refactor(accesscontrol): add unit tests for CacheKey (#245)

This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey.
2025-09-06 01:41:00 +00:00 · 2024-08-28 10:06:21 +02:00
parent 01429f8528
commit 32c30149a6
3 changed files with 367 additions and 39 deletions
--- a/pkg/accesscontrol/access_store_test.go
+++ b/pkg/accesscontrol/access_store_test.go
@@ -0,0 +1,328 @@
+package accesscontrol
+
+import (
+	"fmt"
+	"slices"
+	"testing"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/cache"
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+func TestAccessStore_CacheKey(t *testing.T) {
+	testUser := &user.DefaultInfo{
+		Name: "user-12345",
+		Groups: []string{
+			"users",
+			"mygroup",
+		},
+	}
+
+	tests := []struct {
+		name   string
+		store  *AccessStore
+		verify func(t *testing.T, store *AccessStore, res string)
+	}{
+		{
+			name: "consistently produces the same value",
+			store: &AccessStore{
+				usersPolicyRules: &policyRulesMock{
+					getRBFunc: func(s string) []*rbacv1.RoleBinding {
+						return []*rbacv1.RoleBinding{
+							makeRB("testns", "testrb", testUser.Name, "testrole"),
+						}
+					},
+					getCRBFunc: func(s string) []*rbacv1.ClusterRoleBinding {
+						return []*rbacv1.ClusterRoleBinding{
+							makeCRB("testcrb", testUser.Name, "testclusterrole"),
+						}
+					},
+				},
+				groupsPolicyRules: &policyRulesMock{},
+				roles: roleRevisionsMock(func(ns, name string) string {
+					return fmt.Sprintf("%s%srev", ns, name)
+				}),
+			},
+			verify: func(t *testing.T, store *AccessStore, res string) {
+				// iterate enough times to make possibly random iterators repeating order by coincidence
+				for range 5 {
+					if res != store.CacheKey(testUser) {
+						t.Fatal("CacheKey is not the same on consecutive runs")
+					}
+				}
+			},
+		},
+		{
+			name: "group permissions are taken into account",
+			store: &AccessStore{
+				usersPolicyRules: &policyRulesMock{},
+				groupsPolicyRules: &policyRulesMock{
+					getRBFunc: func(s string) []*rbacv1.RoleBinding {
+						return []*rbacv1.RoleBinding{
+							makeRB("testns", "testrb", testUser.Name, "testrole"),
+						}
+					},
+					getCRBFunc: func(s string) []*rbacv1.ClusterRoleBinding {
+						return []*rbacv1.ClusterRoleBinding{
+							makeCRB("testcrb", testUser.Name, "testclusterrole"),
+						}
+					},
+				},
+				roles: roleRevisionsMock(func(ns, name string) string {
+					return fmt.Sprintf("%s%srev", ns, name)
+				}),
+			},
+			verify: func(t *testing.T, store *AccessStore, res string) {
+				// remove users
+				testUserAlt := *testUser
+				testUserAlt.Groups = []string{}
+
+				if store.CacheKey(&testUserAlt) == res {
+					t.Fatal("CacheKey does not use groups for hashing")
+				}
+			},
+		},
+		{
+			name: "different groups order produces the same value",
+			store: &AccessStore{
+				usersPolicyRules: &policyRulesMock{},
+				groupsPolicyRules: &policyRulesMock{
+					getRBFunc: func(s string) []*rbacv1.RoleBinding {
+						if s == testUser.Groups[0] {
+							return []*rbacv1.RoleBinding{
+								makeRB("testns", "testrb", testUser.Name, "testrole"),
+							}
+						}
+						return nil
+					},
+					getCRBFunc: func(s string) []*rbacv1.ClusterRoleBinding {
+						if s == testUser.Groups[1] {
+							return []*rbacv1.ClusterRoleBinding{
+								makeCRB("testcrb", testUser.Name, "testclusterrole"),
+							}
+						}
+						return nil
+					},
+				},
+				roles: roleRevisionsMock(func(ns, name string) string {
+					return fmt.Sprintf("%s%srev", ns, name)
+				}),
+			},
+			verify: func(t *testing.T, store *AccessStore, res string) {
+				// swap order of groups
+				testUserAlt := &user.DefaultInfo{Name: testUser.Name, Groups: slices.Clone(testUser.Groups)}
+				slices.Reverse(testUserAlt.Groups)
+
+				if store.CacheKey(testUserAlt) != res {
+					t.Fatal("CacheKey varies depending on groups order")
+				}
+			},
+		},
+		{
+			name: "role changes produce a different value",
+			store: &AccessStore{
+				usersPolicyRules: &policyRulesMock{
+					getRBFunc: func(s string) []*rbacv1.RoleBinding {
+						return []*rbacv1.RoleBinding{
+							makeRB("testns", "testrb", testUser.Name, "testrole"),
+						}
+					},
+				},
+				groupsPolicyRules: &policyRulesMock{},
+				roles: roleRevisionsMock(func(ns, name string) string {
+					return "rev1"
+				}),
+			},
+			verify: func(t *testing.T, store *AccessStore, res string) {
+				store.roles = roleRevisionsMock(func(ns, name string) string {
+					return "rev2"
+
+				})
+				if store.CacheKey(testUser) == res {
+					t.Fatal("CacheKey did not change when on role change")
+				}
+			},
+		},
+		{
+			name: "new groups produce a different value",
+			store: &AccessStore{
+				usersPolicyRules: &policyRulesMock{},
+				groupsPolicyRules: &policyRulesMock{
