forked from Kuadrant/testsuite
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Martin Hesko <[email protected]>
- Loading branch information
1 parent
95adf01
commit 1a94c98
Showing
5 changed files
with
209 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
42 changes: 42 additions & 0 deletions
42
testsuite/tests/singlecluster/overrides/test_basic_auth.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
"""Test basic enforcement of the rules inside the 'overrides' block of the RateLimitPolicy assigned to a Gateway""" | ||
|
||
import pytest | ||
|
||
from testsuite.httpx.auth import HttpxOidcClientAuth | ||
from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy | ||
|
||
pytestmark = [pytest.mark.kuadrant_only] | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization( | ||
request, kuadrant, route, gateway, blame, cluster, label, oidc_provider | ||
): # pylint: disable=unused-argument | ||
"""Add oidc identity to overrides block of gateway-attached AuthPolicy""" | ||
auth_policy = AuthPolicy.create_instance(cluster, blame("authz"), gateway, labels={"testRun": label}) | ||
auth_policy.overrides.identity.add_oidc("override", oidc_provider.well_known["issuer"]) | ||
return auth_policy | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def auth(oidc_provider): | ||
"""Returns Authentication object for HTTPX""" | ||
return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit(): | ||
"""No RateLimitPolicy is required for this test""" | ||
return None | ||
|
||
|
||
@pytest.mark.parametrize("authorization", ["gateway"], indirect=True) | ||
def test_basic_auth(route, authorization, client, auth): | ||
"""Test if rules inside overrides block of Gateway's AuthPolicy are inherited by the HTTPRoute | ||
and enforced like any other normal rule""" | ||
route.refresh() | ||
assert route.is_affected_by(authorization) | ||
|
||
response = client.get("/get") | ||
assert response.status_code == 401 | ||
assert client.get("/get", auth=auth).status_code == 200 # assert that AuthPolicy is enforced |
48 changes: 48 additions & 0 deletions
48
testsuite/tests/singlecluster/overrides/test_basic_rate_limit.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
"""Test basic enforcement of the rules inside the 'overrides' block of the RateLimitPolicy assigned to a Gateway""" | ||
|
||
import pytest | ||
|
||
from testsuite.kuadrant.policy.rate_limit import Limit, RateLimitPolicy | ||
|
||
pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] | ||
|
||
GATEWAY_LIMIT = Limit(3, 5) | ||
ROUTE_LIMIT = Limit(2, 5) | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization(): | ||
"""No authorization is required for this test""" | ||
return None | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit_gw(request, kuadrant, cluster, blame, module_label, route, gateway): # pylint: disable=unused-argument | ||
"""Add a RateLimitPolicy to the Gateway with an overrides block to override the Route-level policy.""" | ||
rate_limit_gateway = RateLimitPolicy.create_instance( | ||
cluster, blame("limit-gateway"), gateway, labels={"testRun": module_label} | ||
) | ||
rate_limit_gateway.overrides.add_limit("basic", [GATEWAY_LIMIT]) | ||
request.addfinalizer(rate_limit_gateway.delete) | ||
rate_limit_gateway.commit() | ||
rate_limit_gateway.wait_for_ready() | ||
return rate_limit_gateway | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit(rate_limit): | ||
"""Add basic requests limit to RateLimitPolicy""" | ||
rate_limit.add_limit("basic", [ROUTE_LIMIT]) | ||
return rate_limit | ||
|
||
|
||
def test_basic_rate_limit(rate_limit, rate_limit_gw, route, client): | ||
"""Test if rules inside overrides block of Gateway's RateLimitPolicy are inherited by the HTTPRoute | ||
and enforced like any other normal rule""" | ||
route.refresh() | ||
assert route.is_affected_by(rate_limit) | ||
rate_limit_gw.wait_for_full_enforced() | ||
|
||
responses = client.get_many("/get", GATEWAY_LIMIT.limit) | ||
responses.assert_all(status_code=200) | ||
assert client.get("/get").status_code == 429 # assert that RateLimitPolicy is enforced |
43 changes: 43 additions & 0 deletions
43
testsuite/tests/singlecluster/overrides/test_route_override.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
"""Test that overrides block can not be defined in AuthPolicy and RateLimitPolicy attached to a HTTPRoute""" | ||
|
||
import pytest | ||
from openshift_client import OpenShiftPythonException | ||
|
||
from testsuite.kuadrant.policy.rate_limit import Limit | ||
|
||
pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization(authorization, oidc_provider): | ||
