package cluster
// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.
import (
"fmt"
"reflect"
"testing"
mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
"github.com/Azure/go-autorest/autorest/to"
"github.com/sirupsen/logrus"
"go.uber.org/mock/gomock"
"github.com/Azure/ARO-RP/pkg/api"
"github.com/Azure/ARO-RP/pkg/util/arm"
"github.com/Azure/ARO-RP/pkg/util/azureclient"
mock_env "github.com/Azure/ARO-RP/pkg/util/mocks/env"
"github.com/Azure/ARO-RP/pkg/util/rbac"
utilerror "github.com/Azure/ARO-RP/test/util/error"
)
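// TestDenyAssignment pins the ExcludePrincipals list of the deny assignment
// that manager.denyAssignment renders for the cluster resource group. Those
// principals are the only ones exempt from the deny, so the comparison is
// exact: from the two cases below, a CSP cluster excludes just the cluster
// service principal, and a PWI cluster excludes the ObjectID of each platform
// workload identity, both typed as ServicePrincipal. Any additional principal
// showing up here widens what can bypass the deny assignment.
func TestDenyAssignment(t *testing.T) {
	// renderPrincipals turns an ExcludePrincipals list into quoted "id/type"
	// strings so a failing comparison shows values rather than pointer
	// addresses (%+v on a *[]Principal prints its *string fields as hex).
	// A nil pointer and an empty list are rendered differently on purpose,
	// since reflect.DeepEqual tells them apart too.
	renderPrincipals := func(ps *[]mgmtauthorization.Principal) string {
		if ps == nil {
			return "<nil>"
		}
		parts := make([]string, 0, len(*ps))
		for _, p := range *ps {
			id, typ := "<nil>", "<nil>"
			if p.ID != nil {
				id = *p.ID
			}
			if p.Type != nil {
				typ = *p.Type
			}
			parts = append(parts, id+"/"+typ)
		}
		return fmt.Sprintf("%q", parts)
	}

	tests := []struct {
		Name                      string
		ClusterDocument           *api.OpenShiftClusterDocument
		ExpectedExcludePrincipals *[]mgmtauthorization.Principal
	}{
		{
			Name: "cluster with ServicePrincipalProfile",
			ClusterDocument: &api.OpenShiftClusterDocument{
				OpenShiftCluster: &api.OpenShiftCluster{
					Properties: api.OpenShiftClusterProperties{
						ClusterProfile: api.ClusterProfile{
							ResourceGroupID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-cluster",
						},
						ServicePrincipalProfile: &api.ServicePrincipalProfile{
							SPObjectID: fakeClusterSPObjectId,
						},
					},
				},
			},
			ExpectedExcludePrincipals: &[]mgmtauthorization.Principal{
				{
					ID:   to.StringPtr(fakeClusterSPObjectId),
					Type: to.StringPtr(string(mgmtauthorization.ServicePrincipal)),
				},
			},
		},
		{
			Name: "cluster with PlatformWorkloadIdentityProfile",
			ClusterDocument: &api.OpenShiftClusterDocument{
				OpenShiftCluster: &api.OpenShiftCluster{
					Properties: api.OpenShiftClusterProperties{
						ClusterProfile: api.ClusterProfile{
							ResourceGroupID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-cluster",
						},
						PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{
							PlatformWorkloadIdentities: map[string]api.PlatformWorkloadIdentity{
								"anything": {
									ObjectID:   "00000000-0000-0000-0000-000000000000",
									ClientID:   "11111111-1111-1111-1111-111111111111",
									ResourceID: "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/something/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name",
								},
							},
						},
					},
				},
			},
			ExpectedExcludePrincipals: &[]mgmtauthorization.Principal{
				{
					ID:   to.StringPtr("00000000-0000-0000-0000-000000000000"),
					Type: to.StringPtr(string(mgmtauthorization.ServicePrincipal)),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.Name, func(t *testing.T) {
			// Build the manager inside the subtest so no cluster document
			// leaks from one case into the next; this also matches how the
			// other tests in this file construct their manager.
			m := &manager{
				log: logrus.NewEntry(logrus.StandardLogger()),
				doc: test.ClusterDocument,
			}

			denyAssignment := m.denyAssignment().Resource.(*mgmtauthorization.DenyAssignment)
			actual := denyAssignment.ExcludePrincipals
			if !reflect.DeepEqual(test.ExpectedExcludePrincipals, actual) {
				t.Errorf("expected %s, got %s", renderPrincipals(test.ExpectedExcludePrincipals), renderPrincipals(actual))
			}
		})
	}
}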
// TestFpspStorageBlobContributorRBAC covers manager.fpspStorageBlobContributorRBAC,
// which renders the ARM role assignment granting the first-party service
// principal Storage Blob Data Contributor on the cluster storage account.
//
// Two properties are pinned:
//   - the call must fail on a cluster that uses a cluster service principal
//     (the error message in the first case), and
//   - on a platform workload identity cluster, the rendered assignment is
//     scoped to the storage account resource only, uses exactly the
//     RoleStorageBlobDataContributor role definition, targets the supplied
//     principal ID, and depends on the storage account being deployed first.
func TestFpspStorageBlobContributorRBAC(t *testing.T) {
	const (
		storageAccountName = "clustertest"
		fakePrincipalID    = "fakeID"
		resourceType       = "Microsoft.Storage/storageAccounts"
	)
	// ARM template expression that resolves to the storage account; it is
	// reused for the assignment name, its scope and its dependency.
	resourceID := fmt.Sprintf("resourceId('%s', '%s')", resourceType, storageAccountName)

	cspCluster := &api.OpenShiftClusterDocument{
		OpenShiftCluster: &api.OpenShiftCluster{
			Properties: api.OpenShiftClusterProperties{
				ClusterProfile: api.ClusterProfile{
					ResourceGroupID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-cluster",
				},
				ServicePrincipalProfile: &api.ServicePrincipalProfile{
					SPObjectID: fakeClusterSPObjectId,
				},
			},
		},
	}

	pwiCluster := &api.OpenShiftClusterDocument{
		OpenShiftCluster: &api.OpenShiftCluster{
			Properties: api.OpenShiftClusterProperties{
				PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{},
			},
		},
	}

	expectedRoleAssignment := &arm.Resource{
		Resource: mgmtauthorization.RoleAssignment{
			Name: to.StringPtr("[concat('clustertest', '/Microsoft.Authorization/', guid(" + resourceID + "))]"),
			Type: to.StringPtr(resourceType + "/providers/roleAssignments"),
			RoleAssignmentPropertiesWithScope: &mgmtauthorization.RoleAssignmentPropertiesWithScope{
				Scope:            to.StringPtr("[" + resourceID + "]"),
				RoleDefinitionID: to.StringPtr("[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '" + rbac.RoleStorageBlobDataContributor + "')]"),
				PrincipalID:      to.StringPtr("['" + fakePrincipalID + "']"),
				PrincipalType:    mgmtauthorization.ServicePrincipal,
			},
		},
		APIVersion: azureclient.APIVersion("Microsoft.Authorization"),
		DependsOn: []string{
			"[" + resourceID + "]",
		},
	}

	cases := []struct {
		Name                string
		ClusterDocument     *api.OpenShiftClusterDocument
		ExpectedArmResource *arm.Resource
		wantErr             string
	}{
		{
			Name:            "Fail : cluster with ServicePrincipalProfile",
			ClusterDocument: cspCluster,
			wantErr:         "fpspStorageBlobContributorRBAC called for a Cluster Service Principal cluster",
		},
		{
			Name:                "Success : cluster with PlatformWorkloadIdentityProfile",
			ClusterDocument:     pwiCluster,
			ExpectedArmResource: expectedRoleAssignment,
		},
	}

	for _, tc := range cases {
		t.Run(tc.Name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			defer ctrl.Finish()

			m := &manager{
				doc: tc.ClusterDocument,
				env: mock_env.NewMockInterface(ctrl),
			}

			got, err := m.fpspStorageBlobContributorRBAC(storageAccountName, fakePrincipalID)
			utilerror.AssertErrorMessage(t, err, tc.wantErr)

			if !reflect.DeepEqual(tc.ExpectedArmResource, got) {
				t.Error("resultant ARM resource isn't the same as expected.")
			}
		})
	}
}