(e2e) add e2e test for user defined service account

tkashem · tkashem · commit 5c992e065791 · 2019-06-26T18:45:06.000-04:00
diff --git a/test/e2e/installplan_e2e_test.go b/test/e2e/installplan_e2e_test.go
@@ -65,11 +65,15 @@ func buildInstallPlanCleanupFunc(crc versioned.Interface, namespace string, inst
 }
 
 func fetchInstallPlan(t *testing.T, c versioned.Interface, name string, checkPhase checkInstallPlanFunc) (*v1alpha1.InstallPlan, error) {
+	return fetchInstallPlanWithNamespace(t, c, name, testNamespace, checkPhase)
+}
+
+func fetchInstallPlanWithNamespace(t *testing.T, c versioned.Interface, name string, namespace string, checkPhase checkInstallPlanFunc) (*v1alpha1.InstallPlan, error) {
 	var fetchedInstallPlan *v1alpha1.InstallPlan
 	var err error
 
 	err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {
-		fetchedInstallPlan, err = c.OperatorsV1alpha1().InstallPlans(testNamespace).Get(name, metav1.GetOptions{})
+		fetchedInstallPlan, err = c.OperatorsV1alpha1().InstallPlans(namespace).Get(name, metav1.GetOptions{})
 		if err != nil || fetchedInstallPlan == nil {
 			return false, err
 		}
diff --git a/test/e2e/scoped_client_test.go b/test/e2e/scoped_client_test.go
@@ -0,0 +1,134 @@
+package e2e
+
+import (
+	"testing"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/operatorclient"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/scoped"
+)
+
+// TestScopedClient ensures that we we can create a scoped client bound to a
+// service account and then we can use the scoped client to make API calls.
+func TestScopedClient(t *testing.T) {
+	defer cleaner.NotifyTestComplete(t, false)
+
+	require.NotEmpty(t, kubeConfigPath)
+
+	config, err := clientcmd.BuildConfigFromFlags("", *kubeConfigPath)
+	require.NoError(t, err)
+
+	kubeclient := newKubeClient(t)
+	crclient := newCRClient(t)
+
+	logger := logrus.New()
+
+	tests := []struct {
+		name       string
+		grant      func(namespace, name string) (cleanup cleanupFunc)
+		assertFunc func(errGot error)
+	}{
+		// The parent test invokes 'Get' API on non existent objects. If the
+		// scoped client has enough permission, we expect a NotFound error code.
+		// Otherwise, we expect a 'Forbidden' error code due to lack of permission.
+		{
+			// The service account does not have any permission granted to it.
+			// We expect the get api call to return 'Forbidden' error due to
+			// lack of permission.
+			name: "ServiceAccountDoesNotHaveAnyPermission",
+			assertFunc: func(errGot error) {
+				require.True(t, k8serrors.IsForbidden(errGot))
+			},
+		},
+		{
+			// The service account does have permission granted to it.
+			// We expect the get api call to return 'NotFound' error.
+			name: "ServiceAccountHasPermission",
+			grant: func(namespace, name string) (cleanup cleanupFunc) {
+				cleanup = grantPermission(t, kubeclient, namespace, name)
+				return
+			},
+			assertFunc: func(errGot error) {
+				require.True(t, k8serrors.IsNotFound(errGot))
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Steps:
+			// 1. Create a new namespace
+			// 2. Create a service account.
+			// 3. Grant permission(s) to the service account if specified.
+			// 4. Get scoped client instance(s)
+			// 5. Invoke Get API call on non existent object(s) to check if
+			//    the call can be made successfully.
+			namespace := genName("a")
+			_, cleanupNS := newNamespace(t, kubeclient, namespace)
+			defer cleanupNS()
+
+			saName := genName("user-defined-")
+			sa, cleanupSA := newServiceAccount(t, kubeclient, namespace, saName)
+			defer cleanupSA()
+
+			waitForServiceAccountSecretAvailable(t, kubeclient, sa.GetNamespace(), sa.GetName())
+
+			strategy := scoped.NewClientAttenuator(logger, config, kubeclient, crclient)
+			getter := func() (reference *corev1.ObjectReference, err error) {
+				reference = &corev1.ObjectReference{
+					Namespace: namespace,
+					Name:      saName,
+				}
+
+				return
+			}
+
+			if tt.grant != nil {
+				cleanupPerm := tt.grant(sa.GetNamespace(), sa.GetName())
+				defer cleanupPerm()
+			}
+
+			// We expect to get scoped client instance(s).
+			kubeclientGot, crclientGot, errGot := strategy.AttenuateClient(getter)
+			require.NoError(t, errGot)
+			require.NotNil(t, kubeclientGot)
+			require.NotNil(t, crclientGot)
+
+			_, errGot = kubeclientGot.KubernetesInterface().CoreV1().ConfigMaps(namespace).Get(genName("does-not-exist-"), metav1.GetOptions{})
+			require.Error(t, errGot)
+			tt.assertFunc(errGot)
+
+			_, errGot = crclientGot.OperatorsV1alpha1().CatalogSources(namespace).Get(genName("does-not-exist-"), metav1.GetOptions{})
+			require.Error(t, errGot)
+			tt.assertFunc(errGot)
+		})
+	}
+}
+
+func waitForServiceAccountSecretAvailable(t *testing.T, client operatorclient.ClientInterface, namespace, name string) *corev1.ServiceAccount {
+	var sa *corev1.ServiceAccount
+	err := wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
+		sa, err := client.KubernetesInterface().CoreV1().ServiceAccounts(namespace).Get(name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+
+		if len(sa.Secrets) > 0 {
+			return true, nil
+		}
+
+		return false, nil
+
+	})
+
+	require.NoError(t, err)
+	return sa
+}
diff --git a/test/e2e/user_defined_sa_test.go b/test/e2e/user_defined_sa_test.go
