From c28efb85ff69109f9af80a9b49d8fe5b4eed8133 Mon Sep 17 00:00:00 2001
From: Cao Shufeng <caosf.fnst@cn.fujitsu.com>
Date: Thu, 1 Jun 2017 13:56:49 +0800
Subject: [PATCH] add cmd test for kubectl auth can-i

---
 hack/lib/test.sh                 | 12 ++++++++++++
 hack/make-rules/test-cmd-util.sh | 22 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/hack/lib/test.sh b/hack/lib/test.sh
index 575664a4dc..6e69fc4dd2 100644
--- a/hack/lib/test.sh
+++ b/hack/lib/test.sh
@@ -286,6 +286,18 @@ kube::test::if_has_not_string() {
   fi
 }
 
+kube::test::if_empty_string() {
+  local match=$1
+  if [ -n "$match" ]; then
+    echo "$match is not empty"
+    caller
+    return 1
+  else
+    echo "Successful"
+    return 0
+  fi
+}
+
 # Returns true if the required resource is part of supported resources.
 # Expects env vars:
 #   SUPPORTED_RESOURCES: Array of all resources supported by the apiserver. "*"
diff --git a/hack/make-rules/test-cmd-util.sh b/hack/make-rules/test-cmd-util.sh
index 76c1c1fd57..b5437005fc 100644
--- a/hack/make-rules/test-cmd-util.sh
+++ b/hack/make-rules/test-cmd-util.sh
@@ -68,6 +68,7 @@ statefulsets="statefulsets"
 static="static"
 storageclass="storageclass"
 subjectaccessreviews="subjectaccessreviews"
+selfsubjectaccessreviews="selfsubjectaccessreviews"
 thirdpartyresources="thirdpartyresources"
 customresourcedefinitions="customresourcedefinitions"
 daemonsets="daemonsets"
@@ -3795,6 +3796,27 @@ __EOF__
     rm "${SAR_RESULT_FILE}"
   fi
 
+  # kubectl auth can-i
+  # kube-apiserver is started with authorization mode AlwaysAllow, so kubectl can-i always returns yes
+  if kube::test::if_supports_resource "${subjectaccessreviews}" ; then
+    output_message=$(kubectl auth can-i '*' '*' 2>&1 "${kube_flags[@]}")
+    kube::test::if_has_string "${output_message}" "yes"
+
+    output_message=$(kubectl auth can-i get pods --subresource=log 2>&1 "${kube_flags[@]}")
+    kube::test::if_has_string "${output_message}" "yes"
+
+    output_message=$(kubectl auth can-i get invalid_resource 2>&1 "${kube_flags[@]}")
+    kube::test::if_has_string "${output_message}" "the server doesn't have a resource type"
+
+    output_message=$(kubectl auth can-i get /logs/ 2>&1 "${kube_flags[@]}")
+    kube::test::if_has_string "${output_message}" "yes"
+
+    output_message=$(! kubectl auth can-i get /logs/ --subresource=log 2>&1 "${kube_flags[@]}")
+    kube::test::if_has_string "${output_message}" "subresource can not be used with nonResourceURL"
+
+    output_message=$(kubectl auth can-i list jobs.batch/bar -n foo --quiet 2>&1 "${kube_flags[@]}")
+    kube::test::if_empty_string "${output_message}"
+  fi
 
   #####################
   # Retrieve multiple #