Skip to content

Instantly share code, notes, and snippets.

@someword

someword/rego test

Created January 17, 2019 16:49
Show Gist options
  • Save someword/86f08b3641767048ef5b20fe0ddaeb3c to your computer and use it in GitHub Desktop.
Save someword/86f08b3641767048ef5b20fe0ddaeb3c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rego test
package authorization
import data.k8s.matches
deny[{
"id": "user-kube-system",
"resource": {
"namespace": namespace,
},
"resolution": {"message": "Permission denied"},
}] {
matches[[namespace, resource]]
not re_match("^developer:", resource.spec.user)
resource.spec.resourceAttributes.namespace = "kube-system"
}
==== test file
package authorization
import data.authorization
test_sysadmin_allow {
count(data.authorization.deny) == 1 with input as {
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"resourceAttributes": {
"namespace": "secret_namespace",
"verb": "get",
"group": "core",
"resource": "secrets",
"name": "ciao"
},
"user": "sysadmin",
"group": [
"serviceacconts"
]
}
}
}
test_developer_deny {
deny = set() with input as {
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"resourceAttributes": {
"namespace": "secret_namespace",
"verb": "get",
"group": "core",
"resource": "secrets",
"name": "ciao"
},
"user": "developer",
"group": [
"serviceacconts"
]
}
}
}
==== test run
❯ docker run -it -v $PWD:/policy -w /policy openpolicyagent/opa test . -v
FAILURES
--------------------------------------------------------------------------------
data.authorization.test_sysadmin_allow: FAIL (690ns)
Enter data.authorization.test_sysadmin_allow = _
| Eval data.authorization.test_sysadmin_allow = _
| Index data.authorization.test_sysadmin_allow = _ (matched 1 rule)
| Enter test_sysadmin_allow = true { __local1__ = data.authorization.deny with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}; count(__local1__, __local0__) with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}; __local0__ = 1 with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}} }
| | Eval __local1__ = data.authorization.deny with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| | Index __local1__ = data.authorization.deny with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}} (matched 1 rule)
| | Enter deny[{"id": "user-kube-system", "resource": {"namespace": namespace}, "resolution": {"message": "Permission denied"}}] { data.k8s.matches[[namespace, resource]]; __local0__ = resource.spec.user; not re_match("^developer:", __local0__); resource.spec.resourceAttributes.namespace = "kube-system" }
| | | Eval data.k8s.matches[[namespace, resource]]
| | | Fail data.k8s.matches[[namespace, resource]]
| | Eval count(__local1__, __local0__) with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| | Eval __local0__ = 1 with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| | Fail __local0__ = 1 with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| | Redo count(__local1__, __local0__) with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| | Redo __local1__ = data.authorization.deny with input as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
| Fail data.authorization.test_sysadmin_allow = _
SUMMARY
--------------------------------------------------------------------------------
data.authorization.test_sysadmin_allow: FAIL (690ns)
data.authorization.test_developer_deny: PASS (564ns)
--------------------------------------------------------------------------------
PASS: 1/2
FAIL: 1/2
@someword
Copy link
Author

someword commented Jan 17, 2019
edited
Loading

Updated test file -----

package authorization

import data.authorization

test_sysadmin_allow {
    count(data.authorization.deny) == 0 with data.kubernetes["pod"]["kube-system"]["blah"] as {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
           "resourceAttributes": {
                "namespace": "secret_namespace",
                "verb": "get",
                "group": "core",
                "resource": "secrets",
                "name": "ciao"
            },
            "user": "sysadmin",
            "group": [
                "serviceacconts"
            ]
        }
    }
}


test_developer_deny {
    count(data.authorization.deny) == 1 with data.kubernetes["pod"]["kube-system"]["blah"] as {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
           "resourceAttributes": {
                "namespace": "secret_namespace",
                "verb": "get",
                "group": "core",
                "resource": "secrets",
                "name": "ciao"
            },
            "user": "developer",
            "group": [
                "serviceacconts"
            ]
        }
    }
}

----- still getting errors

❯ docker run -it -v $PWD:/policy -w /policy openpolicyagent/opa test . -v
FAILURES
--------------------------------------------------------------------------------
data.authorization.test_sysadmin_allow: FAIL (833ns)

  Enter data.authorization.test_sysadmin_allow = _
  | Eval data.authorization.test_sysadmin_allow = _
  | Index data.authorization.test_sysadmin_allow = _ (matched 1 rule)
  | Enter test_sysadmin_allow = true { __local1__ = data.authorization.deny with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}; count(__local1__, __local0__) with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}; __local0__ = 1 with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}} }
  | | Eval __local1__ = data.authorization.deny with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | | Index __local1__ = data.authorization.deny with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}} (matched 1 rule)
  | | Enter deny[{"id": "user-kube-system", "resource": {"kind": kind, "namespace": namespace, "name": name}, "resolution": {"message": "Permission denied"}}] { data.k8s.matches[[kind, namespace, name, resource]]; __local0__ = resource.spec.user; not re_match("^developer:", __local0__); resource.spec.resourceAttributes.namespace = "kube-system" }
  | | | Eval data.k8s.matches[[kind, namespace, name, resource]]
  | | | Index data.k8s.matches[[kind, namespace, name, resource]] (matched 2 rules)
  | | | Enter matches[[kind, namespace, name, __local0__]] { __local0__ = data.kubernetes[kind][namespace][name].object }
  | | | | Eval __local0__ = data.kubernetes[kind][namespace][name].object
  | | | | Fail __local0__ = data.kubernetes[kind][namespace][name].object
  | | | Enter matches[[kind, namespace, name, __local1__]] { __local1__ = data.kubernetes[kind][namespace][name] }
  | | | | Eval __local1__ = data.kubernetes[kind][namespace][name]
  | | | | Exit matches[[kind, namespace, name, __local1__]] { __local1__ = data.kubernetes[kind][namespace][name] }
  | | | Eval __local0__ = resource.spec.user
  | | | Eval not re_match("^developer:", __local0__)
  | | | | Eval re_match("^developer:", __local0__)
  | | | | Fail re_match("^developer:", __local0__)
  | | | Eval resource.spec.resourceAttributes.namespace = "kube-system"
  | | | Fail resource.spec.resourceAttributes.namespace = "kube-system"
  | | | Redo __local0__ = resource.spec.user
  | | | Redo data.k8s.matches[[kind, namespace, name, resource]]
  | | | Redo matches[[kind, namespace, name, __local1__]] { __local1__ = data.kubernetes[kind][namespace][name] }
  | | | | Redo __local1__ = data.kubernetes[kind][namespace][name]
  | | Eval count(__local1__, __local0__) with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | | Eval __local0__ = 1 with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | | Fail __local0__ = 1 with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | | Redo count(__local1__, __local0__) with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | | Redo __local1__ = data.authorization.deny with data.kubernetes.pod["kube-system"].blah as {"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": {"group": ["serviceacconts"], "resourceAttributes": {"group": "core", "name": "ciao", "namespace": "secret_namespace", "resource": "secrets", "verb": "get"}, "user": "sysadmin"}}
  | Fail data.authorization.test_sysadmin_allow = _

SUMMARY
--------------------------------------------------------------------------------
data.authorization.test_sysadmin_allow: FAIL (833ns)
data.authorization.test_developer_deny: PASS (488ns)
--------------------------------------------------------------------------------
PASS: 1/2
FAIL: 1/2

~/tmp/opa/rbac

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment