Skip to content
This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Make cluster-scoped permission encompass project-scoped #2207

Merged
merged 1 commit into from
Oct 5, 2023
Merged

Make cluster-scoped permission encompass project-scoped #2207

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion pkg/apis/internal.acorn.io/v1/appspec.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -315,7 +315,7 @@ func (p PolicyRule) Grants(currentNamespace string, requested PolicyRule) bool {

for _, ns := range p.ResolveNamespaces(currentNamespace) {
for _, requestedNamespace := range requested.ResolveNamespaces(currentNamespace) {
if ns == requestedNamespace &&
if (ns == requestedNamespace || ns == "") &&
matches(p.Verbs, requested.Verbs, false) &&
matches(p.APIGroups, requested.APIGroups, false) &&
matches(p.Resources, requested.Resources, false) &&
Expand Down
102 changes: 102 additions & 0 deletions pkg/apis/internal.acorn.io/v1/appspec_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,3 +149,105 @@ func TestSimplify(t *testing.T) {
},
}))
}

func TestGrantsAllClusterGrantsProject(t *testing.T) {
requested := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"project"},
},
},
},
}

granted := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"cluster"},
},
},
},
}
gotMissing, _ := GrantsAll("acorn", requested, granted)
assert.Equal(t, []Permissions(nil), gotMissing, "cluster permissions should grant project permissions")
}

func TestGrantsAllClusterGrantsNamespace(t *testing.T) {
requested := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"namespace:bar"},
},
},
},
}

granted := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"cluster"},
},
},
},
}
gotMissing, _ := GrantsAll("acorn", requested, granted)
assert.Equal(t, []Permissions(nil), gotMissing, "cluster permissions should grant namespace permissions")
}

func TestGrantsAllProjectNotGrantCluster(t *testing.T) {
requested := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"cluster"},
},
},
},
}

granted := []Permissions{
{
ServiceName: "foo",
Rules: []PolicyRule{
{
PolicyRule: rbacv1.PolicyRule{
Verbs: []string{"get"},
APIGroups: []string{"group-a"},
},
Scopes: []string{"project"},
},
},
},
}
gotMissing, _ := GrantsAll("acorn", requested, granted)
assert.Equal(t, requested, gotMissing, "project permissions should not grant cluster permissions")
}