Merge pull request kubevirt#2497 from petrkotas/user-tests

Add run vm test for user on ocp
th3w4y · Aug 21, 2019 · 00f3065 · 00f3065
2 parents fff6e54 + 47ede3a
commit 00f3065
Show file tree

Hide file tree

Showing 2 changed files with 179 additions and 5 deletions.
diff --git a/tests/access_test.go b/tests/access_test.go
@@ -41,13 +41,17 @@ var _ = Describe("[rfe_id:500][crit:high][vendor:[email protected]][level:compon
 	edit := tests.EditServiceAccountName
 	admin := tests.AdminServiceAccountName
 
+	var k8sClient string
+
 	BeforeEach(func() {
+		k8sClient = tests.GetK8sCmdClient()
+		tests.SkipIfNoCmd(k8sClient)
+
 		tests.BeforeTestCleanup()
 	})
 
 	Describe("With default kubevirt service accounts", func() {
 		table.DescribeTable("should verify permissions on resources are correct for view, edit, and admin", func(resource string) {
-			tests.SkipIfNoCmd("kubectl")
 
 			viewVerbs := make(map[string]string)
 			editVerbs := make(map[string]string)
@@ -101,29 +105,29 @@ var _ = Describe("[rfe_id:500][crit:high][vendor:[email protected]][level:compon
 				By(fmt.Sprintf("verifying VIEW sa for verb %s", verb))
 				expectedRes, _ := viewVerbs[verb]
 				as := fmt.Sprintf("system:serviceaccount:%s:%s", namespace, view)
-				result, _, _ := tests.RunCommand("kubectl", "auth", "can-i", "--as", as, verb, resource)
+				result, _, _ := tests.RunCommand(k8sClient, "auth", "can-i", "--as", as, verb, resource)
 				Expect(result).To(ContainSubstring(expectedRes))
 
 				// EDIT
 				By(fmt.Sprintf("verifying EDIT sa for verb %s", verb))
 				expectedRes, _ = editVerbs[verb]
 				as = fmt.Sprintf("system:serviceaccount:%s:%s", namespace, edit)
-				result, _, _ = tests.RunCommand("kubectl", "auth", "can-i", "--as", as, verb, resource)
+				result, _, _ = tests.RunCommand(k8sClient, "auth", "can-i", "--as", as, verb, resource)
 				Expect(result).To(ContainSubstring(expectedRes))
 
 				// ADMIN
 				By(fmt.Sprintf("verifying ADMIN sa for verb %s", verb))
 				expectedRes, _ = adminVerbs[verb]
 				as = fmt.Sprintf("system:serviceaccount:%s:%s", namespace, admin)
-				result, _, _ = tests.RunCommand("kubectl", "auth", "can-i", "--as", as, verb, resource)
+				result, _, _ = tests.RunCommand(k8sClient, "auth", "can-i", "--as", as, verb, resource)
 				Expect(result).To(ContainSubstring(expectedRes))
 
