diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index 58d0172557f2..2b045cd61879 100755
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -47,7 +47,7 @@ os::cmd::expect_success "oc policy can-i --list"
 whoamitoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=whoami SCOPE=user:info USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 os::cmd::expect_success_and_text "oc get user/~ --token='${whoamitoken}'" "${username}"
 os::cmd::expect_success_and_text "oc whoami --token='${whoamitoken}'" "${username}"
-os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
+os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "pods is forbidden: User \"scoped-user\" cannot list pods in the namespace \"${project}\""
 listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=listproject SCOPE=user:list-scoped-projects USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 # this token doesn't have rights to see any projects even though it can hit the list endpoint, so an empty list is correct
diff --git a/test/cmd/basicresources.sh b/test/cmd/basicresources.sh
index 52f611937045..f84dcbdb615a 100755
--- a/test/cmd/basicresources.sh
+++ b/test/cmd/basicresources.sh
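Review bot: The new expected text on the `+` line is the generic RBAC forbidden message, so the assertion no longer ties the denial to the token's `user:info` scope; a user who simply lacks a `list pods` grant produces the same text, and whether `${username}` holds such a grant is set up outside this hunk. The old wording at least named the scope check, so a regression in scope enforcement would still pass here as long as plain RBAC denies. I would pair this with a positive control that attributes the denial to scoping, such as listing pods in `${project}` with an unscoped session for the same user, or match on whatever scope-specific wording the server still emits, if any. Separately, the expected text hard-codes `\"scoped-user\"` while the command authenticates as `${username}`; writing `\"${username}\"` keeps the assertion honest if the fixture ever renames the user.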
@@ -235,7 +235,7 @@ project=$(oc project -q)
 os::cmd::expect_success 'oc policy add-role-to-user view view-user'
 os::cmd::expect_success 'oc login -u view-user -p anything'
 os::cmd::try_until_success 'oc project ${project}'
-os::cmd::expect_failure_and_text "oc set env dc/test-deployment-config --list --resolve" "cannot get secrets in project"
+os::cmd::expect_failure_and_text "oc set env dc/test-deployment-config --list --resolve" "cannot get secrets in namespace"
 oc login -u system:admin
 # clean up
 os::cmd::expect_success "oc delete dc/test-deployment-config"
diff --git a/test/cmd/policy.sh b/test/cmd/policy.sh
index 6f277d04e213..0e4bccd6066a 100755
--- a/test/cmd/policy.sh
+++ b/test/cmd/policy.sh
@@ -234,7 +234,7 @@ os::cmd::expect_success_and_text 'oc policy scc-review -z default -f ${OS_ROOT}
 os::cmd::expect_success_and_text 'oc policy scc-review -z system:serviceaccount:policy-second:default -f ${OS_ROOT}/test/testdata/job.yaml --no-headers=true' 'Job/hello default lax'
 os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/extended/testdata/deployments/deployment-simple.yaml --no-headers=true' 'DeploymentConfig/deployment-simple default lax'
 os::cmd::expect_success_and_text 'oc policy scc-review -f ${OS_ROOT}/test/testdata/nginx_pod.yaml --no-headers=true' ''
-os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --namespace=no-exist' 'error: unable to compute Pod Security Policy Review for "hello": podsecuritypolicyreviews.security.openshift.io is forbidden: User "bob" cannot create podsecuritypolicyreviews.security.openshift.io in the namespace "no-exist": User "bob" cannot create podsecuritypolicyreviews.security.openshift.io in project "no-exist"'
+os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/job.yaml --namespace=no-exist' 'error: unable to compute Pod Security Policy Review for "hello": podsecuritypolicyreviews.security.openshift.io is forbidden: User "bob" cannot create podsecuritypolicyreviews.security.openshift.io in the namespace "no-exist"'
 os::cmd::expect_failure_and_text 'oc policy scc-review -z default -f ${OS_ROOT}/test/testdata/pspreview_unsupported_statefulset.yaml' 'error: StatefulSet "rd" with spec.volumeClaimTemplates currently not supported.'
 os::cmd::expect_failure_and_text 'oc policy scc-review -z no-exist -f ${OS_ROOT}/test/testdata/job.yaml' 'error: unable to compute Pod Security Policy Review for "hello": unable to retrieve ServiceAccount no-exist: serviceaccount "no-exist" not found'
 os::cmd::expect_success "oc login -u system:admin -n '${project}'"
diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go
index 49ea2bf614d3..0649a0179d89 100644
--- a/test/integration/authorization_test.go
+++ b/test/integration/authorization_test.go
@@ -875,7 +875,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 kubeAuthInterface: clusterAdminSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -889,7 +889,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 kubeAuthInterface: clusterAdminSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
- Reason: `User "harold" cannot get horizontalpodautoscalers in project "hammer-project"`,
+ Reason: ``,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -903,7 +903,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 kubeAuthInterface: clusterAdminKubeClient.Authorization(),
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
- Reason: `User "harold" cannot get horizontalpodautoscalers.foo in project "hammer-project"`,
+ Reason: ``,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -917,7 +917,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 kubeAuthInterface: clusterAdminSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
- Reason: `User "harold" cannot get horizontalpodautoscalers.* in project "hammer-project"`,
+ Reason: ``,
 Namespace: "hammer-project",
 },
 }.run(t)
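Review bot: The three denied cases now pin `Reason` to the empty string, which records that a denied review carries no explanation but leaves the reader to guess whether that is intended; a comment on each `+ Reason: ``,` such as `// RBAC authorizer returns no reason on deny; only allows are explained` would make the expectation deliberate. An empty expectation is also the weakest assertion available: if the `run` helper (defined outside this hunk) compares the whole response, any denial for any cause matches, including one produced by a misconfigured fixture. If the response type carries a separate evaluation-error field, asserting it is empty alongside `Allowed: false` would at least distinguish a clean RBAC deny from an authorizer error. The enclosing TestAuthorizationSubjectAccessReviewAPIGroup starts and ends outside the hunk.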
@@ -1068,7 +1068,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: clusterAdminLocalSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "view/default" of ClusterRole "view" to User "danny"`,
 Namespace: "default",
 },
 }.run(t)
@@ -1133,7 +1133,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: haroldSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "view/hammer-project" of ClusterRole "view" to User "valerie"`,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -1160,7 +1160,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: markSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "edit/mallet-project" of ClusterRole "edit" to User "edgar"`,
 Namespace: "mallet-project",
 },
 }.run(t)
@@ -1214,7 +1214,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: haroldSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -1253,7 +1253,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: haroldSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "admin/hammer-project" of ClusterRole "admin" to User "harold"`,
 Namespace: "hammer-project",
 },
 }.run(t)
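Review bot: The `+` lines assert the upstream RBAC reason verbatim, including RoleBinding and ClusterRole names, e.g. `RBAC: allowed by RoleBinding "view/default" of ClusterRole "view" to User "danny"`, so any wording change in the upstream authorizer breaks these tests with no change in who is allowed to do what. If the harness permits it, matching a stable prefix such as `RBAC: allowed by` pins what matters here (the decision came from RBAC) without coupling to its prose. Note also that this reason is handed back to whoever may run the review: the old generic text disclosed nothing about which binding granted access, whereas the new one names the binding and role, which is a visible change in what the API reveals and deserves a short comment next to the first expectation. The enclosing TestAuthorizationSubjectAccessReview starts and ends outside the hunk.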
@@ -1264,7 +1264,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 kubeAuthInterface: anonymousSARGetter,
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
- Reason: "allowed by openshift authorizer",
+ Reason: `RBAC: allowed by RoleBinding "edit/hammer-project" of ClusterRole "edit" to User "system:anonymous"`,
 Namespace: "hammer-project",
 },
 }.run(t)
@@ -1368,8 +1368,8 @@ func TestBrowserSafeAuthorizer(t *testing.T) {
 if errProxy == nil {
 return false
 }
- return strings.Contains(errProxy.Error(), `cannot "unsafeproxy" "pods" with name "podX1:8080" in project "ns"`) ||
- strings.Contains(errProxy.Error(), `cannot get pods/unsafeproxy in project "ns"`)
+ return strings.Contains(errProxy.Error(), `cannot proxy pods in namespace "ns"`) ||
+ strings.Contains(errProxy.Error(), `cannot get pods/proxy in namespace "ns"`)
 }
 
 for _, tc := range []struct {
diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go
index 9cc349c9a56b..ae8e83970753 100644
--- a/test/integration/bootstrap_policy_test.go
+++ b/test/integration/bootstrap_policy_test.go
@@ -98,7 +98,7 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
 kubeAuthInterface: valerieKubeClient.Authorization(),
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
- Reason: `User "valerie" cannot create policybindings in project "openshift"`,
+ Reason: ``,
 Namespace: "openshift",
 },
 }.run(t)
@@ -148,7 +148,7 @@ func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) {
 kubeAuthInterface: valerieKubeClient.Authorization(),
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
- Reason: `User "valerie" cannot create pods in project "foo"`,
+ Reason: ``,
 Namespace: "foo",
 },
 }.run(t)
diff --git a/test/integration/oauth_cert_fallback_test.go b/test/integration/oauth_cert_fallback_test.go
index 7cdd057db97e..3e8a867045be 100644
--- a/test/integration/oauth_cert_fallback_test.go
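Review bot: The rewritten predicate in TestBrowserSafeAuthorizer accepts `cannot proxy pods in namespace "ns"` or `cannot get pods/proxy in namespace "ns"`, which are the messages for an ordinary missing `proxy` permission, so the check no longer evidences that the verb was rewritten for browser-like requests (the old strings named `unsafeproxy`). Unless the fixture, which is set up outside this hunk, actually grants this user `proxy` on pods, a denial here could come from plain RBAC and the browser-safe path would never be proven to run. I would add a comment above the `return` such as `// the RBAC denial no longer names the rewritten verb; the allowed non-browser case below is what proves the rewrite`, and make sure the table that follows contains that allowed case. The function starts before this hunk.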
+++ b/test/integration/oauth_cert_fallback_test.go
@@ -35,7 +35,7 @@ func TestOAuthCertFallback(t *testing.T) { certUser = "system:admin" unauthorizedError = "Unauthorized"
- anonymousError = `users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope`
+ anonymousError = `users.user.openshift.io "~" is forbidden: User "system:anonymous" cannot get users.user.openshift.io at the cluster scope`
 ) // Build master config