|
| 1 | +package controller |
| 2 | + |
| 3 | +import ( |
| 4 | + "testing" |
| 5 | + |
| 6 | + "github.com/stretchr/testify/assert" |
| 7 | + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 8 | + "k8s.io/apimachinery/pkg/util/uuid" |
| 9 | + "k8s.io/utils/ptr" |
| 10 | + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" |
| 11 | + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" |
| 12 | + |
| 13 | + networkingv1alpha "go.datum.net/network-services-operator/api/v1alpha" |
| 14 | + "go.datum.net/network-services-operator/internal/config" |
| 15 | + gatewayutil "go.datum.net/network-services-operator/internal/util/gateway" |
| 16 | +) |
| 17 | + |
| 18 | +func TestCollectTrafficProtectionPolicyAttachments(t *testing.T) { |
| 19 | + |
| 20 | + operatorConfig := config.NetworkServicesOperator{ |
| 21 | + Gateway: config.GatewayConfig{ |
| 22 | + TargetDomain: "example.com", |
| 23 | + ListenerTLSOptions: map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue{ |
| 24 | + gatewayv1.AnnotationKey("gateway.networking.datumapis.com/certificate-issuer"): gatewayv1.AnnotationValue("test"), |
| 25 | + }, |
| 26 | + }, |
| 27 | + } |
| 28 | + |
| 29 | + newGatewayFunc := func(namespace, name string, opts ...func(*gatewayv1.Gateway)) gatewayv1.Gateway { |
| 30 | + return *newGateway(operatorConfig, namespace, name, opts...) |
| 31 | + } |
| 32 | + |
| 33 | + type testContext struct { |
| 34 | + *testing.T |
| 35 | + reconciler *TrafficProtectionPolicyReconciler |
| 36 | + gateways []gatewayv1.Gateway |
| 37 | + httpRoutes []gatewayv1.HTTPRoute |
| 38 | + } |
| 39 | + |
| 40 | + tests := []struct { |
| 41 | + name string |
| 42 | + gateways []gatewayv1.Gateway |
| 43 | + httpRoutes []gatewayv1.HTTPRoute |
| 44 | + trafficProtectionPolicies []networkingv1alpha.TrafficProtectionPolicy |
| 45 | + assert func(t *testContext, policyAttachments []policyAttachment) |
| 46 | + }{ |
| 47 | + { |
| 48 | + name: "direct gateway attachment", |
| 49 | + gateways: []gatewayv1.Gateway{ |
| 50 | + newGatewayFunc("default", "gateway-1"), |
| 51 | + }, |
| 52 | + trafficProtectionPolicies: []networkingv1alpha.TrafficProtectionPolicy{ |
| 53 | + newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) { |
| 54 | + tpp.Spec.TargetRefs = []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{ |
| 55 | + { |
| 56 | + LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{ |
| 57 | + Kind: "Gateway", |
| 58 | + Name: "gateway-1", |
| 59 | + }, |
| 60 | + }, |
| 61 | + } |
| 62 | + }), |
| 63 | + }, |
| 64 | + assert: func(t *testContext, policyAttachments []policyAttachment) { |
| 65 | + if assert.Len(t, policyAttachments, 1, "expected one policy attachment") { |
| 66 | + attachment := policyAttachments[0] |
| 67 | + |
| 68 | + assert.Equal(t, t.gateways[0].Name, attachment.Gateway.Name, "expected attachment to gateway-1") |
| 69 | + assert.Nil(t, attachment.Listener) |
| 70 | + assert.Nil(t, attachment.Route) |
| 71 | + assert.Nil(t, attachment.RuleSectionName) |
| 72 | + assert.Greater(t, len(attachment.CorazaDirectives), 0) |
| 73 | + } |
| 74 | + }, |
| 75 | + }, |
| 76 | + { |
| 77 | + name: "gateway listener attachment", |
| 78 | + gateways: []gatewayv1.Gateway{ |
| 79 | + newGatewayFunc("default", "gateway-1"), |
| 80 | + }, |
| 81 | + trafficProtectionPolicies: []networkingv1alpha.TrafficProtectionPolicy{ |
