From 4994821ba9eb10f5cc5c7826756ed830efd659be Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Wed, 14 Sep 2022 16:56:19 +0300 Subject: [PATCH 1/2] feat: Delegate only needed roles to user in his namespace Signed-off-by: Anatolii Bazko --- .../namespace/KubernetesNamespace.java | 8 +- .../namespace/KubernetesNamespaceTest.java | 28 +++++-- infrastructures/openshift/pom.xml | 4 + .../openshift/OpenShiftInfraModule.java | 9 +-- .../openshift/project/OpenShiftProject.java | 34 ++------- ...penShiftStopWorkspaceRoleConfigurator.java | 49 ++++++------ .../project/OpenShiftProjectTest.java | 60 ++------------- ...hiftStopWorkspaceRoleConfiguratorTest.java | 75 ++++++------------- 8 files changed, 91 insertions(+), 176 deletions(-) diff --git a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java index 29d269ff67..aaf326108c 100644 --- a/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java +++ b/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespace.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2021 Red Hat, Inc. + * Copyright (c) 2012-2022 Red Hat, Inc. * This program and the accompanying materials are made * available under the terms of the Eclipse Public License 2.0 * which is available at https://www.eclipse.org/legal/epl-2.0/ 
@@ -153,10 +153,10 @@ public class KubernetesNamespace { throw new InfrastructureException( format("Creating the namespace '%s' is not allowed, yet it was not found.", name)); } - namespace = create(name, client); + create(name, client); } - label(namespace, labels); - annotate(namespace, annotations); + label(client.namespaces().withName(name).get(), labels); + annotate(client.namespaces().withName(name).get(), annotations); } /** diff --git a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java index c31ffb0586..af083f63eb 100644 --- a/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java +++ b/infrastructures/kubernetes/src/test/java/org/eclipse/che/workspace/infrastructure/kubernetes/namespace/KubernetesNamespaceTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2021 Red Hat, Inc. + * Copyright (c) 2012-2022 Red Hat, Inc. * This program and the accompanying materials are made * available under the terms of the Eclipse Public License 2.0 * which is available at https://www.eclipse.org/legal/epl-2.0/ 
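Review bot: The result of `client.namespaces().withName(name).get()` is passed straight to `label` and `annotate` at the end of `prepare` without a null check, and the lookup is made twice. fabric8's `get()` returns null when the object is not found, which could happen right after `create(name, client)` if the namespace is not yet visible to this client. Fetching once and failing explicitly is safer: `Namespace ns = client.namespaces().withName(name).get();`, then a null check that throws `InfrastructureException`, then `label(ns, labels); annotate(ns, annotations);`. The bodies of `label` and `annotate` are outside the hunk, so whether they tolerate null should be confirmed.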
@@ -126,9 +126,14 @@ public class KubernetesNamespaceTest { @Test public void testKubernetesNamespacePreparingCreationWhenNamespaceDoesNotExist() throws Exception { // given + doThrow(new KubernetesClientException("error", 403, null)) + .doReturn(namespaceOperation) + .doReturn(namespaceOperation) + .when(kubernetesClient) + .namespaces(); + Resource namespaceResource = mock(Resource.class); + doReturn(namespaceResource).when(namespaceOperation).withName(anyString()); - Resource resource = prepareNamespaceResource(NAMESPACE); - doThrow(new KubernetesClientException("error", 403, null)).when(resource).get(); KubernetesNamespace namespace = new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID); @@ -232,9 +237,15 @@ public class KubernetesNamespaceTest { @Test public void testStopsWaitingServiceAccountEventJustAfterEventReceived() throws Exception { + // given + doThrow(new KubernetesClientException("error", 403, null)) + .doReturn(namespaceOperation) + .doReturn(namespaceOperation) + .when(kubernetesClient) + .namespaces(); + Resource namespaceResource = mock(Resource.class); + doReturn(namespaceResource).when(namespaceOperation).withName(anyString()); - final Resource resource = prepareNamespaceResource(NAMESPACE); - doThrow(new KubernetesClientException("error", 403, null)).when(resource).get(); when(serviceAccountResource.get()).thenReturn(null); doAnswer( invocation -> { @@ -245,8 +256,11 @@ public class KubernetesNamespaceTest { .when(serviceAccountResource) .watch(any()); - new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID) - .prepare(true, Map.of(), Map.of()); + KubernetesNamespace namespace = + new KubernetesNamespace(clientFactory, cheClientFactory, executor, NAMESPACE, WORKSPACE_ID); + + // when + namespace.prepare(true, Map.of(), Map.of()); verify(serviceAccountResource).get(); verify(serviceAccountResource).watch(any()); 
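Review bot: Both tests leave `namespaceResource.get()` unstubbed, so the mock returns null and `prepare` hands null to `label` and `annotate` with `Map.of()`; the path where a real namespace is fetched and labelled after creation is not exercised here. Stubbing it, for example `doReturn(new NamespaceBuilder().withNewMetadata().withName(NAMESPACE).endMetadata().build()).when(namespaceResource).get();`, and calling `prepare` with a non-empty label map would cover the new lookup. The `doThrow(...).doReturn(...).doReturn(...)` chain is also copied verbatim into both tests and encodes the exact number of `namespaces()` calls, so a small private helper with a comment explaining the three calls would keep the tests from breaking silently when `prepare` changes. The rest of both test bodies is outside the hunks.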
diff --git a/infrastructures/openshift/pom.xml b/infrastructures/openshift/pom.xml index d75b29871d..213912384f 100644 --- a/infrastructures/openshift/pom.xml +++ b/infrastructures/openshift/pom.xml @@ -50,6 +50,10 @@ io.fabric8 kubernetes-model-networking + + io.fabric8 + kubernetes-model-rbac + io.fabric8 openshift-client diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java index fd838c9320..92a9a42e13 100644 --- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java +++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java 
@@ -49,13 +49,7 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.KubernetesDev import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment; import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironmentFactory; import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesNamespaceFactory; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.CredentialsSecretConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.GitconfigUserDataConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.PreferencesConfigMapConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GatewayTlsProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiExternalEnvVarProvider; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiInternalEnvVarProvider; 
@@ -107,6 +101,7 @@ public class OpenShiftInfraModule extends AbstractModule { Multibinder namespaceConfigurators = Multibinder.newSetBinder(binder(), NamespaceConfigurator.class); + namespaceConfigurators.addBinding().to(UserPermissionConfigurator.class); namespaceConfigurators.addBinding().to(UserProfileConfigurator.class); namespaceConfigurators.addBinding().to(UserPreferencesConfigurator.class); namespaceConfigurators.addBinding().to(CredentialsSecretConfigurator.class); diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java index 9009ea35d3..09af9ab683 100644 --- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java +++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProject.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2021 Red Hat, Inc. + * Copyright (c) 2012-2022 Red Hat, Inc. * This program and the accompanying materials are made * available under the terms of the Eclipse Public License 2.0 * which is available at https://www.eclipse.org/legal/epl-2.0/ @@ -14,11 +14,9 @@ package org.eclipse.che.workspace.infrastructure.openshift.project; import static java.lang.String.format; import com.google.common.annotations.VisibleForTesting; -import io.fabric8.kubernetes.client.KubernetesClient; import io.fabric8.kubernetes.client.KubernetesClientException; import io.fabric8.openshift.api.model.Project; import io.fabric8.openshift.api.model.ProjectRequestBuilder; -import io.fabric8.openshift.api.model.RoleBindingBuilder; import io.fabric8.openshift.api.model.Route; import io.fabric8.openshift.client.OpenShiftClient; import java.util.Map; 
@@ -116,9 +114,7 @@ public class OpenShiftProject extends KubernetesNamespace { String workspaceId = getWorkspaceId(); String projectName = getName(); - KubernetesClient kubeClient = clientFactory.create(workspaceId); - OpenShiftClient osClient = clientFactory.createOC(workspaceId); - + OpenShiftClient osClient = cheServerOpenshiftClientFactory.createOC(); Project project = get(projectName, osClient); if (project == null) { @@ -130,27 +126,11 @@ public class OpenShiftProject extends KubernetesNamespace { } if (initWithCheServerSa) { - OpenShiftClient openshiftClient = cheServerOpenshiftClientFactory.createOC(); - create(projectName, openshiftClient); - waitDefaultServiceAccount(projectName, openshiftClient); - openshiftClient - .roleBindings() - .inNamespace(projectName) - .createOrReplace( - new RoleBindingBuilder() - .withNewMetadata() - .withName("admin") - .endMetadata() - .addToUserNames(osClient.currentUser().getMetadata().getName()) - .withNewRoleRef() - .withApiVersion("rbac.authorization.k8s.io") - .withKind("RoleBinding") - .withName("admin") - .endRoleRef() - .build()); - } else { create(projectName, osClient); - waitDefaultServiceAccount(projectName, kubeClient); + waitDefaultServiceAccount(projectName, osClient); + } else { + create(projectName, clientFactory.createOC(workspaceId)); + waitDefaultServiceAccount(projectName, clientFactory.create(workspaceId)); } } label(osClient.namespaces().withName(projectName).get(), labels); @@ -167,7 +147,7 @@ public class OpenShiftProject extends KubernetesNamespace { String workspaceId = getWorkspaceId(); String projectName = getName(); - OpenShiftClient osClient = clientFactory.createOC(workspaceId); + OpenShiftClient osClient = cheServerOpenshiftClientFactory.createOC(workspaceId); try { delete(projectName, osClient); 
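Review bot: `osClient` is now always the Che server service-account client, so `get(projectName, osClient)`, the final `label`/`annotate` calls and `delete(projectName, osClient)` run with the server's privileges even when `initWithCheServerSa` is false. The removed lines show these calls previously used `clientFactory.createOC(workspaceId)`; if that client carried the workspace owner's credentials, cluster RBAC was what stopped a user from adopting, relabelling or deleting a project they had no access to, and nothing visible in these hunks replaces that check. If the caller already verifies that `projectName` belongs to the requesting user, a comment stating that invariant belongs next to the `osClient` assignment; otherwise keep the user-scoped client for the existence check and for delete, e.g. `Project project = get(projectName, clientFactory.createOC(workspaceId));`. `prepare` and `delete` both start and end outside the hunks.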
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java
index b3cd80391e..0f1e65dacd 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfigurator.java
@@ -13,23 +13,18 @@ package org.eclipse.che.workspace.infrastructure.openshift.project.configurator; import static com.google.common.base.Strings.isNullOrEmpty; -import io.fabric8.kubernetes.api.model.ObjectReferenceBuilder; +import io.fabric8.kubernetes.api.model.rbac.*; +import io.fabric8.kubernetes.client.KubernetesClient; import io.fabric8.kubernetes.client.KubernetesClientException; -import io.fabric8.openshift.api.model.PolicyRuleBuilder; -import io.fabric8.openshift.api.model.Role; -import io.fabric8.openshift.api.model.RoleBinding; -import io.fabric8.openshift.api.model.RoleBindingBuilder; -import io.fabric8.openshift.api.model.RoleBuilder; -import io.fabric8.openshift.client.OpenShiftClient; import javax.inject.Inject; import javax.inject.Named; import javax.inject.Singleton; import org.eclipse.che.api.workspace.server.spi.InfrastructureException; import org.eclipse.che.api.workspace.server.spi.NamespaceResolutionContext; import org.eclipse.che.commons.annotation.Nullable; +import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory; import org.eclipse.che.workspace.infrastructure.kubernetes.environment.CheInstallationLocation; import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator; -import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftClientFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -42,7 +37,7 @@ import org.slf4j.LoggerFactory; @Singleton public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigurator { - private final OpenShiftClientFactory clientFactory; + private final CheServerKubernetesClientFactory cheClientFactory; private final String installationLocation; private final boolean stopWorkspaceRoleEnabled; private final String oAuthIdentityProvider; 
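Review bot: The wildcard `import io.fabric8.kubernetes.api.model.rbac.*;` hides which RBAC model types this class depends on, which matters here because the removed OpenShift imports used the same simple names (`Role`, `RoleBinding`, `RoleBuilder`, `RoleBindingBuilder`, `PolicyRuleBuilder`). Patch 2/2 expands the wildcard in `OpenShiftInfraModule` only; this import and the identical one in `OpenShiftStopWorkspaceRoleConfiguratorTest` remain. Listing the types explicitly, e.g. `import io.fabric8.kubernetes.api.model.rbac.RoleBinding;` and `import io.fabric8.kubernetes.api.model.rbac.SubjectBuilder;` plus the others the file uses, makes the switch from the OpenShift to the Kubernetes RBAC model visible in review.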
@@ -52,12 +47,12 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur @Inject public OpenShiftStopWorkspaceRoleConfigurator( - OpenShiftClientFactory clientFactory, + CheServerKubernetesClientFactory cheClientFactory, CheInstallationLocation installationLocation, @Named("che.workspace.stop.role.enabled") boolean stopWorkspaceRoleEnabled, @Nullable @Named("che.infra.openshift.oauth_identity_provider") String oAuthIdentityProvider) throws InfrastructureException { - this.clientFactory = clientFactory; + this.cheClientFactory = cheClientFactory; this.installationLocation = installationLocation.getInstallationLocationNamespace(); this.stopWorkspaceRoleEnabled = stopWorkspaceRoleEnabled; this.oAuthIdentityProvider = oAuthIdentityProvider; @@ -72,19 +67,20 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur try { if (stopWorkspaceRoleEnabled && installationLocation != null) { - OpenShiftClient osClient = clientFactory.createOC(); + KubernetesClient client = cheClientFactory.create(); String stopWorkspacesRoleName = "workspace-stop"; - if (osClient.roles().inNamespace(projectName).withName(stopWorkspacesRoleName).get() - == null) { - osClient - .roles() - .inNamespace(projectName) - .createOrReplace(createStopWorkspacesRole(stopWorkspacesRoleName)); - } - osClient + + client + .rbac() + .roles() + .inNamespace(projectName) + .createOrReplace(createStopWorkspacesRole(stopWorkspacesRoleName)); + + client + .rbac() .roleBindings() .inNamespace(projectName) - .createOrReplace(createStopWorkspacesRoleBinding(projectName)); + .createOrReplace(createStopWorkspacesRoleBinding(stopWorkspacesRoleName)); } } catch (KubernetesClientException e) { LOG.warn( 
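Review bot: `configure` now writes the Role and RoleBinding with the Che server's own client, and the binding's subject is the `che` service account in the installation namespace, so the server is granting a role to itself without the required cluster permissions being documented anywhere in the change. Kubernetes RBAC escalation prevention allows that only when the creator already holds every permission in the role or has the `escalate` and `bind` verbs; otherwise the API returns 403, which the `catch (KubernetesClientException e)` at the end of the hunk reduces to a `LOG.warn`. A class-level Javadoc sentence should state which permissions the Che service account needs for this configurator to succeed, and that a failure leaves idle workspaces in that project unstoppable by the server. Whether the previous `clientFactory.createOC()` used different credentials cannot be seen from here, and the body of `configure` continues outside the hunk.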
@@ -124,18 +120,17 @@ public class OpenShiftStopWorkspaceRoleConfigurator implements NamespaceConfigur .build(); } - protected RoleBinding createStopWorkspacesRoleBinding(String projectName) { + protected RoleBinding createStopWorkspacesRoleBinding(String name) { return new RoleBindingBuilder() .withNewMetadata() - .withName("che-workspace-stop") - .withNamespace(projectName) + .withName(name) .endMetadata() .withNewRoleRef() - .withName("workspace-stop") - .withNamespace(projectName) + .withKind("Role") + .withName(name) .endRoleRef() .withSubjects( - new ObjectReferenceBuilder() + new SubjectBuilder() .withKind("ServiceAccount") .withName("che") .withNamespace(installationLocation) diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java index 1e8ad7820b..368c71472a 100644 --- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java +++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2021 Red Hat, Inc. + * Copyright (c) 2012-2022 Red Hat, Inc. * This program and the accompanying materials are made * available under the terms of the Eclipse Public License 2.0 * which is available at https://www.eclipse.org/legal/epl-2.0/ @@ -26,7 +26,6 @@ import static org.testng.Assert.assertEquals; import static org.testng.Assert.assertNotNull; import static org.testng.Assert.assertTrue; -import com.google.common.collect.ImmutableList; import io.fabric8.kubernetes.api.model.Namespace; import io.fabric8.kubernetes.api.model.NamespaceBuilder; import io.fabric8.kubernetes.api.model.ServiceAccount; 
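Review bot: Nothing in this patch removes the previous `che-workspace-stop` binding from projects that were configured before the upgrade, now that `createStopWorkspacesRoleBinding` names the binding after the role. A leftover binding keeps referencing the `workspace-stop` role for the `che` service account independently of the new object, so later disabling or tightening the feature would leave a grant nobody manages; deleting the old name in `configure`, or documenting the cleanup for upgrades, closes that gap. Separately, the role reference sets kind and name but no API group; the API server appears to default it, but adding `.withApiGroup("rbac.authorization.k8s.io")` after `.withNewRoleRef()` makes the manifest explicit and matches what is stored.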
@@ -42,7 +41,6 @@ import io.fabric8.openshift.api.model.ProjectRequest; import io.fabric8.openshift.api.model.ProjectRequestFluent.MetadataNested; import io.fabric8.openshift.api.model.RoleBinding; import io.fabric8.openshift.api.model.RoleBindingList; -import io.fabric8.openshift.api.model.UserBuilder; import io.fabric8.openshift.client.OpenShiftClient; import io.fabric8.openshift.client.dsl.ProjectOperation; import io.fabric8.openshift.client.dsl.ProjectRequestOperation; @@ -112,6 +110,9 @@ public class OpenShiftProjectTest { lenient().when(clientFactory.createOC(anyString())).thenReturn(openShiftClient); lenient().when(cheServerOpenshiftClientFactory.createOC()).thenReturn(openShiftCheServerClient); + lenient() + .when(cheServerOpenshiftClientFactory.createOC(anyString())) + .thenReturn(openShiftCheServerClient); lenient().when(openShiftClient.adapt(OpenShiftClient.class)).thenReturn(openShiftClient); @@ -202,13 +203,6 @@ public class OpenShiftProjectTest { when(namespaceOperation.withName(anyString())).thenReturn(serviceAccountResource); when(serviceAccountResource.get()).thenReturn(mock(ServiceAccount.class)); doReturn(projectRequestOperation).when(openShiftCheServerClient).projectrequests(); - // doReturn(metadataNested).when(metadataNested).withName(anyString()); - when(openShiftCheServerClient.roleBindings()).thenReturn(mixedRoleBindingOperation); - lenient() - .when(mixedRoleBindingOperation.inNamespace(anyString())) - .thenReturn(nonNamespaceRoleBindingOperation); - when(openShiftClient.currentUser()) - .thenReturn(new UserBuilder().withNewMetadata().withName("user").endMetadata().build()); // when openShiftProject.prepare(true, true, Map.of(), Map.of()); 
@@ -218,46 +212,6 @@ public class OpenShiftProjectTest { Assert.assertEquals(captor.getValue().getMetadata().getName(), PROJECT_NAME); verifyNoMoreInteractions(openShiftCheServerClient); verifyNoMoreInteractions(kubernetesClient); - ArgumentCaptor roleBindingArgumentCaptor = - ArgumentCaptor.forClass(RoleBinding.class); - verify(nonNamespaceRoleBindingOperation).createOrReplace(roleBindingArgumentCaptor.capture()); - assertNotNull(roleBindingArgumentCaptor.getValue()); - } - - @Test(dependsOnMethods = "testOpenShiftProjectPreparingWhenProjectDoesNotExistWithCheServerSA") - public void testOpenShiftProjectPreparingRoleBindingWhenProjectDoesNotExistWithCheServerSA() - throws Exception { - // given - prepareNamespaceGet(PROJECT_NAME); - - Resource resource = prepareProjectResource(PROJECT_NAME); - doThrow(new KubernetesClientException("error", 403, null)).when(resource).get(); - final MixedOperation mixedOperation = mock(MixedOperation.class); - final NonNamespaceOperation namespaceOperation = mock(NonNamespaceOperation.class); - doReturn(mixedOperation).when(openShiftCheServerClient).serviceAccounts(); - when(mixedOperation.inNamespace(anyString())).thenReturn(namespaceOperation); - when(namespaceOperation.withName(anyString())).thenReturn(serviceAccountResource); - when(serviceAccountResource.get()).thenReturn(mock(ServiceAccount.class)); - doReturn(projectRequestOperation).when(openShiftCheServerClient).projectrequests(); - // doReturn(metadataNested).when(metadataNested).withName(anyString()); - when(openShiftCheServerClient.roleBindings()).thenReturn(mixedRoleBindingOperation); - lenient() - .when(mixedRoleBindingOperation.inNamespace(anyString())) - .thenReturn(nonNamespaceRoleBindingOperation); - when(openShiftClient.currentUser()) - .thenReturn(new UserBuilder().withNewMetadata().withName("jdoe").endMetadata().build()); - // when - openShiftProject.prepare(true, true, Map.of(), Map.of()); - - // then - ArgumentCaptor roleBindingArgumentCaptor = - 
ArgumentCaptor.forClass(RoleBinding.class); - verify(nonNamespaceRoleBindingOperation).createOrReplace(roleBindingArgumentCaptor.capture()); - RoleBinding roleBinding = roleBindingArgumentCaptor.getValue(); - assertNotNull(roleBinding); - assertEquals(roleBinding.getMetadata().getName(), "admin"); - assertEquals(roleBinding.getRoleRef().getName(), "admin"); - assertEquals(roleBinding.getUserNames(), ImmutableList.of("jdoe")); } @Test(expectedExceptions = InfrastructureException.class) @@ -596,13 +550,13 @@ public class OpenShiftProjectTest { ProjectOperation projectOperation = mock(ProjectOperation.class); doReturn(projectResource).when(projectOperation).withName(projectName); - doReturn(projectOperation).when(openShiftClient).projects(); + doReturn(projectOperation).when(openShiftCheServerClient).projects(); when(projectResource.get()) .thenReturn( new ProjectBuilder().withNewMetadata().withName(projectName).endMetadata().build()); - openShiftClient.projects().withName(projectName).get(); + openShiftCheServerClient.projects().withName(projectName).get(); return projectResource; } @@ -611,7 +565,7 @@ public class OpenShiftProjectTest { new NamespaceBuilder().withNewMetadata().withName(namespaceName).endMetadata().build(); NonNamespaceOperation nsOperation = mock(NonNamespaceOperation.class); - doReturn(nsOperation).when(openShiftClient).namespaces(); + doReturn(nsOperation).when(openShiftCheServerClient).namespaces(); Resource nsResource = mock(Resource.class); doReturn(nsResource).when(nsOperation).withName(namespaceName); diff --git a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java index e59f0888bc..6e8af087d2 100644 
--- a/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java +++ b/infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/configurator/OpenShiftStopWorkspaceRoleConfiguratorTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2021 Red Hat, Inc. + * Copyright (c) 2012-2022 Red Hat, Inc. * This program and the accompanying materials are made * available under the terms of the Eclipse Public License 2.0 * which is available at https://www.eclipse.org/legal/epl-2.0/ 
@@ -20,22 +20,15 @@ import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import static org.testng.Assert.assertEquals; -import io.fabric8.kubernetes.api.model.ObjectReferenceBuilder; +import io.fabric8.kubernetes.api.model.rbac.*; import io.fabric8.kubernetes.client.KubernetesClient; import io.fabric8.kubernetes.client.dsl.MixedOperation; import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation; +import io.fabric8.kubernetes.client.dsl.RbacAPIGroupDSL; import io.fabric8.kubernetes.client.dsl.Resource; -import io.fabric8.openshift.api.model.PolicyRuleBuilder; -import io.fabric8.openshift.api.model.Role; -import io.fabric8.openshift.api.model.RoleBinding; -import io.fabric8.openshift.api.model.RoleBindingBuilder; -import io.fabric8.openshift.api.model.RoleBindingList; -import io.fabric8.openshift.api.model.RoleBuilder; -import io.fabric8.openshift.api.model.RoleList; -import io.fabric8.openshift.client.OpenShiftClient; import org.eclipse.che.api.workspace.server.spi.InfrastructureException; +import org.eclipse.che.workspace.infrastructure.kubernetes.CheServerKubernetesClientFactory; import org.eclipse.che.workspace.infrastructure.kubernetes.environment.CheInstallationLocation; -import org.eclipse.che.workspace.infrastructure.openshift.OpenShiftClientFactory; import org.mockito.Mock; import org.mockito.testng.MockitoTestNGListener; import org.testng.annotations.BeforeMethod; @@ -54,9 +47,8 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { @Mock private CheInstallationLocation cheInstallationLocation; private OpenShiftStopWorkspaceRoleConfigurator stopWorkspaceRoleProvisioner; - @Mock private OpenShiftClientFactory clientFactory; - @Mock private OpenShiftClient osClient; - @Mock private KubernetesClient kubernetesClient; + @Mock private CheServerKubernetesClientFactory cheClientFactory; + @Mock private KubernetesClient client; @Mock private MixedOperation> mixedRoleOperation; 
@@ -74,6 +66,7 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { @Mock private Resource roleBindingResource; @Mock private Role mockRole; @Mock private RoleBinding mockRoleBinding; + @Mock private RbacAPIGroupDSL rbacAPIGroupDSL; private final Role expectedRole = new RoleBuilder() @@ -106,15 +99,14 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { private final RoleBinding expectedRoleBinding = new RoleBindingBuilder() .withNewMetadata() - .withName("che-workspace-stop") - .withNamespace("developer-che") + .withName("workspace-stop") .endMetadata() .withNewRoleRef() + .withKind("Role") .withName("workspace-stop") - .withNamespace("developer-che") .endRoleRef() .withSubjects( - new ObjectReferenceBuilder() + new SubjectBuilder() .withKind("ServiceAccount") .withName("che") .withNamespace("che") @@ -126,10 +118,11 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { lenient().when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn("che"); stopWorkspaceRoleProvisioner = new OpenShiftStopWorkspaceRoleConfigurator( - clientFactory, cheInstallationLocation, true, "yes"); - lenient().when(clientFactory.createOC()).thenReturn(osClient); - lenient().when(osClient.roles()).thenReturn(mixedRoleOperation); - lenient().when(osClient.roleBindings()).thenReturn(mixedRoleBindingOperation); + cheClientFactory, cheInstallationLocation, true, "yes"); + lenient().when(cheClientFactory.create()).thenReturn(client); + lenient().when(client.rbac()).thenReturn(rbacAPIGroupDSL); + lenient().when(rbacAPIGroupDSL.roles()).thenReturn(mixedRoleOperation); + lenient().when(rbacAPIGroupDSL.roleBindings()).thenReturn(mixedRoleBindingOperation); lenient() .when(mixedRoleOperation.inNamespace(anyString())) .thenReturn(nonNamespaceRoleOperation); 
@@ -156,7 +149,7 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { @Test public void shouldCreateRoleBinding() throws InfrastructureException { assertEquals( - stopWorkspaceRoleProvisioner.createStopWorkspacesRoleBinding("developer-che"), + stopWorkspaceRoleProvisioner.createStopWorkspacesRoleBinding("workspace-stop"), expectedRoleBinding); } @@ -164,24 +157,8 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { public void shouldCreateRoleAndRoleBindingWhenRoleDoesNotYetExist() throws InfrastructureException { stopWorkspaceRoleProvisioner.configure(null, "developer-che"); - verify(osClient, times(2)).roles(); - verify(osClient.roles(), times(2)).inNamespace("developer-che"); - verify(osClient.roles().inNamespace("developer-che")).withName("workspace-stop"); - verify(osClient.roles().inNamespace("developer-che")).createOrReplace(expectedRole); - verify(osClient).roleBindings(); - verify(osClient.roleBindings()).inNamespace("developer-che"); - verify(osClient.roleBindings().inNamespace("developer-che")) - .createOrReplace(expectedRoleBinding); - } - - @Test - public void shouldCreateRoleBindingWhenRoleAlreadyExists() throws InfrastructureException { - lenient().when(roleResource.get()).thenReturn(expectedRole); - stopWorkspaceRoleProvisioner.configure(null, "developer-che"); - verify(osClient, times(1)).roles(); - verify(osClient).roleBindings(); - verify(osClient.roleBindings()).inNamespace("developer-che"); - verify(osClient.roleBindings().inNamespace("developer-che")) + verify(client.rbac().roles().inNamespace("developer-che")).createOrReplace(expectedRole); + verify(client.rbac().roleBindings().inNamespace("developer-che")) .createOrReplace(expectedRoleBinding); } 
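Review bot: `shouldCreateRoleAndRoleBindingWhenRoleDoesNotYetExist` keeps a name that no longer matches the code, since `configure` no longer checks whether the role exists, and the deleted `shouldCreateRoleBindingWhenRoleAlreadyExists` test is not replaced. The behaviour worth pinning is that an existing `workspace-stop` role with different rules is overwritten, because that is what reverts tampering inside a user-controlled namespace. Renaming the test to something like `shouldCreateOrReplaceRoleAndRoleBinding` and adding a case where `roleResource.get()` returns a modified role, still expecting `createOrReplace(expectedRole)`, would document that guarantee.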
@@ -190,11 +167,9 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { throws InfrastructureException { OpenShiftStopWorkspaceRoleConfigurator disabledStopWorkspaceRoleProvisioner = new OpenShiftStopWorkspaceRoleConfigurator( - clientFactory, cheInstallationLocation, false, "yes"); + cheClientFactory, cheInstallationLocation, false, "yes"); disabledStopWorkspaceRoleProvisioner.configure(null, "developer-che"); - verify(osClient, never()).roles(); - verify(osClient, never()).roleBindings(); - verify(osClient.roleBindings(), never()).inNamespace("developer-che"); + verify(client, never()).rbac(); } @Test @@ -204,11 +179,9 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { OpenShiftStopWorkspaceRoleConfigurator stopWorkspaceRoleProvisionerWithoutValidInstallationLocation = new OpenShiftStopWorkspaceRoleConfigurator( - clientFactory, cheInstallationLocation, true, "yes"); + cheClientFactory, cheInstallationLocation, true, "yes"); stopWorkspaceRoleProvisionerWithoutValidInstallationLocation.configure(null, "developer-che"); - verify(osClient, never()).roles(); - verify(osClient, never()).roleBindings(); - verify(osClient.roleBindings(), never()).inNamespace("developer-che"); + verify(client, never()).rbac(); } @Test @@ -217,10 +190,10 @@ public class OpenShiftStopWorkspaceRoleConfiguratorTest { when(cheInstallationLocation.getInstallationLocationNamespace()).thenReturn("something"); OpenShiftStopWorkspaceRoleConfigurator configurator = new OpenShiftStopWorkspaceRoleConfigurator( - clientFactory, cheInstallationLocation, true, null); + cheClientFactory, cheInstallationLocation, true, null); configurator.configure(null, "something"); - verify(clientFactory, times(0)).createOC(); + verify(cheClientFactory, times(0)).create(); } } From dfe5b372c239a1467f716ddf94bd5c18e3c9c948 Mon Sep 17 00:00:00 2001 From: Anatolii Bazko Date: Thu, 6 Oct 2022 09:57:38 +0300 Subject: [PATCH 2/2] Fix import 
Signed-off-by: Anatolii Bazko --- .../infrastructure/openshift/OpenShiftInfraModule.java | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java index 92a9a42e13..154ded2873 100644 --- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java +++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/OpenShiftInfraModule.java 
@@ -49,7 +49,14 @@ import org.eclipse.che.workspace.infrastructure.kubernetes.devfile.KubernetesDev import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironment; import org.eclipse.che.workspace.infrastructure.kubernetes.environment.KubernetesEnvironmentFactory; import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.KubernetesNamespaceFactory; -import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.*; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.CredentialsSecretConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.GitconfigUserDataConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.NamespaceConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.PreferencesConfigMapConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.SshKeysConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPermissionConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserPreferencesConfigurator; +import org.eclipse.che.workspace.infrastructure.kubernetes.namespace.configurator.UserProfileConfigurator; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.GatewayTlsProvisioner; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiExternalEnvVarProvider; import org.eclipse.che.workspace.infrastructure.kubernetes.provision.KubernetesCheApiInternalEnvVarProvider;