github.com/cilium/cilium@v1.16.2/pkg/maps/policymap/policymap_test.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package policymap
     5  
     6  import (
     7  	"testing"
     8  
     9  	"github.com/stretchr/testify/require"
    10  
    11  	"github.com/cilium/cilium/pkg/byteorder"
    12  	"github.com/cilium/cilium/pkg/policy/trafficdirection"
    13  	"github.com/cilium/cilium/pkg/u8proto"
    14  )
    15  
    16  func TestPolicyEntriesDump_Less(t *testing.T) {
    17  	type args struct {
    18  		i int
    19  		j int
    20  	}
    21  	tests := []struct {
    22  		name string
    23  		p    PolicyEntriesDump
    24  		args args
    25  		want bool
    26  	}{
    27  		{
    28  			name: "Same element",
    29  			p: PolicyEntriesDump{
    30  				{
    31  					Key: PolicyKey{
    32  						Identity:         uint32(0),
    33  						DestPortNetwork:  0,
    34  						Nexthdr:          0,
    35  						TrafficDirection: uint8(trafficdirection.Ingress),
    36  					},
    37  				},
    38  			},
    39  			args: args{
    40  				i: 0,
    41  				j: 0,
    42  			},
    43  			want: false,
    44  		},
    45  		{
    46  			name: "Element #0 is less than #1 because identity is smaller",
    47  			p: PolicyEntriesDump{
    48  				{
    49  					Key: PolicyKey{
    50  						Identity:         uint32(0),
    51  						DestPortNetwork:  0,
    52  						Nexthdr:          0,
    53  						TrafficDirection: uint8(trafficdirection.Ingress),
    54  					},
    55  				},
    56  				{
    57  					Key: PolicyKey{
    58  						Identity:         uint32(1),
    59  						DestPortNetwork:  0,
    60  						Nexthdr:          0,
    61  						TrafficDirection: uint8(trafficdirection.Ingress),
    62  					},
    63  				},
    64  			},
    65  			args: args{
    66  				i: 0,
    67  				j: 1,
    68  			},
    69  			want: true,
    70  		},
    71  		{
    72  			name: "Element #0 is less than #1 because TrafficDirection is smaller",
    73  			p: PolicyEntriesDump{
    74  				{
    75  					Key: PolicyKey{
    76  						Identity:         uint32(0),
    77  						DestPortNetwork:  0,
    78  						Nexthdr:          0,
    79  						TrafficDirection: uint8(trafficdirection.Ingress),
    80  					},
    81  				},
    82  				{
    83  					Key: PolicyKey{
    84  						Identity:         uint32(1),
    85  						DestPortNetwork:  0,
    86  						Nexthdr:          0,
    87  						TrafficDirection: uint8(trafficdirection.Egress),
    88  					},
    89  				},
    90  			},
    91  			args: args{
    92  				i: 0,
    93  				j: 1,
    94  			},
    95  			want: true,
    96  		},
    97  		{
    98  			name: "Element #0 is not less than #1 because Identity is bigger",
    99  			p: PolicyEntriesDump{
   100  				{
   101  					Key: PolicyKey{
   102  						Identity:         uint32(1),
   103  						DestPortNetwork:  0,
   104  						Nexthdr:          0,
   105  						TrafficDirection: uint8(trafficdirection.Egress),
   106  					},
   107  				},
   108  				{
   109  					Key: PolicyKey{
   110  						Identity:         uint32(0),
   111  						DestPortNetwork:  0,
   112  						Nexthdr:          0,
   113  						TrafficDirection: uint8(trafficdirection.Egress),
   114  					},
   115  				},
   116  			},
   117  			args: args{
   118  				i: 0,
   119  				j: 1,
   120  			},
   121  			want: false,
   122  		},
   123  		{
