test/cmd fixes

- Fix test/cmd/admin.sh - Fix images-old-policy - Fix test/cmd/policy.sh - Temp fix for test/cmd/router.sh Signed-off-by: Monis Khan <mkhan@redhat.com>
openshift · Aug 17, 2017 · 806d7be · 806d7be
1 parent c51da07
commit 806d7be
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 24 deletions.
diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go
@@ -864,7 +864,8 @@ func ignoreError(e error, saName string, roleBindingName string) bool {
 		return false
 	}
 	return (details.Kind == "serviceaccounts" && details.Name == saName) ||
-		(details.Kind == "clusterrolebinding" && details.Name == roleBindingName)
+		(details.Kind == "clusterrolebinding" && details.Name == roleBindingName) ||
+		(details.Kind == "clusterrolebindings" && details.Name == roleBindingName) // TODO we should not need to do this
 }
 
 // generateRoleBindingName generates a name for the rolebinding object if it is

diff --git a/test/cmd/admin.sh b/test/cmd/admin.sh
@@ -292,8 +292,7 @@ os::cmd::expect_success 'oadm policy add-role-to-user admin adduser -n ui-test-p
 # Make sure project can be listed by oc (after auth cache syncs)
 os::cmd::try_until_text 'oc get projects' 'ui\-test\-project'
 # Make sure users got added
-os::cmd::expect_success_and_text "oc describe policybinding ':default' -n ui-test-project" 'createuser'
-os::cmd::expect_success_and_text "oc describe policybinding ':default' -n ui-test-project" 'adduser'
+os::cmd::expect_success_and_text "oc get rolebinding admin -n ui-test-project -o jsonpath='{.subjects[*].name}'" '^createuser adduser$'
 echo "ui-project-commands: ok"
 os::test::junit::declare_suite_end
 
@@ -303,7 +302,7 @@ os::cmd::expect_success 'oadm new-project recreated-project --admin="createuser1
 os::cmd::expect_success 'oc delete project recreated-project'
 os::cmd::try_until_failure 'oc get project recreated-project'
 os::cmd::expect_success 'oadm new-project recreated-project --admin="createuser2"'
-os::cmd::expect_success_and_text "oc describe policybinding ':default' -n recreated-project" 'createuser2'
+os::cmd::expect_success_and_text "oc get rolebinding admin -n recreated-project -o jsonpath='{.subjects[*].name}'" '^createuser2$'
 echo "new-project: ok"
 os::test::junit::declare_suite_end
 
@@ -408,31 +407,28 @@ os::cmd::expect_success_and_not_text 'oc get scc/restricted -o yaml' 'topic: my-
 echo "reconcile-scc: ok"
 os::test::junit::declare_suite_end
 
-os::test::junit::declare_suite_start "cmd/admin/policybinding-not-required"
+os::test::junit::declare_suite_start "cmd/admin/rolebinding-allowed"
 # Admin can bind local roles without cluster-admin permissions
 os::cmd::expect_success "oc create -f test/extended/testdata/roles/empty-role.yaml -n '${project}'"
-os::cmd::expect_success "oc delete 'policybinding/${project}:default' -n '${project}'"
 os::cmd::expect_success 'oadm policy add-role-to-user admin local-admin  -n '${project}''
-os::cmd::try_until_text "oc policy who-can get policybindings -n '${project}'" "local-admin"
 os::cmd::expect_success 'oc login -u local-admin -p pw'
 os::cmd::expect_success 'oc policy add-role-to-user empty-role other --role-namespace='${project}' -n '${project}''
 os::cmd::expect_success 'oc login -u system:admin'
 os::cmd::expect_success "oc delete role/empty-role -n '${project}'"
-echo "policybinding-not-required: ok"
+echo "cmd/admin/rolebinding-allowed: ok"
 os::test::junit::declare_suite_end
 
-os::test::junit::declare_suite_start "cmd/admin/policybinding-local-only"
+os::test::junit::declare_suite_start "cmd/admin/rolebinding-local-only"
 # Admin cannot bind local roles from different namespace
 otherproject='someotherproject'
 os::cmd::expect_success "oc new-project '${otherproject}'"
 os::cmd::expect_success "oc create -f test/extended/testdata/roles/empty-role.yaml -n '${project}'"
 os::cmd::expect_success 'oadm policy add-role-to-user admin local-admin  -n '${otherproject}''
-os::cmd::try_until_text "oc policy who-can get policybindings -n '${otherproject}'" "local-admin"
 os::cmd::expect_success 'oc login -u local-admin -p pw'
-os::cmd::expect_failure_and_text 'oc policy add-role-to-user empty-role other --role-namespace='${project}' -n '${otherproject}'' "\"${project}:default\" not found"
+os::cmd::expect_failure_and_text 'oc policy add-role-to-user empty-role other --role-namespace='${project}' -n '${otherproject}'' "invalid origin role binding empty-role: attempts to reference role in namespace \"${project}\" instead of current namespace \"${otherproject}\""
 os::cmd::expect_success 'oc login -u system:admin'
 os::cmd::expect_success "oc delete role/empty-role -n '${project}'"
-echo "policybinding-local-only: ok"
+echo "rolebinding-local-only: ok"
 os::test::junit::declare_suite_end
 
