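// newAuthorizer builds the role-based authorizer backed by the given
// read-only policy client. The default rule resolver is assembled from the
// client's policy, binding, cluster-policy and cluster-binding views, and
// projectRequestDenyMessage seeds the forbidden-message resolver that
// phrases denials.
//
// The locals are named distinctly from the authorizer package so the
// package stays addressable throughout the body (the result used to be
// bound to a local called "authorizer", shadowing the package).
func newAuthorizer(policyClient policyclient.ReadOnlyPolicyClient, projectRequestDenyMessage string) authorizer.Authorizer {
	ruleResolver := rulevalidation.NewDefaultRuleResolver(
		rulevalidation.PolicyGetter(policyClient),
		rulevalidation.BindingLister(policyClient),
		rulevalidation.ClusterPolicyGetter(policyClient),
		rulevalidation.ClusterBindingLister(policyClient),
	)
	messageMaker := authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage)
	return authorizer.NewAuthorizer(ruleResolver, messageMaker)
}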
// TestAuthorize drives the scope-limiting authorizer around a fake delegate.
// Each case states whether the delegate is expected to be consulted at all:
// a request with no user in the context errors before delegation, an
// unrecognized scope errors without consulting the delegate, and a scope
// that does not cover the request is denied with a message and no delegate
// call. Only requests whose scopes cover the action, or that carry no
// scopes, reach the delegate.
//
// NOTE(review): no case sets delegateAuthAllowed, so the delegate's own
// verdict (and the scope layer overriding an allowing delegate) is not
// asserted here.
func TestAuthorize(t *testing.T) {
	type testCase struct {
		name                string
		user                user.Info
		attributes          defaultauthorizer.DefaultAuthorizationAttributes
		delegateAuthAllowed bool
		expectedCalled      bool
		expectedAllowed     bool
		expectedErr         string
		expectedMsg         string
	}

	scoped := func(scopes ...string) user.Info {
		return &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: scopes}}
	}

	cases := []testCase{
		{
			name:        "no user",
			expectedErr: `user missing from context`,
		},
		{
			name:           "no extra",
			user:           &user.DefaultInfo{},
			expectedCalled: true,
		},
		{
			name:           "empty extra",
			user:           &user.DefaultInfo{Extra: map[string][]string{}},
			expectedCalled: true,
		},
		{
			name:           "empty scopes",
			user:           scoped(),
			expectedCalled: true,
		},
		{
			name:        "bad scope",
			user:        scoped("does-not-exist"),
			expectedMsg: `scopes [does-not-exist] prevent this action; User "" cannot "" "" with name "" in project "ns"`,
			expectedErr: `no scope evaluator found for "does-not-exist"`,
		},
		{
			name:        "bad scope 2",
			user:        scoped("user:dne"),
			expectedMsg: `scopes [user:dne] prevent this action; User "" cannot "" "" with name "" in project "ns"`,
			expectedErr: `unrecognized scope: user:dne`,
		},
		{
			name:        "scope doesn't cover",
			user:        scoped("user:info"),
			attributes:  defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", Resource: "users", ResourceName: "harold"},
			expectedMsg: `scopes [user:info] prevent this action; User "" cannot get users in project "ns"`,
		},
		{
			name:           "scope covers",
			user:           scoped("user:info"),
			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", Resource: "users", ResourceName: "~"},
			expectedCalled: true,
		},
		{
			name:           "scope covers for discovery",
			user:           scoped("user:info"),
			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", NonResourceURL: true, URL: "/api"},
			expectedCalled: true,
		},
	}

	for _, tc := range cases {
		delegate := &fakeAuthorizer{allowed: tc.delegateAuthAllowed}
		underTest := NewAuthorizer(delegate, nil, defaultauthorizer.NewForbiddenMessageResolver(""))

		ctx := kapi.WithNamespace(kapi.NewContext(), "ns")
		if tc.user != nil {
			ctx = kapi.WithUser(ctx, tc.user)
		}

		gotAllowed, gotMsg, gotErr := underTest.Authorize(ctx, tc.attributes)

		// Error expectations: presence must match, and when both sides have
		// one the actual message must contain the expected fragment.
		wantErr := tc.expectedErr != ""
		switch {
		case gotErr == nil:
			if wantErr {
				t.Errorf("%s: missing error: %v", tc.name, tc.expectedErr)
			}
		case !wantErr:
			t.Errorf("%s: unexpected error: %v", tc.name, gotErr)
		case !strings.Contains(gotErr.Error(), tc.expectedErr):
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedErr, gotErr)
		}

		if gotMsg != tc.expectedMsg {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedMsg, gotMsg)
		}
		if gotAllowed != tc.expectedAllowed {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedAllowed, gotAllowed)
		}
		// Whether the delegate was reached is the core signal: scope
		// checks that fail must short-circuit before delegation.
		if delegate.called != tc.expectedCalled {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedCalled, delegate.called)
		}
	}
}
// newAuthorizer wires the role-based authorizer inside a scope-limiting one.
// ruleResolver supplies the rules the role-based authorizer evaluates; the
// scope layer reads cluster policies through informerFactory, and both layers
// share the forbidden-message resolver built from projectRequestDenyMessage.
func newAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, informerFactory shared.InformerFactory, projectRequestDenyMessage string) authorizer.Authorizer {
	messages := authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage)
	// The scope authorizer wraps the role-based one, so scope restrictions
	// are applied around the role evaluation rather than bypassing it.
	return scope.NewAuthorizer(
		authorizer.NewAuthorizer(ruleResolver, messages),
		informerFactory.ClusterPolicies().Lister().ClusterPolicies(),
		messages,
	)
}
// newAuthorizer wires the role-based authorizer inside a scope-limiting one.
// ruleResolver supplies the rules the role-based authorizer evaluates; the
// scope layer consults policyClient, and both layers share the
// forbidden-message resolver built from projectRequestDenyMessage.
func newAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, policyClient policyclient.ReadOnlyPolicyClient, projectRequestDenyMessage string) authorizer.Authorizer {
	messages := authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage)
	// The scope authorizer wraps the role-based one, so scope restrictions
	// are applied around the role evaluation rather than bypassing it.
	return scope.NewAuthorizer(
		authorizer.NewAuthorizer(ruleResolver, messages),
		policyClient,
		messages,
	)
}