func TestAutomaticCreationOfPullSecrets(t *testing.T) {
saNamespace := api.NamespaceDefault
saName := serviceaccountadmission.DefaultServiceAccountName
_, clusterAdminConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// Get a service account token
saToken, err := waitForServiceAccountToken(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saToken) == 0 {
t.Errorf("token was not created")
}
// Get the matching dockercfg secret
saPullSecret, err := waitForServiceAccountPullSecret(clusterAdminKubeClient, saNamespace, saName, 20, time.Second)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if len(saPullSecret) == 0 {
t.Errorf("pull secret was not created")
}
}
func TestUnprivilegedNewProject(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
allowed, err := valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if allowed.Status != kapi.StatusSuccess {
t.Fatalf("expected %v, got %v", kapi.StatusSuccess, allowed.Status)
}
requestProject := oc.NewProjectOptions{
ProjectName: "new-project",
DisplayName: "display name here",
Description: "the special description",
Client: valerieOpenshiftClient,
Out: ioutil.Discard,
}
if err := requestProject.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
waitForProject(t, valerieOpenshiftClient, "new-project", 5*time.Second, 10)
if err := requestProject.Run(); !kapierrors.IsAlreadyExists(err) {
t.Fatalf("expected an already exists error, but got %v", err)
}
}
func TestImageStreamDelete(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
stream := mockImageStream()
if err := clusterAdminClient.ImageStreams(testutil.Namespace()).Delete(stream.Name); err == nil || !errors.IsNotFound(err) {
t.Fatalf("Unxpected non-error or type: %v", err)
}
actual, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if err := clusterAdminClient.ImageStreams(testutil.Namespace()).Delete(actual.Name); err != nil {
t.Fatalf("Unxpected error: %v", err)
}
}
func setupBuildStrategyTest(t *testing.T) (clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
namespace := testutil.Namespace()
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err = testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err = testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, namespace, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectEditorClient, _, _, err = testutil.GetClientForUser(*clusterAdminClientConfig, "joe")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addJoe := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(namespace, projectAdminClient),
Users: []string{"joe"},
}
if err := addJoe.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(projectEditorClient, namespace, "create", authorizationapi.DockerBuildResource, true); err != nil {
t.Fatalf(err.Error())
}
// Create builder image stream and tag
imageStream := &imageapi.ImageStream{}
imageStream.Name = "builderimage"
_, err = clusterAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream)
if err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
// Create image stream mapping
imageStreamMapping := &imageapi.ImageStreamMapping{}
imageStreamMapping.Name = "builderimage"
imageStreamMapping.Tag = "latest"
imageStreamMapping.Image.Name = "image-id"
imageStreamMapping.Image.DockerImageReference = "test/builderimage:latest"
err = clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(imageStreamMapping)
if err != nil {
t.Fatalf("Couldn't create ImageStreamMapping: %v", err)
}
return
}
func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// can I get a subjectaccessreview on myself even if I have no rights to do it generally
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot create policybindings in project "openshift"`,
Namespace: "openshift",
},
}.run(t)
// I shouldn't be allowed to ask whether someone else can perform an action
askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
Groups: util.NewStringSet("system:cluster-admins"),
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
localReview: askCanClusterAdminsCreateProject,
err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
}.run(t)
}
// TestProjectMustExist verifies that content cannot be added in a project that does not exist
func TestProjectMustExist(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
pod := &kapi.Pod{
ObjectMeta: kapi.ObjectMeta{Name: "pod"},
Spec: kapi.PodSpec{
Containers: []kapi.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
RestartPolicy: kapi.RestartPolicyAlways,
DNSPolicy: kapi.DNSClusterFirst,
},
}
_, err = clusterAdminKubeClient.Pods("test").Create(pod)
if err == nil {
t.Errorf("Expected an error on creation of a Kubernetes resource because namespace does not exist")
}
build := &buildapi.Build{
ObjectMeta: kapi.ObjectMeta{Name: "buildid", Namespace: "default"},
Parameters: buildapi.BuildParameters{
Source: buildapi.BuildSource{
Type: buildapi.BuildSourceGit,
Git: &buildapi.GitBuildSource{
URI: "http://github.com/my/repository",
},
ContextDir: "context",
},
Strategy: buildapi.BuildStrategy{
Type: buildapi.DockerBuildStrategyType,
DockerStrategy: &buildapi.DockerBuildStrategy{},
},
Output: buildapi.BuildOutput{
DockerImageReference: "repository/data",
},
},
Status: buildapi.BuildStatusNew,
}
_, err = clusterAdminClient.Builds("test").Create(build)
if err == nil {
t.Errorf("Expected an error on creation of a Origin resource because namespace does not exist")
}
}
func TestUnprivilegedNewProjectDenied(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role, err := clusterAdminClient.ClusterRoles().Get(bootstrappolicy.SelfProvisionerRoleName)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
role.Rules = []authorizationapi.PolicyRule{}
if _, err := clusterAdminClient.ClusterRoles().Update(role); err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// confirm that we have access to request the project
_, err = valerieOpenshiftClient.ProjectRequests().List(labels.Everything(), fields.Everything())
if err == nil {
t.Fatalf("expected error: %v", err)
}
expectedError := `You may not request a new project via this API.`
if (err != nil) && (err.Error() != expectedError) {
t.Fatalf("expected\n\t%v\ngot\n\t%v", expectedError, err.Error())
}
}
func TestBootstrapPolicyAuthenticatedUsersAgainstOpenshiftNamespace(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
valerieClientConfig := *clusterAdminClientConfig
valerieClientConfig.Username = ""
valerieClientConfig.Password = ""
valerieClientConfig.BearerToken = ""
valerieClientConfig.CertFile = ""
valerieClientConfig.KeyFile = ""
valerieClientConfig.CertData = nil
valerieClientConfig.KeyData = nil
accessToken, err := tokencmd.RequestToken(&valerieClientConfig, nil, "valerie", "security!")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieClientConfig.BearerToken = accessToken
