/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package rbac

import (
	"reflect"
	"testing"

	rbacv1 "k8s.io/api/rbac/v1"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
)

// TestSubjectLocator exercises SubjectAccessEvaluator.AllowedSubjects: for a
// fixed set of (cluster) roles and bindings it checks which subjects are
// reported as allowed to perform a given action.
//
// Every expected result starts with the privileged group
// (user.SystemPrivilegedGroup) and, when a super user is configured, that user
// comes next; the subjects granted through bindings follow. The comparison is
// done with reflect.DeepEqual, so the order of the returned subjects is part
// of what this test pins down.
func TestSubjectLocator(t *testing.T) {
	// subject builds an RBAC subject of the given kind in the rbac API group.
	subject := func(kind, name string) rbacv1.Subject {
		return rbacv1.Subject{Kind: kind, APIGroup: rbacv1.GroupName, Name: name}
	}
	privileged := subject(rbacv1.GroupKind, user.SystemPrivilegedGroup)

	// expectation pairs one action with the exact subject list AllowedSubjects
	// must return for it.
	type expectation struct {
		action authorizer.Attributes
		want   []rbacv1.Subject
	}

	cases := []struct {
		name                string
		roles               []*rbacv1.Role
		roleBindings        []*rbacv1.RoleBinding
		clusterRoles        []*rbacv1.ClusterRole
		clusterRoleBindings []*rbacv1.ClusterRoleBinding
		superUser           string
		expectations        []expectation
	}{
		{
			name: "no super user, star matches star",
			clusterRoles: []*rbacv1.ClusterRole{
				newClusterRole("admin", newRule("*", "*", "*", "*")),
			},
			clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
				newClusterRoleBinding("admin", "User:super-admin", "Group:super-admins"),
			},
			roleBindings: []*rbacv1.RoleBinding{
				newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
			},
			expectations: []expectation{
				{
					// cluster-wide binding plus the ns1 role binding both apply
					action: &defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
						subject(rbacv1.UserKind, "admin"),
						subject(rbacv1.GroupKind, "admins"),
					},
				},
				{
					// cluster role matches star in namespace; the ns1-scoped
					// binding does not
					action: &defaultAttributes{"", "", "*", "Pods", "", "*", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
					},
				},
				{
					// empty namespace: only the cluster-wide binding applies
					action: &defaultAttributes{"", "", "*", "Pods", "", "", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
					},
				},
			},
		},
		{
			name:      "super user, local roles work",
			superUser: "foo",
			clusterRoles: []*rbacv1.ClusterRole{
				newClusterRole("admin", newRule("*", "*", "*", "*")),
			},
			clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
				newClusterRoleBinding("admin", "User:super-admin", "Group:super-admins"),
			},
			roles: []*rbacv1.Role{
				newRole("admin", "ns1", newRule("get", "*", "Pods", "*")),
			},
			roleBindings: []*rbacv1.RoleBinding{
				newRoleBinding("ns1", "admin", bindToRole, "User:admin", "Group:admins"),
			},
			expectations: []expectation{
				{
					// super user is listed right after the privileged group
					action: &defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "foo"),
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
						subject(rbacv1.UserKind, "admin"),
						subject(rbacv1.GroupKind, "admins"),
					},
				},
				{
					// verb matches correctly: the local role only grants "get"
					action: &defaultAttributes{"", "", "create", "Pods", "", "ns1", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "foo"),
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
					},
				},
				{
					// binding only works in the correct namespace
					action: &defaultAttributes{"", "", "get", "Pods", "", "ns2", ""},
					want: []rbacv1.Subject{
						privileged,
						subject(rbacv1.UserKind, "foo"),
						subject(rbacv1.UserKind, "super-admin"),
						subject(rbacv1.GroupKind, "super-admins"),
					},
				},
			},
		},
	}

	for _, tc := range cases {
		ruleResolver, lister := rbacregistryvalidation.NewTestRuleResolver(tc.roles, tc.roleBindings, tc.clusterRoles, tc.clusterRoleBindings)
		evaluator := SubjectAccessEvaluator{tc.superUser, lister, lister, ruleResolver}
		for i, exp := range tc.expectations {
			got, err := evaluator.AllowedSubjects(exp.action)
			if err != nil {
				t.Errorf("case %q %d: error %v", tc.name, i, err)
			}
			// DeepEqual is positional: a correct set in a different order fails.
			if !reflect.DeepEqual(got, exp.want) {
				t.Errorf("case %q %d: expected\n%v\nactual\n%v", tc.name, i, exp.want, got)
			}
		}
	}
}