
     1  package peerauthentications
     2  
     3  import (
     4  	"testing"
     5  
     6  	"github.com/stretchr/testify/assert"
     7  	networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
     8  	security_v1beta "istio.io/client-go/pkg/apis/security/v1beta1"
     9  
    10  	"github.com/kiali/kiali/config"
    11  	"github.com/kiali/kiali/kubernetes"
    12  	"github.com/kiali/kiali/models"
    13  	"github.com/kiali/kiali/tests/data"
    14  	"github.com/kiali/kiali/tests/testutils/validations"
    15  )
    16  
// Describe the validation of a PeerAuthn that enables mTLS for one namespace. The validation is raised when there is no
// Destination Rule enabling clients to start mTLS connections.
    19  
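// Context: PeerAuthn enables mTLS for a namespace
// Context: There is one Destination Rule not enabling mTLS
// It returns a validation
func TestPeerAuthnmTLSEnabled(t *testing.T) {
	assert := assert.New(t)
	conf := config.NewConfig()
	config.Set(conf)

	// STRICT PeerAuthentication in namespace "bar", paired with a DestinationRule
	// for that namespace that carries no traffic policy (no client-side mTLS).
	policy := data.CreateEmptyPeerAuthentication("default", "bar", data.CreateMTLS("STRICT"))
	mTLSDetails := kubernetes.MTLSDetails{
		DestinationRules: []*networking_v1beta1.DestinationRule{
			data.CreateEmptyDestinationRule("bar", "default", "*.bar.svc.cluster.local"),
		},
	}

	vals, valid := NamespaceMtlsChecker{
		PeerAuthn:   policy,
		MTLSDetails: mTLSDetails,
	}.Check()

	assert.False(valid)
	// Stop on a length mismatch: indexing vals[0] below would otherwise turn a
	// failed assertion into an index-out-of-range panic.
	if !assert.Len(vals, 1) {
		t.FailNow()
	}

	validation := vals[0]
	assert.NotNil(validation)
	assert.Equal(models.ErrorSeverity, validation.Severity)
	assert.Equal("spec/mtls", validation.Path)
	assert.NoError(validations.ConfirmIstioCheckMessage("peerauthentications.mtls.destinationrulemissing", validation))
}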
    50  
// Context: PeerAuthn enables mTLS for a namespace
// Context: There is one Destination Rule enabling mTLS for the namespace
// It doesn't return any validation
func TestPolicyEnabledDRmTLSEnabled(t *testing.T) {
	// STRICT PeerAuthentication in "bar" together with a namespace-scoped
	// DestinationRule that carries the mTLS traffic policy.
	strictPolicy := data.CreateEmptyPeerAuthentication("default", "bar", data.CreateMTLS("STRICT"))
	mtlsRule := data.AddTrafficPolicyToDestinationRule(
		data.CreateMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule("bar", "default", "*.bar.svc.cluster.local"),
	)
	details := kubernetes.MTLSDetails{
		DestinationRules: []*networking_v1beta1.DestinationRule{mtlsRule},
	}

	assertNoValidations(t, strictPolicy, details)
}
    65  
// Context: PeerAuthn enables mTLS for a namespace
// Context: There is one Destination Rule enabling mTLS for the namespace
// Context: There is one Destination Rule enabling mTLS for the whole service-mesh
// It doesn't return any validation
func TestPolicyEnabledDRmTLSMeshWideEnabled(t *testing.T) {
	// STRICT PeerAuthentication in "bar" covered by a DestinationRule whose
	// host "*.local" spans the whole mesh and carries the mTLS traffic policy.
	strictPolicy := data.CreateEmptyPeerAuthentication("default", "bar", data.CreateMTLS("STRICT"))
	meshWideRule := data.AddTrafficPolicyToDestinationRule(
		data.CreateMTLSTrafficPolicyForDestinationRules(),
		data.CreateEmptyDestinationRule("bar", "default", "*.local"),
	)
	details := kubernetes.MTLSDetails{
		DestinationRules: []*networking_v1beta1.DestinationRule{meshWideRule},
	}

	assertNoValidations(t, strictPolicy, details)
}
    83  
// Context: PeerAuthn enables mTLS in PERMISSIVE mode
// Context: Any Destination Rule.
// It doesn't return any validation
func TestPolicyPermissive(t *testing.T) {
	// PERMISSIVE mode accepts plaintext, so a DestinationRule without a
	// traffic policy is not expected to produce a validation.
	permissivePolicy := data.CreateEmptyPeerAuthentication("default", "bar", data.CreateMTLS("PERMISSIVE"))
	plainRule := data.CreateEmptyDestinationRule("bar", "default", "*.bar.svc.cluster.local")
	details := kubernetes.MTLSDetails{
		DestinationRules: []*networking_v1beta1.DestinationRule{plainRule},
	}

	assertNoValidations(t, permissivePolicy, details)
}
    96  
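// assertNoValidations runs NamespaceMtlsChecker over the given PeerAuthentication
// and mTLS details and fails the test if any validation is produced or the
// result is reported as invalid.
func assertNoValidations(t *testing.T, peerAuth *security_v1beta.PeerAuthentication, mTLSDetails kubernetes.MTLSDetails) {
	// Report assertion failures at the caller's line rather than inside this helper.
	t.Helper()

	assert := assert.New(t)
	conf := config.NewConfig()
	config.Set(conf)

	vals, valid := NamespaceMtlsChecker{
		PeerAuthn:   peerAuth,
		MTLSDetails: mTLSDetails,
	}.Check()

	assert.Empty(vals)
	assert.True(valid)
}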
   110  
// TestNoNamespaceWideValidationsAddedWhenStrictAndAutoMtlsEnabled checks that a
// mesh-wide STRICT PeerAuthentication with auto mTLS enabled and no
// DestinationRules at all yields no validations from MeshMtlsChecker.
func TestNoNamespaceWideValidationsAddedWhenStrictAndAutoMtlsEnabled(t *testing.T) {
	assert := assert.New(t)

	// NOTE(review): unlike the other tests in this file, no config.Set call
	// precedes the check — confirm MeshMtlsChecker does not read the global config.
	details := kubernetes.MTLSDetails{
		DestinationRules: []*networking_v1beta1.DestinationRule{},
		EnabledAutoMtls:  true,
	}
	checker := MeshMtlsChecker{
		MeshPolicy:  data.CreateEmptyMeshPeerAuthentication("default", data.CreateMTLS("STRICT")),
		MTLSDetails: details,
	}

	vals, valid := checker.Check()

	assert.True(valid)
	assert.Empty(vals)
}
   127  
   128  }