github.com/kiali/kiali@v1.84.0/business/tls_test.go (about) 1 package business 2 3 import ( 4 "context" 5 "testing" 6 7 osproject_v1 "github.com/openshift/api/project/v1" 8 "github.com/stretchr/testify/assert" 9 api_security_v1beta1 "istio.io/api/security/v1beta1" 10 networking_v1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1" 11 security_v1beta1 "istio.io/client-go/pkg/apis/security/v1beta1" 12 core_v1 "k8s.io/api/core/v1" 13 meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 14 "k8s.io/apimachinery/pkg/runtime" 15 16 "github.com/kiali/kiali/config" 17 "github.com/kiali/kiali/kubernetes" 18 "github.com/kiali/kiali/kubernetes/kubetest" 19 "github.com/kiali/kiali/tests/data" 20 "github.com/kiali/kiali/util" 21 ) 22 23 func TestMeshStatusEnabled(t *testing.T) { 24 assert := assert.New(t) 25 26 conf := config.NewConfig() 27 conf.Deployment.ClusterWideAccess = true 28 kubernetes.SetConfig(t, *conf) 29 30 pa := fakeStrictMeshPeerAuthentication("default") 31 dr := []*networking_v1beta1.DestinationRule{ 32 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 33 data.CreateEmptyDestinationRule("test", "default", "*.local")), 34 } 35 36 objs := []runtime.Object{ 37 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}}, 38 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "istio-system"}}, 39 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "default"}}, 40 } 41 objs = append(objs, kubernetes.ToRuntimeObjects(pa)...) 42 objs = append(objs, kubernetes.ToRuntimeObjects(dr)...) 43 44 k8s := kubetest.NewFakeK8sClient(objs...) 45 SetupBusinessLayer(t, k8s, *conf) 46 47 k8sclients := make(map[string]kubernetes.ClientInterface) 48 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 49 50 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 51 tlsService.enabledAutoMtls = util.AsPtr(false) 52 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{"test"}, conf.KubernetesConfig.ClusterName) 53 54 assert.NoError(err) 55 assert.Equal(MTLSEnabled, status.Status) 56 } 57 58 func TestMeshStatusEnabledAutoMtls(t *testing.T) { 59 assert := assert.New(t) 60 61 conf := config.NewConfig() 62 conf.Deployment.ClusterWideAccess = true 63 kubernetes.SetConfig(t, *conf) 64 65 pa := fakeStrictMeshPeerAuthentication("default") 66 dr := []*networking_v1beta1.DestinationRule{} 67 68 objs := []runtime.Object{ 69 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}}, 70 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "istio-system"}}, 71 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "default"}}, 72 } 73 objs = append(objs, kubernetes.ToRuntimeObjects(pa)...) 74 objs = append(objs, kubernetes.ToRuntimeObjects(dr)...) 75 76 k8s := kubetest.NewFakeK8sClient(objs...) 77 SetupBusinessLayer(t, k8s, *conf) 78 79 k8sclients := make(map[string]kubernetes.ClientInterface) 80 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 81 82 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 83 tlsService.enabledAutoMtls = util.AsPtr(true) 84 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{"test"}, conf.KubernetesConfig.ClusterName) 85 86 assert.NoError(err) 87 assert.Equal(MTLSEnabled, status.Status) 88 } 89 90 func TestMeshStatusPartiallyEnabled(t *testing.T) { 91 assert := assert.New(t) 92 93 conf := config.NewConfig() 94 conf.Deployment.ClusterWideAccess = true 95 kubernetes.SetConfig(t, *conf) 96 97 pa := fakeStrictMeshPeerAuthentication("default") 98 dr := []*networking_v1beta1.DestinationRule{ 99 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 100 data.CreateEmptyDestinationRule("istio-system", "default", "sleep.foo.svc.cluster.local")), 101 } 102 103 objs := []runtime.Object{ 104 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}}, 105 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "istio-system"}}, 106 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "default"}}, 107 } 108 objs = append(objs, kubernetes.ToRuntimeObjects(pa)...) 