"""Create AuthPolicy with basic oidc rules in the overrides block""" | ||
authorization.overrides.identity.add_oidc("override", oidc_provider.well_known["issuer"]) | ||
return authorization | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit(rate_limit): | ||
"""Add basic rate limiting rules in the overrides block""" | ||
rate_limit.overrides.add_limit("override", [Limit(2, 5)]) | ||
return rate_limit | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def commit(): | ||
"""We need to try to commit objects during the actual test""" | ||
return None | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"component_fixture", | ||
[ | ||
pytest.param("authorization", id="AuthPolicy"), | ||
pytest.param("rate_limit", id="RateLimitPolicy"), | ||
], | ||
) | ||
@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") | ||
def test_route_override(request, component_fixture): | ||
"""Test that server will reject policy attached to a HTTPRoute containing an overrides block""" | ||
component = request.getfixturevalue(component_fixture) | ||
with pytest.raises(OpenShiftPythonException, match="Overrides are.*"): | ||
component.commit() |
76 changes: 76 additions & 0 deletions
76
testsuite/tests/singlecluster/overrides/test_rules_exclusivity.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
"""Test mutual exclusivity of overrides block with explicit and implicit defaults""" | ||
|
||
import pytest | ||
from openshift_client import OpenShiftPythonException | ||
|
||
from testsuite.kuadrant.policy.rate_limit import Limit | ||
|
||
pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization_implicit(authorization, oidc_provider): | ||
"""Create AuthPolicy with basic oidc rules inside and outside defaults block""" | ||
authorization.overrides.identity.add_oidc("overrides", oidc_provider.well_known["issuer"]) | ||
authorization.rules.identity.add_oidc("implicit-defaults", oidc_provider.well_known["issuer"]) | ||
return authorization | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit_implicit(rate_limit): | ||
"""Add basic rate limiting rules inside and outside defaults block""" | ||
rate_limit.overrides.add_limit("overrides", [Limit(2, 5)]) | ||
rate_limit.add_limit("implicit-defaults", [Limit(2, 5)]) | ||
return rate_limit | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization_explicit(authorization, oidc_provider): | ||
"""Create AuthPolicy with basic oidc rules inside and outside defaults block""" | ||
authorization.overrides.identity.add_oidc("overrides", oidc_provider.well_known["issuer"]) | ||
authorization.defaults.identity.add_oidc("explicit-defaults", oidc_provider.well_known["issuer"]) | ||
return authorization | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def rate_limit_explicit(rate_limit): | ||
"""Add basic rate limiting rules inside and outside defaults block""" | ||
rate_limit.overrides.add_limit("overrides", [Limit(2, 5)]) | ||
rate_limit.defaults.add_limit("explicit-defaults", [Limit(2, 5)]) | ||
return rate_limit | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def commit(): | ||
"""We need to try to commit objects during the actual test""" | ||
return None | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"component_fixture", | ||
[ | ||
pytest.param("authorization_implicit", id="AuthPolicyImplicitDefault"), | ||
pytest.param("rate_limit_implicit", id="RateLimitPolicyImplicitDefault"), | ||
], | ||
) | ||
@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") | ||
def test_rules_exclusivity_implicit(request, component_fixture): | ||
"""Test that server will reject object with overrides and implicit defaults defined simultaneously""" | ||
component = request.getfixturevalue(component_fixture) | ||
with pytest.raises(OpenShiftPythonException, match=r".*are mutually exclusive"): | ||
component.commit() | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"component_fixture", | ||
[ | ||
pytest.param("authorization_explicit", id="AuthPolicyExplicitDefault"), | ||
pytest.param("rate_limit_explicit", id="RateLimitPolicyExplicitDefault"), | ||
], | ||
) | ||
@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") | ||
def test_rules_exclusivity_explicit(request, component_fixture): | ||
"""Test that server will reject object with overrides and explicit defaults defined simultaneously""" | ||
component = request.getfixturevalue(component_fixture) | ||
with pytest.raises(OpenShiftPythonException, match=r".*verrides and explicit defaults are mutually exclusive"): | ||
component.commit() |