valerieOpenshiftClient, err := client.New(&valerieClientConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
openshiftSharedResourcesNamespace := "openshift"
if _, err := valerieOpenshiftClient.Templates(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.Templates(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(openshiftSharedResourcesNamespace).List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreams(kapi.NamespaceDefault).List(labels.Everything(), fields.Everything()); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(openshiftSharedResourcesNamespace).Get("name", "tag"); !kapierror.IsNotFound(err) {
t.Errorf("unexpected error: %v", err)
}
if _, err := valerieOpenshiftClient.ImageStreamTags(kapi.NamespaceDefault).Get("name", "tag"); err == nil || !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
}
func TestAuthorizationRestrictedAccessForProjectAdmins(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = haroldClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.DeploymentConfigs("hammer-project").List(labels.Everything(), fields.Everything())
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// projects are a special case where a get of a project actually sets a namespace. Make sure that
// the namespace is properly special cased and set for authorization rules
_, err = haroldClient.Projects().Get("hammer-project")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
_, err = markClient.Projects().Get("hammer-project")
if (err == nil) || !kapierror.IsForbidden(err) {
t.Fatalf("unexpected error: %v", err)
}
// wait for the project authorization cache to catch the change. It is on a one second period
waitForProject(t, haroldClient, "hammer-project", 1*time.Second, 10)
waitForProject(t, markClient, "mallet-project", 1*time.Second, 10)
}
func TestBootstrapPolicyOverwritePolicyCommand(t *testing.T) {
masterConfig, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
client, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := client.ClusterPolicies().Delete(authorizationapi.PolicyName); err != nil {
t.Errorf("unexpected error: %v", err)
}
// after the policy is deleted, we must wait for it to be cleared from the policy cache
err = wait.Poll(10*time.Millisecond, 10*time.Second, func() (bool, error) {
_, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything())
if err == nil {
return false, nil
}
if !kapierror.IsForbidden(err) {
t.Errorf("unexpected error: %v", err)
}
return true, nil
})
if err != nil {
t.Errorf("timeout: %v", err)
}
etcdClient, err := etcd.GetAndTestEtcdClient(masterConfig.EtcdClientInfo)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
etcdHelper, err := origin.NewEtcdStorage(etcdClient, masterConfig.EtcdStorageConfig.OpenShiftStorageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if err := admin.OverwriteBootstrapPolicy(etcdHelper, masterConfig.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
t.Errorf("unexpected error: %v", err)
}
if _, err := client.ClusterPolicies().List(labels.Everything(), fields.Everything()); err != nil {
t.Errorf("unexpected error: %v", err)
}
}
func TestGroupCommands(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
newGroup := &groupscmd.NewGroupOptions{clusterAdminClient.Groups(), "group1", []string{"first", "second", "third", "first"}}
if err := newGroup.AddGroup(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err := clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
modifyUsers := &groupscmd.GroupModificationOptions{clusterAdminClient.Groups(), "group1", []string{"second", "fourth", "fifth"}}
if err := modifyUsers.AddUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "second", "third", "fourth", "fifth"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
if err := modifyUsers.RemoveUsers(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
group1, err = clusterAdminClient.Groups().Get("group1")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if e, a := []string{"first", "third"}, group1.Users; !reflect.DeepEqual(e, a) {
t.Errorf("expected %v, actual %v", e, a)
}
}
func TestImageStreamCreate(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
stream := mockImageStream()
if _, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(&imageapi.ImageStream{}); err == nil || !errors.IsInvalid(err) {
t.Fatalf("Unexpected error: %v", err)
}
expected, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(stream)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if expected.Name == "" {
t.Errorf("Unexpected empty image Name %v", expected)
}
actual, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Get(stream.Name)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if !reflect.DeepEqual(expected, actual) {
t.Errorf("unexpected object: %s", util.ObjectDiff(expected, actual))
}
streams, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(streams.Items) != 1 {
t.Errorf("Expected one image, got %#v", streams.Items)
}
}
func setup(t *testing.T) *client.Client {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeClient.Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
return clusterAdminClient
}
func TestRootRedirect(t *testing.T) {
masterConfig, _, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
}
req, err := http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "*/*")
resp, err := transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusOK {
t.Errorf("Expected %d, got %d", http.StatusOK, resp.StatusCode)
}
if resp.Header.Get("Content-Type") != "application/json" {
t.Errorf("Expected %s, got %s", "application/json", resp.Header.Get("Content-Type"))
}
req, err = http.NewRequest("GET", masterConfig.AssetConfig.MasterPublicURL, nil)
req.Header.Set("Accept", "text/html")
resp, err = transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if resp.StatusCode != http.StatusFound {
t.Errorf("Expected %d, got %d", http.StatusFound, resp.StatusCode)
}
if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL {
t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location"))
}
// TODO add a test for when asset config is nil, the redirect should not occur in this case even when
// accept header contains text/html
}
func TestAuthorizationOnlyResolveRolesForBindingsThatMatter(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err = clusterAdminClient.ClusterRoles().Delete(bootstrappolicy.ViewRoleName); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
// try to add Valerie to a non-existent role
if err := addValerie.AddRole(); !kapierror.IsNotFound(err) {
t.Fatalf("unexpected error: %v", err)
}
}
