From 4fcf82a69a52074de26d5c4290a030947fa6bad7 Mon Sep 17 00:00:00 2001 From: Martin Hesko Date: Thu, 25 Jul 2024 15:37:42 +0200 Subject: [PATCH] Add tests for overrides Signed-off-by: Martin Hesko --- .../tests/singlecluster/overrides/__init__.py | 0 .../overrides/test_basic_auth.py | 39 ++++++++++++ .../overrides/test_basic_rate_limit.py | 48 ++++++++++++++ .../overrides/test_route_override.py | 43 +++++++++++++ .../overrides/test_rules_exclusivity.py | 63 +++++++++++++++++++ 5 files changed, 193 insertions(+) create mode 100644 testsuite/tests/singlecluster/overrides/__init__.py create mode 100644 testsuite/tests/singlecluster/overrides/test_basic_auth.py create mode 100644 testsuite/tests/singlecluster/overrides/test_basic_rate_limit.py create mode 100644 testsuite/tests/singlecluster/overrides/test_route_override.py create mode 100644 testsuite/tests/singlecluster/overrides/test_rules_exclusivity.py diff --git a/testsuite/tests/singlecluster/overrides/__init__.py b/testsuite/tests/singlecluster/overrides/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/testsuite/tests/singlecluster/overrides/test_basic_auth.py b/testsuite/tests/singlecluster/overrides/test_basic_auth.py new file mode 100644 index 00000000..d00e083d --- /dev/null +++ b/testsuite/tests/singlecluster/overrides/test_basic_auth.py @@ -0,0 +1,39 @@ +"""Test basic enforcement of the rules inside the 'overrides' block of the RateLimitPolicy assigned to a Gateway""" + +import pytest + +from testsuite.httpx.auth import HttpxOidcClientAuth +from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy + +pytestmark = [pytest.mark.kuadrant_only] + + +@pytest.fixture(scope="module") +def authorization(route, gateway, blame, cluster, label, oidc_provider): # pylint: disable=unused-argument + """Add oidc identity to overrides block of gateway-attached AuthPolicy""" + auth_policy = AuthPolicy.create_instance(cluster, blame("authz"), gateway, labels={"testRun": label}) + auth_policy.overrides.identity.add_oidc("override", oidc_provider.well_known["issuer"]) + return auth_policy + + +@pytest.fixture(scope="module") +def auth(oidc_provider): + """Returns Authentication object for HTTPX""" + return HttpxOidcClientAuth(oidc_provider.get_token, "authorization") + + +@pytest.fixture(scope="module") +def rate_limit(): + """No RateLimitPolicy is required for this test""" + return None + + +def test_basic_auth(route, authorization, client, auth): + """Test if rules inside overrides block of Gateway's AuthPolicy are inherited by the HTTPRoute + and enforced like any other normal rule""" + route.refresh() + assert route.is_affected_by(authorization) + + response = client.get("/get") + assert response.status_code == 401 + assert client.get("/get", auth=auth).status_code == 200 # assert that AuthPolicy is enforced diff --git a/testsuite/tests/singlecluster/overrides/test_basic_rate_limit.py b/testsuite/tests/singlecluster/overrides/test_basic_rate_limit.py new file mode 100644 index 00000000..f88656b6 --- /dev/null +++ b/testsuite/tests/singlecluster/overrides/test_basic_rate_limit.py @@ -0,0 +1,48 @@ +"""Test basic enforcement of the rules inside the 'overrides' block of the RateLimitPolicy assigned to a Gateway""" + +import pytest + +from testsuite.kuadrant.policy.rate_limit import Limit, RateLimitPolicy + +pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] + +GATEWAY_LIMIT = Limit(3, 5) +ROUTE_LIMIT = Limit(2, 5) + + +@pytest.fixture(scope="module") +def authorization(): + """No authorization is required for this test""" + return None + + +@pytest.fixture(scope="module") +def rate_limit_gw(request, cluster, blame, module_label, gateway): + """Add a RateLimitPolicy to the Gateway with an overrides block to override the Route-level policy.""" + rate_limit_gateway = RateLimitPolicy.create_instance( + cluster, blame("limit-gateway"), gateway, labels={"testRun": module_label} + ) + rate_limit_gateway.overrides.add_limit("basic", [GATEWAY_LIMIT]) + request.addfinalizer(rate_limit_gateway.delete) + rate_limit_gateway.commit() + rate_limit_gateway.wait_for_ready() + return rate_limit_gateway + + +@pytest.fixture(scope="module") +def rate_limit(rate_limit): + """Add basic requests limit to RateLimitPolicy""" + rate_limit.add_limit("basic", [ROUTE_LIMIT]) + return rate_limit + + +def test_basic_rate_limit(rate_limit, rate_limit_gw, route, client): + """Test if rules inside overrides block of Gateway's RateLimitPolicy are inherited by the HTTPRoute + and enforced like any other normal rule""" + route.refresh() + assert route.is_affected_by(rate_limit) + rate_limit_gw.wait_for_full_enforced() + + responses = client.get_many("/get", GATEWAY_LIMIT.limit) + responses.assert_all(status_code=200) + assert client.get("/get").status_code == 429 # assert that RateLimitPolicy is enforced diff --git a/testsuite/tests/singlecluster/overrides/test_route_override.py b/testsuite/tests/singlecluster/overrides/test_route_override.py new file mode 100644 index 00000000..2012043f --- /dev/null +++ b/testsuite/tests/singlecluster/overrides/test_route_override.py @@ -0,0 +1,43 @@ +"""Test that overrides block can not be defined in AuthPolicy and RateLimitPolicy attached to a HTTPRoute""" + +import pytest +from openshift_client import OpenShiftPythonException + +from testsuite.kuadrant.policy.rate_limit import Limit + +pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] + + +@pytest.fixture(scope="module") +def authorization(authorization, oidc_provider): + """Create AuthPolicy with basic oidc rules in the overrides block""" + authorization.overrides.identity.add_oidc("override", oidc_provider.well_known["issuer"]) + return authorization + + +@pytest.fixture(scope="module") +def rate_limit(rate_limit): + """Add basic rate limiting rules in the overrides block""" + rate_limit.overrides.add_limit("override", [Limit(2, 5)]) + return rate_limit + + +@pytest.fixture(scope="module") +def commit(): + """We need to try to commit objects during the actual test""" + return None + + +@pytest.mark.parametrize( + "component_fixture", + [ + pytest.param("authorization", id="AuthPolicy"), + pytest.param("rate_limit", id="RateLimitPolicy"), + ], +) +@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") +def test_route_override(request, component_fixture): + """Test that server will reject policy attached to a HTTPRoute containing an overrides block""" + component = request.getfixturevalue(component_fixture) + with pytest.raises(OpenShiftPythonException, match="Overrides are.*"): + component.commit() diff --git a/testsuite/tests/singlecluster/overrides/test_rules_exclusivity.py b/testsuite/tests/singlecluster/overrides/test_rules_exclusivity.py new file mode 100644 index 00000000..299e7f9f --- /dev/null +++ b/testsuite/tests/singlecluster/overrides/test_rules_exclusivity.py @@ -0,0 +1,63 @@ +"""Test mutual exclusivity of overrides block with explicit and implicit defaults""" + +import pytest +from openshift_client import OpenShiftPythonException + +from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy +from testsuite.kuadrant.policy.rate_limit import RateLimitPolicy, Limit + +pytestmark = [pytest.mark.kuadrant_only, pytest.mark.limitador] + + +@pytest.fixture(scope="module") +def commit(): + """We need to try to commit objects during the actual test""" + return None + + +@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") +def test_rules_exclusivity_implicit_authorization(cluster, route, oidc_provider, module_label, blame): + """Test that server will reject an AuthPolicy with overrides and implicit defaults defined simultaneously""" + authorization = AuthPolicy.create_instance(cluster, blame("authz"), route, labels={"testRun": module_label}) + authorization.overrides.identity.add_oidc("overrides", oidc_provider.well_known["issuer"]) + authorization.identity.add_oidc("implicit-defaults", oidc_provider.well_known["issuer"]) + + with pytest.raises( + OpenShiftPythonException, match="Implicit defaults and explicit overrides are mutually exclusive" + ): + authorization.commit() + + +@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") +def test_rules_exclusivity_explicit_authorization(cluster, route, oidc_provider, module_label, blame): + """Test that server will reject an AuthPolicy with overrides and implicit defaults defined simultaneously""" + authorization = AuthPolicy.create_instance(cluster, blame("authz"), route, labels={"testRun": module_label}) + authorization.overrides.identity.add_oidc("overrides", oidc_provider.well_known["issuer"]) + authorization.defaults.identity.add_oidc("explicit-defaults", oidc_provider.well_known["issuer"]) + + with pytest.raises( + OpenShiftPythonException, match="Explicit overrides and explicit defaults are mutually exclusive" + ): + authorization.commit() + + +@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") +def test_rules_exclusivity_implicit_rate_limit(cluster, route, module_label, blame): + """Test that server will reject a RateLimitPolicy with overrides and implicit defaults defined simultaneously""" + rate_limit = RateLimitPolicy.create_instance(cluster, blame("limit"), route, labels={"testRun": module_label}) + rate_limit.overrides.add_limit("overrides", [Limit(2, 5)]) + rate_limit.add_limit("implicit-defaults", [Limit(2, 5)]) + + with pytest.raises(OpenShiftPythonException, match="Overrides and implicit defaults are mutually exclusive"): + rate_limit.commit() + + +@pytest.mark.issue("https://github.com/Kuadrant/kuadrant-operator/issues/775") +def test_rules_exclusivity_explicit_rate_limit(cluster, route, module_label, blame): + """Test that server will reject a RateLimitPolicy with overrides and explicit defaults defined simultaneously""" + rate_limit = RateLimitPolicy.create_instance(cluster, blame("limit"), route, labels={"testRun": module_label}) + rate_limit.overrides.add_limit("overrides", [Limit(2, 5)]) + rate_limit.defaults.add_limit("explicit-defaults", [Limit(2, 5)]) + + with pytest.raises(OpenShiftPythonException, match="Overrides and explicit defaults are mutually exclusive"): + rate_limit.commit()