| 82 | + newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) { |
| 83 | + tpp.Spec.TargetRefs = []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{ |
| 84 | + { |
| 85 | + LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{ |
| 86 | + Kind: "Gateway", |
| 87 | + Name: "gateway-1", |
| 88 | + }, |
| 89 | + SectionName: ptr.To(gatewayv1.SectionName(gatewayutil.DefaultHTTPListenerName)), |
| 90 | + }, |
| 91 | + } |
| 92 | + }), |
| 93 | + }, |
| 94 | + assert: func(t *testContext, policyAttachments []policyAttachment) { |
| 95 | + if assert.Len(t, policyAttachments, 1, "expected one policy attachment") { |
| 96 | + attachment := policyAttachments[0] |
| 97 | + |
| 98 | + assert.Equal(t, t.gateways[0].Name, attachment.Gateway.Name, "expected attachment to gateway-1") |
| 99 | + assert.Equal(t, gatewayv1.SectionName(gatewayutil.DefaultHTTPListenerName), ptr.Deref(attachment.Listener, "")) |
| 100 | + assert.Nil(t, attachment.Route) |
| 101 | + assert.Nil(t, attachment.RuleSectionName) |
| 102 | + assert.Greater(t, len(attachment.CorazaDirectives), 0) |
| 103 | + } |
| 104 | + }, |
| 105 | + }, |
| 106 | + { |
| 107 | + name: "direct httproute attachment", |
| 108 | + gateways: []gatewayv1.Gateway{ |
| 109 | + newGatewayFunc("default", "gateway-1"), |
| 110 | + }, |
| 111 | + httpRoutes: []gatewayv1.HTTPRoute{ |
| 112 | + *newHTTPRoute("default", "route-1", func(route *gatewayv1.HTTPRoute) { |
| 113 | + route.Spec.ParentRefs = []gatewayv1.ParentReference{ |
| 114 | + { |
| 115 | + Name: gatewayv1.ObjectName("gateway-1"), |
| 116 | + }, |
| 117 | + } |
| 118 | + }), |
| 119 | + }, |
| 120 | + trafficProtectionPolicies: []networkingv1alpha.TrafficProtectionPolicy{ |
| 121 | + newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) { |
| 122 | + tpp.Spec.TargetRefs = []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{ |
| 123 | + { |
| 124 | + LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{ |
| 125 | + Kind: "HTTPRoute", |
| 126 | + Name: "route-1", |
| 127 | + }, |
| 128 | + }, |
| 129 | + } |
| 130 | + }), |
| 131 | + }, |
| 132 | + assert: func(t *testContext, policyAttachments []policyAttachment) { |
| 133 | + if assert.Len(t, policyAttachments, 1, "expected one policy attachment") { |
| 134 | + attachment := policyAttachments[0] |
| 135 | + |
| 136 | + assert.Equal(t, t.gateways[0].Name, attachment.Gateway.Name, "expected attachment to gateway-1") |
| 137 | + assert.Equal(t, t.httpRoutes[0].Name, attachment.Route.Name, "expected attachment to route-1") |
| 138 | + assert.Nil(t, attachment.Listener) |
| 139 | + assert.Nil(t, attachment.RuleSectionName) |
| 140 | + assert.Greater(t, len(attachment.CorazaDirectives), 0) |
| 141 | + } |
| 142 | + }, |
| 143 | + }, |
| 144 | + { |
| 145 | + name: "httproute rule attachment", |
| 146 | + gateways: []gatewayv1.Gateway{ |
| 147 | + newGatewayFunc("default", "gateway-1"), |
| 148 | + }, |
| 149 | + httpRoutes: []gatewayv1.HTTPRoute{ |
| 150 | + *newHTTPRoute("default", "route-1", func(route *gatewayv1.HTTPRoute) { |
| 151 | + route.Spec.ParentRefs = []gatewayv1.ParentReference{ |
| 152 | + { |
| 153 | + Name: gatewayv1.ObjectName("gateway-1"), |
| 154 | + }, |
| 155 | + } |
| 156 | + route.Spec.Rules = []gatewayv1.HTTPRouteRule{ |
| 157 | + { |
| 158 | + Name: ptr.To(gatewayv1.SectionName("rule-1")), |
| 159 | + }, |
| 160 | + } |