109 objs = append(objs, kubernetes.ToRuntimeObjects(dr)...) 110 111 k8s := kubetest.NewFakeK8sClient(objs...) 112 SetupBusinessLayer(t, k8s, *conf) 113 114 k8sclients := make(map[string]kubernetes.ClientInterface) 115 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 116 117 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 118 tlsService.enabledAutoMtls = util.AsPtr(false) 119 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{"test"}, conf.KubernetesConfig.ClusterName) 120 121 assert.NoError(err) 122 assert.Equal(MTLSPartiallyEnabled, status.Status) 123 } 124 125 func TestMeshStatusNotEnabled(t *testing.T) { 126 assert := assert.New(t) 127 128 conf := config.NewConfig() 129 conf.Deployment.ClusterWideAccess = true 130 kubernetes.SetConfig(t, *conf) 131 132 ns := &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}} 133 pa := []*security_v1beta1.PeerAuthentication{} 134 dr := []*networking_v1beta1.DestinationRule{ 135 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 136 data.CreateEmptyDestinationRule("istio-system", "default", "sleep.foo.svc.cluster.local")), 137 } 138 objs := []runtime.Object{ns} 139 objs = append(objs, kubernetes.ToRuntimeObjects(pa)...) 140 objs = append(objs, kubernetes.ToRuntimeObjects(dr)...) 141 142 k8s := kubetest.NewFakeK8sClient(objs...) 143 SetupBusinessLayer(t, k8s, *conf) 144 145 k8sclients := make(map[string]kubernetes.ClientInterface) 146 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 147 148 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 149 tlsService.enabledAutoMtls = util.AsPtr(false) 150 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{ns.Name}, conf.KubernetesConfig.ClusterName) 151 152 assert.NoError(err) 153 assert.Equal(MTLSNotEnabled, status.Status) 154 } 155 156 func TestMeshStatusDisabled(t *testing.T) { 157 assert := assert.New(t) 158 159 conf := config.NewConfig() 160 conf.Deployment.ClusterWideAccess = true 161 kubernetes.SetConfig(t, *conf) 162 163 pa := fakeMeshPeerAuthenticationWithMtlsMode("default", "DISABLE") 164 dr := []*networking_v1beta1.DestinationRule{ 165 data.AddTrafficPolicyToDestinationRule(data.CreateDisabledMTLSTrafficPolicyForDestinationRules(), 166 data.CreateEmptyDestinationRule("istio-system", "default", "*.local")), 167 } 168 objs := []runtime.Object{ 169 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}}, 170 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "istio-system"}}, 171 &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "default"}}, 172 } 173 objs = append(objs, kubernetes.ToRuntimeObjects(pa)...) 174 objs = append(objs, kubernetes.ToRuntimeObjects(dr)...) 