added restrictedadmin_replatement_role test to replace deprecated test

rancher · Feb 27, 2025 · 43a4b1c · 43a4b1c
1 parent 2dee4ee
commit 43a4b1c
Show file tree

Hide file tree

Showing 3 changed files with 305 additions and 0 deletions.
diff --git a/actions/rbac/rbac.go b/actions/rbac/rbac.go
@@ -70,6 +70,17 @@ func AddUserWithRoleToCluster(adminClient *rancher.Client, globalRole, role stri
 	return user, userClient, nil
 }
 
+func AddUserWithGlobalRole(adminClient *rancher.Client, globalRole string) (*management.User, *rancher.Client, error) {
+	// Create the user with the specified global role
+	user, userClient, err := SetupUser(adminClient, globalRole)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Return the created user and user client
+	return user, userClient, nil
+}
+
 // SetupUser is a helper to create a user with the specified global role and a client for the user.
 func SetupUser(client *rancher.Client, globalRole string) (user *management.User, userClient *rancher.Client, err error) {
 	user, err = users.CreateUserWithRole(client, users.UserConfig(), globalRole)

diff --git a/validation/rbac/clusterandprojectroles/restrictedadmin_replacement_role.go b/validation/rbac/clusterandprojectroles/restrictedadmin_replacement_role.go
@@ -0,0 +1,152 @@
+package clusterandprojectroles
+
+import (
+	v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	rbac "github.com/rancher/tests/actions/rbac"
+	namegen "github.com/rancher/shepherd/pkg/namegenerator"
+	"github.com/rancher/shepherd/clients/rancher"
+	management "github.com/rancher/shepherd/clients/rancher/generated/management/v3"
+	"github.com/rancher/shepherd/extensions/users"
+	rbacv1 "k8s.io/api/rbac/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	kubeconfigSetting         = "kubeconfig-default-token-ttl-minutes"
+	updateValue               = "3"
+)
+
+var (
+	restrictedAdminReplacementRole = v3.GlobalRole{
+		ObjectMeta: v1.ObjectMeta{
+			Name: "",
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				APIGroups: []string{""},
+				Resources: []string{"secrets"},
+				Verbs:     []string{"create"},
+			},
+			{
+				APIGroups: []string{"catalog.cattle.io"},
+				Resources: []string{"clusterrepos"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"clustertemplates"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"clustertemplaterevisions"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"globalrolebindings"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"globalroles"},
+				Verbs: []string{
+					"delete", "deletecollection", "get", "list",
+					"patch", "create", "update", "watch",
+				},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"users", "userattribute", "groups", "groupmembers"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"podsecurityadmissionconfigurationtemplates"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"authconfigs"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"nodedrivers"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"kontainerdrivers"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"roletemplates"},
+				Verbs:     []string{"*"},
+			},
+			{
+				APIGroups: []string{"management.cattle.io"},
+				Resources: []string{"templates", "templateversions"},
+				Verbs:     []string{"*"},
+			},
+		},
+		InheritedClusterRoles: []string{
+			"cluster-owner",
+		},
+		InheritedFleetWorkspacePermissions: &v3.FleetWorkspacePermission{
+			ResourceRules: []rbacv1.PolicyRule{
+				{
+					APIGroups: []string{"fleet.cattle.io"},
+					Resources: []string{
+						"clusterregistrationtokens", "gitreporestrictions", "clusterregistrations",
+						"clusters", "gitrepos", "bundles", "bundledeployments", "clustergroups",
+					},
+					Verbs: []string{"*"},
+				},
+			},
+			WorkspaceVerbs: []string{"get", "list", "update", "create", "delete"},
+		},
+	}
+)
+
