Kuadrant · pehala · Mar 27, 2023 · Jan 16, 2023
diff --git a/testsuite/openshift/objects/rate_limit.py b/testsuite/openshift/objects/rate_limit.py
@@ -0,0 +1,56 @@
+"""RateLimitPolicy related objects"""
+from time import sleep
+
+import openshift as oc
+from testsuite.openshift.client import OpenShiftClient
+from testsuite.openshift.objects import OpenShiftObject, modify
+from testsuite.openshift.objects.gateway_api import Referencable
+
+
+class RateLimitPolicy(OpenShiftObject):
+    """RateLimitPolicy (or RLP for short) object, used for applying rate limiting rules to an Gateway/HTTPRoute"""
+
+    @classmethod
+    def create_instance(cls, openshift: OpenShiftClient, name, route: Referencable, labels: dict[str, str] = None):
+        """Creates new instance of RateLimitPolicy"""
+        model = {
+            "apiVersion": "kuadrant.io/v1beta1",
+            "kind": "RateLimitPolicy",
+            "metadata": {"name": name, "namespace": openshift.project, "labels": labels},
+            "spec": {
+                "targetRef": route.reference,
+                "rateLimits": [
+                    {
+                        "configurations": [
+                            {"actions": [{"generic_key": {"descriptor_key": "limited", "descriptor_value": "1"}}]}
+                        ]
+                    }
+                ],
+            },
+        }
+
+        return cls(model, context=openshift.context)
+
+    @modify
+    def add_limit(self, max_value, seconds, conditions: list[str] = None):
+        """Add another limit"""
+        conditions = conditions or []
+        limits = self.model.spec.rateLimits[0].setdefault("limits", [])
+        limit = {"maxValue": max_value, "seconds": seconds, "conditions": conditions, "variables": []}
+        limits.append(limit)
+
+    def commit(self):
+        result = super().commit()
+
+        # wait for RLP to be actually applied, conditions itself is not enough, sleep is needed
+        def _policy_is_ready(obj):
+            return "conditions" in obj.model.status and obj.model.status.conditions[0].status == "True"
+
+        with oc.timeout(60):
+            success, _, _ = self.self_selector().until_all(success_func=_policy_is_ready, tolerate_failures=5)
+            assert success
+
+        # https://github.com/Kuadrant/kuadrant-operator/issues/140
+        sleep(60)
+
+        return result
diff --git a/testsuite/tests/kuadrant/authorino/conftest.py b/testsuite/tests/kuadrant/authorino/conftest.py
@@ -76,3 +76,10 @@ def _create_secret(name, label_selector, api_key, ocp: OpenShiftClient = openshi
         return secret
 
     return _create_secret
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, authorization):
+    """Commits all important stuff before tests"""
+    request.addfinalizer(authorization.delete)
+    authorization.commit()
diff --git a/testsuite/tests/kuadrant/conftest.py b/testsuite/tests/kuadrant/conftest.py
@@ -3,6 +3,7 @@
 import pytest
 
 from testsuite.openshift.objects.auth_config.auth_policy import AuthPolicy
+from testsuite.openshift.objects.rate_limit import RateLimitPolicy
 
 
 @pytest.fixture(scope="session")
@@ -35,26 +36,45 @@ def authorization_name(blame):
 
 
 @pytest.fixture(scope="module")
-def authorization(authorino, kuadrant, envoy, authorization_name, openshift, module_label):
+def authorization(authorino, kuadrant, oidc_provider, envoy, authorization_name, openshift, module_label):
     """Authorization object (In case of Kuadrant AuthPolicy)"""
     if kuadrant:
         policy = AuthPolicy.create_instance(
             openshift, authorization_name, envoy.route, labels={"testRun": module_label}
         )
+        policy.identity.oidc("rhsso", oidc_provider.well_known["issuer"])
         return policy
     return None
 
 
 @pytest.fixture(scope="module")
-def client(envoy):
-    """Returns httpx client to be used for requests"""
-    client = envoy.client()
-    yield client
-    client.close()
+def rate_limit_name(blame):
+    """Name of the rate limit"""
+    return blame("limit")
+
+
+@pytest.fixture(scope="module")
+def rate_limit(kuadrant, openshift, rate_limit_name, envoy, module_label):
+    """Rate limit"""
+    if kuadrant:
+        return RateLimitPolicy.create_instance(
+            openshift, rate_limit_name, envoy.route, labels={"testRun": module_label}
+        )
+    return None
 
