check rbac for deleting mco

Signed-off-by: Coleen Iona Quadros <coleen.quadros27@gmail.com>

tests/pkg/tests/observability_rbac_test.go

@@ -16,17 +16,16 @@ import (
 	"k8s.io/klog"
 )
 
-var _ = Describe("Observability:", func() {
+var _ = Describe("Observability:", Ordered, func() {
+	BeforeAll(func() {
+		cmd := exec.Command("../../setup_rbac_test.sh")
+		var out bytes.Buffer
+		cmd.Stdout = &out
+		err = cmd.Run()
+		Expect(err).To(BeNil())
+		klog.V(1).Infof("the output of setup_rbac_test.sh: %v", out.String())
+	})
 	It("RHACM4K-1406 - Observability - RBAC - only authorized user could query managed cluster metrics data [Observability][Integration]@ocpInterop @non-ui-post-restore @non-ui-post-release @non-ui-pre-upgrade @non-ui-post-upgrade @post-upgrade @post-restore @e2e @post-release (requires-ocp/g0) (obs_rbac/g0)", func() {
-		By("Setting up users creation and rolebindings for RBAC", func() {
-			cmd := exec.Command("../../setup_rbac_test.sh")
-			var out bytes.Buffer
-			cmd.Stdout = &out
-			err = cmd.Run()
-			Expect(err).To(BeNil())
-			klog.V(1).Infof("the output of setup_rbac_test.sh: %v", out.String())
-
-		})
 		By("Logging in as admin and querying managed cluster metrics data", func() {
 			Eventually(func() error {
 				err = utils.LoginOCUser(testOptions, "admin", "admin")
@@ -80,14 +79,38 @@ var _ = Describe("Observability:", func() {
 				return nil
 			}, EventuallyTimeoutMinute*5, EventuallyIntervalSecond*5).Should(Succeed())
 		})
+
 	})
 
-	JustAfterEach(func() {
-		Expect(utils.IntegrityChecking(testOptions)).NotTo(HaveOccurred())
+	It("RHACM4K-1439 - Observability - RBAC - Verify only cluster-manager-admin role can deploy MCO CR [Observability][Integration]@ocpInterop @non-ui-post-restore @non-ui-post-release @non-ui-pre-upgrade @non-ui-post-upgrade @post-upgrade @post-restore @e2e @post-release (requires-ocp/g0) (obs_rbac/g0)", func() {
+		By("Logging as kube:admin checking if MCO can be deleted by user1 and e2eadmin", func() {
+			Eventually(func() error {
+				_, err = exec.Command("oc", "config", "use-context", testOptions.HubCluster.KubeContext).CombinedOutput()
+				if err != nil {
+					return err
+				}
+
+				cmd := exec.Command("oc", "policy", "who-can", "delete", "mco")
+				var out bytes.Buffer
+				cmd.Stdout = &out
+				err = cmd.Run()
+				if err != nil {
+					return err
+				}
+				if bytes.Contains(out.Bytes(), []byte("user1")) {
+					return fmt.Errorf("user1 can delete multiclusterobservabilities.multiclusterobservability.io")
+				}
+				if !bytes.Contains(out.Bytes(), []byte("e2eadmin")) {
+					return fmt.Errorf("e2eadmin can't delete multiclusterobservabilities.multiclusterobservability.io")
+				}
+				return nil
+			}, EventuallyTimeoutMinute*1, EventuallyIntervalSecond*5).Should(Succeed())
+		})
 	})
 
 	AfterEach(func() {
 		os.Unsetenv("USER_TOKEN")
+		_, _ = exec.Command("oc", "config", "use-context", testOptions.HubCluster.KubeContext).CombinedOutput()
 		if CurrentSpecReport().Failed() {
 			utils.LogFailingTestStandardDebugInfo(testOptions)
 		}

tests/setup_rbac_test.sh

@@ -4,9 +4,8 @@
 
 create_test_users() {
   echo CREATING USER PASSWORDS SECRET
-  htpasswd -c -B -b users.htpasswd admin admin
+  htpasswd -c -B -b users.htpasswd e2eadmin e2eadmin
   htpasswd -B -b users.htpasswd user1 user1
-  htpasswd -B -b users.htpasswd user2 user2
   oc create ns openshift-config
   oc delete secret htpass-user-test -n openshift-config &>/dev/null
   oc create secret generic htpass-user-test --from-file=htpasswd=users.htpasswd -n openshift-config
@@ -35,7 +34,7 @@ EOL
 
 create_role_bindings() {
   echo CREATING ROLE BINDINGS
-  oc create clusterrolebinding cluster-manager-admin-binding --clusterrole=open-cluster-management:cluster-manager-admin --user=admin
+  oc create clusterrolebinding cluster-manager-admin-binding --clusterrole=open-cluster-management:cluster-manager-admin --user=e2eadmin
   oc create rolebinding view-binding-user1 --clusterrole=view --user=user1 -n local-cluster
 }