e2e: add SubjectRulesReview tests

Signed-off-by: Dr. Stefan Schimanski <[email protected]>
kcp-dev · Jan 24, 2025 · 408f06d · 408f06d
1 parent 8b594fe
commit 408f06d
Showing 1 changed file with 121 additions and 0 deletions.
diff --git a/test/e2e/authorizer/scopes_test.go b/test/e2e/authorizer/scopes_test.go
@@ -18,6 +18,7 @@ package authorizer
 
 import (
 	"context"
+	"sort"
 	"testing"
 
 	kcpkubernetesclientset "github.com/kcp-dev/client-go/kubernetes"
@@ -26,6 +27,8 @@ import (
 	authorizationv1 "k8s.io/api/authorization/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/client-go/rest"
 	"k8s.io/kubernetes/pkg/registry/rbac/validation"
 
 	"github.com/kcp-dev/kcp/test/e2e/framework"
@@ -143,3 +146,121 @@ func TestSubjectAccessReview(t *testing.T) {
 		})
 	}
 }
+
+func TestSelfSubjectRulesReview(t *testing.T) {
+	t.Parallel()
+	framework.Suite(t, "control-plane")
+
+	server := framework.SharedKcpServer(t)
+	cfg := server.BaseConfig(t)
+	wsPath, ws := framework.NewOrganizationFixture(t, server)
+
+	// These rules will always exist as soon as a user has access
+	authenticatedBaseRules := []authorizationv1.ResourceRule{
+		{Verbs: []string{"create"}, APIGroups: []string{"authentication.k8s.io"}, Resources: []string{"selfsubjectreviews"}},
+		{Verbs: []string{"create"}, APIGroups: []string{"authorization.k8s.io"}, Resources: []string{"selfsubjectaccessreviews", "selfsubjectrulesreviews"}},
+	}
+
+	type tests struct {
+		name      string
+		user      string
+		groups    []string
+		extra     map[string][]string
+		wantRules []authorizationv1.ResourceRule
+		wantError bool
+	}
+	for _, tt := range []tests{
+		{
+			name: "normal user",
+			user: "user", groups: []string{"system:kcp:admin"},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "in-scope users",
+			user: "user", groups: []string{"system:kcp:admin"}, extra: map[string][]string{validation.ScopeExtraKey: {"cluster:" + ws.Spec.Cluster}},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "out-of-scoped users",
+			user: "user", groups: []string{"system:kcp:admin"}, extra: map[string][]string{validation.ScopeExtraKey: {"cluster:other"}},
+			wantRules: authenticatedBaseRules,
+		},
+		{
+			name: "service account",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "service account with cluster",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"}, extra: map[string][]string{serviceaccount.ClusterNameKey: {ws.Spec.Cluster}},
+			wantRules: append([]authorizationv1.ResourceRule{
+				{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}},
+			}, authenticatedBaseRules...),
+		},
+		{
+			name: "service account with other cluster",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"}, extra: map[string][]string{serviceaccount.ClusterNameKey: {"other"}},
+			wantError: true,
+		},
+		{
+			name: "admin scoped to other cluster",
+			user: "user", groups: []string{"system:kcp:admin", user.AllAuthenticated}, extra: map[string][]string{validation.ScopeExtraKey: {"cluster:other"}},
+			wantRules: authenticatedBaseRules,
+		},
+		{
+			name: "service account with scope to other cluster",
+			user: "system:serviceaccount:default:default", groups: []string{"system:kcp:admin"}, extra: map[string][]string{
+				serviceaccount.ClusterNameKey: {ws.Spec.Cluster},
+				validation.ScopeExtraKey:      {"cluster:other"},
+			},
+			wantRules: authenticatedBaseRules,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			// impersonate as user, using the cfg as the base.
+			impersonationConfig := rest.CopyConfig(cfg)
+			impersonationConfig.Impersonate = rest.ImpersonationConfig{
+				UserName: tt.user,
+				Groups:   tt.groups,
+				Extra:    tt.extra,
+			}
+			if impersonationConfig.Impersonate.Extra == nil {
+				impersonationConfig.Impersonate.Extra = map[string][]string{}
+			}
+			impersonatedClient, err := kcpkubernetesclientset.NewForConfig(impersonationConfig)
+			require.NoError(t, err)
+
+			req := &authorizationv1.SelfSubjectRulesReview{
+				Spec: authorizationv1.SelfSubjectRulesReviewSpec{
+					Namespace: "default",
+				},
+			}
+			resp, err := impersonatedClient.Cluster(wsPath).AuthorizationV1().SelfSubjectRulesReviews().Create(ctx, req, metav1.CreateOptions{})
+			if tt.wantError {
+				require.Error(t, err)
+				return
+			} else {
+				require.NoError(t, err)
+			}
+
+			sort.Sort(sortedResourceRules(resp.Status.ResourceRules))
+			sort.Sort(sortedResourceRules(tt.wantRules))
+			require.Equal(t, tt.wantRules, resp.Status.ResourceRules)
+		})
+	}
+}
+
+type sortedResourceRules []authorizationv1.ResourceRule
+
+func (r sortedResourceRules) Len() int           { return len(r) }
+func (r sortedResourceRules) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+func (r sortedResourceRules) Less(i, j int) bool { return r[i].String() < r[j].String() }