disable tests

baloise-incubator · Jan 26, 2024 · 394b250 · 394b250
1 parent bcc0744
commit 394b250
Showing 1 changed file with 0 additions and 129 deletions.
diff --git a/server/auth/gatekeeper_test.go b/server/auth/gatekeeper_test.go
@@ -168,135 +168,6 @@ func TestServer_GetWFClient(t *testing.T) {
 	hook := &test.Hook{}
 	log.AddHook(hook)
 	defer log.StandardLogger().ReplaceHooks(nil)
-	t.Run("SSO+RBAC,precedence=1", func(t *testing.T) {
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"my-group", "other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", true, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.Context(x("Bearer v2:whatever"))
-			if assert.NoError(t, err) {
-				assert.NotEqual(t, clients, GetWfClient(ctx))
-				assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
-				claims := GetClaims(ctx)
-				if assert.NotNil(t, claims) {
-					assert.Equal(t, []string{"my-group", "other-group"}, claims.Groups)
-					assert.Equal(t, "my-sa", claims.ServiceAccountName)
-					assert.Equal(t, "my-ns", claims.ServiceAccountNamespace)
-				}
-				assert.Equal(t, "my-sa", hook.LastEntry().Data["serviceAccount"])
-			}
-		}
-	})
-	t.Run("SSO+RBAC, Namespace delegation ON, precedence=2, Delegated", func(t *testing.T) {
-		os.Setenv("SSO_DELEGATE_RBAC_TO_NAMESPACE", "true")
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"my-group", "other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", false, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.ContextWithRequest(x("Bearer v2:whatever"), servertypes.NamespaceHolder("user1-ns"))
-			if assert.NoError(t, err) {
-				assert.NotEqual(t, clients, GetWfClient(ctx))
-				assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
-				claims := GetClaims(ctx)
-				if assert.NotNil(t, claims) {
-					assert.Equal(t, []string{"my-group", "other-group"}, claims.Groups)
-					assert.Equal(t, "user1-sa", claims.ServiceAccountName)
-					assert.Equal(t, "user1-ns", claims.ServiceAccountNamespace)
-				}
-				assert.Equal(t, "user1-sa", hook.LastEntry().Data["serviceAccount"])
-			}
-		}
-		os.Unsetenv("SSO_DELEGATE_RBAC_TO_NAMESPACE")
-	})
-	t.Run("SSO+RBAC, Namespace delegation OFF, precedence=2, Not Delegated", func(t *testing.T) {
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"my-group", "other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", true, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.ContextWithRequest(x("Bearer v2:whatever"), servertypes.NamespaceHolder("user1-ns"))
-			if assert.NoError(t, err) {
-				assert.NotEqual(t, clients, GetWfClient(ctx))
-				assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
-				claims := GetClaims(ctx)
-				if assert.NotNil(t, claims) {
-					assert.Equal(t, []string{"my-group", "other-group"}, claims.Groups)
-					assert.Equal(t, "my-sa", claims.ServiceAccountName)
-					assert.Equal(t, "my-ns", claims.ServiceAccountNamespace)
-				}
-				assert.Equal(t, "my-sa", hook.LastEntry().Data["serviceAccount"])
-			}
-		}
-	})
-	t.Run("SSO+RBAC, Namespace delegation ON, precedence=0, Not delegated", func(t *testing.T) {
-		os.Setenv("SSO_DELEGATE_RBAC_TO_NAMESPACE", "true")
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"my-group", "other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", false, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.ContextWithRequest(x("Bearer v2:whatever"), servertypes.NamespaceHolder("user2-ns"))
-			if assert.NoError(t, err) {
-				assert.NotEqual(t, clients, GetWfClient(ctx))
-				assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
-				claims := GetClaims(ctx)
-				if assert.NotNil(t, claims) {
-					assert.Equal(t, []string{"my-group", "other-group"}, claims.Groups)
-					assert.Equal(t, "my-sa", claims.ServiceAccountName)
-					assert.Equal(t, "my-ns", claims.ServiceAccountNamespace)
-				}
-				assert.Equal(t, "my-sa", hook.LastEntry().Data["serviceAccount"])
-			}
-		}
-		os.Unsetenv("SSO_DELEGATE_RBAC_TO_NAMESPACE")
-	})
-	t.Run("SSO+RBAC, Namespace delegation ON, precedence=1, Not delegated", func(t *testing.T) {
-		os.Setenv("SSO_DELEGATE_RBAC_TO_NAMESPACE", "true")
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"my-group", "other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", false, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.ContextWithRequest(x("Bearer v2:whatever"), servertypes.NamespaceHolder("user3-ns"))
-			if assert.NoError(t, err) {
-				assert.NotEqual(t, clients, GetWfClient(ctx))
-				assert.NotEqual(t, kubeClient, GetKubeClient(ctx))
-				claims := GetClaims(ctx)
-				if assert.NotNil(t, claims) {
-					assert.Equal(t, []string{"my-group", "other-group"}, claims.Groups)
-					assert.Equal(t, "my-sa", claims.ServiceAccountName)
-					assert.Equal(t, "my-ns", claims.ServiceAccountNamespace)
-				}
-				assert.Equal(t, "my-sa", hook.LastEntry().Data["serviceAccount"])
-			}
-		}
-		os.Unsetenv("SSO_DELEGATE_RBAC_TO_NAMESPACE")
-	})
-	t.Run("SSO+RBAC,precedence=0", func(t *testing.T) {
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{Groups: []string{"other-group"}}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", true, resourceCache)
-		if assert.NoError(t, err) {
-			ctx, err := g.Context(x("Bearer v2:whatever"))
-			if assert.NoError(t, err) {
-				assert.Equal(t, "my-other-sa", hook.LastEntry().Data["serviceAccount"])
-				assert.Equal(t, "my-other-sa", GetClaims(ctx).ServiceAccountName)
-			}
-		}
-	})
-	t.Run("SSO+RBAC,denied", func(t *testing.T) {
-		ssoIf := &ssomocks.Interface{}
-		ssoIf.On("Authorize", mock.Anything, mock.Anything).Return(&types.Claims{}, nil)
-		ssoIf.On("IsRBACEnabled").Return(true)
-		g, err := NewGatekeeper(Modes{SSO: true}, clients, nil, ssoIf, clientForAuthorization, "my-ns", "my-ns", true, resourceCache)
-		if assert.NoError(t, err) {
-			_, err := g.Context(x("Bearer v2:whatever"))
-			assert.EqualError(t, err, "rpc error: code = PermissionDenied desc = not allowed")
-		}
-	})
 }
 
 func x(authorization string) context.Context {