 os::test::junit::declare_suite_start "cmd/admin/user-group-cascade"

diff --git a/test/cmd/images-old-policy.sh b/test/cmd/images-old-policy.sh
@@ -17,6 +17,7 @@ os::test::junit::declare_suite_start "cmd/images-old-policy"
 
 os::cmd::expect_success "oadm policy add-role-to-user admin image-user -n '${project}'"
 os::cmd::expect_success "oc delete clusterrole/admin --cascade=false"
+os::cmd::expect_failure "oc get clusterrole/admin"
 os::cmd::expect_success "oc create -f '${OS_ROOT}/test/testdata/admin-role-minus-create-istag.yaml'"
 
 os::cmd::try_until_text "oc policy who-can get pods -n ${project}" "image-user"

diff --git a/test/cmd/policy.sh b/test/cmd/policy.sh
@@ -160,19 +160,19 @@ cp ${OS_ROOT}/test/testdata/bootstrappolicy/alternate_cluster_admin.yaml ${worki
 os::util::sed "s/RESOURCE_VERSION/${resourceversion}/g" ${workingdir}/alternate_cluster_admin.yaml
 os::cmd::expect_success "oc replace --config=${new_kubeconfig} clusterrole/alternate-cluster-admin -f ${workingdir}/alternate_cluster_admin.yaml"
 
-# alternate-cluster-admin can restrict himself to no groups
+# alternate-cluster-admin can restrict himself to less groups (no star)
 os::cmd::try_until_text "oc policy who-can update clusterrroles" "alternate-cluster-admin-user"
 resourceversion=$(oc get clusterrole/alternate-cluster-admin -o=jsonpath="{.metadata.resourceVersion}")
 cp ${OS_ROOT}/test/testdata/bootstrappolicy/cluster_admin_without_apigroups.yaml ${workingdir}
 os::util::sed "s/RESOURCE_VERSION/${resourceversion}/g" ${workingdir}/cluster_admin_without_apigroups.yaml
 os::cmd::expect_success "oc replace --config=${new_kubeconfig} clusterrole/alternate-cluster-admin -f ${workingdir}/cluster_admin_without_apigroups.yaml"
 
-# alternate-cluster-admin should NOT have the power add back star now
+# alternate-cluster-admin should NOT have the power add back star now (anything other than star is considered less so this mimics testing against no groups)
 os::cmd::try_until_failure "oc policy who-can update hpa.autoscaling | grep -q alternate-cluster-admin-user"
 resourceversion=$(oc get clusterrole/alternate-cluster-admin -o=jsonpath="{.metadata.resourceVersion}")
 cp ${OS_ROOT}/test/testdata/bootstrappolicy/alternate_cluster_admin.yaml ${workingdir}
 os::util::sed "s/RESOURCE_VERSION/${resourceversion}/g" ${workingdir}/alternate_cluster_admin.yaml
-os::cmd::expect_failure_and_text "oc replace --config=${new_kubeconfig} clusterrole/alternate-cluster-admin -f ${workingdir}/alternate_cluster_admin.yaml" "cannot grant extra privileges"
+os::cmd::expect_failure_and_text "oc replace --config=${new_kubeconfig} clusterrole/alternate-cluster-admin -f ${workingdir}/alternate_cluster_admin.yaml" "attempt to grant extra privileges"
 
 # This test validates cluster level policy for serviceaccounts
 # ensure service account cannot list pods at the namespace level

diff --git a/test/extended/testdata/roles/policy-roles.yaml b/test/extended/testdata/roles/policy-roles.yaml
@@ -49,14 +49,6 @@ objects:
       - selfsubjectaccessreviews
       verbs:
       - create
-  - apiVersion: v1
-    groupNames:
-    - system:authenticated
-    kind: PolicyBinding
-    metadata:
-      name: "${NAMESPACE}:default"
-    policyRef:
-      namespace: ${NAMESPACE}
   - apiVersion: v1
     groupNames:
     - system:authenticated

diff --git a/test/testdata/bootstrappolicy/cluster_admin_without_apigroups.yaml b/test/testdata/bootstrappolicy/cluster_admin_without_apigroups.yaml
@@ -5,7 +5,9 @@ metadata:
   name: alternate-cluster-admin
   resourceVersion: "RESOURCE_VERSION"
 rules:
-- apiGroups: []
+- apiGroups:
+  - ''  # Allow mutation of Origin policy so we can proxy to RBAC
+  - 'rbac.authorization.k8s.io'  # Allow mutation of RBAC so we can test escalation
   attributeRestrictions: null
   resources:
   - '*'