func setupBuildControllerTest(counts controllerCount, t *testing.T) (*client.Client, *kclient.Client) {
master, clusterAdminKubeConfig, err := testutil.StartTestMaster()
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
checkErr(t, err)
_, err = clusterAdminKubeClient.Namespaces().Create(&kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: testutil.Namespace()},
})
checkErr(t, err)
if err := testutil.WaitForServiceAccounts(clusterAdminKubeClient, testutil.Namespace(), []string{bootstrappolicy.BuilderServiceAccountName, bootstrappolicy.DefaultServiceAccountName}); err != nil {
t.Errorf("unexpected error: %v", err)
}
openshiftConfig, err := origin.BuildMasterConfig(*master)
checkErr(t, err)
// Get the build controller clients, since those rely on service account tokens
// We don't want to proceed with the rest of the test until those are available
openshiftConfig.BuildControllerClients()
for i := 0; i < counts.BuildControllers; i++ {
openshiftConfig.RunBuildController()
}
for i := 0; i < counts.BuildPodControllers; i++ {
openshiftConfig.RunBuildPodController()
}
for i := 0; i < counts.ImageChangeControllers; i++ {
openshiftConfig.RunBuildImageChangeTriggerController()
}
for i := 0; i < counts.ConfigChangeControllers; i++ {
openshiftConfig.RunBuildConfigChangeController()
}
return clusterAdminClient, clusterAdminKubeClient
}
func setup(t *testing.T) *client.Client {
_, clusterAdminKubeConfigFile, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminKubeConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfigFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
projectAdminClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminKubeConfig, testutil.Namespace(), testutil.Namespace())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
return projectAdminClient
}
func TestImageStreamList(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
builds, err := clusterAdminClient.ImageStreams(testutil.Namespace()).List(labels.Everything(), fields.Everything())
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if len(builds.Items) != 0 {
t.Errorf("Expected no builds, got %#v", builds.Items)
}
}
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
clientInterface: clusterAdminClient.SubjectAccessReviews("default"),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clientInterface: dannyClient.ClusterSubjectAccessReviews(),
review: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "get", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "mark told valerie cannot get project mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot get projects in project "mallet-project"`,
Namespace: "mallet-project",
},
}.run(t)
askCanEdgarDeletePods := &authorizationapi.SubjectAccessReview{User: "******", Verb: "delete", Resource: "pods"}
subjectAccessReviewTest{
description: "mark told edgar can delete pods in mallet-project",
clientInterface: markClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in mallet-project",
Namespace: "mallet-project",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run subject access review in project mallet-project",
clientInterface: haroldClient.SubjectAccessReviews("mallet-project"),
review: askCanEdgarDeletePods,
err: `User "harold" cannot create subjectaccessreviews in project "mallet-project"`,
}.run(t)
askCanHaroldUpdateProject := &authorizationapi.SubjectAccessReview{User: "******", Verb: "update", Resource: "projects"}
subjectAccessReviewTest{
description: "harold told harold can update project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanHaroldUpdateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{Groups: util.NewStringSet("system:cluster-admins"), Verb: "create", Resource: "projects"}
subjectAccessReviewTest{
description: "cluster admin told cluster admins can create projects",
clientInterface: clusterAdminClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by cluster rule:",
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run cluster subject access review",
clientInterface: haroldClient.ClusterSubjectAccessReviews(),
review: askCanClusterAdminsCreateProject,
err: `User "harold" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
askCanICreatePods := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "pods"}
subjectAccessReviewTest{
description: "harold told he can create pods in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanICreatePolicyBindings := &authorizationapi.SubjectAccessReview{Verb: "create", Resource: "policybindings"}
subjectAccessReviewTest{
description: "harold told he can create policybindings in project hammer-project",
clientInterface: haroldClient.SubjectAccessReviews("hammer-project"),
review: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot create policybindings in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
}
func TestAuthorizationResourceAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
requestWhoCanViewDeployments := &authorizationapi.ResourceAccessReview{Verb: "get", Resource: "deployments"}
{
test := resourceAccessReviewTest{
clientInterface: haroldClient.ResourceAccessReviews("hammer-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("harold", "valerie"),
Groups: globalClusterAdminGroups,
Namespace: "hammer-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
{
test := resourceAccessReviewTest{
clientInterface: markClient.ResourceAccessReviews("mallet-project"),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: util.NewStringSet("mark", "edgar"),
Groups: globalClusterAdminGroups,
Namespace: "mallet-project",
},
}
test.response.Users.Insert(globalClusterAdminUsers.List()...)
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
// mark should not be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: markClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
err: "cannot ",
}
test.run(t)
}
// a cluster-admin should be able to make global access review requests
{
test := resourceAccessReviewTest{
clientInterface: clusterAdminClient.ClusterResourceAccessReviews(),
review: requestWhoCanViewDeployments,
response: authorizationapi.ResourceAccessReviewResponse{
Users: globalClusterAdminUsers,
Groups: globalClusterAdminGroups,
},
}
test.response.Groups.Insert("system:cluster-readers")
test.run(t)
}
}
func TestTemplate(t *testing.T) {
_, path, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
for _, version := range []string{"v1", "v1beta3"} {
config, err := testutil.GetClusterAdminClientConfig(path)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
config.Version = version
config.Prefix = ""
c, err := client.New(config)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
template := &templateapi.Template{
Parameters: []templateapi.Parameter{
{
Name: "NAME",
