diff --git a/pkg/reconciler/broker/broker_test.go b/pkg/reconciler/broker/broker_test.go
index 01ed141ea68..baa385f9d8e 100644
--- a/pkg/reconciler/broker/broker_test.go
+++ b/pkg/reconciler/broker/broker_test.go
@@ -857,6 +857,52 @@ func TestReconcile(t *testing.T) {
 feature.AuthorizationDefaultMode: feature.AuthorizationAllowSameNamespace,
 }),
 },
+ {
+ Name: "Should respect setting default authorization mode",
+ Key: testKey,
+ Objects: []runtime.Object{
+ makeDLSServiceAsUnstructured(),
+ NewBroker(brokerName, testNS,
+ WithBrokerClass(eventing.MTChannelBrokerClassValue),
+ WithBrokerConfig(config()),
+ WithDeadLeaderSink(sinkSVCDest),
+ WithInitBrokerConditions),
+ createChannel(withChannelReady, withChannelDeadLetterSink(sinkSVCDest)),
+ imcConfigMap(),
+ NewEndpoints(filterServiceName, systemNS,
+ WithEndpointsLabels(FilterLabels()),
+ WithEndpointsAddresses(corev1.EndpointAddress{IP: "127.0.0.1"})),
+ NewEndpoints(ingressServiceName, systemNS,
+ WithEndpointsLabels(IngressLabels()),
+ WithEndpointsAddresses(corev1.EndpointAddress{IP: "127.0.0.1"})),
+ },
+ WantErr: false,
+ WantCreates: []runtime.Object{
+ makeEventPolicy(),
+ },
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: NewBroker(brokerName, testNS,
+ WithBrokerClass(eventing.MTChannelBrokerClassValue),
+ WithBrokerConfig(config()),
+ WithBrokerReadyWithDLS,
+ WithDeadLeaderSink(sinkSVCDest),
+ WithBrokerAddress(&duckv1.Addressable{
+ URL: brokerAddress,
+ Audience: &brokerAudience,
+ }),
+ WithBrokerStatusDLS(dls),
+ WithChannelAddressAnnotation(triggerChannelURL),
+ WithChannelAPIVersionAnnotation(triggerChannelAPIVersion),
+ WithChannelKindAnnotation(triggerChannelKind),
+ WithChannelNameAnnotation(triggerChannelName),
+ WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode(string(feature.AuthorizationDenyAll)),
+ ),
+ }},
+ Ctx: feature.ToContext(context.Background(), feature.Flags{
+ feature.OIDCAuthentication: feature.Enabled,
+ feature.AuthorizationDefaultMode: feature.AuthorizationDenyAll,
+ }),
+ },
 {
 Name: "Should list applying EventPolicies",
 Key: testKey,
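Review bot: The added case "Should respect setting default authorization mode" still expects `makeEventPolicy()` in `WantCreates` while the default mode is `feature.AuthorizationDenyAll`, and nothing in the case says why a policy is created under deny-all. A short comment above `WantCreates` stating which policy this is and that it is created independently of the default mode (if that is the intent) would keep a later reader from taking it for an accidental allow rule. The case also only pins the status condition text, so it shows what the reconciler reports rather than that events are actually rejected; naming it for that, e.g. `Name: "Should report deny-all default authorization mode in status"`, would make the scope clear. The TestReconcile table starts and ends outside this hunk.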
diff --git a/pkg/reconciler/eventpolicy/eventpolicy_test.go b/pkg/reconciler/eventpolicy/eventpolicy_test.go
index dcc7ab0ec44..cfdaedcccae 100644
--- a/pkg/reconciler/eventpolicy/eventpolicy_test.go
+++ b/pkg/reconciler/eventpolicy/eventpolicy_test.go
@@ -195,6 +195,35 @@ func TestReconcile(t *testing.T) {
 },
 WantErr: false,
 },
+ {
+ Name: "Multiple subjects found using glob style expression, status set to Ready",
+ Ctx: feature.ToContext(context.TODO(), feature.Flags{
+ feature.OIDCAuthentication: feature.Enabled,
+ }),
+ Key: testNS + "/" + eventPolicyName,
+ Objects: []runtime.Object{
+ apiServerSourceWithServiceAccount,
+ pingSourceWithServiceAccount,
+ NewEventPolicy(eventPolicyName, testNS,
+ WithInitEventPolicyConditions,
+ WithEventPolicyFromSub(fmt.Sprintf("system:serviceaccount:%s*", testNS)),
+ ),
+ },
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{
+ {
+ Object: NewEventPolicy(eventPolicyName, testNS,
+ WithEventPolicyFromSub(fmt.Sprintf("system:serviceaccount:%s*", testNS)),
+ WithEventPolicyStatusFromSub([]string{
+ fmt.Sprintf("system:serviceaccount:%s*", testNS),
+ }),
+ WithEventPolicyAuthenticationEnabledCondition,
+ WithReadyEventPolicyCondition,
+ WithEventPolicySubjectsResolvedSucceeded,
+ ),
+ },
+ },
+ WantErr: false,
+ },
 // test cases for authentication-oidc feature disabled afterwards
 {
diff --git a/pkg/reconciler/testing/v1/broker.go b/pkg/reconciler/testing/v1/broker.go
index b04ed910d96..a903259da50 100644
--- a/pkg/reconciler/testing/v1/broker.go
+++ b/pkg/reconciler/testing/v1/broker.go
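Review bot: The subject pattern `system:serviceaccount:%s*` in the new eventpolicy_test.go case has no `:` between the namespace and the wildcard, so if the trailing `*` is matched as a plain prefix it also covers service accounts in any other namespace whose name merely begins with `testNS`. Test fixtures tend to be copied into real policies, so I would scope it to the namespace with `fmt.Sprintf("system:serviceaccount:%s:*", testNS)` in all three places it appears in the hunk. Separately, the expected status only echoes the pattern through `WithEventPolicyStatusFromSub`, so the "Multiple subjects found" in the case name is not something the assertion demonstrates; a name such as "Glob-style subject is carried into status, status set to Ready" would describe what is checked. The TestReconcile table starts and ends outside this hunk.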
@@ -336,3 +336,9 @@ func WithBrokerEventPoliciesReadyBecauseNoPolicyAndOIDCEnabled() BrokerOption {
 b.Status.MarkEventPoliciesTrueWithReason("DefaultAuthorizationMode", "Default authz mode is %q", feature.AuthorizationAllowSameNamespace)
 }
 }
+
+func WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode(authMode string) BrokerOption {
+ return func(b *v1.Broker) {
+ b.Status.MarkEventPoliciesTrueWithReason("DefaultAuthorizationMode", "Default authz mode is %q", authMode)
+ }
+}
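Review bot: `WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode` is exported without a doc comment and repeats the body of `WithBrokerEventPoliciesReadyBecauseNoPolicyAndOIDCEnabled` just above it with only the mode changed. I would add `// WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode marks the EventPolicies condition true with reason "DefaultAuthorizationMode" and authMode in the message.` and have the older helper delegate with `return WithBrokerEventPoliciesReadyAndDefaultAuthorizationMode(string(feature.AuthorizationAllowSameNamespace))`, so the two status messages cannot drift apart. The older helper starts outside the hunk, so confirm that `%q` prints its flag value the same way as a plain string before delegating.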