add tests
juanvallejo committed Sep 12, 2017
1 parent 7708358 commit 0f87e27
Showing 3 changed files with 71 additions and 5 deletions.
3 changes: 3 additions & 0 deletions pkg/oc/admin/policy/modify_scc_test.go
@@ -1,6 +1,7 @@
package policy

import (
"bytes"
"reflect"
"testing"

@@ -133,6 +134,8 @@ func TestModifySCC(t *testing.T) {
SCCInterface: fakeClient,
DefaultSubjectNamespace: "",
Subjects: tc.subjects,

Out: &bytes.Buffer{},
}

var err error
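Review bot: The `&bytes.Buffer{}` passed as `Out` is constructed inline and nothing in the visible lines reads it back, so whatever the command prints is discarded rather than asserted on. If the printed messages matter (test/cmd/policy.sh in this commit checks them from the CLI side), hold the buffer in a variable, `out := &bytes.Buffer{}`, pass `Out: out`, and compare `out.String()` per test case. TestModifySCC starts and ends outside the hunk, so an assertion elsewhere in the function cannot be ruled out.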
7 changes: 3 additions & 4 deletions pkg/oc/admin/policy/review.go
@@ -110,10 +110,9 @@ func (o *sccReviewOptions) Complete(f *clientcmd.Factory, args []string, cmd *co
o.RESTClientFactory = f.ClientForMapping

output := kcmdutil.GetFlagString(cmd, "output")
if len(output) != 0 {
if output != "json" && output != "yaml" {
return fmt.Errorf("invalid output format %q, only yaml|json supported", output)
}
wide := len(output) > 0 && output == "wide"

if len(output) != 0 && !wide {
printer, err := f.PrinterForCommand(cmd, false, nil, kprinters.PrintOptions{})
if err != nil {
return err
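Review bot: Unsupported `--output` values are no longer rejected in Complete itself: with the explicit `json`/`yaml` check gone, every non-empty value other than `wide` is handed to `f.PrinterForCommand`, so whether a mistyped or unsupported format fails cleanly depends on that call, which this hunk does not show. For a command that reports SCC review results, a case in test/cmd/policy.sh that passes an unsupported format and expects failure would pin that behaviour. Separately, the `len(output) > 0 &&` guard in the new `wide` assignment is redundant because an empty string never equals "wide"; `wide := output == "wide"` is equivalent. Complete's body starts and ends outside the hunk, so how `wide` is used afterwards is not visible.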
66 changes: 65 additions & 1 deletion test/cmd/policy.sh
@@ -3,6 +3,18 @@ source "$(dirname "${BASH_SOURCE}")/../../hack/lib/init.sh"
trap os::test::junit::reconcile_output EXIT

project="$( oc project -q )"
testpod="apiVersion: v1
kind: Pod
metadata:
name: testpod
spec:
containers:
- image: node
imagePullPolicy: IfNotPresent
name: testpod
volumes:
- emptyDir: {}
name: tmp"

os::test::junit::declare_suite_start "cmd/policy"
# This test validates user level policy
@@ -76,6 +88,59 @@ os::cmd::expect_success_and_not_text 'oc adm policy who-can create builds/docker
os::cmd::expect_success_and_not_text 'oc adm policy who-can create builds/source' 'system:authenticated'
os::cmd::expect_success_and_not_text 'oc adm policy who-can create builds/jenkinspipeline' 'system:authenticated'

# validate --output and --dry-run flags for oc-adm-policy sub-commands
os::cmd::expect_success_and_text 'oc adm policy remove-role-from-user admin namespaced-user -o yaml' 'name: admin'
os::cmd::expect_success_and_text 'oc adm policy add-role-to-user admin namespaced-user -o yaml' 'name: namespaced-user'

os::cmd::expect_success_and_text 'oc adm policy remove-role-from-user admin namespaced-user --dry-run' 'role "admin" removed: "namespaced\-user" \(dry run\)'
os::cmd::expect_success_and_text 'oc adm policy add-role-to-user admin namespaced-user --dry-run' 'role "admin" added: "namespaced\-user" \(dry run\)'

# ensure that running an `oc adm policy` sub-command with --output does not actually perform any changes
os::cmd::expect_success_and_text 'oc adm policy who-can create pods -o yaml' '\- namespaced\-user'

os::cmd::expect_success_and_text 'oc adm policy scc-subject-review -u namespaced-user --output yaml -f - << __EOF__
$testpod
__EOF__' 'name: testpod'
os::cmd::expect_success_and_text 'oc adm policy scc-subject-review -u namespaced-user --output wide -f - << __EOF__
$testpod
__EOF__' 'Pod/testpod'

os::cmd::expect_success_and_text 'oc adm policy scc-review --output yaml -f - << __EOF__
$testpod
__EOF__' 'allowedServiceAccounts: \[\]'

os::cmd::expect_success_and_text 'oc adm policy add-role-to-group view testgroup -o yaml' 'name: view'
os::cmd::expect_success_and_text 'oc adm policy add-cluster-role-to-group cluster-reader testgroup -o yaml' '\- testgroup'
os::cmd::expect_success_and_text 'oc adm policy add-cluster-role-to-user cluster-reader namespaced-user -o yaml' 'name: namespaced\-user'

os::cmd::expect_success_and_text 'oc adm policy add-role-to-group view testgroup --dry-run' 'role "view" added: "testgroup" \(dry run\)'
os::cmd::expect_success_and_text 'oc adm policy add-cluster-role-to-group cluster-reader testgroup --dry-run' 'cluster role "cluster\-reader" added: "testgroup" \(dry run\)'
os::cmd::expect_success_and_text 'oc adm policy add-cluster-role-to-user cluster-reader namespaced-user --dry-run' 'cluster role "cluster\-reader" added: "namespaced\-user" \(dry run\)'

os::cmd::expect_success 'oc adm policy add-role-to-group view testgroup'
os::cmd::expect_success_and_text 'oc adm policy remove-role-from-group view testgroup -o yaml' 'subjects: \[\]'
os::cmd::expect_success_and_text 'oc adm policy remove-cluster-role-from-group cluster-reader testgroup -o yaml' 'name: cluster\-readers'
os::cmd::expect_success_and_text 'oc adm policy remove-cluster-role-from-user cluster-reader namespaced-user -o yaml' 'name: cluster\-reader'

os::cmd::expect_success_and_text 'oc adm policy remove-role-from-group view testgroup --dry-run' 'role "view" removed: "testgroup" \(dry run\)'
os::cmd::expect_success_and_text 'oc adm policy remove-cluster-role-from-group cluster-reader testgroup --dry-run' 'cluster role "cluster\-reader" removed: "testgroup" \(dry run\)'
os::cmd::expect_success_and_text 'oc adm policy remove-cluster-role-from-user cluster-reader namespaced-user --dry-run' 'cluster role "cluster\-reader" removed: "namespaced\-user" \(dry run\)'

os::cmd::expect_success_and_text 'oc adm policy remove-user namespaced-user -o yaml' "namespace: ${project}"
os::cmd::expect_success_and_text 'oc adm policy remove-user namespaced-user --dry-run' "Removing admin from users \[namespaced\-user\] in project ${project}"

os::cmd::expect_success_and_text 'oc adm policy add-scc-to-user anyuid namespaced-user -o yaml' '\- namespaced\-user'
os::cmd::expect_success_and_text 'oc adm policy add-scc-to-user anyuid namespaced-user --dry-run' 'scc "anyuid" added to: \["namespaced\-user"\] \(dry run\)'

os::cmd::expect_success_and_text 'oc adm policy add-scc-to-group anyuid testgroup -o yaml' '\- testgroup'
os::cmd::expect_success_and_text 'oc adm policy add-scc-to-group anyuid testgroup --dry-run' 'scc "anyuid" added to groups: \["testgroup"\] \(dry run\)'

os::cmd::expect_success_and_not_text 'oc adm policy remove-scc-from-user anyuid namespaced-user -o yaml' '\- namespaced\-user'
os::cmd::expect_success_and_text 'oc adm policy remove-scc-from-user anyuid namespaced-user --dry-run' 'scc "anyuid" removed from: \["namespaced\-user"\] \(dry run\)'

os::cmd::expect_success_and_not_text 'oc adm policy remove-scc-from-group anyuid testgroup -o yaml' '\- testgroup'
os::cmd::expect_success_and_text 'oc adm policy remove-scc-from-group anyuid testgroup --dry-run' 'scc "anyuid" removed from groups: \["testgroup"\] \(dry run\)'

# ensure system:authenticated users can not create custom builds by default, but can if explicitly granted access
os::cmd::expect_success_and_not_text 'oc adm policy who-can create builds/custom' 'system:authenticated'
os::cmd::expect_success_and_text 'oc adm policy add-cluster-role-to-group system:build-strategy-custom system:authenticated' 'cluster role "system:build-strategy-custom" added: "system:authenticated"'
@@ -139,7 +204,6 @@ os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testda
os::cmd::expect_success "oc login -u system:admin -n '${project}'"
os::cmd::expect_success 'oc delete project policy-second'


# adjust the cluster-admin role to check defaulting and coverage checks
# this is done here instead of an integration test because we need to make sure the actual yaml serializations work
workingdir=$(mktemp -d)
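Review bot: The `-o yaml` cases for the SCC sub-commands assert only on the printed object, so they would still pass if `add-scc-to-user anyuid namespaced-user -o yaml` actually persisted the grant, which is the opposite of what the comment above the `who-can create pods -o yaml` line promises. Only the role case is checked against server state, through that `who-can` call after `remove-role-from-user ... -o yaml`. Since `anyuid` grants a less restricted security context, follow the `-o yaml` and `--dry-run` calls with a read-back, for example `os::cmd::expect_success_and_not_text 'oc get scc anyuid -o yaml' 'namespaced-user'`, and the same for `testgroup`. The real `add-role-to-group view testgroup` call is also never undone in the visible lines, because both removals that follow it use `-o yaml` or `--dry-run`.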