175 176 k8s := kubetest.NewFakeK8sClient(objs...) 177 SetupBusinessLayer(t, k8s, *conf) 178 179 k8sclients := make(map[string]kubernetes.ClientInterface) 180 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 181 182 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 183 tlsService.enabledAutoMtls = util.AsPtr(false) 184 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{"test"}, conf.KubernetesConfig.ClusterName) 185 186 assert.NoError(err) 187 assert.Equal(MTLSDisabled, status.Status) 188 } 189 190 func TestMeshStatusNotEnabledAutoMtls(t *testing.T) { 191 assert := assert.New(t) 192 conf := config.NewConfig() 193 conf.Deployment.ClusterWideAccess = true 194 kubernetes.SetConfig(t, *conf) 195 196 ns := &core_v1.Namespace{ObjectMeta: meta_v1.ObjectMeta{Name: "test"}} 197 k8s := kubetest.NewFakeK8sClient(ns) 198 SetupBusinessLayer(t, k8s, *conf) 199 200 k8sclients := make(map[string]kubernetes.ClientInterface) 201 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 202 203 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 204 tlsService.enabledAutoMtls = util.AsPtr(true) 205 status, err := tlsService.MeshWidemTLSStatus(context.TODO(), []string{ns.Name}, conf.KubernetesConfig.ClusterName) 206 207 assert.NoError(err) 208 assert.Equal(MTLSNotEnabled, status.Status) 209 } 210 211 func TestNamespaceHasMTLSEnabled(t *testing.T) { 212 ps := fakeStrictPeerAuthn("default", "bookinfo") 213 drs := []*networking_v1beta1.DestinationRule{ 214 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 215 data.CreateEmptyDestinationRule("bookinfo", "allow-mtls", "*.bookinfo.svc.cluster.local")), 216 } 217 218 testNamespaceScenario(MTLSEnabled, drs, ps, false, t) 219 testNamespaceScenario(MTLSEnabled, drs, ps, true, t) 220 testNamespaceScenario(MTLSEnabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 221 } 222 223 func TestNamespaceHasPeerAuthnDisabled(t *testing.T) { 224 ps := fakePeerAuthnWithMtlsMode("default", "bookinfo", "DISABLE") 225 drs := []*networking_v1beta1.DestinationRule{ 226 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 227 data.CreateEmptyDestinationRule("bookinfo", "allow-mtls", "*.bookinfo.svc.cluster.local")), 228 } 229 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, false, t) 230 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, true, t) 231 testNamespaceScenario(MTLSDisabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 232 } 233 234 func TestNamespaceHasDestinationRuleDisabled(t *testing.T) { 235 ps := fakeStrictPeerAuthn("default", "bookinfo") 236 drs := []*networking_v1beta1.DestinationRule{ 237 data.CreateEmptyDestinationRule("bookinfo", "dr-1", "*.bookinfo.svc.cluster.local"), 238 } 239 240 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, false, t) 241 testNamespaceScenario(MTLSEnabled, drs, ps, true, t) 242 testNamespaceScenario(MTLSEnabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 243 } 244 245 func TestNamespaceHasNoDestinationRulesNoPolicy(t *testing.T) { 246 var drs []*networking_v1beta1.DestinationRule 247 var ps []*security_v1beta1.PeerAuthentication 248 249 testNamespaceScenario(MTLSNotEnabled, drs, ps, true, t) 250 testNamespaceScenario(MTLSNotEnabled, drs, ps, false, t) 251 252 ps = fakePeerAuthnWithSelector("default", "bookinfo", "productpage") 253 drs = []*networking_v1beta1.DestinationRule{ 254 data.CreateEmptyDestinationRule("bookinfo", "dr-1", "*.bookinfo.svc.cluster.local"), 255 } 256 257 testNamespaceScenario(MTLSNotEnabled, drs, ps, false, t) 258 testNamespaceScenario(MTLSNotEnabled, drs, ps, true, t) 259 testNamespaceScenario(MTLSNotEnabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 260 } 261 262 func TestNamespaceHasPermissivePeerAuthDisableDestRule(t *testing.T) { 263 ps := fakePermissivePeerAuthn("default", "bookinfo") 264 drs := []*networking_v1beta1.DestinationRule{ 265 data.AddTrafficPolicyToDestinationRule(data.CreateDisabledMTLSTrafficPolicyForDestinationRules(), 266 data.CreateEmptyDestinationRule("bookinfo", "disable-mtls", "*.bookinfo.svc.cluster.local")), 267 } 268 269 