1
1
mod common;
2
2
3
+ use std:: collections:: { BTreeSet , HashMap } ;
4
+
3
5
use common:: app;
4
6
5
7
use axum:: {
6
8
body:: Body ,
7
9
http:: { self , header, Request } ,
8
10
} ;
9
11
use http_body_util:: BodyExt ;
10
- use policy_evaluator:: admission_response:: AdmissionResponseStatus ;
11
- use policy_server:: api:: admission_review:: AdmissionReviewResponse ;
12
+ use policy_evaluator:: {
13
+ admission_response:: AdmissionResponseStatus ,
14
+ policy_fetcher:: verify:: config:: VerificationConfigV1 ,
15
+ } ;
16
+ use policy_server:: {
17
+ api:: admission_review:: AdmissionReviewResponse ,
18
+ config:: { Policy , PolicyMode } ,
19
+ } ;
12
20
use regex:: Regex ;
13
21
use tower:: ServiceExt ;
14
22
23
+ use crate :: common:: default_test_config;
24
+
15
25
#[ tokio:: test]
16
26
async fn test_validate ( ) {
17
- let app = app ( ) . await ;
27
+ let config = default_test_config ( ) ;
28
+ let app = app ( config) . await ;
18
29
19
30
let request = Request :: builder ( )
20
31
. method ( http:: Method :: POST )
@@ -46,7 +57,8 @@ async fn test_validate() {
46
57
47
58
#[ tokio:: test]
48
59
async fn test_validate_policy_not_found ( ) {
49
- let app = app ( ) . await ;
60
+ let config = default_test_config ( ) ;
61
+ let app = app ( config) . await ;
50
62
51
63
let request = Request :: builder ( )
52
64
. method ( http:: Method :: POST )
@@ -64,7 +76,8 @@ async fn test_validate_policy_not_found() {
64
76
65
77
#[ tokio:: test]
66
78
async fn test_validate_invalid_payload ( ) {
67
- let app = app ( ) . await ;
79
+ let config = default_test_config ( ) ;
80
+ let app = app ( config) . await ;
68
81
69
82
let request = Request :: builder ( )
70
83
. method ( http:: Method :: POST )
@@ -80,7 +93,8 @@ async fn test_validate_invalid_payload() {
80
93
81
94
#[ tokio:: test]
82
95
async fn test_validate_raw ( ) {
83
- let app = app ( ) . await ;
96
+ let config = default_test_config ( ) ;
97
+ let app = app ( config) . await ;
84
98
85
99
let request = Request :: builder ( )
86
100
. method ( http:: Method :: POST )
@@ -107,7 +121,8 @@ async fn test_validate_raw() {
107
121
108
122
#[ tokio:: test]
109
123
async fn test_validate_raw_policy_not_found ( ) {
110
- let app = app ( ) . await ;
124
+ let config = default_test_config ( ) ;
125
+ let app = app ( config) . await ;
111
126
112
127
let request = Request :: builder ( )
113
128
. method ( http:: Method :: POST )
@@ -125,7 +140,8 @@ async fn test_validate_raw_policy_not_found() {
125
140
126
141
#[ tokio:: test]
127
142
async fn test_validate_raw_invalid_payload ( ) {
128
- let app = app ( ) . await ;
143
+ let config = default_test_config ( ) ;
144
+ let app = app ( config) . await ;
129
145
130
146
let request = Request :: builder ( )
131
147
. method ( http:: Method :: POST )
@@ -141,7 +157,8 @@ async fn test_validate_raw_invalid_payload() {
141
157
142
158
#[ tokio:: test]
143
159
async fn test_audit ( ) {
144
- let app = app ( ) . await ;
160
+ let config = default_test_config ( ) ;
161
+ let app = app ( config) . await ;
145
162
146
163
let request = Request :: builder ( )
147
164
. method ( http:: Method :: POST )
@@ -171,7 +188,8 @@ async fn test_audit() {
171
188
172
189
#[ tokio:: test]
173
190
async fn test_audit_policy_not_found ( ) {
174
- let app = app ( ) . await ;
191
+ let config = default_test_config ( ) ;
192
+ let app = app ( config) . await ;
175
193
176
194
let request = Request :: builder ( )
177
195
. method ( http:: Method :: POST )
@@ -189,7 +207,8 @@ async fn test_audit_policy_not_found() {
189
207
190
208
#[ tokio:: test]
191
209
async fn test_audit_invalid_payload ( ) {
192
- let app = app ( ) . await ;
210
+ let config = default_test_config ( ) ;
211
+ let app = app ( config) . await ;
193
212
194
213
let request = Request :: builder ( )
195
214
. method ( http:: Method :: POST )
@@ -205,7 +224,8 @@ async fn test_audit_invalid_payload() {
205
224
206
225
#[ tokio:: test]
207
226
async fn test_timeout_protection_accept ( ) {
208
- let app = app ( ) . await ;
227
+ let config = default_test_config ( ) ;
228