+func createRestrictedAdminReplacementGlobalRole(client *rancher.Client) (*v3.GlobalRole, error) {
+	restrictedAdminReplacementRole.Name = namegen.AppendRandomString("restricted-admin-replacement-")
+	createdGlobalRole, err := client.WranglerContext.Mgmt.GlobalRole().Create(&restrictedAdminReplacementRole)
+	if err != nil {
+		return nil, err
+	}
+
+	createdGlobalRole, err = rbac.GetGlobalRoleByName(client, createdGlobalRole.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	return createdGlobalRole, err
+}
+
+func createRestrictedAdminReplacementGlobalRoleAndUser(client *rancher.Client) (*v3.GlobalRole, *management.User, error) {
+	createdGlobalRole, err := createRestrictedAdminReplacementGlobalRole(client)
+
+	createdUser, err := users.CreateUserWithRole(client, users.UserConfig(), rbac.StandardUser.String(), createdGlobalRole.Name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return createdGlobalRole, createdUser, err
+}
+
+func getGlobalSettings(client *rancher.Client, clusterID string) ([]string, error) {
+	context, err := client.WranglerContext.DownStreamClusterWranglerContext(clusterID)
+	settings, err := context.Mgmt.Setting().List(v1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	globalSettings := []string{}
+	for _, gs := range settings.Items {
+		globalSettings = append(globalSettings, gs.Name)
+	}
+
+	return globalSettings, nil
+}
diff --git a/validation/rbac/clusterandprojectroles/restrictedadmin_replacement_role_test.go b/validation/rbac/clusterandprojectroles/restrictedadmin_replacement_role_test.go
@@ -0,0 +1,142 @@
+package clusterandprojectroles
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/rancher/tests/actions/clusters"
+	"github.com/rancher/tests/actions/provisioning"
+	"github.com/rancher/tests/actions/provisioninginput"
+	//"github.com/rancher/tests/actions/rbac"
+
+	"github.com/rancher/shepherd/clients/rancher"
+	management "github.com/rancher/shepherd/clients/rancher/generated/management/v3"
+	extensionscluster "github.com/rancher/shepherd/extensions/clusters"
+	"github.com/rancher/shepherd/extensions/clusters/kubernetesversions"
+	//rbacv2 "github.com/rancher/tests/actions/kubeapi/rbac"
+	"github.com/rancher/shepherd/pkg/config"
+	"github.com/rancher/shepherd/pkg/session"
+	log "github.com/sirupsen/logrus"
+	//namegen "github.com/rancher/shepherd/pkg/namegenerator"
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type RestrictedAdminReplacementTestSuite struct {
+	suite.Suite
+	client  *rancher.Client
+	session *session.Session
+	cluster *management.Cluster
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) TearDownSuite() {
+	ra.session.Cleanup()
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) SetupSuite() {
+	ra.session = session.NewSession()
+
+	client, err := rancher.NewClient("", ra.session)
+	require.NoError(ra.T(), err)
+	ra.client = client
+
+	log.Info("Getting cluster name from the config file and append cluster details in the struct.")
+	clusterName := client.RancherConfig.ClusterName
+	require.NotEmptyf(ra.T(), clusterName, "Cluster name to install should be set")
+	clusterID, err := extensionscluster.GetClusterIDByName(ra.client, clusterName)
+	require.NoError(ra.T(), err, "Error getting cluster ID")
+	ra.cluster, err = ra.client.Management.Cluster.ByID(clusterID)
+	require.NoError(ra.T(), err)
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) updateGlobalSetting(client *rancher.Client, settingName string, settingValue string) error {
+	setting, err := ra.client.WranglerContext.Mgmt.Setting().Get(settingName, v1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get setting %s: %w", settingName, err)
+	}
+
+	setting.Value = settingValue
+	updatedSetting, err := client.WranglerContext.Mgmt.Setting().Update(setting)
+	if err != nil {
+		return fmt.Errorf("failed to update setting %s: %w", updatedSetting.Name, err)
+	}
+	return nil
