Sign In
golang
/
flannel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6edfac9cb
Branches Tags
flannel
/
vendor
/
k8s.io
/
kubernetes
/
pkg
/
apis
/
rbac
/
validation
/
validation_test.go

validation_test.go 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package validation
    18. 

  18. 

  19. import (
    20. 

  20. 	"testing"
    21. 

  21. 

  22. 	api "k8s.io/kubernetes/pkg/api"
    23. 

  23. 	"k8s.io/kubernetes/pkg/apis/rbac"
    24. 

  24. 	"k8s.io/kubernetes/pkg/util/validation/field"
    25. 

  25. )
    26. 

  26. 

  27. func TestValidateRoleBinding(t *testing.T) {
    28. 

  28. 	errs := validateRoleBinding(
    29. 

  29. 		&rbac.RoleBinding{
    30. 

  30. 			ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
    31. 

  31. 			RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    32. 

  32. 			Subjects: []rbac.Subject{
    33. 

  33. 				{Name: "validsaname", Kind: rbac.ServiceAccountKind},
    34. 

  34. 				{Name: "valid@username", Kind: rbac.UserKind},
    35. 

  35. 				{Name: "valid@groupname", Kind: rbac.GroupKind},
    36. 

  36. 			},
    37. 

  37. 		},
    38. 

  38. 		true,
    39. 

  39. 	)
    40. 

  40. 	if len(errs) != 0 {
    41. 

  41. 		t.Errorf("expected success: %v", errs)
    42. 

  42. 	}
    43. 

  43. 

  44. 	errorCases := map[string]struct {
    45. 

  45. 		A rbac.RoleBinding
    46. 

  46. 		T field.ErrorType
    47. 

  47. 		F string
    48. 

  48. 	}{
    49. 

  49. 		"zero-length namespace": {
    50. 

  50. 			A: rbac.RoleBinding{
    51. 

  51. 				ObjectMeta: api.ObjectMeta{Name: "default"},
    52. 

  52. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    53. 

  53. 			},
    54. 

  54. 			T: field.ErrorTypeRequired,
    55. 

  55. 			F: "metadata.namespace",
    56. 

  56. 		},
    57. 

  57. 		"zero-length name": {
    58. 

  58. 			A: rbac.RoleBinding{
    59. 

  59. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault},
    60. 

  60. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    61. 

  61. 			},
    62. 

  62. 			T: field.ErrorTypeRequired,
    63. 

  63. 			F: "metadata.name",
    64. 

  64. 		},
    65. 

  65. 		"invalid ref": {
    66. 

  66. 			A: rbac.RoleBinding{
    67. 

  67. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "name"},
    68. 

  68. 				RoleRef:    api.ObjectReference{Namespace: "-192083", Name: "valid"},
    69. 

  69. 			},
    70. 

  70. 			T: field.ErrorTypeInvalid,
    71. 

  71. 			F: "roleRef.namespace",
    72. 

  72. 		},
    73. 

  73. 		"bad role": {
    74. 

  74. 			A: rbac.RoleBinding{
    75. 

  75. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "default"},
    76. 

  76. 				RoleRef:    api.ObjectReference{Namespace: "default"},
    77. 

  77. 			},
    78. 

  78. 			T: field.ErrorTypeRequired,
    79. 

  79. 			F: "roleRef.name",
    80. 

  80. 		},
    81. 

  81. 		"bad subject kind": {
    82. 

  82. 			A: rbac.RoleBinding{
    83. 

  83. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
    84. 

  84. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    85. 

  85. 				Subjects:   []rbac.Subject{{Name: "subject"}},
    86. 

  86. 			},
    87. 

  87. 			T: field.ErrorTypeNotSupported,
    88. 

  88. 			F: "subjects[0].kind",
    89. 

  89. 		},
    90. 

  90. 		"bad subject name": {
    91. 

  91. 			A: rbac.RoleBinding{
    92. 

  92. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
    93. 

