Merge pull request rancher#44998 from anupama2501/webhookchecks_grv229

[2.9] Adding webhook checks for global roles v2
anupama2501 · Apr 5, 2024 · 7911791 · 7911791
2 parents 9ccc45e + 000301c
commit 7911791
Show file tree

Hide file tree

Showing 6 changed files with 377 additions and 11 deletions.
diff --git a/go.mod b/go.mod
@@ -59,7 +59,7 @@ require (
 	github.com/antihax/optional v1.0.0
 	github.com/containers/image/v5 v5.26.0
 	github.com/rancher/rancher/pkg/apis v0.0.0-20240126142034-676c3eb3dfa5
-	github.com/rancher/shepherd v0.0.0-20240401195459-dd0f1e7e8dca
+	github.com/rancher/shepherd v0.0.0-20240405160434-1192ba6d32ec
 	go.qase.io/client v0.0.0-20231114201952-65195ec001fa
 )
 

diff --git a/go.sum b/go.sum
@@ -1680,8 +1680,8 @@ github.com/rancher/remotedialer v0.3.0 h1:y1EO8JCsgZo0RcqTUp6U8FXcBAv27R+TLnWRcp
 github.com/rancher/remotedialer v0.3.0/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
 github.com/rancher/rke v1.5.3 h1:7mGn+NIL7KXk99NwWYBgoByh2+IfVCdws5ad3X/JIZY=
 github.com/rancher/rke v1.5.3/go.mod h1:wZaVWzW46OTuGvyxgRHXGUyJ/QP0zOkKESO9hBOwTaY=
-github.com/rancher/shepherd v0.0.0-20240401195459-dd0f1e7e8dca h1:KAHug2X7fO15XZzpH+AlxzuqXLwaPRWpJXDJbrFn8ds=
-github.com/rancher/shepherd v0.0.0-20240401195459-dd0f1e7e8dca/go.mod h1:CSj1hioOlfZpsd3Upu4A1bgv1jOf1eMICz4LL0KEJKA=
+github.com/rancher/shepherd v0.0.0-20240405160434-1192ba6d32ec h1:FQX/H9aIfu0LwMyzdYZpL4jZjkucj670w9JcvryPZh0=
+github.com/rancher/shepherd v0.0.0-20240405160434-1192ba6d32ec/go.mod h1:CSj1hioOlfZpsd3Upu4A1bgv1jOf1eMICz4LL0KEJKA=
 github.com/rancher/steve v0.0.0-20240314145706-870824dc8f49 h1:FVWzTCgR2bRcKIWqgJCa7L4s8J1S8HfCJMnqoSj99yg=
 github.com/rancher/steve v0.0.0-20240314145706-870824dc8f49/go.mod h1:+MET7wv8z6yycUt6NRDQzrd+h/j91tumImDg29w7eTw=
 github.com/rancher/system-upgrade-controller/pkg/apis v0.0.0-20210727200656-10b094e30007 h1:ru+mqGnxMmKeU0Q3XIDxkARvInDIqT1hH2amTcsjxI4=

diff --git a/tests/v2/validation/rbac/globalrolesv2/README.md b/tests/v2/validation/rbac/globalrolesv2/README.md
@@ -6,14 +6,14 @@ Global Roles v2 introduces enhanced capabilities, allowing users to define permi
 - Some tests require creating additional downstream cluster. Providing the provisioningInput parameter with appropriate values is mandatory unless you are skipping those tests.
 
 ## Test Setup
-Your GO suite should be set to `-run ^TestGlobalRolesV2TestSuite$`. You can find specific tests by checking the test file you plan to run.
+* For [globalroles_v2 checks](globalroles_v2_test.go), your GO suite should be set to `-run ^TestGlobalRolesV2TestSuite$`. You can find specific tests by checking the test file you plan to run.
+* For [globalroles_v2 webhook checks](globalroles_v2_webhook_test.go), your GO suite should be set to `-run ^TestGlobalRolesV2WebhookTestSuite$`. You can find specific tests by checking the test file you plan to run.
 
 In your config file, set the following:
-```
-rancher: 
+```yaml
+rancher:
   host: "rancher_server_address"
   adminToken: "rancher_admin_token"
-  userToken: "rancher_user_token"
   insecure: True
   cleanup: True
   clusterName: "downstream_cluster_name"
@@ -87,4 +87,4 @@ awsEC2Configs:
       isWindows: false
 sshPath: 
   sshPath: "ssh_path"
-```
+```
diff --git a/tests/v2/validation/rbac/globalrolesv2/globalroles_v2.go b/tests/v2/validation/rbac/globalrolesv2/globalroles_v2.go
@@ -1,6 +1,7 @@
 package globalrolesv2
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
@@ -19,6 +20,7 @@ import (
 	"github.com/rancher/shepherd/extensions/provisioning"
 	"github.com/rancher/shepherd/extensions/provisioninginput"
 
+	"github.com/rancher/shepherd/extensions/users"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -29,13 +31,17 @@ import (
 const (
 	roleOwner          = "cluster-owner"
 	roleMember         = "cluster-member"
+	roleProjectOwner   = "project-owner"
 	roleCrtbView       = "clusterroletemplatebindings-view"
 	roleProjectsCreate = "projects-create"
 	roleProjectsView   = "projects-view"
 	standardUser       = "user"
 	localcluster       = "local"
 	crtbOwnerLabel     = "authz.management.cattle.io/grb-owner"
 	namespace          = "fleet-default"
+	localPrefix        = "local://"
+	clusterContext     = "cluster"
+	projectContext     = "project"
 	bindingLabel       = "membership-binding-owner"
 )
 
@@ -209,3 +215,47 @@ func createDownstreamCluster(client *rancher.Client, clusterType string) (*manag
 
 	return clusterObject, steveObject, testClusterConfig, nil
 }
+
+func createGlobalRole(client *rancher.Client, inheritedClusterrole []string) (*v3.GlobalRole, error) {
+	globalRole.Name = namegen.AppendRandomString("testgr")
+	globalRole.InheritedClusterRoles = inheritedClusterrole
+	createdGlobalRole, err := rbac.CreateGlobalRole(client, &globalRole)
+	return createdGlobalRole, err
+}
+
+func createGlobalRoleAndUser(client *rancher.Client, inheritedClusterrole []string) (*management.User, error) {
+	globalRole, err := createGlobalRole(client, inheritedClusterrole)
+	if err != nil {
+		return nil, err
+	}
+
+	createdUser, err := users.CreateUserWithRole(client, users.UserConfig(), standardUser, globalRole.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	return createdUser, err
+}
+
+func crtbStatus(client *rancher.Client, crtbName string, selector labels.Selector) error {
+	ctx, cancel := context.WithTimeout(context.Background(), defaults.TwoMinuteTimeout)
+	defer cancel()
+
+	err := kwait.PollUntilContextCancel(ctx, defaults.FiveHundredMillisecondTimeout, false, func(ctx context.Context) (done bool, err error) {
+		crtbs, err := rbac.ListClusterRoleTemplateBindings(client, metav1.ListOptions{
+			LabelSelector: selector.String(),
+		})
+		if err != nil {
+			return false, err
+		}
+
+		for _, newcrtb := range crtbs.Items {
+			if crtbName == newcrtb.Name {
+				return false, nil
+			}
+		}
+		return true, nil
+	})
+
+	return err
+}