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, false, t) 270 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, true, t) 271 testNamespaceScenario(MTLSPartiallyEnabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 272 } 273 274 func TestNamespaceHasPermissivePeerAuthStrictDestRule(t *testing.T) { 275 ps := fakePermissivePeerAuthn("default", "bookinfo") 276 drs := []*networking_v1beta1.DestinationRule{ 277 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 278 data.CreateEmptyDestinationRule("bookinfo", "strict-mtls", "*.bookinfo.svc.cluster.local")), 279 } 280 281 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, false, t) 282 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, true, t) 283 testNamespaceScenario(MTLSPartiallyEnabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 284 } 285 286 func TestNamespaceHasMTLSDisabled(t *testing.T) { 287 ps := fakePeerAuthnWithMtlsMode("default", "bookinfo", "DISABLE") 288 drs := []*networking_v1beta1.DestinationRule{ 289 data.AddTrafficPolicyToDestinationRule(data.CreateDisabledMTLSTrafficPolicyForDestinationRules(), 290 data.CreateEmptyDestinationRule("bookinfo", "disable-mtls", "*.bookinfo.svc.cluster.local")), 291 } 292 293 testNamespaceScenario(MTLSDisabled, drs, ps, false, t) 294 testNamespaceScenario(MTLSDisabled, drs, ps, true, t) 295 testNamespaceScenario(MTLSDisabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 296 } 297 298 func TestNamespaceHasPeerAuthnDisabledMtlsDestRule(t *testing.T) { 299 ps := fakePeerAuthnWithMtlsMode("default", "bookinfo", "DISABLE") 300 drs := []*networking_v1beta1.DestinationRule{ 301 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 302 data.CreateEmptyDestinationRule("bookinfo", "disable-mtls", "*.bookinfo.svc.cluster.local")), 303 } 304 305 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, false, t) 306 testNamespaceScenario(MTLSPartiallyEnabled, drs, ps, true, t) 307 testNamespaceScenario(MTLSDisabled, []*networking_v1beta1.DestinationRule{}, ps, true, t) 308 } 309 310 func TestNamespaceHasDestinationRuleEnabledDifferentNs(t *testing.T) { 311 assert := assert.New(t) 312 313 ps := fakeStrictPeerAuthn("default", "bookinfo") 314 drs := []*networking_v1beta1.DestinationRule{ 315 data.AddTrafficPolicyToDestinationRule(data.CreateMTLSTrafficPolicyForDestinationRules(), 316 data.CreateEmptyDestinationRule("foo", "allow-mtls", "*.bookinfo.svc.cluster.local")), 317 } 318 319 var objs []runtime.Object 320 objs = append(objs, kubernetes.ToRuntimeObjects(ps)...) 321 objs = append(objs, kubernetes.ToRuntimeObjects(drs)...) 322 objs = append(objs, kubernetes.ToRuntimeObjects(fakeProjects())...) 323 k8s := kubetest.NewFakeK8sClient(objs...) 324 k8s.OpenShift = true 325 conf := config.NewConfig() 326 conf.Deployment.AccessibleNamespaces = []string{"**"} 327 kubernetes.SetConfig(t, *conf) 328 SetupBusinessLayer(t, k8s, *conf) 329 330 k8sclients := make(map[string]kubernetes.ClientInterface) 331 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 332 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 333 tlsService.enabledAutoMtls = util.AsPtr(false) 334 status, err := tlsService.NamespaceWidemTLSStatus(context.TODO(), "bookinfo", conf.KubernetesConfig.ClusterName) 335 336 assert.NoError(err) 337 assert.Equal(MTLSEnabled, status.Status) 338 339 statuses, err := tlsService.ClusterWideNSmTLSStatus(context.TODO(), []string{"bookinfo"}, conf.KubernetesConfig.ClusterName) 340 assert.NoError(err) 341 assert.NotEmpty(statuses) 342 for _, status := range statuses { 343 assert.Equal(MTLSEnabled, status.Status) 344 } 345 } 346 347 func testNamespaceScenario(exStatus string, drs []*networking_v1beta1.DestinationRule, ps []*security_v1beta1.PeerAuthentication, autoMtls bool, t *testing.T) { 348 assert := assert.New(t) 349 conf := config.NewConfig() 350 conf.Deployment.ClusterWideAccess = true 351 kubernetes.SetConfig(t, *conf) 352 353 var objs []runtime.Object 354 objs = append(objs, kubernetes.ToRuntimeObjects(ps)...) 