From 41d6396baa1d21831a19ed94ed5861415fdc1c2e Mon Sep 17 00:00:00 2001 From: ybelMekk Date: Mon, 27 Sep 2021 14:19:27 +0200 Subject: [PATCH] restrict creating of applications to team-namespaces --- cmd/aiven/create_cmd.go | 2 +- pkg/aiven/aiven_test.go | 16 +++--------- pkg/common/common.go | 10 +++++--- pkg/common/common_test.go | 52 +++++++++++++++++++++++++++++++++++++++ pkg/test/helpers.go | 10 ++++++++ 5 files changed, 72 insertions(+), 18 deletions(-) create mode 100644 pkg/common/common_test.go diff --git a/cmd/aiven/create_cmd.go b/cmd/aiven/create_cmd.go index 4564acf3..da20d834 100644 --- a/cmd/aiven/create_cmd.go +++ b/cmd/aiven/create_cmd.go @@ -57,7 +57,7 @@ nais aiven create username namespace -e 10 | nais aiven create username namespac aivenConfig := aiven.SetupAiven(client.SetupClient(), username, namespace, pool, secretName, expiry) aivenApp, err := aivenConfig.GenerateApplication() if err != nil { - return fmt.Errorf("an error occurred generating aivenApplication %s", err) + return fmt.Errorf("an error occurred generating 'AivenApplication': %s", err) } log.Default().Printf("use: '%s get %s %s' to generate configuration secrets.", "nais aiven", aivenApp.Spec.SecretName, aivenApp.Namespace) return nil diff --git a/pkg/aiven/aiven_test.go b/pkg/aiven/aiven_test.go index 5c230446..15e9a444 100644 --- a/pkg/aiven/aiven_test.go +++ b/pkg/aiven/aiven_test.go @@ -2,23 +2,16 @@ package aiven import ( aiven_nais_io_v1 "github.com/nais/liberator/pkg/apis/aiven.nais.io/v1" - "github.com/nais/nais-cli/pkg/client" "github.com/nais/nais-cli/pkg/common" + "github.com/nais/nais-cli/pkg/test" "github.com/stretchr/testify/assert" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client/fake" "testing" "time" ) -var scheme = runtime.NewScheme() - func TestAivenGenerateApplicationCreated(t *testing.T) { - - client.InitScheme(scheme) - username := "user" team := "team" pool := "pool" @@ -35,7 +28,7 @@ func TestAivenGenerateApplicationCreated(t *testing.T) { }, } - fakeClient := fake.NewFakeClientWithScheme(scheme, &namespace) + fakeClient := test.BuildWithScheme(&namespace).Build() aiven := SetupAiven(fakeClient, username, team, pool, secretName, expiry) currentAivenApp, err := aiven.GenerateApplication() assert.NoError(t, err) @@ -51,9 +44,6 @@ func TestAivenGenerateApplicationCreated(t *testing.T) { } func TestAivenGenerateApplicationUpdated(t *testing.T) { - - client.InitScheme(scheme) - username := "user" team := "team" pool := "pool" @@ -77,7 +67,7 @@ func TestAivenGenerateApplicationUpdated(t *testing.T) { }, } - fakeClient := fake.NewFakeClientWithScheme(scheme, &namespace, &aivenApp) + fakeClient := test.BuildWithScheme(&namespace, &aivenApp).Build() aiven := SetupAiven(fakeClient, username, team, pool, secretName, expiry) currentAivenApp, err := aiven.GenerateApplication() assert.NoError(t, err) diff --git a/pkg/common/common.go b/pkg/common/common.go index 67a9c927..e3507392 100644 --- a/pkg/common/common.go +++ b/pkg/common/common.go @@ -25,11 +25,13 @@ func WriteToFile(dest, filename string, value []byte) error { } func ValidateNamespace(ctx context.Context, client ctrl.Client, name string, namespace *v1.Namespace) error { - err := client.Get(ctx, ctrl.ObjectKey{ - Name: name, - }, namespace) + err := client.Get(ctx, ctrl.ObjectKey{Name: name}, namespace) if err != nil { - return fmt.Errorf("getting namespace: %s", err) + return fmt.Errorf("getting namespace: %w", err) + } + + if namespace.GetLabels()["shared"] == "true" { + return fmt.Errorf("shared namespace is not allowed: %s", name) } return nil } diff --git a/pkg/common/common_test.go b/pkg/common/common_test.go new file mode 100644 index 00000000..571c5d54 --- /dev/null +++ b/pkg/common/common_test.go @@ -0,0 +1,52 @@ +package common + +import ( + "context" + "github.com/nais/nais-cli/pkg/test" + "github.com/stretchr/testify/assert" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "testing" +) + +var scheme = runtime.NewScheme() + +func TestValidateNamespaceShared(t *testing.T) { + ctx := context.Background() + namespaceName := "default" + + namespace := &v1.Namespace{ + TypeMeta: metav1.TypeMeta{ + Kind: "Namespace", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: namespaceName, + Labels: map[string]string{"shared": "true"}, + }, + } + + fakeClient := test.BuildWithScheme(namespace).Build() + err := ValidateNamespace(ctx, fakeClient, namespaceName, namespace) + assert.EqualError(t, err, "shared namespace is not allowed: default") +} + +func TestValidNamespace(t *testing.T) { + ctx := context.Background() + namespaceName := "team-namespace" + + namespace := &v1.Namespace{ + TypeMeta: metav1.TypeMeta{ + Kind: "Namespace", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: namespaceName, + }, + } + + fakeClient := test.BuildWithScheme(namespace).Build() + err := ValidateNamespace(ctx, fakeClient, namespaceName, namespace) + assert.NoError(t, err) +} diff --git a/pkg/test/helpers.go b/pkg/test/helpers.go index 6d3bd3c9..cf762d2c 100644 --- a/pkg/test/helpers.go +++ b/pkg/test/helpers.go @@ -1,14 +1,19 @@ package test import ( + "github.com/nais/nais-cli/pkg/client" "github.com/stretchr/testify/assert" "io/ioutil" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "os" + "sigs.k8s.io/controller-runtime/pkg/client/fake" "testing" ) +var scheme = runtime.NewScheme() + func SetupDest(t *testing.T) string { tempDir, err := ioutil.TempDir(os.TempDir(), "test-") assert.NoError(t, err) @@ -38,3 +43,8 @@ func SetupSecret(envKeys []string) *v1.Secret { } return createdSecret } + +func BuildWithScheme(objects ...runtime.Object) *fake.ClientBuilder { + client.InitScheme(scheme) + return fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects(objects...) +}