+					getRBFunc: func(s string) []*rbacv1.RoleBinding {
+						return []*rbacv1.RoleBinding{
+							makeRB("testns", "testrb", testUser.Name, "testrole"),
+						}
+					},
+					getCRBFunc: func(s string) []*rbacv1.ClusterRoleBinding {
+						if s == "newgroup" {
+							return []*rbacv1.ClusterRoleBinding{
+								makeCRB("testcrb", testUser.Name, "testclusterrole"),
+							}
+						}
+						return nil
+					},
+				},
+				roles: roleRevisionsMock(func(ns, name string) string {
+					return fmt.Sprintf("%s%srev", ns, name)
+				}),
+			},
+			verify: func(t *testing.T, store *AccessStore, res string) {
+				testUserAlt := &user.DefaultInfo{
+					Name:   testUser.Name,
+					Groups: append(slices.Clone(testUser.Groups), "newgroup"),
+				}
+				if store.CacheKey(testUserAlt) == res {
+					t.Fatal("CacheKey did not change when new group was added")
+				}
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tt.verify(t, tt.store, tt.store.CacheKey(testUser))
+		})
+	}
+}
+
+func TestAccessStore_AccessFor(t *testing.T) {
+	testUser := &user.DefaultInfo{
+		Name:   "test-user",
+		Groups: []string{"users", "mygroup"},
+	}
+	asCache := cache.NewLRUExpireCache(10)
+	store := &AccessStore{
+		usersPolicyRules: &policyRulesMock{
+			getRBFunc: func(s string) []*rbacv1.RoleBinding {
+				return []*rbacv1.RoleBinding{
+					makeRB("testns", "testrb", testUser.Name, "testrole"),
+				}
+			},
+			getFunc: func(_ string) *AccessSet {
+				return &AccessSet{
+					set: map[key]resourceAccessSet{
+						{"get", corev1.Resource("ConfigMap")}: map[Access]bool{
+							{Namespace: All, ResourceName: All}: true,
+						},
+					},
+				}
+			},
+		},
+		groupsPolicyRules: &policyRulesMock{
+			getCRBFunc: func(s string) []*rbacv1.ClusterRoleBinding {
+				if s == "mygroup" {
+					return []*rbacv1.ClusterRoleBinding{
+						makeCRB("testcrb", testUser.Name, "testclusterrole"),
+					}
+				}
+				return nil
+			},
+			getFunc: func(_ string) *AccessSet {
+				return &AccessSet{
+					set: map[key]resourceAccessSet{
+						{"list", appsv1.Resource("Deployment")}: map[Access]bool{
+							{Namespace: "testns", ResourceName: All}: true,
+						},
+					},
+				}
+			},
+		},
+		roles: roleRevisionsMock(func(ns, name string) string {
+			return fmt.Sprintf("%s%srev", ns, name)
+		}),
+		cache: asCache,
+	}
+
+	validateAccessSet := func(as *AccessSet) {
+		if as == nil {
+			t.Fatal("AccessFor() returned nil")
+		}
+		if as.ID == "" {
+			t.Fatal("AccessSet has empty ID")
+		}
+		if !as.Grants("get", corev1.Resource("ConfigMap"), "default", "cm") ||
+			!as.Grants("list", appsv1.Resource("Deployment"), "testns", "deploy") {
+			t.Error("AccessSet does not grant desired permissions")
+		}
+		// wrong verbs
+		if as.Grants("delete", corev1.Resource("ConfigMap"), "default", "cm") ||
+			as.Grants("get", appsv1.Resource("Deployment"), "testns", "deploy") ||
+			// wrong resource
+			as.Grants("get", corev1.Resource("Secret"), "testns", "s") {
+			t.Error("AccessSet grants undesired permissions")
+		}
+	}
+
+	as := store.AccessFor(testUser)
+	validateAccessSet(as)
+	if got, want := len(asCache.Keys()), 1; got != want {
+		t.Errorf("Unexpected number of cache keys: got %d, want %d", got, want)
+	}
+
+	as = store.AccessFor(testUser)
+	validateAccessSet(as)
+	if got, want := len(asCache.Keys()), 1; got != want {
+		t.Errorf("Unexpected increase in cache size, got %d, want %d", got, want)
+	}
+
+	store.PurgeUserData(as.ID)
+	if got, want := len(asCache.Keys()), 0; got != want {
+		t.Errorf("Cache was not purged, got len %d, want %d", got, want)
+	}
+}
+
+func makeRB(ns, name, user, role string) *rbacv1.RoleBinding {
+	return &rbacv1.RoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: name},
+		Subjects: []rbacv1.Subject{
+			{Name: user},
+		},
+		RoleRef: rbacv1.RoleRef{Name: role},
+	}
+}
+
+func makeCRB(name, user, role string) *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
+		Subjects: []rbacv1.Subject{
+			{Name: user},
+		},
+		RoleRef: rbacv1.RoleRef{Name: role},
+	}
+}
+
+type policyRulesMock struct {
+	getFunc    func(string) *AccessSet
+	getRBFunc  func(string) []*rbacv1.RoleBinding
+	getCRBFunc func(string) []*rbacv1.ClusterRoleBinding
+}
+
+func (p policyRulesMock) get(s string) *AccessSet {
+	if p.getFunc == nil {
+		return nil
+	}
+	return p.getFunc(s)
+}
+
+func (p policyRulesMock) getRoleBindings(s string) []*rbacv1.RoleBinding {
+	if p.getRBFunc == nil {
+		return nil
+	}
+	return p.getRBFunc(s)
+}
+
+func (p policyRulesMock) getClusterRoleBindings(s string) []*rbacv1.ClusterRoleBinding {
+	if p.getCRBFunc == nil {
+		return nil
+	}
+	return p.getCRBFunc(s)
+}
+
+type roleRevisionsMock func(ns, name string) string
+
+func (fn roleRevisionsMock) roleRevision(ns, name string) string {
+	return fn(ns, name)
+}