From 7d8c7ddea5ec8471caf333385a0f24b48e062bc5 Mon Sep 17 00:00:00 2001
From: William Lightning
Date: Wed, 19 Sep 2018 10:26:18 -0700
Subject: [PATCH] Build out issuer_rbac tests based on certificate_rbac tests

Signed-off-by: William Lightning
---
 test/e2e/issuer/BUILD.bazel | 1 +
 test/e2e/issuer/issuer_rbac.go | 204 +++++++++++++++++++++++++++++++++
 2 files changed, 205 insertions(+)
 create mode 100644 test/e2e/issuer/issuer_rbac.go

diff --git a/test/e2e/issuer/BUILD.bazel b/test/e2e/issuer/BUILD.bazel
index 6e32968ee..e799d59e4 100644
--- a/test/e2e/issuer/BUILD.bazel
+++ b/test/e2e/issuer/BUILD.bazel
@@ -5,6 +5,7 @@ go_library(
 srcs = [
 "issuer_acme.go",
 "issuer_ca.go",
+ "issuer_rbac.go",
 "issuer_vault.go",
 ],
 importpath = "github.com/jetstack/cert-manager/test/e2e/issuer",
diff --git a/test/e2e/issuer/issuer_rbac.go b/test/e2e/issuer/issuer_rbac.go
new file mode 100644
index 000000000..0ee7d5706
--- /dev/null
+++ b/test/e2e/issuer/issuer_rbac.go
@@ -0,0 +1,204 @@
+/*
+Copyright 2018 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package issuer
+
+import (
+ "github.com/jetstack/cert-manager/test/e2e/framework"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = framework.CertManagerDescribe("Service Account", func() {
+ f := framework.NewDefaultFramework("issuer-rbac")
+ resource := "issuers" // this file is related to issuers
+
+ Context("with namespace view access", func() {
+ clusterRole := "view"
+ It("shouldn't be able to create issuers", func() {
+ verb := "create"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeFalse())
+ })
+
+ It("shouldn't be able to delete issuers", func() {
+ verb := "delete"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeFalse())
+ })
+
+ It("shouldn't be able to delete collections of issuers", func() {
+ verb := "deletecollection"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeFalse())
+ })
+
+ It("shouldn't be able to patch issuers", func() {
+ verb := "patch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeFalse())
+ })
+
+ It("shouldn't be able to update issuers", func() {
+ verb := "update"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeFalse())
+ })
+
+ It("should be able to get issuers", func() {
+ verb := "get"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to list issuers", func() {
+ verb := "list"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to watch issuers", func() {
+ verb := "watch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+ })
+ Context("with namespace edit access", func() {
+ clusterRole := "edit"
+ It("should be able to create issuers", func() {
+ verb := "create"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to delete issuers", func() {
+ verb := "delete"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to delete collections of issuers", func() {
+ verb := "deletecollection"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to patch issuers", func() {
+ verb := "patch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to update issuers", func() {
+ verb := "update"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to get issuers", func() {
+ verb := "get"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to list issuers", func() {
+ verb := "list"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to watch issuers", func() {
+ verb := "watch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+ })
+
+ Context("with namespace admin access", func() {
+ clusterRole := "admin"
+ It("should be able to create issuers", func() {
+ verb := "create"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to delete issuers", func() {
+ verb := "delete"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to delete collections of issuers", func() {
+ verb := "deletecollection"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to patch issuers", func() {
+ verb := "patch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to update issuers", func() {
+ verb := "update"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to get issuers", func() {
+ verb := "get"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to list issuers", func() {
+ verb := "list"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+
+ It("should be able to watch issuers", func() {
+ verb := "watch"
+
+ hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+ Expect(hasAccess).Should(BeTrue())
+ })
+ })
+})
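Review bot: The 24 `It` blocks in the three `Context`s of issuer_rbac.go repeat the same two statements with only `clusterRole`, `verb` and the expected boolean changing, so the view/edit/admin permission matrix for `issuers` is scattered over the whole file and a flipped `BeTrue()`/`BeFalse()` would be easy to miss in review. Declaring the matrix once as data and generating the specs in a loop, as sketched below, puts the expected authorization policy in one place; the spec names change with this rewrite, so any focus/skip filters keyed on the old names would need updating. `framework.RbacClusterRoleHasAccessToResource` is not part of this patch: if it returns false when the access check itself fails, the five `BeFalse()` cases under `view` would pass without an authorization decision having been made, so it is worth confirming that the helper fails the spec on error. The resource is passed as the bare string `"issuers"`, which presumably relies on the helper to supply the API group; that should be confirmed too, since a check against a different group would not exercise the cert-manager rules.

```go
// … unchanged: license header, package clause, imports …

var _ = framework.CertManagerDescribe("Service Account", func() {
	f := framework.NewDefaultFramework("issuer-rbac")
	resource := "issuers" // this file is related to issuers

	verbs := []string{"create", "delete", "deletecollection", "patch", "update", "get", "list", "watch"}
	readOnly := map[string]bool{"get": true, "list": true, "watch": true}
	readWrite := map[string]bool{
		"create": true, "delete": true, "deletecollection": true, "patch": true,
		"update": true, "get": true, "list": true, "watch": true,
	}
	// Expected permission matrix: a verb missing from a role's set must be denied.
	allowed := map[string]map[string]bool{
		"view":  readOnly,
		"edit":  readWrite,
		"admin": readWrite,
	}

	for _, clusterRole := range []string{"view", "edit", "admin"} {
		clusterRole := clusterRole // the spec closures run after the loop has advanced
		Context("with namespace "+clusterRole+" access", func() {
			for _, verb := range verbs {
				verb := verb
				want := allowed[clusterRole][verb]
				It("has the expected access for "+verb+" on "+resource, func() {
					hasAccess := framework.RbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
					Expect(hasAccess).Should(Equal(want))
				})
			}
		})
	}
})
```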