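package rbacpolicy

import (
	"fmt"
	"testing"

	jwt "github.com/dgrijalva/jwt-go/v4"
	"github.com/stretchr/testify/assert"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes/fake"

	"github.com/argoproj/argo-cd/common"
	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
	"github.com/argoproj/argo-cd/test"
	"github.com/argoproj/argo-cd/util/rbac"
)

// newFakeProj builds the AppProject the enforcement tests run against: one
// project role ("my-role") carrying a single policy that allows creating
// applications under my-proj/*, a binding to the group "my-org:my-team", and
// one issued JWT token (IssuedAt 1234). The same token is mirrored into
// Status.JWTTokensByRole so both the spec and status views of the role agree.
func newFakeProj() *argoappv1.AppProject {
	issued := []argoappv1.JWTToken{{IssuedAt: 1234}}
	jwtTokenByRole := map[string]argoappv1.JWTTokens{
		"my-role": {Items: issued},
	}

	return &argoappv1.AppProject{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-proj",
			Namespace: test.FakeArgoCDNamespace,
		},
		Spec: argoappv1.AppProjectSpec{
			Roles: []argoappv1.ProjectRole{
				{
					Name: "my-role",
					Policies: []string{
						"p, proj:my-proj:my-role, applications, create, my-proj/*, allow",
					},
					Groups: []string{
						"my-org:my-team",
					},
					JWTTokens: issued,
				},
			},
		},
		Status: argoappv1.AppProjectStatus{JWTTokensByRole: jwtTokenByRole},
	}
}

// newTestEnforcer wires a casbin enforcer backed by a fake clientset and a
// fake project lister to an RBACPolicyEnforcer, and installs the latter's
// EnforceClaims as the claims enforcer. Policies are left for the caller to
// set, so each test declares exactly the grants it exercises.
func newTestEnforcer() (*rbac.Enforcer, *RBACPolicyEnforcer) {
	kubeclientset := fake.NewSimpleClientset(test.NewFakeConfigMap())
	projLister := test.NewFakeProjLister(newFakeProj())
	enf := rbac.NewEnforcer(kubeclientset, test.FakeArgoCDNamespace, common.ArgoCDConfigMapName, nil)
	enf.EnableLog(true)
	rbacEnf := NewRBACPolicyEnforcer(enf, projLister)
	enf.SetClaimsEnforcerFunc(rbacEnf.EnforceClaims)
	return enf, rbacEnf
}

// TestEnforceAllPolicies covers each source a grant can come from: the builtin
// policy, the user policy, a project role addressed through the JWT subject,
// and a group claim. It also checks that a subject with no grant is denied and
// that the claim used for group lookup can be switched via SetScopes.
func TestEnforceAllPolicies(t *testing.T) {
	enf, rbacEnf := newTestEnforcer()
	// A malformed policy would otherwise surface only as an unexplained
	// assertion failure below, so fail loudly at the point of definition.
	assert.NoError(t, enf.SetBuiltinPolicy(`p, alice, applications, create, my-proj/*, allow`))
	assert.NoError(t, enf.SetUserPolicy(`p, bob, applications, create, my-proj/*, allow`))

	// alice is granted by the builtin policy, bob by the user policy.
	claims := jwt.MapClaims{"sub": "alice"}
	assert.True(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))
	claims = jwt.MapClaims{"sub": "bob"}
	assert.True(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))
	// Project role token: the subject names the role and iat matches the
	// IssuedAt of the token recorded for my-role in newFakeProj.
	claims = jwt.MapClaims{"sub": "proj:my-proj:my-role", "iat": 1234}
	assert.True(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))
	// Group membership maps onto the role through its Groups list.
	claims = jwt.MapClaims{"groups": []string{"my-org:my-team"}}
	assert.True(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))

	// No policy anywhere mentions cathy, so the default is deny.
	claims = jwt.MapClaims{"sub": "cathy"}
	assert.False(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))

	// AWS cognito returns its groups in cognito:groups
	rbacEnf.SetScopes([]string{"cognito:groups"})
	claims = jwt.MapClaims{"cognito:groups": []string{"my-org:my-team"}}
	assert.True(t, enf.Enforce(claims, "applications", "create", "my-proj/my-app"))
}

// TestEnforceActionActions checks glob matching on the action segment of an
// "action/<group>/<kind>/<name>" permission at three granularities: everything,
// every action of one resource kind, and one named action.
func TestEnforceActionActions(t *testing.T) {
	enf, _ := newTestEnforcer()
	assert.NoError(t, enf.SetBuiltinPolicy(fmt.Sprintf(`p, alice, applications, %s/*, my-proj/*, allow
p, bob, applications, %s/argoproj.io/Rollout/*, my-proj/*, allow
p, cam, applications, %s/argoproj.io/Rollout/resume, my-proj/*, allow
`, ActionAction, ActionAction, ActionAction)))

	resume := ActionAction + "/argoproj.io/Rollout/resume"
	abort := ActionAction + "/argoproj.io/Rollout/abort"
	otherCrd := ActionAction + "/argoproj.io/NewCrd/abort"

	// Alice has wild-card approval for all actions
	claims := jwt.MapClaims{"sub": "alice"}
	assert.True(t, enf.Enforce(claims, "applications", resume, "my-proj/my-app"))
	assert.True(t, enf.Enforce(claims, "applications", otherCrd, "my-proj/my-app"))

	// Bob has wild-card approval for all actions under argoproj.io/Rollout
	claims = jwt.MapClaims{"sub": "bob"}
	assert.True(t, enf.Enforce(claims, "applications", resume, "my-proj/my-app"))
	assert.False(t, enf.Enforce(claims, "applications", otherCrd, "my-proj/my-app"))

	// Cam only has approval for action/argoproj.io/Rollout/resume
	claims = jwt.MapClaims{"sub": "cam"}
	assert.True(t, enf.Enforce(claims, "applications", resume, "my-proj/my-app"))
	assert.False(t, enf.Enforce(claims, "applications", abort, "my-proj/my-app"))

	// Eve does not have approval for any actions
	claims = jwt.MapClaims{"sub": "eve"}
	assert.False(t, enf.Enforce(claims, "applications", resume, "my-proj/my-app"))
}

// TestGetScopes_DefaultScopes verifies a fresh enforcer reports defaultScopes.
func TestGetScopes_DefaultScopes(t *testing.T) {
	rbacEnforcer := NewRBACPolicyEnforcer(nil, nil)

	// testify's Equal takes (expected, actual); keep that order so a failure
	// message labels the two sides correctly.
	assert.Equal(t, defaultScopes, rbacEnforcer.GetScopes())
}

// TestGetScopes_CustomScopes verifies SetScopes replaces the scopes GetScopes
// returns.
func TestGetScopes_CustomScopes(t *testing.T) {
	rbacEnforcer := NewRBACPolicyEnforcer(nil, nil)
	customScopes := []string{"custom"}
	rbacEnforcer.SetScopes(customScopes)

	assert.Equal(t, customScopes, rbacEnforcer.GetScopes())
}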