github.com/cilium/cilium@v1.16.2/pkg/policy/api/rule_test.go

github.com/cilium/cilium@v1.16.2/pkg/policy/api/rule_test.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package api
     5  
     6  import (
     7  	"context"
     8  	"encoding/json"
     9  	"testing"
    10  
    11  	"github.com/stretchr/testify/require"
    12  )
    13  
    14  func checkMarshalUnmarshal(t *testing.T, r *Rule) {
    15  	jsonData, err := json.Marshal(r)
    16  	require.Nil(t, err)
    17  
    18  	newRule := Rule{}
    19  	err = json.Unmarshal(jsonData, &newRule)
    20  	require.Nil(t, err)
    21  
    22  	require.Equal(t, newRule.EndpointSelector.LabelSelector == nil, r.EndpointSelector.LabelSelector == nil)
    23  	require.Equal(t, newRule.NodeSelector.LabelSelector == nil, r.NodeSelector.LabelSelector == nil)
    24  }
    25  
    26  // This test ensures that the NodeSelector and EndpointSelector fields are kept
    27  // empty when the rule is marshalled/unmarshalled.
    28  func TestJSONMarshalling(t *testing.T) {
    29  	setUpSuite(t)
    30  
    31  	validEndpointRule := Rule{
    32  		EndpointSelector: WildcardEndpointSelector,
    33  	}
    34  	checkMarshalUnmarshal(t, &validEndpointRule)
    35  
    36  	validNodeRule := Rule{
    37  		NodeSelector: WildcardEndpointSelector,
    38  	}
    39  	checkMarshalUnmarshal(t, &validNodeRule)
    40  }
    41  
    42  func getEgressRuleWithToGroups() *Rule {
    43  	return &Rule{
    44  		Egress: []EgressRule{
    45  			{
    46  				EgressCommonRule: EgressCommonRule{
    47  					ToGroups: []Groups{
    48  						GetGroupsRule(),
    49  					},
    50  				},
    51  			},
    52  		},
    53  	}
    54  }
    55  
    56  func getEgressDenyRuleWithToGroups() *Rule {
    57  	return &Rule{
    58  		EgressDeny: []EgressDenyRule{
    59  			{
    60  				EgressCommonRule: EgressCommonRule{
    61  					ToGroups: []Groups{
    62  						GetGroupsRule(),
    63  					},
    64  				},
    65  			},
    66  		},
    67  	}
    68  }
    69  
    70  func getIngressRuleWithFromGroups() *Rule {
    71  	return &Rule{
    72  		Ingress: []IngressRule{
    73  			{
    74  				IngressCommonRule: IngressCommonRule{
    75  					FromGroups: []Groups{
    76  						GetGroupsRule(),
    77  					},
    78  				},
    79  			},
    80  		},
    81  	}
    82  }
    83  
    84  func getIngressDenyRuleWithFromGroups() *Rule {
    85  	return &Rule{
    86  		IngressDeny: []IngressDenyRule{
    87  			{
    88  				IngressCommonRule: IngressCommonRule{
    89  					FromGroups: []Groups{
    90  						GetGroupsRule(),
    91  					},
    92  				},
    93  			},
    94  		},
    95  	}
    96  }
    97  
    98  func TestRequiresDerivative(t *testing.T) {
    99  	setUpSuite(t)
   100  
   101  	egressWithoutToGroups := Rule{}
   102  	require.Equal(t, false, egressWithoutToGroups.RequiresDerivative())
   103  
   104  	egressRuleWithToGroups := getEgressRuleWithToGroups()
   105  	require.Equal(t, true, egressRuleWithToGroups.RequiresDerivative())
   106  
   107  	egressDenyRuleWithToGroups := getEgressDenyRuleWithToGroups()
   108  	require.Equal(t, true, egressDenyRuleWithToGroups.RequiresDerivative())
   109  
   110  	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
   111  	require.Equal(t, true, ingressRuleWithToGroups.RequiresDerivative())
   112  
   113  	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
   114  	require.Equal(t, true, ingressDenyRuleWithToGroups.RequiresDerivative())
   115  }
   116  
   117  func TestCreateDerivative(t *testing.T) {
   118  	setUpSuite(t)
   119  
   120  	egressWithoutToGroups := Rule{}
   121  	newRule, err := egressWithoutToGroups.CreateDerivative(context.TODO())
   122  	require.Nil(t, err)
   123  	require.Equal(t, 0, len(newRule.Egress))
   124  	require.Equal(t, 0, len(newRule.EgressDeny))
   125  
   126  	RegisterToGroupsProvider(AWSProvider, GetCallBackWithRule("192.168.1.1"))
   127  
   128  	egressRuleWithToGroups := getEgressRuleWithToGroups()
   129  	newRule, err = egressRuleWithToGroups.CreateDerivative(context.TODO())
   130  	require.Nil(t, err)
   131  	require.Equal(t, 0, len(newRule.EgressDeny))
   132  	require.Equal(t, 1, len(newRule.Egress))
   133  	require.Equal(t, 1, len(newRule.Egress[0].ToCIDRSet))
   134  
   135  	egressDenyRuleWithToGroups := getEgressDenyRuleWithToGroups()
   136  	newRule, err = egressDenyRuleWithToGroups.CreateDerivative(context.TODO())
   137  	require.Nil(t, err)
   138  	require.Equal(t, 0, len(newRule.Egress))
   139  	require.Equal(t, 1, len(newRule.EgressDeny))
   140  	require.Equal(t, 1, len(newRule.EgressDeny[0].ToCIDRSet))
   141  
   142  	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
   143  	newRule, err = ingressRuleWithToGroups.CreateDerivative(context.TODO())
   144  	require.Nil(t, err)
   145  	require.Equal(t, 0, len(newRule.IngressDeny))
   146  	require.Equal(t, 1, len(newRule.Ingress))
   147  	require.Equal(t, 1, len(newRule.Ingress[0].FromCIDRSet))
   148  
   149  	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
   150  	newRule, err = ingressDenyRuleWithToGroups.CreateDerivative(context.TODO())
   151  	require.Nil(t, err)
   152  	require.Equal(t, 0, len(newRule.Ingress))
   153  	require.Equal(t, 1, len(newRule.IngressDeny))
   154  	require.Equal(t, 1, len(newRule.IngressDeny[0].FromCIDRSet))
   155  }