Value: "test",
},
},
Objects: []runtime.Object{
&v1beta3.Service{
ObjectMeta: v1beta3.ObjectMeta{
Name: "${NAME}-tester",
Namespace: "somevalue",
},
Spec: v1beta3.ServiceSpec{
PortalIP: "1.2.3.4",
SessionAffinity: "some-bad-${VALUE}",
},
},
},
}
obj, err := c.TemplateConfigs("default").Create(template)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(obj.Objects) != 1 {
t.Fatalf("unexpected object: %#v", obj)
}
if err := runtime.DecodeList(obj.Objects, runtime.UnstructuredJSONScheme); err != nil {
t.Fatalf("unexpected error: %v", err)
}
svc := obj.Objects[0].(*runtime.Unstructured).Object
spec := svc["spec"].(map[string]interface{})
meta := svc["metadata"].(map[string]interface{})
// keep existing values
if spec["portalIP"] != "1.2.3.4" {
t.Fatalf("unexpected object: %#v", svc)
}
// replace a value
if meta["name"] != "test-tester" {
t.Fatalf("unexpected object: %#v", svc)
}
// clear namespace
if meta["namespace"] != "" {
t.Fatalf("unexpected object: %#v", svc)
}
// preserve values exactly
if spec["sessionAffinity"] != "some-bad-${VALUE}" {
t.Fatalf("unexpected object: %#v", svc)
}
}
}
func TestUserInitialization(t *testing.T) {
masterConfig, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
etcdClient, err := etcd.GetAndTestEtcdClient(masterConfig.EtcdClientInfo)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
etcdHelper, err := origin.NewEtcdStorage(etcdClient, masterConfig.EtcdStorageConfig.OpenShiftStorageVersion, masterConfig.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
userRegistry := userregistry.NewRegistry(useretcd.NewREST(etcdHelper))
identityRegistry := identityregistry.NewRegistry(identityetcd.NewREST(etcdHelper))
useridentityMappingRegistry := useridentitymapping.NewRegistry(useridentitymapping.NewREST(userRegistry, identityRegistry))
lookup := identitymapper.NewLookupIdentityMapper(useridentityMappingRegistry, userRegistry)
provisioner := identitymapper.NewAlwaysCreateUserIdentityToUserMapper(identityRegistry, userRegistry)
testcases := map[string]struct {
Identity authapi.UserIdentityInfo
Mapper authapi.UserIdentityMapper
CreateIdentity *api.Identity
CreateUser *api.User
CreateMapping *api.UserIdentityMapping
UpdateUser *api.User
ExpectedErr error
ExpectedUserName string
ExpectedFullName string
}{
"lookup missing identity": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: lookup,
ExpectedErr: kerrs.NewNotFound("UserIdentityMapping", "idp:bob"),
},
"lookup existing identity": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: lookup,
CreateUser: makeUser("mappeduser"),
CreateIdentity: makeIdentity("idp", "bob"),
CreateMapping: makeMapping("mappeduser", "idp:bob"),
ExpectedUserName: "******",
},
"provision missing identity and user": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
ExpectedUserName: "******",
},
"provision missing identity and user with preferred username and display name": {
Identity: makeIdentityInfo("idp", "bob", map[string]string{authapi.IdentityDisplayNameKey: "Bob, Sr.", authapi.IdentityPreferredUsernameKey: "admin"}),
Mapper: provisioner,
ExpectedUserName: "******",
ExpectedFullName: "Bob, Sr.",
},
"provision missing identity for existing user": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateUser: makeUser("bob", "idp:bob"),
ExpectedUserName: "******",
},
"provision missing identity with conflicting user": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateUser: makeUser("bob"),
ExpectedUserName: "******",
},
"provision missing identity with conflicting user and preferred username": {
Identity: makeIdentityInfo("idp", "bob", map[string]string{authapi.IdentityPreferredUsernameKey: "admin"}),
Mapper: provisioner,
CreateUser: makeUser("admin"),
ExpectedUserName: "******",
},
"provision with existing unmapped identity": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateIdentity: makeIdentity("idp", "bob"),
ExpectedErr: kerrs.NewNotFound("UserIdentityMapping", "idp:bob"),
},
"provision with existing mapped identity with invalid user UID": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateUser: makeUser("mappeduser"),
CreateIdentity: makeIdentityWithUserReference("idp", "bob", "mappeduser", "invalidUID"),
ExpectedErr: kerrs.NewNotFound("UserIdentityMapping", "idp:bob"),
},
"provision with existing mapped identity without user backreference": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateUser: makeUser("mappeduser"),
CreateIdentity: makeIdentity("idp", "bob"),
CreateMapping: makeMapping("mappeduser", "idp:bob"),
// Update user to a version which does not reference the identity
UpdateUser: makeUser("mappeduser"),
ExpectedErr: kerrs.NewNotFound("UserIdentityMapping", "idp:bob"),
},
"provision returns existing mapping": {
Identity: makeIdentityInfo("idp", "bob", nil),
Mapper: provisioner,
CreateUser: makeUser("mappeduser"),
CreateIdentity: makeIdentity("idp", "bob"),
CreateMapping: makeMapping("mappeduser", "idp:bob"),
ExpectedUserName: "******",
},
}
for k, testcase := range testcases {
// Cleanup
if err := etcdHelper.RecursiveDelete(useretcd.EtcdPrefix, true); err != nil && !etcdstorage.IsEtcdNotFound(err) {
t.Fatalf("Could not clean up users: %v", err)
}
if err := etcdHelper.RecursiveDelete(identityetcd.EtcdPrefix, true); err != nil && !etcdstorage.IsEtcdNotFound(err) {
t.Fatalf("Could not clean up identities: %v", err)
}
// Pre-create items
if testcase.CreateUser != nil {
_, err := clusterAdminClient.Users().Create(testcase.CreateUser)
if err != nil {
t.Errorf("%s: Could not create user: %v", k, err)
continue
}
}
if testcase.CreateIdentity != nil {
_, err := clusterAdminClient.Identities().Create(testcase.CreateIdentity)
if err != nil {
t.Errorf("%s: Could not create identity: %v", k, err)
continue
}
}
if testcase.CreateMapping != nil {
_, err := clusterAdminClient.UserIdentityMappings().Update(testcase.CreateMapping)
if err != nil {
t.Errorf("%s: Could not create mapping: %v", k, err)
continue
}
}
if testcase.UpdateUser != nil {
if testcase.UpdateUser.ResourceVersion == "" {
existingUser, err := clusterAdminClient.Users().Get(testcase.UpdateUser.Name)
if err != nil {
t.Errorf("%s: Could not get user to update: %v", k, err)
continue
}
testcase.UpdateUser.ResourceVersion = existingUser.ResourceVersion
}
_, err := clusterAdminClient.Users().Update(testcase.UpdateUser)
if err != nil {
t.Errorf("%s: Could not update user: %v", k, err)
continue
}
}
// Spawn 5 simultaneous mappers to test race conditions
var wg sync.WaitGroup
for i := 0; i < 5; i++ {
wg.Add(1)
go func() {
defer wg.Done()
userInfo, err := testcase.Mapper.UserFor(testcase.Identity)
if err != nil {
if testcase.ExpectedErr == nil {
t.Errorf("%s: Expected success, got error '%v'", k, err)
