return reason for allowed rbac authorizations

Includes the binding, role, and subject that allowed a request, so that audit logging can make use of it.
Jordan Liggitt
2018-01-19 13:17:32 -05:00
parent f9bb978ad6
commit b4fb25261e
3 changed files with 83 additions and 19 deletions


@@ -168,6 +168,7 @@ func TestAppliesTo(t *testing.T) {
user user.Info
namespace string
appliesTo bool
index int
testCase string
}{
{
@@ -176,6 +177,7 @@ func TestAppliesTo(t *testing.T) {
},
user: &user.DefaultInfo{Name: "foobar"},
appliesTo: true,
index: 0,
testCase: "single subject that matches username",
},
{
@@ -185,6 +187,7 @@ func TestAppliesTo(t *testing.T) {
},
user: &user.DefaultInfo{Name: "foobar"},
appliesTo: true,
index: 1,
testCase: "multiple subjects, one that matches username",
},
{
@@ -203,6 +206,7 @@ func TestAppliesTo(t *testing.T) {
},
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
appliesTo: true,
index: 1,
testCase: "multiple subjects, one that match group",
},
{
@@ -213,6 +217,7 @@ func TestAppliesTo(t *testing.T) {
user: &user.DefaultInfo{Name: "zimzam", Groups: []string{"foobar"}},
namespace: "namespace1",
appliesTo: true,
index: 1,
testCase: "multiple subjects, one that match group, should ignore namespace",
},
{
@@ -224,6 +229,7 @@ func TestAppliesTo(t *testing.T) {
user: &user.DefaultInfo{Name: "system:serviceaccount:kube-system:default"},
namespace: "default",
appliesTo: true,
index: 2,
testCase: "multiple subjects with a service account that matches",
},
{
@@ -243,6 +249,7 @@ func TestAppliesTo(t *testing.T) {
user: &user.DefaultInfo{Name: "foobar", Groups: []string{user.AllAuthenticated}},
namespace: "default",
appliesTo: true,
index: 0,
testCase: "binding to all authenticated and unauthenticated subjects matches authenticated user",
},
{
@@ -253,14 +260,18 @@ func TestAppliesTo(t *testing.T) {
user: &user.DefaultInfo{Name: "system:anonymous", Groups: []string{user.AllUnauthenticated}},
namespace: "default",
appliesTo: true,
index: 1,
testCase: "binding to all authenticated and unauthenticated subjects matches anonymous user",
},
}
for _, tc := range tests {
got := appliesTo(tc.user, tc.subjects, tc.namespace)
gotIndex, got := appliesTo(tc.user, tc.subjects, tc.namespace)
if got != tc.appliesTo {
t.Errorf("case %q want appliesTo=%t, got appliesTo=%t", tc.testCase, tc.appliesTo, got)
}
if gotIndex != tc.index {
t.Errorf("case %q want index %d, got %d", tc.testCase, tc.index, gotIndex)
}
}
}
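Review bot: The new assertion `if gotIndex != tc.index` also runs for the test cases with `appliesTo: false`, and none of those cases set `index`, so they implicitly assert index 0 through the struct zero value rather than through a stated expectation. If appliesTo reports a non-zero value when nothing matches (now or after a later change), those cases will fail for a reason unrelated to what they test, and a stray index returned alongside appliesTo=false would go unnoticed. Either set `index` explicitly on the negative cases or check the index only on a positive result: `if got && gotIndex != tc.index {`. Since this index is what feeds the new audit reason, which of several matching subjects is reported (for example the two all-authenticated/unauthenticated cases) is a contract worth documenting on the field, e.g. `// index: position in subjects of the first matching subject; only meaningful when appliesTo is true`. The appliesTo implementation lives in another file and is not visible in this diff, so the no-match return value is inferred here.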