setup the testing interface between test cases and utils backend

demonCoder95 · demonCoder95 · commit e1040a732c3f · 2024-11-20T12:34:41.000+01:00
diff --git a/test/e2e/authorization.go b/test/e2e/authorization.go
@@ -1,19 +1,88 @@
 package e2e
 
 import (
+	"context"
+
 	g "github.com/onsi/ginkgo/v2"
+	gomega "github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/test/e2e/framework"
+)
+
+var (
+	allGroups = [][]string{
+		[]string{"FooBar"},
+		[]string{"ReadOnly"},
+		[]string{"PowerUser"},
+		[]string{"Emergency"},
+		[]string{"Manual"},
+		[]string{"system:serviceaccounts:kube-system"},
+		[]string{"CollaboratorEmergency"},
+		[]string{"CollaboratorManual"},
+		[]string{"Collaborator24x7"},
+		[]string{"CollaboratorPowerUser"},
+		[]string{"Administrator"},
+	}
 )
 
-var _ = g.Describe("Authorisation [RBAC] [Zalando]", func() {
+var _ = g.Describe("Authorization [RBAC] [Zalando]", func() {
+	var cs kubernetes.Interface
+
+	f := framework.NewDefaultFramework("authorization")
 
+	// Initialise the clientset before each test
+	g.BeforeEach(func() {
+		cs = f.ClientSet
+	})
+
+	// Test cases for all groups of users
 	g.Context("For all groups", func() {
+		var tc testCase
+		g.BeforeEach(func() {
+			tc.data.groups = allGroups
+			tc.data.users = []string{"test-user"}
+		})
 		g.When("the verb is impersonate", func() {
-			g.It("should deny access for users", func() {})
-			g.It("should deny access for service accounts", func() {})
+			g.BeforeEach(func() {
+				tc.data.verbs = []string{"impersonate"}
+			})
+
+			g.It("should deny access for users and groups", func() {
+				// This is safe to do since the BeforeEach block
+				// will clear these values for other specs.
+				// https://onsi.github.io/ginkgo/#organizing-specs-with-container-nodes
+				tc.data.resources = []string{"users", "groups"}
+				tc.run(context.TODO(), cs)
+				output := tc.output
+				gomega.Expect(output.denied).To(gomega.BeTrue())
+
+			})
+			g.It("should deny access for service accounts", func() {
+				tc.data.resources = []string{"serviceaccounts"}
+				tc.data.namespaces = []string{"", "teapot", "kube-system"}
+				tc.run(context.TODO(), cs)
+				output := tc.output
+				gomega.Expect(output.denied).To(gomega.BeTrue())
+			})
 		})
 		g.When("the verb is escalate", func() {
-			g.It("should deny access for cluster roles", func() {})
-			g.It("should deny access for roles in all namespaces", func() {})
+			g.BeforeEach(func() {
+				tc.data.verbs = []string{"escalate"}
+			})
+
+			g.It("should deny access for cluster roles", func() {
+				tc.data.resources = []string{"rbac.authorization.k8s.io/clusterrole"}
+				tc.run(context.TODO(), cs)
+				output := tc.output
+				gomega.Expect(output.denied).To(gomega.BeTrue())
+			})
+			g.It("should deny access for roles in all namespaces", func() {
+				tc.data.resources = []string{"rbac.authorization.k8s.io/role"}
+				tc.data.namespaces = []string{"", "teapot", "kube-system"}
+				tc.run(context.TODO(), cs)
+				output := tc.output
+				gomega.Expect(output.denied).To(gomega.BeTrue())
+			})
 		})
 	})
 
diff --git a/test/e2e/authorization_utils.go b/test/e2e/authorization_utils.go
@@ -2,37 +2,85 @@ package e2e
 
 import (
 	"context"
-	"fmt"
 
 	authv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
 )
 
-func createSubjectAccessReview(ctx context.Context, cs kubernetes.Interface, sar authv1.SubjectAccessReview) (*authv1.SubjectAccessReview, error) {
-	return cs.AuthorizationV1().SubjectAccessReviews().Create(ctx, &sar, metav1.CreateOptions{})
+// testCase is a struct that represents a single testcase.
+type testCase struct {
+	data   testcaseData
+	output testcaseOutput
+}
+
+// testcaseData is a struct that makes it user-friendly to write testcases
+// more logically. This will be used to generate individual SubjectAccessReview
+// objects in order to test the authorization rules.
+type testcaseData struct {
+	namespaces       []string
+	names            []string
+	verbs            []string
+	apiGroups        []string
+	resources        []string
+	subresources     []string
+	nonResourceVerbs []string
+	nonResourcePaths []string
+	users            []string
+
+	// this is double slice since we need to check individually for
+	// each group of users. A single slice would mean that the same user
+	// is part of all the groups.
+	groups [][]string
 }
 
-func createLocalClient() (kubernetes.Interface, error) {
-	kubeconfigPath := "/workdir/test/e2e/kubeconfig"
+// testcaseOutput is a struct that represents the expected result of a testcase.
+// This is based on the SubjectAccessReviewStatus type. It provides simplicity in testcase
+// writing since one testcase can have multiple SubjectAccessReview objects
+// and we need to determine the "final" result and expose that as the testcase output.
+type testcaseOutput struct {
+	// the final result based on results of individual SubjectAccessReview objects
+	allowed, denied bool
+	// the set of reasons from individual SubjectAccessReview objects
+	reason []string
+}
 
-	// use the current context in kubeconfig
-	config, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
+func (t *testCase) run(ctx context.Context, cs kubernetes.Interface) error {
+	// Generate the list of SubjectAccessReview objects based on the testcase data
+	sars, err := generateSubjectAccessReviews(t.data)
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	client, err := kubernetes.NewForConfig(config)
+	// Create the SubjectAccessReview objects in the cluster
+	err = createSubjectAccessReviews(ctx, cs, sars)
 	if err != nil {
-		return nil, fmt.Errorf("unable to create a client: %v", err)
+		return err
 	}
 
-	return client, nil
+	// TODO: Implement the logic to determine the final result based on the results of individual SubjectAccessReview objects
+	return nil
 }
 
-type testCase struct {
-	name           string
-	sar            authv1.SubjectAccessReview
-	expectedStatus authv1.SubjectAccessReviewStatus
+// accessReviewGenerator generates a list of SubjectAccessReview objects based on the
+// testcase data provided.
+func generateSubjectAccessReviews(data testcaseData) ([]authv1.SubjectAccessReview, error) {
+	// TODO: Implement this function
+	return nil, nil
+}
+
+// createSubjectAccessReviews creates provided SubjectAccessReview objects in the cluster
+func createSubjectAccessReviews(ctx context.Context, cs kubernetes.Interface, sars []authv1.SubjectAccessReview) error {
+	for _, sar := range sars {
+		_, err := createSubjectAccessReview(ctx, cs, sar)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// createSubjectAccessReview creates a SubjectAccessReview object in the cluster
+func createSubjectAccessReview(ctx context.Context, cs kubernetes.Interface, sar authv1.SubjectAccessReview) (*authv1.SubjectAccessReview, error) {
+	return cs.AuthorizationV1().SubjectAccessReviews().Create(ctx, &sar, metav1.CreateOptions{})
 }
