Skip to content

Commit

Permalink
tests: integration tests for policies only with unmatching route sele…
Browse files Browse the repository at this point in the history
…ctors
  • Loading branch information
guicassolato committed Oct 10, 2023
1 parent e3263ac commit d1dc7f4
Showing 1 changed file with 123 additions and 0 deletions.
123 changes: 123 additions & 0 deletions controllers/authpolicy_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"context"
"encoding/json"
"path/filepath"
"strings"
"time"

. "github.com/onsi/ginkgo/v2"
Expand Down Expand Up @@ -362,6 +363,128 @@ var _ = Describe("AuthPolicy controller", func() {
}, 30*time.Second, 5*time.Second).Should(BeTrue())
})

It("Rejects policy with only unmatching top-level route selectors while trying to configure the gateway", func() {
policy := &api.AuthPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "toystore",
Namespace: testNamespace,
},
Spec: api.AuthPolicySpec{
TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
Group: "gateway.networking.k8s.io",
Kind: "HTTPRoute",
Name: testHTTPRouteName,
Namespace: ptr.To(gatewayapiv1beta1.Namespace(testNamespace)),
},
RouteSelectors: []api.RouteSelector{
{ // does not select any HTTPRouteRule
Matches: []gatewayapiv1alpha2.HTTPRouteMatch{
{
Method: ptr.To(gatewayapiv1alpha2.HTTPMethod("DELETE")),
},
},
},
},
AuthScheme: testBasicAuthScheme(),
},
}

err := k8sClient.Create(context.Background(), policy)
logf.Log.V(1).Info("Creating AuthPolicy", "key", client.ObjectKeyFromObject(policy).String(), "error", err)
Expect(err).ToNot(HaveOccurred())

// check policy status
Eventually(func() bool {
existingPolicy := &api.AuthPolicy{}
err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(policy), existingPolicy)
if err != nil {
return false
}
condition := meta.FindStatusCondition(existingPolicy.Status.Conditions, APAvailableConditionType)
return condition != nil && condition.Reason == "ReconciliationError" && strings.Contains(condition.Message, "cannot match any route rules, check for invalid route selectors in the policy")
}, 30*time.Second, 5*time.Second).Should(BeTrue())

// check istio authorizationpolicy
iapKey := types.NamespacedName{Name: istioAuthorizationPolicyName(testGatewayName, policy.Spec.TargetRef), Namespace: testNamespace}
Eventually(func() bool {
err := k8sClient.Get(context.Background(), iapKey, &secv1beta1resources.AuthorizationPolicy{})
logf.Log.V(1).Info("Fetching Istio's AuthorizationPolicy", "key", iapKey.String(), "error", err)
return apierrors.IsNotFound(err)
}, 2*time.Minute, 5*time.Second).Should(BeTrue())

// check authorino authconfig
authConfigKey := types.NamespacedName{Name: authConfigName(client.ObjectKeyFromObject(policy)), Namespace: testNamespace}
Eventually(func() bool {
err := k8sClient.Get(context.Background(), authConfigKey, &authorinoapi.AuthConfig{})
return apierrors.IsNotFound(err)
}, 30*time.Second, 5*time.Second).Should(BeTrue())
})

It("Rejects policy with only unmatching config-level route selectors post-configuring the gateway", func() {
policy := &api.AuthPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: "toystore",
Namespace: testNamespace,
},
Spec: api.AuthPolicySpec{
TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
Group: "gateway.networking.k8s.io",
Kind: "HTTPRoute",
Name: testHTTPRouteName,
Namespace: ptr.To(gatewayapiv1beta1.Namespace(testNamespace)),
},
AuthScheme: testBasicAuthScheme(),
},
}
config := policy.Spec.AuthScheme.Authentication["apiKey"]
config.RouteSelectors = []api.RouteSelector{
{ // does not select any HTTPRouteRule
Matches: []gatewayapiv1alpha2.HTTPRouteMatch{
{
Method: ptr.To(gatewayapiv1alpha2.HTTPMethod("DELETE")),
},
},
},
}
policy.Spec.AuthScheme.Authentication["apiKey"] = config

err := k8sClient.Create(context.Background(), policy)
logf.Log.V(1).Info("Creating AuthPolicy", "key", client.ObjectKeyFromObject(policy).String(), "error", err)
Expect(err).ToNot(HaveOccurred())

// check policy status
Eventually(func() bool {
existingPolicy := &api.AuthPolicy{}
err := k8sClient.Get(context.Background(), client.ObjectKeyFromObject(policy), existingPolicy)
if err != nil {
return false
}
condition := meta.FindStatusCondition(existingPolicy.Status.Conditions, APAvailableConditionType)
return condition != nil && condition.Reason == "ReconciliationError" && strings.Contains(condition.Message, "cannot match any route rules, check for invalid route selectors in the policy")
}, 30*time.Second, 5*time.Second).Should(BeTrue())

iapKey := types.NamespacedName{Name: istioAuthorizationPolicyName(testGatewayName, policy.Spec.TargetRef), Namespace: testNamespace}
iap := &secv1beta1resources.AuthorizationPolicy{}
Eventually(func() bool {
err := k8sClient.Get(context.Background(), iapKey, iap)
logf.Log.V(1).Info("Fetching Istio's AuthorizationPolicy", "key", iapKey.String(), "error", err)
return err == nil
}, 2*time.Minute, 5*time.Second).Should(BeTrue())
Expect(iap.Spec.Rules).To(HaveLen(1))
Expect(iap.Spec.Rules[0].To).To(HaveLen(1))
Expect(iap.Spec.Rules[0].To[0].Operation).ShouldNot(BeNil())
Expect(iap.Spec.Rules[0].To[0].Operation.Hosts).To(Equal([]string{"*.toystore.com"}))
Expect(iap.Spec.Rules[0].To[0].Operation.Methods).To(Equal([]string{"GET"}))
Expect(iap.Spec.Rules[0].To[0].Operation.Paths).To(Equal([]string{"/toy*"}))

// check authorino authconfig
authConfigKey := types.NamespacedName{Name: authConfigName(client.ObjectKeyFromObject(policy)), Namespace: testNamespace}
Eventually(func() bool {
err := k8sClient.Get(context.Background(), authConfigKey, &authorinoapi.AuthConfig{})
return apierrors.IsNotFound(err)
}, 30*time.Second, 5*time.Second).Should(BeTrue())
})

It("Deletes resources when the policy is deleted", func() {
policy := &api.AuthPolicy{
ObjectMeta: metav1.ObjectMeta{
Expand Down

0 comments on commit d1dc7f4

Please sign in to comment.