github.com/verrazzano/verrazzano@v1.7.0/cluster-operator/controllers/quickcreate/controller/oci/credentials_test.go

github.com/verrazzano/verrazzano@v1.7.0/cluster-operator/controllers/quickcreate/controller/oci/credentials_test.go (about)

     1  // Copyright (c) 2023, Oracle and/or its affiliates.
     2  // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
     3  
     4  package oci_test
     5  
     6  import (
     7  	"context"
     8  	_ "embed"
     9  	"encoding/json"
    10  	"github.com/stretchr/testify/assert"
    11  	vmcv1alpha1 "github.com/verrazzano/verrazzano/cluster-operator/apis/clusters/v1alpha1"
    12  	"github.com/verrazzano/verrazzano/cluster-operator/controllers/quickcreate/controller/oci"
    13  	corev1 "k8s.io/api/core/v1"
    14  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    15  	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    16  	"k8s.io/apimachinery/pkg/runtime"
    17  	apiyaml "k8s.io/apimachinery/pkg/util/yaml"
    18  	clipkg "sigs.k8s.io/controller-runtime/pkg/client"
    19  	"sigs.k8s.io/controller-runtime/pkg/client/fake"
    20  	"testing"
    21  )
    22  
    23  var (
    24  	testRef = vmcv1alpha1.NamespacedRef{
    25  		Name:      "test",
    26  		Namespace: "test",
    27  	}
    28  	scheme *runtime.Scheme
    29  	//go:embed testdata/identity-base.yaml
    30  	testIdentityBase []byte
    31  	//go:embed testdata/patch-allow-all.yaml
    32  	testPatchAllowAll []byte
    33  	//go:embed testdata/patch-allow-default-ns.yaml
    34  	testPatchAllowDefaultNs []byte
    35  	//go:embed testdata/patch-allow-test-ns.yaml
    36  	testPatchAllowTestNs []byte
    37  	//go:embed testdata/patch-allow-test-ns-by-selector.yaml
    38  	testPatchAllowTestNsBySelector []byte
    39  )
    40  
    41  func init() {
    42  	scheme = runtime.NewScheme()
    43  	_ = corev1.AddToScheme(scheme)
    44  	_ = vmcv1alpha1.AddToScheme(scheme)
    45  }
    46  
    47  func TestLoadCredentials(t *testing.T) {
    48  	selectorNamespace := &corev1.Namespace{
    49  		ObjectMeta: metav1.ObjectMeta{
    50  			Name: testRef.Name,
    51  			Labels: map[string]string{
    52  				"foo": "bar",
    53  			},
    54  		},
    55  	}
    56  	clusterNamespace := testRef.Namespace
    57  	var tests = []struct {
    58  		name     string
    59  		cli      clipkg.Client
    60  		hasError bool
    61  	}{
    62  		{
    63  			"access when identity allows test namespace by selector",
    64  			fake.NewClientBuilder().WithScheme(scheme).WithObjects(newTestIdentity(testPatchAllowTestNsBySelector), newTestSecret(), selectorNamespace).Build(),
    65  			false,
    66  		},
    67  		{
    68  			"access when identity allows test namespace",
    69  			fake.NewClientBuilder().WithScheme(scheme).WithObjects(newTestIdentity(testPatchAllowTestNs), newTestSecret()).Build(),
    70  			false,
    71  		},
    72  		{
    73  			"deny when identity allows a namespace that isn't the test namespaces",
    74  			fake.NewClientBuilder().WithScheme(scheme).WithObjects(newTestIdentity(testPatchAllowDefaultNs), newTestSecret()).Build(),
    75  			true,
    76  		},
    77  		{
    78  			"allow when identity allows all namespaces",
    79  			fake.NewClientBuilder().WithScheme(scheme).WithObjects(newTestIdentity(testPatchAllowAll), newTestSecret()).Build(),
    80  			false,
    81  		},
    82  		{
    83  			"deny when identity has no allowedNamespaces",
    84  			fake.NewClientBuilder().WithScheme(scheme).WithObjects(newTestIdentity(nil)).Build(),
    85  			true,
    86  		},
    87  		{
    88  			"deny when identity not found",
    89  			fake.NewClientBuilder().WithScheme(scheme).Build(),
    90  			true,
    91  		},
    92  	}
    93  
    94  	for _, tt := range tests {
    95  		t.Run(tt.name, func(t *testing.T) {
    96  			c, err := oci.CredentialsLoaderImpl{}.GetCredentialsIfAllowed(context.TODO(), tt.cli, testRef.AsNamespacedName(), clusterNamespace)
    97  			if tt.hasError {
    98  				assert.Error(t, err)
    99  				assert.Nil(t, c)
   100  			} else {
   101  				assert.NoError(t, err)
   102  				assert.NotNil(t, c)
   103  			}
   104  		})
   105  	}
   106  }
   107  
   108  func newTestIdentity(allowedNamespaces []byte) *unstructured.Unstructured {
   109  	j, _ := apiyaml.ToJSON(testIdentityBase)
   110  	obj, _ := runtime.Decode(unstructured.UnstructuredJSONScheme, j)
   111  	identity := obj.(*unstructured.Unstructured)
   112  	if len(allowedNamespaces) > 0 {
   113  		allowedNamespacesJSON, _ := apiyaml.ToJSON(allowedNamespaces)
   114  		m := map[string]interface{}{}
   115  		_ = json.Unmarshal(allowedNamespacesJSON, &m)
   116  		identity.Object["spec"].(map[string]interface{})["allowedNamespaces"] = m
   117  	}
   118  	return identity
   119  }
   120  
   121  func newTestSecret() *corev1.Secret {
   122  	return &corev1.Secret{
   123  		ObjectMeta: metav1.ObjectMeta{
   124  			Name:      testRef.Name,
   125  			Namespace: testRef.Namespace,
   126  		},
   127  		Data: map[string][]byte{},
   128  	}
   129  }