From 4adb2dc1ebcdbaae5ccc3754b74bd4d8a6e41907 Mon Sep 17 00:00:00 2001 From: Alex Kalenyuk Date: Wed, 13 Dec 2023 20:38:38 +0200 Subject: [PATCH] Add test for checking user-facing resources can be manipulated This should gate us from introducing user-facing resources that cannot be manipulated by non-cluster-admin. Signed-off-by: Alex Kalenyuk --- tests/rbac_test.go | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/tests/rbac_test.go b/tests/rbac_test.go index 4d08cd753b..5282969f91 100644 --- a/tests/rbac_test.go +++ b/tests/rbac_test.go @@ -2,6 +2,8 @@ package tests import ( "context" + "fmt" + "strings" "time" . "github.com/onsi/ginkgo/v2" @@ -147,6 +149,34 @@ var _ = Describe("Aggregated role in-action tests", Serial, func() { Entry("[test_id:3949]can do everything with edit", "edit"), ) + DescribeTable("check all user facing resources can be manipulated by non-cluster-admin", func(user string) { + var namespacedCDIAPIResourcesPlural []string + // Also retrieves API resources that are not served via CRDs + outputAPIResources, err := f.RunKubectlCommand("api-resources", "--namespaced", "-o", "name") + Expect(err).ToNot(HaveOccurred(), "ERR: %s, OUT: %s", err, outputAPIResources) + for _, apiResource := range strings.Split(strings.TrimSpace(outputAPIResources), "\n") { + if strings.Contains(apiResource, "cdi.kubevirt.io") { + plural := strings.Split(apiResource, ".")[0] + namespacedCDIAPIResourcesPlural = append(namespacedCDIAPIResourcesPlural, plural) + } + } + fmt.Fprintf(GinkgoWriter, "CDI namespaced API resources: %+v\n", namespacedCDIAPIResourcesPlural) + Expect(len(namespacedCDIAPIResourcesPlural)).To(BeNumerically(">=", 5)) + + createServiceAccount(f.K8sClient, f.Namespace.Name, user) + createRoleBinding(f.K8sClient, user, f.Namespace.Name, user) + + for _, resource := range namespacedCDIAPIResourcesPlural { + sa := fmt.Sprintf("system:serviceaccount:%s:%s", f.Namespace.Name, user) + result, err := f.RunKubectlCommand("auth", "can-i", "--as", sa, "*", resource, "--namespace", f.Namespace.Name) + Expect(err).ToNot(HaveOccurred(), "no permission for %s, result: %s", resource, result) + Expect(strings.TrimSpace(result)).To(Equal("yes")) + } + }, + Entry("[test_id:XXXX]for admin", "admin"), + Entry("[test_id:XXXX]for edit", "edit"), + ) + It("[test_id:3950]view datavolume permission checks", func() { const user = "view" var cdiClient cdiClientset.Interface