  93. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    94. 

  94. 				Subjects:   []rbac.Subject{{Name: "subject:bad", Kind: rbac.ServiceAccountKind}},
    95. 

  95. 			},
    96. 

  96. 			T: field.ErrorTypeInvalid,
    97. 

  97. 			F: "subjects[0].name",
    98. 

  98. 		},
    99. 

  99. 		"missing subject name": {
    100. 

  100. 			A: rbac.RoleBinding{
    101. 

  101. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
    102. 

  102. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    103. 

  103. 				Subjects:   []rbac.Subject{{Kind: rbac.ServiceAccountKind}},
    104. 

  104. 			},
    105. 

  105. 			T: field.ErrorTypeRequired,
    106. 

  106. 			F: "subjects[0].name",
    107. 

  107. 		},
    108. 

  108. 	}
    109. 

  109. 	for k, v := range errorCases {
    110. 

  110. 		errs := validateRoleBinding(&v.A, true)
    111. 

  111. 		if len(errs) == 0 {
    112. 

  112. 			t.Errorf("expected failure %s for %v", k, v.A)
    113. 

  113. 			continue
    114. 

  114. 		}
    115. 

  115. 		for i := range errs {
    116. 

  116. 			if errs[i].Type != v.T {
    117. 

  117. 				t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
    118. 

  118. 			}
    119. 

  119. 			if errs[i].Field != v.F {
    120. 

  120. 				t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
    121. 

  121. 			}
    122. 

  122. 		}
    123. 

  123. 	}
    124. 

  124. }
    125. 

  125. 

  126. func TestValidateRoleBindingUpdate(t *testing.T) {
    127. 

  127. 	old := &rbac.RoleBinding{
    128. 

  128. 		ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
    129. 

  129. 		RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    130. 

  130. 	}
    131. 

  131. 

  132. 	errs := validateRoleBindingUpdate(
    133. 

  133. 		&rbac.RoleBinding{
    134. 

  134. 			ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
    135. 

  135. 			RoleRef:    api.ObjectReference{Namespace: "master", Name: "valid"},
    136. 

  136. 		},
    137. 

  137. 		old,
    138. 

  138. 		true,
    139. 

  139. 	)
    140. 

  140. 	if len(errs) != 0 {
    141. 

  141. 		t.Errorf("expected success: %v", errs)
    142. 

  142. 	}
    143. 

  143. 

  144. 	errorCases := map[string]struct {
    145. 

  145. 		A rbac.RoleBinding
    146. 

  146. 		T field.ErrorType
    147. 

  147. 		F string
    148. 

  148. 	}{
    149. 

  149. 		"changedRef": {
    150. 

  150. 			A: rbac.RoleBinding{
    151. 

  151. 				ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master", ResourceVersion: "1"},
    152. 

  152. 				RoleRef:    api.ObjectReference{Namespace: "master", Name: "changed"},
    153. 

  153. 			},
    154. 

  154. 			T: field.ErrorTypeInvalid,
    155. 

  155. 			F: "roleRef",
    156. 

  156. 		},
    157. 

  157. 	}
    158. 

  158. 	for k, v := range errorCases {
    159. 

  159. 		errs := validateRoleBindingUpdate(&v.A, old, true)
    160. 

  160. 		if len(errs) == 0 {
    161. 

  161. 			t.Errorf("expected failure %s for %v", k, v.A)
    162. 

  162. 			continue
    163. 

  163. 		}
    164. 

  164. 		for i := range errs {
    165. 

  165. 			if errs[i].Type != v.T {
    166. 

  166. 				t.Errorf("%s: expected errors to have type %s: %v", k, v.T, errs[i])
    167. 

  167. 			}
    168. 

  168. 			if errs[i].Field != v.F {
    169. 

  169. 				t.Errorf("%s: expected errors to have field %s: %v", k, v.F, errs[i])
    170. 

  170. 			}
    171. 

  171. 		}
    172. 