+ let app = app ( config) . await ;
209
229
210
230
let request = Request :: builder ( )
211
231
. method ( http:: Method :: POST )
@@ -226,7 +246,8 @@ async fn test_timeout_protection_accept() {
226
246
227
247
#[ tokio:: test]
228
248
async fn test_timeout_protection_reject ( ) {
229
- let app = app ( ) . await ;
249
+ let config = default_test_config ( ) ;
250
+ let app = app ( config) . await ;
230
251
231
252
let request = Request :: builder ( )
232
253
. method ( http:: Method :: POST )
@@ -254,9 +275,80 @@ async fn test_timeout_protection_reject() {
254
275
) ;
255
276
}
256
277
278
+ #[ tokio:: test]
279
+ async fn test_verified_policy ( ) {
280
+ let verification_cfg_yml = r#"---
281
+ allOf:
282
+ - kind: pubKey
283
+ owner: pubkey1.pub
284
+ key: |
285
+ -----BEGIN PUBLIC KEY-----
286
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQiTy5S+2JFvVlhUwWPLziM7iTM2j
287
+ byLgh2IjpNQN0Uio/9pZOTP/CsJmXoUNshfpTUHd3OxgHgz/6adtf2nBwQ==
288
+ -----END PUBLIC KEY-----
289
+ annotations:
290
+ env: prod
291
+ stable: "true"
292
+ - kind: pubKey
293
+ owner: pubkey2.pub
294
+ key: |
295
+ -----BEGIN PUBLIC KEY-----
296
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx0HuqSss8DUIIUg3I006b1EQjj3Q
297
+ igsTrvZ/Q3+h+81DkNJg4LzID1rz0UJFUcdzI5NqlFLSTDIQw0gVKOiK7g==
298
+ -----END PUBLIC KEY-----
299
+ annotations:
300
+ env: prod
301
+ "# ;
302
+ let verification_config = serde_yaml:: from_str :: < VerificationConfigV1 > ( verification_cfg_yml)
303
+ . expect ( "Cannot parse verification config" ) ;
304
+
305
+ let mut config = default_test_config ( ) ;
306
+ config. policies = HashMap :: from ( [ (
307
+ "pod-privileged" . to_owned ( ) ,
308
+ Policy {
309
+ url : "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1" . to_owned ( ) ,
310
+ policy_mode : PolicyMode :: Protect ,
311
+ allowed_to_mutate : None ,
312
+ settings : None ,
313
+ context_aware_resources : BTreeSet :: new ( ) ,
314
+ } ,
315
+ ) ] ) ;
316
+ config. verification_config = Some ( verification_config) ;
317
+
318
+ let app = app ( config) . await ;
319
+
320
+ let request = Request :: builder ( )
321
+ . method ( http:: Method :: POST )
322
+ . header ( header:: CONTENT_TYPE , "application/json" )
323
+ . uri ( "/validate/pod-privileged" )
324
+ . body ( Body :: from ( include_str ! (
325
+ "data/pod_with_privileged_containers.json"
326
+ ) ) )
327
+ . unwrap ( ) ;
328
+
329
+ let response = app. oneshot ( request) . await . unwrap ( ) ;
330
+ assert_eq ! ( response. status( ) , 200 ) ;
331
+ }
332
+
257
333
#[ tokio:: test]
258
334
async fn test_policy_with_invalid_settings ( ) {
259
- let app = app ( ) . await ;
335
+ let mut config = default_test_config ( ) ;
336
+ config. policies . insert (
337
+ "invalid_settings" . to_owned ( ) ,
338
+ Policy {
339
+ url : "ghcr.io/kubewarden/tests/sleeping-policy:v0.1.0" . to_owned ( ) ,
340
+ policy_mode : PolicyMode :: Protect ,
341
+ allowed_to_mutate : None ,
342
+ settings : Some ( HashMap :: from ( [ (
343
+ "sleepMilliseconds" . to_owned ( ) ,
344
+ "abc" . into ( ) ,
345
+ ) ] ) ) ,
346
+ context_aware_resources : BTreeSet :: new ( ) ,
347
+ } ,
348
+ ) ;
349
+ config. continue_on_errors = true ;
350
+
351
+ let app = app ( config) . await ;
260
352
261
353
let request = Request :: builder ( )
262
354
. method ( http:: Method :: POST )
@@ -286,7 +378,20 @@ async fn test_policy_with_invalid_settings() {
286
378
287
379
#[ tokio:: test]
288
380
async fn test_policy_with_wrong_url ( ) {
289
- let app = app ( ) . await ;
381
+ let mut config = default_test_config ( ) ;
382
+ config. policies . insert (
383
+ "wrong_url" . to_owned ( ) ,
384
+ Policy {
385
+ url : "ghcr.io/kubewarden/tests/not_existing:v0.1.0" . to_owned ( ) ,
386
+ policy_mode : PolicyMode :: Protect ,
387
+ allowed_to_mutate : None ,
388
+ settings : None ,
389
+ context_aware_resources : BTreeSet :: new ( ) ,
390
+ } ,
391
+ ) ;
392
+ config. continue_on_errors = true ;
393
+
394
+ let app = app ( config) . await ;
290
395
291
396
let request = Request :: builder ( )
292
397
. method ( http:: Method :: POST )