add some UTs

Azure · Aug 1, 2023 · a02e4aa · a02e4aa
1 parent 53014f6
commit a02e4aa
Showing 1 changed file with 103 additions and 19 deletions.
diff --git a/pkg/webhook/validation/uservalidation_test.go b/pkg/webhook/validation/uservalidation_test.go
@@ -1,13 +1,17 @@
 package validation
 
 import (
+	"context"
 	"fmt"
 	"testing"
 
+	"github.com/crossplane/crossplane-runtime/pkg/test"
 	"github.com/stretchr/testify/assert"
-	v1 "k8s.io/api/authentication/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	fleetv1alpha1 "go.goms.io/fleet/apis/v1alpha1"
@@ -19,11 +23,11 @@ func TestValidateUserForFleetResource(t *testing.T) {
 		resKind          string
 		namespacedName   types.NamespacedName
 		whiteListedUsers []string
-		userInfo         v1.UserInfo
+		userInfo         authenticationv1.UserInfo
 		wantResponse     admission.Response
 	}{
 		"allow user in system:masters group": {
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{mastersGroup},
 			},
@@ -32,7 +36,7 @@ func TestValidateUserForFleetResource(t *testing.T) {
 			wantResponse:   admission.Allowed(fmt.Sprintf(fleetResourceAllowedFormat, "test-user", []string{mastersGroup}, "Role", types.NamespacedName{Name: "test-role", Namespace: "test-namespace"})),
 		},
 		"allow white listed user not in system:masters group": {
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -42,7 +46,7 @@ func TestValidateUserForFleetResource(t *testing.T) {
 			wantResponse:     admission.Allowed(fmt.Sprintf(fleetResourceAllowedFormat, "test-user", []string{"test-group"}, "RoleBinding", types.NamespacedName{Name: "test-role-binding", Namespace: "test-namespace"})),
 		},
 		"allow valid service account": {
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{serviceAccountsGroup},
 			},
@@ -51,7 +55,7 @@ func TestValidateUserForFleetResource(t *testing.T) {
 			wantResponse:   admission.Allowed(fmt.Sprintf(fleetResourceAllowedFormat, "test-user", []string{serviceAccountsGroup}, "RoleBinding", types.NamespacedName{Name: "test-role-binding", Namespace: "test-namespace"})),
 		},
 		"fail to validate user with invalid username, groups": {
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -74,13 +78,13 @@ func TestValidateUserForFleetCRD(t *testing.T) {
 		group            string
 		namespacedName   types.NamespacedName
 		whiteListedUsers []string
-		userInfo         v1.UserInfo
+		userInfo         authenticationv1.UserInfo
 		wantResponse     admission.Response
 	}{
 		"allow user in system:masters group to modify other CRD": {
 			group:          "other-group",
 			namespacedName: types.NamespacedName{Name: "test-crd"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"system:masters"},
 			},
@@ -89,7 +93,7 @@ func TestValidateUserForFleetCRD(t *testing.T) {
 		"allow user in system:masters group to modify fleet CRD": {
 			group:          "fleet.azure.com",
 			namespacedName: types.NamespacedName{Name: "memberclusters.fleet.azure.com"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"system:masters"},
 			},
@@ -98,7 +102,7 @@ func TestValidateUserForFleetCRD(t *testing.T) {
 		"allow white listed user to modify fleet CRD": {
 			group:          "fleet.azure.com",
 			namespacedName: types.NamespacedName{Name: "memberclusters.fleet.azure.com"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -108,7 +112,7 @@ func TestValidateUserForFleetCRD(t *testing.T) {
 		"deny user not in system:masters group to modify fleet CRD": {
 			group:          "fleet.azure.com",
 			namespacedName: types.NamespacedName{Name: "memberclusters.fleet.azure.com"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -129,7 +133,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 		currentMC        fleetv1alpha1.MemberCluster
 		oldMC            fleetv1alpha1.MemberCluster
 		whiteListedUsers []string
-		userInfo         v1.UserInfo
+		userInfo         authenticationv1.UserInfo
 		wantResponse     admission.Response
 	}{
 		"allow any user to modify MC labels": {
@@ -150,7 +154,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 					Name: "test-mc",
