Refactor common rbac test code into function

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
2018-09-18 15:57:23 -07:00 · 2018-09-18 15:57:23 -07:00 · d22a62d7a4
commit d22a62d7a4
parent 57bf83dea4
1 changed files with 68 additions and 114 deletions
--- a/test/e2e/certificate/certificate_rbac.go
+++ b/test/e2e/certificate/certificate_rbac.go
@ -35,125 +35,79 @@ var _ = framework.CertManagerDescribe("Service Account", func() {

 	Context("with read access", func() {
 		It("shouldn't be able to create certificates", func() {
-			serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name)
-			roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings()
+			clusterRole := "view"
+			verb := "create"
+			resource := "certificates"

-			viewServiceAccountName := "test-view-create"
-
-			By("Creating a service account")
-			viewServiceAccount := &v1.ServiceAccount{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: viewServiceAccountName,
-				},
-			}
-			_, err := serviceAccountClient.Create(viewServiceAccount)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Creating ClusterRoleBinding to view user role")
-			viewRoleBinding := &rbacv1.ClusterRoleBinding{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: viewServiceAccountName + "-rb",
-				},
-				Subjects: []rbacv1.Subject{
-					{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
-				},
-				RoleRef: rbacv1.RoleRef{
-					APIGroup: "rbac.authorization.k8s.io",
-					Kind:     "ClusterRole",
-					Name:     "view",
-				},
-			}
-			_, err = roleBindingClient.Create(viewRoleBinding)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Sleeping for a second.") // to allow RBAC to propagate
-			time.Sleep(time.Second)
-
-			By("Impersonating the Service Account")
-			var impersonateConfig *rest.Config
-			impersonateConfig = f.Config
-			impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
-			impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Submitting a self subject access review")
-			sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
-
-			sar := &authorizationv1.SelfSubjectAccessReview{
-				Spec: authorizationv1.SelfSubjectAccessReviewSpec{
-					ResourceAttributes: &authorizationv1.ResourceAttributes{
-						Namespace: f.Namespace.Name,
-						Verb:      "create",
-						Group:     "certmanager.k8s.io",
-						Resource:  "certificates",
-					},
-				},
-			}
-
-			response, err := sarClient.Create(sar)
-			Expect(err).NotTo(HaveOccurred())
-			Expect(response.Status.Allowed).Should(BeFalse())
+			hasAccess := rbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeFalse())
 		})

 		It("should be able to get certificates", func() {
-			serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name)
-			roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings()
+			clusterRole := "view"
+			verb := "get"
+			resource := "certificates"

-			viewServiceAccountName := "test-view-get"
-
-			By("Creating a service account")
-			viewServiceAccount := &v1.ServiceAccount{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: viewServiceAccountName,
-				},
-			}
-			_, err := serviceAccountClient.Create(viewServiceAccount)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Creating ClusterRoleBinding to view user role")
-			viewRoleBinding := &rbacv1.ClusterRoleBinding{
-				ObjectMeta: metav1.ObjectMeta{
-					Name: viewServiceAccountName + "-rb",
-				},
-				Subjects: []rbacv1.Subject{
-					{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
-				},
-				RoleRef: rbacv1.RoleRef{
-					APIGroup: "rbac.authorization.k8s.io",
-					Kind:     "ClusterRole",
-					Name:     "view",
-				},
-			}
-			_, err = roleBindingClient.Create(viewRoleBinding)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Sleeping for a second.") // to allow RBAC to propagate
-			time.Sleep(time.Second)
-
-			By("Impersonating the Service Account")
-			var impersonateConfig *rest.Config
-			impersonateConfig = f.Config
-			impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
-			impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
-			Expect(err).NotTo(HaveOccurred())
-
-			By("Submitting a self subject access review")
-			sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
-
-			sar := &authorizationv1.SelfSubjectAccessReview{
-				Spec: authorizationv1.SelfSubjectAccessReviewSpec{
-					ResourceAttributes: &authorizationv1.ResourceAttributes{
-						Namespace: f.Namespace.Name,
-						Verb:      "get",
-						Group:     "certmanager.k8s.io",
-						Resource:  "certificates",
-					},
-				},
-			}
-
-			response, err := sarClient.Create(sar)
-			Expect(err).NotTo(HaveOccurred())
-			Expect(response.Status.Allowed).Should(BeTrue())
+			hasAccess := rbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
+			Expect(hasAccess).Should(BeTrue())
 		})
 	})
 })
+
+func rbacClusterRoleHasAccessToResource(f *framework.Framework, clusterRole string, verb string, resource string) bool {
+	By("Creating a service account")
+	viewServiceAccount := &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "rbac-test-",
+		},
+	}
+	serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name)
+	serviceAccount, err := serviceAccountClient.Create(viewServiceAccount)
+	Expect(err).NotTo(HaveOccurred())
+	viewServiceAccountName := serviceAccount.Name
+
+	By("Creating ClusterRoleBinding to view " + clusterRole + " clusterRole")
+	viewRoleBinding := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: viewServiceAccountName + "-rb-",
+		},
+		Subjects: []rbacv1.Subject{
+			{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
+		},
+		RoleRef: rbacv1.RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     clusterRole,
+		},
+	}
+	roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings()
+	_, err = roleBindingClient.Create(viewRoleBinding)
+	Expect(err).NotTo(HaveOccurred())
+
+	By("Sleeping for a second.")
+	// to allow RBAC to propagate
+	time.Sleep(time.Second)
+
+	By("Impersonating the Service Account")
+	var impersonateConfig *rest.Config
+	impersonateConfig = f.Config
+	impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
+	impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
+	Expect(err).NotTo(HaveOccurred())
+
+	By("Submitting a self subject access review")
+	sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
+	sar := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Namespace: f.Namespace.Name,
+				Verb:      verb,
+				Group:     "certmanager.k8s.io",
+				Resource:  resource,
+			},
+		},
+	}
+	response, err := sarClient.Create(sar)
+	Expect(err).NotTo(HaveOccurred())
+	return response.Status.Allowed
+}