 				// DEFAULT - the default should always return 'no' for ever verb.
 				// This is primarily a sanity check.
 				By(fmt.Sprintf("verifying DEFAULT sa for verb %s", verb))
 				expectedRes = "no"
 				as = fmt.Sprintf("system:serviceaccount:%s:default", namespace)
-				result, _, _ = tests.RunCommand("kubectl", "auth", "can-i", "--as", as, verb, resource)
+				result, _, _ = tests.RunCommand(k8sClient, "auth", "can-i", "--as", as, verb, resource)
 				Expect(result).To(ContainSubstring(expectedRes))
 			}
 		},
@@ -241,4 +245,80 @@ var _ = Describe("[rfe_id:500][crit:high][vendor:[email protected]][level:compon
 			table.Entry("on vm restart", "virtualmachines", "restart"),
 		)
 	})
+
+	Describe("With regular OpenShift user", func() {
+		BeforeEach(func() {
+			tests.SkipIfNoCmd("oc")
+		})
+
+		const testUser = "testuser"
+
+		testRights := func(resource, right string) {
+			verbsList := []string{"get", "list", "watch", "delete", "create", "update", "patch", "deletecollection"}
+
+			for _, verb := range verbsList {
+				// AS A TEST USER
+				By(fmt.Sprintf("verifying user rights for verb %s", verb))
+				result, _, _ := tests.RunCommand(k8sClient, "auth", "can-i", "--as", testUser, verb, resource)
+				Expect(result).To(ContainSubstring(right))
+			}
+		}
+
+		Context("should fail without admin rights for the project", func() {
+			BeforeEach(func() {
+				By("Ensuring the cluster has new test user")
+				stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "create", "user", testUser)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+				stdOut, stdErr, err = tests.RunCommandWithNS("", k8sClient, "project", tests.NamespaceTestDefault)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+			})
+
+			AfterEach(func() {
+				stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "delete", "user", testUser)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+			})
+
+			table.DescribeTable("should verify permissions on resources are correct for view, edit, and admin", func(resource string) {
+				testRights(resource, "no")
+			},
+				table.Entry("given a vmi", "virtualmachineinstances"),
+				table.Entry("given a vm", "virtualmachines"),
+				table.Entry("given a vmi preset", "virtualmachineinstancepresets"),
+				table.Entry("given a vmi replica set", "virtualmachineinstancereplicasets"),
+				table.Entry("given a vmi migration", "virtualmachineinstancemigrations"),
+			)
+		})
+
+		Context("should succeed with admin rights for the project", func() {
+			BeforeEach(func() {
+				By("Ensuring the cluster has new test user")
+				stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "create", "user", testUser)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+				By("Ensuring user has the admin rights for the test namespace project")
+				// This is ussually done in backgroung when creating new user with login and by creating new project by that user
+				stdOut, stdErr, err = tests.RunCommandWithNS("", k8sClient, "adm", "policy", "add-role-to-user", "-n", tests.NamespaceTestDefault, "admin", testUser)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+				stdOut, stdErr, err = tests.RunCommandWithNS("", k8sClient, "project", tests.NamespaceTestDefault)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+			})
+
+			AfterEach(func() {
+				stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "delete", "user", testUser)
+				Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+			})
+
+			table.DescribeTable("should verify permissions on resources are correct the test user", func(resource string) {
+				testRights(resource, "yes")
+			},
+				table.Entry("[test_id:2894]given a vmi", "virtualmachineinstances"),
+				table.Entry("[test_id:2831]given a vm", "virtualmachines"),
+				table.Entry("[test_id:2835]given a vmi preset", "virtualmachineinstancepresets"),
+				table.Entry("[test_id:2836][crit:low]given a vmi replica set", "virtualmachineinstancereplicasets"),
+				table.Entry("[test_id:2837]given a vmi migration", "virtualmachineinstancemigrations"),
+			)
+		})
+	})
 })
diff --git a/tests/vm_test.go b/tests/vm_test.go
@@ -1188,6 +1188,100 @@ var _ = Describe("[rfe_id:1177][crit:medium][vendor:[email protected]][level:com
 			Expect(strings.HasPrefix(stdErr, "Error from server (NotFound): virtualmachines.kubevirt.io")).To(BeTrue(), "should fail when deleting non existent VM")
 		})
 
