From 03382a9b699a0fb723c30d43317812d772ad6ae8 Mon Sep 17 00:00:00 2001
From: Ali Ok
Date: Thu, 28 May 2020 15:54:09 +0300
Subject: [PATCH] Conformance tests for channel control plane aggregated addressable resolver ClusterRole

---
 ...le_manipulator_cluster_role_test_helper.go | 47 +++----------------
 test/conformance/helpers/rbac.go | 30 ++++++++++++
 2 files changed, 37 insertions(+), 40 deletions(-)
 create mode 100644 test/conformance/helpers/rbac.go

diff --git a/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go b/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
index f97bc8c9472..ded9976d310 100644
--- a/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
+++ b/test/conformance/helpers/channel_channelable_manipulator_cluster_role_test_helper.go
@@ -21,25 +21,22 @@ import (
 	"fmt"
-	authv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/storage/names"
 	"knative.dev/eventing/test/lib"
 )
-const aggregationClusterRoleName = "channelable-manipulator"
-
-var permissionTestCaseVerbs = []string{"get", "list", "watch", "update", "patch"}
-
 func TestChannelChannelableManipulatorClusterRoleTestRunner(
 	t *testing.T,
 	channelTestRunner lib.ChannelTestRunner,
 	options ...lib.SetupClientOption,
 ) {
+	const aggregationClusterRoleName = "channelable-manipulator"
+	var permissionTestCaseVerbs = []string{"get", "list", "watch", "update", "patch"}
+
 	channelTestRunner.RunTests(t, lib.FeatureBasic, func(st *testing.T, channel metav1.TypeMeta) {
 		client := lib.Setup(st, true, options...)
 		defer lib.TearDown(client)
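Review bot: The verb list moved into TestChannelChannelableManipulatorClusterRoleTestRunner omits `create`, while the spec comment added in the next hunk (`// From spec: (...) ClusterRole MUST include permissions to create, get, list, watch, patch, and update ...`) names it; unless create is deliberately out of scope for the channelable-manipulator role, the conformance check is weaker than the requirement it cites, and a SubjectAccessReview for create can be issued the same way as the others. Adding it is one token: `var permissionTestCaseVerbs = []string{"create", "get", "list", "watch", "update", "patch"}`. As a point of style, a function-scoped `var x = ...` is conventionally written with a short declaration, `permissionTestCaseVerbs := []string{...}`. The function body continues past the end of the hunk.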
@@ -55,45 +52,15 @@ func TestChannelChannelableManipulatorClusterRoleTestRunner(
 		)
 		client.WaitForAllTestResourcesReadyOrFail()
+		// From spec: (...) ClusterRole MUST include permissions to create, get, list, watch, patch,
+		// and update the CRD's custom objects and their status.
 		for _, verb := range permissionTestCaseVerbs {
 			t.Run(fmt.Sprintf("ChannelableManipulatorClusterRole can do %s on %s", verb, gvr), func(t *testing.T) {
-				serviceAccountCanDoVerbOnResource(st, client, gvr, "", saName, verb)
+				ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "", saName, verb)
 			})
 			t.Run(fmt.Sprintf("ChannelableManipulatorClusterRole can do %s on status subresource of %s", verb, gvr), func(t *testing.T) {
-				serviceAccountCanDoVerbOnResource(st, client, gvr, "status", saName, verb)
+				ServiceAccountCanDoVerbOnResourceOrFail(client, gvr, "status", saName, verb)
 			})
 		}
 	})
 }
-
-func serviceAccountCanDoVerbOnResource(st *testing.T, client *lib.Client, gvr schema.GroupVersionResource, subresource string, saName string, verb string) {
-	// From spec: (...) ClusterRole MUST include permissions to create, get, list, watch, patch,
-	// and update the CRD's custom objects and their status.
-	allowed, err := isAllowed(saName, client, verb, gvr, subresource)
-	if err != nil {
-		client.T.Fatalf("Error while checking if %q is not allowed on %s.%s/%s subresource:%q. err: %q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, err)
-	}
-	if !allowed {
-		client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource)
-	}
-}
-
-func isAllowed(saName string, client *lib.Client, verb string, gvr schema.GroupVersionResource, subresource string) (bool, error) {
-	r, err := client.Kube.Kube.AuthorizationV1().SubjectAccessReviews().Create(&authv1.SubjectAccessReview{
-		Spec: authv1.SubjectAccessReviewSpec{
-			User: fmt.Sprintf("system:serviceaccount:%s:%s", client.Namespace, saName),
-			ResourceAttributes: &authv1.ResourceAttributes{
-				Verb: verb,
-				Group: gvr.Group,
-				Version: gvr.Version,
-				Resource: gvr.Resource,
-				Subresource: subresource,
-			},
-		},
-	})
-	if err != nil {
-		return false, err
-	}
-	return r.Status.Allowed, nil
-}
diff --git a/test/conformance/helpers/rbac.go b/test/conformance/helpers/rbac.go
new file mode 100644
index 00000000000..c5ee7505cc7
--- /dev/null
+++ b/test/conformance/helpers/rbac.go
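Review bot: The two new calls in channel_channelable_manipulator_cluster_role_test_helper.go run inside `t.Run(..., func(t *testing.T) {...})` subtests, but the helper reports through `client.T.Fatalf`, which (if `lib.Setup(st, ...)` stores `st` as `client.T`, as the surrounding code suggests) is the parent test rather than the subtest; the testing package requires FailNow to be called from the goroutine running that test, so a denied verb is attributed to the parent while the per-verb subtest that actually failed is not marked. The removed helper at least accepted `st`, even if unused; the new signature in rbac.go carries no `*testing.T` at all. Passing the subtest's t through keeps each failure on the subtest it belongs to: `ServiceAccountCanDoVerbOnResourceOrFail(t, client, gvr, "", saName, verb)` and likewise for the "status" call, with a leading `t *testing.T` parameter in rbac.go used for both Fatalf calls. The enclosing function starts before this hunk, and the same point applies to the definition in the rbac.go hunk below.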
@@ -0,0 +1,30 @@
+package helpers
+
+import (
+	"fmt"
+
+	authv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/eventing/test/lib"
+)
+
+func ServiceAccountCanDoVerbOnResourceOrFail(client *lib.Client, gvr schema.GroupVersionResource, subresource string, saName string, verb string) {
+	r, err := client.Kube.Kube.AuthorizationV1().SubjectAccessReviews().Create(&authv1.SubjectAccessReview{
+		Spec: authv1.SubjectAccessReviewSpec{
+			User: fmt.Sprintf("system:serviceaccount:%s:%s", client.Namespace, saName),
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Verb: verb,
+				Group: gvr.Group,
+				Version: gvr.Version,
+				Resource: gvr.Resource,
+				Subresource: subresource,
+			},
+		},
+	})
+	if err != nil {
+		client.T.Fatalf("Error while checking if %q is not allowed on %s.%s/%s subresource:%q. err: %q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, err)
+	}
+	if !r.Status.Allowed {
+		client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q", verb, gvr.Resource, gvr.Group, gvr.Version, subresource)
+	}
+}
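Review bot: `ServiceAccountCanDoVerbOnResourceOrFail` is exported but has no doc comment, and on a denied review the failure message says only that the verb is not allowed, discarding the API server's explanation of which rule was missing. The SubjectAccessReviewStatus also carries `Reason` (and `EvaluationError` when an authorizer failed), so including them makes a conformance failure actionable: `client.T.Fatalf("Operation %q is not allowed on %s.%s/%s subresource:%q: %s %s", verb, gvr.Resource, gvr.Group, gvr.Version, subresource, r.Status.Reason, r.Status.EvaluationError)`. The doc comment could read `// ServiceAccountCanDoVerbOnResourceOrFail issues a SubjectAccessReview for service account saName in client.Namespace and fails client.T unless verb is allowed on gvr (and on subresource, when non-empty).` The error-path message `"Error while checking if %q is not allowed ..."` reads inverted; `"checking whether %q is allowed"` says what the call actually does.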