github.com/oam-dev/kubevela@v1.9.11/pkg/webhook/core.oam.dev/v1beta1/application/mutating_handler_test.go (about) 1 /* 2 Copyright 2022 The KubeVela Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package application 18 19 import ( 20 "fmt" 21 22 . "github.com/onsi/ginkgo/v2" 23 . "github.com/onsi/gomega" 24 "gomodules.xyz/jsonpatch/v2" 25 admissionv1 "k8s.io/api/admission/v1" 26 authv1 "k8s.io/api/authentication/v1" 27 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 28 "k8s.io/apimachinery/pkg/runtime" 29 utilfeature "k8s.io/apiserver/pkg/util/feature" 30 "sigs.k8s.io/controller-runtime/pkg/webhook/admission" 31 32 "github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1" 33 "github.com/oam-dev/kubevela/apis/types" 34 "github.com/oam-dev/kubevela/pkg/features" 35 "github.com/oam-dev/kubevela/pkg/oam" 36 ) 37 38 var _ = Describe("Test Application Mutator", func() { 39 40 var mutatingHandler *MutatingHandler 41 42 BeforeEach(func() { 43 mutatingHandler = &MutatingHandler{skipUsers: []string{types.VelaCoreName}} 44 Expect(mutatingHandler.InjectDecoder(decoder)).Should(BeNil()) 45 }) 46 47 It("Test Application Mutator [no authentication]", func() { 48 Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=false", features.AuthenticateApplication))).Should(Succeed()) 49 resp := mutatingHandler.Handle(ctx, admission.Request{ 50 AdmissionRequest: admissionv1.AdmissionRequest{ 51 Object: runtime.RawExtension{Raw: []byte(`{}`)}, 52 }, 53 }) 54 Expect(resp.Allowed).Should(BeTrue()) 55 Expect(resp.Patches).Should(BeNil()) 56 }) 57 58 It("Test Application Mutator [ignore authentication]", func() { 59 Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=true", features.AuthenticateApplication))).Should(Succeed()) 60 resp := mutatingHandler.Handle(ctx, admission.Request{ 61 AdmissionRequest: admissionv1.AdmissionRequest{ 62 UserInfo: authv1.UserInfo{Username: types.VelaCoreName}, 63 Object: runtime.RawExtension{Raw: []byte(`{}`)}, 64 }}) 65 Expect(resp.Allowed).Should(BeTrue()) 66 Expect(resp.Patches).Should(BeNil()) 67 }) 68 69 It("Test Application Mutator [bad request]", func() { 70 Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=true", features.AuthenticateApplication))).Should(Succeed()) 71 req := admission.Request{ 72 AdmissionRequest: admissionv1.AdmissionRequest{ 73 Operation: admissionv1.Create, 74 Resource: metav1.GroupVersionResource{Group: v1beta1.Group, Version: v1beta1.Version, Resource: "applications"}, 75 Object: runtime.RawExtension{Raw: []byte("bad request")}, 76 }, 77 } 78 resp := mutatingHandler.Handle(ctx, req) 79 Expect(resp.Allowed).Should(BeFalse()) 80 }) 81 82 It("Test Application Mutator [bad request with service-account]", func() { 83 Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=true", features.AuthenticateApplication))).Should(Succeed()) 84 req := admission.Request{ 85 AdmissionRequest: admissionv1.AdmissionRequest{ 86 Operation: admissionv1.Create, 87 Resource: metav1.GroupVersionResource{Group: v1beta1.Group, Version: v1beta1.Version, Resource: "applications"}, 88 Object: runtime.RawExtension{Raw: []byte(`{"apiVersion":"core.oam.dev/v1beta1","kind":"Application","metadata":{"name":"example","annotations":{"app.oam.dev/service-account-name":"default"}}}`)}, 89 }, 90 } 91 resp := mutatingHandler.Handle(ctx, req) 92 Expect(resp.Allowed).Should(BeFalse()) 93 Expect(resp.Result.Message).Should(ContainSubstring("service-account annotation is not permitted when authentication enabled")) 94 }) 95 96 It("Test Application Mutator [with patch]", func() { 97 Expect(utilfeature.DefaultMutableFeatureGate.Set(fmt.Sprintf("%s=true", features.AuthenticateApplication))).Should(Succeed()) 98 req := admission.Request{ 99 AdmissionRequest: admissionv1.AdmissionRequest{ 100 Operation: admissionv1.Create, 101 Resource: metav1.GroupVersionResource{Group: v1beta1.Group, Version: v1beta1.Version, Resource: "applications"}, 102 Object: runtime.RawExtension{Raw: []byte(`{"apiVersion":"core.oam.dev/v1beta1","kind":"Application","metadata":{"name":"example"},"spec":{"workflow":{"steps":[{"properties":{"duration":"3s"},"type":"suspend"}]}}}`)}, 103 UserInfo: authv1.UserInfo{ 104 Username: "example-user", 105 Groups: []string{"kubevela:example-group1", "kubevela:example-group2"}, 106 }, 107 }, 108 } 109 resp := mutatingHandler.Handle(ctx, req) 110 Expect(resp.Allowed).Should(BeTrue()) 111 Expect(resp.Patches).Should(ContainElement(jsonpatch.JsonPatchOperation{ 112 Operation: "add", 113 Path: "/metadata/annotations", 114 Value: map[string]interface{}{ 115 oam.AnnotationApplicationGroup: "kubevela:example-group1,kubevela:example-group2", 116 }, 117 })) 118 Expect(resp.Patches).Should(ContainElement(jsonpatch.JsonPatchOperation{ 119 Operation: "add", 120 Path: "/spec/workflow/steps/0/name", 121 Value: "step-0", 122 })) 123 }) 124 })