test: update tests

fabriziosestito · fabriziosestito · commit 40a870456232 · 2024-03-22T15:13:57.000+01:00
Signed-off-by: Fabrizio Sestito &lt;fabrizio.sestito@suse.com&gt;
diff --git a/src/evaluation/evaluation_environment.rs b/src/evaluation/evaluation_environment.rs
@@ -438,7 +438,7 @@ mod tests {
         let validate_request =
             ValidateRequest::AdmissionRequest(build_admission_review_request().request);
         assert!(matches!(
-            evaluation_environment.validate(policy_id, &validate_request).err().unwrap(),
+            evaluation_environment.validate(policy_id, &validate_request).unwrap_err(),
             EvaluationError::PolicyInitialization(error) if error == "error"
         ));
     }
diff --git a/src/policy_downloader.rs b/src/policy_downloader.rs
@@ -293,7 +293,7 @@ mod tests {
     }
 
     #[test]
-    fn download_and_verify_success() {
+    fn verify_success() {
         let verification_cfg_yml = r#"---
     allOf:
       - kind: pubKey
@@ -363,7 +363,7 @@ mod tests {
     }
 
     #[test]
-    fn download_and_verify_error() {
+    fn verify_error() {
         let verification_cfg_yml = r#"---
     allOf:
       - kind: githubAction
@@ -407,9 +407,11 @@ mod tests {
         // be downloaded
         assert_eq!(fetched_policies.len(), 1);
 
-        assert!(fetched_policies
-            .get("registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9")
-            .unwrap()
-            .is_err());
+        assert!(matches!(
+            fetched_policies
+                .get("registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9")
+                .unwrap(),
+            Err(error) if error.to_string().contains("Policy 'pod-privileged' cannot be verified: Image verification failed: missing signatures")
+        ));
     }
 }
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
@@ -47,6 +47,29 @@ pub(crate) async fn app() -> Router {
                 context_aware_resources: BTreeSet::new(),
             },
         ),
+        (
+            "invalid_settings".to_owned(),
+            Policy {
+                url: "ghcr.io/kubewarden/tests/sleeping-policy:v0.1.0".to_owned(),
+                policy_mode: PolicyMode::Protect,
+                allowed_to_mutate: None,
+                settings: Some(HashMap::from([(
+                    "sleepMilliseconds".to_owned(),
+                    "abc".into(),
+                )])),
+                context_aware_resources: BTreeSet::new(),
+            },
+        ),
+        (
+            "wrong_url".to_owned(),
+            Policy {
+                url: "ghcr.io/kubewarden/tests/not_existing:v0.1.0".to_owned(),
+                policy_mode: PolicyMode::Protect,
+                allowed_to_mutate: None,
+                settings: None,
+                context_aware_resources: BTreeSet::new(),
+            },
+        ),
     ]);
 
     let config = Config {
diff --git a/tests/integration_test.rs b/tests/integration_test.rs
@@ -9,6 +9,7 @@ use axum::{
 use http_body_util::BodyExt;
 use policy_evaluator::admission_response::AdmissionResponseStatus;
 use policy_server::api::admission_review::AdmissionReviewResponse;
+use regex::Regex;
 use tower::ServiceExt;
 
 #[tokio::test]
@@ -252,3 +253,63 @@ async fn test_timeout_protection_reject() {
         )
     );
 }
+
+#[tokio::test]
+async fn test_policy_with_invalid_settings() {
+    let app = app().await;
+
+    let request = Request::builder()
+        .method(http::Method::POST)
+        .header(header::CONTENT_TYPE, "application/json")
+        .uri("/validate/invalid_settings")
+        .body(Body::from(include_str!("data/pod_sleep_100ms.json")))
+        .unwrap();
+
+    let response = app.oneshot(request).await.unwrap();
+
+    assert_eq!(response.status(), 200);
+
+    let admission_review_response: AdmissionReviewResponse =
+        serde_json::from_slice(&response.into_body().collect().await.unwrap().to_bytes()).unwrap();
+
+    assert!(!admission_review_response.response.allowed);
+
+    let pattern =
+        Regex::new(r"Policy settings are invalid:.*Error decoding validation payload.*invalid type: string.*expected u64.*")
+            .unwrap();
+
+    let status = admission_review_response.response.status.unwrap();
+
+    assert_eq!(status.code, Some(500));
+    assert!(pattern.is_match(&status.message.unwrap()));
+}
+
+#[tokio::test]
+async fn test_policy_with_wrong_url() {
+    let app = app().await;
+
+    let request = Request::builder()
+        .method(http::Method::POST)
+        .header(header::CONTENT_TYPE, "application/json")
+        .uri("/audit/wrong_url")
+        .body(Body::from(include_str!("data/pod_sleep_100ms.json")))
+        .unwrap();
+
+    let response = app.oneshot(request).await.unwrap();
+
+    assert_eq!(response.status(), 200);
+
+    let admission_review_response: AdmissionReviewResponse =
+        serde_json::from_slice(&response.into_body().collect().await.unwrap().to_bytes()).unwrap();
+
+    assert!(!admission_review_response.response.allowed);
+
+    let pattern =
+        Regex::new(r"Error while downloading policy 'wrong_url' from ghcr.io/kubewarden/tests/not_existing:v0.1.0.*")
+            .unwrap();
+
+    let status = admission_review_response.response.status.unwrap();
+
+    assert_eq!(status.code, Some(500));
+    assert!(pattern.is_match(&status.message.unwrap()));
+}

Original file line number	Diff line number	Diff line change
`@@ -438,7 +438,7 @@ mod tests {`
`438`	`438`	`let validate_request =`
`439`	`439`	`ValidateRequest::AdmissionRequest(build_admission_review_request().request);`
`440`	`440`	`assert!(matches!(`
`441`		`- evaluation_environment.validate(policy_id, &validate_request).err().unwrap(),`
	`441`	`+ evaluation_environment.validate(policy_id, &validate_request).unwrap_err(),`
`442`	`442`	`EvaluationError::PolicyInitialization(error) if error == "error"`
`443`	`443`	`));`
`444`	`444`	`}`