add localSAR

2025-11-03 19:58:17 +00:00 · 2016-09-09 14:48:44 -04:00
parent ac8aae584d
commit 8fac64b43f
14 changed files with 431 additions and 35 deletions
--- a/pkg/apis/authorization/validation/validation_test.go
+++ b/pkg/apis/authorization/validation/validation_test.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 	"testing"

+	"k8s.io/kubernetes/pkg/api"
 	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
 	"k8s.io/kubernetes/pkg/util/validation/field"
 )
@@ -133,3 +134,68 @@ func TestValidateSelfSAR(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateLocalSAR(t *testing.T) {
+	successCases := []authorizationapi.LocalSubjectAccessReview{
+		{
+			Spec: authorizationapi.SubjectAccessReviewSpec{
+				ResourceAttributes: &authorizationapi.ResourceAttributes{},
+				User:               "user",
+			},
+		},
+	}
+	for _, successCase := range successCases {
+		if errs := ValidateLocalSubjectAccessReview(&successCase); len(errs) != 0 {
+			t.Errorf("expected success: %v", errs)
+		}
+	}
+
+	errorCases := []struct {
+		name string
+		obj  *authorizationapi.LocalSubjectAccessReview
+		msg  string
+	}{
+		{
+			name: "name",
+			obj: &authorizationapi.LocalSubjectAccessReview{
+				ObjectMeta: api.ObjectMeta{Name: "a"},
+				Spec: authorizationapi.SubjectAccessReviewSpec{
+					ResourceAttributes: &authorizationapi.ResourceAttributes{},
+					User:               "user",
+				},
+			},
+			msg: "must be empty except for namespace",
+		},
+		{
+			name: "namespace conflict",
+			obj: &authorizationapi.LocalSubjectAccessReview{
+				ObjectMeta: api.ObjectMeta{Namespace: "a"},
+				Spec: authorizationapi.SubjectAccessReviewSpec{
+					ResourceAttributes: &authorizationapi.ResourceAttributes{},
+					User:               "user",
+				},
+			},
+			msg: "must match metadata.namespace",
+		},
+		{
+			name: "nonresource",
+			obj: &authorizationapi.LocalSubjectAccessReview{
+				ObjectMeta: api.ObjectMeta{Namespace: "a"},
+				Spec: authorizationapi.SubjectAccessReviewSpec{
+					NonResourceAttributes: &authorizationapi.NonResourceAttributes{},
+					User: "user",
+				},
+			},
+			msg: "disallowed on this kind of request",
+		},
+	}
+
+	for _, c := range errorCases {
+		errs := ValidateLocalSubjectAccessReview(c.obj)
+		if len(errs) == 0 {
+			t.Errorf("%s: expected failure for %q", c.name, c.msg)
+		} else if !strings.Contains(errs[0].Error(), c.msg) {
+			t.Errorf("%s: unexpected error: %q, expected: %q", c.name, errs[0], c.msg)
+		}
+	}
+}