| 161 | + }), |
| 162 | + }, |
| 163 | + trafficProtectionPolicies: []networkingv1alpha.TrafficProtectionPolicy{ |
| 164 | + newTrafficProtectionPolicy("default", "tpp-1", func(tpp *networkingv1alpha.TrafficProtectionPolicy) { |
| 165 | + tpp.Spec.TargetRefs = []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{ |
| 166 | + { |
| 167 | + LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{ |
| 168 | + Kind: "HTTPRoute", |
| 169 | + Name: "route-1", |
| 170 | + }, |
| 171 | + SectionName: ptr.To(gatewayv1.SectionName("rule-1")), |
| 172 | + }, |
| 173 | + } |
| 174 | + }), |
| 175 | + }, |
| 176 | + assert: func(t *testContext, policyAttachments []policyAttachment) { |
| 177 | + if assert.Len(t, policyAttachments, 1, "expected one policy attachment") { |
| 178 | + attachment := policyAttachments[0] |
| 179 | + |
| 180 | + assert.Equal(t, t.gateways[0].Name, attachment.Gateway.Name, "expected attachment to gateway-1") |
| 181 | + assert.Equal(t, t.httpRoutes[0].Name, attachment.Route.Name, "expected attachment to route-1") |
| 182 | + assert.Nil(t, attachment.Listener) |
| 183 | + assert.Equal(t, gatewayv1.SectionName("rule-1"), ptr.Deref(attachment.RuleSectionName, "")) |
| 184 | + assert.Greater(t, len(attachment.CorazaDirectives), 0) |
| 185 | + } |
| 186 | + }, |
| 187 | + }, |
| 188 | + } |
| 189 | + for _, tt := range tests { |
| 190 | + t.Run(tt.name, func(t *testing.T) { |
| 191 | + |
| 192 | + reconciler := &TrafficProtectionPolicyReconciler{Config: operatorConfig} |
| 193 | + attachments := reconciler.collectTrafficProtectionPolicyAttachments( |
| 194 | + t.Context(), |
| 195 | + reconciler.getTrafficProtectionPolicyContexts(tt.trafficProtectionPolicies), |
| 196 | + tt.gateways, |
| 197 | + tt.httpRoutes, |
| 198 | + ) |
| 199 | + |
| 200 | + testCtx := &testContext{ |
| 201 | + T: t, |
| 202 | + reconciler: reconciler, |
| 203 | + gateways: tt.gateways, |
| 204 | + httpRoutes: tt.httpRoutes, |
| 205 | + } |
| 206 | + |
| 207 | + tt.assert(testCtx, attachments) |
| 208 | + |
| 209 | + }) |
| 210 | + } |
| 211 | +} |
| 212 | + |
| 213 | +func newTrafficProtectionPolicy( |
| 214 | + namespace, |
| 215 | + name string, |
| 216 | + opts ...func(*networkingv1alpha.TrafficProtectionPolicy), |
| 217 | +) networkingv1alpha.TrafficProtectionPolicy { |
| 218 | + tpp := networkingv1alpha.TrafficProtectionPolicy{ |
| 219 | + ObjectMeta: metav1.ObjectMeta{ |
| 220 | + Namespace: namespace, |
| 221 | + Name: name, |
| 222 | + UID: uuid.NewUUID(), |
| 223 | + }, |
| 224 | + Spec: networkingv1alpha.TrafficProtectionPolicySpec{ |
| 225 | + Mode: networkingv1alpha.TrafficProtectionPolicyObserve, |
| 226 | + SamplingPercentage: 100, |
| 227 | + RuleSets: []networkingv1alpha.TrafficProtectionPolicyRuleSet{ |
| 228 | + { |
| 229 | + Type: "OWASPCoreRuleSet", |
| 230 | + OWASPCoreRuleSet: networkingv1alpha.OWASPCRS{ |
| 231 | + ParanoiaLevels: networkingv1alpha.ParanoiaLevels{ |
| 232 | + Blocking: 1, |
| 233 | + Detection: 1, |
| 234 | + }, |
| 235 | + ScoreThresholds: networkingv1alpha.OWASPScoreThresholds{ |
| 236 | + Inbound: 5, |
| 237 | + Outbound: 4, |
| 238 | + }, |
| 239 | + }, |
| 240 | + }, |
| 241 | + }, |
| 242 | + }, |
| 243 | + } |
| 244 | + |
| 245 | + for _, opt := range opts { |
| 246 | + opt(&tpp) |
| 247 | + } |
| 248 | + |
| 249 | + return tpp |
| 250 | +} |
0 commit comments