Refactor common rbac test code into function

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
This commit is contained in:
William Lightning 2018-09-18 15:57:23 -07:00
parent 57bf83dea4
commit d22a62d7a4


@ -35,125 +35,79 @@ var _ = framework.CertManagerDescribe("Service Account", func() {
Context("with read access", func() { Context("with read access", func() {
It("shouldn't be able to create certificates", func() { It("shouldn't be able to create certificates", func() {
serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name) clusterRole := "view"
roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings() verb := "create"
resource := "certificates"
viewServiceAccountName := "test-view-create" hasAccess := rbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
Expect(hasAccess).Should(BeFalse())
By("Creating a service account")
viewServiceAccount := &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: viewServiceAccountName,
},
}
_, err := serviceAccountClient.Create(viewServiceAccount)
Expect(err).NotTo(HaveOccurred())
By("Creating ClusterRoleBinding to view user role")
viewRoleBinding := &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: viewServiceAccountName + "-rb",
},
Subjects: []rbacv1.Subject{
{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "view",
},
}
_, err = roleBindingClient.Create(viewRoleBinding)
Expect(err).NotTo(HaveOccurred())
By("Sleeping for a second.") // to allow RBAC to propagate
time.Sleep(time.Second)
By("Impersonating the Service Account")
var impersonateConfig *rest.Config
impersonateConfig = f.Config
impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
Expect(err).NotTo(HaveOccurred())
By("Submitting a self subject access review")
sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
sar := &authorizationv1.SelfSubjectAccessReview{
Spec: authorizationv1.SelfSubjectAccessReviewSpec{
ResourceAttributes: &authorizationv1.ResourceAttributes{
Namespace: f.Namespace.Name,
Verb: "create",
Group: "certmanager.k8s.io",
Resource: "certificates",
},
},
}
response, err := sarClient.Create(sar)
Expect(err).NotTo(HaveOccurred())
Expect(response.Status.Allowed).Should(BeFalse())
}) })
It("should be able to get certificates", func() { It("should be able to get certificates", func() {
serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name) clusterRole := "view"
roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings() verb := "get"
resource := "certificates"
viewServiceAccountName := "test-view-get" hasAccess := rbacClusterRoleHasAccessToResource(f, clusterRole, verb, resource)
Expect(hasAccess).Should(BeTrue())
By("Creating a service account")
viewServiceAccount := &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: viewServiceAccountName,
},
}
_, err := serviceAccountClient.Create(viewServiceAccount)
Expect(err).NotTo(HaveOccurred())
By("Creating ClusterRoleBinding to view user role")
viewRoleBinding := &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: viewServiceAccountName + "-rb",
},
Subjects: []rbacv1.Subject{
{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "view",
},
}
_, err = roleBindingClient.Create(viewRoleBinding)
Expect(err).NotTo(HaveOccurred())
By("Sleeping for a second.") // to allow RBAC to propagate
time.Sleep(time.Second)
By("Impersonating the Service Account")
var impersonateConfig *rest.Config
impersonateConfig = f.Config
impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
Expect(err).NotTo(HaveOccurred())
By("Submitting a self subject access review")
sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
sar := &authorizationv1.SelfSubjectAccessReview{
Spec: authorizationv1.SelfSubjectAccessReviewSpec{
ResourceAttributes: &authorizationv1.ResourceAttributes{
Namespace: f.Namespace.Name,
Verb: "get",
Group: "certmanager.k8s.io",
Resource: "certificates",
},
},
}
response, err := sarClient.Create(sar)
Expect(err).NotTo(HaveOccurred())
Expect(response.Status.Allowed).Should(BeTrue())
}) })
}) })
}) })
func rbacClusterRoleHasAccessToResource(f *framework.Framework, clusterRole string, verb string, resource string) bool {
By("Creating a service account")
viewServiceAccount := &v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "rbac-test-",
},
}
serviceAccountClient := f.KubeClientSet.CoreV1().ServiceAccounts(f.Namespace.Name)
serviceAccount, err := serviceAccountClient.Create(viewServiceAccount)
Expect(err).NotTo(HaveOccurred())
viewServiceAccountName := serviceAccount.Name
By("Creating ClusterRoleBinding to view " + clusterRole + " clusterRole")
viewRoleBinding := &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
GenerateName: viewServiceAccountName + "-rb-",
},
Subjects: []rbacv1.Subject{
{Kind: "ServiceAccount", Name: viewServiceAccountName, Namespace: f.Namespace.Name},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: clusterRole,
},
}
roleBindingClient := f.KubeClientSet.RbacV1().ClusterRoleBindings()
_, err = roleBindingClient.Create(viewRoleBinding)
Expect(err).NotTo(HaveOccurred())
By("Sleeping for a second.")
// to allow RBAC to propagate
time.Sleep(time.Second)
By("Impersonating the Service Account")
var impersonateConfig *rest.Config
impersonateConfig = f.Config
impersonateConfig.Impersonate.UserName = "system:serviceaccount:" + f.Namespace.Name + ":" + viewServiceAccountName
impersonateClient, err := kubernetes.NewForConfig(impersonateConfig)
Expect(err).NotTo(HaveOccurred())
By("Submitting a self subject access review")
sarClient := impersonateClient.AuthorizationV1().SelfSubjectAccessReviews()
sar := &authorizationv1.SelfSubjectAccessReview{
Spec: authorizationv1.SelfSubjectAccessReviewSpec{
ResourceAttributes: &authorizationv1.ResourceAttributes{
Namespace: f.Namespace.Name,
Verb: verb,
Group: "certmanager.k8s.io",
Resource: resource,
},
},
}
response, err := sarClient.Create(sar)
Expect(err).NotTo(HaveOccurred())
return response.Status.Allowed
}
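Review bot: `impersonateConfig = f.Config` in rbacClusterRoleHasAccessToResource aliases the framework's shared *rest.Config instead of copying it, so the following `impersonateConfig.Impersonate.UserName = ...` rewrites the config every later client in the suite is built from, turning them into impersonations of this low-privilege service account; the old per-test code did the same, but now that the helper runs several times in sequence the second call already starts from a mutated config. Replacing the `var impersonateConfig *rest.Config` / `impersonateConfig = f.Config` pair with `impersonateConfig := rest.CopyConfig(f.Config)` keeps the impersonation local to the helper. The ClusterRoleBinding created at `roleBindingClient.Create(viewRoleBinding)` is cluster-scoped, so unlike the service account it is not removed with the test namespace and a binding to `clusterRole` for a subject that no longer exists is left behind after every run; keeping the returned object instead of discarding it with `_` and adding `defer roleBindingClient.Delete(binding.Name, nil)` after the error check would clean it up. A short doc comment on the helper stating that it creates a fresh service account bound to clusterRole and returns whether that account is allowed verb on resource in the certmanager.k8s.io group would also help, since the name alone does not say the check is namespace-scoped.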