Allow empty string for {Cluster,}Role apiGroups (#448)

* Validate SERVICE_ACCOUNT roles * Add check for resources and verbs in rules * Allow empty string for apiGroups
GoogleCloudPlatform · Dec 19, 2019 · 8e1511a · 8e1511a
1 parent 755e9ae
commit 8e1511a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 10 deletions.
diff --git a/marketplace/deployer_util/config_helper.py b/marketplace/deployer_util/config_helper.py
@@ -794,10 +794,10 @@ def __init__(self, dictionary):
           if rule.get('nonResourceURLs'):
             raise InvalidSchema(
                 'Only attributes for resourceRules are supported in rules')
-          if not rule.get('apiGroups') or not filter(lambda x: x,
-                                                     rule.get('apiGroups')):
-            raise InvalidSchema("Missing or empty apiGroups in rules. "
-                                "Did you mean [\"v1\"] or [\"*\"]?")
+          if not rule.get('apiGroups'):
+            raise InvalidSchema("Missing apiGroups in rules. "
+                                "Did you mean [\"\"] (only core APIs)"
+                                "or [\"*\"] (all)?")
           if not rule.get('resources') or not filter(lambda x: x,
                                                      rule.get('resources')):
             raise InvalidSchema('Missing or empty resources in rules.')

diff --git a/marketplace/deployer_util/config_helper_test.py b/marketplace/deployer_util/config_helper_test.py
@@ -599,6 +599,9 @@ def test_service_account(self):
                   - apiGroups: ['apps/v1']
                     resources: ['Deployment']
                     verbs: ['*']
+                  - apiGroups: ['']
+                    resources: ['Pods']
+                    verbs: ['*']
                   - apiGroups: ['apps/v1']
                     resources: ['StatefulSet']
                     verbs: ['*']
@@ -626,6 +629,11 @@ def test_service_account(self):
             'resources': ['Deployment'],
             'verbs': ['*']
         },
+        {
+            'apiGroups': [''],
+            'resources': ['Pods'],
+            'verbs': ['*']
+        },
         {
             'apiGroups': ['apps/v1'],
             'resources': ['StatefulSet'],
@@ -736,10 +744,9 @@ def test_service_account_custom_missingRules(self):
                     rulesType: CUSTOM
           """)
 
-  def test_service_account_custom_empty_apiGroups(self):
-    with self.assertRaisesRegexp(
-        config_helper.InvalidSchema,
-        r'^Missing or empty apiGroups in rules. Did you mean'):
+  def test_service_account_custom_missing_apiGroups(self):
+    with self.assertRaisesRegexp(config_helper.InvalidSchema,
+                                 r'^Missing apiGroups in rules. Did you mean'):
       config_helper.Schema.load_yaml("""
           properties:
             sa:
@@ -751,8 +758,7 @@ def test_service_account_custom_empty_apiGroups(self):
                   - type: Role
                     rulesType: CUSTOM
                     rules:
-                    - apiGroups: ['']
-                      resources: ['Pods']
+                    - resources: ['Pods']
                       verbs: ['*']
           """)