Test webhook validations

Author: lucian-tosa

docker/mongodb-kubernetes-tests/tests/mixed/crd_validation.py

@@ -38,6 +38,7 @@ def test_mongodbmulti_crd_is_valid(crd_api: ApiextensionsV1Api):
     resource = crd_api.read_custom_resource_definition("mongodbmulticluster.mongodb.com")
     assert crd_has_expected_conditions(resource)
 
+
 @mark.e2e_crd_validation
 def test_clustermongodbrole_crd_is_valid(crd_api: ApiextensionsV1Api):
     resource = crd_api.read_custom_resource_definition("clustermongodbrole.mongodb.com")

docker/mongodb-kubernetes-tests/tests/webhooks/e2e_mongodb_roles_validation_webhook.py

@@ -3,6 +3,7 @@
 from kubernetes.client.rest import ApiException
 from kubetester.kubetester import fixture as yaml_fixture
 from kubetester.mongodb import MongoDB
+from kubetester.mongodb_role import ClusterMongoDBRole
 from kubetester.operator import Operator
 from pytest import fixture
 
@@ -14,200 +15,186 @@ def mdb(namespace: str, custom_mdb_version: str) -> MongoDB:
     return resource
 
 
+@fixture(scope="function")
+def mdbr() -> ClusterMongoDBRole:
+    resource = ClusterMongoDBRole.from_yaml(
+        yaml_fixture("cluster_mongodb_role_base.yaml"), namespace="", cluster_scoped=True
+    )
+    return resource
+
+
 @pytest.mark.e2e_mongodb_roles_validation_webhook
 def test_wait_for_webhook(namespace: str, default_operator: Operator):
     default_operator.wait_for_webhook()
 
 
 # Basic testing for invalid empty values
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_empty_role_name(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Cannot create a role with an empty name",
-    ):
-        mdb.create()
+def test_empty_role_name(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+    }
+
+    err_msg = "Error validating role - Cannot create a role with an empty name"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_empty_db_name(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Cannot create a role with an empty db",
-    ):
-        mdb.create()
+def test_empty_db_name(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+    }
+
+    err_msg = "Error validating role - Cannot create a role with an empty db"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_inherited_role_empty_name(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-            "roles": [{"db": "admin", "role": ""}],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Cannot inherit from a role with an empty name",
-    ):
-        mdb.create()
+def test_inherited_role_empty_name(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+        "roles": [{"db": "admin", "role": ""}],
+    }
+
+    err_msg = "Error validating role - Cannot inherit from a role with an empty name"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_inherited_role_empty_db(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-            "roles": [{"db": "", "role": "role"}],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Cannot inherit from a role with an empty db",
-    ):
-        mdb.create()
+def test_inherited_role_empty_db(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+        "roles": [{"db": "", "role": "role"}],
+    }
+
+    err_msg = "Error validating role - Cannot inherit from a role with an empty db"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 # Testing for invalid authentication Restrictions
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_invalid_client_source(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-            "authenticationRestrictions": [{"clientSource": ["355.127.0.1"]}],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - AuthenticationRestriction is invalid - clientSource 355.127.0.1 is neither a valid IP address nor a valid CIDR range",
-    ):
-        mdb.create()
+def test_invalid_client_source(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+        "authenticationRestrictions": [{"clientSource": ["355.127.0.1"]}],
+    }
+
+    err_msg = "Error validating role - AuthenticationRestriction is invalid - clientSource 355.127.0.1 is neither a valid IP address nor a valid CIDR range"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_invalid_server_address(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-            "authenticationRestrictions": [{"serverAddress": ["355.127.0.1"]}],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - AuthenticationRestriction is invalid - serverAddress 355.127.0.1 is neither a valid IP address nor a valid CIDR range",
-    ):
-        mdb.create()
+def test_invalid_server_address(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+        "authenticationRestrictions": [{"serverAddress": ["355.127.0.1"]}],
+    }
+
+    err_msg = "Error validating role - AuthenticationRestriction is invalid - serverAddress 355.127.0.1 is neither a valid IP address nor a valid CIDR range"
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 # Testing for invalid privileges
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_invalid_cluster_and_db_collection(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insert"],
-                    "resource": {"collection": "foo", "db": "admin", "cluster": True},
-                }
-            ],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Privilege is invalid - Cluster: true is not compatible with setting db/collection",
-    ):
-        mdb.create()
+def test_invalid_cluster_and_db_collection(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insert"],
+                "resource": {"collection": "foo", "db": "admin", "cluster": True},
+            }
+        ],
+    }
+
+    err_msg = (
+        "Error validating role - Privilege is invalid - Cluster: true is not compatible with setting db/collection"
+    )
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_invalid_cluster_not_true(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [{"actions": ["insert"], "resource": {"cluster": False}}],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Privilege is invalid - The only valid value for privilege.cluster, if set, is true",
-    ):
-        mdb.create()
+def test_invalid_cluster_not_true(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [{"actions": ["insert"], "resource": {"cluster": False}}],
+    }
+
+    err_msg = (
+        "Error validating role - Privilege is invalid - The only valid value for privilege.cluster, if set, is true"
+    )
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
-def test_invalid_action(mdb: MongoDB):
-    mdb["spec"]["security"]["roles"] = [
-        {
-            "role": "role",
-            "db": "admin",
-            "privileges": [
-                {
-                    "actions": ["insertFoo"],
-                    "resource": {"collection": "foo", "db": "admin"},
-                }
-            ],
-        }
-    ]
-    with pytest.raises(
-        client.rest.ApiException,
-        match="Error validating role - Privilege is invalid - Actions are not valid - insertFoo is not a valid db action",
-    ):
-        mdb.create()
+def test_invalid_action(mdb: MongoDB, mdbr: ClusterMongoDBRole):
+    role = {
+        "role": "role",
+        "db": "admin",
+        "privileges": [
+            {
+                "actions": ["insertFoo"],
+                "resource": {"collection": "foo", "db": "admin"},
+            }
+        ],
+    }
+    err_msg = (
+        "Error validating role - Privilege is invalid - Actions are not valid - insertFoo is not a valid db action"
+    )
+
+    _assert_role_error(mdb, mdbr, role, err_msg)
 
 
 @pytest.mark.e2e_mongodb_roles_validation_webhook
@@ -235,3 +222,20 @@ def test_roles_and_role_refs(mdb: MongoDB):
         match="At most one of roles or roleRefs can be non-empty",
     ):
         mdb.create()
+
+
+def _assert_role_error(mdb: MongoDB, mdbr: ClusterMongoDBRole, role, err_msg):
+    mdb["spec"]["security"]["roles"] = [role]
+
+    with pytest.raises(
+        client.rest.ApiException,
+        match=err_msg,
+    ):
+        mdb.create()
+
+    mdbr["spec"] = role
+    with pytest.raises(
+        client.rest.ApiException,
+        match=err_msg,
+    ):
+        mdbr.create()

docker/mongodb-kubernetes-tests/tests/webhooks/fixtures/cluster_mongodb_role_base.yaml

@@ -0,0 +1,10 @@
+apiVersion: mongodb.com/v1
+kind: ClusterMongoDBRole
+metadata:
+  name: test-customrole
+spec:
+  role: ""
+  db: ""
+  roles: []
+  privileges: []
+  authenticationRestrictions: []