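// Listing: k8s.io/kubernetes@v1.29.3/pkg/registry/authorization/util/helpers_test.go

/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	"reflect"
	"testing"

	"k8s.io/apimachinery/pkg/util/sets"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
)

// TestResourceAttributesFrom is a field-drift guard for the conversion from
// access-review API types to authorizer.AttributesRecord.
//
// It enumerates the struct fields of the API types and of the record by
// reflection and fails when it meets a name that is not in the matching
// allow-list. A field that exists on an API type but is not copied by
// ResourceAttributesFrom/NonResourceAttributesFrom would be missing from the
// record handed to the authorizer, so the review would be evaluated against
// fewer attributes than the caller asked about. Failing here forces whoever
// adds a field to decide how it is converted.
//
// Each API type has its own allow-list. A single merged list would accept
// "Path" on ResourceAttributes, and it would leave NonResourceAttributes
// itself unchecked.
//
// NOTE(review): the NonResourceAttributes field list is taken from the
// literal used in TestAuthorizationAttributesFrom; confirm it against the
// type definition at this version.
func TestResourceAttributesFrom(t *testing.T) {
	knownResourceAttributesNames := sets.NewString(
		// Fields we copy in ResourceAttributesFrom
		"Verb",
		"Namespace",
		"Group",
		"Version",
		"Resource",
		"Subresource",
		"Name",
	)
	// The callback always returns false, so FieldByNameFunc never selects a
	// field; it is used only to visit every field name.
	reflect.TypeOf(authorizationapi.ResourceAttributes{}).FieldByNameFunc(func(name string) bool {
		if !knownResourceAttributesNames.Has(name) {
			t.Errorf("authorizationapi.ResourceAttributes has a new field: %q. Add to ResourceAttributesFrom/NonResourceAttributesFrom as appropriate, then add to knownResourceAttributesNames", name)
		}
		return false
	})

	knownNonResourceAttributesNames := sets.NewString(
		// Fields we copy in NonResourceAttributesFrom
		"Path",
		"Verb",
	)
	reflect.TypeOf(authorizationapi.NonResourceAttributes{}).FieldByNameFunc(func(name string) bool {
		if !knownNonResourceAttributesNames.Has(name) {
			t.Errorf("authorizationapi.NonResourceAttributes has a new field: %q. Add to NonResourceAttributesFrom as appropriate, then add to knownNonResourceAttributesNames", name)
		}
		return false
	})

	// AttributesRecord is the single output type of both helpers, so one
	// merged allow-list is correct here.
	knownAttributesRecordFieldNames := sets.NewString(
		// Fields we set in ResourceAttributesFrom
		"User",
		"Verb",
		"Namespace",
		"APIGroup",
		"APIVersion",
		"Resource",
		"Subresource",
		"Name",
		"ResourceRequest",

		// Fields we set in NonResourceAttributesFrom
		"User",
		"ResourceRequest",
		"Path",
		"Verb",
	)
	reflect.TypeOf(authorizer.AttributesRecord{}).FieldByNameFunc(func(name string) bool {
		if !knownAttributesRecordFieldNames.Has(name) {
			t.Errorf("authorizer.AttributesRecord has a new field: %q. Add to ResourceAttributesFrom/NonResourceAttributesFrom as appropriate, then add to knownAttributesRecordFieldNames", name)
		}
		return false
	})
}

// TestAuthorizationAttributesFrom checks, case by case, that a
// SubjectAccessReviewSpec is converted into the expected
// authorizer.AttributesRecord.
//
// The cases cover a non-resource request (user, groups and extra carried
// over; verb and path set), a resource request with every attribute set, and
// a resource request without a version, for which the expected APIVersion is
// the wildcard "*".
//
// NOTE(review): every case sets exactly one of ResourceAttributes and
// NonResourceAttributes. What the helper does when both or neither are set is
// not pinned by this table; presumably validation rejects such specs before
// the helper runs. Confirm against the caller.
func TestAuthorizationAttributesFrom(t *testing.T) {
	type args struct {
		spec authorizationapi.SubjectAccessReviewSpec
	}
	tests := []struct {
		name string
		args args
		want authorizer.AttributesRecord
	}{
		{
			name: "nonresource",
			args: args{
				spec: authorizationapi.SubjectAccessReviewSpec{
					User:                  "bob",
					Groups:                []string{user.AllAuthenticated},
					NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
					Extra:                 map[string]authorizationapi.ExtraValue{"scopes": {"scope-a", "scope-b"}},
				},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name:   "bob",
					Groups: []string{user.AllAuthenticated},
					Extra:  map[string][]string{"scopes": {"scope-a", "scope-b"}},
				},
				Verb: "get",
				Path: "/mypath",
			},
		},
		{
			name: "resource",
			args: args{
				spec: authorizationapi.SubjectAccessReviewSpec{
					User: "bob",
					ResourceAttributes: &authorizationapi.ResourceAttributes{
						Namespace:   "myns",
						Verb:        "create",
						Group:       "extensions",
						Version:     "v1beta1",
						Resource:    "deployments",
						Subresource: "scale",
						Name:        "mydeployment",
					},
				},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name: "bob",
				},
				APIGroup:        "extensions",
				APIVersion:      "v1beta1",
				Namespace:       "myns",
				Verb:            "create",
				Resource:        "deployments",
				Subresource:     "scale",
				Name:            "mydeployment",
				ResourceRequest: true,
			},
		},
		{
			name: "resource with no version",
			args: args{
				spec: authorizationapi.SubjectAccessReviewSpec{
					User: "bob",
					ResourceAttributes: &authorizationapi.ResourceAttributes{
						Namespace:   "myns",
						Verb:        "create",
						Group:       "extensions",
						Resource:    "deployments",
						Subresource: "scale",
						Name:        "mydeployment",
					},
				},
			},
			want: authorizer.AttributesRecord{
				User: &user.DefaultInfo{
					Name: "bob",
				},
				APIGroup:        "extensions",
				APIVersion:      "*",
				Namespace:       "myns",
				Verb:            "create",
				Resource:        "deployments",
				Subresource:     "scale",
				Name:            "mydeployment",
				ResourceRequest: true,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := AuthorizationAttributesFrom(tt.args.spec)
			if reflect.DeepEqual(got, tt.want) {
				return
			}
			// User holds a pointer, which fmt prints as an address when it is
			// nested in the record. Print it separately so a mismatch in
			// name, groups or extra is visible in the failure output.
			t.Errorf("AuthorizationAttributesFrom() = %+v (user: %+v), want %+v (user: %+v)", got, got.User, tt.want, tt.want.User)
		})
	}
}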