def test_wait_for_workflow(self):
with open(os.path.join(self.test_dir, "iam_bindings.yaml")) as bd:
iam_bindings = yaml.load(bd)
self.assertTrue(len(iam_bindings['bindings']) == 3)
members = iam_bindings['bindings'][0]['members']
for act in [
'*****@*****.**',
'*****@*****.**',
'*****@*****.**'
]:
self.assertTrue('serviceAccount:' + act in members)
cleanup_ci.trim_unused_bindings(
iam_bindings,
['*****@*****.**'])
# One binding is deleted as it lost all members.
self.assertTrue(len(iam_bindings['bindings']) == 2)
trimed_members = iam_bindings['bindings'][0]['members']
# binding to non-match service account still exists as it is not created by ci tests.
self.assertTrue(
'serviceAccount:[email protected]' in
trimed_members)
# binding to existing service account still exists.
self.assertTrue(
'serviceAccount:[email protected]'
in trimed_members)
# binding to unexist service account is deleted.
self.assertTrue(
'serviceAccount:[email protected]'
not in trimed_members)
def test_trim_unused_bindings():
this_dir = os.path.dirname(__file__)
test_data_dir = os.path.join(this_dir, "test_data")
with open(os.path.join(test_data_dir, "trim_bindings.input.yaml")) as hf:
policy = yaml.load(hf)
accounts = ["*****@*****.**"]
expected = set([
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:kubeflow-releasing@kubeflow-releasing"
".iam.gserviceaccount.com"
])
project = "someproject"
cleanup_ci.trim_unused_bindings(policy, accounts, project)
actual_bindings = set(policy["bindings"][0]["members"])
assert actual_bindings == expected