chore(RHTAPATCH-1069): unit-tests for runAccessCheck
Add unit-tests to `runAccessCheck`.
We decided to perform the tests using the same test suite
we are using for the functional tests, using testenv.
It sets up a real environment for us, so we don't
have to deal with ugly fakes for the k8s authorization.

Signed-off-by: Omer Turner <[email protected]>
Omeramsc committed Jul 16, 2024
1 parent e17d6bc commit e4ede16
Showing 2 changed files with 38 additions and 6 deletions.
2 changes: 0 additions & 2 deletions cmd/main.go
Expand Up @@ -115,7 +115,6 @@ func getNamespacesWithAccess(
for _, verb := range []string{"create", "list", "watch", "delete"} {
for _, resource := range []string{"applications", "components"} {
allowed, err := runAccessCheck(
e,
authCl,
c.Request().Header["X-Email"][0],
ns.Name,
Expand Down Expand Up @@ -169,7 +168,6 @@ func getUserNamespaces(e *echo.Echo, nameReq labels.Requirement) ([]core.Namespa

// check if a user can perform a specific verb on a specific resource in namespace
func runAccessCheck(
e *echo.Echo,
authCl authorizationv1Client.AuthorizationV1Interface,
user string,
namespace string,
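Review bot: The comment above the slimmed-down signature (`// check if a user can perform a specific verb on a specific resource in namespace`) is still not a Go doc comment; now that the signature is being touched it should start with the function name, e.g. `// runAccessCheck reports whether user may perform verb on resource in namespace, together with any error from the authorization client.` Since the only visible caller passes `c.Request().Header["X-Email"][0]` straight through as `user`, the doc comment is also the place to say that `user` is the principal the check is evaluated for and that the caller is responsible for that value having been authenticated upstream. Both `getNamespacesWithAccess` and `runAccessCheck` start or end outside these hunks, so I cannot see whether the body itself does anything with `user` beyond forwarding it.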
42 changes: 38 additions & 4 deletions cmd/main_test.go
Expand Up @@ -12,6 +12,7 @@ import (
k8sapi "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"

"context"
"os"
Expand All @@ -23,6 +24,7 @@ import (
"k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/envtest"
)

Expand All @@ -39,7 +41,7 @@ type HTTPheader struct {
var k8sClient client.Client
var testEnv *envtest.Environment

func createRole(k8sClient client.Client, nsName string, roleName string) {
func createRole(k8sClient client.Client, nsName string, roleName string, verbs []string) {
role := &rbacv1.Role{
ObjectMeta: metav1.ObjectMeta{
Name: roleName,
Expand All @@ -49,7 +51,7 @@ func createRole(k8sClient client.Client, nsName string, roleName string) {
{
APIGroups: []string{"appstudio.redhat.com"},
Resources: []string{"applications", "components"},
Verbs: []string{"create", "list", "watch", "delete"},
Verbs: verbs,
},
},
}
Expand Down Expand Up @@ -249,8 +251,8 @@ var _ = BeforeSuite(func() {
createNamespace(k8sClient, "test-tenant")
createNamespace(k8sClient, "test-tenant-2")
createNamespace(k8sClient, "test-tenant-3")
createRole(k8sClient, "test-tenant", "namespace-access")
createRole(k8sClient, "test-tenant-2", "namespace-access-2")
createRole(k8sClient, "test-tenant", "namespace-access", []string{"create", "list", "watch", "delete"})
createRole(k8sClient, "test-tenant-2", "namespace-access-2", []string{"create", "list", "watch", "delete"})
createRoleBinding(k8sClient, "namespace-access-user-binding", "test-tenant", user1, "namespace-access")
createRoleBinding(k8sClient, "namespace-access-user-binding-2", "test-tenant", user2, "namespace-access")
createRoleBinding(k8sClient, "namespace-access-user-binding-3", "test-tenant-2", user2, "namespace-access-2")
Expand All @@ -267,3 +269,35 @@ var _ = AfterSuite(func() {
Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("Error killing the server during test teardown: %v", err))
}
})

var _ = DescribeTable("TestRunAccessCheck", func(user string, namespace string, resource string, verb string, expectedResult bool) {
cfg, _ := config.GetConfig()
clientset, _ := kubernetes.NewForConfig(cfg)
authCl := clientset.AuthorizationV1()

boolresult, err := runAccessCheck(authCl, user, namespace, "appstudio.redhat.com", resource, verb)
Expect(boolresult).To(Equal(expectedResult))
Expect(err).NotTo(HaveOccurred(), "Unexpected error testing RunAccessCheck")
},
Entry(
"A user that has access to the resource should return true (user1 have permission to 'create' on test-tenant-1)",
"[email protected]",
"test-tenant",
"applications",
"create",
true),
Entry(
"A user that does not have any premissions on the namespace should return false (user1 don't have access to test-tenant-2)",
"[email protected]",
"test-tenant-2",
"applications",
"create",
false),
Entry(
"A user that does not have the permissions to perform the specific action on the namespace should return false (user1 don't have permission to 'patch' on test-tenant-1)",
"[email protected]",
"test-tenant-1",
"applications",
"patch",
false),
)
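Review bot: The third entry (the "patch" case) calls runAccessCheck with namespace `"test-tenant-1"`, which BeforeSuite never creates (it creates `test-tenant`, `test-tenant-2` and `test-tenant-3`), so the expected `false` comes from user1 having no binding in a non-existent namespace rather than from the role lacking the `patch` verb, and the case the description names is not actually exercised; change it to `"test-tenant"` (the first entry's description has the same `test-tenant-1` wording for a call that correctly uses `test-tenant`). The two blank-identifier assignments at the top of the table body, `cfg, _ := config.GetConfig()` and `clientset, _ := kubernetes.NewForConfig(cfg)`, discard errors, so a missing or unreachable rest config would surface as a nil-pointer panic inside the clientset instead of a readable assertion failure; assign `err` in each and follow it with `Expect(err).NotTo(HaveOccurred())`. It is not visible from this hunk whether `config.GetConfig()` resolves to the envtest control plane started in BeforeSuite or to an ambient kubeconfig, so it is worth confirming that the table runs against the same cluster the roles were created in (reusing the rest config returned by the envtest start, if the suite keeps it, would remove the ambiguity). The new `verbs` parameter on createRole is only ever passed the full `create/list/watch/delete` set in this commit, so a role with a reduced verb set would be the natural fixture for the "wrong verb" entry.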