+		Context("as ordinary OCP user trough test service account", func() {
+			BeforeEach(func() {
+				tests.SkipIfNoCmd("oc")
+			})
+
+			const testUser = "testuser"
+			var token string
+
+			Context("should succeed with right rights", func() {
+				BeforeEach(func() {
+					By("Ensuring the cluster has new test serviceaccount")
+					stdOut, stdErr, err := tests.RunCommand(k8sClient, "create", "serviceaccount", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+					By("Ensuring user has the admin rights for the test namespace project")
+					// This simulates the ordinary user as an admin in his project
+					stdOut, stdErr, err = tests.RunCommand(k8sClient, "adm", "policy", "add-role-to-user", "admin", fmt.Sprintf("system:serviceaccount:%s:%s", tests.NamespaceTestDefault, testUser))
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+					token, stdErr, err = tests.RunCommand(k8sClient, "serviceaccounts", "get-token", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+				})
+
+				AfterEach(func() {
+					stdOut, stdErr, err := tests.RunCommand(k8sClient, "adm", "policy", "remove-role-from-user", "admin", fmt.Sprintf("system:serviceaccount:%s:%s", tests.NamespaceTestDefault, testUser))
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+					stdOut, stdErr, err = tests.RunCommand(k8sClient, "delete", "serviceaccount", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+				})
+
+				It("[test_id:2839]should create VM via command line", func() {
+					vmi = tests.NewRandomVMIWithEphemeralDisk(tests.ContainerDiskFor(tests.ContainerDiskAlpine))
+					vm := tests.NewRandomVirtualMachine(vmi, true)
+
+					vmJson, err = tests.GenerateVMJson(vm, workDir)
+					Expect(err).ToNot(HaveOccurred(), "Cannot generate VMs manifest")
+
+					By("Creating VM using k8s client binary")
+					stdOut, stdErr, err := tests.RunCommand(k8sClient, "--token", token, "create", "-f", vmJson)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+					By("Waiting for VMI to start")
+					waitForVMIStart(virtClient, vmi)
+
+					By("Listing running pods")
+					stdout, _, err := tests.RunCommand(k8sClient, "--token", token, "get", "pods")
+					Expect(err).ToNot(HaveOccurred())
+
+					By("Ensuring pod is running")
+					expectedPodName := getExpectedPodName(vm)
+					podRunningRe, err := regexp.Compile(fmt.Sprintf("%s.*Running", expectedPodName))
+					Expect(err).ToNot(HaveOccurred())
+
+					Expect(podRunningRe.FindString(stdout)).ToNot(Equal(""), "Pod is not Running")
+
+					By("Checking that VM is running")
+					stdout, _, err = tests.RunCommand(k8sClient, "--token", token, "describe", "vmis", vm.GetName())
+					Expect(err).ToNot(HaveOccurred())
+
+					Expect(vmRunningRe.FindString(stdout)).ToNot(Equal(""), "VMI is not Running")
+				})
+			})
+
+			Context("should fail without right rights", func() {
+				BeforeEach(func() {
+					By("Ensuring the cluster has new test serviceaccount")
+					stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "create", "serviceaccount", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+
+					token, stdErr, err = tests.RunCommandWithNS("", k8sClient, "serviceaccounts", "get-token", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+				})
+
+				AfterEach(func() {
+					stdOut, stdErr, err := tests.RunCommandWithNS("", k8sClient, "delete", "serviceaccount", testUser)
+					Expect(err).ToNot(HaveOccurred(), "ERR: %s", stdOut+stdErr)
+				})
+
+				It("should create VM via command line", func() {
+					vmi = tests.NewRandomVMIWithEphemeralDisk(tests.ContainerDiskFor(tests.ContainerDiskAlpine))
+					vm := tests.NewRandomVirtualMachine(vmi, true)
+
+					vmJson, err = tests.GenerateVMJson(vm, workDir)
+					Expect(err).ToNot(HaveOccurred(), "Cannot generate VMs manifest")
+
+					By("Creating VM using k8s client binary")
+					stdOut, stdErr, err := tests.RunCommand(k8sClient, "--token", token, "create", "-f", vmJson)
+					Expect(err).To(HaveOccurred(), "The call for VM creation should fail")
+					Expect(stdOut+stdErr).To(ContainSubstring("no RBAC policy matched"), "should be rejected due to not access rights")
+				})
+			})
+		})
+
 	})
 })