-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added identical hostnames test for AuthPolicy
- Loading branch information
Showing
5 changed files
with
187 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
"""Conftest for "identical hostname" tests""" | ||
|
||
import pytest | ||
|
||
from testsuite.gateway import GatewayRoute | ||
from testsuite.gateway.envoy.route import EnvoyVirtualRoute | ||
from testsuite.gateway.gateway_api.route import HTTPRoute | ||
|
||
|
||
@pytest.fixture(scope="module", autouse=True) | ||
def route2(request, kuadrant, gateway, blame, hostname, backend, module_label) -> GatewayRoute: | ||
"""HTTPRoute object serving as a 2nd route declaring identical hostname but different path""" | ||
if kuadrant: | ||
route = HTTPRoute.create_instance(gateway.openshift, blame("route"), gateway, {"app": module_label}) | ||
else: | ||
route = EnvoyVirtualRoute.create_instance(gateway.openshift, blame("route"), gateway) | ||
route.add_hostname(hostname.hostname) | ||
route.add_backend(backend, "/anything/") | ||
request.addfinalizer(route.delete) | ||
route.commit() | ||
return route | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def authorization_name2(blame): | ||
"""Name of the 2nd Authorization resource""" | ||
return blame("authz2") |
63 changes: 63 additions & 0 deletions
63
testsuite/tests/kuadrant/identical_hostname/test_auth_on_gw_and_route.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
""" | ||
Tests behavior of using one HTTPRoute declaring the same hostname as parent Gateway related to AuthPolicy. | ||
https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/auth.md#limitation-multiple-network-resources-with-identical-hostnames | ||
(second topology mentioned there) | ||
""" | ||
|
||
import time | ||
|
||
import pytest | ||
|
||
from testsuite.policy.authorization.auth_policy import AuthPolicy | ||
|
||
pytestmark = [pytest.mark.kuadrant_only] | ||
|
||
|
||
@pytest.fixture(scope="class", autouse=True) | ||
def authorization2(request, kuadrant, gateway, authorization_name2, openshift, label): | ||
"""2nd Authorization object (In case of Kuadrant AuthPolicy)""" | ||
if kuadrant: | ||
auth_policy = AuthPolicy.create_instance(openshift, authorization_name2, gateway, labels={"testRun": label}) | ||
auth_policy.authorization.add_opa_policy("rego", "allow = false") | ||
request.addfinalizer(auth_policy.delete) | ||
auth_policy.commit() | ||
auth_policy.wait_for_ready() | ||
return auth_policy | ||
return None | ||
|
||
|
||
def test_gateway_authpolicy_ignored(client, authorization): | ||
""" | ||
Tests that Gateway-attached AuthPolicy is ignored on 'route2' if both 'route' and 'route2' declare | ||
identical hostname and there is another AuthPolicy already successfully enforced on 'route'. | ||
Setup: | ||
- Two HTTPRoutes declaring identical hostnames but different paths ('/' and '/anything/') | ||
- Empty AuthPolicy enforced on the '/' HTTPRoute | ||
- 'deny-all' AuthPolicy created after Empty AuthPolicy enforced on the Gateway | ||
Test: | ||
- Send a request via 'route' and assert that response status code is 200 | ||
- Send a request via 'route2' and assert that response status code is 200 | ||
- Delete the empty AuthPolicy created via fixture | ||
- Send a request via both routes | ||
- Assert that both response status codes are 403 (Forbidden) | ||
""" | ||
|
||
# Access via 'route' is allowed due to Empty AuthPolicy | ||
response = client.get("/get") | ||
assert response.status_code == 200 | ||
|
||
# Despite 'deny-all' Gateway AuthPolicy reporting being successfully enforced | ||
# it is still allowed to access the resources via 'route2' | ||
response = client.get("/anything/get") | ||
assert response.status_code == 200 | ||
|
||
# Deletion of Empty AuthPolicy should make the 'deny-all' Gateway AuthPolicy effectively enforced. | ||
# It might take some time hence the 15s sleep. | ||
authorization.delete() | ||
time.sleep(15) | ||
|
||