} else if err.Error() != testcase.ExpectedErr.Error() {
t.Errorf("%s: Expected error %v, got '%v'", k, testcase.ExpectedErr.Error(), err)
}
return
}
if err == nil && testcase.ExpectedErr != nil {
t.Errorf("%s: Expected error '%v', got none", k, testcase.ExpectedErr)
return
}
if userInfo.GetName() != testcase.ExpectedUserName {
t.Errorf("%s: Expected username %s, got %s", k, testcase.ExpectedUserName, userInfo.GetName())
return
}
user, err := clusterAdminClient.Users().Get(userInfo.GetName())
if err != nil {
t.Errorf("%s: Error getting user: %v", k, err)
}
if user.FullName != testcase.ExpectedFullName {
t.Errorf("%s: Expected full name %s, got %s", k, testcase.ExpectedFullName, user.FullName)
}
}()
}
wg.Wait()
}
}
// TestOldLocalResourceAccessReviewEndpoint checks to make sure that the old resource access review endpoint still functions properly
// this is needed to support old who-can client
func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
namespace := "hammer-project"
// simple check
{
rar := &authorizationapi.ResourceAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.ResourceAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("resourceAccessReviews").Body(rar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.ResourceAccessReviewResponse{
Namespace: namespace,
Users: util.NewStringSet("harold", "system:serviceaccount:hammer-project:builder"),
Groups: util.NewStringSet("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||
!reflect.DeepEqual(actualResponse.Groups.List(), expectedResponse.Groups.List()) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", rar, expectedResponse, actualResponse)
}
}
// namespace forced to allowed namespace so we can't trick the server into leaking
{
rar := &authorizationapi.ResourceAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Namespace: "sneaky-user",
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.ResourceAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("resourceAccessReviews").Body(rar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.ResourceAccessReviewResponse{
Namespace: namespace,
Users: util.NewStringSet("harold", "system:serviceaccount:hammer-project:builder"),
Groups: util.NewStringSet("system:cluster-admins", "system:masters", "system:serviceaccounts:hammer-project"),
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
!reflect.DeepEqual(actualResponse.Users.List(), expectedResponse.Users.List()) ||
!reflect.DeepEqual(actualResponse.Groups.List(), expectedResponse.Groups.List()) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", rar, expectedResponse, actualResponse)
}
}
}
func TestLogin(t *testing.T) {
clientcmd.DefaultCluster = clientcmdapi.Cluster{Server: ""}
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
username := "******"
password := "******"
project := "the-singularity-is-near"
server := clusterAdminClientConfig.Host
loginOptions := newLoginOptions(server, username, password, true)
if err := loginOptions.GatherInfo(); err != nil {
t.Fatalf("Error trying to determine server info: %v", err)
}
if loginOptions.Username != username {
t.Fatalf("Unexpected user after authentication: %#v", loginOptions)
}
newProjectOptions := &newproject.NewProjectOptions{
Client: clusterAdminClient,
ProjectName: project,
AdminRole: bootstrappolicy.AdminRoleName,
AdminUser: username,
}
if err := newProjectOptions.Run(false); err != nil {
t.Fatalf("unexpected error, a project is required to continue: %v", err)
}
oClient, _ := client.New(loginOptions.Config)
p, err := oClient.Projects().Get(project)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if p.Name != project {
t.Fatalf("unexpected project: %#v", p)
}
// TODO Commented because of incorrectly hitting cache when listing projects.
// Should be enabled again when cache eviction is properly fixed.
// err = loginOptions.GatherProjectInfo()
// if err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
// if loginOptions.Project != project {
// t.Fatalf("Expected project %v but got %v", project, loginOptions.Project)
// }
// configFile, err := ioutil.TempFile("", "openshiftconfig")
// if err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
// defer os.Remove(configFile.Name())
// if _, err = loginOptions.SaveConfig(configFile.Name()); err != nil {
// t.Fatalf("unexpected error: %v", err)
// }
userWhoamiOptions := cmd.WhoAmIOptions{UserInterface: oClient.Users(), Out: ioutil.Discard}
retrievedUser, err := userWhoamiOptions.WhoAmI()
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if retrievedUser.Name != username {
t.Errorf("expected %v, got %v", retrievedUser.Name, username)
}
adminWhoamiOptions := cmd.WhoAmIOptions{UserInterface: clusterAdminClient.Users(), Out: ioutil.Discard}
retrievedAdmin, err := adminWhoamiOptions.WhoAmI()
if err != nil {
t.Errorf("unexpected error: %v", err)
}
if retrievedAdmin.Name != "system:admin" {
t.Errorf("expected %v, got %v", retrievedAdmin.Name, "system:admin")
}
}
func TestBasicUserBasedGroupManipulation(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
valerieOpenshiftClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
// make sure we don't get back system groups
firstValerie, err := clusterAdminClient.Users().Get("valerie")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(firstValerie.Groups) != 0 {
t.Errorf("unexpected groups: %v", firstValerie.Groups)
}
// make sure that user/~ returns groups for unbacked users
expectedClusterAdminGroups := []string{"system:cluster-admins"}
clusterAdminUser, err := clusterAdminClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(clusterAdminUser.Groups, expectedClusterAdminGroups) {
t.Errorf("expected %v, got %v", clusterAdminUser.Groups, expectedClusterAdminGroups)
}
valerieGroups := []string{"theGroup"}
firstValerie.Groups = append(firstValerie.Groups, valerieGroups...)
_, err = clusterAdminClient.Users().Update(firstValerie)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
// make sure that user/~ doesn't get back system groups when it merges
secondValerie, err := valerieOpenshiftClient.Users().Get("~")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !reflect.DeepEqual(secondValerie.Groups, valerieGroups) {
t.Errorf("expected %v, got %v", secondValerie.Groups, valerieGroups)
}
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err == nil {
t.Fatalf("expected error")
}
emptyProject := &projectapi.Project{}
emptyProject.Name = "empty"
_, err = clusterAdminClient.Projects().Create(emptyProject)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
roleBinding := &authorizationapi.RoleBinding{}
roleBinding.Name = "admins"
roleBinding.RoleRef.Name = "admin"
roleBinding.Groups = util.NewStringSet(valerieGroups...)
