apiserver/plugin/pkg/authorizer/webhook/webhook_test.go

/*
Copyright 2024 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package webhook

import (
	"errors"
	"reflect"
	"testing"

	authorizationv1 "k8s.io/api/authorization/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/fields"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/selection"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	genericfeatures "k8s.io/apiserver/pkg/features"
	utilfeature "k8s.io/apiserver/pkg/util/feature"
	featuregatetesting "k8s.io/component-base/featuregate/testing"
)

func mustLabelRequirement(selector string) labels.Requirements {
	ret, err := labels.Parse(selector)
	if err != nil {
		panic(err)
	}
	requirements, _ := ret.Requirements()
	return requirements
}

func Test_resourceAttributesFrom(t *testing.T) {
	type args struct {
		attr authorizer.Attributes
	}
	tests := []struct {
		name                        string
		args                        args
		want                        *authorizationv1.ResourceAttributes
		enableAuthorizationSelector bool
	}{
		{
			name: "field selector: don't parse when disabled",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						fields.OneTermEqualSelector("foo", "bar").Requirements()[0],
					},
					FieldSelectorParsingErr: nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{},
		},
		{
			name: "label selector: don't parse when disabled",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo in (bar,baz)"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{},
		},
		{
			name: "field selector: ignore error",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						fields.OneTermEqualSelector("foo", "bar").Requirements()[0],
					},
					FieldSelectorParsingErr: errors.New("failed"),
				},
			},
			want: &authorizationv1.ResourceAttributes{
				FieldSelector: &authorizationv1.FieldSelectorAttributes{
					Requirements: []metav1.FieldSelectorRequirement{{Key: "foo", Operator: "In", Values: []string{"bar"}}},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: ignore error",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo in (bar,baz)"),
					LabelSelectorParsingErr:   errors.New("failed"),
				},
			},
			want: &authorizationv1.ResourceAttributes{
				LabelSelector: &authorizationv1.LabelSelectorAttributes{
					Requirements: []metav1.LabelSelectorRequirement{{Key: "foo", Operator: "In", Values: []string{"bar", "baz"}}},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "field selector: equals, double equals, in",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						{Operator: selection.Equals, Field: "foo", Value: "bar"},
						{Operator: selection.DoubleEquals, Field: "one", Value: "two"},
						{Operator: selection.In, Field: "apple", Value: "banana"},
					},
					FieldSelectorParsingErr: nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				FieldSelector: &authorizationv1.FieldSelectorAttributes{
					Requirements: []metav1.FieldSelectorRequirement{
						{
							Key:      "foo",
							Operator: "In",
							Values:   []string{"bar"},
						},
						{
							Key:      "one",
							Operator: "In",
							Values:   []string{"two"},
						},
						{
							Key:      "apple",
							Operator: "In",
							Values:   []string{"banana"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "field selector: not equals, not in",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						{Operator: selection.NotEquals, Field: "foo", Value: "bar"},
						{Operator: selection.NotIn, Field: "apple", Value: "banana"},
					},
					FieldSelectorParsingErr: nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				FieldSelector: &authorizationv1.FieldSelectorAttributes{
					Requirements: []metav1.FieldSelectorRequirement{
						{
							Key:      "foo",
							Operator: "NotIn",
							Values:   []string{"bar"},
						},
						{
							Key:      "apple",
							Operator: "NotIn",
							Values:   []string{"banana"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "field selector: unknown operator skipped",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						{Operator: selection.NotEquals, Field: "foo", Value: "bar"},
						{Operator: selection.Operator("bad"), Field: "apple", Value: "banana"},
					},
					FieldSelectorParsingErr: nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				FieldSelector: &authorizationv1.FieldSelectorAttributes{
					Requirements: []metav1.FieldSelectorRequirement{
						{
							Key:      "foo",
							Operator: "NotIn",
							Values:   []string{"bar"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "field selector: no requirements has no fieldselector",
			args: args{
				attr: authorizer.AttributesRecord{
					FieldSelectorRequirements: fields.Requirements{
						{Operator: selection.Operator("bad"), Field: "apple", Value: "banana"},
					},
					FieldSelectorParsingErr: nil,
				},
			},
			want:                        &authorizationv1.ResourceAttributes{},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: in, equals, double equals",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo in (bar,baz), one=two, apple==banana"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				LabelSelector: &authorizationv1.LabelSelectorAttributes{
					Requirements: []metav1.LabelSelectorRequirement{
						{
							Key:      "apple",
							Operator: "In",
							Values:   []string{"banana"},
						},
						{
							Key:      "foo",
							Operator: "In",
							Values:   []string{"bar", "baz"},
						},
						{
							Key:      "one",
							Operator: "In",
							Values:   []string{"two"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: not in, not equals",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo notin (bar,baz), one!=two"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				LabelSelector: &authorizationv1.LabelSelectorAttributes{
					Requirements: []metav1.LabelSelectorRequirement{
						{
							Key:      "foo",
							Operator: "NotIn",
							Values:   []string{"bar", "baz"},
						},
						{
							Key:      "one",
							Operator: "NotIn",
							Values:   []string{"two"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: exists, not exists",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo, !one"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				LabelSelector: &authorizationv1.LabelSelectorAttributes{
					Requirements: []metav1.LabelSelectorRequirement{
						{
							Key:      "foo",
							Operator: "Exists",
						},
						{
							Key:      "one",
							Operator: "DoesNotExist",
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: unknown operator skipped",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("foo != bar, apple > 1"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want: &authorizationv1.ResourceAttributes{
				LabelSelector: &authorizationv1.LabelSelectorAttributes{
					Requirements: []metav1.LabelSelectorRequirement{
						{
							Key:      "foo",
							Operator: "NotIn",
							Values:   []string{"bar"},
						},
					},
				},
			},
			enableAuthorizationSelector: true,
		},
		{
			name: "label selector: no requirements has no labelselector",
			args: args{
				attr: authorizer.AttributesRecord{
					LabelSelectorRequirements: mustLabelRequirement("apple > 1"),
					LabelSelectorParsingErr:   nil,
				},
			},
			want:                        &authorizationv1.ResourceAttributes{},
			enableAuthorizationSelector: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tt.enableAuthorizationSelector)

			if got := resourceAttributesFrom(tt.args.attr); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("resourceAttributesFrom() = %v, want %v", got, tt.want)
			}
		})
	}
}