github.com/cilium/cilium@v1.16.2/pkg/maps/policymap/policymap_test.go (about) 1 // SPDX-License-Identifier: Apache-2.0 2 // Copyright Authors of Cilium 3 4 package policymap 5 6 import ( 7 "testing" 8 9 "github.com/stretchr/testify/require" 10 11 "github.com/cilium/cilium/pkg/byteorder" 12 "github.com/cilium/cilium/pkg/policy/trafficdirection" 13 "github.com/cilium/cilium/pkg/u8proto" 14 ) 15 16 func TestPolicyEntriesDump_Less(t *testing.T) { 17 type args struct { 18 i int 19 j int 20 } 21 tests := []struct { 22 name string 23 p PolicyEntriesDump 24 args args 25 want bool 26 }{ 27 { 28 name: "Same element", 29 p: PolicyEntriesDump{ 30 { 31 Key: PolicyKey{ 32 Identity: uint32(0), 33 DestPortNetwork: 0, 34 Nexthdr: 0, 35 TrafficDirection: uint8(trafficdirection.Ingress), 36 }, 37 }, 38 }, 39 args: args{ 40 i: 0, 41 j: 0, 42 }, 43 want: false, 44 }, 45 { 46 name: "Element #0 is less than #1 because identity is smaller", 47 p: PolicyEntriesDump{ 48 { 49 Key: PolicyKey{ 50 Identity: uint32(0), 51 DestPortNetwork: 0, 52 Nexthdr: 0, 53 TrafficDirection: uint8(trafficdirection.Ingress), 54 }, 55 }, 56 { 57 Key: PolicyKey{ 58 Identity: uint32(1), 59 DestPortNetwork: 0, 60 Nexthdr: 0, 61 TrafficDirection: uint8(trafficdirection.Ingress), 62 }, 63 }, 64 }, 65 args: args{ 66 i: 0, 67 j: 1, 68 }, 69 want: true, 70 }, 71 { 72 name: "Element #0 is less than #1 because TrafficDirection is smaller", 73 p: PolicyEntriesDump{ 74 { 75 Key: PolicyKey{ 76 Identity: uint32(0), 77 DestPortNetwork: 0, 78 Nexthdr: 0, 79 TrafficDirection: uint8(trafficdirection.Ingress), 80 }, 81 }, 82 { 83 Key: PolicyKey{ 84 Identity: uint32(1), 85 DestPortNetwork: 0, 86 Nexthdr: 0, 87 TrafficDirection: uint8(trafficdirection.Egress), 88 }, 89 }, 90 }, 91 args: args{ 92 i: 0, 93 j: 1, 94 }, 95 want: true, 96 }, 97 { 98 name: "Element #0 is not less than #1 because Identity is bigger", 99 p: PolicyEntriesDump{ 100 { 101 Key: PolicyKey{ 102 Identity: uint32(1), 103 DestPortNetwork: 0, 104 Nexthdr: 0, 105 TrafficDirection: uint8(trafficdirection.Egress), 106 }, 107 }, 108 { 109 Key: PolicyKey{ 110 Identity: uint32(0), 111 DestPortNetwork: 0, 112 Nexthdr: 0, 113 TrafficDirection: uint8(trafficdirection.Egress), 114 }, 115 }, 116 }, 117 args: args{ 118 i: 0, 119 j: 1, 120 }, 121 want: false, 122 }, 123 { 124 name: "Element #0 is greater than #1 because it is not an allow (denies take precedence)", 125 p: PolicyEntriesDump{ 126 { 127 Key: PolicyKey{ 128 Identity: uint32(1), 129 DestPortNetwork: 0, 130 Nexthdr: 0, 131 TrafficDirection: uint8(trafficdirection.Egress), 132 }, 133 }, 134 { 135 Key: PolicyKey{ 136 Identity: uint32(0), 137 DestPortNetwork: 0, 138 Nexthdr: 0, 139 TrafficDirection: uint8(trafficdirection.Egress), 140 }, 141 PolicyEntry: PolicyEntry{ 142 Flags: policyFlagDeny, 143 }, 144 }, 145 }, 146 args: args{ 147 i: 0, 148 j: 1, 149 }, 150 want: false, 151 }, 152 } 153 for _, tt := range tests { 154 got := tt.p.Less(tt.args.i, tt.args.j) 155 require.Equal(t, tt.want, got, "Test Name: %s", tt.name) 156 } 157 } 158 159 type opType int 160 161 const ( 162 allow opType = iota 163 deny 164 ) 165 166 type direction int 167 168 const ( 169 ingress direction = iota 170 egress 171 ) 172 173 func TestPolicyMapWildcarding(t *testing.T) { 174 type args struct { 175 op opType 176 id int 177 dport int 178 proto int 179 trafficDirection direction 180 authType int 181 proxyPort int 182 } 183 tests := []struct { 184 name string 185 args args 186 }{ 187 { 188 name: "Allow, no wildcarding, no redirection", 189 args: args{allow, 42, 80, 6, ingress, 0, 0}, 190 }, 191 { 192 name: "Allow, no wildcarding, with redirection and auth", 193 args: args{allow, 42, 80, 6, ingress, 1, 23767}, 194 }, 195 { 196 name: "Allow, wildcarded port, no redirection", 197 args: args{allow, 42, 0, 6, ingress, 0, 0}, 198 }, 199 { 200 name: "Allow, wildcarded protocol, no redirection", 201 args: args{allow, 42, 0, 0, ingress, 0, 0}, 202 }, 203 { 204 name: "Deny, no