   124  			name: "Element #0 is greater than #1 because it is not an allow (denies take precedence)",
   125  			p: PolicyEntriesDump{
   126  				{
   127  					Key: PolicyKey{
   128  						Identity:         uint32(1),
   129  						DestPortNetwork:  0,
   130  						Nexthdr:          0,
   131  						TrafficDirection: uint8(trafficdirection.Egress),
   132  					},
   133  				},
   134  				{
   135  					Key: PolicyKey{
   136  						Identity:         uint32(0),
   137  						DestPortNetwork:  0,
   138  						Nexthdr:          0,
   139  						TrafficDirection: uint8(trafficdirection.Egress),
   140  					},
   141  					PolicyEntry: PolicyEntry{
   142  						Flags: policyFlagDeny,
   143  					},
   144  				},
   145  			},
   146  			args: args{
   147  				i: 0,
   148  				j: 1,
   149  			},
   150  			want: false,
   151  		},
   152  	}
   153  	for _, tt := range tests {
   154  		got := tt.p.Less(tt.args.i, tt.args.j)
   155  		require.Equal(t, tt.want, got, "Test Name: %s", tt.name)
   156  	}
   157  }
   158  
   159  type opType int
   160  
   161  const (
   162  	allow opType = iota
   163  	deny
   164  )
   165  
   166  type direction int
   167  
   168  const (
   169  	ingress direction = iota
   170  	egress
   171  )
   172  
   173  func TestPolicyMapWildcarding(t *testing.T) {
   174  	type args struct {
   175  		op               opType
   176  		id               int
   177  		dport            int
   178  		proto            int
   179  		trafficDirection direction
   180  		authType         int
   181  		proxyPort        int
   182  	}
   183  	tests := []struct {
   184  		name string
   185  		args args
   186  	}{
   187  		{
   188  			name: "Allow, no wildcarding, no redirection",
   189  			args: args{allow, 42, 80, 6, ingress, 0, 0},
   190  		},
   191  		{
   192  			name: "Allow, no wildcarding, with redirection and auth",
   193  			args: args{allow, 42, 80, 6, ingress, 1, 23767},
   194  		},
   195  		{
   196  			name: "Allow, wildcarded port, no redirection",
   197  			args: args{allow, 42, 0, 6, ingress, 0, 0},
   198  		},
   199  		{
   200  			name: "Allow, wildcarded protocol, no redirection",
   201  			args: args{allow, 42, 0, 0, ingress, 0, 0},
   202  		},
   203  		{
   204  			name: "Deny, no wildcarding, no redirection",
   205  			args: args{deny, 42, 80, 6, ingress, 0, 0},
   206  		},
   207  		{
   208  			name: "Deny, no wildcarding, no redirection",
   209  			args: args{deny, 42, 80, 6, ingress, 0, 0},
   210  		},
   211  		{
   212  			name: "Deny, wildcarded port, no redirection",
   213  			args: args{deny, 42, 0, 6, ingress, 0, 0},
   214  		},
   215  		{
   216  			name: "Deny, wildcarded protocol, no redirection",
   217  			args: args{deny, 42, 0, 0, ingress, 0, 0},
   218  		},
   219  		{
   220  			name: "Allow, wildcarded id, no port wildcarding, no redirection",
   221  			args: args{allow, 0, 80, 6, ingress, 0, 0},
   222  		},
   223  		{
   224  			name: "Allow, wildcarded id, no port wildcarding, with redirection and auth",
   225  			args: args{allow, 0, 80, 6, ingress, 1, 23767},
   226  		},
   227  		{
   228  			name: "Allow, wildcarded id, wildcarded port, no redirection",
   229  			args: args{allow, 0, 0, 6, ingress, 0, 0},
   230  		},
   231  		{
   232  			name: "Allow, wildcarded id, wildcarded protocol, no redirection",
   233  			args: args{allow, 0, 0, 0, ingress, 0, 0},
   234  		},
   235  		{
