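package destinationrules

import (
	"testing"

	"github.com/stretchr/testify/assert"
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/config"
	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
	"github.com/kiali/kiali/tests/data"
	"github.com/kiali/kiali/tests/testutils/validations"
)

// These tests cover DisabledNamespaceWideMTLSChecker: a DestinationRule whose
// host is the namespace-wide pattern (*.bookinfo.svc.cluster.local) and whose
// trafficPolicy.tls.mode is DISABLE. The checker raises an error only when the
// effective PeerAuthentication for that namespace is STRICT (namespace-level
// policy, or mesh-level policy with no namespace-level override), because the
// two settings contradict each other. Every scenario is run with auto mTLS
// both off and on; the expected outcome does not depend on it.
//
// NOTE(review): "no validation" here means the DestinationRule is *consistent*
// with the PeerAuthentication, not that traffic is protected. A DISABLE
// DestinationRule under a PERMISSIVE or DISABLE PeerAuthentication (or no
// policy at all) is accepted by this checker even though it results in
// plaintext traffic; that posture is not this checker's concern.

// nsWideDisableMTLSDR builds the namespace-wide DestinationRule under test:
// namespace "bookinfo", the given name, host *.bookinfo.svc.cluster.local and
// a trafficPolicy that sets tls.mode to DISABLE.
func nsWideDisableMTLSDR(name string) *networking_v1beta1.DestinationRule {
	return data.AddTrafficPolicyToDestinationRule(
		data.CreateDisabledMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule("bookinfo", name, "*.bookinfo.svc.cluster.local"))
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: PeerAuthn ns-wide in permissive mode
// It doesn't return any validation
func TestDRNSWideDisablingTLSPolicyPermissive(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		PeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyPeerAuthentication("default", "bookinfo", data.CreateMTLS("PERMISSIVE")),
		},
	}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: PeerAuthn ns-wide in disable mode
// It doesn't return any validation
func TestDRNSWideDisablingTLSPolicyDisable(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		PeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyPeerAuthentication("default", "bookinfo", data.CreateMTLS("DISABLE")),
		},
	}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: PeerAuthn ns-wide in permissive mode
// Context: Does have a MeshPolicy in strict mode
// It doesn't return any validation
//
// The namespace-level PERMISSIVE policy takes precedence over the mesh-level
// STRICT one, so the DISABLE DestinationRule is not contradictory.
func TestDRNSWideDisablingTLSPolicyPermissiveMeshStrict(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		PeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyPeerAuthentication("default", "bookinfo", data.CreateMTLS("PERMISSIVE")),
		},
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("STRICT")),
		},
	}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: PeerAuthn ns-wide in strict mode
// It returns a policymtlsenabled validation
func TestDRNSWideDisablingTLSPolicyStrict(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		PeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyPeerAuthentication("default", "bookinfo", data.CreateMTLS("STRICT")),
		},
	}

	testDisabledMtlsValidationsFound(t, "destinationrules.mtls.policymtlsenabled", destinationRule, mTlsDetails, false)
	testDisabledMtlsValidationsFound(t, "destinationrules.mtls.policymtlsenabled", destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: Doesn't have PeerAuthn ns-wide defining TLS settings
// Context: Does have a MeshPolicy in strict mode
// It returns a meshpolicymtlsenabled validation
func TestDRNSWideDisablingTLSMeshPolicyStrict(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("STRICT")),
		},
	}

	testDisabledMtlsValidationsFound(t, "destinationrules.mtls.meshpolicymtlsenabled", destinationRule, mTlsDetails, false)
	testDisabledMtlsValidationsFound(t, "destinationrules.mtls.meshpolicymtlsenabled", destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: Doesn't have PeerAuthn ns-wide defining TLS settings
// Context: Does have a MeshPolicy in permissive mode
// It doesn't return any validation
func TestDRNSWideDisablingTLSMeshPolicyPermissive(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("PERMISSIVE")),
		},
	}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: DestinationRule ns-wide disabling mTLS connections
// Context: Doesn't have PeerAuthn ns-wide defining TLS settings
// Context: Doesn't have a MeshPolicy defining TLS settings
// It doesn't return any validation
func TestDRNSWideDisablingTLSWithoutPolicy(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("disable-mtls")

	mTlsDetails := kubernetes.MTLSDetails{}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: There isn't any ns-wide DestinationRule defining mTLS connections
// It doesn't return any validation
//
// The host here is "*.local", not the namespace-wide pattern, so the rule is
// outside this checker's scope even though it disables TLS.
func TestDRNonTLSRelated(t *testing.T) {
	destinationRule := data.AddTrafficPolicyToDestinationRule(
		data.CreateDisabledMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule("bookinfo", "dr-mtls", "*.local"))

	mTlsDetails := kubernetes.MTLSDetails{}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// Context: mTLS is strict at MESH-level
// Context: mTLS is disabled at namespace-level
// It doesn't return any validation
//
// The namespace-level DISABLE PeerAuthentication overrides the mesh-level
// STRICT one (and the mesh-wide mTLS DestinationRule in istio-system), so a
// namespace-wide DISABLE DestinationRule is consistent with the effective
// policy.
func TestMtlsStrictNsDisable(t *testing.T) {
	destinationRule := nsWideDisableMTLSDR("dr-mtls-disabled")

	mTlsDetails := kubernetes.MTLSDetails{
		MeshPeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("STRICT")),
		},
		PeerAuthentications: []*security_v1beta1.PeerAuthentication{
			data.CreateEmptyPeerAuthentication("disable-bookinfo", "bookinfo", data.CreateMTLS("DISABLE")),
		},
		DestinationRules: []*networking_v1beta1.DestinationRule{
			data.AddTrafficPolicyToDestinationRule(
				data.CreateMTLSTrafficPolicyForDestinationRules(),
				data.CreateEmptyDestinationRule("istio-system", "dr-mtls", "*.local")),
		},
	}

	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, false)
	testNoDisabledMtlsValidationsFound(t, destinationRule, mTlsDetails, true)
}

// testNoDisabledMtlsValidationsFound runs DisabledNamespaceWideMTLSChecker on
// destinationRule with mTLSDetails (auto mTLS forced to autoMtls) and asserts
// that it reports no validations and marks the rule as valid.
func testNoDisabledMtlsValidationsFound(t *testing.T, destinationRule *networking_v1beta1.DestinationRule, mTLSDetails kubernetes.MTLSDetails, autoMtls bool) {
	// Reset to a fresh default config so an earlier test cannot leak settings.
	config.Set(config.NewConfig())

	a := assert.New(t)

	// mTLSDetails is passed by value, so this does not touch the caller's copy.
	mTLSDetails.EnabledAutoMtls = autoMtls

	checks, valid := DisabledNamespaceWideMTLSChecker{
		DestinationRule: destinationRule,
		MTLSDetails:     mTLSDetails,
	}.Check()

	a.Empty(checks)
	a.True(valid)
}

// testDisabledMtlsValidationsFound runs DisabledNamespaceWideMTLSChecker on
// destinationRule with mTLSDetails (auto mTLS forced to autoMtls) and asserts
// that it reports exactly one error-severity validation with the given
// validationId, pointing at spec/trafficPolicy/tls/mode, and marks the rule
// as invalid.
func testDisabledMtlsValidationsFound(t *testing.T, validationId string, destinationRule *networking_v1beta1.DestinationRule, mTLSDetails kubernetes.MTLSDetails, autoMtls bool) {
	// Reset to a fresh default config so an earlier test cannot leak settings.
	config.Set(config.NewConfig())

	a := assert.New(t)

	// mTLSDetails is passed by value, so this does not touch the caller's copy.
	mTLSDetails.EnabledAutoMtls = autoMtls

	vals, valid := DisabledNamespaceWideMTLSChecker{
		DestinationRule: destinationRule,
		MTLSDetails:     mTLSDetails,
	}.Check()

	a.False(valid)
	// Guard the index below: assert.* only records the failure, so without an
	// early return an empty result would panic on vals[0] and hide the real
	// assertion message.
	if !a.Len(vals, 1) {
		return
	}

	validation := vals[0]
	a.NotNil(validation)
	a.Equal(models.ErrorSeverity, validation.Severity)
	a.Equal("spec/trafficPolicy/tls/mode", validation.Path)
	a.NoError(validations.ConfirmIstioCheckMessage(validationId, validation))
}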