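package integration_test

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"path/filepath"

	"github.com/chenbh/concourse/v6/atc"
	"github.com/concourse/flag"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// setPipelineAs logs in as the given local user (every login in this file
// uses the username as the password) and attempts to create a new pipeline
// named "pipeline-new" on teamName. Only the error is returned so callers
// can assert "forbidden" versus success without repeating the call.
func setPipelineAs(user, teamName string, config []byte) error {
	ccClient := login(atcURL, user, user)
	_, _, _, err := ccClient.Team(teamName).CreateOrUpdatePipelineConfig("pipeline-new", "0", config, false)
	return err
}

// writeRBACConfig writes an RBAC role-action mapping to name inside dir and
// points the shared ATC command at it, returning the file's path.
//
// The file is created 0600 rather than 0755: it is a data file read only by
// this process, so neither execute nor group/world bits are needed.
func writeRBACConfig(dir, name, contents string) string {
	file := filepath.Join(dir, name)
	ExpectWithOffset(1, ioutil.WriteFile(file, []byte(contents), 0600)).To(Succeed())
	cmd.ConfigRBAC = flag.File(file)
	return file
}

var _ = Describe("RBAC", func() {

	var team atc.Team
	var pipelineData = []byte(`
---
jobs:
- name: simple
`)

	// Every spec gets a fresh team with one local user per built-in role
	// (plus "local:test" as an owner) and a single pipeline to act on.
	JustBeforeEach(func() {
		team = atc.Team{
			Name: "some-team",
			Auth: atc.TeamAuth{
				"viewer": map[string][]string{
					"users":  []string{"local:v-user"},
					"groups": []string{},
				},
				"pipeline-operator": map[string][]string{
					"users":  []string{"local:po-user"},
					"groups": []string{},
				},
				"member": map[string][]string{
					"users":  []string{"local:m-user"},
					"groups": []string{},
				},
				"owner": map[string][]string{
					"users":  []string{"local:o-user", "local:test"},
					"groups": []string{},
				},
			},
		}

		setupTeam(atcURL, team)
		setupPipeline(atcURL, team.Name, pipelineData)
	})

	Context("Default RBAC values", func() {

		Context("when there are defined roles for users", func() {
			Context("when the role is viewer", func() {
				It("should be able to view pipelines", func() {
					ccClient := login(atcURL, "v-user", "v-user")

					pipelines, err := ccClient.Team(team.Name).ListPipelines()
					Expect(err).ToNot(HaveOccurred())
					Expect(pipelines).To(HaveLen(1))
				})

				It("should NOT be able to set pipelines", func() {
					err := setPipelineAs("v-user", team.Name, pipelineData)
					Expect(err).To(HaveOccurred())
					Expect(err.Error()).To(Equal("forbidden"))
				})
			})

			Context("when the role is pipeline-operator", func() {
				It("should be able to view the pipelines", func() {
					ccClient := login(atcURL, "po-user", "po-user")

					pipelines, err := ccClient.Team(team.Name).ListPipelines()
					Expect(err).ToNot(HaveOccurred())
					Expect(pipelines).To(HaveLen(1))
				})

				It("should NOT be able to set pipelines", func() {
					err := setPipelineAs("po-user", team.Name, pipelineData)
					Expect(err).To(HaveOccurred())
					Expect(err.Error()).To(Equal("forbidden"))
				})
			})

			Context("when the role is member", func() {
				It("should be able to view the pipelines", func() {
					ccClient := login(atcURL, "m-user", "m-user")

					pipelines, err := ccClient.Team(team.Name).ListPipelines()
					Expect(err).ToNot(HaveOccurred())
					Expect(pipelines).To(HaveLen(1))
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("m-user", team.Name, pipelineData)).ToNot(HaveOccurred())
				})
			})

			Context("when the role is owner", func() {
				It("should be able to view the pipelines", func() {
					ccClient := login(atcURL, "o-user", "o-user")

					pipelines, err := ccClient.Team(team.Name).ListPipelines()
					Expect(err).ToNot(HaveOccurred())
					Expect(pipelines).To(HaveLen(1))
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("o-user", team.Name, pipelineData)).ToNot(HaveOccurred())
				})

				It("can update the auth for a team", func() {
					// Drop the pipeline-operator and member roles; the owner
					// must still be allowed to rewrite the team's auth config.
					team.Auth = atc.TeamAuth{
						"viewer": map[string][]string{
							"users":  []string{"local:v-user"},
							"groups": []string{},
						},
						"owner": map[string][]string{
							"users":  []string{"local:o-user", "local:test"},
							"groups": []string{},
						},
					}

					ccClient := login(atcURL, "o-user", "o-user")
					createdTeam, _, _, _, err := ccClient.Team(team.Name).CreateOrUpdate(team)

					Expect(err).ToNot(HaveOccurred())
					Expect(createdTeam.Name).To(Equal(team.Name))
					Expect(createdTeam.Auth).To(Equal(team.Auth))
				})
			})
		})
	})

	Context("Customize RBAC", func() {

		var (
			rbac     string
			tmp      string
			prevRBAC flag.File
		)

		BeforeEach(func() {
			var err error
			tmp, err = ioutil.TempDir("", fmt.Sprintf("tmp-%d", GinkgoParallelNode()))
			Expect(err).ToNot(HaveOccurred())

			// cmd is package-level state shared by every spec; remember the
			// RBAC file currently configured so the customization made in
			// the nested contexts does not leak into later specs.
			prevRBAC = cmd.ConfigRBAC
		})

		AfterEach(func() {
			cmd.ConfigRBAC = prevRBAC
			Expect(os.RemoveAll(tmp)).To(Succeed())
		})

		Context("when trying to customize an action that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
viewer:
- NotSaveConfig
`
			})

			It("errors", func() {
				writeRBACConfig(tmp, "rbac-not-action.yml", rbac)

				// workaround to avoid panic due to registering http handlers multiple times
				http.DefaultServeMux = new(http.ServeMux)

				_, err := cmd.Runner([]string{})
				Expect(err).To(MatchError(ContainSubstring("failed to customize roles: unknown action NotSaveConfig")))
			})
		})

		Context("when trying to customize a role that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
not-viewer:
- SaveConfig
`
			})

			It("errors", func() {
				writeRBACConfig(tmp, "rbac-not-role.yml", rbac)

				// workaround to avoid panic due to registering http handlers multiple times
				http.DefaultServeMux = new(http.ServeMux)

				_, err := cmd.Runner([]string{})
				Expect(err).To(MatchError(ContainSubstring("failed to customize roles: unknown role not-viewer")))
			})
		})

		Context("when successfully customizing a role", func() {
			// Grant SaveConfig to viewer before the suite brings the ATC up,
			// so the JustBeforeEach above runs against the customized mapping.
			BeforeEach(func() {
				rbac = `
---
viewer:
- SaveConfig
`
				writeRBACConfig(tmp, "rbac.yml", rbac)
			})

			It("viewer should be able to set pipelines", func() {
				Expect(setPipelineAs("v-user", team.Name, pipelineData)).ToNot(HaveOccurred())
			})
		})
	})
})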