Google Git
Sign in
apache / cloudstack-kubernetes-provider / b13b4a31891ea31a105db83bf019224b9407aa9e / . / vendor / k8s.io / kubernetes / pkg / kubectl / cmd / create / create_role_test.go
blob: 82a52b525db546685c403ca9e57f96f7dd019a5b [file] [log] [blame]
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package create
import (
"reflect"
"testing"
rbac "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/client-go/rest/fake"
cmdtesting "k8s.io/kubernetes/pkg/kubectl/cmd/testing"
"k8s.io/kubernetes/pkg/kubectl/scheme"
)
func TestCreateRole(t *testing.T) {
roleName := "my-role"
tf := cmdtesting.NewTestFactory().WithNamespace("test")
defer tf.Cleanup()
tf.Client = &fake.RESTClient{}
tf.ClientConfigVal = cmdtesting.DefaultClientConfig()
tests := map[string]struct {
verbs string
resources string
resourceNames string
expectedRole *rbac.Role
}{
"test-duplicate-resources": {
verbs: "get,watch,list",
resources: "pods,pods",
expectedRole: &rbac.Role{
TypeMeta: v1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"},
ObjectMeta: v1.ObjectMeta{
Name: roleName,
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
Resources: []string{"pods"},
APIGroups: []string{""},
ResourceNames: []string{},
},
},
},
},
"test-subresources": {
verbs: "get,watch,list",
resources: "replicasets/scale",
expectedRole: &rbac.Role{
TypeMeta: v1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"},
ObjectMeta: v1.ObjectMeta{
Name: roleName,
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
Resources: []string{"replicasets/scale"},
APIGroups: []string{"extensions"},
ResourceNames: []string{},
},
},
},
},
"test-subresources-with-apigroup": {
verbs: "get,watch,list",
resources: "replicasets.extensions/scale",
expectedRole: &rbac.Role{
TypeMeta: v1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"},
ObjectMeta: v1.ObjectMeta{
Name: roleName,
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
Resources: []string{"replicasets/scale"},
APIGroups: []string{"extensions"},
ResourceNames: []string{},
},
},
},
},
"test-valid-case-with-multiple-apigroups": {
verbs: "get,watch,list",
resources: "pods,deployments.extensions",
expectedRole: &rbac.Role{
TypeMeta: v1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"},
ObjectMeta: v1.ObjectMeta{
Name: roleName,
},
Rules: []rbac.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
Resources: []string{"pods"},
APIGroups: []string{""},
ResourceNames: []string{},
},
{
Verbs: []string{"get", "watch", "list"},
Resources: []string{"deployments"},
APIGroups: []string{"extensions"},
ResourceNames: []string{},
},
},
},
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ioStreams, _, buf, _ := genericclioptions.NewTestIOStreams()
cmd := NewCmdCreateRole(tf, ioStreams)
cmd.Flags().Set("dry-run", "true")
cmd.Flags().Set("output", "yaml")
cmd.Flags().Set("verb", test.verbs)
cmd.Flags().Set("resource", test.resources)
if test.resourceNames != "" {
cmd.Flags().Set("resource-name", test.resourceNames)
}
cmd.Run(cmd, []string{roleName})
actual := &rbac.Role{}
if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), buf.Bytes(), actual); err != nil {
t.Log(string(buf.Bytes()))
t.Fatal(err)
}
if !equality.Semantic.DeepEqual(test.expectedRole, actual) {
t.Errorf("%s", diff.ObjectReflectDiff(test.expectedRole, actual))
}
})
}
}
func TestValidate(t *testing.T) {
tf := cmdtesting.NewTestFactory().WithNamespace("test")
defer tf.Cleanup()
tests := map[string]struct {
roleOptions *CreateRoleOptions
expectErr bool
}{
"test-missing-name": {
roleOptions: &CreateRoleOptions{},
expectErr: true,
},
"test-missing-verb": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
},
expectErr: true,
},
"test-missing-resource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get"},
},
expectErr: true,
},
"test-missing-resource-existing-apigroup": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get"},
Resources: []ResourceOptions{
{
Group: "extensions",
},
},
},
expectErr: true,
},
"test-missing-resource-existing-subresource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get"},
Resources: []ResourceOptions{
{
SubResource: "scale",
},
},
},
expectErr: true,
},
"test-invalid-verb": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"invalid-verb"},
Resources: []ResourceOptions{
{
Resource: "pods",
},
},
},
expectErr: true,
},
"test-nonresource-verb": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"post"},
Resources: []ResourceOptions{
{
Resource: "pods",
},
},
},
expectErr: true,
},
"test-special-verb": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"use"},
Resources: []ResourceOptions{
{
Resource: "pods",
},
},
},
expectErr: true,
},
"test-mix-verbs": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate", "use"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
},
},
},
expectErr: true,
},
"test-special-verb-with-wrong-apigroup": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
Group: "extensions",
},
},
},
expectErr: true,
},
"test-invalid-resource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get"},
Resources: []ResourceOptions{
{
Resource: "invalid-resource",
},
},
},
expectErr: true,
},
"test-resource-name-with-multiple-resources": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get"},
Resources: []ResourceOptions{
{
Resource: "pods",
},
{
Resource: "deployments",
Group: "extensions",
},
},
ResourceNames: []string{"foo"},
},
expectErr: false,
},
"test-valid-case": {
roleOptions: &CreateRoleOptions{
Name: "role-binder",
Verbs: []string{"get", "list", "bind"},
Resources: []ResourceOptions{
{
Resource: "roles",
Group: "rbac.authorization.k8s.io",
},
},
ResourceNames: []string{"foo"},
},
expectErr: false,
},
"test-valid-case-with-subresource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"get", "list"},
