From 71f128a14e02e02a19c3f4c2e2b937d3693800f7 Mon Sep 17 00:00:00 2001
From: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
Date: Thu, 15 Sep 2022 10:08:35 -0400
Subject: [PATCH] (psa) add unit test cases for registry pod config (#2860)

This PR adds unit tests to test the pod+container securityContext configs
introduced in #2854

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>

Signed-off-by: Anik Bhattacharjee <anikbhattacharya93@gmail.com>
---
 .../registry/reconciler/reconciler_test.go    | 94 +++++++++++++++----
 1 file changed, 77 insertions(+), 17 deletions(-)

diff --git a/pkg/controller/registry/reconciler/reconciler_test.go b/pkg/controller/registry/reconciler/reconciler_test.go
index 1ed7eed2fa..4edfd882ff 100644
--- a/pkg/controller/registry/reconciler/reconciler_test.go
+++ b/pkg/controller/registry/reconciler/reconciler_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/operator-framework/api/pkg/operators/v1alpha1"
 )
@@ -80,26 +81,85 @@ func TestPullPolicy(t *testing.T) {
 }
 
 func TestPodContainerSecurityContext(t *testing.T) {
-	expectedReadOnlyRootFilesystem := false
-	allowPrivilegeEscalation := false
-	expectedContainerSecCtx := &corev1.SecurityContext{
-		ReadOnlyRootFilesystem:   &expectedReadOnlyRootFilesystem,
-		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
-		Capabilities: &corev1.Capabilities{
-			Drop: []corev1.Capability{"ALL"},
+	testcases := []struct {
+		title                            string
+		inputCatsrc                      *v1alpha1.CatalogSource
+		expectedSecurityContext          *corev1.PodSecurityContext
+		expectedContainerSecurityContext *corev1.SecurityContext
+	}{
+		{
+			title: "NoSpecDefined/PodContainsSecurityConfigForPSARestricted",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+			},
+			expectedContainerSecurityContext: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem:   pointer.Bool(false),
+				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
+			expectedSecurityContext: &corev1.PodSecurityContext{
+				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				RunAsUser:      pointer.Int64(workloadUserID),
+				RunAsNonRoot:   pointer.Bool(true),
+			},
 		},
-	}
-
-	catsrc := &v1alpha1.CatalogSource{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "testns",
+		{
+			title: "SpecDefined/SecurityContextConfig:Restricted/PodContainsSecurityConfigForPSARestricted",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Restricted,
+					},
+				},
+			},
+			expectedContainerSecurityContext: &corev1.SecurityContext{
+				ReadOnlyRootFilesystem:   pointer.Bool(false),
+				AllowPrivilegeEscalation: pointer.Bool(false),
+				Capabilities: &corev1.Capabilities{
+					Drop: []corev1.Capability{"ALL"},
+				},
+			},
+			expectedSecurityContext: &corev1.PodSecurityContext{
+				SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+				RunAsUser:      pointer.Int64(workloadUserID),
+				RunAsNonRoot:   pointer.Bool(true),
+			},
+		},
+		{
+			title: "SpecDefined/SecurityContextConfig:Legacy/PodDoesNotContainsSecurityConfig",
+			inputCatsrc: &v1alpha1.CatalogSource{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "testns",
+				},
+				Spec: v1alpha1.CatalogSourceSpec{
+					GrpcPodConfig: &v1alpha1.GrpcPodConfig{
+						SecurityContextConfig: v1alpha1.Legacy,
+					},
+				},
+			},
+			expectedContainerSecurityContext: nil,
+			expectedSecurityContext:          nil,
 		},
 	}
-
-	gotPod := Pod(catsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0), int64(workloadUserID))
-	gotContainerSecCtx := gotPod.Spec.Containers[0].SecurityContext
-	require.Equal(t, expectedContainerSecCtx, gotContainerSecCtx)
+	for _, testcase := range testcases {
+		outputPod := Pod(testcase.inputCatsrc, "hello", "busybox", "", map[string]string{}, map[string]string{}, int32(0), int32(0), int64(workloadUserID))
+		if testcase.expectedSecurityContext != nil {
+			require.Equal(t, testcase.expectedSecurityContext, outputPod.Spec.SecurityContext)
+		}
+		if testcase.expectedContainerSecurityContext != nil {
+			require.Equal(t, testcase.expectedContainerSecurityContext, outputPod.Spec.Containers[0].SecurityContext)
+		}
+	}
 }
 
 // TestPodAvoidsConcurrentWrite is a regression test for