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) TestRestrictedAdminReplacementCreateCluster() {
+	subSession := ra.session.NewSession()
+	defer subSession.Cleanup()
+
+	log.Info("Create the replacement restricted admin global role")
+	createdRAReplacementRole, createdUser, err := createRestrictedAdminReplacementGlobalRoleAndUser(ra.client)
+	require.NoError(ra.T(), err, "failed to create global role and user")
+
+	createdRAReplacementUserClient, err := ra.client.AsUser(createdUser)
+	require.NoError(ra.T(), err)
+
+	ra.T().Logf("Validating user with %s role %s can create a downstream cluster", createdUser.Name, createdRAReplacementRole.Name)
+	userConfig := new(provisioninginput.Config)
+	config.LoadConfig(provisioninginput.ConfigurationFileKey, userConfig)
+	nodeProviders := userConfig.NodeProviders[0]
+	nodeAndRoles := []provisioninginput.NodePools{
+		provisioninginput.AllRolesNodePool,
+	}
+	externalNodeProvider := provisioning.ExternalNodeProviderSetup(nodeProviders)
+	clusterConfig := clusters.ConvertConfigToClusterConfig(userConfig)
+	clusterConfig.NodePools = nodeAndRoles
+	kubernetesVersion, err := kubernetesversions.Default(createdRAReplacementUserClient, extensionscluster.RKE1ClusterType.String(), []string{})
+	require.NoError(ra.T(), err)
+
+	clusterConfig.KubernetesVersion = kubernetesVersion[0]
+	clusterConfig.CNI = userConfig.CNIs[0]
+	clusterObject, _, err := provisioning.CreateProvisioningRKE1CustomCluster(createdRAReplacementUserClient, &externalNodeProvider, clusterConfig)
+	require.NoError(ra.T(), err)
+	provisioning.VerifyRKE1Cluster(ra.T(), createdRAReplacementUserClient, clusterConfig, clusterObject)
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) TestRestrictedAdminReplacementGlobalSettings() {
+	subSession := ra.session.NewSession()
+	defer subSession.Cleanup()
+
+	log.Info("Create the replacement restricted admin global role")
+	_, createdUser, err := createRestrictedAdminReplacementGlobalRoleAndUser(ra.client)
+	require.NoError(ra.T(), err, "failed to create global role and user")
+
+	createdRAReplacementUserClient, err := ra.client.AsUser(createdUser)
+	require.NoError(ra.T(), err)
+
+
+	log.Infof("Verifying the restricted-admin-replacement user %s  can list global settings", createdUser.Name)
+	raReplacementUserSettingsList, err := getGlobalSettings(createdRAReplacementUserClient, ra.cluster.ID)
+	require.NoError(ra.T(), err)
+	adminGlobalSettingsList, err := getGlobalSettings(ra.client, ra.cluster.ID)
+	require.NoError(ra.T(), err)
+
+	require.Equal(ra.T(), adminGlobalSettingsList, raReplacementUserSettingsList)
+	require.Equal(ra.T(), len(adminGlobalSettingsList), len(raReplacementUserSettingsList))
+}
+
+func (ra *RestrictedAdminReplacementTestSuite) TestRestrictedAdminReplacementCantUpdateGlobalSettings() {
+	subSession := ra.session.NewSession()
+	defer subSession.Cleanup()
+
+	log.Info("Create the replacement restricted admin global role")
+	_, createdUser, err := createRestrictedAdminReplacementGlobalRoleAndUser(ra.client)
+	require.NoError(ra.T(), err, "failed to create global role and user")
+
+	createdRAReplacementUserClient, err := ra.client.AsUser(createdUser)
+	require.NoError(ra.T(), err)
+
+	kubeConfigTokenSetting, err := ra.client.WranglerContext.Mgmt.Setting().Get(kubeconfigSetting, v1.GetOptions{})
+	require.NoError(ra.T(), err)
+
+	ra.T().Logf("Validating restrictedAdmin replacement user %s cannot update global settings", createdUser.Name)
+	err = ra.updateGlobalSetting(createdRAReplacementUserClient,kubeConfigTokenSetting.Name, updateValue)
+	require.Error(ra.T(), err)
+	require.Contains(ra.T(), err.Error(), "failed to update setting :  (put settings.meta.k8s.io kubeconfig-default-token-ttl-minutes)")
+}
+
+func TestRestrictedAdminReplacementTestSuite(t *testing.T) {
+	suite.Run(t, new(RestrictedAdminReplacementTestSuite))
+}