From 3ea481e5e8171fd1de9f430fd44b38e85d0277d3 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Fri, 1 Sep 2017 14:41:22 -0400
Subject: [PATCH] message tweaks for kube
---
 .../kubernetes/master/master_config_test.go | 1 +
 test/cmd/authentication.sh | 8 ++++----
 test/cmd/status.sh | 8 ++++----
 test/integration/authorization_test.go | 16 ++++++++--------
 test/integration/bootstrap_policy_test.go | 4 ++--
 test/integration/oauth_cert_fallback_test.go | 2 +-
 6 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/pkg/cmd/server/kubernetes/master/master_config_test.go b/pkg/cmd/server/kubernetes/master/master_config_test.go
index 0489b114976e..a8685c0cc740 100644
--- a/pkg/cmd/server/kubernetes/master/master_config_test.go
+++ b/pkg/cmd/server/kubernetes/master/master_config_test.go
@@ -35,6 +35,7 @@ var expectedGroupPreferredVersions []string = []string{
 "admissionregistration.k8s.io/v1alpha1",
 "apps/v1beta1,authentication.k8s.io/v1",
 "authorization.k8s.io/v1",
+ "authorization.openshift.io/v1",
 "autoscaling/v1",
 "batch/v1",
 "certificates.k8s.io/v1beta1",
diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index be5211b0cc9d..ca41987d4ac9 100755
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -47,21 +47,21 @@ os::cmd::expect_success "oc policy can-i --list"
 whoamitoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=whoami SCOPE=user:info USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 os::cmd::expect_success_and_text "oc get user/~ --token='${whoamitoken}'" "${username}"
 os::cmd::expect_success_and_text "oc whoami --token='${whoamitoken}'" "${username}"
-os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
+os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in the namespace \"${project}\""
 listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=listproject SCOPE=user:list-scoped-projects USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 # this token doesn't have rights to see any projects even though it can hit the list endpoint, so an empty list is correct
 # we'll add another scope that allows listing all known projects even if this token has no other powers in them.
 os::cmd::expect_success_and_not_text "oc get projects --token='${listprojecttoken}'" "${project}"
 os::cmd::expect_failure_and_text "oc get user/~ --token='${listprojecttoken}'" 'prevent this action; User "scoped-user" cannot get users at the cluster scope'
-os::cmd::expect_failure_and_text "oc get pods --token='${listprojecttoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
+os::cmd::expect_failure_and_text "oc get pods --token='${listprojecttoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in the namespace \"${project}\""
 listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=listallprojects SCOPE=user:list-projects USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 os::cmd::expect_success_and_text "oc get projects --token='${listprojecttoken}'" "${project}"
 adminnonescalatingpowerstoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=admin SCOPE=role:admin:* USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 os::cmd::expect_failure_and_text "oc get user/~ --token='${adminnonescalatingpowerstoken}'" 'prevent this action; User "scoped-user" cannot get users at the cluster scope'
-os::cmd::expect_failure_and_text "oc get secrets --token='${adminnonescalatingpowerstoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list secrets in project \"${project}\""
+os::cmd::expect_failure_and_text "oc get secrets --token='${adminnonescalatingpowerstoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list secrets in the namespace \"${project}\""
 os::cmd::expect_success_and_text "oc get 'projects/${project}' --token='${adminnonescalatingpowerstoken}' -n '${project}'" "${project}"
 allescalatingpowerstoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=clusteradmin SCOPE='role:cluster-admin:*:!' USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
@@ -69,7 +69,7 @@ os::cmd::expect_success_and_text "oc get user/~ --token='${allescalatingpowersto
 os::cmd::expect_success "oc get secrets --token='${allescalatingpowerstoken}' -n '${project}'"
 # scopes allow it, but authorization doesn't
 os::cmd::try_until_failure "oc get secrets --token='${allescalatingpowerstoken}' -n default"
-os::cmd::expect_failure_and_text "oc get secrets --token='${allescalatingpowerstoken}' -n default" 'cannot list secrets in project'
+os::cmd::expect_failure_and_text "oc get secrets --token='${allescalatingpowerstoken}' -n default" 'cannot list secrets in the namespace'
 os::cmd::expect_success_and_text "oc get projects --token='${allescalatingpowerstoken}'" "${project}"
 os::cmd::expect_success_and_text "oc policy can-i --list --token='${allescalatingpowerstoken}' -n '${project}'" 'get.*pods'
diff --git a/test/cmd/status.sh b/test/cmd/status.sh
index c003f9e75672..1652cce4a228 100755
--- a/test/cmd/status.sh
+++ b/test/cmd/status.sh
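Review bot: The rewritten denial expectations hard-code the literal `scoped-user` while the tokens minted on the same lines carry `USER_NAME="${username}"`, so the assertion and the identity it is checking can drift apart if `username` is ever changed above (presumably it is `scoped-user` today, since the `oc whoami` check against `"${username}"` passes). Using the variable keeps them tied together, e.g. `"prevent this action; User \"${username}\" cannot list pods in the namespace \"${project}\""`, and the same applies to the two other changed lines in this hunk. The `${username}` and `${useruid}` assignments are outside the hunk, so this is inferred from the surrounding lines.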
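Review bot: The changed assertion on the `-n default` request now matches only the bare phrase `'cannot list secrets in the namespace'`, whereas every sibling denial check in this file pins both the user and the namespace; a Forbidden from any identity in any namespace would satisfy it. Because the preceding `try_until_failure` already waits for the request to fail, pinning the stronger form costs nothing and actually verifies what the `# scopes allow it, but authorization doesn't` comment is about, namely that the escalating `role:cluster-admin:*:!` token is refused specifically in `default`: `'User "scoped-user" cannot list secrets in the namespace "default"'`. The user name is inferred from the other assertions in this file rather than from this hunk.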
@@ -44,7 +44,7 @@ os::cmd::expect_success_and_text "oc login --server=${KUBERNETES_MASTER} --certi
 os::cmd::expect_success_and_text 'oc status' "You don't have any projects. You can try to create a new project, by running"
 os::cmd::expect_success_and_text 'oc status --all-namespaces' "Showing all projects on server"
 # make sure `oc status` does not re-use the "no projects" message from `oc login` if -n is specified
-os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get project "forbidden"'
+os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "forbidden"'
 # create a new project
 os::cmd::expect_success "oc new-project project-bar --display-name='my project' --description='test project'"
@@ -52,7 +52,7 @@ os::cmd::expect_success_and_text "oc project" 'Using project "project-bar"'
 # make sure `oc status` does not use "no projects" message if there is a project created
 os::cmd::expect_success_and_text 'oc status' "In project my project \(project-bar\) on server"
-os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get project "forbidden"'
+os::cmd::expect_failure_and_text 'oc status -n forbidden' 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "forbidden"'
 # create a second project
 os::cmd::expect_success "oc new-project project-bar-2 --display-name='my project 2' --description='test project 2'"
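Review bot: The new expectation for `oc status -n forbidden` pins a `Forbidden` with the generic `cannot get projects in the namespace "forbidden"` wording, but nothing in the hunk says why a Forbidden rather than a NotFound is the right answer for a namespace this test never creates, and the comment above it only talks about the "no projects" message. A one-line comment would make the property explicit and stop a later maintainer from "fixing" the test toward NotFound: `# "forbidden" is never created here; an unprivileged user must get Forbidden, not NotFound, so namespace existence is not leaked`. Whether anything outside this file creates a namespace named `forbidden` is not visible from the hunk, so confirm before wording the comment that strongly.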
@@ -62,7 +62,7 @@ os::cmd::expect_success_and_text "oc project" 'Using project "project-bar-2"'
 # message since `project-bar` still exists
 os::cmd::expect_success_and_text "oc delete project project-bar-2" 'project "project-bar-2" deleted'
 # the deletion is asynchronous and can take a while, so wait until we see the error
-os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get project "project-bar-2"'
+os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "project-bar-2"'
 # delete "project-bar" and test that `oc status` still does not return the "no projects" message.
 # Although we are deleting the last remaining project, the current context's namespace is still set
@@ -71,7 +71,7 @@ os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test
 os::cmd::expect_success "oc project project-bar"
 os::cmd::expect_success "oc delete project project-bar"
 # the deletion is asynchronous and can take a while, so wait until we see the error
-os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get project "project-bar"'
+os::cmd::try_until_text "oc status" 'Error from server \(Forbidden\): User "test-user" cannot get projects in the namespace "project-bar"'
 os::cmd::try_until_not_text "oc get projects" "project-bar"
 os::cmd::try_until_not_text "oc get projects" "project-bar-2"
 os::cmd::expect_success "oc logout"
diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go
index ca544fca11fb..f89548cb7a10 100644
--- a/test/integration/authorization_test.go
+++ b/test/integration/authorization_test.go
@@ -1174,8 +1174,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: haroldSARGetter,
 kubeNamespace: "mallet-project",
- err: `User "harold" cannot create localsubjectaccessreviews in project "mallet-project"`,
- kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in project "mallet-project"`,
+ err: `User "harold" cannot create localsubjectaccessreviews in the namespace "mallet-project"`,
+ kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "mallet-project"`,
 }.run(t)
 subjectAccessReviewTest{
 description: "system:anonymous denied ability to run subject access review in project mallet-project",
@@ -1183,8 +1183,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: anonymousSARGetter,
 kubeNamespace: "mallet-project",
- err: `User "system:anonymous" cannot create localsubjectaccessreviews in project "mallet-project"`,
- kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in project "mallet-project"`,
+ err: `User "system:anonymous" cannot create localsubjectaccessreviews in the namespace "mallet-project"`,
+ kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "mallet-project"`,
 }.run(t)
 // ensure message does not leak whether the namespace exists or not
 subjectAccessReviewTest{
@@ -1193,8 +1193,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: haroldSARGetter,
 kubeNamespace: "nonexistent-project",
- err: `User "harold" cannot create localsubjectaccessreviews in project "nonexistent-project"`,
- kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in project "nonexistent-project"`,
+ err: `User "harold" cannot create localsubjectaccessreviews in the namespace "nonexistent-project"`,
+ kubeErr: `User "harold" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "nonexistent-project"`,
 }.run(t)
 subjectAccessReviewTest{
 description: "system:anonymous denied ability to run subject access review in project nonexistent-project",
@@ -1202,8 +1202,8 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 localReview: askCanEdgarDeletePods,
 kubeAuthInterface: anonymousSARGetter,
 kubeNamespace: "nonexistent-project",
- err: `User "system:anonymous" cannot create localsubjectaccessreviews in project "nonexistent-project"`,
- kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in project "nonexistent-project"`,
+ err: `User "system:anonymous" cannot create localsubjectaccessreviews in the namespace "nonexistent-project"`,
+ kubeErr: `User "system:anonymous" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "nonexistent-project"`,
 }.run(t)
 askCanHaroldUpdateProject := &authorizationapi.LocalSubjectAccessReview{
diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go
index 55015c871b04..c537b2b2dd82 100644
--- a/test/integration/bootstrap_policy_test.go
+++ b/test/integration/bootstrap_policy_test.go
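Review bot: The "does not leak whether the namespace exists" property that the comment above this case describes is enforced only by the `err`/`kubeErr` literals for `nonexistent-project` being typed identically to the `mallet-project` ones, and this commit had to retype all four pairs by hand; one of them drifting in a future wording change would silently turn the check into a no-op. Building both cases from one helper makes the equivalence structural rather than visual, e.g. `sarDenied := func(user, ns string) string { return fmt.Sprintf(`+"`"+`User %q cannot create localsubjectaccessreviews in the namespace %q`+"`"+`, user, ns) }` with a sibling for the `.authorization.k8s.io` form, and then `err: sarDenied("harold", "nonexistent-project")`. Whether `fmt` is already imported is not visible from the hunk. TestAuthorizationSubjectAccessReview starts and ends outside this hunk.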
@@ -112,8 +112,8 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
 localReview: askCanClusterAdminsCreateProject,
 kubeAuthInterface: valerieKubeClient.Authorization(),
 kubeNamespace: "openshift",
- err: `User "valerie" cannot create localsubjectaccessreviews in project "openshift"`,
- kubeErr: `User "valerie" cannot create localsubjectaccessreviews.authorization.k8s.io in project "openshift"`,
+ err: `User "valerie" cannot create localsubjectaccessreviews in the namespace "openshift"`,
+ kubeErr: `User "valerie" cannot create localsubjectaccessreviews.authorization.k8s.io in the namespace "openshift"`,
 }.run(t)
 }
diff --git a/test/integration/oauth_cert_fallback_test.go b/test/integration/oauth_cert_fallback_test.go
index 32fdf5cd3a8f..2461818dc459 100644
--- a/test/integration/oauth_cert_fallback_test.go
+++ b/test/integration/oauth_cert_fallback_test.go
@@ -35,7 +35,7 @@ func TestOAuthCertFallback(t *testing.T) {
 certUser = "system:admin"
 unauthorizedError = "the server has asked for the client to provide credentials (get users ~)"
- anonymousError = `User "system:anonymous" cannot get users at the cluster scope`
+ anonymousError = `User "system:anonymous" cannot get users at the cluster scope.: "User \"system:anonymous\" cannot get users at the cluster scope" (get users ~)`
 )
 // Build master config
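Review bot: The new `anonymousError` freezes a message that contains the same Forbidden text twice, joined by a stray `.: ` and a re-quoted copy of itself, which looks like the status reason being folded back into its own message at two layers rather than a deliberate wording; pinning that in a test constant locks the duplication in and makes the next cleanup of the error path a test break. Prefer keeping the single phrase, `anonymousError = `+"`"+`User "system:anonymous" cannot get users at the cluster scope`+"`"+``, and comparing with `strings.Contains` at the use site, or fix the wrapping so the text is emitted once and keep the exact match. How the constant is compared is outside the hunk, and TestOAuthCertFallback continues past it, so I cannot tell from here which of the two is the smaller change.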