
Commit 11f12e6

committed
authorizer/content: clarify test that root is not special
Signed-off-by: Dr. Stefan Schimanski <stefan.schimanski@gmail.com>
1 parent 2d7f797 commit 11f12e6


1 file changed

+14
-14
lines changed


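--- a/pkg/authorization/workspace_content_authorizer_test.go
+++ b/pkg/authorization/workspace_content_authorizer_test.go
@@ -125,7 +125,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 wantReason: "delegating due to user logical cluster access",
 },
 {
-testName: "user with scope to another cluster is denied",
+testName: "user with scope to another cluster is not allowed",
 
 requestedWorkspace: "root:ready",
 requestingUser: &user.DefaultInfo{Name: "user-access", Extra: map[string][]string{
@@ -143,26 +143,26 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 wantReason: "delegating due to local service account access",
 },
 {
-testName: "user is granted access on root",
+testName: "a authenticated user is granted access on root:authenticated",
 
-requestedWorkspace: "root",
+requestedWorkspace: "root:authenticated",
 requestingUser: &user.DefaultInfo{Name: "somebody", Groups: []string{"system:authenticated"}},
 wantDecision: authorizer.DecisionAllow,
 wantReason: "delegating due to user logical cluster access",
 },
 {
-testName: "service account from other cluster is denied on root",
+testName: "service account from other cluster is denied on root:authenticated",
 
-requestedWorkspace: "root",
+requestedWorkspace: "root:authenticated",
 requestingUser: newServiceAccountWithCluster("somebody", "someworkspace", "system:authenticated"),
 wantDecision: authorizer.DecisionDeny,
 wantReason: "foreign service account",
 },
 {
-testName: "service account from root cluster is granted access on root",
+testName: "service account from root:authenticated cluster is granted access on root:authenticated",
 
-requestedWorkspace: "root",
-requestingUser: newServiceAccountWithCluster("somebody", "root", "system:authenticated"),
+requestedWorkspace: "root:authenticated",
+requestingUser: newServiceAccountWithCluster("somebody", "root:authenticated", "system:authenticated"),
 wantDecision: authorizer.DecisionAllow,
 wantReason: "delegating due to local service account access",
 },
@@ -248,9 +248,9 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 &v1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: map[string]string{
-logicalcluster.AnnotationKey: "root",
+logicalcluster.AnnotationKey: "root:authenticated",
 },
-Name: "system:authenticated:access",
+Name: "system:authenticated:root:authenticated:access",
 },
 Subjects: []v1.Subject{
 {
@@ -270,7 +270,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 Annotations: map[string]string{
 logicalcluster.AnnotationKey: "root:ready",
 },
-Name: "user-access-ready-access",
+Name: "user-access:root:ready:access",
 },
 Subjects: []v1.Subject{
 {
@@ -290,7 +290,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 Annotations: map[string]string{
 logicalcluster.AnnotationKey: "root:initializing",
 },
-Name: "user-access-initializing-access",
+Name: "user-access:root:initializing:access",
 },
 Subjects: []v1.Subject{
 {
@@ -310,7 +310,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 Annotations: map[string]string{
 logicalcluster.AnnotationKey: "rootwithoutparent",
 },
-Name: "system:authenticated:access",
+Name: "user-access:rootwithoutparent:access",
 },
 Subjects: []v1.Subject{
 {
@@ -343,7 +343,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 
 localIndexer := cache.NewIndexer(kcpcache.MetaClusterNamespaceKeyFunc, cache.Indexers{})
 require.NoError(t, localIndexer.Add(&corev1alpha1.LogicalCluster{
-ObjectMeta: metav1.ObjectMeta{Name: corev1alpha1.LogicalClusterName, Annotations: map[string]string{logicalcluster.AnnotationKey: "root"}},
+ObjectMeta: metav1.ObjectMeta{Name: corev1alpha1.LogicalClusterName, Annotations: map[string]string{logicalcluster.AnnotationKey: "root:authenticated"}},
 Status: corev1alpha1.LogicalClusterStatus{Phase: corev1alpha1.LogicalClusterPhaseReady},
 }))
 require.NoError(t, localIndexer.Add(&corev1alpha1.LogicalCluster{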
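Review bot: None of the cases visible in these hunks requests `root` any more, because every `requestedWorkspace: "root"` entry and the matching binding and LogicalCluster fixtures were moved to `root:authenticated`; the property named in the commit title is therefore shown only by absence. A negative case would pin it, for example `requestedWorkspace: "root",` with `requestingUser: &user.DefaultInfo{Name: "somebody", Groups: []string{"system:authenticated"}},` and a non-allow `wantDecision`. The exact decision and reason depend on fixtures outside the hunks, and the rest of the table is not visible, so such a case may already exist. Without it, a regression that reintroduced implicit access on `root` for any authenticated user would still pass this test. Separately, the new name at line 146 should read `testName: "an authenticated user is granted access on root:authenticated",`.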
