Fix identical hostnames tests

Signed-off-by: Jakub Smolar <[email protected]>

testsuite/tests/singlecluster/identical_hostnames/auth/conftest.py

@@ -0,0 +1,18 @@
+import pytest
+
+
+@pytest.fixture(scope="module")
+def authorization(authorization):
+    """2nd Authorization object"""
+    authorization.authorization.add_opa_policy("rego", "allow = true")
+    return authorization
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, authorization, authorization2):
+    """Ensure Authorization is created. All commits are handled manually in these tests"""
+    for auth in [authorization, authorization2]:
+        if auth is not None:
+            request.addfinalizer(auth.delete)
+            auth.commit()
+            auth.wait_for_accepted()

testsuite/tests/singlecluster/identical_hostnames/test_identical_hostnames_auth_on_gw_and_route.py → testsuite/tests/singlecluster/identical_hostnames/auth/test_auth_on_gw_and_route.py

@@ -11,15 +11,12 @@
 pytestmark = [pytest.mark.kuadrant_only]
 
 
-@pytest.fixture(scope="class", autouse=True)
+@pytest.fixture(scope="module", autouse=True)
 def authorization2(request, gateway, blame, cluster, label):
     """2nd Authorization object"""
-    auth_policy = AuthPolicy.create_instance(cluster, blame("authz2"), gateway, labels={"testRun": label})
-    auth_policy.authorization.add_opa_policy("rego", "allow = false")
-    request.addfinalizer(auth_policy.delete)
-    auth_policy.commit()
-    auth_policy.wait_for_ready()
-    return auth_policy
+    auth = AuthPolicy.create_instance(cluster, blame("authz2"), gateway, labels={"testRun": label})
+    auth.authorization.add_opa_policy("rego", "allow = false")
+    return auth
 
 
 def test_identical_hostnames_auth_on_gw_and_route_ignored(client, authorization, hostname):
@@ -51,7 +48,7 @@ def test_identical_hostnames_auth_on_gw_and_route_ignored(client, authorization,
     assert response.status_code == 200
 
     # Deletion of Empty AuthPolicy should make the 'deny-all' Gateway AuthPolicy effectively enforced on both routes.
-    # It might take some time hence the use of retry client.
+    # It might take some time hence the use of retry client.AuthPolicy is not in the path to any existing routes
     authorization.delete()
     with hostname.client(retry_codes={200}) as retry_client:
         response = retry_client.get("/anything/route1/get")

testsuite/tests/singlecluster/identical_hostnames/test_identical_hostnames_auth_on_routes.py → testsuite/tests/singlecluster/identical_hostnames/auth/test_auth_on_routes.py

@@ -12,15 +12,12 @@
 pytestmark = [pytest.mark.kuadrant_only]
 
 
-@pytest.fixture(scope="class")
+@pytest.fixture(scope="module")
 def authorization2(request, route2, blame, cluster, label):
     """2nd Authorization object"""
-    auth_policy = AuthPolicy.create_instance(cluster, blame("authz2"), route2, labels={"testRun": label})
-    auth_policy.authorization.add_opa_policy("rego", "allow = false")
-    request.addfinalizer(auth_policy.delete)
-    auth_policy.commit()
-    auth_policy.wait_for_accepted()
-    return auth_policy
+    auth = AuthPolicy.create_instance(cluster, blame("authz2"), route2, labels={"testRun": label})
+    auth.authorization.add_opa_policy("rego", "allow = false")
+    return auth
 
 
 def test_identical_hostnames_auth_on_routes_rejected(client, authorization, authorization2):
@@ -41,39 +38,8 @@ def test_identical_hostnames_auth_on_routes_rejected(client, authorization, auth
         - Assert that access via 'route' is 200 (OK)
         - Assert that access via 'route2 is 403 (Forbidden)
     """
-    assert authorization2.wait_until(
-        has_condition(
-            "Enforced",
-            "False",
-            "Unknown",
-            "AuthPolicy has encountered some issues: AuthScheme is not ready yet",
-        ),
-        timelimit=20,
-    ), (
-        f"AuthPolicy did not reach expected status (Enforced False), "
-        f"instead it was: {authorization2.refresh().model.status.conditions}"
-    )
-
-    response = client.get("/anything/route1/get")
-    assert response.status_code == 200
-
-    response = client.get("/anything/route2/get")
-    assert response.status_code == 200
-
-    # Deletion of Empty AuthPolicy should allow for 'deny-all' AuthPolicy to be enforced successfully.
-    authorization.delete()
-
-    # 2nd AuthPolicy only recovers from the "AuthScheme is not ready yet" error if reconciliation is explicitly
-    # triggered, e.g. by changing the AuthPolicy CR content (changing AllValues to True in this particular case)
-    # Reported as bug https://github.com/Kuadrant/kuadrant-operator/issues/702
-    authorization2.authorization.add_opa_policy("rego", "allow = false", True)
-    authorization2.refresh()
-    authorization2.wait_for_ready()
-
-    # Access via 'route' is still allowed
     response = client.get("/anything/route1/get")
     assert response.status_code == 200
 
-    # Access via 'route2' is now not allowed due to 'deny-all' AuthPolicy being enforced on 'route2'
     response = client.get("/anything/route2/get")
     assert response.status_code == 403