Test service account RBAC too #327
Merged
Broadly, these are the same as users, but ServiceAccounts can only belong to one org and cannot have permissions for another, so that's checked explicitly.
Creating service accounts needs an issuer, and this is a faff to set up; so I have recreated what the handler does, by using conversion.NewObjectMetadata(...). This means the accounts get a fresh UID every time, so the IDs get wrapped in a hold-all fixture. (Usually this is a good idea anyway, because it means you can generate names and IDs, and check everything still works.)

This is cherry-picked from #317, but since that already made a lot of changes (notably: authz is done only on information in the userinfo), I rewrote a substantial part of this. I removed some tests that are for malformed tokens (e.g., including more than one org), which aren't a possibility here. Those will go back in once that branch is rebased.