scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-02 03:08:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: don't allow rules to mix non-resource URLs and resources

Browse Source
This commit is contained in:
Eric Chiang
2016-08-01 17:47:47 -07:00
parent 472dcec7b2
commit 93947663d9
4 changed files with 262 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

264
pkg/apis/rbac/validation/validation_test.go
View File

@@ -172,54 +172,6 @@ func TestValidateRoleBindingUpdate(t *testing.T) {
}
}
func TestValidateRole(t *testing.T) {
errs := validateRole(
&rbac.Role{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
},
true,
)
if len(errs) != 0 {
t.Errorf("expected success: %v", errs)
}
errorCases := map[string]struct {
A rbac.Role
T field.ErrorType
F string
}{
"zero-length namespace": {
A: rbac.Role{
ObjectMeta: api.ObjectMeta{Name: "default"},
},
T: field.ErrorTypeRequired,
F: "metadata.namespace",
},
"zero-length name": {
A: rbac.Role{
ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
},
T: field.ErrorTypeRequired,
F: "metadata.name",
},
}
for k, v := range errorCases {
errs := validateRole(&v.A, true)
if len(errs) == 0 {
t.Errorf("expected failure %s for %v", k, v.A)
continue
}
for i := range errs {
if errs[i].Type != v.T {
t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
}
if errs[i].Field != v.F {
t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
}
}
}
}
func TestNonResourceURLCovers(t *testing.T) {
tests := []struct {
owner string
@@ -244,3 +196,219 @@ func TestNonResourceURLCovers(t *testing.T) {
}
}
}
type validateRoleTest struct {
role rbac.Role
isNamespaced bool
wantErr bool
errType field.ErrorType
field string
}
func (v validateRoleTest) test(t *testing.T) {
errs := validateRole(&v.role, v.isNamespaced)
if len(errs) == 0 {
if v.wantErr {
t.Fatal("expected validation error")
}
return
}
if !v.wantErr {
t.Errorf("didn't expect error, got %v", errs)
return
}
for i := range errs {
if errs[i].Type != v.errType {
t.Errorf("expected errors to have type %s: %v", v.errType, errs[i])
}
if errs[i].Field != v.field {
t.Errorf("expected errors to have field %s: %v", v.field, errs[i])
}
}
}
func TestValidateRoleZeroLengthNamespace(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{Name: "default"},
},
isNamespaced: true,
wantErr: true,
errType: field.ErrorTypeRequired,
field: "metadata.namespace",
}.test(t)
}
func TestValidateRoleZeroLengthName(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{Namespace: "default"},
},
isNamespaced: true,
wantErr: true,
errType: field.ErrorTypeRequired,
field: "metadata.name",
}.test(t)
}
func TestValidateRoleValidRole(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Namespace: "default",
Name: "default",
},
},
isNamespaced: true,
wantErr: false,
}.test(t)
}
func TestValidateRoleValidRoleNoNamespace(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
},
isNamespaced: false,
wantErr: false,
}.test(t)
}
func TestValidateRoleNonResourceURL(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get"},
NonResourceURLs: []string{"/*"},
},
},
},
isNamespaced: false,
wantErr: false,
}.test(t)
}
func TestValidateRoleNamespacedNonResourceURL(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Namespace: "default",
Name: "default",
},
Rules: []rbac.PolicyRule{
{
// non-resource URLs are invalid for namespaced rules
Verbs: []string{"get"},
NonResourceURLs: []string{"/*"},
},
},
},
isNamespaced: true,
wantErr: true,
errType: field.ErrorTypeInvalid,
field: "rules[0].nonResourceURLs",
}.test(t)
}
func TestValidateRoleNonResourceURLNoVerbs(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{},
NonResourceURLs: []string{"/*"},
},
},
},
isNamespaced: false,
wantErr: true,
errType: field.ErrorTypeRequired,
field: "rules[0].verbs",
}.test(t)
}
func TestValidateRoleMixedNonResourceAndResource(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get"},
NonResourceURLs: []string{"/*"},
APIGroups: []string{"v1"},
Resources: []string{"pods"},
},
},
},
wantErr: true,
errType: field.ErrorTypeInvalid,
field: "rules[0].nonResourceURLs",
}.test(t)
}
func TestValidateRoleValidResource(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get"},
APIGroups: []string{"v1"},
Resources: []string{"pods"},
},
},
},
wantErr: false,
}.test(t)
}
func TestValidateRoleNoAPIGroup(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get"},
Resources: []string{"pods"},
},
},
},
wantErr: true,
errType: field.ErrorTypeRequired,
field: "rules[0].apiGroups",
}.test(t)
}
func TestValidateRoleNoResources(t *testing.T) {
validateRoleTest{
role: rbac.Role{
ObjectMeta: api.ObjectMeta{
Name: "default",
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get"},
APIGroups: []string{"v1"},
},
},
},
wantErr: true,
errType: field.ErrorTypeRequired,
field: "rules[0].resources",
}.test(t)
}