scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-02 03:08:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

change rbac roleref type

Browse Source
This commit is contained in:
deads2k
2016-08-24 14:23:27 -04:00
parent 80f56d831c
commit 8c788233e7
12 changed files with 281 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
pkg/apis/rbac/validation/validation_test.go
View File

@@ -24,11 +24,126 @@ import (
"k8s.io/kubernetes/pkg/util/validation/field"
)
func TestValidateClusterRoleBinding(t *testing.T) {
errs := ValidateClusterRoleBinding(
&rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Namespace: "foo", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
{Name: "valid@groupname", Kind: rbac.GroupKind},
},
},
)
if len(errs) != 0 {
t.Errorf("expected success: %v", errs)
}
errorCases := map[string]struct {
A rbac.ClusterRoleBinding
T field.ErrorType
F string
}{
"bad group": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: "rbac.GroupName", Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.apiGroup",
},
"bad kind": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Type", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"reference role": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"zero-length name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.name",
},
"bad role": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole"},
},
T: field.ErrorTypeRequired,
F: "roleRef.name",
},
"bad subject kind": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject"}},
},
T: field.ErrorTypeNotSupported,
F: "subjects[0].kind",
},
"bad subject name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Namespace: "foo", Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeInvalid,
F: "subjects[0].name",
},
"missing SA namespace": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Name: "good", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
F: "subjects[0].namespace",
},
"missing subject name": {
A: rbac.ClusterRoleBinding{
ObjectMeta: api.ObjectMeta{Name: "master"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: "valid"},
Subjects: []rbac.Subject{{Namespace: "foo", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
F: "subjects[0].name",
},
}
for k, v := range errorCases {
errs := ValidateClusterRoleBinding(&v.A)
if len(errs) == 0 {
t.Errorf("expected failure %s for %v", k, v.A)
continue
}
for i := range errs {
if errs[i].Type != v.T {
t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
}
if errs[i].Field != v.F {
t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
}
}
}
}
func TestValidateRoleBinding(t *testing.T) {
errs := ValidateRoleBinding(
&rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{
{Name: "validsaname", Kind: rbac.ServiceAccountKind},
{Name: "valid@username", Kind: rbac.UserKind},
@@ -45,10 +160,26 @@ func TestValidateRoleBinding(t *testing.T) {
T field.ErrorType
F string
}{
"bad group": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: "rbac.GroupName", Kind: "ClusterRole", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.apiGroup",
},
"bad kind": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Type", Name: "valid"},
},
T: field.ErrorTypeNotSupported,
F: "roleRef.kind",
},
"zero-length namespace": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Name: "default"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.namespace",
@@ -56,23 +187,15 @@ func TestValidateRoleBinding(t *testing.T) {
"zero-length name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
T: field.ErrorTypeRequired,
F: "metadata.name",
},
"invalid ref": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "name"},
RoleRef: api.ObjectReference{Namespace: "-192083", Name: "valid"},
},
T: field.ErrorTypeInvalid,
F: "roleRef.namespace",
},
"bad role": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
RoleRef: api.ObjectReference{Namespace: "default"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role"},
},
T: field.ErrorTypeRequired,
F: "roleRef.name",
@@ -80,7 +203,7 @@ func TestValidateRoleBinding(t *testing.T) {
"bad subject kind": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject"}},
},
T: field.ErrorTypeNotSupported,
@@ -89,7 +212,7 @@ func TestValidateRoleBinding(t *testing.T) {
"bad subject name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeInvalid,
@@ -98,7 +221,7 @@ func TestValidateRoleBinding(t *testing.T) {
"missing subject name": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
Subjects: []rbac.Subject{{Kind: rbac.ServiceAccountKind}},
},
T: field.ErrorTypeRequired,
@@ -125,13 +248,13 @@ func TestValidateRoleBinding(t *testing.T) {
func TestValidateRoleBindingUpdate(t *testing.T) {
old := &rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
}
errs := ValidateRoleBindingUpdate(
&rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "valid"},
},
old,
)
@@ -147,7 +270,7 @@ func TestValidateRoleBindingUpdate(t *testing.T) {
"changedRef": {
A: rbac.RoleBinding{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
RoleRef: api.ObjectReference{Namespace: "master", Name: "changed"},
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "changed"},
},
T: field.ErrorTypeInvalid,
F: "roleRef",