355 objs = append(objs, kubernetes.ToRuntimeObjects(drs)...) 356 objs = append(objs, kubernetes.ToRuntimeObjects(fakeProjects())...) 357 k8s := kubetest.NewFakeK8sClient(objs...) 358 k8s.OpenShift = true 359 SetupBusinessLayer(t, k8s, *conf) 360 361 k8sclients := make(map[string]kubernetes.ClientInterface) 362 k8sclients[conf.KubernetesConfig.ClusterName] = k8s 363 tlsService := NewWithBackends(k8sclients, k8sclients, nil, nil).TLS 364 tlsService.enabledAutoMtls = &autoMtls 365 status, err := tlsService.NamespaceWidemTLSStatus(context.TODO(), "bookinfo", conf.KubernetesConfig.ClusterName) 366 367 assert.NoError(err) 368 assert.Equal(exStatus, status.Status) 369 370 statuses, err := tlsService.ClusterWideNSmTLSStatus(context.TODO(), []string{"bookinfo"}, conf.KubernetesConfig.ClusterName) 371 assert.NoError(err) 372 assert.NotEmpty(statuses) 373 for _, status := range statuses { 374 assert.Equal(exStatus, status.Status) 375 } 376 } 377 378 func fakeProjects() []*osproject_v1.Project { 379 return []*osproject_v1.Project{ 380 { 381 ObjectMeta: meta_v1.ObjectMeta{ 382 Name: "bookinfo", 383 }, 384 }, 385 { 386 ObjectMeta: meta_v1.ObjectMeta{ 387 Name: "foo", 388 }, 389 }, 390 } 391 } 392 393 func fakeStrictPeerAuthn(name, namespace string) []*security_v1beta1.PeerAuthentication { 394 return fakePeerAuthnWithMtlsMode(name, namespace, "STRICT") 395 } 396 397 func fakePeerAuthnWithSelector(name, namespace, target string) []*security_v1beta1.PeerAuthentication { 398 return []*security_v1beta1.PeerAuthentication{data.CreateEmptyPeerAuthenticationWithSelector(name, namespace, data.CreateOneLabelSelector(target))} 399 } 400 401 func fakePermissivePeerAuthn(name, namespace string) []*security_v1beta1.PeerAuthentication { 402 return fakePeerAuthnWithMtlsMode(name, namespace, "PERMISSIVE") 403 } 404 405 func fakePeerAuthnWithMtlsMode(name, namespace, mTLSmode string) []*security_v1beta1.PeerAuthentication { 406 return fakePeerAuthn(name, namespace, data.CreateMTLS(mTLSmode)) 407 } 408 409 func fakePeerAuthn(name, namespace string, peers *api_security_v1beta1.PeerAuthentication_MutualTLS) []*security_v1beta1.PeerAuthentication { 410 return []*security_v1beta1.PeerAuthentication{data.CreateEmptyPeerAuthentication(name, namespace, peers)} 411 } 412 413 func fakeStrictMeshPeerAuthentication(name string) []*security_v1beta1.PeerAuthentication { 414 return fakeMeshPeerAuthenticationWithMtlsMode(name, "STRICT") 415 } 416 417 func fakeMeshPeerAuthenticationWithMtlsMode(name, mTLSmode string) []*security_v1beta1.PeerAuthentication { 418 mtls := &api_security_v1beta1.PeerAuthentication_MutualTLS{ 419 Mode: api_security_v1beta1.PeerAuthentication_MutualTLS_Mode(api_security_v1beta1.PeerAuthentication_MutualTLS_Mode_value[mTLSmode]), 420 } 421 return fakeMeshPeerAuthentication(name, mtls) 422 } 423 424 func fakeMeshPeerAuthentication(name string, mtls *api_security_v1beta1.PeerAuthentication_MutualTLS) []*security_v1beta1.PeerAuthentication { 425 return []*security_v1beta1.PeerAuthentication{data.CreateEmptyMeshPeerAuthentication(name, mtls)} 426 }