_, err = clusterAdminClient.RoleBindings("empty").Create(roleBinding)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if err := testutil.WaitForPolicyUpdate(valerieOpenshiftClient, "empty", "get", "pods", true); err != nil {
t.Error(err)
}
// make sure that user groups are respected for policy
_, err = valerieOpenshiftClient.Projects().Get("empty")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
}
func TestAuthorizationSubjectAccessReview(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
markClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "mallet-project", "mark")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
dannyClient, _, dannyConfig, err := testutil.GetClientForUser(*clusterAdminClientConfig, "danny")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addDanny := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("default", clusterAdminClient),
Users: []string{"danny"},
}
if err := addDanny.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
askCanDannyGetProject := &authorizationapi.SubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told danny can get project default",
localInterface: clusterAdminClient.LocalSubjectAccessReviews("default"),
localReview: &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in default",
Namespace: "default",
},
}.run(t)
subjectAccessReviewTest{
description: "cluster admin told danny cannot get projects cluster-wide",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot get projects at the cluster scope`,
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "as danny, can I make cluster subject access reviews",
clusterInterface: dannyClient.SubjectAccessReviews(),
clusterReview: askCanDannyGetProject,
err: `User "danny" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
addValerie := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("hammer-project", haroldClient),
Users: []string{"valerie"},
}
if err := addValerie.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
addEdgar := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.EditRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor("mallet-project", markClient),
Users: []string{"edgar"},
}
if err := addEdgar.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
askCanValerieGetProject := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
}
subjectAccessReviewTest{
description: "harold told valerie can get project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "mark told valerie cannot get project mallet-project",
localInterface: markClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanValerieGetProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "valerie" cannot get projects in project "mallet-project"`,
Namespace: "mallet-project",
},
}.run(t)
askCanEdgarDeletePods := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "delete", Resource: "pods"},
}
subjectAccessReviewTest{
description: "mark told edgar can delete pods in mallet-project",
localInterface: markClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanEdgarDeletePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in mallet-project",
Namespace: "mallet-project",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run subject access review in project mallet-project",
localInterface: haroldClient.LocalSubjectAccessReviews("mallet-project"),
localReview: askCanEdgarDeletePods,
err: `User "harold" cannot create localsubjectaccessreviews in project "mallet-project"`,
}.run(t)
askCanHaroldUpdateProject := &authorizationapi.LocalSubjectAccessReview{
User: "******",
Action: authorizationapi.AuthorizationAttributes{Verb: "update", Resource: "projects"},
}
subjectAccessReviewTest{
description: "harold told harold can update project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanHaroldUpdateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{
Groups: util.NewStringSet("system:cluster-admins"),
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
}
subjectAccessReviewTest{
description: "cluster admin told cluster admins can create projects",
clusterInterface: clusterAdminClient.SubjectAccessReviews(),
clusterReview: askCanClusterAdminsCreateProject,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by cluster rule",
Namespace: "",
},
}.run(t)
subjectAccessReviewTest{
description: "harold denied ability to run cluster subject access review",
clusterInterface: haroldClient.SubjectAccessReviews(),
clusterReview: askCanClusterAdminsCreateProject,
err: `User "harold" cannot create subjectaccessreviews at the cluster scope`,
}.run(t)
askCanICreatePods := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "pods"},
}
subjectAccessReviewTest{
description: "harold told he can create pods in project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanICreatePods,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: "allowed by rule in hammer-project",
Namespace: "hammer-project",
},
}.run(t)
askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"},
}
subjectAccessReviewTest{
description: "harold told he can create policybindings in project hammer-project",
localInterface: haroldClient.LocalSubjectAccessReviews("hammer-project"),
localReview: askCanICreatePolicyBindings,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot create policybindings in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
// impersonate SAR tests
// impersonated empty token SAR shouldn't be allowed at all
// impersonated danny token SAR shouldn't be allowed to see pods in hammer or in cluster
// impersonated danny token SAR should be allowed to see pods in default
// we need a token client for overriding
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
otherAdminClient, _, _, err := testutil.GetClientForUser(*clusterAdminClientConfig, "other-admin")
if err != nil {
t.Fatalf("error requesting token: %v", err)
}
addOtherAdmin := &policy.RoleModificationOptions{
RoleNamespace: "",
RoleName: bootstrappolicy.ClusterAdminRoleName,
RoleBindingAccessor: policy.NewClusterRoleBindingAccessor(clusterAdminClient),
Users: []string{"other-admin"},
}
if err := addOtherAdmin.AddRole(); err != nil {
t.Errorf("unexpected error: %v", err)
}
subjectAccessReviewTest{
description: "empty token impersonate can't see pods in namespace",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", ""),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
err: `impersonating token may not be empty`,
}.run(t)
subjectAccessReviewTest{
description: "empty token impersonate can't see pods in cluster",
clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(""),
clusterReview: &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
err: `impersonating token may not be empty`,
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can't see pods in hammer namespace",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", dannyConfig.BearerToken),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot list pods in project "hammer-project"`,
Namespace: "hammer-project",
},
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can't see pods in cluster",
clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(dannyConfig.BearerToken),
clusterReview: &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "danny" cannot list all pods in the cluster`,
},
}.run(t)
subjectAccessReviewTest{
description: "danny impersonate can see pods in default",
localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("default", dannyConfig.BearerToken),
localReview: &authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
},
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: `allowed by rule in default`,
Namespace: "default",
},
}.run(t)
}
func TestTriggers_imageChange(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("error starting master: %v", err)
}
openshiftClusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting OpenShift cluster admin client: %v", err)
}
openshiftClusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("error getting cluster admin client config: %v", err)
}
openshiftProjectAdminClient, err := testutil.CreateNewProject(openshiftClusterAdminClient, *openshiftClusterAdminClientConfig, testutil.Namespace(), "bob")
if err != nil {
t.Fatalf("error creating project: %v", err)
}
imageStream := &imageapi.ImageStream{ObjectMeta: kapi.ObjectMeta{Name: "test-image-stream"}}
config := deploytest.OkDeploymentConfig(0)
config.Namespace = testutil.Namespace()
configWatch, err := openshiftProjectAdminClient.DeploymentConfigs(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to Deployments %v", err)
}
defer configWatch.Stop()
if imageStream, err = openshiftProjectAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream); err != nil {
t.Fatalf("Couldn't create ImageStream: %v", err)
}
imageWatch, err := openshiftProjectAdminClient.ImageStreams(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to ImageStreams: %s", err)
}
defer imageWatch.Stop()
// Make a function which can create a new tag event for the image stream and
// then wait for the stream status to be asynchronously updated.
