validate nonResourceURL in create clusterrole

jimethn · Aug 18, 2017 · 42c41a0 · 42c41a0
1 parent 2820b45
commit 42c41a0
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/pkg/kubectl/cmd/create_clusterrole.go b/pkg/kubectl/cmd/create_clusterrole.go
@@ -19,6 +19,7 @@ package cmd
 import (
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/spf13/cobra"
 
@@ -133,6 +134,20 @@ func (c *CreateClusterRoleOptions) Validate() error {
 				return fmt.Errorf("invalid verb: '%s' for nonResourceURL", v)
 			}
 		}
+
+		for _, nonResourceURL := range c.NonResourceURLs {
+			if nonResourceURL == "*" {
+				continue
+			}
+
+			if nonResourceURL == "" || !strings.HasPrefix(nonResourceURL, "/") {
+				return fmt.Errorf("nonResourceURL should start with /")
+			}
+
+			if strings.ContainsRune(nonResourceURL[:len(nonResourceURL)-1], '*') {
+				return fmt.Errorf("nonResourceURL only supports wildcard matches when '*' is at the end")
+			}
+		}
 	}
 
 	return nil

diff --git a/pkg/kubectl/cmd/create_clusterrole_test.go b/pkg/kubectl/cmd/create_clusterrole_test.go
@@ -375,6 +375,46 @@ func TestClusterRoleValidate(t *testing.T) {
 			},
 			expectErr: false,
 		},
+		"test-invalid-empty-non-resource-url": {
+			clusterRoleOptions: &CreateClusterRoleOptions{
+				CreateRoleOptions: &CreateRoleOptions{
+					Name:  "my-clusterrole",
+					Verbs: []string{"create"},
+				},
+				NonResourceURLs: []string{""},
+			},
+			expectErr: true,
+		},
+		"test-invalid-non-resource-url": {
+			clusterRoleOptions: &CreateClusterRoleOptions{
+				CreateRoleOptions: &CreateRoleOptions{
+					Name:  "my-clusterrole",
+					Verbs: []string{"create"},
+				},
+				NonResourceURLs: []string{"logs"},
+			},
+			expectErr: true,
+		},
+		"test-invalid-non-resource-url-with-*": {
+			clusterRoleOptions: &CreateClusterRoleOptions{
+				CreateRoleOptions: &CreateRoleOptions{
+					Name:  "my-clusterrole",
+					Verbs: []string{"create"},
+				},
+				NonResourceURLs: []string{"/logs/*/"},
+			},
+			expectErr: true,
+		},
+		"test-invalid-non-resource-url-with-multiple-*": {
+			clusterRoleOptions: &CreateClusterRoleOptions{
+				CreateRoleOptions: &CreateRoleOptions{
+					Name:  "my-clusterrole",
+					Verbs: []string{"create"},
+				},
+				NonResourceURLs: []string{"/logs*/*"},
+			},
+			expectErr: true,
+		},
 		"test-invalid-verb-for-non-resource-url": {
 			clusterRoleOptions: &CreateClusterRoleOptions{
 				CreateRoleOptions: &CreateRoleOptions{
@@ -397,7 +437,7 @@ func TestClusterRoleValidate(t *testing.T) {
 						},
 					},
 				},
-				NonResourceURLs: []string{"/logs/"},
+				NonResourceURLs: []string{"/logs/", "/logs/*"},
 			},
 			expectErr: false,
 		},