diff --git a/pkg/proxy/handlers/spacelister_get_test.go b/pkg/proxy/handlers/spacelister_get_test.go
index 086809a5..35aa5ef5 100644
--- a/pkg/proxy/handlers/spacelister_get_test.go
+++ b/pkg/proxy/handlers/spacelister_get_test.go
@@ -748,6 +748,7 @@ func TestSpaceListerGetPublicViewerEnabled(t *testing.T) {
 fakeSignupService := fake.NewSignupService(
 newSignup("batman", "batman.space", true),
 newSignup("robin", "robin.space", true),
+ newSignup("gordon", "gordon.no-space", false),
 )
 fakeClient := fake.InitClient(t,
@@ -797,11 +798,16 @@ func TestSpaceListerGetPublicViewerEnabled(t *testing.T) {
 expectedWorkspace: nil,
 expectedErr: "",
 },
- "gordon can get batman workspace": {
- username: "gordon.space",
+ "gordon can get robin workspace": {
+ username: "gordon.no-space",
 workspaceRequest: "robin",
 expectedWorkspace: publicRobinWS,
 },
+ "gordon can not get batman workspace": {
+ username: "gordon.no-space",
+ workspaceRequest: "batman",
+ expectedWorkspace: nil,
+ },
 }
 for k, tc := range tests {
@@ -848,11 +854,12 @@ func TestSpaceListerGetPublicViewerEnabled(t *testing.T) {
 }
 }
-func TestSpaceListerGetWithBindingsWithPublicViewerEnabled(t *testing.T) {
+func TestGetUserWorkspaceWithBindingsWithPublicViewerEnabled(t *testing.T) {
 fakeSignupService := fake.NewSignupService(
 newSignup("batman", "batman.space", true),
 newSignup("robin", "robin.space", true),
+ newSignup("gordon", "gordon.no-space", false),
 )
 fakeClient := fake.InitClient(t,
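Review bot: The new "gordon can not get batman workspace" case in the @@ -797 hunk sets only `expectedWorkspace: nil`, so as far as the visible lines show, a denial cannot be told apart from a lookup or fixture failure that also yields no workspace. The neighbouring case carries an `expectedErr` field; set it here to the error the handler returns for a workspace that is not shared with the public viewer, so the case fails if gordon is turned away for the wrong reason. The assertion loop is outside the hunk, so check what it does for a nil workspace with an empty `expectedErr`. The identically named case added in the @@ -927 hunk has the same gap. A short comment on `newSignup("gordon", "gordon.no-space", false)` saying what the `false` argument stands for would also help readers of the table.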
@@ -927,6 +934,21 @@ func TestSpaceListerGetWithBindingsWithPublicViewerEnabled(t *testing.T) {
 workspaceRequest: "batman",
 expectedWorkspace: nil,
 },
+ "gordon can not get batman workspace": {
+ username: "gordon.no-space",
+ workspaceRequest: "batman",
+ expectedWorkspace: nil,
+ },
+ "gordon can get robin workspace": {
+ username: "gordon.no-space",
+ workspaceRequest: "robin",
+ expectedWorkspace: func() *toolchainv1alpha1.Workspace {
+ batmansRobinWS := robinWS.DeepCopy()
+ batmansRobinWS.Status.Type = ""
+ batmansRobinWS.Status.Role = "viewer"
+ return batmansRobinWS
+ }(),
+ },
 }
 for k, tc := range tests {
diff --git a/pkg/proxy/proxy_community_test.go b/pkg/proxy/proxy_community_test.go
index 8e2ed5e6..0a47165e 100644
--- a/pkg/proxy/proxy_community_test.go
+++ b/pkg/proxy/proxy_community_test.go
@@ -68,6 +68,8 @@ func (s *TestProxySuite) checkProxyCommunityOK(fakeApp *fake.ProxyFakeApp, p *Pr
 s.Run("successfully proxy", func() {
 owner := uuid.New()
 communityUser := uuid.New()
+ alice := uuid.New()
+ notReadyUser := uuid.New()
 httpTestServerResponse := "my response"
 // Start the member-2 API Server
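Review bot: In the "gordon can get robin workspace" case of the @@ -927 hunk the local is named `batmansRobinWS`, although the request is made as `gordon.no-space`; the name looks carried over from a batman case elsewhere in the table. Rename it, e.g. `gordonsRobinWS := robinWS.DeepCopy()`, so the expected value reads as gordon's view of robin's workspace. A one-line comment on why `Status.Type` is cleared and `Status.Role` is set to "viewer" would make the expectation self-explanatory; presumably gordon's access comes only through the public viewer, but the lines that establish this are outside the hunk.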
@@ -110,6 +112,24 @@ func (s *TestProxySuite) checkProxyCommunityOK(fakeApp *fake.ProxyFakeApp, p *Pr
 RequestPath: fmt.Sprintf("http://localhost:%s/workspaces/communityspace/api/communityspace/pods", port),
 ExpectedResponse: httpTestServerResponse,
 },
+ // Given A not ready user exists
+ // When the not ready user requests the list of pods in workspace communityspace
+ // Then the request is forwarded from the proxy
+ // And the request impersonates the not ready user
+ // And the request's X-SSO-User Header is set to not ready user's ID
+ // And the request is successful
+ "plain http actual request as notReadyUser": {
+ ProxyRequestMethod: "GET",
+ ProxyRequestHeaders: map[string][]string{"Authorization": {"Bearer " + s.token(notReadyUser)}},
+ ExpectedAPIServerRequestHeaders: map[string][]string{
+ "Authorization": {"Bearer clusterSAToken"},
+ "Impersonate-User": {toolchainv1alpha1.KubesawAuthenticatedUsername},
+ "X-SSO-User": {"username-" + notReadyUser.String()},
+ },
+ ExpectedProxyResponseStatus: http.StatusOK,
+ RequestPath: fmt.Sprintf("http://localhost:%s/workspaces/communityspace/api/communityspace/pods", port),
+ ExpectedResponse: httpTestServerResponse,
+ },
 // Given smith2 owns a workspace named communityspace
 // And communityspace is publicly visible (shared with PublicViewer)
 // And a user named communityuser exists
@@ -187,13 +207,13 @@ func (s *TestProxySuite) checkProxyCommunityOK(fakeApp *fake.ProxyFakeApp, p *Pr
 Name: "communityUser",
 APIEndpoint: testServer.URL,
 ClusterName: "member-2",
- CompliantUsername: "communityuser",
+ CompliantUsername: "communityUser",
 Username: "communityUser@",
 Status: signup.Status{
 Ready: true,
 },
 }),
- fake.Signup(communityUser.String(), &signup.Signup{
+ fake.Signup(alice.String(), &signup.Signup{
 Name: "alice",
 APIEndpoint: testServer.URL,
 ClusterName: "member-2",
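Review bot: The comment on "plain http actual request as notReadyUser" in the @@ -110 hunk omits the precondition that makes a successful response acceptable, and it says the request "impersonates the not ready user" while the expected `Impersonate-User` header is the shared `toolchainv1alpha1.KubesawAuthenticatedUsername`. State both facts as the next case does, e.g. `// And communityspace is publicly visible (shared with PublicViewer)` and `// And the request impersonates the PublicViewer identity`. Because this case pins that a signup with `Ready: false` is served by the proxy, a companion case asserting that the same user is rejected for a workspace that is not public would keep the boundary under test. None is visible in this hunk, though the table continues outside it.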
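Review bot: `CompliantUsername: "communityUser"` in the @@ -187 hunk (and `"notReadyUser"` in the @@ -203 hunk) is mixed case. If CompliantUsername is meant to be a valid Kubernetes resource name, these fixtures use values production would never produce, and any case-sensitive lookup keyed on it is exercised with unrealistic input. Either keep the lowercase form or add a comment beside the field explaining why the test needs the mixed-case value, e.g. `// mixed case on purpose: <reason>`. The code that consumes the field is outside these hunks, so this is a question for the author rather than a confirmed defect.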
@@ -203,6 +223,14 @@ func (s *TestProxySuite) checkProxyCommunityOK(fakeApp *fake.ProxyFakeApp, p *Pr
 Ready: true,
 },
 }),
+ fake.Signup(notReadyUser.String(), &signup.Signup{
+ Name: "notReadyUser",
+ CompliantUsername: "notReadyUser",
+ Username: "notReadyUser@",
+ Status: signup.Status{
+ Ready: false,
+ },
+ }),
 )
 s.Application.MockSignupService(fakeApp.SignupServiceMock)
 inf := fake.NewFakeInformer()