 
 @pytest.fixture(scope="module", autouse=True)
-def commit(request, authorization):
+def commit(request, authorization, rate_limit):
     """Commits all important stuff before tests"""
-    request.addfinalizer(authorization.delete)
-    authorization.commit()
+    for component in [authorization, rate_limit]:
+        if component is not None:
+            request.addfinalizer(component.delete)
+            component.commit()
+
+
+@pytest.fixture(scope="module")
+def client(envoy):
+    """Returns httpx client to be used for requests, it also commits AuthConfig"""
+    client = envoy.client()
+    yield client
+    client.close()
diff --git a/testsuite/tests/kuadrant/limitador/__init__.py b/testsuite/tests/kuadrant/limitador/__init__.py
diff --git a/testsuite/tests/kuadrant/limitador/conftest.py b/testsuite/tests/kuadrant/limitador/conftest.py
@@ -0,0 +1,17 @@
+"""Conftest for all limitador tests"""
+import pytest
+
+
+@pytest.fixture(scope="module")
+def kuadrant(kuadrant):
+    """Skip if not running on Kuadrant"""
+    if not kuadrant:
+        pytest.skip("Limitador test can only run on Kuadrant for now")
+    return kuadrant
+
+
+@pytest.fixture(scope="module", autouse=True)
+def commit(request, rate_limit):
+    """Commits all important stuff before tests"""
+    request.addfinalizer(rate_limit.delete)
+    rate_limit.commit()
diff --git a/testsuite/tests/kuadrant/limitador/test_basic_limit.py b/testsuite/tests/kuadrant/limitador/test_basic_limit.py
@@ -0,0 +1,41 @@
+"""
+Tests that a single limit is enforced as expected over one iteration
+"""
+import pytest
+
+from testsuite.utils import fire_requests
+
+
+@pytest.fixture(
+    scope="module",
+    params=[
+        pytest.param((2, 20), id="2 requests every 20 sec"),
+        pytest.param((5, 15), id="5 requests every 15 sec"),
+        pytest.param((3, 10), id="3 request every 10 sec"),
+    ],
+)
+def limit_time(request):
+    """Combination of max requests and time period"""
+    return request.param
+
+
+# pylint: disable=unused-argument
+@pytest.fixture(scope="module")
+def rate_limit_name(blame, limit_time):
+    """Generate name for each combination of limit_time"""
+    return blame("limit")
+
+
+@pytest.fixture(scope="module")
+def rate_limit(rate_limit, limit_time):
+    """Add limit to the policy"""
+    limit, time = limit_time
+    rate_limit.add_limit(limit, time)
+    return rate_limit
+
+
+def test_limit(client, limit_time):
+    """Tests that simple limit is applied successfully"""
+    limit, time = limit_time
+
+    fire_requests(client, limit, time, grace_requests=1)
diff --git a/testsuite/tests/kuadrant/limitador/test_multiple_iterations.py b/testsuite/tests/kuadrant/limitador/test_multiple_iterations.py
@@ -0,0 +1,18 @@
+"""
+Tests that a single limit is enforced as expected over multiple iterations
+"""
+import pytest
+
+from testsuite.utils import fire_requests
+
+
+@pytest.fixture(scope="module")
+def rate_limit(rate_limit):
+    """Add limit to the policy"""
+    rate_limit.add_limit(5, 10)
+    return rate_limit
+
+
+def test_multiple_iterations(client):
+    """Tests that simple limit is applied successfully and works for multiple iterations"""
+    fire_requests(client, 5, 10, iterations=10)
diff --git a/testsuite/utils.py b/testsuite/utils.py
@@ -6,9 +6,12 @@
 from collections.abc import Collection
 from importlib import resources
 from io import StringIO
+from time import sleep
 from typing import Dict, Union
 from urllib.parse import urlparse, ParseResult
 
+import httpx
+
 from testsuite.certificates import Certificate, CFSSLClient, CertInfo
 from testsuite.config import settings
 
@@ -105,3 +108,31 @@ def create_csv_file(rows: list) -> StringIO:
     csv.writer(file, delimiter=",", quotechar='"', quoting=csv.QUOTE_ALL).writerows(rows)
     file.seek(0)
     return file
+
+
+def fire_requests(client, max_requests, period, grace_requests=0, iterations=1, path="/get"):
+    """
+    Fires requests meant to test if it is correctly rate-limited
+    :param client: Client instance
+    :param max_requests: Max allowed requests
+    :param period: Time period after which the counter should reset
+    :param grace_requests: Number of requests on top of max_requests
+     which will be made but not checked, improves stability
+    :param iterations: Number of periods to tests
+    :param path: URL path of the request
+    :return:
+    """
+    url = f"{client.base_url}/{path}"
+    for iteration in range(iterations):
+        sleep(period)
+        for i in range(max_requests):
+            assert (
+                httpx.get(url).status_code == 200
+            ), f"{i + 1}/{max_requests} request from {iteration + 1} iteration failed"
+
+        for i in range(grace_requests):
+            httpx.get(url)
+
+        assert httpx.get(url).status_code == 429, f"Iteration {iteration + 1} failed to start limiting"
+        sleep(period)
+        assert httpx.get(url).status_code == 200, f"Iteration {iteration + 1} failed to reset limits"