From f2ff8547d68a3b862776ef80f1cc78dd588c3b58 Mon Sep 17 00:00:00 2001
From: Joseph Sims
Date: Fri, 13 Feb 2026 09:15:04 -0600
Subject: [PATCH] modified VerifyUserCanCreateProjects helper function to add creatorID annotation for cluster member and VerifyUserCanCreateNamespace to handle 403 error explicitly.

---
 actions/rbac/verify.go | 30 +++++++++++++++++++-----------
 validation/rbac/rbac_test.go | 2 +-
 2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/actions/rbac/verify.go b/actions/rbac/verify.go
index dbf13875c2..0b449657a3 100644
--- a/actions/rbac/verify.go
+++ b/actions/rbac/verify.go
@@ -98,16 +98,22 @@ func VerifyUserCanGetProject(t *testing.T, client, standardClient *rancher.Clien
 }
 
 // VerifyUserCanCreateProjects validates a user with the required cluster permissions are able/not able to create projects in the downstream cluster
-func VerifyUserCanCreateProjects(t *testing.T, client, standardClient *rancher.Client, clusterID string, role Role) {
-	memberProject, err := projectapi.CreateProject(standardClient, clusterID)
-	switch role {
-	case ClusterOwner, ClusterMember:
-		require.NoError(t, err)
-		log.Info("Created project as a ", role, " is ", memberProject.Name)
-	case ProjectOwner, ProjectMember:
-		require.Error(t, err)
-		assert.True(t, apierrors.IsForbidden(err))
-	}
+func VerifyUserCanCreateProjects(t *testing.T, client, standardClient *rancher.Client, standardUser *management.User, clusterID string, role Role) {
+	projectTemplate := projectapi.NewProjectTemplate(clusterID)
+	if role.String() == ClusterMember.String() {
+		projectTemplate.Annotations = map[string]string{
+			"field.cattle.io/creatorId": standardUser.ID,
+		}
+	}
+	memberProject, err := standardClient.WranglerContext.Mgmt.Project().Create(projectTemplate)
+	switch role {
+	case ClusterOwner, ClusterMember:
+		require.NoError(t, err)
+		log.Info("Created project as a ", role, " is ", memberProject.Name)
+	case ProjectOwner, ProjectMember:
+		require.Error(t, err)
+		assert.True(t, apierrors.IsForbidden(err))
+	}
 }
 
 // VerifyUserCanCreateNamespace validates a user with the required cluster permissions are able/not able to create namespaces in the project they do not own
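Review bot: The new `if role.String() == ClusterMember.String() {` line compares roles by their string form while the `switch role` a few lines below compares the same value directly; `if role == ClusterMember {` keeps the two checks consistent, unless Role is deliberately not comparable, which this hunk does not show. The annotation block also carries no explanation of why only a cluster member sets `field.cattle.io/creatorId` to its own ID; since that annotation drives project ownership and the server is expected to accept a client-supplied value only when it matches the requesting user, a one-line why-comment such as `// cluster members must name themselves as creator for the create to be accepted — confirm against the webhook` would keep a later reader from dropping it or generalising it to other roles. `standardUser` is dereferenced without a guard, so a nil argument panics instead of failing the test; `require.NotNil(t, standardUser)` before the block turns that into a clear assertion. The `client` parameter remains unused, as it was before the change.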
@@ -129,7 +135,9 @@ func VerifyUserCanCreateNamespace(t *testing.T, client, standardClient *rancher.
 		assert.Equal(t, ActiveStatus, strings.ToLower(actualStatus))
 	case ClusterMember:
 		require.Error(t, checkErr)
-		assert.True(t, apierrors.IsForbidden(checkErr))
+		statusErr, ok := checkErr.(*apierrors.StatusError)
+		require.True(t, ok, "expected error to be a StatusError")
+		assert.Equal(t, int32(403), statusErr.ErrStatus.Code)
 	}
 }
 
diff --git a/validation/rbac/rbac_test.go b/validation/rbac/rbac_test.go
index b81ee50a92..4735e8d73c 100644
--- a/validation/rbac/rbac_test.go
+++ b/validation/rbac/rbac_test.go
@@ -86,7 +86,7 @@ func (rb *RBTestSuite) sequentialTestRBAC(role rbac.Role, member string, user *m
 		rbac.VerifyUserCanGetProject(rb.T(), rb.client, standardClient, rb.cluster.ID, adminProject.Name, role)
 	})
 	rb.Run("Validating if members with role "+role.String()+" is able to create a project in the cluster", func() {
-		rbac.VerifyUserCanCreateProjects(rb.T(), rb.client, standardClient, rb.cluster.ID, role)
+		rbac.VerifyUserCanCreateProjects(rb.T(), rb.client, standardClient, user, rb.cluster.ID, role)
 	})
 	rb.Run("Validating if "+role.String()+" can lists all namespaces in a cluster.", func() {
 		rbac.VerifyUserCanListNamespace(rb.T(), rb.client, standardClient, adminProject, rb.cluster.ID, role)
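Review bot: The bare type assertion `checkErr.(*apierrors.StatusError)` on the first added line only matches an unwrapped StatusError, so if any client layer wraps the error with `%w` the test fails on the `require.True(t, ok, ...)` line for the wrong reason, whereas the replaced `apierrors.IsForbidden` unwraps in recent apimachinery releases. `var statusErr *apierrors.StatusError` followed by `require.True(t, errors.As(checkErr, &statusErr), "expected error to be a StatusError")` keeps the explicit 403 check while tolerating wrapping; it needs the `errors` import, which is outside this hunk. The literal `int32(403)` would read better as `int32(http.StatusForbidden)` if net/http is already imported in this file. The body of VerifyUserCanCreateNamespace begins before this hunk, and the commit does not say what the previous IsForbidden check missed, so a short comment above the new lines stating why the status code is checked rather than the reason would help the next reader.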