From 7982c808eec311ea6de0c68f31beba774654eabc Mon Sep 17 00:00:00 2001
From: Guilherme Cassolato
Date: Thu, 5 Oct 2023 18:39:39 +0100
Subject: [PATCH] tests: integration tests for policies only with unmatching route selectors
---
 controllers/authpolicy_controller_test.go | 43 +++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/controllers/authpolicy_controller_test.go b/controllers/authpolicy_controller_test.go
index fb1ebdf7e..c2c9260c6 100644
--- a/controllers/authpolicy_controller_test.go
+++ b/controllers/authpolicy_controller_test.go
@@ -6,6 +6,7 @@ import (
 "context"
 "encoding/json"
 "path/filepath"
+ "strings"
 "time"
 
 . "github.com/onsi/ginkgo/v2"
@@ -362,6 +363,48 @@ var _ = Describe("AuthPolicy controller", func() {
 }, 30*time.Second, 5*time.Second).Should(BeTrue())
 })
 
+ It("Rejects policy only with unmatching route selectors", func() {
+ policy := &api.AuthPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "toystore",
+ Namespace: testNamespace,
+ },
+ Spec: api.AuthPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "HTTPRoute",
+ Name: testHTTPRouteName,
+ Namespace: ptr.To(gatewayapiv1beta1.Namespace(testNamespace)),
+ },
+ RouteSelectors: []api.RouteSelector{
+ { // does not select any HTTPRouteRule
+ Matches: []gatewayapiv1alpha2.HTTPRouteMatch{
+ {
+ Method: ptr.To(gatewayapiv1alpha2.HTTPMethod("DELETE")),
+ },
+ },
+ },
+ },
+ AuthScheme: testBasicAuthScheme(),
+ },
+ }
+
+ err := k8sClient.Create(context.Background(), policy)
+ logf.Log.V(1).Info("Creating AuthPolicy", "key", client.ObjectKeyFromObject(policy).String(), "error", err)
+ Expect(err).ToNot(HaveOccurred())
+
+ // check policy status
+ Eventually(func() bool {
+ existingPolicy := &api.AuthPolicy{}
+ err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(policy), existingPolicy)
+ if err != nil {
+ return false
+ }
+ condition := meta.FindStatusCondition(existingPolicy.Status.Conditions, APAvailableConditionType)
+ return condition != nil && condition.Reason == "ReconciliationError" && strings.Contains(condition.Message, "cannot match any route rules, check for invalid route selectors in the policy")
+ }, 30*time.Second, 5*time.Second).Should(BeTrue())
+ })
+
 It("Deletes resources when the policy is deleted", func() {
 policy := &api.AuthPolicy{
 ObjectMeta: metav1.ObjectMeta{
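Review bot: The status check in the `Eventually` closure accepts the condition on `Reason` and `Message` alone, so the test would still pass if the controller reported `ReconciliationError` while leaving the `APAvailableConditionType` condition's status at true. For an auth policy whose route selectors match no rule, the property worth pinning is that the policy is not reported as available; assuming the controller sets the status to false on this path, add `condition.Status == metav1.ConditionFalse` to the returned expression (`metav1` is already used in this file). The test also does not assert that nothing was generated for the targeted route from this policy, which is what "rejects" should mean for an authorization control; whether the suite has a helper for that is not visible here. The new `It` block is complete inside the hunk, while the enclosing `Describe` starts and ends outside it.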