github.com/cilium/cilium@v1.16.2/pkg/maps/policymap/policymap_privileged_test.go

github.com/cilium/cilium@v1.16.2/pkg/maps/policymap/policymap_privileged_test.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package policymap
     5  
     6  import (
     7  	"errors"
     8  	"os"
     9  	"testing"
    10  
    11  	"github.com/cilium/ebpf/rlimit"
    12  	"github.com/stretchr/testify/require"
    13  	"golang.org/x/sys/unix"
    14  
    15  	"github.com/cilium/cilium/pkg/bpf"
    16  
    17  	"github.com/cilium/cilium/pkg/policy/trafficdirection"
    18  	"github.com/cilium/cilium/pkg/testutils"
    19  	"github.com/cilium/cilium/pkg/u8proto"
    20  )
    21  
    22  func setupPolicyMapPrivilegedTestSuite(tb testing.TB) *PolicyMap {
    23  	testutils.PrivilegedTest(tb)
    24  
    25  	bpf.CheckOrMountFS("")
    26  
    27  	if err := rlimit.RemoveMemlock(); err != nil {
    28  		tb.Fatal(err)
    29  	}
    30  
    31  	testMap := newMap("cilium_policy_test")
    32  
    33  	_ = os.RemoveAll(bpf.MapPath("cilium_policy_test"))
    34  	err := testMap.CreateUnpinned()
    35  	require.NoError(tb, err)
    36  
    37  	tb.Cleanup(func() {
    38  		err := testMap.DeleteAll()
    39  		require.NoError(tb, err)
    40  	})
    41  
    42  	return testMap
    43  }
    44  
    45  func TestPolicyMapDumpToSlice(t *testing.T) {
    46  	testMap := setupPolicyMapPrivilegedTestSuite(t)
    47  
    48  	fooEntry := newKey(1, 1, SinglePortMask, 1, 1)
    49  	err := testMap.AllowKey(fooEntry, 0, 0)
    50  	require.Nil(t, err)
    51  
    52  	dump, err := testMap.DumpToSlice()
    53  	require.Nil(t, err)
    54  	require.Equal(t, 1, len(dump))
    55  
    56  	require.EqualValues(t, fooEntry, dump[0].Key)
    57  
    58  	// Special case: allow-all entry
    59  	barEntry := newKey(0, 0, SinglePortMask, 0, 0)
    60  	err = testMap.AllowKey(barEntry, 0, 0)
    61  	require.Nil(t, err)
    62  
    63  	dump, err = testMap.DumpToSlice()
    64  	require.Nil(t, err)
    65  	require.Equal(t, 2, len(dump))
    66  }
    67  
    68  func TestDeleteNonexistentKey(t *testing.T) {
    69  	testMap := setupPolicyMapPrivilegedTestSuite(t)
    70  	key := newKey(27, 80, SinglePortMask, u8proto.TCP, trafficdirection.Ingress)
    71  	err := testMap.Map.Delete(&key)
    72  	require.NotNil(t, err)
    73  	var errno unix.Errno
    74  	require.Equal(t, true, errors.As(err, &errno))
    75  	require.Equal(t, unix.ENOENT, errno)
    76  }
    77  
    78  func TestDenyPolicyMapDumpToSlice(t *testing.T) {
    79  	testMap := setupPolicyMapPrivilegedTestSuite(t)
    80  
    81  	fooKey := newKey(1, 1, SinglePortMask, 1, 1)
    82  	fooEntry := newDenyEntry(fooKey)
    83  	err := testMap.DenyKey(fooKey)
    84  	require.Nil(t, err)
    85  
    86  	dump, err := testMap.DumpToSlice()
    87  	require.Nil(t, err)
    88  	require.Equal(t, 1, len(dump))
    89  
    90  	require.EqualValues(t, fooKey, dump[0].Key)
    91  	require.EqualValues(t, fooEntry, dump[0].PolicyEntry)
    92  
    93  	// Special case: deny-all entry
    94  	barKey := newKey(0, 0, SinglePortMask, 0, 0)
    95  	err = testMap.DenyKey(barKey)
    96  	require.Nil(t, err)
    97  
    98  	dump, err = testMap.DumpToSlice()
    99  	require.Nil(t, err)
   100  	require.Equal(t, 2, len(dump))
   101  }