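package authorization

import (
	"testing"

	"github.com/stretchr/testify/assert"
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/config"
	"github.com/kiali/kiali/models"
	"github.com/kiali/kiali/tests/data"
	"github.com/kiali/kiali/tests/testutils/validations"
)

// These tests exercise PrincipalsChecker, which validates that every entry in
// spec/rules[*]/from[*]/source/principals of an AuthorizationPolicy refers to a
// service account the checker was given (keyed by cluster). Per the
// expectations below:
//   - a principal matching no known service account on any cluster is an
//     ErrorSeverity "authorizationpolicy.nodest.principalnotfound";
//   - a principal that only exists on a cluster other than Checker.Cluster is a
//     WarningSeverity "authorizationpolicy.nodest.principalremote";
//   - an empty principals list is valid.
//
// NOTE(review): a principal that matches no workload identity can never match a
// request, so in an ALLOW rule it grants nothing while in a DENY rule it blocks
// nothing (the policy is silently weaker than intended). The DENY action is not
// covered here — worth a test if the checker is meant to catch that case.
//
// The local result variable is named `vals` in every test so it does not shadow
// the imported `validations` test-utility package.
const (
	saDefault = "cluster.local/ns/bookinfo/sa/default"
	saTest    = "cluster.local/ns/bookinfo/sa/test"

	// Check codes the tests expect PrincipalsChecker to emit.
	codePrincipalNotFound = "authorizationpolicy.nodest.principalnotfound"
	codePrincipalRemote   = "authorizationpolicy.nodest.principalremote"

	// Paths of the first two principals of the first rule's first from-clause.
	pathPrincipal0 = "spec/rules[0]/from[0]/source/principals[0]"
	pathPrincipal1 = "spec/rules[0]/from[0]/source/principals[1]"
)

// TestPresentServiceAccount: every principal maps to a known service account on
// the checker's own cluster, so the policy validates cleanly.
func TestPresentServiceAccount(t *testing.T) {
	// Installs a fresh default config; only this test does so, and the others
	// only use config.DefaultClusterID — TODO confirm Check() does not read the
	// global config, otherwise the remaining tests depend on test ordering.
	conf := config.NewConfig()
	config.Set(conf)

	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{saDefault, saTest}),
		Cluster:             config.DefaultClusterID,
		ServiceAccounts:     map[string][]string{config.DefaultClusterID: {saDefault, saTest}},
	}.Check()

	// Well configured object: no validations at all.
	assert.True(valid)
	assert.Empty(vals)
}

// TestRegexPrincipalFound: principals containing `*` are matched as patterns
// against the service account names, so "*local/ns/bookinfo/sa/default*"
// accepts "cluster.local/ns/bookinfo/sa/default-a".
//
// NOTE(review): Istio itself documents only exact, prefix ("*suffix"), suffix
// ("prefix*") and presence ("*") matching for principals; a pattern with `*`
// on both ends, as used here, is accepted by the checker — TODO confirm Istio
// honours such a pattern at enforcement time, otherwise the validator is more
// permissive than the data plane.
func TestRegexPrincipalFound(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{"*local/ns/bookinfo/sa/default*", "*.local/ns/bookinfo/sa/test*"}),
		Cluster:             config.DefaultClusterID,
		ServiceAccounts:     map[string][]string{config.DefaultClusterID: {saDefault + "-a", saTest + "-1"}},
	}.Check()

	// Both patterns match a known service account.
	assert.True(valid)
	assert.Empty(vals)
}

// TestRegexPrincipalNotFound: wildcard principals that match no service
// account are reported individually, one error per principal, with the path
// of the offending entry.
func TestRegexPrincipalNotFound(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{"*wronglocal/ns/bookinfo/sa/default*", "*.local/ns/bookinfo/sa/test1*"}),
		Cluster:             config.DefaultClusterID,
		ServiceAccounts:     map[string][]string{config.DefaultClusterID: {saDefault + "-a", saTest + "-1"}},
	}.Check()

	// Neither pattern matches: one error per principal, in declaration order.
	assert.False(valid)
	assert.NotEmpty(vals)
	assert.Len(vals, 2)
	assert.Equal(models.ErrorSeverity, vals[0].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalNotFound, vals[0]))
	assert.Equal(pathPrincipal0, vals[0].Path)
	assert.Equal(models.ErrorSeverity, vals[1].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalNotFound, vals[1]))
	assert.Equal(pathPrincipal1, vals[1].Path)
}

// TestEmptyPrincipals: a policy with no principals has nothing to resolve and
// is considered valid by this checker.
func TestEmptyPrincipals(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{}),
		Cluster:             config.DefaultClusterID,
		ServiceAccounts:     map[string][]string{config.DefaultClusterID: {saDefault, saTest}},
	}.Check()

	// Well configured object: nothing to validate.
	assert.True(valid)
	assert.Empty(vals)
}

// TestNotPresentServiceAccount: an unknown service account name and a bare
// string that is not even in principal form are both reported as not found.
func TestNotPresentServiceAccount(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{"cluster.local/ns/bookinfo/sa/wrong", "test"}),
		Cluster:             config.DefaultClusterID,
		ServiceAccounts:     map[string][]string{config.DefaultClusterID: {saDefault, saTest}},
	}.Check()

	// Neither principal is present: one error per principal, in declaration order.
	assert.False(valid)
	assert.NotEmpty(vals)
	assert.Len(vals, 2)
	assert.Equal(models.ErrorSeverity, vals[0].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalNotFound, vals[0]))
	assert.Equal(pathPrincipal0, vals[0].Path)
	assert.Equal(models.ErrorSeverity, vals[1].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalNotFound, vals[1]))
	assert.Equal(pathPrincipal1, vals[1].Path)
}

// TestRemoteClusterServiceAccount: a principal that exists only on a different
// cluster than the one being checked ("east") is downgraded to a warning, and
// a principal present on the checked cluster produces nothing.
func TestRemoteClusterServiceAccount(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{saDefault, saTest}),
		Cluster:             "east",
		ServiceAccounts:     map[string][]string{"west": {saDefault}, "east": {saTest}},
	}.Check()

	// saDefault is only known on "west": a single remote-principal warning.
	assert.False(valid)
	assert.NotEmpty(vals)
	assert.Len(vals, 1)
	assert.Equal(models.WarningSeverity, vals[0].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalRemote, vals[0]))
	assert.Equal(pathPrincipal0, vals[0].Path)
}

// TestEmptyServiceAccount: with no service accounts known at all (and Cluster
// left at its zero value), any principal is reported as not found.
func TestEmptyServiceAccount(t *testing.T) {
	assert := assert.New(t)

	vals, valid := PrincipalsChecker{
		AuthorizationPolicy: authPolicyWithPrincipals([]string{"cluster.local/ns/bookinfo/sa/wrong"}),
		ServiceAccounts:     map[string][]string{},
	}.Check()

	// No service accounts to match against: the principal is not found.
	assert.False(valid)
	assert.NotEmpty(vals)
	assert.Len(vals, 1)
	assert.Equal(models.ErrorSeverity, vals[0].Severity)
	assert.Error(validations.ConfirmIstioCheckMessage(codePrincipalNotFound, vals[0]))
	assert.Equal(pathPrincipal0, vals[0].Path)
}

// authPolicyWithPrincipals builds the fixture AuthorizationPolicy "auth-policy"
// in namespace "bookinfo" whose single rule lists principalsList under
// rules[0].from[0].source.principals (as the asserted paths above show).
func authPolicyWithPrincipals(principalsList []string) *security_v1beta.AuthorizationPolicy {
	return data.CreateAuthorizationPolicyWithPrincipals("auth-policy", "bookinfo", principalsList)
}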