
Commit b955d45

author
Craig Jellick
committed
Adding test for cleanup of legacy role bindings
This change adds a test to the `test_rbac.py` file to confirm that the legacy role bindings are being cleaned up correctly.
1 parent 6ea187f commit b955d45

1 file changed

Lines changed: 59 additions & 4 deletions


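--- a/tests/core/test_rbac.py
+++ b/tests/core/test_rbac.py
@@ -1,8 +1,10 @@
 import kubernetes
 from rancher import ApiError
+
 from .common import random_str
-from .conftest import wait_until_available,\
-cluster_and_client, kubernetes_api_client, wait_for
+from .conftest import wait_until_available, \
+cluster_and_client, kubernetes_api_client, wait_for, ClusterContext, \
+admin_pc
 
 
 def test_multi_user(admin_mc, user_mc):
@@ -150,7 +152,7 @@ def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
 
 # Find the expected k8s clusterRoleBinding
 crbs = api_instance.list_cluster_role_binding(
-label_selector=prtb.uuid+"="+mbo)
+label_selector=prtb.uuid + "=" + mbo)
 
 assert len(crbs.items) == 1
 
@@ -160,7 +162,7 @@ def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
 
 def crb_callback():
 crbs = api_instance.list_cluster_role_binding(
-label_selector=prtb.uuid+"="+mbo)
+label_selector=prtb.uuid + "=" + mbo)
 return len(crbs.items) == 0
 
 def fail_handler():
@@ -205,3 +207,56 @@ def test_user_role_permissions(admin_mc, user_factory, remove_resource):
 role_templates = user2.client.list_role_template()
 assert len(role_templates.data) == 0, ("user2 does not have permission " +
 "to view roleTemplates")
+
+
+def test_permissions_can_be_removed(admin_cc, admin_mc, user_mc,
+request, remove_resource):
+def create_project_and_add_user():
+admin_pc_instance = admin_pc(request, admin_cc)
+
+prtb = admin_mc.client.create_project_role_template_binding(
+userId=user_mc.user.id,
+roleTemplateId="project-member",
+projectId=admin_pc_instance.project.id,
+)
+remove_resource(prtb)
+return admin_pc_instance, prtb
+
+admin_pc1, _ = create_project_and_add_user()
+admin_pc2, prtb2 = create_project_and_add_user()
+
+def add_namespace_to_project(admin_pc):
+def safe_remove(client, resource):
+try:
+client.delete(resource)
+except ApiError:
+pass
+
+ns = admin_cc.client.create_namespace(name=random_str(),
+projectId=admin_pc.project.id)
+request.addfinalizer(lambda: safe_remove(admin_cc.client, ns))
+
+def ns_active():
+new_ns = admin_cc.client.reload(ns)
+return new_ns.state == 'active'
+
+wait_for(ns_active)
+
+add_namespace_to_project(admin_pc1)
+
+def new_user_cc(user_mc):
+cluster, client = cluster_and_client('local', user_mc.client)
+return ClusterContext(user_mc, cluster, client)
+
+user_cc = new_user_cc(user_mc)
+assert len(user_cc.client.list_namespace()) == 1
+
+add_namespace_to_project(admin_pc2)
+
+user_cc = new_user_cc(user_mc)
+assert len(user_cc.client.list_namespace()) == 2
+
+admin_mc.client.delete(prtb2)
+
+user_cc = new_user_cc(user_mc)
+assert len(user_cc.client.list_namespace()) == 1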
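Review bot: The final assertion after `admin_mc.client.delete(prtb2)` in `test_permissions_can_be_removed` checks only that the namespace count is back to 1, and checks it immediately, so it neither proves that the revoked project's namespace is the one that disappeared nor tolerates asynchronous cleanup. Elsewhere in this file `crb_callback` polls for the binding to disappear, which suggests removal is not synchronous; polling here too, e.g. `wait_for(lambda: len(new_user_cc(user_mc).client.list_namespace()) == 1)`, would avoid a race. For a revocation test it would be stronger to end `add_namespace_to_project` with `return ns` and assert that the second project's namespace is absent from the user's list while the first is still present. The absolute counts also assume `user_mc` sees no other namespaces in the `local` cluster, which cannot be confirmed from this hunk.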
