
     1  package integration_test
     2  
     3  import (
     4  	"fmt"
     5  	"io/ioutil"
     6  	"net/http"
     7  	"os"
     8  	"path/filepath"
     9  
    10  	"github.com/pf-qiu/concourse/v6/atc"
    11  	"github.com/concourse/flag"
    12  	. "github.com/onsi/ginkgo"
    13  	. "github.com/onsi/gomega"
    14  )
    15  
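// The RBAC specs run against a live ATC at atcURL (supplied by the suite)
// using a team whose four built-in roles — viewer, pipeline-operator,
// member and owner — are each bound to one local user. The first half
// checks the default permission of each role; the second half points
// cmd.ConfigRBAC at a custom role file and checks both the validation of
// that file and the effect of granting an extra action to a role.
var _ = Describe("RBAC", func() {

	var team atc.Team

	// Minimal pipeline config: a single no-op job is enough to exercise
	// the set-pipeline permission.
	var pipelineData = []byte(`
---
jobs:
- name: simple
`)

	// setPipelineAs creates a new pipeline in the team as the given local
	// user (the suite's users use their name as password) and returns the
	// API error, if any, so the caller can assert on it at its own line.
	setPipelineAs := func(user string) error {
		_, _, _, err := login(atcURL, user, user).
			Team(team.Name).
			CreateOrUpdatePipelineConfig(atc.PipelineRef{Name: "pipeline-new"}, "0", pipelineData, false)
		return err
	}

	// expectCanViewPipelinesAs asserts that the given local user can list
	// the team's pipelines and sees the single one set up for the spec.
	// Offset 1 so a failure is reported at the calling It, not here.
	expectCanViewPipelinesAs := func(user string) {
		pipelines, err := login(atcURL, user, user).Team(team.Name).ListPipelines()
		ExpectWithOffset(1, err).ToNot(HaveOccurred())
		ExpectWithOffset(1, pipelines).To(HaveLen(1))
	}

	// JustBeforeEach rather than BeforeEach so that any inner BeforeEach —
	// in particular the ones that point cmd.ConfigRBAC at a custom role
	// file — has already run. The team is rebuilt for every spec, so
	// mutations such as the auth update in the owner specs do not leak.
	JustBeforeEach(func() {
		team = atc.Team{
			Name: "some-team",
			Auth: atc.TeamAuth{
				"viewer":            rbacRoleUsers("local:v-user"),
				"pipeline-operator": rbacRoleUsers("local:po-user"),
				"member":            rbacRoleUsers("local:m-user"),
				// local:test presumably is the login the suite helpers use,
				// so it is kept as an owner — confirm against the suite setup.
				"owner": rbacRoleUsers("local:o-user", "local:test"),
			},
		}

		setupTeam(atcURL, team)
		setupPipeline(atcURL, team.Name, pipelineData)
	})

	Context("Default RBAC values", func() {

		Context("when there are defined roles for users", func() {
			Context("when the role is viewer", func() {
				It("should be able to view pipelines", func() {
					expectCanViewPipelinesAs("v-user")
				})

				It("should NOT be able to set pipelines", func() {
					Expect(setPipelineAs("v-user")).To(MatchError(ContainSubstring("forbidden")))
				})
			})

			Context("when the role is pipeline-operator", func() {
				It("should be able to view the pipelines", func() {
					expectCanViewPipelinesAs("po-user")
				})

				It("should NOT be able to set pipelines", func() {
					Expect(setPipelineAs("po-user")).To(MatchError(ContainSubstring("forbidden")))
				})
			})

			Context("when the role is member", func() {
				It("should be able to view the pipelines", func() {
					expectCanViewPipelinesAs("m-user")
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("m-user")).ToNot(HaveOccurred())
				})
			})

			Context("when the role is owner", func() {
				It("should be able to view the pipelines", func() {
					expectCanViewPipelinesAs("o-user")
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("o-user")).ToNot(HaveOccurred())
				})

				It("can update the auth for a team", func() {
					// Drop pipeline-operator and member; the owner must be
					// able to push this narrower auth and read it back intact.
					team.Auth = atc.TeamAuth{
						"viewer": rbacRoleUsers("local:v-user"),
						"owner":  rbacRoleUsers("local:o-user", "local:test"),
					}

					ccClient := login(atcURL, "o-user", "o-user")
					createdTeam, _, _, _, err := ccClient.Team(team.Name).CreateOrUpdate(team)

					Expect(err).ToNot(HaveOccurred())
					Expect(createdTeam.Name).To(Equal(team.Name))
					Expect(createdTeam.Auth).To(Equal(team.Auth))
				})
			})
		})
	})

	Context("Customize RBAC", func() {

		var (
			rbac string // YAML role customization that useRBACFile writes to disk
			tmp  string // per-parallel-node scratch directory for the role file
		)

		// useRBACFile writes the current rbac YAML to tmp/name and points
		// the ATC at it. The file is configuration read back by the same
		// user that writes it, so owner-only read/write is enough and no
		// execute bit is needed. Offset 1 so a write failure is reported at
		// the caller.
		useRBACFile := func(name string) {
			file := filepath.Join(tmp, name)
			ExpectWithOffset(1, ioutil.WriteFile(file, []byte(rbac), 0600)).To(Succeed())
			cmd.ConfigRBAC = flag.File(file)
		}

		// buildATC constructs the ATC runner from the current cmd
		// configuration and returns the construction error, which is where
		// the "failed to customize roles" validation of the role file
		// surfaces.
		buildATC := func() error {
			// workaround to avoid panic due to registering http handlers multiple times
			http.DefaultServeMux = new(http.ServeMux)

			_, err := cmd.Runner([]string{})
			return err
		}

		BeforeEach(func() {
			var err error
			tmp, err = ioutil.TempDir("", fmt.Sprintf("tmp-%d", GinkgoParallelNode()))
			Expect(err).ToNot(HaveOccurred())
		})

		AfterEach(func() {
			Expect(os.RemoveAll(tmp)).NotTo(HaveOccurred())
			// tmp is gone; do not leave cmd.ConfigRBAC pointing into it for
			// whichever spec runs next.
			cmd.ConfigRBAC = flag.File("")
		})

		Context("when trying to customize an action that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
viewer:
- NotSaveConfig
`
			})

			It("errors", func() {
				useRBACFile("rbac-not-action.yml")

				Expect(buildATC()).To(MatchError(ContainSubstring("failed to customize roles: unknown action NotSaveConfig")))
			})
		})

		Context("when trying to customize a role that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
not-viewer:
- SaveConfig
`
			})

			It("errors", func() {
				useRBACFile("rbac-not-role.yml")

				Expect(buildATC()).To(MatchError(ContainSubstring("failed to customize roles: unknown role not-viewer")))
			})
		})

		Context("when successfully customizing a role", func() {
			// Grants the viewer role SaveConfig, which the default-RBAC
			// specs above show it normally lacks.
			BeforeEach(func() {
				rbac = `
---
viewer:
- SaveConfig
`
				// NOTE(review): this relies on the suite starting the ATC
				// that serves atcURL after this BeforeEach (e.g. in a
				// JustBeforeEach); otherwise the custom file is never
				// loaded — confirm against the suite setup.
				useRBACFile("rbac.yml")
			})

			It("viewer should be able to set pipelines", func() {
				Expect(setPipelineAs("v-user")).ToNot(HaveOccurred())
			})
		})
	})
})

// rbacRoleUsers builds the auth entry for one team role: the given local
// users plus an explicitly empty (non-nil) groups list.
func rbacRoleUsers(users ...string) map[string][]string {
	return map[string][]string{
		"users":  users,
		"groups": []string{},
	}
}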