From 1a85431007375a6868c8e51b8eb3151d91d562d8 Mon Sep 17 00:00:00 2001
From: Ali Ok
Date: Thu, 28 May 2020 15:54:09 +0300
Subject: [PATCH] Conformance tests for channel control plane aggregated addressable resolver ClusterRole
---
 ..._addressable_resolver_cluster_role_test.go | 30 +++++++++
 ...sable_resolver_cluster_role_test_helper.go | 64 +++++++++++++++++++
 ...le_manipulator_cluster_role_test_helper.go | 47 ++------------
 test/conformance/helpers/rbac.go | 46 +++++++++++++
 4 files changed, 147 insertions(+), 40 deletions(-)
 create mode 100644 test/conformance/channel_addressable_resolver_cluster_role_test.go
 create mode 100644 test/conformance/helpers/channel_addressable_resolver_cluster_role_test_helper.go
 create mode 100644 test/conformance/helpers/rbac.go
diff --git a/test/conformance/channel_addressable_resolver_cluster_role_test.go b/test/conformance/channel_addressable_resolver_cluster_role_test.go
new file mode 100644
index 00000000000..01ac9417fe8
--- /dev/null
+++ b/test/conformance/channel_addressable_resolver_cluster_role_test.go
@@ -0,0 +1,30 @@
+// +build e2e
+
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package conformance
+
+import (
+ "testing"
+
+ "knative.dev/eventing/test/conformance/helpers"
+ "knative.dev/eventing/test/lib"
+)
+
+func TestChannelAddressableResolverClusterRoleTest(t *testing.T) {
+ helpers.TestChannelAddressableResolverClusterRoleTestRunner(t, channelTestRunner, lib.SetupClientOptionNoop)
+}
diff --git a/test/conformance/helpers/channel_addressable_resolver_cluster_role_test_helper.go b/test/conformance/helpers/channel_addressable_resolver_cluster_role_test_helper.go
new file mode 100644
index 00000000000..d1edc7b14fa
--- /dev/null
+++ b/test/conformance/helpers/channel_addressable_resolver_cluster_role_test_helper.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helpers
+
+import (
+ "testing"
+
+ "fmt"
+
+ "k8s.io/apimachinery/pkg/api/meta"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apiserver/pkg/storage/names"
+
+ "knative.dev/eventing/test/lib"
+)
+
+func TestChannelAddressableResolverClusterRoleTestRunner(
+ t *testing.T,
+ channelTestRunner lib.ChannelTestRunner,
+ options ...lib.SetupClientOption,
+) {
+
+ const aggregationClusterRoleName = "addressable-resolver"
+ var permissionTestCaseVerbs = []string{"get", "list", "watch"}
+
+ channelTestRunner.RunTests(t, lib.FeatureBasic, func(st *testing.T, channel metav1.TypeMeta) {
+ client := lib.Setup(st, true, options...)
+ defer lib.TearDown(client)
+
+ gvr, _ := meta.UnsafeGuessKindToResource(channel.GroupVersionKind())
+
+ saName := names.SimpleNameGenerator.GenerateName("conformance-test-channel-addressable-resolver-")
+ client.CreateServiceAccountOrFail(saName)
+ client.CreateClusterRoleBindingOrFail(
+ saName,
+ aggregationClusterRoleName,
+ saName+"-cluster-role-binding",
+ )
+ client.WaitForAllTestResourcesReadyOrFail()
+
+ for _, verb := range permissionTestCaseVerbs {
+ t.Run(fmt.Sprintf("AddressableResolverClusterRole can do %s on %s", verb, gvr), func(t *testing.T) {
+ ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "", saName, verb)
+ })
+ t.Run(fmt.Sprintf("AddressableResolverClusterRole can do %s on status subresource of %s", verb, gvr), func(t *testing.T) {
+ ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "status", saName, verb)
+ })
+ }
+ })
+}
diff --git a/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go b/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
index f97bc8c9472..ded9976d310 100644
--- a/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
+++ b/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
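Review bot: The per-verb subtests at the bottom of the hunk are registered with `t.Run` on the outer `t`, while `client` was set up with `st` (`client := lib.Setup(st, true, options...)` just above) and the helper fails through `client.T`; assuming `lib.Setup` stores `st` there, a denied or failed SubjectAccessReview would call `Fatalf` on `st` from the inner subtest's goroutine, which the testing package reports as a FailNow-on-parent panic instead of the real message. Use `st.Run(...)` for these subtests and give the helper a `t *testing.T` first parameter that receives the subtest's `t`, so the failure lands on the test that is actually running. The manipulator helper in the second hunk of channel_channelable_manipulator_cluster_role_test_helper.go has the same shape. Separately, the verbs checked here are all read-only; if the spec intends a ceiling as well as a floor for `addressable-resolver`, a companion check that write verbs such as `update` are not granted would catch an over-broad aggregated role, whereas if it only states a minimum the positive checks here are sufficient.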
@@ -21,25 +21,22 @@ import (
 "fmt"
- authv1 "k8s.io/api/authorization/v1"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apiserver/pkg/storage/names"
 "knative.dev/eventing/test/lib"
 )
-const aggregationClusterRoleName = "channelable-manipulator"
-
-var permissionTestCaseVerbs = []string{"get", "list", "watch", "update", "patch"}
-
 func TestChannelChannelableManipulatorClusterRoleTestRunner(
 t *testing.T,
 channelTestRunner lib.ChannelTestRunner,
 options ...lib.SetupClientOption,
 ) {
+ const aggregationClusterRoleName = "channelable-manipulator"
+ var permissionTestCaseVerbs = []string{"get", "list", "watch", "update", "patch"}
+
 channelTestRunner.RunTests(t, lib.FeatureBasic, func(st *testing.T, channel metav1.TypeMeta) {
 client := lib.Setup(st, true, options...)
 defer lib.TearDown(client)
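Review bot: `var permissionTestCaseVerbs = []string{...}` inside the function body is the package-level form carried over from the deleted declaration; in a function body the idiomatic form is `permissionTestCaseVerbs := []string{"get", "list", "watch", "update", "patch"}`. The new addressable-resolver helper copies the same `var` form and can be changed the same way. The function body continues past the end of this hunk.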
@@ -55,45 +52,15 @@ func TestChannelChannelableManipulatorClusterRoleTestRunner(
 )
 client.WaitForAllTestResourcesReadyOrFail()
+ // From spec: (...) ClusterRole MUST include permissions to create, get, list, watch, patch,
+ // and update the CRD's custom objects and their status.
 for _, verb := range permissionTestCaseVerbs {
 t.Run(fmt.Sprintf("ChannelableManipulatorClusterRole can do %s on %s", verb, gvr), func(t *testing.T) {
- serviceAccountCanDoVerbOnResource(st, client, gvr, "", saName, verb)
+ ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "", saName, verb)
 })
 t.Run(fmt.Sprintf("ChannelableManipulatorClusterRole can do %s on status subresource of %s", verb, gvr), func(t *testing.T) {
- serviceAccountCanDoVerbOnResource(st, client, gvr, "status", saName, verb)
+ ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "status", saName, verb)
 })
 }
 })
 }
-
-func serviceAccountCanDoVerbOnResource(st *testing.T, client *lib.Client, gvr schema.GroupVersionResource, subresource string, saName string, verb string) {
- // From spec: (...) ClusterRole MUST include permissions to create, get, list, watch, patch,
- // and update the CRD's custom objects and their status.
- allowed, err := isAllowed(saName, client, verb, gvr, subresource)
- if err != nil {
- client.T.Fatalf("Error while checking if %q is not allowed on %s.%s/%s subresource:%q. err: %q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, err)
- }
- if !allowed {
- client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource)
- }
-}
-
-func isAllowed(saName string, client *lib.Client, verb string, gvr schema.GroupVersionResource, subresource string) (bool, error) {
-
- r, err := client.Kube.Kube.AuthorizationV1().SubjectAccessReviews().Create(&authv1.SubjectAccessReview{
- Spec: authv1.SubjectAccessReviewSpec{
- User: fmt.Sprintf("system:serviceaccount:%s:%s", client.Namespace, saName),
- ResourceAttributes: &authv1.ResourceAttributes{
- Verb: verb,
- Group: gvr.Group,
- Version: gvr.Version,
- Resource: gvr.Resource,
- Subresource: subresource,
- },
- },
- })
- if err != nil {
- return false, err
- }
- return r.Status.Allowed, nil
-}
diff --git a/test/conformance/helpers/rbac.go b/test/conformance/helpers/rbac.go
new file mode 100644
index 00000000000..d96d19ad9a6
--- /dev/null
+++ b/test/conformance/helpers/rbac.go
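Review bot: The spec comment added above the loop lists `create` among the verbs the ClusterRole MUST include, but `permissionTestCaseVerbs` (now declared at the top of this function, in the earlier hunk) holds only get, list, watch, update and patch, so the loop never exercises `create` and the comment promises more than the test verifies. Either add `"create"` to the list — likely only for the main resource, since implementations may not grant create on the `status` subresource and that case would need to be skipped — or narrow the comment to what is checked, e.g. `// From spec: the ClusterRole MUST include permissions to get, list, watch, patch and update the CRD's custom objects and their status (create is not exercised here).` The enclosing function starts before this hunk.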
@@ -0,0 +1,46 @@
+/*
+Copyright 2020 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helpers
+
+import (
+ "fmt"
+
+ authv1 "k8s.io/api/authorization/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "knative.dev/eventing/test/lib"
+)
+
+func ServiceAccountCanDoVerbOnResourceOrFail(client *lib.Client, gvr schema.GroupVersionResource, subresource string, saName string, verb string) {
+ r, err := client.Kube.Kube.AuthorizationV1().SubjectAccessReviews().Create(&authv1.SubjectAccessReview{
+ Spec: authv1.SubjectAccessReviewSpec{
+ User: fmt.Sprintf("system:serviceaccount:%s:%s", client.Namespace, saName),
+ ResourceAttributes: &authv1.ResourceAttributes{
+ Verb: verb,
+ Group: gvr.Group,
+ Version: gvr.Version,
+ Resource: gvr.Resource,
+ Subresource: subresource,
+ },
+ },
+ })
+ if err != nil {
+ client.T.Fatalf("Error while checking if %q is not allowed on %s.%s/%s subresource:%q. err: %q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, err)
+ }
+ if !r.Status.Allowed {
+ client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource)
+ }
+}
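Review bot: `ServiceAccountCanDoVerbOnResourceOrFail` is exported but has no doc comment; add one that states the contract, e.g. `// ServiceAccountCanDoVerbOnResourceOrFail issues a SubjectAccessReview for service account saName in client.Namespace and fails the test through client.T unless verb is allowed on gvr (or on its subresource when subresource is non-empty).` When the review comes back denied, the final Fatalf drops the API server's explanation; `r.Status.Reason` and `r.Status.EvaluationError` are populated to explain a denial or an evaluation problem and turn "not allowed" into an actionable message, e.g. `client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q: %s %s", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, r.Status.Reason, r.Status.EvaluationError)`. The preceding error message reads backwards ("checking if %q is not allowed" for a check that expects the verb to be allowed) and formats the error with `%q`; `%v` is the conventional verb for errors.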