Build out issuer_rbac tests based on certificate_rbac tests

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
2018-09-19 10:26:18 -07:00 · 2018-09-19 10:26:18 -07:00 · 7d8c7ddea5
commit 7d8c7ddea5
parent 180af301eb
2 changed files with 205 additions and 0 deletions
--- a/test/e2e/issuer/BUILD.bazel
+++ b/test/e2e/issuer/BUILD.bazel
@ -5,6 +5,7 @@ go_library(
    srcs = [
        "issuer_acme.go",
        "issuer_ca.go",
+        "issuer_rbac.go",
        "issuer_vault.go",
    ],
    importpath = "github.com/jetstack/cert-manager/test/e2e/issuer",
--- a/test/e2e/issuer/issuer_rbac.go
+++ b/test/e2e/issuer/issuer_rbac.go
@ -0,0 +1,204 @@
+/*
+Copyright 2018 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package issuer
+
+import (
+	"github.com/jetstack/cert-manager/test/e2e/framework"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = framework.CertManagerDescribe("Service Account", func() {
+	f := framework.NewDefaultFramework("issuer-rbac")
+	resource := "issuers" // this file is related to issuers
+
+	Context("with namespace view access", func() {
+		clusterRole := "view"
+		It("shouldn't be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("shouldn't be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+	Context("with namespace edit access", func() {
+		clusterRole := "edit"
+		It("should be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+
+	Context("with namespace admin access", func() {
+		clusterRole := "admin"
+		It("should be able to create issuers", func() {
+			verb := "create"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete issuers", func() {
+			verb := "delete"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to delete collections of issuers", func() {
+			verb := "deletecollection"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to patch issuers", func() {
+			verb := "patch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to update issuers", func() {
+			verb := "update"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to get issuers", func() {
+			verb := "get"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to list issuers", func() {
+			verb := "list"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+
+		It("should be able to watch issuers", func() {
+			verb := "watch"
+
+			hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
+		})
+	})
+})