-
Notifications
You must be signed in to change notification settings - Fork 169
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Validate required customer service principal permissions
- Loading branch information
1 parent
232d3bc
commit d719881
Showing
5 changed files
with
194 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
package cluster | ||
|
||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the Apache License 2.0. | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/Azure/ARO-RP/pkg/validate/dynamic" | ||
) | ||
|
||
/*************************************************************** | ||
Monitor the Cluster Service Prinicpal required permissions: | ||
- Network Contributor role on vnet | ||
****************************************************************/ | ||
|
||
func (mon *Monitor) emitValidatePermissions(ctx context.Context) error { | ||
subnets := []dynamic.Subnet{{ | ||
ID: mon.oc.Properties.MasterProfile.SubnetID, | ||
Path: "properties.masterProfile.subnetId", | ||
}} | ||
|
||
err := mon.validator.ValidateVnet(ctx, mon.oc.Location, subnets, mon.oc.Properties.NetworkProfile.PodCIDR, | ||
mon.oc.Properties.NetworkProfile.ServiceCIDR) | ||
|
||
if err != nil { | ||
mon.emitGauge("cluster.validateVnet.permissions", 1, map[string]string{ | ||
"vnetError": err.Error(), | ||
}) | ||
} | ||
|
||
err = mon.validator.ValidateSubnets(ctx, mon.oc, subnets) | ||
if err != nil { | ||
mon.emitGauge("cluster.validateSubnets.permissions", 1, map[string]string{ | ||
"subnetError": err.Error(), | ||
}) | ||
} | ||
|
||
err = mon.validator.ValidateDiskEncryptionSets(ctx, mon.oc) | ||
if err != nil { | ||
mon.emitGauge("cluster.validateDiskEncryptionSets.permissions", 1, map[string]string{ | ||
"diskEncryptionSetError": err.Error(), | ||
}) | ||
} | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package cluster | ||
|
||
// Copyright (c) Microsoft Corporation. | ||
// Licensed under the Apache License 2.0. | ||
|
||
import ( | ||
"context" | ||
"testing" | ||
|
||
"github.com/golang/mock/gomock" | ||
|
||
"github.com/Azure/ARO-RP/pkg/api" | ||
mock_authorization "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/authorization" | ||
mock_dynamic "github.com/Azure/ARO-RP/pkg/util/mocks/dynamic" | ||
mock_metrics "github.com/Azure/ARO-RP/pkg/util/mocks/metrics" | ||
) | ||
|
||
var ( | ||
resourceGroupName = "testGroup" | ||
subscriptionID = "0000000-0000-0000-0000-000000000000" | ||
resourceGroupID = "/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroupName | ||
vnetName = "testVnet" | ||
vnetID = resourceGroupID + "/providers/Microsoft.Network/virtualNetworks/" + vnetName | ||
) | ||
|
||
func TestEmitValidatePermissions(t *testing.T) { | ||
|
||
for _, tt := range []struct { | ||
name string | ||
mockVnetError error // Mock error for ValidateVnet | ||
mockSubnetError error // Mock error for ValidateVnet | ||
mockValidateDiskEncryptionSetsError error // Mock error for ValidateVnet | ||
expectedValidateVnet string | ||
expectedSubnet string | ||
expectedValidateDiskEncryptionSets string | ||
mocks func(*mock_authorization.MockPermissionsClient, context.CancelFunc) | ||
}{ | ||
{ | ||
name: "fail: missing permissions", | ||
mockVnetError: nil, | ||
expectedValidateVnet: "400: InvalidServicePrincipalPermissions: : The cluster service principal (Application ID: fff51942-b1f9-4119-9453-aaa922259eb7) does not have Network Contributor role on vnet '" + vnetID + "'.", | ||
}, | ||
} { | ||
t.Run(tt.name, func(t *testing.T) { | ||
ctx := context.Background() | ||
|
||
controller := gomock.NewController(t) | ||
defer controller.Finish() | ||
|
||
m := mock_metrics.NewMockEmitter(controller) | ||
validator := mock_dynamic.NewMockDynamic(controller) | ||
oc := &api.OpenShiftCluster{} | ||
mon := &Monitor{ | ||
m: m, | ||
oc: oc, | ||
validator: validator, // Set the mock validator | ||
} | ||
|
||
validator.EXPECT(). | ||
ValidateVnet(ctx, gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()). | ||
Return(tt.mockVnetError) | ||
|
||
validator.EXPECT(). | ||
ValidateSubnets(ctx, gomock.Any(), gomock.Any()). | ||
Return(tt.mockSubnetError) | ||
|
||
validator.EXPECT(). | ||
ValidateDiskEncryptionSets(ctx, gomock.Any()). | ||
Return(tt.mockValidateDiskEncryptionSetsError) | ||
|
||
if tt.mockVnetError == nil { | ||
m.EXPECT().EmitGauge("cluster.validateVnet.permissions", int64(1), map[string]string{ | ||
"vnetError": tt.expectedValidateVnet, | ||
}) | ||
} | ||
|
||
if tt.mockSubnetError != nil { | ||
m.EXPECT().EmitGauge("cluster.validateSubnets.permissions", int64(1), map[string]string{ | ||
"subnetError": tt.expectedSubnet, | ||
}) | ||
} | ||
|
||
if tt.mockValidateDiskEncryptionSetsError != nil { | ||
m.EXPECT().EmitGauge("cluster.validateDiskEncryptionSets.permissions", int64(1), map[string]string{ | ||
"diskEncryptionSetError": tt.expectedValidateDiskEncryptionSets, | ||
}) | ||
} | ||
err := mon.emitValidatePermissions(ctx) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters