CLOUDP-349078: custom roles regression tests

Author: lsierant

controllers/operator/common_controller_test.go

@@ -406,6 +406,98 @@ func TestDontSendNilPrivileges(t *testing.T) {
 	assert.NotNil(t, roles[0].Privileges)
 }
 
+func TestCheckEmptyStringsInPrivilegesEquivalentToNotPassingFields(t *testing.T) {
+	ctx := context.Background()
+
+	roleWithEmptyStrings := mdbv1.MongoDBRole{
+		Role: "withEmptyStrings",
+		Db:   "admin",
+		Roles: []mdbv1.InheritedRole{{
+			Db:   "admin",
+			Role: "read",
+		}},
+		Privileges: []mdbv1.Privilege{
+			{
+				Resource: mdbv1.Resource{
+					Db:         "config",
+					Collection: "", // Explicit empty string
+				},
+				Actions: []string{"find", "update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "users",
+					Collection: "usersCollection",
+				},
+				Actions: []string{"update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "", // Explicit empty string
+					Collection: "", // Explicit empty string
+				},
+				Actions: []string{"find"},
+			},
+		},
+	}
+
+	// Role without empty strings (fields omitted, which should result in empty strings for string types)
+	roleWithoutEmptyStrings := mdbv1.MongoDBRole{
+		Role: "withoutEmptyFields",
+		Db:   "admin",
+		Roles: []mdbv1.InheritedRole{{
+			Db:   "admin",
+			Role: "read",
+		}},
+		Privileges: []mdbv1.Privilege{
+			{
+				Resource: mdbv1.Resource{
+					Db: "config",
+					// field not set, should pass ""
+				},
+				Actions: []string{"find", "update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					Db:         "users",
+					Collection: "usersCollection",
+				},
+				Actions: []string{"update", "insert", "remove"},
+			},
+			{
+				Resource: mdbv1.Resource{
+					// fields not set, should be passed as empty strings
+				},
+				Actions: []string{"find"},
+			},
+		},
+	}
+
+	rs := DefaultReplicaSetBuilder().SetRoles([]mdbv1.MongoDBRole{roleWithEmptyStrings, roleWithoutEmptyStrings}).Build()
+	kubeClient, omConnectionFactory := mock.NewDefaultFakeClient()
+	controller := NewReconcileCommonController(ctx, kubeClient)
+	mockOm, _ := prepareConnection(ctx, controller, omConnectionFactory.GetConnectionFunc, t)
+
+	controller.ensureRoles(ctx, rs.Spec.DbCommonSpec, true, mockOm, kube.ObjectKeyFromApiObject(rs), zap.S())
+
+	ac, err := mockOm.ReadAutomationConfig()
+	assert.NoError(t, err)
+	roles, ok := ac.Deployment["roles"].([]mdbv1.MongoDBRole)
+	assert.True(t, ok)
+	require.Len(t, roles, 2)
+
+	assert.Equal(t, "config", roles[0].Privileges[0].Resource.Db)
+	assert.Equal(t, "", roles[0].Privileges[0].Resource.Collection)
+
+	assert.Equal(t, "users", roles[0].Privileges[1].Resource.Db)
+	assert.Equal(t, "usersCollection", roles[0].Privileges[1].Resource.Collection)
+
+	assert.Equal(t, "", roles[0].Privileges[2].Resource.Db)
+	assert.Equal(t, "", roles[0].Privileges[2].Resource.Collection)
+
+	assert.True(t, reflect.DeepEqual(roles[0].Privileges, roles[1].Privileges))
+}
+
 func TestSecretWatcherWithAllResources(t *testing.T) {
 	ctx := context.Background()
 	caName := "custom-ca"

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-with-empty-strings.yaml

@@ -0,0 +1,36 @@
+apiVersion: mongodb.com/v1
+kind: ClusterMongoDBRole
+metadata:
+  name: customrole-with-empty-strings
+spec:
+  role: "myClusterwideAdminWithEmptyStrings"
+  db: "admin"
+  roles:
+    - db: "admin"
+      role: "read"
+  privileges:
+    - resource:
+        db: "config"
+        collection: ""
+      actions:
+        - "find"
+        - "update"
+        - "insert"
+        - "remove"
+    - resource:
+        db: "users"
+        collection: "usersCollection"
+      actions:
+        - "update"
+        - "insert"
+        - "remove"
+    - resource:
+        db: ""
+        collection: ""
+      actions:
+        - "find"
+  authenticationRestrictions:
+    - clientSource:
+        - "127.0.0.0/8"
+      serverAddress:
+        - "10.0.0.0/8"

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role.yaml renamed to docker/mongodb-kubernetes-tests/tests/authentication/fixtures/cluster-mongodb-role-without-empty-strings.yaml

@@ -1,26 +1,31 @@
 apiVersion: mongodb.com/v1
 kind: ClusterMongoDBRole
 metadata:
-  name: test-customrole
+  name: customrole-without-empty-strings
 spec:
-  role: "test-customrole"
+  role: "myClusterwideAdminWithoutEmptyStrings"
   db: "admin"
   roles:
     - db: "admin"
-      role: "root"
+      role: "read"
   privileges:
     - resource:
-        db: "admin"
-        collection: "system.users"
+        db: "config"
       actions:
         - "find"
         - "update"
+        - "insert"
+        - "remove"
     - resource:
-        db: "admin"
-        collection: "system.roles"
+        db: "users"
+        collection: "usersCollection"
       actions:
-        - "find"
         - "update"
+        - "insert"
+        - "remove"
+    - resource: {}
+      actions:
+        - "find"
   authenticationRestrictions:
     - clientSource:
         - "127.0.0.0/8"

docker/mongodb-kubernetes-tests/tests/authentication/fixtures/replica-set-scram.yaml

@@ -12,7 +12,7 @@ spec:
       name: my-project
   credentials: my-credentials
   logLevel: DEBUG
-  persistent: false
+  persistent: true
   security:
     authentication:
       agents: