package authorizer import ( "testing" kapi "k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api/unversioned" "k8s.io/kubernetes/pkg/auth/user" "k8s.io/kubernetes/pkg/util/sets" "k8s.io/kubernetes/pkg/util/uuid" authorizationapi "github.com/openshift/origin/pkg/authorization/api" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" ) func TestClusterAdminUseGroup(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "root", Groups: []string{bootstrappolicy.ClusterAdminGroup}}), attributes: &DefaultAuthorizationAttributes{ APIGroup: "extensions", Verb: "create", Resource: "jobs", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.clusterBindings = newDefaultClusterPolicyBindings() test.test(t) } func TestClusterReaderUseGroup(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "root", Groups: []string{bootstrappolicy.ClusterReaderGroup}}), attributes: &DefaultAuthorizationAttributes{ APIGroup: "extensions", Verb: "list", Resource: "jobs", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.clusterBindings = newDefaultClusterPolicyBindings() test.test(t) } func TestInvalidRole(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Brad"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "buildConfigs", }, expectedAllowed: false, expectedError: "unable to interpret:", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newInvalidExtensionPolicies() test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newInvalidExtensionBindings() test.test(t) } func TestInvalidRoleButRuleNotUsed(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Brad"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "buildConfigs", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newInvalidExtensionPolicies() test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newInvalidExtensionBindings() test.test(t) } func TestViewerGetAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "pods", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestViewerGetAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "pods", }, expectedAllowed: false, expectedReason: `User "Victor" cannot get pods in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestViewerGetDisallowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "policies", }, expectedAllowed: false, expectedReason: `User "Victor" cannot get policies in project "mallet"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestViewerGetDisallowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "policies", }, expectedAllowed: false, expectedReason: `User "Victor" cannot get policies in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestViewerCreateAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "create", Resource: "pods", }, expectedAllowed: false, expectedReason: `User "Victor" cannot create pods in project "mallet"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestViewerCreateAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Victor"}), attributes: &DefaultAuthorizationAttributes{ Verb: "create", Resource: "pods", }, expectedAllowed: false, expectedReason: `User "Victor" cannot create pods in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorUpdateAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "pods", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorUpdateAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "pods", }, expectedAllowed: false, expectedReason: `User "Edgar" cannot update pods in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorUpdateDisallowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "roleBindings", }, expectedAllowed: false, expectedReason: `User "Edgar" cannot update roleBindings in project "mallet"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorUpdateDisallowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "roleBindings", }, expectedAllowed: false, expectedReason: `User "Edgar" cannot update roleBindings in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorGetAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "pods", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestEditorGetAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Edgar"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "pods", }, expectedAllowed: false, expectedReason: `User "Edgar" cannot get pods in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminUpdateAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "roleBindings", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminUpdateAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "roleBindings", }, expectedAllowed: false, expectedReason: `User "Matthew" cannot update roleBindings in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminUpdateStatusInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "pods/status", }, expectedAllowed: false, expectedReason: `User "Matthew" cannot update pods/status