  172. 	}
    173. 

  173. }
    174. 

  174. 

  175. func TestNonResourceURLCovers(t *testing.T) {
    176. 

  176. 	tests := []struct {
    177. 

  177. 		owner     string
    178. 

  178. 		requested string
    179. 

  179. 		want      bool
    180. 

  180. 	}{
    181. 

  181. 		{"*", "/api", true},
    182. 

  182. 		{"/api", "/api", true},
    183. 

  183. 		{"/apis", "/api", false},
    184. 

  184. 		{"/api/v1", "/api", false},
    185. 

  185. 		{"/api/v1", "/api/v1", true},
    186. 

  186. 		{"/api/*", "/api/v1", true},
    187. 

  187. 		{"/api/*", "/api", false},
    188. 

  188. 		{"/api/*/*", "/api/v1", false},
    189. 

  189. 		{"/*/v1/*", "/api/v1", false},
    190. 

  190. 	}
    191. 

  191. 

  192. 	for _, tc := range tests {
    193. 

  193. 		got := nonResourceURLCovers(tc.owner, tc.requested)
    194. 

  194. 		if got != tc.want {
    195. 

  195. 			t.Errorf("nonResourceURLCovers(%q, %q): want=(%t), got=(%t)", tc.owner, tc.requested, tc.want, got)
    196. 

  196. 		}
    197. 

  197. 	}
    198. 

  198. }
    199. 

  199. 

  200. type validateRoleTest struct {
    201. 

  201. 	role         rbac.Role
    202. 

  202. 	isNamespaced bool
    203. 

  203. 	wantErr      bool
    204. 

  204. 	errType      field.ErrorType
    205. 

  205. 	field        string
    206. 

  206. }
    207. 

  207. 

  208. func (v validateRoleTest) test(t *testing.T) {
    209. 

  209. 	errs := validateRole(&v.role, v.isNamespaced)
    210. 

  210. 	if len(errs) == 0 {
    211. 

  211. 		if v.wantErr {
    212. 

  212. 			t.Fatal("expected validation error")
    213. 

  213. 		}
    214. 

  214. 		return
    215. 

  215. 	}
    216. 

  216. 	if !v.wantErr {
    217. 

  217. 		t.Errorf("didn't expect error, got %v", errs)
    218. 

  218. 		return
    219. 

  219. 	}
    220. 

  220. 	for i := range errs {
    221. 

  221. 		if errs[i].Type != v.errType {
    222. 

  222. 			t.Errorf("expected errors to have type %s: %v", v.errType, errs[i])
    223. 

  223. 		}
    224. 

  224. 		if errs[i].Field != v.field {
    225. 

  225. 			t.Errorf("expected errors to have field %s: %v", v.field, errs[i])
    226. 

  226. 		}
    227. 

  227. 	}
    228. 

  228. }
    229. 

  229. 

  230. func TestValidateRoleZeroLengthNamespace(t *testing.T) {
    231. 

  231. 	validateRoleTest{
    232. 

  232. 		role: rbac.Role{
    233. 

  233. 			ObjectMeta: api.ObjectMeta{Name: "default"},
    234. 

  234. 		},
    235. 

  235. 		isNamespaced: true,
    236. 

  236. 		wantErr:      true,
    237. 

  237. 		errType:      field.ErrorTypeRequired,
    238. 

  238. 		field:        "metadata.namespace",
    239. 

  239. 	}.test(t)
    240. 

  240. }
    241. 

  241. 

  242. func TestValidateRoleZeroLengthName(t *testing.T) {
    243. 

  243. 	validateRoleTest{
    244. 

  244. 		role: rbac.Role{
    245. 

  245. 			ObjectMeta: api.ObjectMeta{Namespace: "default"},
    246. 

  246. 		},
    247. 

  247. 		isNamespaced: true,
    248. 

  248. 		wantErr:      true,
    249. 

  249. 		errType:      field.ErrorTypeRequired,
    250. 

