package authorizer
import (
"testing"
"k8s.io/kubernetes/pkg/auth/user"
)
func TestDefaultForbiddenMessages(t *testing.T) {
messageResolver := NewForbiddenMessageResolver("")
apiForbidden, err := messageResolver.defaultForbiddenMessageMaker.MakeMessage(MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "get",
Resource: "pods",
ResourceName: "hammer",
},
})
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedAPIForbidden := `User "chris" cannot "get" "pods" with name "hammer" in project "foo"`
if expectedAPIForbidden != apiForbidden {
t.Errorf("expected %v, got %v", expectedAPIForbidden, apiForbidden)
}
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "post",
NonResourceURL: true,
URL: "/anything",
},
},
`User "chris" cannot "post" on "/anything"`,
}.run(t)
}
func TestProjectRequestForbiddenMessage(t *testing.T) {
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "create",
Resource: "projectrequests",
},
},
DefaultProjectRequestForbidden,
}.run(t)
}
func TestNamespacedForbiddenMessage(t *testing.T) {
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "create",
Resource: "builds",
},
},
`User "chris" cannot create builds in project "foo"`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "get",
Resource: "builds",
},
},
`User "chris" cannot get builds in project "foo"`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "list",
Resource: "builds",
},
},
`User "chris" cannot list builds in project "foo"`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "update",
Resource: "builds",
},
},
`User "chris" cannot update builds in project "foo"`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Namespace: "foo",
Attributes: DefaultAuthorizationAttributes{
Verb: "delete",
Resource: "builds",
},
},
`User "chris" cannot delete builds in project "foo"`,
}.run(t)
}
func TestRootScopedForbiddenMessage(t *testing.T) {
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "create",
Resource: "builds",
},
},
`User "chris" cannot create builds at the cluster scope`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "get",
Resource: "builds",
},
},
`User "chris" cannot get builds at the cluster scope`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "list",
Resource: "builds",
},
},
`User "chris" cannot list all builds in the cluster`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "update",
Resource: "builds",
},
},
`User "chris" cannot update builds at the cluster scope`,
}.run(t)
messageTest{
MessageContext{
User: &user.DefaultInfo{Name: "chris"},
Attributes: DefaultAuthorizationAttributes{
Verb: "delete",
Resource: "builds",
},
},
`User "chris" cannot delete builds at the cluster scope`,
}.run(t)
}
type messageTest struct {
messageContext MessageContext
expected string
}
func (test messageTest) run(t *testing.T) {
messageResolver := NewForbiddenMessageResolver("")
forbidden, err := messageResolver.MakeMessage(test.messageContext)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if test.expected != forbidden {
t.Errorf("expected %v, got %v", test.expected, forbidden)
}
}