mygroup1", "mygroup2"},
},
{
name: "indexes svcaccounts in user mode",
kind: "User",
crb: makeCRB("testcrb", roleRef, []rbacv1.Subject{
{
APIGroup: "",
Kind: "ServiceAccount",
Name: "mysvcaccount",
Namespace: "testns",
},
}),
Revert "Fix not finding ClusterRoleBinding or RoleBinding for service account…" (#540) This reverts commit 0f4fd1fde6cbb90999a979dce173c8880d8ef82b.
2025-03-11 15:14:21 +00:00
want: []string{"serviceaccount:testns:mysvcaccount"},
refactor(accesscontrol): deterministic cache key hashing (#292) * refactor(accesscontrol): make addAccess directly accept PolicyRules * refactor(accesscontrol): add new types for encapsulating all needed data * refactor(accesscontrol): make getRules return resource version * refactor(accesscontrol): add new getRoleRefs to policyRuleIndex * refactor(accesscontrol): make accessStore use the new types and method * cleanup(accesscontrol): remove unused code * cleanup(accesscontrol): adapt tests * cleanup(accesscontrol): add some comments and remove unused function * refactor(accesscontrol): rework indexer to make it more readable and testable * Fix typo * test: consistent use of t.Error * test: refactor policyRulesMock to just use a map * misc: rename toUserInfo function * refactor: consistent sort by UID
2024-10-28 08:35:59 +00:00
},
{
name: "ignores svcaccounts in group mode",
kind: "Group",
crb: makeCRB("testcrb", roleRef, []rbacv1.Subject{
{
APIGroup: "",
Kind: "ServiceAccount",
Name: "mysvcaccount",
Namespace: "testns",
},
}),
want: []string{},
},
{
name: "ignores unknown subjects",
kind: "Group",
crb: makeCRB("testcrb", roleRef, []rbacv1.Subject{
{
APIGroup: rbacGroup,
Kind: "User",
Name: "myuser",
},
{
APIGroup: rbacGroup,
Kind: "Group",
Name: "mygroup1",
},
{
APIGroup: "custom.api.group",
Kind: "CustomGroup",
Name: "mygroup2",
},
}),
want: []string{"mygroup1"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
indexFunc := clusterRoleBindingBySubjectIndexer(tt.kind)
if got, err := indexFunc(tt.crb); err != nil {
t.Error(err)
} else if !slices.Equal(got, tt.want) {
t.Errorf("clusterRoleBindingBySubjectIndexer() got = %v, want %v", got, tt.want)
}
})
}
}
func makeRB(namespace, name string, roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Namespace: namespace,
Name: name,
},
RoleRef: roleRef,
Subjects: subjects,
}
}
func makeCRB(name string, roleRef rbacv1.RoleRef, subjects []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
return &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
RoleRef: roleRef,
Subjects: subjects,
}
}
Reference in New Issue Copy Permalink