package scope import ( "strings" "testing" oauthapi "github.com/openshift/origin/pkg/oauth/api" ) func TestValidateScopeRestrictions(t *testing.T) { testCases := []struct { name string scopes []string client *oauthapi.OAuthClient expectedErrors []string }{ { name: "unrestricted allows any", scopes: []string{"one"}, client: &oauthapi.OAuthClient{}, }, { name: "unrestricted allows empty", scopes: []string{""}, client: &oauthapi.OAuthClient{}, }, { name: "unrestricted allows none", scopes: []string{}, client: &oauthapi.OAuthClient{}, }, { name: "simple literal", scopes: []string{"one"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ExactValues: []string{"two", "one"}}}, }, }, { name: "simple must match", scopes: []string{"missing"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ExactValues: []string{"two", "one"}}}, }, expectedErrors: []string{`missing not found in [two one]`}, }, { name: "cluster role name must match", scopes: []string{ClusterRoleIndicator + "three:alfa"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two"}, Namespaces: []string{"alfa", "bravo"}, AllowEscalation: false, }}}, }, expectedErrors: []string{`role:three:alfa does not use an approved name`}, }, { name: "cluster role namespace must match", scopes: []string{ClusterRoleIndicator + "two:charlie"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two"}, Namespaces: []string{"alfa", "bravo"}, AllowEscalation: false, }}}, }, expectedErrors: []string{`role:two:charlie does not use an approved namespace`}, }, { name: "cluster role escalation must match", scopes: []string{ClusterRoleIndicator + "two:bravo:!"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two"}, Namespaces: []string{"alfa", "bravo"}, AllowEscalation: false, }}}, }, expectedErrors: []string{`role:two:bravo:! is not allowed to escalate`}, }, { name: "cluster role matches", scopes: []string{ClusterRoleIndicator + "two:bravo:!"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two"}, Namespaces: []string{"alfa", "bravo"}, AllowEscalation: true, }}}, }, }, { name: "cluster role matches 2", scopes: []string{ClusterRoleIndicator + "two:bravo"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two"}, Namespaces: []string{"alfa", "bravo"}, AllowEscalation: false, }}}, }, }, { name: "cluster role star matches", scopes: []string{ClusterRoleIndicator + "two:bravo"}, client: &oauthapi.OAuthClient{ ScopeRestrictions: []oauthapi.ScopeRestriction{{ClusterRole: &oauthapi.ClusterRoleScopeRestriction{ RoleNames: []string{"one", "two", "*"}, Namespaces: []string{"alfa", "bravo", "*"}, AllowEscalation: true, }}}, }, }, } for _, tc := range testCases { err := ValidateScopeRestrictions(tc.client, tc.scopes...) if err != nil && len(tc.expectedErrors) == 0 { t.Errorf("%s: unexpected error: %v", tc.name, err) continue } if err == nil && len(tc.expectedErrors) > 0 { t.Errorf("%s: missing error: %v", tc.name, tc.expectedErrors) continue } if err == nil && len(tc.expectedErrors) == 0 { continue } for _, expectedErr := range tc.expectedErrors { if !strings.Contains(err.Error(), expectedErr) { t.Errorf("%s: error %v missing %v", tc.name, err, expectedErr) } } } }