 				},
 			},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -174,7 +178,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 					Name: "test-mc",
 				},
 			},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -204,7 +208,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 					State: fleetv1alpha1.ClusterStateJoin,
 				},
 			},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"system:masters"},
 			},
@@ -235,7 +239,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 					Name: "test-mc",
 				},
 			},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"system:masters"},
 			},
@@ -273,7 +277,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 				},
 			},
 			whiteListedUsers: []string{"test-user"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -303,7 +307,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 					State: fleetv1alpha1.ClusterStateJoin,
 				},
 			},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -334,7 +338,7 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 				},
 			},
 			whiteListedUsers: []string{"test-user1"},
-			userInfo: v1.UserInfo{
+			userInfo: authenticationv1.UserInfo{
 				Username: "test-user",
 				Groups:   []string{"test-group"},
 			},
@@ -349,3 +353,83 @@ func TestValidateMemberClusterUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateUserForInternalMemberCluster(t *testing.T) {
+	testCases := map[string]struct {
+		client           client.Client
+		namespacedName   types.NamespacedName
+		whiteListedUsers []string
+		userInfo         authenticationv1.UserInfo
+		wantResponse     admission.Response
+	}{
+		"allow user in IMC identity": {
+			client: &test.MockClient{
+				MockList: func(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+					l := list.(*fleetv1alpha1.MemberClusterList)
+					*l = fleetv1alpha1.MemberClusterList{
+						Items: []fleetv1alpha1.MemberCluster{
+							{
+								ObjectMeta: metav1.ObjectMeta{
+									Name:      "test-mc",
+									Namespace: "test-namespace",
+								},
+								Spec: fleetv1alpha1.MemberClusterSpec{
+									Identity: rbacv1.Subject{
+										Name: "test-identity",
+									},
+								},
+							},
+						},
+					}
+					return nil
+				},
+			},
+			namespacedName: types.NamespacedName{
+				Name: "test-mc",
+			},
+			userInfo: authenticationv1.UserInfo{
+				Username: "test-identity",
+				Groups:   []string{"test-group"},
+			},
+			wantResponse: admission.Allowed(fmt.Sprintf(fleetResourceAllowedFormat, "test-identity", []string{"test-group"}, "InternalMemberCluster", types.NamespacedName{Name: "test-mc"})),
+		},
+		"allow hub-agent-sa in IMC identity": {
+			client: &test.MockClient{
+				MockList: func(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error {
+					l := list.(*fleetv1alpha1.MemberClusterList)
+					*l = fleetv1alpha1.MemberClusterList{
+						Items: []fleetv1alpha1.MemberCluster{
+							{
+								ObjectMeta: metav1.ObjectMeta{
+									Name:      "test-mc",
+									Namespace: "test-namespace",
+								},
+								Spec: fleetv1alpha1.MemberClusterSpec{
+									Identity: rbacv1.Subject{
+										Name: "hub-agent-sa",
+									},
+								},
+							},
+						},
+					}
+					return nil
+				},
+			},
+			namespacedName: types.NamespacedName{
+				Name: "test-mc",
+			},
+			userInfo: authenticationv1.UserInfo{
+				Username: "system:serviceaccount:fleet-system:hub-agent-sa",
+				Groups:   []string{"system:serviceaccounts"},
+			},
+			wantResponse: admission.Allowed(fmt.Sprintf(fleetResourceAllowedFormat, "system:serviceaccount:fleet-system:hub-agent-sa", []string{"system:serviceaccounts"}, "InternalMemberCluster", types.NamespacedName{Name: "test-mc"})),
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			gotResult := ValidateUserForInternalMemberCluster(context.Background(), testCase.client, testCase.namespacedName, testCase.whiteListedUsers, testCase.userInfo)
+			assert.Equal(t, testCase.wantResponse, gotResult, utils.TestCaseMsg, testName)
+		})
+	}
+}