package main
import (
"encoding/json"
"testing"
mapset "github.com/deckarep/golang-set/v2"
kubewarden_protocol "github.com/kubewarden/policy-sdk-go/protocol"
kubewarden_testing "github.com/kubewarden/policy-sdk-go/testing"
)
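// TestApproval runs fixtures the policy is expected to accept through validate
// and fails a case when the response cannot be produced/decoded or is a rejection.
//
// Each case is a subtest so that a fixture or decoding failure aborts only that
// case (t.Fatalf) instead of falling through to validate with an empty payload
// and reporting a second, misleading error.
func TestApproval(t *testing.T) {
	cases := []struct {
		name     string
		testData string
		settings Settings
	}{
		{
			name:     "empty settings allows safe sysctls",
			testData: "test_data/request-pod-safe-sysctls.json",
			settings: Settings{},
		},
		{
			name:     "pod without sysctl always allowed",
			testData: "test_data/request-pod-no-sysctl.json",
			settings: Settings{},
		},
		{
			// The sysctl is both in allowedUnsafeSysctls and matched by the
			// forbidden pattern "net.*"; the expected approval pins the
			// allow-list taking precedence — confirm that is the intended
			// semantics of the policy.
			name:     "pod with allowedUnsafe sysctl",
			testData: "test_data/request-pod-somaxconn.json",
			settings: Settings{
				AllowedUnsafeSysctls: mapset.NewThreadUnsafeSet("net.core.somaxconn", "bar"),
				ForbiddenSysctls:     mapset.NewThreadUnsafeSet("net.*"),
			},
		},
	}

	for _, tcase := range cases {
		// The subtest body runs synchronously (no t.Parallel), so capturing
		// the loop variable is safe on every Go version.
		t.Run(tcase.name, func(t *testing.T) {
			payload, err := kubewarden_testing.BuildValidationRequestFromFixture(
				tcase.testData,
				&tcase.settings)
			if err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			responsePayload, err := validate(payload)
			if err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			var response kubewarden_protocol.ValidationResponse
			if err := json.Unmarshal(responsePayload, &response); err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			if !response.Accepted {
				t.Errorf("on test %q, got unexpected rejection", tcase.name)
			}
		})
	}
}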
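// TestRejection runs fixtures the policy is expected to reject through validate
// and checks both that the request is rejected and that the rejection message
// matches the expected text exactly.
//
// Each case is a subtest so that a fixture or decoding failure aborts only that
// case (t.Fatalf) rather than continuing with an empty payload. The response
// message is a pointer and is nil-checked before being dereferenced: an
// unexpected approval would otherwise turn into a nil-pointer panic instead of
// a readable test failure.
func TestRejection(t *testing.T) {
	cases := []struct {
		name     string
		testData string
		settings Settings
		error    string
	}{
		{
			name:     "empty settings reject non safe sysctls",
			testData: "test_data/request-pod-somaxconn.json",
			settings: Settings{},
			error:    "sysctl net.core.somaxconn is not on safe list, nor is in the allowedUnsafeSysctls list",
		},
		{
			name:     "all sysctls forbidden",
			testData: "test_data/request-pod-somaxconn.json",
			settings: Settings{
				AllowedUnsafeSysctls: mapset.NewThreadUnsafeSet[string](),
				ForbiddenSysctls:     mapset.NewThreadUnsafeSet("*"),
			},
			error: "sysctl net.core.somaxconn is on the forbidden list",
		},
		{
			name:     "net.* sysctls forbidden",
			testData: "test_data/request-pod-somaxconn.json",
			settings: Settings{
				AllowedUnsafeSysctls: mapset.NewThreadUnsafeSet[string](),
				ForbiddenSysctls:     mapset.NewThreadUnsafeSet("net.*"),
			},
			error: "sysctl net.core.somaxconn is on the forbidden list",
		},
	}

	for _, tcase := range cases {
		// The subtest body runs synchronously (no t.Parallel), so capturing
		// the loop variable is safe on every Go version.
		t.Run(tcase.name, func(t *testing.T) {
			payload, err := kubewarden_testing.BuildValidationRequestFromFixture(
				tcase.testData,
				&tcase.settings)
			if err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			responsePayload, err := validate(payload)
			if err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			var response kubewarden_protocol.ValidationResponse
			if err := json.Unmarshal(responsePayload, &response); err != nil {
				t.Fatalf("on test %q, got unexpected error '%+v'", tcase.name, err)
			}

			if response.Accepted {
				t.Errorf("on test %q, got unexpected approval", tcase.name)
			}

			// A rejection without a message is itself a defect: the user would
			// get no explanation of why the request was denied.
			if response.Message == nil {
				t.Fatalf("on test %q, got rejection without a message, expected '%s'",
					tcase.name, tcase.error)
			}
			if *response.Message != tcase.error {
				t.Errorf("on test %q, got '%s' instead of '%s'",
					tcase.name, *response.Message, tcase.error)
			}
		})
	}
}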