github.com/kiali/kiali@v1.84.0/business/checkers/workloads/uncovered_workload_checker_test.go (about) 1 package workloads 2 3 import ( 4 "testing" 5 6 "github.com/stretchr/testify/assert" 7 security_v1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" 8 9 "github.com/kiali/kiali/config" 10 "github.com/kiali/kiali/models" 11 "github.com/kiali/kiali/tests/data" 12 "github.com/kiali/kiali/tests/testutils/validations" 13 ) 14 15 const ( 16 ns1 = "bookinfo" 17 ns2 = "movieinfo" 18 ) 19 20 func TestCoveredworkloads(t *testing.T) { 21 conf := config.NewConfig() 22 config.Set(conf) 23 24 assert := assert.New(t) 25 var vals []*models.IstioCheck 26 var valid bool 27 28 for _, wl := range workloadListNS2().Workloads { 29 //firstCase - one authorization policy namespace is wide mesh and has no selector (covers all workloads including current workload), 30 // while other auths has diffrenet namespaces than current workload 31 vals, valid = UncoveredWorkloadChecker{ 32 Workload: wl, 33 Namespace: ns2, 34 AuthorizationPolicies: variedAuthPolicies1(), 35 }.Check() 36 37 assert.Empty(vals) 38 assert.True(valid) 39 40 // second case - one authorization policy has no selector but belongs to the curr workload ns (covers it), 41 // while other auths has diffrenet namespaces than current workload 42 vals, valid = UncoveredWorkloadChecker{ 43 Workload: wl, 44 Namespace: ns2, 45 AuthorizationPolicies: variedAuthPolicies2(), 46 }.Check() 47 48 assert.Empty(vals) 49 assert.True(valid) 50 51 } 52 53 // third case - curr workload in the same namespace and has a matching authorization policy (same ns and labels) 54 vals, valid = UncoveredWorkloadChecker{ 55 Workload: workloadListNS1().Workloads[1], 56 Namespace: ns1, 57 AuthorizationPolicies: authorizationPoliciesNS1(), 58 }.Check() 59 60 assert.Empty(vals) 61 assert.True(valid) 62 } 63 64 func TestUnCoveredWorkloads(t *testing.T) { 65 conf := config.NewConfig() 66 config.Set(conf) 67 68 assert := assert.New(t) 69 //case 1 - authpolicy in root ns with unmatching selector, other auths from another ns 70 testFailure(assert, ns2, 71 variedAuthPolicies3(), 72 workloadListNS2().Workloads[0]) 73 74 // case 2 - curr workload has different namespace than of all authpolicies 75 testFailure(assert, ns2, authorizationPoliciesNS1(), workloadListNS2().Workloads[1]) 76 77 //case3 - workload and authpolicies have same namespace but all auth policies have unmatching labels 78 testFailure(assert, ns1, 79 authorizationPoliciesNS1(), 80 workloadListNS1().Workloads[3]) 81 82 //case4 - no authorization policy found 83 testFailure(assert, ns2, []*security_v1beta1.AuthorizationPolicy{}, workloadListNS2().Workloads[0]) 84 } 85 86 func testFailure(assert *assert.Assertions, ns string, authpolicies []*security_v1beta1.AuthorizationPolicy, workload models.WorkloadListItem) { 87 vals, valid := UncoveredWorkloadChecker{ 88 Workload: workload, 89 Namespace: ns, 90 AuthorizationPolicies: authpolicies, 91 }.Check() 92 93 assert.NotEmpty(vals) 94 assert.True(valid) 95 assert.NoError(validations.ConfirmIstioCheckMessage("workload.authorizationpolicy.needstobecovered", vals[0])) 96 97 } 98 99 func workloadListNS1() models.WorkloadList { 100 wlitems := []models.WorkloadListItem{ 101 data.CreateWorkloadListItem("covered-workload1", map[string]string{"app": "ratings", "version": "v1"}), 102 data.CreateWorkloadListItem("covered-workload2", map[string]string{"app": "productpage", "version": "v1"}), 103 data.CreateWorkloadListItem("covered-workload3", map[string]string{"app": "details", "version": "v3"}), 104 data.CreateWorkloadListItem("uncovered-workload", map[string]string{"app": "wrong", "version": "v5"}), 105 } 106 107 return data.CreateWorkloadList(ns1, wlitems...) 108 } 109 110 func workloadListNS2() models.WorkloadList { 111 wlitems := []models.WorkloadListItem{ 112 data.CreateWorkloadListItem("uncovered-workload1", map[string]string{"app": "ratings", "version": "v1"}), 113 data.CreateWorkloadListItem("uncovered-workload2", map[string]string{"app": "details", "version": "v2"}), 114 } 115 return data.CreateWorkloadList(ns2, wlitems...) 116 } 117 118 func authorizationPoliciesNS1() []*security_v1beta1.AuthorizationPolicy { 119 auths := []*security_v1beta1.AuthorizationPolicy{ 120 data.CreateAuthorizationPolicyWithMetaAndSelector("auth-policy1", ns1, map[string]string{"app": "ratings", "version": "v1"}), 121 data.CreateAuthorizationPolicyWithMetaAndSelector("auth-policy2", ns1, map[string]string{"app": "productpage", "version": "v1"}), 122 data.CreateAuthorizationPolicyWithMetaAndSelector("auth-policy3", ns1, map[string]string{"app": "details", "version": "v3"}), 123 } 124 return auths 125 } 126 127 func variedAuthPolicies1() []*security_v1beta1.AuthorizationPolicy { 128 auths := []*security_v1beta1.AuthorizationPolicy{ 129 data.CreateEmptyMeshAuthorizationPolicy("test-root"), 130 } 131 auths = append(auths, authorizationPoliciesNS1()...) 132 133 return auths 134 } 135 136 func variedAuthPolicies2() []*security_v1beta1.AuthorizationPolicy { 137 auths := []*security_v1beta1.AuthorizationPolicy{ 138 data.CreateEmptyAuthorizationPolicy("test-ns", ns2), 139 } 140 auths = append(auths, authorizationPoliciesNS1()...) 141 142 return auths 143 } 144 145 func variedAuthPolicies3() []*security_v1beta1.AuthorizationPolicy { 146 auths := []*security_v1beta1.AuthorizationPolicy{ 147 data.CreateAuthorizationPolicyWithMetaAndSelector("test-root2", "istio-system", map[string]string{"app": "wrong", "version": "v4"}), 148 } 149 auths = append(auths, authorizationPoliciesNS1()...) 150 151 return auths 152 }