github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/pkg/auth/authorizer/abac/abac_test.go

1269 lines
40 KiB
Go
Raw Normal View History

Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
/*
Remove "All rights reserved" from all the headers.
2016-06-03 00:25:58 +00:00
Copyright 2014 The Kubernetes Authors.
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package abac
import (
"io/ioutil"
"os"
add selfsubjectrulesreview api
2017-07-14 03:24:27 +00:00
"reflect"
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
"testing"
start the apimachinery repo
2017-01-11 14:09:48 +00:00
"k8s.io/apimachinery/pkg/runtime"
mechanical changes for move
2017-01-04 14:31:53 +00:00
"k8s.io/apiserver/pkg/authentication/user"
mechanicals
2017-01-04 15:39:05 +00:00
"k8s.io/apiserver/pkg/authorization/authorizer"
Remove all api.Scheme references by using explicit package aliases
2017-10-16 14:28:42 +00:00
"k8s.io/kubernetes/pkg/apis/abac"
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"k8s.io/kubernetes/pkg/apis/abac/v0"
"k8s.io/kubernetes/pkg/apis/abac/v1beta1"
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
)
func TestEmptyFile(t *testing.T) {
_, err := newWithContents(t, "")
if err != nil {
t.Errorf("unable to read policy file: %v", err)
}
}
func TestOneLineFileNoNewLine(t *testing.T) {
fix ABAC tests
2015-08-10 20:07:08 +00:00
_, err := newWithContents(t, `{"user":"scheduler", "readonly": true, "resource": "pods", "namespace":"ns1"}`)
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
if err != nil {
t.Errorf("unable to read policy file: %v", err)
}
}
func TestTwoLineFile(t *testing.T) {
fix ABAC tests
2015-08-10 20:07:08 +00:00
_, err := newWithContents(t, `{"user":"scheduler", "readonly": true, "resource": "pods"}
{"user":"scheduler", "readonly": true, "resource": "services"}
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
`)
if err != nil {
t.Errorf("unable to read policy file: %v", err)
}
}
// Test the file that we will point users at as an example.
func TestExampleFile(t *testing.T) {
_, err := NewFromFile("./example_policy_file.jsonl")
if err != nil {
t.Errorf("unable to read policy file: %v", err)
}
}
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
func TestAuthorizeV0(t *testing.T) {
fix ABAC tests
2015-08-10 20:07:08 +00:00
a, err := newWithContents(t, `{ "readonly": true, "resource": "events" }
{"user":"scheduler", "readonly": true, "resource": "pods" }
{"user":"scheduler", "resource": "bindings" }
{"user":"kubelet", "readonly": true, "resource": "bindings" }
{"user":"kubelet", "resource": "events" }
{"user":"alice", "namespace": "projectCaribou"}
{"user":"bob", "readonly": true, "namespace": "projectCaribou"}
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
`)
if err != nil {
t.Fatalf("unable to read policy file: %v", err)
}
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
authenticatedGroup := []string{user.AllAuthenticated}
uScheduler := user.DefaultInfo{Name: "scheduler", UID: "uid1", Groups: authenticatedGroup}
uAlice := user.DefaultInfo{Name: "alice", UID: "uid3", Groups: authenticatedGroup}
uChuck := user.DefaultInfo{Name: "chuck", UID: "uid5", Groups: authenticatedGroup}
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
testCases := []struct {
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
User user.DefaultInfo
Verb string
Resource string
NS string
APIGroup string
Path string
ExpectDecision authorizer.Decision
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
}{
// Scheduler can read pods
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "list", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uScheduler, Verb: "list", Resource: "pods", NS: "", ExpectDecision: authorizer.DecisionAllow},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Scheduler cannot write pods
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "create", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uScheduler, Verb: "create", Resource: "pods", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Scheduler can write bindings
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "get", Resource: "bindings", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uScheduler, Verb: "get", Resource: "bindings", NS: "", ExpectDecision: authorizer.DecisionAllow},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Alice can read and write anything in the right namespace.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uAlice, Verb: "get", Resource: "pods", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "get", Resource: "widgets", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "get", Resource: "", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "pods", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "widgets", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "foo", NS: "projectCaribou", APIGroup: "bar", ExpectDecision: authorizer.DecisionAllow},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// .. but not the wrong namespace.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uAlice, Verb: "get", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uAlice, Verb: "get", Resource: "widgets", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uAlice, Verb: "get", Resource: "", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Chuck can read events, since anyone can.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Resource: "events", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uChuck, Verb: "get", Resource: "events", NS: "", ExpectDecision: authorizer.DecisionAllow},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Chuck can't do other things.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "update", Resource: "events", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uChuck, Verb: "get", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uChuck, Verb: "get", Resource: "floop", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