   236  			name: "Deny, wildcarded id, no port wildcarding, no redirection",
   237  			args: args{deny, 0, 80, 6, ingress, 0, 0},
   238  		},
   239  		{
   240  			name: "Deny, wildcarded id, no port wildcarding, no redirection",
   241  			args: args{deny, 0, 80, 6, ingress, 0, 0},
   242  		},
   243  		{
   244  			name: "Deny, wildcarded id, wildcarded port, no redirection",
   245  			args: args{deny, 0, 0, 6, ingress, 0, 0},
   246  		},
   247  		{
   248  			name: "Deny, wildcarded id, wildcarded protocol, no redirection",
   249  			args: args{deny, 0, 0, 0, ingress, 0, 0},
   250  		},
   251  	}
   252  	for _, tt := range tests {
   253  		// Validate test data
   254  		if tt.args.proto == 0 {
   255  			require.Equal(t, 0, tt.args.dport, "Test: %s data error: dport must be wildcarded when protocol is wildcarded", tt.name)
   256  		}
   257  		if tt.args.dport == 0 {
   258  			require.Equal(t, 0, tt.args.proxyPort, "Test: %s data error: proxyPort must be zero when dport is wildcarded", tt.name)
   259  		}
   260  		if tt.args.op == deny {
   261  			require.Equal(t, 0, tt.args.proxyPort, "Test: %s data error: proxyPort must be zero with a deny key", tt.name)
   262  			require.Equal(t, 0, tt.args.authType, "Test: %s data error: authType must be zero with a deny key", tt.name)
   263  		}
   264  
   265  		// Get key
   266  		key := newKey(uint32(tt.args.id), uint16(tt.args.dport), SinglePortMask, u8proto.U8proto(tt.args.proto),
   267  			trafficdirection.TrafficDirection(tt.args.trafficDirection))
   268  
   269  		// Compure entry & validate key and entry
   270  		var entry PolicyEntry
   271  		switch tt.args.op {
   272  		case allow:
   273  			entry = newAllowEntry(key, uint8(tt.args.authType), uint16(tt.args.proxyPort))
   274  
   275  			require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagDeny)
   276  			require.Equal(t, uint8(tt.args.authType), entry.AuthType)
   277  			require.Equal(t, uint16(tt.args.proxyPort), byteorder.NetworkToHost16(entry.ProxyPortNetwork))
   278  		case deny:
   279  			entry = newDenyEntry(key)
   280  
   281  			require.Equal(t, policyFlagDeny, entry.Flags&policyFlagDeny)
   282  			require.Equal(t, uint8(0), entry.AuthType)
   283  			require.Equal(t, uint16(0), entry.ProxyPortNetwork)
   284  		}
   285  
   286  		require.Equal(t, uint32(tt.args.id), key.Identity)
   287  		require.Equal(t, uint8(tt.args.proto), key.Nexthdr)
   288  		if key.Nexthdr == 0 {
   289  			require.Equal(t, policyFlagWildcardNexthdr, entry.Flags&policyFlagWildcardNexthdr)
   290  			require.Equal(t, uint16(0), key.DestPortNetwork)
   291  			require.Equal(t, policyFlagWildcardDestPort, entry.Flags&policyFlagWildcardDestPort)
   292  			require.Equal(t, StaticPrefixBits, key.Prefixlen)
   293  		} else {
   294  			require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagWildcardNexthdr)
   295  			if key.DestPortNetwork == 0 {
   296  				require.Equal(t, policyFlagWildcardDestPort, entry.Flags&policyFlagWildcardDestPort)
   297  				require.Equal(t, StaticPrefixBits+NexthdrBits, key.Prefixlen)
   298  			} else {
   299  				require.Equal(t, uint16(tt.args.dport), byteorder.NetworkToHost16(key.DestPortNetwork))
   300  				require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagWildcardDestPort)
   301  				require.Equal(t, StaticPrefixBits+FullPrefixBits, key.Prefixlen)
   302  			}
   303  		}
   304  	}
   305  }