Add authorization checking to Kubernetes package (#2207)

* Initial implementation of OpenShift authz checking * Remove unused interactions in delete cassettes * Add CanDeploy to filter deployable environments, maintain full list in kubeClient * Implement authz check for DeleteDeployment * Implement remaining methods, add tests for access control failure on builds * Fix URLProvider changes, add tests for CanDeploy * Better test error conditions * Clean up code * Add more internal environments to kubeclient tests * Improve documentation, avoid boolean parameter for getting namespace * Also check for wildcard rules * Reduce size of go-vcr cassettes
fabric8-services · Sep 10, 2018 · 426e11b · 426e11b
1 parent c2816aa
commit 426e11b
Show file tree

Hide file tree

Showing 34 changed files with 8,786 additions and 9,099 deletions.
diff --git a/controller/deployments_urlprovider.go b/controller/deployments_urlprovider.go
@@ -199,23 +199,20 @@ func (up *tenantURLProvider) GetEnvironmentMapping() map[string]string {
 			log.Error(nil, map[string]interface{}{
 				"namespace": envNS,
 			}, "namespace has no type")
-		} else if !isInternalNamespace(*envName) {
+		} else {
 			result[*envName] = envNS
 		}
 	}
 	return result
 }
 
 // Types of namespaces where the user does not deploy applications
-var internalNamespaceTypes = []string{"user", "che", "jenkins"}
+var internalNamespaceTypes = map[string]struct{}{"user": {}, "che": {}, "jenkins": {}}
 
-func isInternalNamespace(envType string) bool {
-	for _, internalType := range internalNamespaceTypes {
-		if envType == internalType {
-			return true
-		}
-	}
-	return false
+// CanDeploy returns true if the environment type provided can be deployed to as part of a pipeline
+func (up *tenantURLProvider) CanDeploy(envType string) bool {
+	_, pres := internalNamespaceTypes[envType]
+	return !pres
 }
 
 func (up *tenantURLProvider) GetAPIToken() (*string, error) {

diff --git a/controller/deployments_urlprovider_test.go b/controller/deployments_urlprovider_test.go
@@ -225,22 +225,31 @@ func TestTenantGetEnvironmentMapping(t *testing.T) {
 			testName:  "Basic",
 			inputFile: "user-services.json",
 			expectedMap: map[string]string{
-				"run":   "theuser-run",
-				"stage": "theuser-stage",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"stage":   "theuser-stage",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 		{
 			testName:  "No Type",
 			inputFile: "user-services-no-type.json",
 			expectedMap: map[string]string{
-				"run": "theuser-run",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 		{
 			testName:  "Empty Type",
 			inputFile: "user-services-empty-type.json",
 			expectedMap: map[string]string{
-				"run": "theuser-run",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 	}
@@ -259,6 +268,29 @@ func TestTenantGetEnvironmentMapping(t *testing.T) {
 	}
 }
 
+func TestTenantCanDeploy(t *testing.T) {
+	testCases := []struct {
+		envType  string
+		expected bool
+	}{
+		{"user", false},
+		{"test", true},
+		{"stage", true},
+		{"run", true},
+		{"che", false},
+		{"jenkins", false},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.envType, func(t *testing.T) {
+			provider, err := getDefaultTenantProvider()
+			require.NoError(t, err)
+			result := provider.CanDeploy(testCase.envType)
+			require.Equal(t, testCase.expected, result, "Incorrect result from CanDeploy")
+		})
+	}
+}
+
 //////////////////////////////////////////////////////////////////////////////////////////////////
 
 func tostring(item interface{}) string {