createTagEvent := func(image string) {
mapping := &imageapi.ImageStreamMapping{
ObjectMeta: kapi.ObjectMeta{Name: imageStream.Name},
Tag: "latest",
Image: imageapi.Image{
ObjectMeta: kapi.ObjectMeta{
Name: image,
},
DockerImageReference: fmt.Sprintf("registry:8080/openshift/test-image@%s", image),
},
}
if err := openshiftProjectAdminClient.ImageStreamMappings(testutil.Namespace()).Create(mapping); err != nil {
t.Fatalf("unexpected error: %v", err)
}
t.Log("Waiting for image stream mapping to be reflected in the IS status...")
statusLoop:
for {
select {
case event := <-imageWatch.ResultChan():
stream := event.Object.(*imageapi.ImageStream)
if _, ok := stream.Status.Tags["latest"]; ok {
t.Logf("ImageStream %s now has Status with tags: %#v", stream.Name, stream.Status.Tags)
break statusLoop
} else {
t.Logf("Still waiting for latest tag status on ImageStream %s", stream.Name)
}
}
}
}
if config, err = openshiftProjectAdminClient.DeploymentConfigs(testutil.Namespace()).Create(config); err != nil {
t.Fatalf("Couldn't create DeploymentConfig: %v", err)
}
createTagEvent("sha256:00000000000000000000000000000001")
var newConfig *deployapi.DeploymentConfig
t.Log("Waiting for a new deployment config in response to ImageStream update")
waitForNewConfig:
for {
select {
case event := <-configWatch.ResultChan():
if event.Type == watchapi.Modified {
newConfig = event.Object.(*deployapi.DeploymentConfig)
break waitForNewConfig
}
}
}
if e, a := 1, newConfig.LatestVersion; e != a {
t.Fatalf("expected config version %d, got %d", e, a)
}
}
func TestWebhookGitHubPushWithImage(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
err = testutil.CreateNamespace(clusterAdminKubeConfig, testutil.Namespace())
if err != nil {
t.Errorf("unexpected error: %v", err)
}
clusterAdminKubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
checkErr(t, err)
if err := testutil.WaitForServiceAccounts(clusterAdminKubeClient, testutil.Namespace(), []string{bootstrappolicy.BuilderServiceAccountName, bootstrappolicy.DefaultServiceAccountName}); err != nil {
t.Errorf("unexpected error: %v", err)
}
// create imagerepo
imageStream := &imageapi.ImageStream{
ObjectMeta: kapi.ObjectMeta{Name: "image-stream"},
Spec: imageapi.ImageStreamSpec{
DockerImageRepository: "registry:3000/integration/imageStream",
Tags: map[string]imageapi.TagReference{
"validTag": {
From: &kapi.ObjectReference{
Kind: "DockerImage",
Name: "registry:3000/integration/imageStream:success",
},
},
},
},
}
if _, err := clusterAdminClient.ImageStreams(testutil.Namespace()).Create(imageStream); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
ism := &imageapi.ImageStreamMapping{
ObjectMeta: kapi.ObjectMeta{Name: "image-stream"},
Tag: "validTag",
Image: imageapi.Image{
ObjectMeta: kapi.ObjectMeta{
Name: "myimage",
},
DockerImageReference: "registry:3000/integration/imageStream:success",
},
}
if err := clusterAdminClient.ImageStreamMappings(testutil.Namespace()).Create(ism); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
// create buildconfig
buildConfig := mockBuildConfigImageParms("originalImage", "imageStream", "validTag")
if _, err := clusterAdminClient.BuildConfigs(testutil.Namespace()).Create(buildConfig); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
watch, err := clusterAdminClient.Builds(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to builds: %v", err)
}
defer watch.Stop()
for _, s := range []string{
"/oapi/v1/namespaces/" + testutil.Namespace() + "/buildconfigs/pushbuild/webhooks/secret101/github",
} {
// trigger build event sending push notification
postFile(clusterAdminClient.RESTClient.Client, "push", "pushevent.json", clusterAdminClientConfig.Host+s, http.StatusOK, t)
event := <-watch.ResultChan()
actual := event.Object.(*buildapi.Build)
// FIXME: I think the build creation is fast and in some situlation we miss
// the BuildPhaseNew here. Note that this is not a bug, in future we should
// move this to use go routine to capture all events.
if actual.Status.Phase != buildapi.BuildPhaseNew && actual.Status.Phase != buildapi.BuildPhasePending {
t.Errorf("Expected %s or %s, got %s", buildapi.BuildPhaseNew, buildapi.BuildPhasePending, actual.Status.Phase)
}
if actual.Spec.Strategy.DockerStrategy.From.Name != "originalImage" {
t.Errorf("Expected %s, got %s", "originalImage", actual.Spec.Strategy.DockerStrategy.From.Name)
}
}
}
func TestDNS(t *testing.T) {
masterConfig, clientFile, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
localIP := net.ParseIP("127.0.0.1")
var masterIP net.IP
// verify service DNS entry is visible
stop := make(chan struct{})
util.Until(func() {
m1 := &dns.Msg{
MsgHdr: dns.MsgHdr{Id: dns.Id(), RecursionDesired: false},
Question: []dns.Question{{"kubernetes.default.svc.cluster.local.", dns.TypeA, dns.ClassINET}},
}
in, err := dns.Exchange(m1, masterConfig.DNSConfig.BindAddress)
if err != nil {
t.Logf("unexpected error: %v", err)
return
}
if len(in.Answer) != 1 {
t.Logf("unexpected answer: %#v", in)
return
}
if a, ok := in.Answer[0].(*dns.A); ok {
if a.A == nil {
t.Fatalf("expected an A record with an IP: %#v", a)
}
masterIP = a.A
} else {
t.Fatalf("expected an A record: %#v", in)
}
t.Log(in)
close(stop)
}, 50*time.Millisecond, stop)
client, err := testutil.GetClusterAdminKubeClient(clientFile)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
for {
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Spec: kapi.ServiceSpec{
ClusterIP: kapi.ClusterIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
if errors.IsForbidden(err) {
t.Logf("forbidden, sleeping: %v", err)
time.Sleep(100 * time.Millisecond)
continue
}
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.1"}},
Ports: []kapi.EndpointPort{
{Port: 2345},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
break
}
headlessIP := net.ParseIP("172.0.0.1")