// Chunk can't access things with no kind or namespace
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Path: "/", Resource: "", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
}
fix ABAC tests
2015-08-10 20:07:08 +00:00
for i, tc := range testCases {
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
attr := authorizer.AttributesRecord{
User: &tc.User,
Add verb to authorizer attributes
2015-09-29 01:11:51 +00:00
Verb: tc.Verb,
modify policy to correctly identify resource versus kind
2015-01-29 19:14:54 +00:00
Resource: tc.Resource,
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
Namespace: tc.NS,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
APIGroup: tc.APIGroup,
Path: tc.Path,
ResourceRequest: len(tc.NS) > 0 || len(tc.Resource) > 0,
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
}
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
decision, _, _ := a.Authorize(attr)
if tc.ExpectDecision != decision {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
t.Logf("tc: %v -> attr %v", tc, attr)
fix ABAC tests
2015-08-10 20:07:08 +00:00
t.Errorf("%d: Expected allowed=%v but actually allowed=%v\n\t%v",
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
i, tc.ExpectDecision, decision, tc)
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
}
}
}
add selfsubjectrulesreview api
2017-07-14 03:24:27 +00:00
func getResourceRules(infos []authorizer.ResourceRuleInfo) []authorizer.DefaultResourceRuleInfo {
rules := make([]authorizer.DefaultResourceRuleInfo, len(infos))
for i, info := range infos {
rules[i] = authorizer.DefaultResourceRuleInfo{
Verbs: info.GetVerbs(),
APIGroups: info.GetAPIGroups(),
Resources: info.GetResources(),
ResourceNames: info.GetResourceNames(),
}
}
return rules
}
func getNonResourceRules(infos []authorizer.NonResourceRuleInfo) []authorizer.DefaultNonResourceRuleInfo {
rules := make([]authorizer.DefaultNonResourceRuleInfo, len(infos))
for i, info := range infos {
rules[i] = authorizer.DefaultNonResourceRuleInfo{
Verbs: info.GetVerbs(),
NonResourceURLs: info.GetNonResourceURLs(),
}
}
return rules
}
func TestRulesFor(t *testing.T) {
a, err := newWithContents(t, `
{ "readonly": true, "resource": "events" }
{"user":"scheduler", "readonly": true, "resource": "pods" }
{"user":"scheduler", "resource": "bindings" }
{"user":"kubelet", "readonly": true, "resource": "pods" }
{"user":"kubelet", "resource": "events" }
{"user":"alice", "namespace": "projectCaribou"}
{"user":"bob", "readonly": true, "namespace": "projectCaribou"}
{"user":"bob", "readonly": true, "nonResourcePath": "*"}
{"group":"a", "resource": "bindings" }
{"group":"b", "readonly": true, "nonResourcePath": "*"}
`)
if err != nil {
t.Fatalf("unable to read policy file: %v", err)
}
authenticatedGroup := []string{user.AllAuthenticated}
uScheduler := user.DefaultInfo{Name: "scheduler", UID: "uid1", Groups: authenticatedGroup}
uKubelet := user.DefaultInfo{Name: "kubelet", UID: "uid2", Groups: []string{"a", "b"}}
uAlice := user.DefaultInfo{Name: "alice", UID: "uid3", Groups: authenticatedGroup}
uBob := user.DefaultInfo{Name: "bob", UID: "uid4", Groups: authenticatedGroup}
uChuck := user.DefaultInfo{Name: "chuck", UID: "uid5", Groups: []string{"a", "b"}}
testCases := []struct {
User user.DefaultInfo
Namespace string
ExpectResourceRules []authorizer.DefaultResourceRuleInfo
ExpectNonResourceRules []authorizer.DefaultNonResourceRuleInfo
}{
{
User: uScheduler,
Namespace: "ns1",
ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"events"},
},
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"pods"},
},
{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"bindings"},
},
},
ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{},
},
{
User: uKubelet,
Namespace: "ns1",
ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"pods"},
},
{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"events"},
},
{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"bindings"},
},
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"*"},
},
},
ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
NonResourceURLs: []string{"*"},
},
},
},
{
User: uAlice,
Namespace: "projectCaribou",
ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"events"},
},
{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"*"},
},
},
ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{},
},
{
User: uBob,
Namespace: "projectCaribou",
ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"events"},
},
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"*"},
},
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"*"},
},
},
ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
NonResourceURLs: []string{"*"},
},
},
},
{
User: uChuck,
Namespace: "ns1",
ExpectResourceRules: []authorizer.DefaultResourceRuleInfo{
{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"bindings"},
},
{
Verbs: []string{"get", "list", "watch"},
APIGroups: []string{"*"},
Resources: []string{"*"},
},
},
ExpectNonResourceRules: []authorizer.DefaultNonResourceRuleInfo{
{
Verbs: []string{"get", "list", "watch"},
NonResourceURLs: []string{"*"},
},
},
},
}
for i, tc := range testCases {
attr := authorizer.AttributesRecord{
User: &tc.User,
Namespace: tc.Namespace,
}
resourceRules, nonResourceRules, _, _ := a.RulesFor(attr.GetUser(), attr.GetNamespace())
