authorizer: simplify unit tests by less helpers
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
sttts committed Jan 11, 2025
1 parent 8479e5d commit 7622c82
Showing 2 changed files with 28 additions and 43 deletions.
28 changes: 14 additions & 14 deletions pkg/authorization/requiredgroups_authorizer_test.go
Expand Up @@ -41,25 +41,25 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
}{
"deep SAR": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-unknown"),
requestingUser: &user.DefaultInfo{Name: "user-unknown"},
deepSARHeader: true,
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to deep SAR request",
},
"missing cluster in request": {
requestingUser: newUser("user-unknown"),
requestingUser: &user.DefaultInfo{Name: "user-unknown"},
wantDecision: authorizer.DecisionNoOpinion,
wantReason: "empty cluster name",
},
"system:kcp:logical-cluster-admin can always pass": {
requestedWorkspace: "root:ready",
requestingUser: newUser("lcluster-admin", "system:kcp:logical-cluster-admin"),
requestingUser: &user.DefaultInfo{Name: "lcluster-admin", Groups: []string{"system:kcp:logical-cluster-admin"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to logical cluster admin access",
},
"system:kcp:external-logical-cluster-admin can always pass": {
requestedWorkspace: "root:ready",
requestingUser: newUser("external-lcluster-admin", "system:kcp:external-logical-cluster-admin"),
requestingUser: &user.DefaultInfo{Name: "external-lcluster-admin", Groups: []string{"system:kcp:external-logical-cluster-admin"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to external logical cluster admin access",
},
Expand All @@ -77,14 +77,14 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is granted access to logical cluster without required groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{},
wantReason: "delegating due to logical cluster does not require groups",
},
"permitted user is denied access to logical cluster with required groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionDeny,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -97,7 +97,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is allowed access to logical cluster with matching all of multiple disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1", "special-group-2"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1", "special-group-2"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -110,7 +110,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is allowed access to logical cluster with matching one of multiple disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1", "other-group"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1", "other-group"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -123,7 +123,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is allowed access to logical cluster with multiple conjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1", "special-group-2"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1", "special-group-2"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -136,7 +136,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is denied access to logical cluster with multiple conjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1", "other-group"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1", "other-group"}},
wantDecision: authorizer.DecisionDeny,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -149,7 +149,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is allowed access to logical cluster with matching two of multiple conjunctive and disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1", "special-group-2"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1", "special-group-2"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -162,7 +162,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is allowed access to logical cluster with matching one of multiple conjunctive and disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-3"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-3"}},
wantDecision: authorizer.DecisionAllow,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -175,7 +175,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is denied access to logical cluster with matching only one of multiple conjunctive and disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "special-group-1"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"special-group-1"}},
wantDecision: authorizer.DecisionDeny,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
Expand All @@ -188,7 +188,7 @@ func TestRequiredGroupsAuthorizer(t *testing.T) {
},
"permitted user is denied access to logical cluster with matching none of multiple conjunctive and disjunctive groups": {
requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionDeny,
logicalCluster: &v1alpha1.LogicalCluster{
ObjectMeta: v1.ObjectMeta{
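Review bot: As far as the visible cases go, TestRequiredGroupsAuthorizer never exercises a `system:kcp:logical-cluster-admin` user whose `Extra` carries an `authentication.kcp.io/scopes` entry, whereas TestWorkspaceContentAuthorizer in this same commit pins that combination with its "can always pass with exeception if scoped" case. If the required-groups authorizer is also expected to check scopes before short-circuiting on the admin group, a mirror case asserting the expected decision would keep the two authorizers from drifting apart; if it deliberately does not, a one-line comment on the "system:kcp:logical-cluster-admin can always pass" case stating that would spare the next reader the same question. Now that each case spells out `&user.DefaultInfo{...}` inline, a reader can see the exact group set per case, which is an improvement for an authorization test. The enclosing TestRequiredGroupsAuthorizer begins before the first hunk and continues past the last.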
43 changes: 14 additions & 29 deletions pkg/authorization/workspace_content_authorizer_test.go
Expand Up @@ -40,21 +40,6 @@ import (
corev1alpha1listers "github.com/kcp-dev/kcp/sdk/client/listers/core/v1alpha1"
)

func newUser(name string, groups ...string) *user.DefaultInfo {
return &user.DefaultInfo{
Name: name,
Groups: groups,
}
}

func newUserWithExtra(name string, extra map[string][]string, groups ...string) *user.DefaultInfo {
return &user.DefaultInfo{
Name: name,
Groups: groups,
Extra: extra,
}
}

func newServiceAccountWithCluster(name string, cluster string, groups ...string) *user.DefaultInfo {
extra := make(map[string][]string)
if len(cluster) > 0 {
Expand Down Expand Up @@ -93,31 +78,31 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
testName: "unknown requested workspace",

requestedWorkspace: "root:unknown",
requestingUser: newUser("user-access"),
requestingUser: &user.DefaultInfo{Name: "user-access"},
wantDecision: authorizer.DecisionDeny,
wantReason: "LogicalCluster not found",
},
{
testName: "workspace without parent",

requestedWorkspace: "rootwithoutparent",
requestingUser: newUser("user-access"),
requestingUser: &user.DefaultInfo{Name: "user-access"},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to user logical cluster access",
},
{
testName: "non-permitted user is not allowed",

requestedWorkspace: "root:ready",
requestingUser: newUser("user-unknown"),
requestingUser: &user.DefaultInfo{Name: "user-unknown"},
wantDecision: authorizer.DecisionNoOpinion,
wantReason: "no verb=access permission on /",
},
{
testName: "permitted user is granted access",

requestedWorkspace: "root:ready",
requestingUser: newUser("user-access", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to user logical cluster access",
},
Expand All @@ -133,19 +118,19 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
testName: "user with scope to this cluster is allowed",

requestedWorkspace: "root:ready",
requestingUser: newUserWithExtra("user-access", map[string][]string{
requestingUser: &user.DefaultInfo{Name: "user-access", Extra: map[string][]string{
"authentication.kcp.io/scopes": {"cluster:root:ready"},
}),
}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to user logical cluster access",
},
{
testName: "user with scope to another cluster is denied",

requestedWorkspace: "root:ready",
requestingUser: newUserWithExtra("user-access", map[string][]string{
requestingUser: &user.DefaultInfo{Name: "user-access", Extra: map[string][]string{
"authentication.kcp.io/scopes": {"cluster:anotherws"},
}),
}},
wantDecision: authorizer.DecisionNoOpinion,
wantReason: "out of scope",
},
Expand All @@ -161,7 +146,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
testName: "user is granted access on root",

requestedWorkspace: "root",
requestingUser: newUser("somebody", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "somebody", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to user logical cluster access",
},
Expand Down Expand Up @@ -201,33 +186,33 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
testName: "system:kcp:logical-cluster-admin can always pass",

requestedWorkspace: "root:non-existent",
requestingUser: newUser("lcluster-admin", "system:kcp:logical-cluster-admin"),
requestingUser: &user.DefaultInfo{Name: "lcluster-admin", Groups: []string{"system:kcp:logical-cluster-admin"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to logical cluster admin access",
},
{
testName: "system:kcp:logical-cluster-admin can always pass with exeception if scoped",

requestedWorkspace: "root:non-existent",
requestingUser: newUserWithExtra("lcluster-admin", map[string][]string{
requestingUser: &user.DefaultInfo{Name: "lcluster-admin", Extra: map[string][]string{
"authentication.kcp.io/scopes": {"cluster:other"},
}, "system:kcp:logical-cluster-admin"),
}, Groups: []string{"system:kcp:logical-cluster-admin"}},
wantDecision: authorizer.DecisionDeny,
wantReason: "LogicalCluster not found",
},
{
testName: "permitted user is granted access to initializing workspace",

requestedWorkspace: "root:initializing",
requestingUser: newUser("user-access", "system:authenticated"),
requestingUser: &user.DefaultInfo{Name: "user-access", Groups: []string{"system:authenticated"}},
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to user logical cluster access",
},
{
testName: "any user passed for deep SAR",

requestedWorkspace: "root:ready",
requestingUser: newUser("user-unknown"),
requestingUser: &user.DefaultInfo{Name: "user-unknown"},
deepSARHeader: true,
wantDecision: authorizer.DecisionAllow,
wantReason: "delegating due to deep SAR request",
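Review bot: The inlined literal in the "can always pass with exeception if scoped" case lists `Extra` before `Groups`, while every other case on the new side lists `Name` then `Groups`; writing it as `&user.DefaultInfo{Name: "lcluster-admin", Groups: []string{"system:kcp:logical-cluster-admin"}, Extra: map[string][]string{"authentication.kcp.io/scopes": {"cluster:other"}}}` keeps the field order uniform now that no helper enforces it, so the group list is in the same place in every case. That case's name also carries a typo, `exeception` → `exception`, which is cheap to fix while the surrounding lines are being touched. The remaining helper newServiceAccountWithCluster is kept, presumably because it derives the extra map from its cluster argument; a short doc comment such as `// newServiceAccountWithCluster builds a service-account user whose Extra carries the given cluster.` would make clear why it survives when newUser and newUserWithExtra did not. TestWorkspaceContentAuthorizer begins before the first test-case hunk and continues past the last.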
