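package peerauthentications

import (
	"testing"

	"github.com/stretchr/testify/assert"
	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"

	"github.com/kiali/kiali/kubernetes"
	"github.com/kiali/kiali/models"
	"github.com/kiali/kiali/tests/data"
	"github.com/kiali/kiali/tests/testutils/validations"
)

// These tests cover MeshMtlsChecker, which validates a mesh-wide PeerAuthentication
// (the "MeshPolicy") that enables mTLS. The validation is raised when there is no
// DestinationRule that makes clients start mTLS connections: a STRICT policy makes
// the server-side sidecars reject plaintext, so without a mesh-wide DestinationRule
// enabling client mTLS the traffic is broken rather than encrypted.
//
// The expected finding is the "peerauthentication.mtls.destinationrulemissing"
// message on path "spec/mtls" with error severity.

// strictMeshPolicy returns the mesh-wide PeerAuthentication in STRICT mode.
func strictMeshPolicy() *security_v1beta.PeerAuthentication {
	return data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("STRICT"))
}

// permissiveMeshPolicy returns the mesh-wide PeerAuthentication in PERMISSIVE mode.
func permissiveMeshPolicy() *security_v1beta.PeerAuthentication {
	return data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("PERMISSIVE"))
}

// mtlsDestinationRule builds a DestinationRule named "default" in the given
// namespace for the given host, with a traffic policy that enables mTLS for
// clients. (The fixture arguments look like (namespace, name, host); confirm
// against tests/data if the fixture changes.)
func mtlsDestinationRule(namespace, host string) *networking_v1beta1.DestinationRule {
	return data.AddTrafficPolicyToDestinationRule(
		data.CreateMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule(namespace, "default", host),
	)
}

// mtlsDetailsWith wraps the given DestinationRules in an MTLSDetails with auto
// mTLS disabled. The slice is always non-nil (an empty, non-nil slice when no
// rules are given), matching the fixtures the tests used before.
func mtlsDetailsWith(rules ...*networking_v1beta1.DestinationRule) kubernetes.MTLSDetails {
	drs := make([]*networking_v1beta1.DestinationRule, 0, len(rules))
	drs = append(drs, rules...)
	return kubernetes.MTLSDetails{DestinationRules: drs}
}

// Context: MeshPolicy enables mTLS
// Context: There is one Destination Rule enabling mTLS mesh-wide
// It doesn't return any validation
func TestMeshPolicymTLSEnabled(t *testing.T) {
	details := mtlsDetailsWith(mtlsDestinationRule("default", "*.local"))

	testValidationsNotAdded(t, strictMeshPolicy(), details)
}

// Context: MeshPolicy enables mTLS
// Context: There is one Destination Rule enabling mTLS namespace-wide
// It returns a validation
func TestMeshPolicyEnabledDRNamespaceWide(t *testing.T) {
	// A namespace-scoped rule does not cover the whole mesh, so clients in
	// other namespaces would still send plaintext to STRICT servers.
	details := mtlsDetailsWith(mtlsDestinationRule("bookinfo", "*.bookinfo.svc.cluster.local"))

	testValidationAdded(t, strictMeshPolicy(), details)
}

// Context: MeshPolicy enables mTLS
// Context: There is one Destination Rule not enabling any kind of mTLS
// It returns a validation
func TestMeshPolicyEnabledDRmTLSDisabled(t *testing.T) {
	details := mtlsDetailsWith(data.CreateEmptyDestinationRule("bar", "default", "*.bar.svc.cluster.local"))

	testValidationAdded(t, strictMeshPolicy(), details)
}

// Context: MeshPolicy enables mTLS
// Context: There isn't any Destination Rule
// It returns a validation
func TestMeshPolicymTLSEnabledDestinationRuleMissing(t *testing.T) {
	testValidationAdded(t, strictMeshPolicy(), mtlsDetailsWith())
}

// Context: MeshPolicy doesn't enable mTLS
// Context: There is one Destination Rule enabling mTLS mesh-wide
// It doesn't return any validation
func TestMeshPolicymTLSDisabledDestinationRulePresent(t *testing.T) {
	details := mtlsDetailsWith(mtlsDestinationRule("default", "*.local"))

	testValidationsNotAdded(t, permissiveMeshPolicy(), details)
}

// Context: MeshPolicy doesn't enable mTLS
// Context: There is one Destination Rule enabling mTLS namespace-wide
// It doesn't return any validation
func TestMeshPolicyDisabledDRNamespaceWide(t *testing.T) {
	details := mtlsDetailsWith(mtlsDestinationRule("bookinfo", "*.bookinfo.svc.cluster.local"))

	testValidationsNotAdded(t, permissiveMeshPolicy(), details)
}

// Context: MeshPolicy doesn't enable mTLS
// Context: There is one Destination Rule not enabling any kind of mTLS
// It doesn't return any validation
func TestMeshPolicyDisabledDRmTLSDisabled(t *testing.T) {
	details := mtlsDetailsWith(data.CreateEmptyDestinationRule("bar", "default", "*.bar.svc.cluster.local"))

	testValidationsNotAdded(t, permissiveMeshPolicy(), details)
}

// Context: MeshPolicy doesn't enable mTLS
// Context: There isn't any Destination Rule
// It doesn't return a validation
func TestMeshPolicymTLSDisabledDestinationRuleMissing(t *testing.T) {
	testValidationsNotAdded(t, permissiveMeshPolicy(), mtlsDetailsWith())
}

// testValidationAdded runs the checker and requires exactly one finding: error
// severity, path "spec/mtls", message "peerauthentication.mtls.destinationrulemissing".
//
// The length assertion is checked before vals[0] is read: the non-fatal
// assertions used here do not stop the helper, so indexing an empty slice would
// panic with "index out of range" and abort the whole package's test run instead
// of reporting a plain failure.
func testValidationAdded(t *testing.T, meshPolicy *security_v1beta.PeerAuthentication, mTLSDetails kubernetes.MTLSDetails) {
	t.Helper()

	checker := MeshMtlsChecker{
		MeshPolicy:  meshPolicy,
		MTLSDetails: mTLSDetails,
	}
	vals, valid := checker.Check()

	assert.False(t, valid)
	if !assert.Len(t, vals, 1) {
		return
	}

	found := vals[0]
	assert.NotNil(t, found)
	assert.Equal(t, models.ErrorSeverity, found.Severity)
	assert.Equal(t, "spec/mtls", found.Path)
	assert.NoError(t, validations.ConfirmIstioCheckMessage("peerauthentication.mtls.destinationrulemissing", found))
}

// testValidationsNotAdded runs the checker and requires no findings and a
// valid result.
func testValidationsNotAdded(t *testing.T, meshPolicy *security_v1beta.PeerAuthentication, mTLSDetails kubernetes.MTLSDetails) {
	t.Helper()

	checker := MeshMtlsChecker{
		MeshPolicy:  meshPolicy,
		MTLSDetails: mTLSDetails,
	}
	vals, valid := checker.Check()

	assert.Empty(t, vals)
	assert.True(t, valid)
}

// Context: MeshPolicy enables mTLS
// Context: There isn't any Destination Rule, but auto mTLS is enabled
// It doesn't return any validation: with auto mTLS the sidecars negotiate mTLS
// between themselves without an explicit DestinationRule, so the checker does
// not treat the missing rule as an error.
func TestNoValidationsAddedWhenStrictAndAutoMtlsEnabled(t *testing.T) {
	details := mtlsDetailsWith()
	details.EnabledAutoMtls = true

	// This is the only test that sets IsServiceMesh; the others leave it at
	// its zero value.
	vals, valid := MeshMtlsChecker{
		MeshPolicy:    strictMeshPolicy(),
		MTLSDetails:   details,
		IsServiceMesh: true,
	}.Check()

	assert.Empty(t, vals)
	assert.True(t, valid)
}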