test: target ref validation integrations tests for RLP and AP
KevFan committed Dec 8, 2023
1 parent b2ada06 commit ce7f1db
Showing 4 changed files with 183 additions and 116 deletions.
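--- a/api/v1beta2/authpolicy_types_test.go
+++ b/api/v1beta2/authpolicy_types_test.go
@@ -247,74 +247,6 @@ func TestAuthPolicyValidate(t *testing.T) {
 valid bool
 message string
 }{
-{
-name: "valid policy targeting a httproute",
-policy: &AuthPolicy{
-ObjectMeta: metav1.ObjectMeta{
-Name: "my-policy",
-Namespace: "my-namespace",
-},
-Spec: AuthPolicySpec{
-TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-Group: "gateway.networking.k8s.io",
-Kind: "HTTPRoute",
-Name: "my-route",
-},
-},
-},
-valid: true,
-},
-{
-name: "valid policy targeting a gateway",
-policy: &AuthPolicy{
-ObjectMeta: metav1.ObjectMeta{
-Name: "my-policy",
-Namespace: "my-namespace",
-},
-Spec: AuthPolicySpec{
-TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-Group: "gateway.networking.k8s.io",
-Kind: "Gateway",
-Name: "my-gw",
-},
-},
-},
-valid: true,
-},
-{
-name: "invalid targetRef group",
-policy: &AuthPolicy{
-ObjectMeta: metav1.ObjectMeta{
-Name: "my-policy",
-Namespace: "my-namespace",
-},
-Spec: AuthPolicySpec{
-TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-Group: "not-gateway.networking.k8s.io.group",
-Kind: "HTTPRoute",
-Name: "my-non-gwapi-route",
-},
-},
-},
-message: "invalid targetRef.Group not-gateway.networking.k8s.io.group. The only supported group is gateway.networking.k8s.io",
-},
-{
-name: "invalid targetRef kind",
-policy: &AuthPolicy{
-ObjectMeta: metav1.ObjectMeta{
-Name: "my-policy",
-Namespace: "my-namespace",
-},
-Spec: AuthPolicySpec{
-TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-Group: "gateway.networking.k8s.io",
-Kind: "TCPRoute",
-Name: "my-tcp-route",
-},
-},
-},
-message: "invalid targetRef.Kind TCPRoute. The only supported kinds are HTTPRoute and Gateway",
-},
 {
 name: "invalid usage of top-level route selectors with a gateway targetRef",
 policy: &AuthPolicy{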
40 changes: 2 additions & 38 deletions api/v1beta2/ratelimitpolicy_types_test.go
Expand Up @@ -44,49 +44,13 @@ func testBuildBasicHTTPRouteRLP(name string) *RateLimitPolicy {
// TestRateLimitPolicyValidation calls rlp.Validate()
// for a valid return value.
func TestRateLimitPolicyValidation(t *testing.T) {
// valid httproute rlp
name := "httproute-a"
rlp := testBuildBasicHTTPRouteRLP(name)
err := rlp.Validate()
if err != nil {
t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
}

// valid gateway rlp
name = "gateway-a"
rlp = testBuildBasicGatewayRLP(name)
err = rlp.Validate()
if err != nil {
t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
}

// invalid group
rlp = testBuildBasicHTTPRouteRLP(name)
rlp.Spec.TargetRef.Group = gatewayapiv1.Group("foo.example.com")
err = rlp.Validate()
if err == nil {
t.Fatal(`rlp.Validate() did not return error and should`)
}
if !strings.Contains(err.Error(), "invalid targetRef.Group") {
t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
}

// invalid kind
rlp = testBuildBasicHTTPRouteRLP(name)
rlp.Spec.TargetRef.Kind = gatewayapiv1.Kind("Foo")
err = rlp.Validate()
if err == nil {
t.Fatal(`rlp.Validate() did not return error and should`)
}
if !strings.Contains(err.Error(), "invalid targetRef.Kind") {
t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
}

// Different namespace
rlp = testBuildBasicHTTPRouteRLP(name)
rlp := testBuildBasicHTTPRouteRLP(name)
otherNS := gatewayapiv1.Namespace(rlp.GetNamespace() + "other")
rlp.Spec.TargetRef.Namespace = &otherNS
err = rlp.Validate()
err := rlp.Validate()
if err == nil {
t.Fatal(`rlp.Validate() did not return error and should`)
}
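Review bot: The doc comment kept above `TestRateLimitPolicyValidation` still says the test calls `rlp.Validate()` "for a valid return value", but with the valid HTTPRoute and Gateway cases removed, the only case left in this hunk (different namespace) expects an error. Suggest rewording it to `// TestRateLimitPolicyValidation checks that rlp.Validate() rejects an invalid targetRef.` The function body continues past the end of the hunk, so adjust the wording if later cases still expect success.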
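--- a/controllers/authpolicy_controller_test.go
+++ b/controllers/authpolicy_controller_test.go
@@ -10,6 +10,8 @@ import (
 "strings"
 "time"
 
+authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
+api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 secv1beta1resources "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -23,9 +25,6 @@ import (
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
-api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 )
 
 const (
@@ -1260,6 +1259,92 @@ var _ = Describe("AuthPolicy controller", func() {
 Context("TODO: Targeted resource does not exist", func() {})
 })
 
+var _ = Describe("AuthPolicy CEL Validations", func() {
+var testNamespace string
+
+BeforeEach(func() {
+CreateNamespace(&testNamespace)
+})
+
+AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+Context("Spec TargetRef Validations", func() {
+It("Valid policy targeting HTTPRoute", func() {
+policy := &api.AuthPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: api.AuthPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "HTTPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(BeNil())
+})
+
+It("Valid policy targeting Gateway", func() {
+policy := &api.AuthPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: api.AuthPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "Gateway",
+Name: "my-gw",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(BeNil())
+})
+
+It("Invalid Target Ref Group", func() {
+policy := &api.AuthPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: api.AuthPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "not-gateway.networking.k8s.io",
+Kind: "HTTPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(Not(BeNil()))
+Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+})
+
+It("Invalid Target Ref Kind", func() {
+policy := &api.AuthPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: api.AuthPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "TCPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(Not(BeNil()))
+Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+})
+})
+})
+
 func testBasicAuthScheme() api.AuthSchemeSpec {
 return api.AuthSchemeSpec{
 Authentication: map[string]api.AuthenticationSpec{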
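Review bot: The two rejection cases in the new "AuthPolicy CEL Validations" block assert the message with `Expect(strings.Contains(err.Error(), "...")).To(BeTrue())`, which on failure reports only that `true` was expected and hides the error the API server actually returned. `Expect(err).To(MatchError(ContainSubstring("Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")))` keeps the same check and prints the real error, which matters when diagnosing why a policy with an unsupported target was or was not rejected. In the valid cases `Expect(err).ToNot(HaveOccurred())` reads better than `To(BeNil())` for the same reason. The same pattern is repeated in the RateLimitPolicy CEL block in controllers/ratelimitpolicy_controller_test.go.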
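--- a/controllers/ratelimitpolicy_controller_test.go
+++ b/controllers/ratelimitpolicy_controller_test.go
@@ -5,25 +5,25 @@ package controllers
 import (
 "context"
 "encoding/json"
+"strings"
 "time"
 
+kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
+"github.com/kuadrant/kuadrant-operator/pkg/common"
+"github.com/kuadrant/kuadrant-operator/pkg/rlptools"
+"github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
+limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
-"github.com/kuadrant/kuadrant-operator/pkg/common"
-"github.com/kuadrant/kuadrant-operator/pkg/rlptools"
-"github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
-limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
-"k8s.io/utils/ptr"
 )
 
 var _ = Describe("RateLimitPolicy controller", func() {
@@ -622,6 +622,92 @@ var _ = Describe("RateLimitPolicy controller", func() {
 })
 })
 
+var _ = Describe("RateLimitPolicy CEL Validations", func() {
+var testNamespace string
+
+BeforeEach(func() {
+CreateNamespace(&testNamespace)
+})
+
+AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+Context("Spec TargetRef Validations", func() {
+It("Valid policy targeting HTTPRoute", func() {
+policy := &kuadrantv1beta2.RateLimitPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: kuadrantv1beta2.RateLimitPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "HTTPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(BeNil())
+})
+
+It("Valid policy targeting Gateway", func() {
+policy := &kuadrantv1beta2.RateLimitPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: kuadrantv1beta2.RateLimitPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "Gateway",
+Name: "my-gw",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(BeNil())
+})
+
+It("Invalid Target Ref Group", func() {
+policy := &kuadrantv1beta2.RateLimitPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: kuadrantv1beta2.RateLimitPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "not-gateway.networking.k8s.io",
+Kind: "HTTPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(Not(BeNil()))
+Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+})
+
+It("Invalid Target Ref Kind", func() {
+policy := &kuadrantv1beta2.RateLimitPolicy{
+ObjectMeta: metav1.ObjectMeta{
+Name: "my-policy",
+Namespace: testNamespace,
+},
+Spec: kuadrantv1beta2.RateLimitPolicySpec{
+TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+Group: "gateway.networking.k8s.io",
+Kind: "TCPRoute",
+Name: "my-route",
+},
+},
+}
+err := k8sClient.Create(context.Background(), policy)
+Expect(err).To(Not(BeNil()))
+Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+})
+})
+})
+
 func testRLPIsAvailable(rlpKey client.ObjectKey) func() bool {
 return func() bool {
 existingRLP := &kuadrantv1beta2.RateLimitPolicy{}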
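Review bot: The "Invalid Target Ref Group" and "Invalid Target Ref Kind" cases check only that `k8sClient.Create` failed and that the text matches; nothing pins the failure to schema validation at admission. Since `apierrors` is already imported in this file, adding `Expect(apierrors.IsInvalid(err)).To(BeTrue())` before the message check would separate a validation rejection from an unrelated create error that happens to carry similar text. This matters because the unit tests for the same rules on `Validate()` are removed in this commit, which leaves these cases as the only visible coverage that an unsupported target is refused. The AuthPolicy CEL block in controllers/authpolicy_controller_test.go has the same gap.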
