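package integration_test

import (
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"path/filepath"

	"github.com/pf-qiu/concourse/v6/atc"
	"github.com/concourse/flag"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// writeRBACConfig writes an RBAC customization document into dir and returns
// its path. The file is only ever read by the ATC, so it is created
// owner-read/write (0600) rather than world-readable and executable (0755);
// a config file never needs the executable bit.
func writeRBACConfig(dir, name, contents string) string {
	path := filepath.Join(dir, name)
	err := ioutil.WriteFile(path, []byte(contents), 0600)
	ExpectWithOffset(1, err).ToNot(HaveOccurred())
	return path
}

// These specs exercise the ATC's team-level RBAC: first the built-in role
// defaults (viewer / pipeline-operator / member / owner), then the
// --config-rbac override that re-maps actions onto roles.
var _ = Describe("RBAC", func() {

	var team atc.Team

	// Minimal pipeline used both as the seed pipeline for the team and as the
	// payload for every "set pipeline" attempt below. Kept unindented because
	// it is YAML inside a raw string.
	var pipelineData = []byte(`
---
jobs:
- name: simple
`)

	// expectCanListPipelines logs in as the given local user and asserts the
	// user sees exactly the one seeded pipeline. The password equals the
	// username for every fixture user in this suite.
	expectCanListPipelines := func(user string) {
		ccClient := login(atcURL, user, user)

		pipelines, err := ccClient.Team(team.Name).ListPipelines()
		ExpectWithOffset(1, err).ToNot(HaveOccurred())
		ExpectWithOffset(1, pipelines).To(HaveLen(1))
	}

	// setPipelineAs logs in as the given local user and attempts to create a
	// new pipeline on the team; the resulting error is returned for the caller
	// to assert on (nil when allowed, a "forbidden" error when refused).
	setPipelineAs := func(user string) error {
		ccClient := login(atcURL, user, user)

		_, _, _, err := ccClient.Team(team.Name).CreateOrUpdatePipelineConfig(atc.PipelineRef{Name: "pipeline-new"}, "0", pipelineData, false)
		return err
	}

	// One local user per built-in role. "local:test" stays an owner next to
	// o-user; presumably it is the suite's default login and must keep access
	// to the team for setupTeam/setupPipeline — confirm against the suite setup.
	// This runs after every BeforeEach, so role customizations configured in
	// a BeforeEach are already in place when the team is created.
	JustBeforeEach(func() {
		team = atc.Team{
			Name: "some-team",
			Auth: atc.TeamAuth{
				"viewer": map[string][]string{
					"users":  []string{"local:v-user"},
					"groups": []string{},
				},
				"pipeline-operator": map[string][]string{
					"users":  []string{"local:po-user"},
					"groups": []string{},
				},
				"member": map[string][]string{
					"users":  []string{"local:m-user"},
					"groups": []string{},
				},
				"owner": map[string][]string{
					"users":  []string{"local:o-user", "local:test"},
					"groups": []string{},
				},
			},
		}

		setupTeam(atcURL, team)
		setupPipeline(atcURL, team.Name, pipelineData)
	})

	Context("Default RBAC values", func() {

		// NOTE(review): the negative assertions in this context only cover
		// SaveConfig. Nothing asserts that viewer, pipeline-operator or member
		// are refused the team-auth update exercised positively in the owner
		// context, so a regression that widened that action to lower roles
		// would not be caught here.
		Context("when there are defined roles for users", func() {
			Context("when the role is viewer", func() {
				It("should be able to view pipelines", func() {
					expectCanListPipelines("v-user")
				})

				It("should NOT be able to set pipelines", func() {
					Expect(setPipelineAs("v-user")).To(MatchError(ContainSubstring("forbidden")))
				})
			})

			Context("when the role is pipeline-operator", func() {
				It("should be able to view the pipelines", func() {
					expectCanListPipelines("po-user")
				})

				It("should NOT be able to set pipelines", func() {
					Expect(setPipelineAs("po-user")).To(MatchError(ContainSubstring("forbidden")))
				})
			})

			Context("when the role is member", func() {
				It("should be able to view the pipelines", func() {
					expectCanListPipelines("m-user")
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("m-user")).ToNot(HaveOccurred())
				})
			})

			Context("when the role is owner", func() {
				It("should be able to view the pipelines", func() {
					// Relies on each spec seeing only the seeded pipeline even
					// though the member spec above creates "pipeline-new";
					// presumably the suite resets the ATC state between specs.
					expectCanListPipelines("o-user")
				})

				It("should be able to set pipelines", func() {
					Expect(setPipelineAs("o-user")).ToNot(HaveOccurred())
				})

				It("can update the auth for a team", func() {
					// Drop pipeline-operator and member entirely; the owner
					// must be able to shrink the team's auth config.
					team.Auth = atc.TeamAuth{
						"viewer": map[string][]string{
							"users":  []string{"local:v-user"},
							"groups": []string{},
						},
						"owner": map[string][]string{
							"users":  []string{"local:o-user", "local:test"},
							"groups": []string{},
						},
					}

					ccClient := login(atcURL, "o-user", "o-user")
					createdTeam, _, _, _, err := ccClient.Team(team.Name).CreateOrUpdate(team)

					Expect(err).ToNot(HaveOccurred())
					Expect(createdTeam.Name).To(Equal(team.Name))
					Expect(createdTeam.Auth).To(Equal(team.Auth))
				})
			})
		})
	})

	Context("Customize RBAC", func() {

		var (
			rbac string // YAML document mapping a role to the actions it gains
			tmp  string // per-spec scratch directory holding the RBAC file
		)

		// runATCWithRBAC writes the current rbac document under name, points
		// the ATC at it and re-runs the command so the file is parsed. The
		// returned error is the startup failure, or nil if startup succeeded.
		runATCWithRBAC := func(name string) error {
			cmd.ConfigRBAC = flag.File(writeRBACConfig(tmp, name, rbac))

			// workaround to avoid panic due to registering http handlers multiple times
			http.DefaultServeMux = new(http.ServeMux)

			_, err := cmd.Runner([]string{})
			return err
		}

		BeforeEach(func() {
			var err error
			// Parallel nodes each get their own directory so they cannot
			// read or clobber each other's RBAC file.
			tmp, err = ioutil.TempDir("", fmt.Sprintf("tmp-%d", GinkgoParallelNode()))
			Expect(err).ToNot(HaveOccurred())
		})

		AfterEach(func() {
			// Clear the override so later specs (and other spec files) start
			// from the default role map instead of inheriting this file's.
			// NOTE(review): if the ATC applies the customization to a
			// process-global role map, clearing the flag alone will not undo
			// it — confirm the suite re-creates the ATC between specs.
			cmd.ConfigRBAC = ""
			Expect(os.RemoveAll(tmp)).To(Succeed())
		})

		Context("when trying to customize an action that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
viewer:
- NotSaveConfig
`
			})

			It("errors", func() {
				err := runATCWithRBAC("rbac-not-action.yml")
				Expect(err).To(MatchError(ContainSubstring("failed to customize roles: unknown action NotSaveConfig")))
			})
		})

		Context("when trying to customize a role that doesn't exist", func() {
			BeforeEach(func() {
				rbac = `
---
not-viewer:
- SaveConfig
`
			})

			It("errors", func() {
				err := runATCWithRBAC("rbac-not-role.yml")
				Expect(err).To(MatchError(ContainSubstring("failed to customize roles: unknown role not-viewer")))
			})
		})

		Context("when successfully customizing a role", func() {
			BeforeEach(func() {
				rbac = `
---
viewer:
- SaveConfig
`
				// No explicit restart here, unlike the error specs: presumably
				// the suite starts the ATC after all BeforeEach blocks have run,
				// so the flag set below is picked up by that start — confirm
				// against the suite setup.
				cmd.ConfigRBAC = flag.File(writeRBACConfig(tmp, "rbac.yml", rbac))
			})

			It("viewer should be able to set pipelines", func() {
				Expect(setPipelineAs("v-user")).ToNot(HaveOccurred())
			})
		})
	})
})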