response = client.get("/get") | ||
assert response.status_code == 403 | ||
|
||
response = client.get("/anything/get") | ||
assert response.status_code == 403 |
87 changes: 87 additions & 0 deletions
87
testsuite/tests/kuadrant/identical_hostname/test_auth_on_two_routes.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
""" | ||
Tests behavior of using two HTTPRoutes declaring the same hostname related to AuthPolicy. | ||
https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/auth.md#limitation-multiple-network-resources-with-identical-hostnames | ||
(the first topology mentioned there) | ||
""" | ||
|
||
import pytest | ||
|
||
from testsuite.policy.authorization.auth_policy import AuthPolicy | ||
from testsuite.utils import has_condition | ||
|
||
pytestmark = [pytest.mark.kuadrant_only] | ||
|
||
|
||
@pytest.fixture(scope="class") | ||
def authorization2(request, kuadrant, route2, authorization_name2, openshift, label): | ||
"""2nd Authorization object (In case of Kuadrant AuthPolicy)""" | ||
if kuadrant: | ||
auth_policy = AuthPolicy.create_instance(openshift, authorization_name2, route2, labels={"testRun": label}) | ||
auth_policy.authorization.add_opa_policy("rego", "allow = false") | ||
request.addfinalizer(auth_policy.delete) | ||
auth_policy.commit() | ||
auth_policy.wait_for_accepted() | ||
return auth_policy | ||
return None | ||
|
||
|
||
def test_2nd_authpolicy_rejected(client, authorization, authorization2): | ||
""" | ||
Tests that 2nd AuthPolicy is rejected on 'route2' declaring identical hostname as 'route' with another | ||
AuthPolicy already successfully enforced on 'route'. | ||
Setup: | ||
- Two HTTPRoutes declaring identical hostnames but different paths ('/' and '/anything/') | ||
- Empty AuthPolicy enforced on the '/' HTTPRoute | ||
- 'deny-all' AuthPolicy created after Empty AuthPolicy enforced on the '/anything/' HTTPRoute | ||
Test: | ||
- Assert that 'deny-all' AuthPolicy reports an error | ||
- Send a request via 'route' and assert that response status code is 200 | ||
- Send a request via 'route2' and assert that response status code is 200 | ||
- Delete the Empty AuthPolicy | ||
- Change 'deny-all' AuthPolicy to trigger its reconciliation | ||
- Send a request via both routes | ||
- Assert that access via 'route' is 200 (OK) | ||
- Assert that access via 'route2 is 403 (Forbidden) | ||
""" | ||
assert authorization2.wait_until( | ||
has_condition( | ||
"Enforced", | ||
"False", | ||
"Unknown", | ||
"AuthPolicy has encountered some issues: AuthScheme is not ready yet", | ||
), | ||
timelimit=20, | ||
), ( | ||
f"AuthPolicy did not reach expected status (Enforced False), " | ||
f"instead it was: {authorization2.refresh().model.status.conditions}" | ||
) | ||
|
||
response = client.get("/get") | ||
assert response.status_code == 200 | ||
|
||
response = client.get("/anything/get") | ||
assert response.status_code == 200 | ||
|
||
# Deletion of Empty AuthPolicy should allow for 'deny-all' AuthPolicy to be enforced successfully. | ||
authorization.delete() | ||
|
||
# 2nd AuthPolicy only recovers from the "AuthScheme is not ready yet" error if reconciliation is explicitly | ||
# triggered, e.g. by changing the AuthPolicy CR content (changing AllValues to True in this particular case) | ||
authorization2.authorization.add_opa_policy("rego", "allow = false", True) | ||
authorization2.refresh() | ||
|
||
assert authorization2.wait_until( | ||
has_condition("Enforced", "True"), | ||
timelimit=20, | ||
), ( | ||
f"AuthPolicy did not reach expected status (Enforced True), " | ||
f"instead it was: {authorization2.refresh().model.status.conditions}" | ||
) | ||
|
||
# Access via 'route' is still allowed | ||
response = client.get("/get") | ||
assert response.status_code == 200 | ||
|
||
# Access via 'route2' is now not allowed due to 'deny-all' AuthPolicy being enforced on 'route2' | ||
response = client.get("/anything/get") | ||
assert response.status_code == 403 |