actualResourceRules := getResourceRules(resourceRules)
if !reflect.DeepEqual(tc.ExpectResourceRules, actualResourceRules) {
t.Logf("tc: %v -> attr %v", tc, attr)
t.Errorf("%d: Expected: \n%#v\n but actual: \n%#v\n",
i, tc.ExpectResourceRules, actualResourceRules)
}
actualNonResourceRules := getNonResourceRules(nonResourceRules)
if !reflect.DeepEqual(tc.ExpectNonResourceRules, actualNonResourceRules) {
t.Logf("tc: %v -> attr %v", tc, attr)
t.Errorf("%d: Expected: \n%#v\n but actual: \n%#v\n",
i, tc.ExpectNonResourceRules, actualNonResourceRules)
}
}
}
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
func TestAuthorizeV1beta1(t *testing.T) {
a, err := newWithContents(t,
`
# Comment line, after a blank line
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"*", "readonly": true, "nonResourcePath": "/api"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"*", "nonResourcePath": "/custom"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"*", "nonResourcePath": "/root/*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"noresource", "nonResourcePath": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"*", "readonly": true, "resource": "events", "namespace": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"scheduler", "readonly": true, "resource": "pods", "namespace": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"scheduler", "resource": "bindings", "namespace": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"kubelet", "readonly": true, "resource": "bindings", "namespace": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"kubelet", "resource": "events", "namespace": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"alice", "resource": "*", "namespace": "projectCaribou"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"bob", "readonly": true, "resource": "*", "namespace": "projectCaribou"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"debbie", "resource": "pods", "namespace": "projectCaribou"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"apigroupuser", "resource": "*", "namespace": "projectAnyGroup", "apiGroup": "*"}}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"apigroupuser", "resource": "*", "namespace": "projectEmptyGroup", "apiGroup": "" }}
{"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"apigroupuser", "resource": "*", "namespace": "projectXGroup", "apiGroup": "x"}}`)
if err != nil {
t.Fatalf("unable to read policy file: %v", err)
}
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
authenticatedGroup := []string{user.AllAuthenticated}
uScheduler := user.DefaultInfo{Name: "scheduler", UID: "uid1", Groups: authenticatedGroup}
uAlice := user.DefaultInfo{Name: "alice", UID: "uid3", Groups: authenticatedGroup}
uChuck := user.DefaultInfo{Name: "chuck", UID: "uid5", Groups: authenticatedGroup}
uDebbie := user.DefaultInfo{Name: "debbie", UID: "uid6", Groups: authenticatedGroup}
uNoResource := user.DefaultInfo{Name: "noresource", UID: "uid7", Groups: authenticatedGroup}
uAPIGroup := user.DefaultInfo{Name: "apigroupuser", UID: "uid8", Groups: authenticatedGroup}
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
testCases := []struct {
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
User user.DefaultInfo
Verb string
Resource string
APIGroup string
NS string
Path string
ExpectDecision authorizer.Decision
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
}{
// Scheduler can read pods
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "list", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uScheduler, Verb: "list", Resource: "pods", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Scheduler cannot write pods
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "create", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uScheduler, Verb: "create", Resource: "pods", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Scheduler can write bindings
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uScheduler, Verb: "get", Resource: "bindings", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uScheduler, Verb: "get", Resource: "bindings", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Alice can read and write anything in the right namespace.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uAlice, Verb: "get", Resource: "pods", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "get", Resource: "widgets", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "get", Resource: "", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "pods", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "widgets", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
{User: uAlice, Verb: "update", Resource: "", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// .. but not the wrong namespace.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uAlice, Verb: "get", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uAlice, Verb: "get", Resource: "widgets", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uAlice, Verb: "get", Resource: "", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Debbie can write to pods in the right namespace
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uDebbie, Verb: "update", Resource: "pods", NS: "projectCaribou", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Chuck can read events, since anyone can.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Resource: "events", NS: "ns1", ExpectDecision: authorizer.DecisionAllow},
{User: uChuck, Verb: "get", Resource: "events", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Chuck can't do other things.
