Add test for user removed from project

This test validates that a user that is added a project can see the
cluster and once removed can no longer see the cluster.

.gitignore

@@ -18,3 +18,4 @@
 __pycache__
 /management-state
 /rancher
+*.pytest_cache

tests/core/conftest.py

@@ -88,7 +88,7 @@ def cluster_and_client(cluster_id, mgmt_client):
 
 @pytest.fixture
 def admin_pc(request, admin_cc):
-    """Returns a ProjectContect for a newly created project in the local
+    """Returns a ProjectContext for a newly created project in the local
     cluster for the default global admin user. The project will be deleted
     when this fixture is cleaned up."""
     admin = admin_cc.management.client
@@ -106,13 +106,15 @@ def admin_pc(request, admin_cc):
 
 
 @pytest.fixture
-def user_mc(admin_mc):
+def user_mc(admin_mc, remove_resource):
     """Returns a ManagementContext for a newly created standard user"""
     admin = admin_mc.client
     username = random_str()
     password = random_str()
     user = admin.create_user(username=username, password=password)
-    admin.create_global_role_binding(userId=user.id, globalRoleId='user')
+    remove_resource(user)
+    grb = admin.create_global_role_binding(userId=user.id, globalRoleId='user')
+    remove_resource(grb)
     response = requests.post(AUTH_URL, json={
         'username': username,
         'password': password,
@@ -188,7 +190,13 @@ def remove_resource(admin_mc, request):
     client = admin_mc.client
 
     def _cleanup(resource):
-        request.addfinalizer(lambda: client.delete(resource))
+        def clean():
+            try:
+                client.delete(resource)
+            except ApiError as e:
+                if e.error.status != 404:
+                    raise e
+        request.addfinalizer(clean)
 
     return _cleanup
 

tests/core/test_rbac.py

@@ -1,4 +1,5 @@
 import kubernetes
+from rancher import ApiError
 from .common import random_str
 from .conftest import wait_until_available,\
     cluster_and_client, kubernetes_api_client, wait_for
@@ -112,3 +113,54 @@ def can_create_ns():
     })
     response = auth.create_self_subject_access_review(access_review)
     assert response.status.allowed is True
+
+
+def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
+                                    remove_resource):
+    """Test that a user added to a project in a cluster is able to see that
+    cluster and after being removed from the project they are no longer able
+    to see the cluster.
+    """
+
+    # Yes, this is misspelled, it's how the actual label is spelled.
+    mbo = 'memberhsip-binding-owner'
+
+    admin_client = admin_mc.client
+    prtb = admin_client.create_project_role_template_binding(
+        userId=user_mc.user.id,
+        roleTemplateId="project-member",
+        projectId=admin_pc.project.id,
+    )
+    remove_resource(prtb)
+
+    # Verify the user can see the cluster
+    wait_until_available(user_mc.client, admin_cc.cluster)
+
+    api_instance = kubernetes.client.RbacAuthorizationV1Api(
+        admin_mc.k8s_client)
+
+    # Find the expected k8s clusterRoleBinding
+    crbs = api_instance.list_cluster_role_binding(
+        label_selector=prtb.uuid+"="+mbo)
+
+    assert len(crbs.items) == 1
+
+    # Delete the projectRoleTemplateBinding, this should cause the user to no
+    # longer be able to see the cluster
+    admin_mc.client.delete(prtb)
+
+    def crb_callback():
+        crbs = api_instance.list_cluster_role_binding(
+            label_selector=prtb.uuid+"="+mbo)
+        return len(crbs.items) == 0
+
+    def fail_handler():
+        return "failed waiting for cluster role binding to be deleted"
+
+    wait_for(crb_callback, fail_handler=fail_handler)
+
+    try:
+        cluster = user_mc.client.by_id_cluster(admin_cc.cluster.id)
+        assert cluster is None
+    except ApiError as e:
+        assert e.error.status == 403

tests/requirements.txt

@@ -1,5 +1,5 @@
 git+https://github.com/rancher/client-python.git@fb39798a240b2af6af011f2b69caeea037fe9a08
-websocket-client==0.23.0
+websocket-client==0.48.0
 PyJWT==1.4.0
 
 flake8==2.5.1