func TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, true)
clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient}
buildConfigs := map[string]*buildapi.BuildConfig{}
// by default admins and editors can create all type of buildconfigs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
if buildConfigs[string(strategy)+clientType], err = createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); err != nil {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
// by default admins and editors can instantiate build configs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); err != nil {
t.Errorf("unexpected instantiate error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// make sure buildconfigs are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure buildconfig updates are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := updateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure instantiate is rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
}
func GetRepositoryBuildConfigs(name string, out io.Writer) error {
client, err := getClient()
if err != nil {
return err
}
ns := os.Getenv("POD_NAMESPACE")
buildConfigList, err := client.BuildConfigs(ns).List(kapi.ListOptions{})
if err != nil {
return err
}
matchingBuildConfigs := []*buildapi.BuildConfig{}
for _, bc := range buildConfigList.Items {
repoAnnotation, hasAnnotation := bc.Annotations[gitRepositoryAnnotationKey]
if hasAnnotation {
if repoAnnotation == name {
matchingBuildConfigs = append(matchingBuildConfigs, &bc)
}
continue
}
if bc.Name == name {
matchingBuildConfigs = append(matchingBuildConfigs, &bc)
}
}
for _, bc := range matchingBuildConfigs {
var ref string
if bc.Spec.Source.Git != nil {
ref = bc.Spec.Source.Git.Ref
}
if ref == "" {
ref = "master"
}
fmt.Fprintf(out, "%s %s\n", bc.Name, ref)
}
return nil
}
func TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, true)
clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient}
buildConfigs := map[string]*buildapi.BuildConfig{}
restrictedStrategies := make(map[string]int)
for key, val := range buildStrategyTypesRestricted() {
restrictedStrategies[val] = key
}
// ensure that restricted strategy types can not be created
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
buildConfigs[string(strategy)+clientType], err = createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy)
_, restricted := restrictedStrategies[strategy]
if kapierror.IsForbidden(err) && !restricted {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
} else if !kapierror.IsForbidden(err) && restricted {
t.Errorf("expected forbidden for strategy %s and client %s: Got success instead ", strategy, clientType)
}
}
}
grantRestrictedBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// by default admins and editors can create source, docker, and jenkinspipline buildconfigs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
if buildConfigs[string(strategy)+clientType], err = createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); err != nil {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
// by default admins and editors can instantiate build configs
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); err != nil {
t.Errorf("unexpected instantiate error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// make sure buildconfigs are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := createBuildConfig(t, client.BuildConfigs(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure buildconfig updates are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := updateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure instantiate is rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := instantiateBuildConfig(t, client.BuildConfigs(testutil.Namespace()), buildConfigs[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
}