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "update", Resource: "events", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uChuck, Verb: "get", Resource: "pods", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uChuck, Verb: "get", Resource: "floop", NS: "ns1", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Chuck can't access things with no resource or namespace
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Path: "/", Resource: "", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// but can access /api
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Path: "/api", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// though he cannot write to it
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "create", Path: "/api", Resource: "", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// while he can write to /custom
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "update", Path: "/custom", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// he cannot get "/root"
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Path: "/root", Resource: "", NS: "", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// but can get any subpath
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uChuck, Verb: "get", Path: "/root/", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
{User: uChuck, Verb: "get", Path: "/root/test/1/2/3", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// the user "noresource" can get any non-resource request
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uNoResource, Verb: "get", Path: "", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
{User: uNoResource, Verb: "get", Path: "/", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
{User: uNoResource, Verb: "get", Path: "/foo/bar/baz", Resource: "", NS: "", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// but cannot get any request where IsResourceRequest() == true
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uNoResource, Verb: "get", Path: "/", Resource: "", NS: "bar", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uNoResource, Verb: "get", Path: "/foo/bar/baz", Resource: "foo", NS: "bar", ExpectDecision: authorizer.DecisionNoOpinion},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// Test APIGroup matching
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
{User: uAPIGroup, Verb: "get", APIGroup: "x", Resource: "foo", NS: "projectAnyGroup", ExpectDecision: authorizer.DecisionAllow},
{User: uAPIGroup, Verb: "get", APIGroup: "x", Resource: "foo", NS: "projectEmptyGroup", ExpectDecision: authorizer.DecisionNoOpinion},
{User: uAPIGroup, Verb: "get", APIGroup: "x", Resource: "foo", NS: "projectXGroup", ExpectDecision: authorizer.DecisionAllow},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
}
for i, tc := range testCases {
attr := authorizer.AttributesRecord{
User: &tc.User,
Verb: tc.Verb,
Resource: tc.Resource,
APIGroup: tc.APIGroup,
Namespace: tc.NS,
ResourceRequest: len(tc.NS) > 0 || len(tc.Resource) > 0,
Path: tc.Path,
}
// t.Logf("tc %2v: %v -> attr %v", i, tc, attr)
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
decision, _, _ := a.Authorize(attr)
if tc.ExpectDecision != decision {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
t.Errorf("%d: Expected allowed=%v but actually allowed=%v, for case %+v & %+v",
move authorizers over to new interface
2017-09-29 21:21:40 +00:00
i, tc.ExpectDecision, decision, tc, attr)
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
}
}
}
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
func TestSubjectMatches(t *testing.T) {
testCases := map[string]struct {
User user.DefaultInfo
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy runtime.Object
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch bool
}{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
"v0 empty policy does not match unauthed user": {
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "",
},
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
ExpectMatch: false,
},
"v0 * user policy does not match unauthed user": {
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Policy: &v0.Policy{
User: "*",
Group: "",
},
ExpectMatch: false,
},
"v0 * group policy does not match unauthed user": {
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Policy: &v0.Policy{
User: "",
Group: "*",
},
ExpectMatch: false,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
"v0 empty policy matches authed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "",
},
ExpectMatch: true,
},
"v0 empty policy matches authed user with groups": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"a", "b", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "",
},
ExpectMatch: true,
},
"v0 user policy does not match unauthed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "",
},
ExpectMatch: false,
},
"v0 user policy does not match different user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Bar", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "",
},
ExpectMatch: false,
},
"v0 user policy is case-sensitive": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "",
},
ExpectMatch: false,
},
"v0 user policy does not match substring": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "FooBar", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "",
},
ExpectMatch: false,
},
"v0 user policy matches username": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "",
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v0 group policy does not match unauthed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "Foo",
},
ExpectMatch: false,
},
"v0 group policy does not match user in different group": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "FooBar", Groups: []string{"B", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "A",
},
ExpectMatch: false,
},
"v0 group policy is case-sensitive": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "b",
},
ExpectMatch: false,
},
"v0 group policy does not match substring": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "BBB", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "B",
},
ExpectMatch: false,
},
"v0 group policy matches user in group": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "",
Group: "B",
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v0 user and group policy requires user match": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Bar", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "B",
},
ExpectMatch: false,
},
