Add test for SubjectAccessReview authorization.
Signed-off-by: Martin Hesko <[email protected]>
1 parent
20053cc
commit 8143c68
Showing
5 changed files
with
111 additions
and
14 deletions.
Empty file.
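--- a/testsuite/tests/singlecluster/authorino/identity/subject_access_review/conftest.py
+++ b/testsuite/tests/singlecluster/authorino/identity/subject_access_review/conftest.py
@@ -0,0 +1,49 @@
+"""Conftest for SubjectAccessReview related tests."""
+
+import pytest
+
+from testsuite.httpx.auth import HeaderApiKeyAuth
+from testsuite.kubernetes.cluster_role import ClusterRole, ClusterRoleBinding
+
+
+@pytest.fixture(scope="module")
+def create_cluster_role(request, cluster, blame, module_label):
+    """Creates and returns a ClusterRole"""
+
+    def _create_cluster_role(rules):
+        cluster_role = ClusterRole.create_instance(cluster, blame("cr"), rules, labels={"app": module_label})
+        request.addfinalizer(cluster_role.delete)
+        cluster_role.commit()
+        return cluster_role
+
+    return _create_cluster_role
+
+
+@pytest.fixture(scope="module")
+def create_cluster_role_binding(request, cluster, blame, module_label):
+    """Creates and returns a ClusterRoleBinding"""
+
+    def _create_cluster_role_binding(cluster_role, service_accounts):
+        cluster_role_binding = ClusterRoleBinding.create_instance(
+            cluster, blame("crb"), cluster_role, service_accounts, labels={"app": module_label}
+        )
+        request.addfinalizer(cluster_role_binding.delete)
+        cluster_role_binding.commit()
+        return cluster_role_binding
+
+    return _create_cluster_role_binding
+
+
+@pytest.fixture(scope="module")
+def bound_service_account(create_cluster_role, create_service_account, create_cluster_role_binding, audience):
+    """Create a ServiceAccount and bind it to a ClusterRole with given permissions"""
+    cluster_role = create_cluster_role([{"nonResourceURLs": ["/get"], "verbs": ["get"]}])
+    service_account = create_service_account("tkn-auth")
+    create_cluster_role_binding(cluster_role.model.metadata.name, [service_account.model.metadata.name])
+    return service_account.get_auth_token(audience)
+
+
+@pytest.fixture(scope="module")
+def auth(bound_service_account):
+    """Create request auth with service account token as API key"""
+    return HeaderApiKeyAuth(bound_service_account, "Bearer")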
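Review bot: The `bound_service_account` fixture returns the ServiceAccount's bound token (`service_account.get_auth_token(audience)`), not the ServiceAccount, and its docstring and name say otherwise; the same mismatch applies to `create_cluster_role` and `create_cluster_role_binding`, whose docstrings say they return a ClusterRole/ClusterRoleBinding while they return factory closures. Suggested docstring for the first: `"""Create a ServiceAccount bound to a ClusterRole allowing only GET on the /get non-resource URL and return its bound token"""`, and for the factories `"""Return a factory that creates a ClusterRole with the given rules and registers its deletion"""` (likewise for the binding). It is also worth a one-line comment on the rules list that the narrow `nonResourceURLs: ["/get"]` grant is deliberate, so nobody later widens it to `/*` for convenience and silently weakens what the SubjectAccessReview test proves.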
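--- a/testsuite/tests/singlecluster/authorino/identity/subject_access_review/test_subject_access_review.py
+++ b/testsuite/tests/singlecluster/authorino/identity/subject_access_review/test_subject_access_review.py
@@ -0,0 +1,47 @@
+"""Test kubernetes SubjectAccessReview authorization by verifying only a
+ServiceAccount bound to a ClusterRole is authorized to access a resource"""
+
+import pytest
+
+from testsuite.httpx.auth import HeaderApiKeyAuth
+from testsuite.kuadrant.policy.authorization import ValueFrom
+
+pytestmark = [pytest.mark.authorino]
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+    """Add kubernetes token-review and subject-access-review identity"""
+    authorization.identity.add_kubernetes("token-review-host")
+    user = ValueFrom("auth.identity.user.username")
+    authorization.authorization.add_kubernetes("subject-access-review-host", user, None)
+    return authorization
+
+
+@pytest.fixture(scope="module")
+def audience(hostname):
+    """Return hostname as only audience for the service account bound token"""
+    return [hostname.hostname]
+
+
+@pytest.fixture(scope="module")
+def service_account_token(create_service_account, audience):
+    """Create a non-authorized service account and request its bound token with the hostname as audience"""
+    service_account = create_service_account("tkn-non-auth")
+    return service_account.get_auth_token(audience)
+
+
+@pytest.fixture(scope="module")
+def auth2(service_account_token):
+    """Create request auth with service account token as API key"""
+    return HeaderApiKeyAuth(service_account_token, "Bearer")
+
+
+def test_host_audience(client, auth, auth2):
+    """Test Kubernetes SubjectAccessReview functionality by setting up authentication and authorization for an endpoint
+    and querying it with non-authorized and authorized ServiceAccount."""
+    response = client.get("/anything/get", auth=auth2)
+    assert response.status_code == 403
+
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200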
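Review bot: `test_host_audience` sends the two ServiceAccounts to different paths (`/anything/get` for the unbound one, `/get` for the bound one), so the 403 does not isolate the SubjectAccessReview decision: the unbound token could be rejected because no role covers `/anything/get` at all rather than because that ServiceAccount lacks the binding, and the test never shows that the bound ServiceAccount is denied outside its granted URL. Querying the same path with both identities, `response = client.get("/get", auth=auth2)` / `assert response.status_code == 403`, plus `assert client.get("/anything/get", auth=auth).status_code == 403` for the bound account, would pin both the allow and the deny side of the role defined in conftest. The test name also says "host audience" while the docstring and module describe a SubjectAccessReview authorization check; `test_subject_access_review` would match. The `None` third argument to `add_kubernetes` presumably means the request path is used as the non-resource attribute; a short comment confirming that intent would help the reader tie the test to the `nonResourceURLs` rule.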