/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validatingadmissionpolicy

import (
	"context"
	"testing"

	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	"k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/kubernetes/pkg/registry/admissionregistration/resolver"
)

// authzCase is one row of the TestAuthorization table: the requesting user,
// the authorizer the strategy is built with, how the policy's paramKind is
// resolved to a resource, and whether Validate/ValidateUpdate are expected
// to reject the policy.
type authzCase struct {
	name             string
	userInfo         user.Info
	auth             AuthFunc
	resourceResolver resolver.ResourceResolverFunc
	expectErr        bool
}

// allowOnlyResource returns an authorizer that allows a request whose
// resource is exactly res and denies every other request. It lets the table
// express "the user may touch X" without a full RBAC setup.
func allowOnlyResource(res string) AuthFunc {
	return func(_ context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
		if a.GetResource() == res {
			return authorizer.DecisionAllow, "", nil
		}
		return authorizer.DecisionDeny, "", nil
	}
}

// resolveToReplicaLimits maps any paramKind to the replicalimits resource in
// rules.example.com/v1, so the authorizer is always asked about that resource
// regardless of the kind named in the policy under test.
func resolveToReplicaLimits(_ schema.GroupVersionKind) (schema.GroupVersionResource, error) {
	return schema.GroupVersionResource{
		Group:    "rules.example.com",
		Version:  "v1",
		Resource: "replicalimits",
	}, nil
}

// TestAuthorization checks that creating or updating a
// ValidatingAdmissionPolicy is gated on the requesting user being authorized
// for the resource its paramKind resolves to: a privileged user bypasses the
// check, an ordinary user passes only when the authorizer allows the resolved
// resource, and is rejected when it allows something else.
func TestAuthorization(t *testing.T) {
	cases := []authzCase{
		{
			name:     "superuser",
			userInfo: &user.DefaultInfo{Groups: []string{user.SystemPrivilegedGroup}},
			// An always-deny authorizer must not block a member of the
			// privileged group. resourceResolver is deliberately left nil:
			// this case relies on the privileged-group short-circuit running
			// before any paramKind resolution — verify against NewStrategy
			// if that ordering ever changes.
			auth: func(_ context.Context, _ authorizer.Attributes) (authorizer.Decision, string, error) {
				return authorizer.DecisionDeny, "", nil
			},
			expectErr: false,
		},
		{
			name:             "authorized",
			userInfo:         &user.DefaultInfo{Groups: []string{user.AllAuthenticated}},
			auth:             allowOnlyResource("replicalimits"),
			resourceResolver: resolveToReplicaLimits,
			expectErr:        false,
		},
		{
			// The authorizer grants configmaps only, but paramKind resolves
			// to replicalimits, so the policy must be rejected.
			name:             "denied",
			userInfo:         &user.DefaultInfo{Groups: []string{user.AllAuthenticated}},
			auth:             allowOnlyResource("configmaps"),
			resourceResolver: resolveToReplicaLimits,
			expectErr:        true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) { runAuthzCase(t, tc) })
	}
}

// runAuthzCase drives both the create and the update path of the strategy
// built from tc and reports a mismatch against tc.expectErr. Only the
// presence of validation errors is asserted, not their content.
func runAuthzCase(t *testing.T, tc authzCase) {
	strategy := NewStrategy(tc.auth, tc.resourceResolver)
	ctx := request.WithUser(context.Background(), tc.userInfo)

	t.Run("create", func(t *testing.T) {
		errs := strategy.Validate(ctx, validValidatingAdmissionPolicy())
		if gotErr := len(errs) > 0; gotErr != tc.expectErr {
			t.Errorf("expected error: %v but got error: %v", tc.expectErr, errs)
		}
	})

	t.Run("update", func(t *testing.T) {
		obj := validValidatingAdmissionPolicy()
		// Make the two objects differ in paramKind so the update path has to
		// consult the authorizer (presumably an unchanged paramKind would not
		// re-trigger it — confirm against ValidateUpdate). Argument order is
		// kept as in the existing test: the modified copy is passed last.
		objWithOtherParamKind := obj.DeepCopy()
		objWithOtherParamKind.Spec.ParamKind.APIVersion += "1"
		errs := strategy.ValidateUpdate(ctx, obj, objWithOtherParamKind)
		if gotErr := len(errs) > 0; gotErr != tc.expectErr {
			t.Errorf("expected error: %v but got error: %v", tc.expectErr, errs)
		}
	})
}

// AuthFunc adapts a plain decision function to the authorizer.Authorizer
// interface so tests can hand an inline policy to NewStrategy.
type AuthFunc func(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error)

var _ authorizer.Authorizer = AuthFunc(nil)

// Authorize satisfies authorizer.Authorizer by delegating to f.
func (f AuthFunc) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
	return f(ctx, a)
}