forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauthorizer_test.go
79 lines (68 loc) · 2.86 KB
/
authorizer_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
package browsersafe
import (
"testing"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
)
func TestBrowserSafeAuthorizer(t *testing.T) {
for name, tc := range map[string]struct {
attributes authorizer.Attributes
expectedVerb string
expectedSubresource string
expectedReason string
}{
"non-resource": {
attributes: authorizer.AttributesRecord{ResourceRequest: false, Verb: "GET"},
expectedVerb: "GET",
},
"non-proxy": {
attributes: authorizer.AttributesRecord{ResourceRequest: true, Verb: "get", Resource: "pods", Subresource: "logs"},
expectedVerb: "get",
expectedSubresource: "logs",
},
"unsafe proxy subresource": {
attributes: authorizer.AttributesRecord{ResourceRequest: true, Verb: "get", Resource: "pods", Subresource: "proxy"},
expectedVerb: "get",
expectedSubresource: "unsafeproxy",
expectedReason: "proxy subresource changed to unsafeproxy",
},
"unsafe proxy verb": {
attributes: authorizer.AttributesRecord{ResourceRequest: true, Verb: "proxy", Resource: "nodes"},
expectedVerb: "unsafeproxy",
expectedReason: "proxy verb changed to unsafeproxy",
},
"unsafe proxy verb anonymous": {
attributes: authorizer.AttributesRecord{ResourceRequest: true, Verb: "proxy", Resource: "nodes",
User: &user.DefaultInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}}},
expectedVerb: "unsafeproxy",
expectedReason: "proxy verb changed to unsafeproxy",
},
"proxy subresource authenticated": {
attributes: authorizer.AttributesRecord{ResourceRequest: true, Verb: "get", Resource: "pods", Subresource: "proxy",
User: &user.DefaultInfo{Name: "bob", Groups: []string{"system:authenticated"}}},
expectedVerb: "get",
expectedSubresource: "proxy",
},
} {
delegateAuthorizer := &recordingAuthorizer{}
safeAuthorizer := NewBrowserSafeAuthorizer(delegateAuthorizer, "system:authenticated")
authorized, reason, err := safeAuthorizer.Authorize(tc.attributes)
if authorized == authorizer.DecisionAllow || reason != tc.expectedReason || err != nil {
t.Errorf("%s: unexpected output: %v %s %v", name, authorized, reason, err)
continue
}
if delegateAuthorizer.attributes.GetVerb() != tc.expectedVerb {
t.Errorf("%s: expected verb %s, got %s", name, tc.expectedVerb, delegateAuthorizer.attributes.GetVerb())
}
if delegateAuthorizer.attributes.GetSubresource() != tc.expectedSubresource {
t.Errorf("%s: expected verb %s, got %s", name, tc.expectedSubresource, delegateAuthorizer.attributes.GetSubresource())
}
}
}
type recordingAuthorizer struct {
attributes authorizer.Attributes
}
func (t *recordingAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
t.attributes = a
return authorizer.DecisionNoOpinion, "", nil
}