kubelatte-ce

1
package validation
2

3
import (
4
	"context"
5
	"github.com/stretchr/testify/assert"
6
	"gitverse.ru/synapse/kubelatte/pkg/api/v1alpha1"
7
	"gitverse.ru/synapse/kubelatte/pkg/observability/logger/lib"
8
	"gitverse.ru/synapse/kubelatte/pkg/storage"
9
	"go.uber.org/zap"
10
	"os"
11
	"testing"
12
)
13

14
func TestMain(m *testing.M) {
15
	// test context initialization here
16
	lib.ZapLogger = zap.NewNop()
17
	os.Exit(m.Run())
18
}
19

20
func Test_checkScopeNewLogic(t *testing.T) {
21
	type args struct {
22
		result interface{}
23
		simple v1alpha1.Simple
24
		action string
25
	}
26
	tests := []struct {
27
		name   string
28
		args   args
29
		result bool
30
	}{
31
		{
32
			name: ".* 1",
33
			args: args{
34
				result: []string{"annot", "key"},
35
				simple: v1alpha1.Simple{
36
					Name:  "disallowed-containers",
37
					Path:  "spec.containers",
38
					Value: ".*",
39
				},
40
				action: Deny,
41
			},
42
			result: false,
43
		},
44
		{
45
			name: ".* 2",
46
			args: args{
47
				result: []string{"annot", "key"},
48
				simple: v1alpha1.Simple{
49
					Name:  "disallowed-containers",
50
					Path:  "spec.containers",
51
					Value: ".*",
52
				},
53
				action: Allow,
54
			},
55
			result: true,
56
		},
57
		{
58
			name: "empty res",
59
			args: args{
60
				result: nil,
61
				simple: v1alpha1.Simple{
62
					Name:  "disallowed-containers",
63
					Path:  "spec.containers",
64
					Value: ".*",
65
				},
66
				action: Deny,
67
			},
68
			result: true,
69
		},
70
	}
71
	for _, tt := range tests {
72
		t.Run(tt.name, func(t *testing.T) {
73
			assert.Equalf(t, tt.result, validateValue(context.Background(), tt.args.result, tt.args.simple.Path, tt.args.simple.Value, tt.args.action),
74
				"validateValue(%v, %v, %v)", tt.args.result, tt.args.simple, tt.args.action)
75
		})
76
	}
77
}
78

79
func TestCheckRegoRule(t *testing.T) {
80
	t.Run("with rule", func(t *testing.T) {
81
		storage.Storage = &storage.StorageController{}
82
		storage.Storage.Start(true, false)
83
		orig := map[string]interface{}{
84
			"apiVersion": "v1",
85
			"kind":       "Pod",
86
			"metadata": map[string]interface{}{
87
				"name":      "test",
88
				"namespace": "test"},
89
		}
90
		item := v1alpha1.Item{
91
			Name: "rule",
92
			Match: v1alpha1.Match{
93
				Kinds: []v1alpha1.Kind{{
94
					Kind:      []string{"Pod"},
95
					ApiGroups: []string{"*"},
96
				}},
97
			},
98
			Rule: v1alpha1.Rule{
99
				Rego: v1alpha1.Rego{
100
					Template:   "import future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nviolation contains {\"msg\": msg} if {\n  params := object.get(input, \"parameters\", {})\n  name := object.get(params, \"name\", [])\n  objName := input.review.name\n  objName == name\n  msg := sprintf(\"Creating this pod is prohibited! Do not create %v\", [objName])\n}",
101
					Parameters: "name: test",
102
				},
103
			},
104
		}
105
		if gotErr := CheckRegoRule(context.Background(), orig, item); gotErr == nil {
106
			t.Errorf("CheckRegoRule() error: %v, expected nil", gotErr)
107
		}
108
		storage.Storage.UpdateRegoRule("test", v1alpha1.TemplateSpec{
109
			Kind:       "Scope",
110
			ApiVersion: "test",
111
			Data:       "import future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nviolation contains {\"msg\": msg} if {\n  params := object.get(input, \"parameters\", {})\n  name := object.get(params, \"name\", [])\n  objName := input.review.name\n  objName == name\n  msg := sprintf(\"Creating this pod is prohibited! Do not create %v\", [objName])\n}",
112
			Type:       "rego",
113
		})
114
		if gotErr := CheckRegoRule(context.Background(), orig, item); gotErr == nil {
115
			t.Errorf("CheckRegoRule() error: %v, expected nil", gotErr)
116
		}
117
	})
118
}
119