wildcarding, no redirection", 205 args: args{deny, 42, 80, 6, ingress, 0, 0}, 206 }, 207 { 208 name: "Deny, no wildcarding, no redirection", 209 args: args{deny, 42, 80, 6, ingress, 0, 0}, 210 }, 211 { 212 name: "Deny, wildcarded port, no redirection", 213 args: args{deny, 42, 0, 6, ingress, 0, 0}, 214 }, 215 { 216 name: "Deny, wildcarded protocol, no redirection", 217 args: args{deny, 42, 0, 0, ingress, 0, 0}, 218 }, 219 { 220 name: "Allow, wildcarded id, no port wildcarding, no redirection", 221 args: args{allow, 0, 80, 6, ingress, 0, 0}, 222 }, 223 { 224 name: "Allow, wildcarded id, no port wildcarding, with redirection and auth", 225 args: args{allow, 0, 80, 6, ingress, 1, 23767}, 226 }, 227 { 228 name: "Allow, wildcarded id, wildcarded port, no redirection", 229 args: args{allow, 0, 0, 6, ingress, 0, 0}, 230 }, 231 { 232 name: "Allow, wildcarded id, wildcarded protocol, no redirection", 233 args: args{allow, 0, 0, 0, ingress, 0, 0}, 234 }, 235 { 236 name: "Deny, wildcarded id, no port wildcarding, no redirection", 237 args: args{deny, 0, 80, 6, ingress, 0, 0}, 238 }, 239 { 240 name: "Deny, wildcarded id, no port wildcarding, no redirection", 241 args: args{deny, 0, 80, 6, ingress, 0, 0}, 242 }, 243 { 244 name: "Deny, wildcarded id, wildcarded port, no redirection", 245 args: args{deny, 0, 0, 6, ingress, 0, 0}, 246 }, 247 { 248 name: "Deny, wildcarded id, wildcarded protocol, no redirection", 249 args: args{deny, 0, 0, 0, ingress, 0, 0}, 250 }, 251 } 252 for _, tt := range tests { 253 // Validate test data 254 if tt.args.proto == 0 { 255 require.Equal(t, 0, tt.args.dport, "Test: %s data error: dport must be wildcarded when protocol is wildcarded", tt.name) 256 } 257 if tt.args.dport == 0 { 258 require.Equal(t, 0, tt.args.proxyPort, "Test: %s data error: proxyPort must be zero when dport is wildcarded", tt.name) 259 } 260 if tt.args.op == deny { 261 require.Equal(t, 0, tt.args.proxyPort, "Test: %s data error: proxyPort must be zero with a deny key", tt.name) 262 require.Equal(t, 0, tt.args.authType, "Test: %s data error: authType must be zero with a deny key", tt.name) 263 } 264 265 // Get key 266 key := newKey(uint32(tt.args.id), uint16(tt.args.dport), SinglePortMask, u8proto.U8proto(tt.args.proto), 267 trafficdirection.TrafficDirection(tt.args.trafficDirection)) 268 269 // Compure entry & validate key and entry 270 var entry PolicyEntry 271 switch tt.args.op { 272 case allow: 273 entry = newAllowEntry(key, uint8(tt.args.authType), uint16(tt.args.proxyPort)) 274 275 require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagDeny) 276 require.Equal(t, uint8(tt.args.authType), entry.AuthType) 277 require.Equal(t, uint16(tt.args.proxyPort), byteorder.NetworkToHost16(entry.ProxyPortNetwork)) 278 case deny: 279 entry = newDenyEntry(key) 280 281 require.Equal(t, policyFlagDeny, entry.Flags&policyFlagDeny) 282 require.Equal(t, uint8(0), entry.AuthType) 283 require.Equal(t, uint16(0), entry.ProxyPortNetwork) 284 } 285 286 require.Equal(t, uint32(tt.args.id), key.Identity) 287 require.Equal(t, uint8(tt.args.proto), key.Nexthdr) 288 if key.Nexthdr == 0 { 289 require.Equal(t, policyFlagWildcardNexthdr, entry.Flags&policyFlagWildcardNexthdr) 290 require.Equal(t, uint16(0), key.DestPortNetwork) 291 require.Equal(t, policyFlagWildcardDestPort, entry.Flags&policyFlagWildcardDestPort) 292 require.Equal(t, StaticPrefixBits, key.Prefixlen) 293 } else { 294 require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagWildcardNexthdr) 295 if key.DestPortNetwork == 0 { 296 require.Equal(t, policyFlagWildcardDestPort, entry.Flags&policyFlagWildcardDestPort) 297 require.Equal(t, StaticPrefixBits+NexthdrBits, key.Prefixlen) 298 } else { 299 require.Equal(t, uint16(tt.args.dport), byteorder.NetworkToHost16(key.DestPortNetwork)) 300 require.Equal(t, policyEntryFlags(0), entry.Flags&policyFlagWildcardDestPort) 301 require.Equal(t, StaticPrefixBits+FullPrefixBits, key.Prefixlen) 302 } 303 } 304 } 305 }