  250. 		field:        "metadata.name",
    251. 

  251. 	}.test(t)
    252. 

  252. }
    253. 

  253. 

  254. func TestValidateRoleValidRole(t *testing.T) {
    255. 

  255. 	validateRoleTest{
    256. 

  256. 		role: rbac.Role{
    257. 

  257. 			ObjectMeta: api.ObjectMeta{
    258. 

  258. 				Namespace: "default",
    259. 

  259. 				Name:      "default",
    260. 

  260. 			},
    261. 

  261. 		},
    262. 

  262. 		isNamespaced: true,
    263. 

  263. 		wantErr:      false,
    264. 

  264. 	}.test(t)
    265. 

  265. }
    266. 

  266. 

  267. func TestValidateRoleValidRoleNoNamespace(t *testing.T) {
    268. 

  268. 	validateRoleTest{
    269. 

  269. 		role: rbac.Role{
    270. 

  270. 			ObjectMeta: api.ObjectMeta{
    271. 

  271. 				Name: "default",
    272. 

  272. 			},
    273. 

  273. 		},
    274. 

  274. 		isNamespaced: false,
    275. 

  275. 		wantErr:      false,
    276. 

  276. 	}.test(t)
    277. 

  277. }
    278. 

  278. 

  279. func TestValidateRoleNonResourceURL(t *testing.T) {
    280. 

  280. 	validateRoleTest{
    281. 

  281. 		role: rbac.Role{
    282. 

  282. 			ObjectMeta: api.ObjectMeta{
    283. 

  283. 				Name: "default",
    284. 

  284. 			},
    285. 

  285. 			Rules: []rbac.PolicyRule{
    286. 

  286. 				{
    287. 

  287. 					Verbs:           []string{"get"},
    288. 

  288. 					NonResourceURLs: []string{"/*"},
    289. 

  289. 				},
    290. 

  290. 			},
    291. 

  291. 		},
    292. 

  292. 		isNamespaced: false,
    293. 

  293. 		wantErr:      false,
    294. 

  294. 	}.test(t)
    295. 

  295. }
    296. 

  296. 

  297. func TestValidateRoleNamespacedNonResourceURL(t *testing.T) {
    298. 

  298. 	validateRoleTest{
    299. 

  299. 		role: rbac.Role{
    300. 

  300. 			ObjectMeta: api.ObjectMeta{
    301. 

  301. 				Namespace: "default",
    302. 

  302. 				Name:      "default",
    303. 

  303. 			},
    304. 

  304. 			Rules: []rbac.PolicyRule{
    305. 

  305. 				{
    306. 

  306. 					// non-resource URLs are invalid for namespaced rules
    307. 

  307. 					Verbs:           []string{"get"},
    308. 

  308. 					NonResourceURLs: []string{"/*"},
    309. 

  309. 				},
    310. 

  310. 			},
    311. 

  311. 		},
    312. 

  312. 		isNamespaced: true,
    313. 

  313. 		wantErr:      true,
    314. 

  314. 		errType:      field.ErrorTypeInvalid,
    315. 

  315. 		field:        "rules[0].nonResourceURLs",
    316. 

  316. 	}.test(t)
    317. 

  317. }
    318. 

  318. 

  319. func TestValidateRoleNonResourceURLNoVerbs(t *testing.T) {
    320. 

  320. 	validateRoleTest{
    321. 

  321. 		role: rbac.Role{
    322. 

  322. 			ObjectMeta: api.ObjectMeta{
    323. 

  323. 				Name: "default",
    324. 

  324. 			},
    325. 

  325. 			Rules: []rbac.PolicyRule{
    326. 

  326. 				{
    327. 

  327. 					Verbs:           []string{},
    328. 

  328. 					NonResourceURLs: []string{"/*"},
    329. 

  329. 				},
    330. 

  330. 			},
    331. 

  331. 		},
    332. 

  332. 		isNamespaced: false,
    333. 