Resources: []ResourceOptions{
{
Resource: "replicasets",
SubResource: "scale",
},
},
ResourceNames: []string{"bar"},
},
expectErr: false,
},
"test-valid-case-with-additional-resource": {
roleOptions: &CreateRoleOptions{
Name: "my-role",
Verbs: []string{"impersonate"},
Resources: []ResourceOptions{
{
Resource: "userextras",
SubResource: "scopes",
Group: "authentication.k8s.io",
},
},
},
expectErr: false,
},
}
for name, test := range tests {
var err error
test.roleOptions.Mapper, err = tf.ToRESTMapper()
if err != nil {
t.Fatal(err)
}
err = test.roleOptions.Validate()
if test.expectErr && err == nil {
t.Errorf("%s: expect error happens but validate passes.", name)
}
if !test.expectErr && err != nil {
t.Errorf("%s: unexpected error: %v", name, err)
}
}
}
func TestComplete(t *testing.T) {
roleName := "my-role"
tf := cmdtesting.NewTestFactory().WithNamespace("test")
defer tf.Cleanup()
tf.Client = &fake.RESTClient{}
tf.ClientConfigVal = cmdtesting.DefaultClientConfig()
defaultTestResources := "pods,deployments.extensions"
tests := map[string]struct {
params []string
resources string
roleOptions *CreateRoleOptions
expected *CreateRoleOptions
expectErr bool
}{
"test-missing-name": {
params: []string{},
resources: defaultTestResources,
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),
},
expectErr: true,
},
"test-duplicate-verbs": {
params: []string{roleName},
resources: defaultTestResources,
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),
Name: roleName,
Verbs: []string{
"get",
"watch",
"list",
"get",
},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{
"get",
"watch",
"list",
},
Resources: []ResourceOptions{
{
Resource: "pods",
Group: "",
},
{
Resource: "deployments",
Group: "extensions",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-verball": {
params: []string{roleName},
resources: defaultTestResources,
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),
Name: roleName,
Verbs: []string{
"get",
"watch",
"list",
"*",
},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "pods",
Group: "",
},
{
Resource: "deployments",
Group: "extensions",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresource": {
params: []string{roleName},
resources: "*,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresource-subresource": {
params: []string{roleName},
resources: "*/scale,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
SubResource: "scale",
},
{
Resource: "pods",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresrouce-allgroup": {
params: []string{roleName},
resources: "*.*,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
Group: "*",
},
{
Resource: "pods",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresource-allgroup-subresource": {
params: []string{roleName},
resources: "*.*/scale,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
Group: "*",
SubResource: "scale",
},
{
Resource: "pods",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresource-specificgroup": {
params: []string{roleName},
resources: "*.extensions,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
Group: "extensions",
},
{
Resource: "pods",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-allresource-specificgroup-subresource": {
params: []string{roleName},
resources: "*.extensions/scale,pods",
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created"),
Name: roleName,
Verbs: []string{"*"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "*",
Group: "extensions",
SubResource: "scale",
},
{
Resource: "pods",
},
},
ResourceNames: []string{},
},
expectErr: false,
},
"test-duplicate-resourcenames": {
params: []string{roleName},
resources: defaultTestResources,
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),
Name: roleName,
Verbs: []string{"*"},
ResourceNames: []string{"foo", "foo"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "pods",
Group: "",
},
{
Resource: "deployments",
Group: "extensions",
},
},
ResourceNames: []string{"foo"},
},
expectErr: false,
},
"test-valid-complete-case": {
params: []string{roleName},
resources: defaultTestResources,
roleOptions: &CreateRoleOptions{
PrintFlags: genericclioptions.NewPrintFlags("created").WithTypeSetter(scheme.Scheme),
Name: roleName,
Verbs: []string{"*"},
ResourceNames: []string{"foo"},
},
expected: &CreateRoleOptions{
Name: roleName,
Verbs: []string{"*"},
Resources: []ResourceOptions{
{
Resource: "pods",
Group: "",
},
{
Resource: "deployments",
Group: "extensions",
},
},
ResourceNames: []string{"foo"},
},
expectErr: false,
},
}
for name, test := range tests {
cmd := NewCmdCreateRole(tf, genericclioptions.NewTestIOStreamsDiscard())
cmd.Flags().Set("resource", test.resources)
err := test.roleOptions.Complete(tf, cmd, test.params)
if !test.expectErr && err != nil {
t.Errorf("%s: unexpected error: %v", name, err)
}
if test.expectErr {
if err != nil {
continue
} else {
t.Errorf("%s: expect error happens but test passes.", name)
}
}
if test.roleOptions.Name != test.expected.Name {
t.Errorf("%s:\nexpected name:\n%#v\nsaw name:\n%#v", name, test.expected.Name, test.roleOptions.Name)
}
if !reflect.DeepEqual(test.roleOptions.Verbs, test.expected.Verbs) {
t.Errorf("%s:\nexpected verbs:\n%#v\nsaw verbs:\n%#v", name, test.expected.Verbs, test.roleOptions.Verbs)
}
if !reflect.DeepEqual(test.roleOptions.Resources, test.expected.Resources) {
t.Errorf("%s:\nexpected resources:\n%#v\nsaw resources:\n%#v", name, test.expected.Resources, test.roleOptions.Resources)
}
if !reflect.DeepEqual(test.roleOptions.ResourceNames, test.expected.ResourceNames) {
t.Errorf("%s:\nexpected resource names:\n%#v\nsaw resource names:\n%#v", name, test.expected.ResourceNames, test.roleOptions.ResourceNames)
}
}
}