in project "mallet"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminGetStatusInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "pods/status", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminUpdateDisallowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "policies", }, expectedAllowed: false, expectedReason: `User "Matthew" cannot update policies in project "mallet"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminUpdateDisallowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "update", Resource: "roles", }, expectedAllowed: false, expectedReason: `User "Matthew" cannot update roles in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminGetAllowedKindInMallet(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "policies", }, expectedAllowed: true, expectedReason: "allowed by rule in mallet", } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func TestAdminGetAllowedKindInAdze(t *testing.T) { test := &authorizeTest{ context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "adze"), &user.DefaultInfo{Name: "Matthew"}), attributes: &DefaultAuthorizationAttributes{ Verb: "get", Resource: "policies", }, expectedAllowed: false, expectedReason: `User "Matthew" cannot get policies in project "adze"`, } test.clusterPolicies = newDefaultClusterPolicies() test.policies = newAdzePolicies() test.policies = append(test.policies, newMalletPolicies()...) test.clusterBindings = newDefaultClusterPolicyBindings() test.bindings = newAdzeBindings() test.bindings = append(test.bindings, newMalletBindings()...) test.test(t) } func newMalletPolicies() []authorizationapi.Policy { return []authorizationapi.Policy{ { ObjectMeta: kapi.ObjectMeta{ Name: authorizationapi.PolicyName, Namespace: "mallet", }, Roles: map[string]*authorizationapi.Role{}, }} } func newMalletBindings() []authorizationapi.PolicyBinding { return []authorizationapi.PolicyBinding{ { ObjectMeta: kapi.ObjectMeta{ Name: authorizationapi.ClusterPolicyBindingName, Namespace: "mallet", }, RoleBindings: map[string]*authorizationapi.RoleBinding{ "projectAdmins": { ObjectMeta: kapi.ObjectMeta{ Name: "projectAdmins", Namespace: "mallet", }, RoleRef: kapi.ObjectReference{ Name: bootstrappolicy.AdminRoleName, }, Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Matthew"}}, }, "viewers": { ObjectMeta: kapi.ObjectMeta{ Name: "viewers", Namespace: "mallet", }, RoleRef: kapi.ObjectReference{ Name: bootstrappolicy.ViewRoleName, }, Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Victor"}}, }, "editors": { ObjectMeta: kapi.ObjectMeta{ Name: "editors", Namespace: "mallet", }, RoleRef: kapi.ObjectReference{ Name: bootstrappolicy.EditRoleName, }, Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Edgar"}}, }, }, }, } } func newInvalidExtensionPolicies() []authorizationapi.Policy { return []authorizationapi.Policy{ { ObjectMeta: kapi.ObjectMeta{ Name: authorizationapi.PolicyName, Namespace: "mallet", }, Roles: map[string]*authorizationapi.Role{ "badExtension": { ObjectMeta: kapi.ObjectMeta{ Name: "failure", Namespace: "mallet", }, Rules: []authorizationapi.PolicyRule{ { APIGroups: []string{""}, Verbs: sets.NewString("watch", "list", "get"), Resources: sets.NewString("buildConfigs"), AttributeRestrictions: &authorizationapi.Role{}, }, { APIGroups: []string{""}, Verbs: sets.NewString("update"), Resources: sets.NewString("buildConfigs"), }, }, }, }, }} } func newInvalidExtensionBindings() []authorizationapi.PolicyBinding { return []authorizationapi.PolicyBinding{ { ObjectMeta: kapi.ObjectMeta{ Name: "mallet", Namespace: "mallet", }, RoleBindings: map[string]*authorizationapi.RoleBinding{ "borked": { ObjectMeta: kapi.ObjectMeta{ Name: "borked", Namespace: "mallet", }, RoleRef: kapi.ObjectReference{ Name: "badExtension", Namespace: "mallet", }, Subjects: []kapi.ObjectReference{{Kind: authorizationapi.UserKind, Name: "Brad"}}, }, }, }, } } func GetBootstrapPolicy() *authorizationapi.ClusterPolicy { policy := &authorizationapi.ClusterPolicy{ ObjectMeta: kapi.ObjectMeta{ Name: authorizationapi.PolicyName, CreationTimestamp: unversioned.Now(), UID: uuid.NewUUID(), }, LastModified: unversioned.Now(), Roles: make(map[string]*authorizationapi.ClusterRole), } roles := bootstrappolicy.GetBootstrapClusterRoles() for i := range roles { policy.Roles[roles[i].Name] = &roles[i] } return policy } func GetBootstrapPolicyBinding() *authorizationapi.ClusterPolicyBinding { policyBinding := &authorizationapi.ClusterPolicyBinding{ ObjectMeta: kapi.ObjectMeta{ Name: ":Default", CreationTimestamp: unversioned.Now(), UID: uuid.NewUUID(), }, LastModified: unversioned.Now(), RoleBindings: make(map[string]*authorizationapi.ClusterRoleBinding), } bindings := bootstrappolicy.GetBootstrapClusterRoleBindings() for i := range bindings { policyBinding.RoleBindings[bindings[i].Name] = &bindings[i] } return policyBinding }