add tests for proxy and banned user (#1036)

* add tests for proxy and banned user Signed-off-by: Francesco Ilario <[email protected]> * Update test/e2e/parallel/banned_user_test.go Co-authored-by: Francisc Munteanu <[email protected]> * fix linter complaints Signed-off-by: Francesco Ilario <[email protected]> * refactor tests Signed-off-by: Francesco Ilario <[email protected]> * fix CreateSpaceWithRoleSignupResult's comment Signed-off-by: Francesco Ilario <[email protected]> * update comment Signed-off-by: Francesco Ilario <[email protected]> * remove StatusProvisionedNamespaces Signed-off-by: Francesco Ilario <[email protected]> * rename test file and func Signed-off-by: Francesco Ilario <[email protected]> * move banned users test-cases in proxy_test Signed-off-by: Francesco Ilario <[email protected]> --------- Signed-off-by: Francesco Ilario <[email protected]> Co-authored-by: Francisc Munteanu <[email protected]>
codeready-toolchain · Aug 21, 2024 · 1c38d06 · 1c38d06
1 parent df38969
commit 1c38d06
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 1 deletion.
diff --git a/test/e2e/parallel/proxy_test.go b/test/e2e/parallel/proxy_test.go
@@ -37,6 +37,7 @@ import (
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	k8serr "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	kubewait "k8s.io/apimachinery/pkg/util/wait"
@@ -578,6 +579,54 @@ func TestProxyFlow(t *testing.T) {
 				require.EqualError(t, err, fmt.Sprintf(`invalid workspace request: access to namespace '%s' in workspace '%s' is forbidden (get applications.appstudio.redhat.com %s)`, primaryUserNamespace, workspaceName, applicationName))
 			})
 		})
+
+		t.Run("banned user", func(t *testing.T) {
+			// create an user and a space
+			sp, us, _ := testsupportspace.CreateSpaceWithRoleSignupResult(t, awaitilities, "admin",
+				testspace.WithSpecTargetCluster(memberAwait.ClusterName),
+				testspace.WithTierName("appstudio"),
+			)
+
+			// wait until the space has ProvisionedNamespaces
+			sp, err := hostAwait.WaitForSpace(t, sp.Name, wait.UntilSpaceHasAnyProvisionedNamespaces())
+			require.NoError(t, err)
+
+			// ban the user
+			_ = CreateBannedUser(t, hostAwait, us.UserSignup.Spec.IdentityClaims.Email)
+
+			// wait until the user is banned
+			_, err = hostAwait.
+				WithRetryOptions(wait.TimeoutOption(time.Second*10), wait.RetryInterval(time.Second*2)).
+				WaitForUserSignup(t, us.UserSignup.Name,
+					wait.UntilUserSignupHasConditions(
+						wait.ConditionSet(wait.Default(), wait.ApprovedByAdmin(), wait.Banned())...))
+			require.NoError(t, err)
+
+			// build proxy client
+			proxyWorkspaceURL := hostAwait.ProxyURLWithWorkspaceContext(sp.Name)
+			userProxyClient, err := hostAwait.CreateAPIProxyClient(t, us.Token, proxyWorkspaceURL)
+			require.NoError(t, err)
+
+			t.Run("banned user cannot list config maps from space", func(t *testing.T) {
+				// then
+				cms := corev1.ConfigMapList{}
+
+				err = userProxyClient.List(context.TODO(), &cms, client.InNamespace(sp.Status.ProvisionedNamespaces[0].Name))
+				require.True(t, meta.IsNoMatchError(err), "expected List ConfigMap to return a NoMatch error, actual: %v", err)
+			})
+
+			t.Run("banned user cannot create config maps into space", func(t *testing.T) {
+				cm := corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "test-cm",
+						Namespace: sp.Status.ProvisionedNamespaces[0].Name,
+					},
+				}
+
+				err = userProxyClient.Create(context.TODO(), &cm)
+				require.True(t, meta.IsNoMatchError(err), "expected Create ConfigMap to return a NoMatch error, actual: %v", err)
+			})
+		})
 	})
 }
 

diff --git a/testsupport/space/space.go b/testsupport/space/space.go
@@ -25,7 +25,16 @@ func CreateSpace(t *testing.T, awaitilities wait.Awaitilities, opts ...testspace
 
 // CreateSpaceWithRole initializes a new Space object using the NewSpace function, and then creates it in the cluster
 // It also automatically provisions MasterUserRecord and creates SpaceBinding for it
+// It returns the Space, the UserSignup, and the SpaceBinding.
 func CreateSpaceWithRole(t *testing.T, awaitilities wait.Awaitilities, role string, opts ...testspace.Option) (*toolchainv1alpha1.Space, *toolchainv1alpha1.UserSignup, *toolchainv1alpha1.SpaceBinding) {
+	sp, sr, sb := CreateSpaceWithRoleSignupResult(t, awaitilities, role, opts...)
+	return sp, sr.UserSignup, sb
+}
+
+// CreateSpaceWithRoleSignupResult initializes a new Space object using the NewSpace function, and then creates it in the cluster
+// It also automatically provisions MasterUserRecord and creates SpaceBinding for it.
+// It returns the Space, the SignupResult, and the SpaceBinding.
+func CreateSpaceWithRoleSignupResult(t *testing.T, awaitilities wait.Awaitilities, role string, opts ...testspace.Option) (*toolchainv1alpha1.Space, *testsupport.SignupResult, *toolchainv1alpha1.SpaceBinding) {
 	// we need to create a MUR & SpaceBinding, otherwise, the Space could be automatically deleted by the SpaceCleanup controller
 	username := uuid.Must(uuid.NewV4()).String()
 	user := testsupport.NewSignupRequest(awaitilities).
@@ -66,7 +75,7 @@ func CreateSpaceWithRole(t *testing.T, awaitilities wait.Awaitilities, role stri
 		require.NoError(t, err)
 	}
 
-	return space, signup, spaceBinding
+	return space, user, spaceBinding
 }
 
 // CreateSubSpace initializes a new Space object using the NewSpace function, and sets the parentSpace field value accordingly.