
Commit 86569ec

aws/permissions: add KMS key permission unit tests.
1 parent d7c1514 commit 86569ec


2 files changed

+153
-13
lines changed


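--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -351,19 +351,7 @@ func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
 		permissionGroups = append(permissionGroups, PermissionCreateHostedZone)
 	}
 
-	ec2RootVolume := aws.EC2RootVolume{}
-	var awsMachinePoolUsingKMS, masterMachinePoolUsingKMS bool
-	if ic.AWS.DefaultMachinePlatform != nil && ic.AWS.DefaultMachinePlatform.EC2RootVolume != ec2RootVolume {
-		awsMachinePoolUsingKMS = len(ic.AWS.DefaultMachinePlatform.EC2RootVolume.KMSKeyARN) != 0
-	}
-	if ic.ControlPlane != nil &&
-		ic.ControlPlane.Name == types.MachinePoolControlPlaneRoleName &&
-		ic.ControlPlane.Platform.AWS != nil &&
-		ic.ControlPlane.Platform.AWS.EC2RootVolume != ec2RootVolume {
-		masterMachinePoolUsingKMS = len(ic.ControlPlane.Platform.AWS.EC2RootVolume.KMSKeyARN) != 0
-	}
-	// Add KMS encryption keys, if provided.
-	if awsMachinePoolUsingKMS || masterMachinePoolUsingKMS {
+	if includesKMSEncryptionKey(ic) {
 		logrus.Debugf("Adding %s to the group of permissions", PermissionKMSEncryptionKeys)
 		permissionGroups = append(permissionGroups, PermissionKMSEncryptionKeys)
 	}
@@ -461,3 +449,19 @@ func includesCreateInstanceRole(installConfig *types.InstallConfig) bool {
 	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
 	return len(mpool.IAMRole) == 0
 }
+
+// includesKMSEncryptionKey checks if any KMS encryption keys are included in the install-config.
+func includesKMSEncryptionKey(installConfig *types.InstallConfig) bool {
+	mpool := aws.MachinePool{}
+	mpool.Set(installConfig.AWS.DefaultMachinePlatform)
+
+	if mp := installConfig.ControlPlane; mp != nil {
+		mpool.Set(mp.Platform.AWS)
+	}
+
+	for _, compute := range installConfig.Compute {
+		mpool.Set(compute.Platform.AWS)
+	}
+
+	return len(mpool.KMSKeyARN) > 0
+}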
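Review bot: `includesKMSEncryptionKey` relies on `MachinePool.Set` not clearing `KMSKeyARN` when a later-folded pool carries an empty `EC2RootVolume`; `Set` is defined outside this hunk, so if it copies the whole volume struct unconditionally, a compute pool without a key would erase one given on `DefaultMachinePlatform` and the KMS permission group would be silently left out of the required set. That ordering assumption belongs in the doc comment, e.g. `// includesKMSEncryptionKey reports whether any machine pool (defaultMachinePlatform, controlPlane, or a compute pool) sets a KMS key ARN for its root volume. Pools are folded through MachinePool.Set, which must not clear a key set by an earlier pool.` The unguarded dereference of `installConfig.AWS` matches `includesCreateInstanceRole` just above, so it introduces no new assumption. The old block's `ControlPlane.Name == types.MachinePoolControlPlaneRoleName` guard is dropped rather than moved into the helper; for a permission pre-check, considering every pool regardless of name is the conservative choice, but it is worth confirming nothing else depended on that filter.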

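--- a/pkg/asset/installconfig/aws/permissions_test.go
+++ b/pkg/asset/installconfig/aws/permissions_test.go
@@ -275,3 +275,139 @@ func TestIAMRolePermissions(t *testing.T) {
 		})
 	})
 }
+
+func TestIncludesKMSEncryptionKeys(t *testing.T) {
+	t.Run("Should be true when", func(t *testing.T) {
+		t.Run("KMS key specified for defaultMachinePlatform", func(t *testing.T) {
+			ic := basicInstallConfig()
+			ic.AWS.DefaultMachinePlatform = &aws.MachinePool{
+				EC2RootVolume: aws.EC2RootVolume{
+					KMSKeyARN: "custom-default-key",
+				},
+			}
+			assert.True(t, includesKMSEncryptionKey(&ic))
+		})
+		t.Run("KMS key specified for controlPlane", func(t *testing.T) {
+			ic := basicInstallConfig()
+			ic.ControlPlane = &types.MachinePool{
+				Platform: types.MachinePoolPlatform{
+					AWS: &aws.MachinePool{
+						EC2RootVolume: aws.EC2RootVolume{
+							KMSKeyARN: "custom-master-key",
+						},
+					},
+				},
+			}
+			assert.True(t, includesKMSEncryptionKey(&ic))
+		})
+		t.Run("KMS key specified for compute", func(t *testing.T) {
+			ic := basicInstallConfig()
+			ic.Compute = []types.MachinePool{
+				{
+					Platform: types.MachinePoolPlatform{
+						AWS: &aws.MachinePool{
+							EC2RootVolume: aws.EC2RootVolume{
+								KMSKeyARN: "custom-worker-key",
+							},
+						},
+					},
+				},
+			}
+			assert.True(t, includesKMSEncryptionKey(&ic))
+		})
+		t.Run("KMS key specified for controlPlane and compute", func(t *testing.T) {
+			ic := basicInstallConfig()
+			ic.ControlPlane = &types.MachinePool{
+				Platform: types.MachinePoolPlatform{
+					AWS: &aws.MachinePool{
+						EC2RootVolume: aws.EC2RootVolume{
+							KMSKeyARN: "custom-master-key",
+						},
+					},
+				},
+			}
+			ic.Compute = []types.MachinePool{
+				{
+					Platform: types.MachinePoolPlatform{
+						AWS: &aws.MachinePool{
+							EC2RootVolume: aws.EC2RootVolume{
+								KMSKeyARN: "custom-worker-key",
+							},
+						},
+					},
+				},
+			}
+			assert.True(t, includesKMSEncryptionKey(&ic))
+		})
+	})
+	t.Run("Should be false when", func(t *testing.T) {
+		t.Run("no machine types specified", func(t *testing.T) {
+			ic := basicInstallConfig()
+			assert.False(t, includesKMSEncryptionKey(&ic))
+		})
+		t.Run("no KMS keys specified", func(t *testing.T) {
+			ic := basicInstallConfig()
+			ic.AWS.DefaultMachinePlatform = &aws.MachinePool{}
+			ic.ControlPlane = &types.MachinePool{
+				Platform: types.MachinePoolPlatform{
+					AWS: &aws.MachinePool{},
+				},
+			}
+			ic.Compute = []types.MachinePool{
+				{
+					Platform: types.MachinePoolPlatform{
+						AWS: &aws.MachinePool{},
+					},
+				},
+			}
+			assert.False(t, includesKMSEncryptionKey(&ic))
+		})
+	})
+}
+
+func TestKMSKeyPermissions(t *testing.T) {
+	t.Run("Should include KMS key permissions", func(t *testing.T) {
+		t.Run("when KMS key specified for controlPlane", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.ControlPlane.Platform.AWS.EC2RootVolume = aws.EC2RootVolume{
+				KMSKeyARN: "custom-master-key",
+			}
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys)
+		})
+		t.Run("when KMS key specified for compute", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.Compute[0].Platform.AWS.EC2RootVolume = aws.EC2RootVolume{
+				KMSKeyARN: "custom-worker-key",
+			}
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys)
+		})
+		t.Run("when KMS key specified for defaultMachinePlatform", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.AWS.DefaultMachinePlatform = &aws.MachinePool{
+				EC2RootVolume: aws.EC2RootVolume{
+					KMSKeyARN: "custom-default-key",
+				},
+			}
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.Contains(t, requiredPerms, PermissionKMSEncryptionKeys)
+		})
+	})
+
+	t.Run("Should not include KMS key permissions", func(t *testing.T) {
+		t.Run("when no machine types specified", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.ControlPlane = nil
+			ic.Compute = nil
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.NotContains(t, requiredPerms, PermissionKMSEncryptionKeys)
+		})
+		t.Run("when no KMS keys specified", func(t *testing.T) {
+			ic := validInstallConfig()
+			ic.AWS.DefaultMachinePlatform = &aws.MachinePool{}
+			requiredPerms := RequiredPermissionGroups(ic)
+			assert.NotContains(t, requiredPerms, PermissionKMSEncryptionKeys)
+		})
+	})
+}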
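Review bot: No case in `TestIncludesKMSEncryptionKeys` sets a key on one pool while a later-folded pool supplies an empty `EC2RootVolume` (for example `DefaultMachinePlatform` keyed and a compute pool without a key), which is the only ordering where `MachinePool.Set` could wipe the key and make the helper return false; "controlPlane and compute" keys both pools and "no KMS keys specified" keys none, so neither would catch such a regression. Adding that case to the "Should be true when" group pins the fold behavior the permission check depends on. A matching `TestKMSKeyPermissions` case using `validInstallConfig()` with a keyed `DefaultMachinePlatform` and the stock compute pool would cover the same path through `RequiredPermissionGroups`.
```go
		t.Run("KMS key specified for defaultMachinePlatform but not compute", func(t *testing.T) {
			ic := basicInstallConfig()
			ic.AWS.DefaultMachinePlatform = &aws.MachinePool{
				EC2RootVolume: aws.EC2RootVolume{KMSKeyARN: "custom-default-key"},
			}
			ic.Compute = []types.MachinePool{
				{Platform: types.MachinePoolPlatform{AWS: &aws.MachinePool{}}},
			}
			assert.True(t, includesKMSEncryptionKey(&ic))
		})
```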
