func TestPolicyBasedRestrictionOfBuildCreateAndCloneByStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, false)
clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient}
builds := map[string]*buildapi.Build{}
// Create builds to setup test
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
if builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy); err != nil {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
// by default amdins and editors can clone builds
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); err != nil {
t.Errorf("unexpected clone error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// make sure builds are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := createBuild(t, client.Builds(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure build updates are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := updateBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure clone is rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
}
func TestPolicyBasedRestrictionOfBuildCreateAndCloneByStrategy(t *testing.T) {
defer testutil.DumpEtcdOnFailure(t)
clusterAdminClient, projectAdminClient, projectEditorClient := setupBuildStrategyTest(t, false)
clients := map[string]*client.Client{"admin": projectAdminClient, "editor": projectEditorClient}
builds := map[string]*buildapi.Build{}
restrictedStrategies := make(map[string]int)
for key, val := range buildStrategyTypesRestricted() {
restrictedStrategies[val] = key
}
// ensure that restricted strategy types can not be created
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy)
_, restricted := restrictedStrategies[strategy]
if kapierror.IsForbidden(err) && !restricted {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
} else if !kapierror.IsForbidden(err) && restricted {
t.Errorf("expected forbidden for strategy %s and client %s: Got success instead ", strategy, clientType)
}
}
}
grantRestrictedBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// Create builds to setup test
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
var err error
if builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy); err != nil {
t.Errorf("unexpected error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
// by default admins and editors can clone builds
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); err != nil {
t.Errorf("unexpected clone error for strategy %s and client %s: %v", strategy, clientType, err)
}
}
}
removeBuildStrategyRoleResources(t, clusterAdminClient, projectAdminClient, projectEditorClient)
// make sure builds are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := createBuild(t, client.Builds(testutil.Namespace()), strategy); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure build updates are rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := updateBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
// make sure clone is rejected
for _, strategy := range buildStrategyTypes() {
for clientType, client := range clients {
if _, err := cloneBuild(t, client.Builds(testutil.Namespace()), builds[string(strategy)+clientType]); !kapierror.IsForbidden(err) {
t.Errorf("expected forbidden for strategy %s and client %s: got %v", strategy, clientType, err)
}
}
}
}
