
Commit d38b6c3

authored
Merge pull request #739 from fabriziosestito/test/clean-up-update-integration-tests
test(integration): clean-up and update integration tests
2 parents 11dce18 + 5c18730 commit d38b6c3


2 files changed

+126
-42
lines changed


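--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -9,7 +9,7 @@ use std::{
 };
 use tempfile::tempdir;
 
-pub(crate) async fn app() -> Router {
+pub(crate) fn default_test_config() -> Config {
 let policies = HashMap::from([
 (
 "pod-privileged".to_owned(),
@@ -47,32 +47,9 @@ pub(crate) async fn app() -> Router {
 context_aware_resources: BTreeSet::new(),
 },
 ),
-(
-"invalid_settings".to_owned(),
-Policy {
-url: "ghcr.io/kubewarden/tests/sleeping-policy:v0.1.0".to_owned(),
-policy_mode: PolicyMode::Protect,
-allowed_to_mutate: None,
-settings: Some(HashMap::from([(
-"sleepMilliseconds".to_owned(),
-"abc".into(),
-)])),
-context_aware_resources: BTreeSet::new(),
-},
-),
-(
-"wrong_url".to_owned(),
-Policy {
-url: "ghcr.io/kubewarden/tests/not_existing:v0.1.0".to_owned(),
-policy_mode: PolicyMode::Protect,
-allowed_to_mutate: None,
-settings: None,
-context_aware_resources: BTreeSet::new(),
-},
-),
 ]);
 
-let config = Config {
+Config {
 addr: SocketAddr::from(([127, 0, 0, 1], 3001)),
 sources: None,
 policies,
@@ -93,9 +70,11 @@ pub(crate) async fn app() -> Router {
 daemon_stdout_file: None,
 daemon_stderr_file: None,
 enable_pprof: true,
-continue_on_errors: true,
-};
+continue_on_errors: false,
+}
+}
 
+pub(crate) async fn app(config: Config) -> Router {
 let server = PolicyServer::new_from_config(config).await.unwrap();
 
 server.router()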
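Review bot: `default_test_config()` is introduced without a doc comment, although its contract now matters to every caller: the last hunk flips `continue_on_errors` from `true` to `false`, so the shared baseline is strict and the two tests that register a deliberately broken policy have to opt back in themselves. I would put `/// Baseline config shared by the integration tests. continue_on_errors is false; tests that register a policy expected to fail loading must set it to true.` above the function. Since start-up problems presumably now surface inside `app`, the bare `unwrap()` there would give a clearer failure as `.expect("PolicyServer::new_from_config failed for the test config")`. The body of `app` ends outside the last hunk.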

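--- a/tests/integration_test.rs
+++ b/tests/integration_test.rs
@@ -1,20 +1,31 @@
 mod common;
 
+use std::collections::{BTreeSet, HashMap};
+
 use common::app;
 
 use axum::{
 body::Body,
 http::{self, header, Request},
 };
 use http_body_util::BodyExt;
-use policy_evaluator::admission_response::AdmissionResponseStatus;
-use policy_server::api::admission_review::AdmissionReviewResponse;
+use policy_evaluator::{
+admission_response::AdmissionResponseStatus,
+policy_fetcher::verify::config::VerificationConfigV1,
+};
+use policy_server::{
+api::admission_review::AdmissionReviewResponse,
+config::{Policy, PolicyMode},
+};
 use regex::Regex;
 use tower::ServiceExt;
 
+use crate::common::default_test_config;
+
 #[tokio::test]
 async fn test_validate() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -46,7 +57,8 @@ async fn test_validate() {
 
 #[tokio::test]
 async fn test_validate_policy_not_found() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -64,7 +76,8 @@ async fn test_validate_policy_not_found() {
 
 #[tokio::test]
 async fn test_validate_invalid_payload() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -80,7 +93,8 @@ async fn test_validate_invalid_payload() {
 
 #[tokio::test]
 async fn test_validate_raw() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -107,7 +121,8 @@ async fn test_validate_raw() {
 
 #[tokio::test]
 async fn test_validate_raw_policy_not_found() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -125,7 +140,8 @@ async fn test_validate_raw_policy_not_found() {
 
 #[tokio::test]
 async fn test_validate_raw_invalid_payload() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -141,7 +157,8 @@ async fn test_validate_raw_invalid_payload() {
 
 #[tokio::test]
 async fn test_audit() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -171,7 +188,8 @@ async fn test_audit() {
 
 #[tokio::test]
 async fn test_audit_policy_not_found() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -189,7 +207,8 @@ async fn test_audit_policy_not_found() {
 
 #[tokio::test]
 async fn test_audit_invalid_payload() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -205,7 +224,8 @@ async fn test_audit_invalid_payload() {
 
 #[tokio::test]
 async fn test_timeout_protection_accept() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -226,7 +246,8 @@ async fn test_timeout_protection_accept() {
 
 #[tokio::test]
 async fn test_timeout_protection_reject() {
-let app = app().await;
+let config = default_test_config();
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -254,9 +275,80 @@ async fn test_timeout_protection_reject() {
 );
 }
 
+#[tokio::test]
+async fn test_verified_policy() {
+let verification_cfg_yml = r#"---
+allOf:
+- kind: pubKey
+owner: pubkey1.pub
+key: |
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQiTy5S+2JFvVlhUwWPLziM7iTM2j
+byLgh2IjpNQN0Uio/9pZOTP/CsJmXoUNshfpTUHd3OxgHgz/6adtf2nBwQ==
+-----END PUBLIC KEY-----
+annotations:
+env: prod
+stable: "true"
+- kind: pubKey
+owner: pubkey2.pub
+key: |
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx0HuqSss8DUIIUg3I006b1EQjj3Q
+igsTrvZ/Q3+h+81DkNJg4LzID1rz0UJFUcdzI5NqlFLSTDIQw0gVKOiK7g==
+-----END PUBLIC KEY-----
+annotations:
+env: prod
+"#;
+let verification_config = serde_yaml::from_str::<VerificationConfigV1>(verification_cfg_yml)
+.expect("Cannot parse verification config");
+
+let mut config = default_test_config();
+config.policies = HashMap::from([(
+"pod-privileged".to_owned(),
+Policy {
+url: "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1".to_owned(),
+policy_mode: PolicyMode::Protect,
+allowed_to_mutate: None,
+settings: None,
+context_aware_resources: BTreeSet::new(),
+},
+)]);
+config.verification_config = Some(verification_config);
+
+let app = app(config).await;
+
+let request = Request::builder()
+.method(http::Method::POST)
+.header(header::CONTENT_TYPE, "application/json")
+.uri("/validate/pod-privileged")
+.body(Body::from(include_str!(
+"data/pod_with_privileged_containers.json"
+)))
+.unwrap();
+
+let response = app.oneshot(request).await.unwrap();
+assert_eq!(response.status(), 200);
+}
+
 #[tokio::test]
 async fn test_policy_with_invalid_settings() {
-let app = app().await;
+let mut config = default_test_config();
+config.policies.insert(
+"invalid_settings".to_owned(),
+Policy {
+url: "ghcr.io/kubewarden/tests/sleeping-policy:v0.1.0".to_owned(),
+policy_mode: PolicyMode::Protect,
+allowed_to_mutate: None,
+settings: Some(HashMap::from([(
+"sleepMilliseconds".to_owned(),
+"abc".into(),
+)])),
+context_aware_resources: BTreeSet::new(),
+},
+);
+config.continue_on_errors = true;
+
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)
@@ -286,7 +378,20 @@ async fn test_policy_with_invalid_settings() {
 
 #[tokio::test]
 async fn test_policy_with_wrong_url() {
-let app = app().await;
+let mut config = default_test_config();
+config.policies.insert(
+"wrong_url".to_owned(),
+Policy {
+url: "ghcr.io/kubewarden/tests/not_existing:v0.1.0".to_owned(),
+policy_mode: PolicyMode::Protect,
+allowed_to_mutate: None,
+settings: None,
+context_aware_resources: BTreeSet::new(),
+},
+);
+config.continue_on_errors = true;
+
+let app = app(config).await;
 
 let request = Request::builder()
 .method(http::Method::POST)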
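Review bot: `test_verified_policy` covers only the accepting path, and its single assertion `assert_eq!(response.status(), 200);` would also pass if signature verification were skipped, so the test cannot tell an enforced `verification_config` from an ignored one. A companion test that keeps the same policy URL but supplies a `VerificationConfigV1` the image does not satisfy (a key that did not sign it, or an annotation it lacks) and asserts that start-up fails would pin the property being added here. Because `common::app` unwraps, that test would presumably call `PolicyServer::new_from_config(config).await` itself and check `is_err()`. In the positive test it would also help to deserialize the body into `AdmissionReviewResponse` and assert the admission result, since 200 is only the HTTP status.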