"v0 user and group policy requires group match": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "D",
},
ExpectMatch: false,
},
"v0 user and group policy matches": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v0.Policy{
User: "Foo",
Group: "B",
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 empty policy does not match unauthed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
"v1 * user policy does not match unauthed user": {
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
Group: "",
},
},
ExpectMatch: false,
},
"v1 * group policy does not match unauthed user": {
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "*",
},
},
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 empty policy does not match authed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 empty policy does not match authed user with groups": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"a", "b", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 user policy does not match unauthed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 user policy does not match different user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Bar", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "",
},
},
ExpectMatch: false,
},
"v1 user policy is case-sensitive": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "",
},
},
ExpectMatch: false,
},
"v1 user policy does not match substring": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "FooBar", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "",
},
},
ExpectMatch: false,
},
"v1 user policy matches username": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 group policy does not match unauthed user": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "Foo",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 group policy does not match user in different group": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "FooBar", Groups: []string{"B", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "A",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 group policy is case-sensitive": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "b",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 group policy does not match substring": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "BBB", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "B",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 group policy matches user in group": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "",
Group: "B",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 user and group policy requires user match": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Bar", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "B",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 user and group policy requires group match": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "D",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: false,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
"v1 user and group policy matches": {
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: user.DefaultInfo{Name: "Foo", Groups: []string{"A", "B", "C", user.AllAuthenticated}},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "Foo",
Group: "B",
},
},
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
ExpectMatch: true,
},
}
for k, tc := range testCases {
Remove all api.Scheme references by using explicit package aliases
2017-10-16 14:28:42 +00:00
policy := &abac.Policy{}
if err := abac.Scheme.Convert(tc.Policy, policy, nil); err != nil {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
t.Errorf("%s: error converting: %v", k, err)
continue
}
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
attr := authorizer.AttributesRecord{
User: &tc.User,
}
add selfsubjectrulesreview api
2017-07-14 03:24:27 +00:00
actualMatch := subjectMatches(*policy, attr.GetUser())
Initial addition of groups to user/policy
2014-12-16 15:20:05 +00:00
if tc.ExpectMatch != actualMatch {
t.Errorf("%v: Expected actorMatches=%v but actually got=%v",
k, tc.ExpectMatch, actualMatch)
}
}
}
add selfsubjectrulesreview api
2017-07-14 03:24:27 +00:00
func newWithContents(t *testing.T, contents string) (policyList, error) {
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
f, err := ioutil.TempFile("", "abac_test")
if err != nil {
t.Fatalf("unexpected error creating policyfile: %v", err)
}
f.Close()
defer os.Remove(f.Name())
if err := ioutil.WriteFile(f.Name(), []byte(contents), 0700); err != nil {
t.Fatalf("unexpected error writing policyfile: %v", err)
}
pl, err := NewFromFile(f.Name())
return pl, err
}
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
func TestPolicy(t *testing.T) {
tests := []struct {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
policy runtime.Object
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
attr authorizer.Attributes
matches bool
name string
}{
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// v0 mismatches
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
{
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
policy: &v0.Policy{
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
Readonly: true,
},
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Verb: "create",
},
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
matches: false,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
name: "v0 read-only mismatch",
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
{
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
policy: &v0.Policy{
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
User: "foo",
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "bar",
Groups: []string{user.AllAuthenticated},
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
},
matches: false,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
name: "v0 user name mis-match",
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
{
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
policy: &v0.Policy{
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
Resource: "foo",
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Resource: "bar",
ResourceRequest: true,
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
matches: false,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
name: "v0 resource mis-match",
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
{
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
policy: &v0.Policy{
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
User: "foo",
Resource: "foo",
Namespace: "foo",
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "foo",