  333. 		wantErr:      true,
    334. 

  334. 		errType:      field.ErrorTypeRequired,
    335. 

  335. 		field:        "rules[0].verbs",
    336. 

  336. 	}.test(t)
    337. 

  337. }
    338. 

  338. 

  339. func TestValidateRoleMixedNonResourceAndResource(t *testing.T) {
    340. 

  340. 	validateRoleTest{
    341. 

  341. 		role: rbac.Role{
    342. 

  342. 			ObjectMeta: api.ObjectMeta{
    343. 

  343. 				Name: "default",
    344. 

  344. 			},
    345. 

  345. 			Rules: []rbac.PolicyRule{
    346. 

  346. 				{
    347. 

  347. 					Verbs:           []string{"get"},
    348. 

  348. 					NonResourceURLs: []string{"/*"},
    349. 

  349. 					APIGroups:       []string{"v1"},
    350. 

  350. 					Resources:       []string{"pods"},
    351. 

  351. 				},
    352. 

  352. 			},
    353. 

  353. 		},
    354. 

  354. 		wantErr: true,
    355. 

  355. 		errType: field.ErrorTypeInvalid,
    356. 

  356. 		field:   "rules[0].nonResourceURLs",
    357. 

  357. 	}.test(t)
    358. 

  358. }
    359. 

  359. 

  360. func TestValidateRoleValidResource(t *testing.T) {
    361. 

  361. 	validateRoleTest{
    362. 

  362. 		role: rbac.Role{
    363. 

  363. 			ObjectMeta: api.ObjectMeta{
    364. 

  364. 				Name: "default",
    365. 

  365. 			},
    366. 

  366. 			Rules: []rbac.PolicyRule{
    367. 

  367. 				{
    368. 

  368. 					Verbs:     []string{"get"},
    369. 

  369. 					APIGroups: []string{"v1"},
    370. 

  370. 					Resources: []string{"pods"},
    371. 

  371. 				},
    372. 

  372. 			},
    373. 

  373. 		},
    374. 

  374. 		wantErr: false,
    375. 

  375. 	}.test(t)
    376. 

  376. }
    377. 

  377. 

  378. func TestValidateRoleNoAPIGroup(t *testing.T) {
    379. 

  379. 	validateRoleTest{
    380. 

  380. 		role: rbac.Role{
    381. 

  381. 			ObjectMeta: api.ObjectMeta{
    382. 

  382. 				Name: "default",
    383. 

  383. 			},
    384. 

  384. 			Rules: []rbac.PolicyRule{
    385. 

  385. 				{
    386. 

  386. 					Verbs:     []string{"get"},
    387. 

  387. 					Resources: []string{"pods"},
    388. 

  388. 				},
    389. 

  389. 			},
    390. 

  390. 		},
    391. 

  391. 		wantErr: true,
    392. 

  392. 		errType: field.ErrorTypeRequired,
    393. 

  393. 		field:   "rules[0].apiGroups",
    394. 

  394. 	}.test(t)
    395. 

  395. }
    396. 

  396. 

  397. func TestValidateRoleNoResources(t *testing.T) {
    398. 

  398. 	validateRoleTest{
    399. 

  399. 		role: rbac.Role{
    400. 

  400. 			ObjectMeta: api.ObjectMeta{
    401. 

  401. 				Name: "default",
    402. 

  402. 			},
    403. 

  403. 			Rules: []rbac.PolicyRule{
    404. 

  404. 				{
    405. 

  405. 					Verbs:     []string{"get"},
    406. 

  406. 					APIGroups: []string{"v1"},
    407. 

  407. 				},
    408. 

  408. 			},
    409. 

  409. 		},
    410. 

  410. 		wantErr: true,
    411. 

  411. 		errType: field.ErrorTypeRequired,
    412. 

  412. 		field:   "rules[0].resources",
    413. 

  413. 	}.test(t)
    414. 

  414. }
    415.