fixup! [Backend] Adjust apiserver/server tests to SubjectAccessReview
elikatsis committed Nov 16, 2020
1 parent a8c8901 commit 53d4e9a
Showing 9 changed files with 219 additions and 32 deletions.
11 changes: 10 additions & 1 deletion backend/src/apiserver/server/auth_server_test.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/spf13/viper"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/metadata"
authorizationv1 "k8s.io/api/authorization/v1"
)

func TestAuthorizeRequest_SingleUserMode(t *testing.T) {
Expand Down Expand Up @@ -94,7 +95,15 @@ func TestAuthorizeRequest_Unauthorized(t *testing.T) {

_, err := authServer.Authorize(ctx, request)
assert.Error(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")

resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbGet,
Group: common.RbacKubeflowGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeViewers,
}
assert.EqualError(t, err, wrapFailedAuthzRequestError(getPermissionDeniedError(ctx, resourceAttributes)).Error())
}

func TestAuthorizeRequest_EmptyUserIdPrefix(t *testing.T) {
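Review bot: The new `assert.EqualError` in TestAuthorizeRequest_Unauthorized derives its expected string entirely from `wrapFailedAuthzRequestError` and `getPermissionDeniedError`, whose definitions are outside this page, so the test no longer contains any literal or status code that pins the result as a denial. If those helpers share code or wording with the server, a regression there changes both sides and the test still passes. One independent check would close that gap, for example `assert.Equal(t, codes.PermissionDenied, err.(*util.UserError).ExternalStatusCode())`, assuming the error is a `*util.UserError` carrying that code (to be confirmed; `codes` and `util` are not among the imports visible in this hunk). The same pattern repeats in the _Unauthorized tests of experiment_server_test.go and job_server_test.go.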
10 changes: 5 additions & 5 deletions backend/src/apiserver/server/experiment_server.go
Expand Up @@ -83,7 +83,7 @@ func (s *ExperimentServer) CreateExperiment(ctx context.Context, request *api.Cr
}
err = s.canAccessExperiment(ctx, "", resourceAttributes)
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

newExperiment, err := s.resourceManager.CreateExperiment(request.Experiment)
Expand All @@ -105,7 +105,7 @@ func (s *ExperimentServer) GetExperiment(ctx context.Context, request *api.GetEx

err := s.canAccessExperiment(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbGet})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

experiment, err := s.resourceManager.GetExperiment(request.Id)
Expand Down Expand Up @@ -177,7 +177,7 @@ func (s *ExperimentServer) DeleteExperiment(ctx context.Context, request *api.De

err := s.canAccessExperiment(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbDelete})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

err = s.resourceManager.DeleteExperiment(request.Id)
Expand Down Expand Up @@ -258,7 +258,7 @@ func (s *ExperimentServer) ArchiveExperiment(ctx context.Context, request *api.A

err := s.canAccessExperiment(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbArchive})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the requests.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.ArchiveExperiment(request.Id)
if err != nil {
Expand All @@ -274,7 +274,7 @@ func (s *ExperimentServer) UnarchiveExperiment(ctx context.Context, request *api

err := s.canAccessExperiment(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbUnarchive})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the requests.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.UnarchiveExperiment(request.Id)
if err != nil {
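Review bot: The literal `"Failed to authorize the request"` is now repeated in all five handlers shown here (CreateExperiment, GetExperiment, DeleteExperiment, ArchiveExperiment, UnarchiveExperiment) and again in job_server.go and run_server.go, which is the kind of duplication that let the removed `requests.` variant drift. A package-level constant, e.g. `const failedAuthzRequestMsg = "Failed to authorize the request"`, used as `util.Wrap(err, failedAuthzRequestMsg)` would keep the handlers aligned with each other and with the tests' `wrapFailedAuthzRequestError` helper, which is defined outside this page and presumably has to carry the same text. Each handler body starts and ends outside its hunk.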
42 changes: 39 additions & 3 deletions backend/src/apiserver/server/experiment_server_test.go
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/spf13/viper"
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/metadata"
authorizationv1 "k8s.io/api/authorization/v1"
)

func TestCreateExperiment(t *testing.T) {
Expand Down Expand Up @@ -90,7 +91,19 @@ func TestCreateExperiment_Unauthorized(t *testing.T) {

_, err := server.CreateExperiment(ctx, &api.CreateExperimentRequest{Experiment: experiment})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbCreate,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeExperiments,
Name: experiment.Name,
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestCreateExperiment_Multiuser(t *testing.T) {
Expand Down Expand Up @@ -174,7 +187,19 @@ func TestGetExperiment_Unauthorized(t *testing.T) {

_, err := server.GetExperiment(ctx, &api.GetExperimentRequest{Id: experiment.UUID})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbGet,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeExperiments,
Name: "exp1",
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestGetExperiment_Multiuser(t *testing.T) {
Expand Down Expand Up @@ -282,7 +307,18 @@ func TestListExperiment_Unauthorized(t *testing.T) {
},
})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbList,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeExperiments,
}
assert.EqualError(
t,
err,
wrapFailedAuthzApiResourcesError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestListExperiment_Multiuser(t *testing.T) {
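Review bot: TestListExperiment_Unauthorized expects `wrapFailedAuthzApiResourcesError` applied twice, whereas TestCreateExperiment_Unauthorized and TestGetExperiment_Unauthorized use `wrapFailedAuthzRequestError` as the outer wrapper. Because `EqualError` is an exact match, a passing test implies ListExperiment wraps the denial twice with the same message, so the caller sees that text duplicated and one of the two wraps in the handler path is probably redundant. A one-line comment above the assertion naming the two call sites that add the wraps would make the intent checkable. Separately, TestGetExperiment_Unauthorized hardcodes `Name: "exp1"` where `Name: experiment.Name,` would follow the fixture, assuming `experiment` in that test exposes the field as it does in the create test.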
10 changes: 5 additions & 5 deletions backend/src/apiserver/server/job_server.go
Expand Up @@ -109,7 +109,7 @@ func (s *JobServer) CreateJob(ctx context.Context, request *api.CreateJobRequest
}
err = s.canAccessJob(ctx, "", resourceAttributes)
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
}

Expand All @@ -131,7 +131,7 @@ func (s *JobServer) GetJob(ctx context.Context, request *api.GetJobRequest) (*ap

err := s.canAccessJob(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbGet})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

job, err := s.resourceManager.GetJob(request.Id)
Expand Down Expand Up @@ -211,7 +211,7 @@ func (s *JobServer) EnableJob(ctx context.Context, request *api.EnableJobRequest

err := s.canAccessJob(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbEnable})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

return s.enableJob(request.Id, true)
Expand All @@ -224,7 +224,7 @@ func (s *JobServer) DisableJob(ctx context.Context, request *api.DisableJobReque

err := s.canAccessJob(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbDisable})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

return s.enableJob(request.Id, false)
Expand All @@ -237,7 +237,7 @@ func (s *JobServer) DeleteJob(ctx context.Context, request *api.DeleteJobRequest

err := s.canAccessJob(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbDelete})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

err = s.resourceManager.DeleteJob(request.Id)
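Review bot: In CreateJob the `s.canAccessJob(ctx, "", resourceAttributes)` call appears to sit inside an enclosing block, since an extra closing brace follows the error return, and the condition guarding that block is outside the hunk. As far as the other hunks show, GetJob, EnableJob, DisableJob and DeleteJob call canAccessJob without such a wrapper. Whatever that guard is, it decides whether job creation is authorized at all, so it deserves a comment at the call such as `// Authorization is skipped only when <condition>; every other path must reach canAccessJob.` and a test that exercises the skipped path. CreateRun in run_server.go has the same shape.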
82 changes: 76 additions & 6 deletions backend/src/apiserver/server/job_server_test.go
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/stretchr/testify/assert"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
authorizationv1 "k8s.io/api/authorization/v1"
)

var (
Expand Down Expand Up @@ -262,7 +263,19 @@ func TestCreateJob_Unauthorized(t *testing.T) {
server := NewJobServer(manager, &JobServerOptions{CollectMetrics: false})
_, err := server.CreateJob(ctx, &api.CreateJobRequest{Job: commonApiJob})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbCreate,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeJobs,
Name: commonApiJob.Name,
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestGetJob_Unauthorized(t *testing.T) {
Expand All @@ -284,7 +297,19 @@ func TestGetJob_Unauthorized(t *testing.T) {

_, err = server.GetJob(ctx, &api.GetJobRequest{Id: job.Id})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbGet,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeJobs,
Name: job.Name,
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestGetJob_Multiuser(t *testing.T) {
Expand Down Expand Up @@ -322,7 +347,21 @@ func TestListJobs_Unauthorized(t *testing.T) {
},
})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbList,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeJobs,
}
assert.EqualError(
t,
err,
util.Wrap(
wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes)),
"Failed to authorize with namespace in experiment resource reference.",
).Error(),
)

_, err = server.ListJobs(ctx, &api.ListJobsRequest{
ResourceReferenceKey: &api.ResourceKey{
Expand All @@ -331,7 +370,14 @@ func TestListJobs_Unauthorized(t *testing.T) {
},
})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
assert.EqualError(
t,
err,
util.Wrap(
wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes)),
"Failed to authorize with namespace resource reference.",
).Error(),
)
}

func TestListJobs_Multiuser(t *testing.T) {
Expand Down Expand Up @@ -455,7 +501,19 @@ func TestEnableJob_Unauthorized(t *testing.T) {

_, err = server.EnableJob(ctx, &api.EnableJobRequest{Id: job.Id})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbEnable,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeJobs,
Name: commonApiJob.Name,
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestEnableJob_Multiuser(t *testing.T) {
Expand Down Expand Up @@ -495,7 +553,19 @@ func TestDisableJob_Unauthorized(t *testing.T) {

_, err = server.DisableJob(ctx, &api.DisableJobRequest{Id: job.Id})
assert.NotNil(t, err)
assert.Contains(t, err.Error(), "Unauthorized access")
resourceAttributes := &authorizationv1.ResourceAttributes{
Namespace: "ns1",
Verb: common.RbacResourceVerbDisable,
Group: common.RbacPipelinesGroup,
Version: common.RbacPipelinesVersion,
Resource: common.RbacResourceTypeJobs,
Name: job.Name,
}
assert.EqualError(
t,
err,
wrapFailedAuthzRequestError(wrapFailedAuthzApiResourcesError(getPermissionDeniedError(ctx, resourceAttributes))).Error(),
)
}

func TestDisableJob_Multiuser(t *testing.T) {
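Review bot: TestEnableJob_Unauthorized builds the expected attributes with `Name: commonApiJob.Name`, while its request uses `job.Id` and the sibling TestGetJob_Unauthorized and TestDisableJob_Unauthorized use `Name: job.Name`. The test passes only as long as the created job keeps the fixture's name, so `Name: job.Name,` is the safer line. In TestListJobs_Unauthorized the two expected messages still end with a period (`"Failed to authorize with namespace resource reference."`), unlike the strings this commit normalises in job_server.go. If that is deliberate because the ListJobs handler was not touched, a short comment above the assertions would say so.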
14 changes: 7 additions & 7 deletions backend/src/apiserver/server/run_server.go
Expand Up @@ -128,7 +128,7 @@ func (s *RunServer) CreateRun(ctx context.Context, request *api.CreateRunRequest
}
err = s.canAccessRun(ctx, "", resourceAttributes)
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
}

Expand All @@ -150,7 +150,7 @@ func (s *RunServer) GetRun(ctx context.Context, request *api.GetRunRequest) (*ap

err := s.canAccessRun(ctx, request.RunId, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbGet})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}

run, err := s.resourceManager.GetRun(request.RunId)
Expand Down Expand Up @@ -230,7 +230,7 @@ func (s *RunServer) ArchiveRun(ctx context.Context, request *api.ArchiveRunReque

err := s.canAccessRun(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbArchive})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.ArchiveRun(request.Id)
if err != nil {
Expand All @@ -246,7 +246,7 @@ func (s *RunServer) UnarchiveRun(ctx context.Context, request *api.UnarchiveRunR

err := s.canAccessRun(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbUnarchive})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.UnarchiveRun(request.Id)
if err != nil {
Expand All @@ -262,7 +262,7 @@ func (s *RunServer) DeleteRun(ctx context.Context, request *api.DeleteRunRequest

err := s.canAccessRun(ctx, request.Id, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbDelete})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.DeleteRun(request.Id)
if err != nil {
Expand Down Expand Up @@ -337,7 +337,7 @@ func (s *RunServer) TerminateRun(ctx context.Context, request *api.TerminateRunR

err := s.canAccessRun(ctx, request.RunId, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbTerminate})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.TerminateRun(request.RunId)
if err != nil {
Expand All @@ -353,7 +353,7 @@ func (s *RunServer) RetryRun(ctx context.Context, request *api.RetryRunRequest)

err := s.canAccessRun(ctx, request.RunId, &authorizationv1.ResourceAttributes{Verb: common.RbacResourceVerbRetry})
if err != nil {
return nil, util.Wrap(err, "Failed to authorize the request.")
return nil, util.Wrap(err, "Failed to authorize the request")
}
err = s.resourceManager.RetryRun(request.RunId)
if err != nil {