From 96962cb07ad7746ebb7d4b6b6818dc79f6e0c4ce Mon Sep 17 00:00:00 2001
From: Maciej Szulik
Date: Thu, 29 Sep 2016 12:14:46 +0200
Subject: [PATCH] Added missing policies for PodSecurityPolicy(Review|SelfSubjectReview|SubjectReview)

---
 pkg/cmd/server/bootstrappolicy/policy.go | 4 ++++
 pkg/security/registry/podsecuritypolicyreview/rest.go | 4 ++--
 .../registry/podsecuritypolicyreview/rest_test.go | 4 ++--
 .../registry/podsecuritypolicysubjectreview/rest.go | 2 +-
 .../registry/podsecuritypolicysubjectreview/rest_test.go | 2 +-
 .../bootstrappolicy/bootstrap_cluster_roles.yaml | 9 +++++++++
 6 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
index f41f225b8d86..0ec7074e4b1b 100644
--- a/pkg/cmd/server/bootstrappolicy/policy.go
+++ b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -23,6 +23,7 @@ import (
 	quotaapi "github.com/openshift/origin/pkg/quota/api"
 	routeapi "github.com/openshift/origin/pkg/route/api"
 	sdnapi "github.com/openshift/origin/pkg/sdn/api"
+	securityapi "github.com/openshift/origin/pkg/security/api"
 	templateapi "github.com/openshift/origin/pkg/template/api"
 	userapi "github.com/openshift/origin/pkg/user/api"
 )
@@ -38,6 +39,7 @@ var (
 	certificatesGroup = certificates.GroupName
 	extensionsGroup = extensions.GroupName
 	policyGroup = policy.GroupName
+	securityGroup = securityapi.GroupName
 	storageGroup = storage.GroupName
 	authzGroup = authorizationapi.GroupName
 	buildGroup = buildapi.GroupName
@@ -165,6 +167,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews", "selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(), authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(), + // permissions to check PSP, these creates are non-mutating + authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(), // Allow read access to node metrics authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(), // Allow read access to stats diff --git a/pkg/security/registry/podsecuritypolicyreview/rest.go b/pkg/security/registry/podsecuritypolicyreview/rest.go index 3715da4d6028..249e327b6681 100644 --- a/pkg/security/registry/podsecuritypolicyreview/rest.go +++ b/pkg/security/registry/podsecuritypolicyreview/rest.go @@ -43,7 +43,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a PodSecurityPolicyReview: %#v", obj)) } if errs := securityvalidation.ValidatePodSecurityPolicyReview(pspr); len(errs) > 0 { - return nil, kapierrors.NewInvalid(kapi.Kind("podsecuritypolicyreview"), "", errs) + return nil, kapierrors.NewInvalid(securityapi.Kind(pspr.Kind), "", errs) } ns, ok := kapi.NamespaceFrom(ctx) if !ok { 
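Review bot: The added comment describes the new rule only as "non-mutating", but the podsecuritypolicysubjectreviews it grants evaluates admission for a caller-chosen subject (the subjectreview hunk later in this patch builds `user.DefaultInfo{Name: pspsr.Spec.User, Groups: pspsr.Spec.Groups}` from the request), so holders of this role can learn which SCCs would admit a pod for other users and groups. That disclosure should be spelled out where the permission is granted, e.g. `// permissions to check PSP/SCC admission; these creates are non-mutating, but a subject review reveals which policies apply to the user/groups named in the request`. The enclosing role literal and GetBootstrapClusterRoles itself start outside the hunk; the neighbouring tokenreviews and node-metrics rules suggest this is a read-only cluster role, which looks like the right scope, but that should be confirmed against the role name above the hunk.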
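Review bot: In the rest.go hunk at `@@ -43,7 +43,7 @@`, `securityapi.Kind(pspr.Kind)` reads the request object's TypeMeta, which is empty here: the companion rest_test.go change in this patch rewrites the expected message from `podsecuritypolicyreview "" is invalid: ...` to ` "" is invalid: ...`, i.e. the kind name is lost from the Invalid error rather than moved to the security group. Use the fixed kind instead, `return nil, kapierrors.NewInvalid(securityapi.Kind("PodSecurityPolicyReview"), "", errs)`, and restore the test expectation accordingly. The same issue applies to the podsecuritypolicysubjectreview/rest.go hunk at `@@ -49,7 +49,7 @@` (`securityapi.Kind(pspsr.Kind)`) and its rest_test.go expectation. The body of the Create method continues outside both hunks.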
@@ -56,7 +56,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err if len(serviceAccounts) == 0 { glog.Errorf("No service accounts for namespace %s", ns) - return nil, kapierrors.NewBadRequest(fmt.Sprintf("no a ServiceAccount for namespace: %s", ns)) + return nil, kapierrors.NewBadRequest(fmt.Sprintf("unable to find ServiceAccount for namespace: %s", ns)) } errs := []error{} diff --git a/pkg/security/registry/podsecuritypolicyreview/rest_test.go b/pkg/security/registry/podsecuritypolicyreview/rest_test.go index de1ac4c75bbb..9c2f7b6f762f 100644 --- a/pkg/security/registry/podsecuritypolicyreview/rest_test.go +++ b/pkg/security/registry/podsecuritypolicyreview/rest_test.go @@ -178,7 +178,7 @@ func TestErrors(t *testing.T) { }, }, serviceAccount: admissionttesting.CreateSAForTest(), - errorMessage: "podsecuritypolicyreview \"\" is invalid: spec.podSpec.serviceAccountName: Invalid value: \"A.B.C.D.E\": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')", + errorMessage: ` "" is invalid: spec.podSpec.serviceAccountName: Invalid value: "A.B.C.D.E": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`, }, "no SA": { request: &securityapi.PodSecurityPolicyReview{ @@ -194,7 +194,7 @@ func TestErrors(t *testing.T) { }, }, }, - errorMessage: "unable to retrieve ServiceAccount default: ServiceAccount \"default\" not found", + errorMessage: `unable to retrieve ServiceAccount default: ServiceAccount "default" not found`, }, } for testName, testcase := range testcases { diff --git a/pkg/security/registry/podsecuritypolicysubjectreview/rest.go b/pkg/security/registry/podsecuritypolicysubjectreview/rest.go index 5c9d357fbbb0..64a41f505a28 100644 --- a/pkg/security/registry/podsecuritypolicysubjectreview/rest.go +++ b/pkg/security/registry/podsecuritypolicysubjectreview/rest.go 
@@ -49,7 +49,7 @@ func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, err } if errs := securityvalidation.ValidatePodSecurityPolicySubjectReview(pspsr); len(errs) > 0 { - return nil, kapierrors.NewInvalid(kapi.Kind("podsecuritypolicysubjectreview"), "", errs) + return nil, kapierrors.NewInvalid(securityapi.Kind(pspsr.Kind), "", errs) } userInfo := &user.DefaultInfo{Name: pspsr.Spec.User, Groups: pspsr.Spec.Groups} diff --git a/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go b/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go index e1eb2172cd3e..af9108c0bbe2 100644 --- a/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go +++ b/pkg/security/registry/podsecuritypolicysubjectreview/rest_test.go @@ -170,7 +170,7 @@ func TestRequests(t *testing.T) { Groups: []string{"bar", "baz"}, }, }, - errorMessage: "podsecuritypolicysubjectreview \"\" is invalid: spec.podSpec.serviceAccountName: Invalid value: \"A.B.C.D\": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')", + errorMessage: ` "" is invalid: spec.podSpec.serviceAccountName: Invalid value: "A.B.C.D": must match the regex [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* (e.g. 'example.com')`, }, "no provider": { request: &securityapi.PodSecurityPolicySubjectReview{ diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 00db69af1212..2f68f84a2fea 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -323,6 +323,15 @@ items: - tokenreviews verbs: - create + - apiGroups: + - "" + attributeRestrictions: null + resources: + - podsecuritypolicyreviews + - podsecuritypolicyselfsubjectreviews + - podsecuritypolicysubjectreviews + verbs: + - create - apiGroups: - "" attributeRestrictions: null