Groups: []string{user.AllAuthenticated},
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Resource: "foo",
Namespace: "foo",
ResourceRequest: true,
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
matches: true,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
name: "v0 namespace mis-match",
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
// v0 matches
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
policy: &v0.Policy{},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
ResourceRequest: true,
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
matches: true,
name: "v0 null resource",
},
{
policy: &v0.Policy{
Readonly: true,
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Verb: "get",
},
matches: true,
name: "v0 read-only match",
},
{
policy: &v0.Policy{
User: "foo",
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "foo",
Groups: []string{user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
},
matches: true,
name: "v0 user name match",
},
{
policy: &v0.Policy{
Resource: "foo",
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Resource: "foo",
ResourceRequest: true,
},
matches: true,
name: "v0 resource match",
},
// v1 mismatches
{
policy: &v1beta1.Policy{},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
ResourceRequest: true,
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
matches: false,
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
name: "v1 null",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "foo",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "bar",
Groups: []string{user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
ResourceRequest: true,
},
matches: false,
name: "v1 user name mis-match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
Readonly: true,
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
ResourceRequest: true,
},
matches: false,
name: "v1 read-only mismatch",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
Resource: "foo",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Resource: "bar",
ResourceRequest: true,
},
matches: false,
name: "v1 resource mis-match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "foo",
Namespace: "barr",
Resource: "baz",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "foo",
Groups: []string{user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
Namespace: "bar",
Resource: "baz",
ResourceRequest: true,
},
matches: false,
name: "v1 namespace mis-match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
NonResourcePath: "/api",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Path: "/api2",
ResourceRequest: false,
},
matches: false,
name: "v1 non-resource mis-match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
NonResourcePath: "/api/*",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Path: "/api2/foo",
ResourceRequest: false,
},
matches: false,
name: "v1 non-resource wildcard subpath mis-match",
},
// v1 matches
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "foo",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "foo",
Groups: []string{user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
ResourceRequest: true,
},
matches: true,
name: "v1 user match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
ResourceRequest: true,
},
matches: true,
name: "v1 user wildcard match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
Group: "bar",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Name: "foo",
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Groups: []string{"bar", user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
ResourceRequest: true,
},
matches: true,
name: "v1 group match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
Group: "*",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Name: "foo",
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Groups: []string{"bar", user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
ResourceRequest: true,
},
matches: true,
name: "v1 group wildcard match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
Readonly: true,
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Verb: "get",
ResourceRequest: true,
},
matches: true,
name: "v1 read-only match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
Resource: "foo",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Resource: "foo",
ResourceRequest: true,
},
matches: true,
name: "v1 resource match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "foo",
Namespace: "bar",
Resource: "baz",
},
},
attr: authorizer.AttributesRecord{
User: &user.DefaultInfo{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
Name: "foo",
Groups: []string{user.AllAuthenticated},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
},
Namespace: "bar",
Resource: "baz",
ResourceRequest: true,
},
matches: true,
name: "v1 namespace match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
NonResourcePath: "/api",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Path: "/api",
ResourceRequest: false,
},
matches: true,
name: "v1 non-resource match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
NonResourcePath: "*",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Path: "/api",
ResourceRequest: false,
},
matches: true,
name: "v1 non-resource wildcard match",
},
{
policy: &v1beta1.Policy{
Spec: v1beta1.PolicySpec{
User: "*",
NonResourcePath: "/api/*",
},
},
attr: authorizer.AttributesRecord{
Convert user/group * to match authenticated users only in ABAC
2016-12-19 14:25:51 +00:00
User: &user.DefaultInfo{
Name: "foo",
Groups: []string{user.AllAuthenticated},
},
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
Path: "/api/foo",
ResourceRequest: false,
},
matches: true,
name: "v1 non-resource wildcard subpath match",
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
},
}
for _, test := range tests {
Remove all api.Scheme references by using explicit package aliases
2017-10-16 14:28:42 +00:00
policy := &abac.Policy{}
if err := abac.Scheme.Convert(test.policy, policy, nil); err != nil {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
t.Errorf("%s: error converting: %v", test.name, err)
continue
}
matches := matches(*policy, test.attr)
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
if test.matches != matches {
Add non-resource and API group support to ABAC authorizer, version ABAC policy rules
2015-11-20 06:14:49 +00:00
t.Errorf("%s: expected: %t, saw: %t", test.name, test.matches, matches)
continue
Expand test coverage in master, kubectl/cmd/util, pkg/registry/resourcequota, and api/rest.
2015-03-07 10:00:45 +00:00
}
}
}