test: target ref validation integrations tests for RLP and AP

Kuadrant · Dec 8, 2023 · a0a1d63 · a0a1d63
1 parent b2ada06
commit a0a1d63
Show file tree

Hide file tree

Showing 4 changed files with 183 additions and 116 deletions.
diff --git a/api/v1beta2/authpolicy_types_test.go b/api/v1beta2/authpolicy_types_test.go
@@ -247,74 +247,6 @@ func TestAuthPolicyValidate(t *testing.T) {
 		valid   bool
 		message string
 	}{
-		{
-			name: "valid policy targeting a httproute",
-			policy: &AuthPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-policy",
-					Namespace: "my-namespace",
-				},
-				Spec: AuthPolicySpec{
-					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-						Group: "gateway.networking.k8s.io",
-						Kind:  "HTTPRoute",
-						Name:  "my-route",
-					},
-				},
-			},
-			valid: true,
-		},
-		{
-			name: "valid policy targeting a gateway",
-			policy: &AuthPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-policy",
-					Namespace: "my-namespace",
-				},
-				Spec: AuthPolicySpec{
-					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-						Group: "gateway.networking.k8s.io",
-						Kind:  "Gateway",
-						Name:  "my-gw",
-					},
-				},
-			},
-			valid: true,
-		},
-		{
-			name: "invalid targetRef group",
-			policy: &AuthPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-policy",
-					Namespace: "my-namespace",
-				},
-				Spec: AuthPolicySpec{
-					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-						Group: "not-gateway.networking.k8s.io.group",
-						Kind:  "HTTPRoute",
-						Name:  "my-non-gwapi-route",
-					},
-				},
-			},
-			message: "invalid targetRef.Group not-gateway.networking.k8s.io.group. The only supported group is gateway.networking.k8s.io",
-		},
-		{
-			name: "invalid targetRef kind",
-			policy: &AuthPolicy{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-policy",
-					Namespace: "my-namespace",
-				},
-				Spec: AuthPolicySpec{
-					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
-						Group: "gateway.networking.k8s.io",
-						Kind:  "TCPRoute",
-						Name:  "my-tcp-route",
-					},
-				},
-			},
-			message: "invalid targetRef.Kind TCPRoute. The only supported kinds are HTTPRoute and Gateway",
-		},
 		{
 			name: "invalid usage of top-level route selectors with a gateway targetRef",
 			policy: &AuthPolicy{

diff --git a/api/v1beta2/ratelimitpolicy_types_test.go b/api/v1beta2/ratelimitpolicy_types_test.go
@@ -44,49 +44,13 @@ func testBuildBasicHTTPRouteRLP(name string) *RateLimitPolicy {
 // TestRateLimitPolicyValidation calls rlp.Validate()
 // for a valid return value.
 func TestRateLimitPolicyValidation(t *testing.T) {
-	// valid httproute rlp
 	name := "httproute-a"
-	rlp := testBuildBasicHTTPRouteRLP(name)
-	err := rlp.Validate()
-	if err != nil {
-		t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
-	}
-
-	// valid gateway rlp
-	name = "gateway-a"
-	rlp = testBuildBasicGatewayRLP(name)
-	err = rlp.Validate()
-	if err != nil {
-		t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
-	}
-
-	// invalid group
-	rlp = testBuildBasicHTTPRouteRLP(name)
-	rlp.Spec.TargetRef.Group = gatewayapiv1.Group("foo.example.com")
-	err = rlp.Validate()
-	if err == nil {
-		t.Fatal(`rlp.Validate() did not return error and should`)
-	}
-	if !strings.Contains(err.Error(), "invalid targetRef.Group") {
-		t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
-	}
-
-	// invalid kind
-	rlp = testBuildBasicHTTPRouteRLP(name)
-	rlp.Spec.TargetRef.Kind = gatewayapiv1.Kind("Foo")
-	err = rlp.Validate()
-	if err == nil {
-		t.Fatal(`rlp.Validate() did not return error and should`)
-	}
-	if !strings.Contains(err.Error(), "invalid targetRef.Kind") {
-		t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
-	}
 