if _, err := client.Services(kapi.NamespaceDefault).Create(&kapi.Service{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Spec: kapi.ServiceSpec{
ClusterIP: kapi.ClusterIPNone,
Ports: []kapi.ServicePort{{Port: 443}},
},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err := client.Endpoints(kapi.NamespaceDefault).Create(&kapi.Endpoints{
ObjectMeta: kapi.ObjectMeta{
Name: "headless2",
},
Subsets: []kapi.EndpointSubset{{
Addresses: []kapi.EndpointAddress{{IP: "172.0.0.2"}},
Ports: []kapi.EndpointPort{
{Port: 2345, Name: "other"},
{Port: 2346, Name: "http"},
},
}},
}); err != nil {
t.Fatalf("unexpected error: %v", err)
}
headless2IP := net.ParseIP("172.0.0.2")
tests := []struct {
dnsQuestionName string
recursionExpected bool
retry bool
expect []*net.IP
srv []*dns.SRV
}{
{ // wildcard resolution of a service works
dnsQuestionName: "foo.kubernetes.default.svc.cluster.local.",
expect: []*net.IP{&masterIP},
},
{ // resolving endpoints of a service works
dnsQuestionName: "_endpoints.kubernetes.default.svc.cluster.local.",
expect: []*net.IP{&localIP},
},
{ // openshift override works
dnsQuestionName: "openshift.default.svc.cluster.local.",
expect: []*net.IP{&masterIP},
},
{ // headless service
dnsQuestionName: "headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // specific port of a headless service
dnsQuestionName: "unknown-port-2345.e1.headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // SRV record for that service
dnsQuestionName: "headless.default.svc.cluster.local.",
srv: []*dns.SRV{
{
Target: "unknown-port-2345.e1.headless.",
Port: 2345,
},
},
},
{ // the SRV record resolves to the IP
dnsQuestionName: "unknown-port-2345.e1.headless.default.svc.cluster.local.",
expect: []*net.IP{&headlessIP},
},
{ // headless 2 service
dnsQuestionName: "headless2.default.svc.cluster.local.",
expect: []*net.IP{&headless2IP},
},
{ // SRV records for that service
dnsQuestionName: "headless2.default.svc.cluster.local.",
srv: []*dns.SRV{
{
Target: "http.e1.headless2.",
Port: 2346,
},
{
Target: "other.e1.headless2.",
Port: 2345,
},
},
},
{ // the SRV record resolves to the IP
dnsQuestionName: "other.e1.headless2.default.svc.cluster.local.",
expect: []*net.IP{&headless2IP},
},
{
dnsQuestionName: "www.google.com.",
recursionExpected: false,
},
}
for i, tc := range tests {
qType := dns.TypeA
if tc.srv != nil {
qType = dns.TypeSRV
}
m1 := &dns.Msg{
MsgHdr: dns.MsgHdr{Id: dns.Id(), RecursionDesired: false},
Question: []dns.Question{{tc.dnsQuestionName, qType, dns.ClassINET}},
}
ch := make(chan struct{})
count := 0
util.Until(func() {
count++
if count > 100 {
t.Errorf("%d: failed after max iterations", i)
close(ch)
return
}
in, err := dns.Exchange(m1, masterConfig.DNSConfig.BindAddress)
if err != nil {
return
}
switch {
case tc.srv != nil:
if len(in.Answer) != len(tc.srv) {
t.Logf("%d: incorrect number of answers: %#v", i, in)
return
}
case tc.recursionExpected:
if len(in.Answer) == 0 {
t.Errorf("%d: expected forward resolution: %#v", i, in)
}
close(ch)
return
default:
if len(in.Answer) != len(tc.expect) {
t.Logf("%d: did not resolve or unexpected forward resolution: %#v", i, in)
return
}
}
for _, answer := range in.Answer {
switch a := answer.(type) {
case *dns.A:
matches := false
if a.A != nil {
for _, expect := range tc.expect {
if a.A.String() == expect.String() {
matches = true
break
}
}
}
if !matches {
t.Errorf("A record does not match any expected answer: %v", a.A)
}
case *dns.SRV:
matches := false
for _, expect := range tc.srv {
if expect.Port == a.Port && expect.Target == a.Target {
matches = true
break
}
}
if !matches {
t.Errorf("SRV record does not match any expected answer: %#v", a)
}
default:
t.Errorf("expected an A or SRV record: %#v", in)
}
}
t.Log(in)
close(ch)
}, 50*time.Millisecond, ch)
}
}
// TestOldLocalSubjectAccessReviewEndpoint checks to make sure that the old subject access review endpoint still functions properly
// this is needed to support old docker registry images
func TestOldLocalSubjectAccessReviewEndpoint(t *testing.T) {
_, clusterAdminKubeConfig, err := testutil.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
haroldClient, err := testutil.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, "hammer-project", "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
namespace := "hammer-project"
// simple check
{
sar := &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.SubjectAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("subjectAccessReviews").Body(sar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: `allowed by rule in hammer-project`,
Namespace: namespace,
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
(actualResponse.Allowed != expectedResponse.Allowed) ||
(!strings.HasPrefix(actualResponse.Reason, expectedResponse.Reason)) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", sar, expectedResponse, actualResponse)
}
}
// namespace forced to allowed namespace so we can't trick the server into leaking
{
sar := &authorizationapi.SubjectAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Namespace: "sneaky-user",
Verb: "get",
Resource: "imagestreams/layers",
},
}
actualResponse := &authorizationapi.SubjectAccessReviewResponse{}
err := haroldClient.Post().Namespace(namespace).Resource("subjectAccessReviews").Body(sar).Do().Into(actualResponse)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
expectedResponse := &authorizationapi.SubjectAccessReviewResponse{
Allowed: true,
Reason: `allowed by rule in hammer-project`,
Namespace: namespace,
}
if (actualResponse.Namespace != expectedResponse.Namespace) ||
(actualResponse.Allowed != expectedResponse.Allowed) ||
(!strings.HasPrefix(actualResponse.Reason, expectedResponse.Reason)) {
t.Errorf("review\n\t%#v\nexpected\n\t%#v\ngot\n\t%#v", sar, expectedResponse, actualResponse)
}
}
}
