authorization: rm anonymous user test cases

With AUTH 509, we are removing unauthenticed user group from every role binding, making it impossible for system:anonymous to make a SelfAccessReview
openshift · Apr 3, 2024 · e6db344 · e6db344
1 parent 568217e
commit e6db344
Showing 1 changed file with 1 addition and 34 deletions.
diff --git a/test/extended/authorization/authorization.go b/test/extended/authorization/authorization.go
@@ -525,7 +525,7 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] authorization", f
 				AddUserAdminToProject(oc, malletProjectName, markName)
 				// TODO should be done by mark
 				edgarEditRoleBindingName := AddUserEditToProject(oc, malletProjectName, edgarName)
-				anonEditRoleBindingName := AddUserEditToProject(oc, hammerProjectName, "system:anonymous")
+				// anonEditRoleBindingName := AddUserEditToProject(oc, hammerProjectName, "system:anonymous")
 				dannyViewRoleBindingName := AddUserViewToProject(oc, "default", dannyName)
 
 				g.By("creating clients")
@@ -727,17 +727,6 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] authorization", f
 						Namespace: hammerProjectName,
 					},
 				}.run(t)
-				subjectAccessReviewTest{
-					description:       "system:anonymous told he can create pods in project hammer-project",
-					localInterface:    anonymousAuthorizationClient.LocalSubjectAccessReviews(hammerProjectName),
-					localReview:       askCanICreatePods,
-					kubeAuthInterface: anonymousSARGetter,
-					response: authorizationv1.SubjectAccessReviewResponse{
-						Allowed:   true,
-						Reason:    `RBAC: allowed by RoleBinding "` + anonEditRoleBindingName + `/` + hammerProjectName + `" of ClusterRole "edit" to User "system:anonymous"`,
-						Namespace: hammerProjectName,
-					},
-				}.run(t)
 
 				// test checking self permissions when denied
 				subjectAccessReviewTest{
@@ -751,17 +740,6 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] authorization", f
 						Namespace: malletProjectName,
 					},
 				}.run(t)
-				subjectAccessReviewTest{
-					description:       "system:anonymous told he cannot create pods in project mallet-project",
-					localInterface:    anonymousAuthorizationClient.LocalSubjectAccessReviews(malletProjectName),
-					localReview:       askCanICreatePods,
-					kubeAuthInterface: anonymousSARGetter,
-					response: authorizationv1.SubjectAccessReviewResponse{
-						Allowed:   false,
-						Reason:    "",
-						Namespace: malletProjectName,
-					},
-				}.run(t)
 
 				// test checking self-permissions doesn't leak whether namespace exists or not
 				// We carry a patch to allow this
@@ -776,17 +754,6 @@ var _ = g.Describe("[sig-auth][Feature:OpenShiftAuthorization] authorization", f
 						Namespace: "nonexistent-project",
 					},
 				}.run(t)
-				subjectAccessReviewTest{
-					description:       "system:anonymous told he cannot create pods in project nonexistent-project",
-					localInterface:    anonymousAuthorizationClient.LocalSubjectAccessReviews("nonexistent-project"),
-					localReview:       askCanICreatePods,
-					kubeAuthInterface: anonymousSARGetter,
-					response: authorizationv1.SubjectAccessReviewResponse{
-						Allowed:   false,
-						Reason:    "",
-						Namespace: "nonexistent-project",
-					},
-				}.run(t)
 
 				askCanICreatePolicyBindings := &authorizationv1.LocalSubjectAccessReview{
 					Action: authorizationv1.Action{Verb: "create", Resource: "policybindings"},