 	// Different namespace
-	rlp = testBuildBasicHTTPRouteRLP(name)
+	rlp := testBuildBasicHTTPRouteRLP(name)
 	otherNS := gatewayapiv1.Namespace(rlp.GetNamespace() + "other")
 	rlp.Spec.TargetRef.Namespace = &otherNS
-	err = rlp.Validate()
+	err := rlp.Validate()
 	if err == nil {
 		t.Fatal(`rlp.Validate() did not return error and should`)
 	}

diff --git a/controllers/authpolicy_controller_test.go b/controllers/authpolicy_controller_test.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
+	api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	secv1beta1resources "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -23,9 +25,6 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-	authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
-	api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 )
 
 const (
@@ -1260,6 +1259,92 @@ var _ = Describe("AuthPolicy controller", func() {
 	Context("TODO: Targeted resource does not exist", func() {})
 })
 
+var _ = Describe("AuthPolicy CEL Validations", func() {
+	var testNamespace string
+
+	BeforeEach(func() {
+		CreateNamespace(&testNamespace)
+	})
+
+	AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+	Context("Spec TargetRef Validations", func() {
+		It("Valid policy targeting HTTPRoute", func() {
+			policy := &api.AuthPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: api.AuthPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "HTTPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(BeNil())
+		})
+
+		It("Valid policy targeting Gateway", func() {
+			policy := &api.AuthPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: api.AuthPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "Gateway",
+						Name:  "my-gw",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(BeNil())
+		})
+
+		It("Invalid Target Ref Group", func() {
+			policy := &api.AuthPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: api.AuthPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "not-gateway.networking.k8s.io",
+						Kind:  "HTTPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(Not(BeNil()))
+			Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+		})
+
+		It("Invalid Target Ref Kind", func() {
+			policy := &api.AuthPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: api.AuthPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "TCPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(Not(BeNil()))
+			Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+		})
+	})
+})
+
 func testBasicAuthScheme() api.AuthSchemeSpec {
 	return api.AuthSchemeSpec{
 		Authentication: map[string]api.AuthenticationSpec{

diff --git a/controllers/ratelimitpolicy_controller_test.go b/controllers/ratelimitpolicy_controller_test.go
@@ -5,25 +5,25 @@ package controllers
 import (
 	"context"
 	"encoding/json"
+	"strings"
 	"time"
 
+	kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
+	"github.com/kuadrant/kuadrant-operator/pkg/common"
+	"github.com/kuadrant/kuadrant-operator/pkg/rlptools"
+	"github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
+	limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-	kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
-	"github.com/kuadrant/kuadrant-operator/pkg/common"
-	"github.com/kuadrant/kuadrant-operator/pkg/rlptools"
-	"github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
-	limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
-	"k8s.io/utils/ptr"
 )
 
 var _ = Describe("RateLimitPolicy controller", func() {
@@ -622,6 +622,92 @@ var _ = Describe("RateLimitPolicy controller", func() {
 	})
 })
 
+var _ = Describe("RateLimitPolicy CEL Validations", func() {
+	var testNamespace string
+
+	BeforeEach(func() {
+		CreateNamespace(&testNamespace)
+	})
+
+	AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+	Context("Spec TargetRef Validations", func() {
+		It("Valid policy targeting HTTPRoute", func() {
+			policy := &kuadrantv1beta2.RateLimitPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: kuadrantv1beta2.RateLimitPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "HTTPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(BeNil())
+		})
+
+		It("Valid policy targeting Gateway", func() {
+			policy := &kuadrantv1beta2.RateLimitPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: kuadrantv1beta2.RateLimitPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "Gateway",
+						Name:  "my-gw",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(BeNil())
+		})
+
+		It("Invalid Target Ref Group", func() {
+			policy := &kuadrantv1beta2.RateLimitPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: kuadrantv1beta2.RateLimitPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "not-gateway.networking.k8s.io",
+						Kind:  "HTTPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(Not(BeNil()))
+			Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+		})
+
+		It("Invalid Target Ref Kind", func() {
+			policy := &kuadrantv1beta2.RateLimitPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-policy",
+					Namespace: testNamespace,
+				},
+				Spec: kuadrantv1beta2.RateLimitPolicySpec{
+					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+						Group: "gateway.networking.k8s.io",
+						Kind:  "TCPRoute",
+						Name:  "my-route",
+					},
+				},
+			}
+			err := k8sClient.Create(context.Background(), policy)
+			Expect(err).To(Not(BeNil()))
+			Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+		})
+	})
+})
+
 func testRLPIsAvailable(rlpKey client.ObjectKey) func() bool {
 	return func() bool {
 		existingRLP := &kuadrantv1beta2.RateLimitPolicy{}