

Adds unit tests for pkg/controller/networkpolicy/validate.go
Signed-off-by: Harshitha U R <harshithaur1611@gmail.com>
Signed-off-by: Pulkit Jain <jainpu@vmware.com>
urharshitha authored and Pulkit Jain committed Apr 28, 2023
1 parent 38a689d commit 9234b72
Showing 1 changed file with 189 additions and 19 deletions.
208 changes: 189 additions & 19 deletions pkg/controller/networkpolicy/validate_test.go
Expand Up @@ -30,11 +30,16 @@ import (
"antrea.io/antrea/pkg/features"
)

func TestValidateAntreaPolicy(t *testing.T) {
allowAction := crdv1alpha1.RuleActionAllow
passAction := crdv1alpha1.RuleActionPass
int32For80 := int32(80)
var (
query = crdv1alpha1.IGMPQuery
report = crdv1alpha1.IGMPReportV1
allowAction = crdv1alpha1.RuleActionAllow
passAction = crdv1alpha1.RuleActionPass
portNum80 = int32(80)
)

func TestValidateAntreaPolicy(t *testing.T) {
operation := admv1.Create
tests := []struct {
name string
featureGates map[featuregate.Feature]bool
Expand Down Expand Up @@ -884,7 +889,7 @@ func TestValidateAntreaPolicy(t *testing.T) {
Action: &allowAction,
Ports: []crdv1alpha1.NetworkPolicyPort{
{
EndPort: &int32For80,
EndPort: &portNum80,
},
},
},
Expand Down Expand Up @@ -913,7 +918,7 @@ func TestValidateAntreaPolicy(t *testing.T) {
Ports: []crdv1alpha1.NetworkPolicyPort{
{
Port: &int81,
EndPort: &int32For80,
EndPort: &portNum80,
},
},
},
Expand Down Expand Up @@ -942,7 +947,7 @@ func TestValidateAntreaPolicy(t *testing.T) {
Ports: []crdv1alpha1.NetworkPolicyPort{
{
Port: &strHTTP,
EndPort: &int32For80,
EndPort: &portNum80,
},
},
},
Expand Down Expand Up @@ -1437,15 +1442,15 @@ func TestValidateAntreaPolicy(t *testing.T) {
expectedReason: "layer 7 protocols can only be used when L7NetworkPolicy is enabled",
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
for feature, value := range tt.featureGates {
defer featuregatetesting.SetFeatureGateDuringTest(t, features.DefaultFeatureGate, feature, value)()
}

_, c := newController()
v := NewNetworkPolicyValidator(c.NetworkPolicyController)
actualReason, allowed := v.validateAntreaPolicy(tt.policy, nil, admv1.Create, authenticationv1.UserInfo{})
_, controller := newController()
validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
actualReason, allowed := validator.validateAntreaPolicy(tt.policy, "", operation, authenticationv1.UserInfo{})
assert.Equal(t, tt.expectedReason, actualReason)
if tt.expectedReason == "" {
assert.True(t, allowed)
Expand Down Expand Up @@ -1493,9 +1498,9 @@ func TestValidateAntreaClusterGroup(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, c := newController()
v := NewNetworkPolicyValidator(c.NetworkPolicyController)
actualReason, allowed := v.validateAntreaGroup(tt.group, nil, admv1.Create, authenticationv1.UserInfo{})
_, controller := newController()
validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
actualReason, allowed := validator.validateAntreaGroup(tt.group, nil, admv1.Create, authenticationv1.UserInfo{})
assert.Equal(t, tt.expectedReason, actualReason)
if tt.expectedReason == "" {
assert.True(t, allowed)
Expand All @@ -1509,12 +1514,14 @@ func TestValidateAntreaClusterGroup(t *testing.T) {
func TestValidateAntreaGroup(t *testing.T) {
tests := []struct {
name string
group *crdv1alpha3.Group
curGroup *crdv1alpha3.Group
oldGroup *crdv1alpha3.Group
operation admv1.Operation
expectedReason string
}{
{
name: "anp-group-set-with-podselector-and-ipblock",
group: &crdv1alpha3.Group{
curGroup: &crdv1alpha3.Group{
ObjectMeta: metav1.ObjectMeta{
Name: "anp-group-set-with-podselector-and-ipblock",
Namespace: "x",
Expand All @@ -1528,14 +1535,177 @@ func TestValidateAntreaGroup(t *testing.T) {
},
},
},
operation: admv1.Create,
expectedReason: "At most one of podSelector, externalEntitySelector, serviceReference, ipBlocks or childGroups can be set for a Group",
},
{
name: "anp-group-to-delete",
oldGroup: &crdv1alpha3.Group{
ObjectMeta: metav1.ObjectMeta{
Name: "anp-group-set-with-podselector-specified",
Namespace: "x",
},
Spec: crdv1alpha3.GroupSpec{
PodSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{"foo=": "bar"},
},
},
},
operation: admv1.Delete,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, controller := newController()
validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
actualReason, allowed := validator.validateAntreaGroup(tt.curGroup, tt.oldGroup, tt.operation, authenticationv1.UserInfo{})
assert.Equal(t, tt.expectedReason, actualReason)
if tt.expectedReason == "" {
assert.True(t, allowed)
} else {
assert.False(t, allowed)
}
})
}
}

func TestValidateTier(t *testing.T) {
tests := []struct {
name string
curTier *crdv1alpha1.Tier
oldTier *crdv1alpha1.Tier
operation admv1.Operation
expectedReason string
}{
{
name: "create-tier-pass",
curTier: &crdv1alpha1.Tier{
ObjectMeta: metav1.ObjectMeta{
Name: "tier-priority-3",
},
Spec: crdv1alpha1.TierSpec{
Priority: 3,
},
},
operation: admv1.Create,
},
{
name: "create-tier-failed-with-reserved-priority",
curTier: &crdv1alpha1.Tier{
ObjectMeta: metav1.ObjectMeta{
Name: "tier-priority-251",
},
Spec: crdv1alpha1.TierSpec{
Priority: 251,
},
},
operation: admv1.Create,
expectedReason: "tier tier-priority-251 priority 251 is reserved",
},
{
name: "delete-tier-pass",
oldTier: &crdv1alpha1.Tier{
ObjectMeta: metav1.ObjectMeta{
Name: "tier-priority-3",
},
Spec: crdv1alpha1.TierSpec{
Priority: 3,
},
},
operation: admv1.Delete,
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, controller := newController()
validator := NewNetworkPolicyValidator(controller.NetworkPolicyController)
actualReason, allowed := validator.validateTier(tt.curTier, tt.oldTier, tt.operation, authenticationv1.UserInfo{})
assert.Equal(t, tt.expectedReason, actualReason)
if tt.expectedReason == "" {
assert.True(t, allowed)
} else {
assert.False(t, allowed)
}
})
}
}

func TestValidateMulticastIGMP(t *testing.T) {
tests := []struct {
name string
ingressRules []crdv1alpha1.Rule
egressRules []crdv1alpha1.Rule
expectedReason string
}{
{
name: "igmp-icmp-both-specified",
ingressRules: []crdv1alpha1.Rule{
{
Protocols: []crdv1alpha1.NetworkPolicyProtocol{
{
ICMP: &crdv1alpha1.ICMPProtocol{
ICMPType: &icmpType8,
ICMPCode: &icmpCode0,
},
IGMP: &crdv1alpha1.IGMPProtocol{
IGMPType: &query,
GroupAddress: "224.0.0.1",
},
},
},
Action: &allowAction,
},
},
expectedReason: "protocol IGMP can not be used with other protocols or other properties like from, to",
},
{
name: "only-icmp-specified",
ingressRules: []crdv1alpha1.Rule{
{
Protocols: []crdv1alpha1.NetworkPolicyProtocol{
{
ICMP: &crdv1alpha1.ICMPProtocol{
ICMPType: &icmpType8,
ICMPCode: &icmpCode0,
},
},
},
},
},
egressRules: []crdv1alpha1.Rule{
{
Protocols: []crdv1alpha1.NetworkPolicyProtocol{
{
ICMP: &crdv1alpha1.ICMPProtocol{},
},
},
},
},
},
{
name: "icmp-specified-and-action-set-to-fail",
egressRules: []crdv1alpha1.Rule{
{
Protocols: []crdv1alpha1.NetworkPolicyProtocol{
{
IGMP: &crdv1alpha1.IGMPProtocol{
IGMPType: &report,
GroupAddress: "225.1.2.3",
},
},
},
Action: &passAction,
},
},
expectedReason: "protocol IGMP does not support Pass or Reject",
},
}

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, c := newController()
v := NewNetworkPolicyValidator(c.NetworkPolicyController)
actualReason, allowed := v.validateAntreaGroup(tt.group, nil, admv1.Create, authenticationv1.UserInfo{})
var validator *antreaPolicyValidator
actualReason, allowed := validator.validateMulticastIGMP(tt.ingressRules, tt.egressRules)
assert.Equal(t, tt.expectedReason, actualReason)
if tt.expectedReason == "" {
assert.True(t, allowed)
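Review bot: validateMulticastIGMP is invoked on a nil receiver at the end of TestValidateMulticastIGMP (`var validator *antreaPolicyValidator` followed by `validator.validateMulticastIGMP(...)`), which only stays safe as long as the method never dereferences its receiver; any future change that reads receiver state turns every case in this table into a nil-pointer panic rather than a validation failure. Unless the method is deliberately receiver-free, construct the validator the way the neighbouring tests do, or pin the assumption in place with `// validateMulticastIGMP does not read receiver state, so a nil receiver is sufficient.` The case named `icmp-specified-and-action-set-to-fail` actually exercises an IGMP rule with a Pass action (its expected reason is the IGMP one), so a name such as `igmp-specified-with-pass-action` would describe what it checks. The loop body of TestValidateMulticastIGMP continues outside the hunk.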

