func TestPolicyBasedRestrictionOfBuildCreateAndCloneByStrategy(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, false) clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient} builds := map[string]*buildapi.Build{} // Create builds to setup test for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { var err error if builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy); err != nil { t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err) } } } // by default amdins and editors can clone builds for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); err != nil { t.Errorf("unexpected clone error for strategy %s and client %s: %v", strategy, clientType, err) } } } removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient) // make sure builds are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := createBuild(t, client.Builds(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure build updates are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := updateBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure clone is rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } }
func TestPolicyBasedRestrictionOfBuildCreateAndCloneByStrategy(t *testing.T) { defer testutil.DumpEtcdOnFailure(t) clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, false) clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient} builds := map[string]*buildapi.Build{} restrictedStrategies := make(map[string]int) for key, val := range buildStrategyTypesRestricted() { restrictedStrategies[val] = key } // ensure that restricted strategy types can not be created for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { var err error builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy) _, restricted := restrictedStrategies[strategy] if kapierror.IsForbidden(err) && !restricted { t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err) } else if !kapierror.IsForbidden(err) && restricted { t.Errorf("expected forbidden for strategy %s and client %s: Got success instead ", strategy, clientType) } } } grantRestrictedBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient) // Create builds to setup test for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { var err error if builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy); err != nil { t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err) } } } // by default admins and editors can clone builds for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); err != nil { t.Errorf("unexpected clone error for strategy %s and client %s: %v", strategy, clientType, err) } } } removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient) // make sure builds are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := createBuild(t, client.Builds(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure build updates are rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := updateBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } // make sure clone is rejected for _, strategy := range buildStrategyTypes() { for clientType, client := range clients { if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) { t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err) } } } }