/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validation
import (
"testing"
"k8s.io/apiserver/pkg/apis/audit"
)
// TestValidatePolicy runs ValidatePolicy against a set of policies that must
// be accepted and a set that must be rejected. Only the presence or absence
// of validation errors is asserted; the content of the errors (which field,
// which message) is not checked, so a rule could be rejected for a reason
// other than the one its comment describes.
func TestValidatePolicy(t *testing.T) {
	// oneRuleEach wraps every rule in its own single-rule policy so that
	// each rule is validated in isolation.
	oneRuleEach := func(rules []audit.PolicyRule) []audit.Policy {
		policies := make([]audit.Policy, 0, len(rules))
		for _, r := range rules {
			policies = append(policies, audit.Policy{Rules: []audit.PolicyRule{r}})
		}
		return policies
	}

	validRules := []audit.PolicyRule{
		{ // Defaulting rule
			Level: audit.LevelMetadata,
		},
		{ // Matching non-humans
			Level:      audit.LevelNone,
			UserGroups: []string{"system:serviceaccounts", "system:nodes"},
		},
		{ // Specific request
			Level:      audit.LevelRequestResponse,
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{Group: "rbac.authorization.k8s.io", Resources: []string{"roles", "rolebindings"}}},
			Namespaces: []string{"kube-system"},
		},
		{ // Some non-resource URLs
			Level:           audit.LevelMetadata,
			UserGroups:      []string{"developers"},
			NonResourceURLs: []string{"/logs*", "/healthz*", "/metrics", "*"},
		},
		{ // Omit RequestReceived stage
			Level:      audit.LevelMetadata,
			OmitStages: []audit.Stage{audit.Stage("RequestReceived")},
		},
	}

	successCases := oneRuleEach(validRules)
	successCases = append(successCases,
		audit.Policy{}, // Empty policy is valid.
		audit.Policy{OmitStages: []audit.Stage{audit.Stage("RequestReceived")}}, // Policy with omitStages
		audit.Policy{Rules: validRules}, // Multiple rules.
	)

	for i := range successCases {
		if errs := ValidatePolicy(&successCases[i]); len(errs) != 0 {
			t.Errorf("[%d] Expected policy %#v to be valid: %v", i, successCases[i], errs)
		}
	}

	invalidRules := []audit.PolicyRule{
		{}, // Empty rule (missing Level)
		{ // Missing level
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{Resources: []string{"secrets"}}},
			Namespaces: []string{"kube-system"},
		},
		{ // Invalid Level
			Level: "FooBar",
		},
		{ // NonResourceURLs + Namespaces
			Level:           audit.LevelMetadata,
			Namespaces:      []string{"default"},
			NonResourceURLs: []string{"/logs*"},
		},
		{ // NonResourceURLs + ResourceKinds
			Level:           audit.LevelMetadata,
			Resources:       []audit.GroupResources{{Resources: []string{"secrets"}}},
			NonResourceURLs: []string{"/logs*"},
		},
		{ // invalid group name
			Level:     audit.LevelMetadata,
			Resources: []audit.GroupResources{{Group: "rbac.authorization.k8s.io/v1beta1", Resources: []string{"roles"}}},
		},
		{ // invalid non-resource URLs (no leading slash)
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"logs", "/healthz*"},
		},
		{ // empty non-resource URLs
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"", "/healthz*"},
		},
		{ // invalid non-resource URLs with multi "*"
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"/logs/*/*", "/metrics"},
		},
		{ // invalid non-resource URLs with "*" not in the end
			Level:           audit.LevelMetadata,
			NonResourceURLs: []string{"/logs/*.log", "/metrics"},
		},
		{ // ResourceNames without Resources
			Level:      audit.LevelMetadata,
			Verbs:      []string{"get"},
			Resources:  []audit.GroupResources{{ResourceNames: []string{"leader"}}},
			Namespaces: []string{"kube-system"},
		},
		{ // invalid omitStages in rule
			Level:      audit.LevelMetadata,
			OmitStages: []audit.Stage{audit.Stage("foo")},
		},
	}

	errorCases := oneRuleEach(invalidRules)

	// Multiple rules: every valid rule plus one empty (invalid) rule.
	errorCases = append(errorCases, audit.Policy{Rules: append(validRules, audit.PolicyRule{})})

	// invalid omitStages in policy (the single rule itself is valid)
	errorCases = append(errorCases, audit.Policy{
		OmitStages: []audit.Stage{audit.Stage("foo")},
		Rules: []audit.PolicyRule{
			{Level: audit.LevelMetadata},
		},
	})

	for i := range errorCases {
		if errs := ValidatePolicy(&errorCases[i]); len(errs) == 0 {
			t.Errorf("[%d] Expected policy %#v to be invalid!", i, errorCases[i])
		}
	}
}
|