11import kubernetes
22from rancher import ApiError
3+
34from .common import random_str
4- from .conftest import wait_until_available ,\
5- cluster_and_client , kubernetes_api_client , wait_for
5+ from .conftest import wait_until_available , \
6+ cluster_and_client , kubernetes_api_client , wait_for , ClusterContext , \
7+ admin_pc
68
79
810def test_multi_user (admin_mc , user_mc ):
@@ -150,7 +152,7 @@ def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
150152
151153 # Find the expected k8s clusterRoleBinding
152154 crbs = api_instance .list_cluster_role_binding (
153- label_selector = prtb .uuid + "=" + mbo )
155+ label_selector = prtb .uuid + "=" + mbo )
154156
155157 assert len (crbs .items ) == 1
156158
@@ -160,7 +162,7 @@ def test_removing_user_from_cluster(admin_pc, admin_mc, user_mc, admin_cc,
160162
161163 def crb_callback ():
162164 crbs = api_instance .list_cluster_role_binding (
163- label_selector = prtb .uuid + "=" + mbo )
165+ label_selector = prtb .uuid + "=" + mbo )
164166 return len (crbs .items ) == 0
165167
166168 def fail_handler ():
@@ -205,3 +207,56 @@ def test_user_role_permissions(admin_mc, user_factory, remove_resource):
205207 role_templates = user2 .client .list_role_template ()
206208 assert len (role_templates .data ) == 0 , ("user2 does not have permission " +
207209 "to view roleTemplates" )
210+
211+
212+ def test_permissions_can_be_removed (admin_cc , admin_mc , user_mc ,
213+ request , remove_resource ):
214+ def create_project_and_add_user ():
215+ admin_pc_instance = admin_pc (request , admin_cc )
216+
217+ prtb = admin_mc .client .create_project_role_template_binding (
218+ userId = user_mc .user .id ,
219+ roleTemplateId = "project-member" ,
220+ projectId = admin_pc_instance .project .id ,
221+ )
222+ remove_resource (prtb )
223+ return admin_pc_instance , prtb
224+
225+ admin_pc1 , _ = create_project_and_add_user ()
226+ admin_pc2 , prtb2 = create_project_and_add_user ()
227+
228+ def add_namespace_to_project (admin_pc ):
229+ def safe_remove (client , resource ):
230+ try :
231+ client .delete (resource )
232+ except ApiError :
233+ pass
234+
235+ ns = admin_cc .client .create_namespace (name = random_str (),
236+ projectId = admin_pc .project .id )
237+ request .addfinalizer (lambda : safe_remove (admin_cc .client , ns ))
238+
239+ def ns_active ():
240+ new_ns = admin_cc .client .reload (ns )
241+ return new_ns .state == 'active'
242+
243+ wait_for (ns_active )
244+
245+ add_namespace_to_project (admin_pc1 )
246+
247+ def new_user_cc (user_mc ):
248+ cluster , client = cluster_and_client ('local' , user_mc .client )
249+ return ClusterContext (user_mc , cluster , client )
250+
251+ user_cc = new_user_cc (user_mc )
252+ assert len (user_cc .client .list_namespace ()) == 1
253+
254+ add_namespace_to_project (admin_pc2 )
255+
256+ user_cc = new_user_cc (user_mc )
257+ assert len (user_cc .client .list_namespace ()) == 2
258+
259+ admin_mc .client .delete (prtb2 )
260+
261+ user_cc = new_user_cc (user_mc )
262+ assert len (user_cc .client .list_namespace ()) == 1
0 commit comments