wip fix tests
kozjan committed Dec 13, 2024
1 parent 582b6ed commit d7be6cd
Showing 8 changed files with 48 additions and 1 deletion.
Expand Up @@ -9,6 +9,7 @@ import java.util.function.Consumer

private class RbacLog(
val protocol: String,
val rule: String,
val path: String? = null,
val method: String? = null,
val clientName: String? = null,
Expand Down Expand Up @@ -41,6 +42,7 @@ fun ObjectAssert<EnvoyContainer>.hasNoRBACDenials(): ObjectAssert<EnvoyContainer
@Suppress("LongParameterList")
fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionBlock(
protocol: String,
rule: String,
path: String,
method: String,
clientName: String,
Expand All @@ -53,6 +55,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionBlock(
protocol = protocol,
logPredicate = RbacLog(
protocol = protocol,
rule = rule,
path = path,
method = method,
clientName = clientName,
Expand All @@ -67,6 +70,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionBlock(

fun ObjectAssert<EnvoyContainer>.hasOneAccessAllowedWithActionLog(
protocol: String,
rule: String,
path: String? = null,
method: String? = null,
clientName: String? = null,
Expand All @@ -81,6 +85,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessAllowedWithActionLog(
shadowDenied = false,
logPredicate = RbacLog(
protocol = protocol,
rule = rule,
path = path,
method = method,
clientIp = clientIp,
Expand All @@ -95,6 +100,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessAllowedWithActionLog(

fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionLog(
protocol: String,
rule: String,
path: String? = null,
method: String? = null,
clientName: String? = null,
Expand All @@ -109,6 +115,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionLog(
shadowDenied = false,
logPredicate = RbacLog(
protocol = protocol,
rule = rule,
path = path,
method = method,
clientIp = clientIp,
Expand All @@ -123,7 +130,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionLog(

fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionLog(
protocol: String,
path: String? = null,
rule: String,path: String? = null,
method: String? = null,
clientName: String? = null,
trustedClient: Boolean? = null,
Expand All @@ -138,6 +145,7 @@ fun ObjectAssert<EnvoyContainer>.hasOneAccessDenialWithActionLog(
protocol = protocol,
logPredicate = RbacLog(
protocol = protocol,
rule = rule,
path = path,
method = method,
clientIp = clientIp,
Expand Down Expand Up @@ -181,6 +189,7 @@ private fun ObjectAssert<String>.matchesRbacAccessDeniedLog(logPredicate: RbacLo
assertThat(parsed.protocol).isEqualTo(logPredicate.protocol)
assertEqualProperty(parsed, logPredicate, RbacLog::protocol)
assertEqualProperty(parsed, logPredicate, RbacLog::method)
assertEqualProperty(parsed, logPredicate, RbacLog::rule)
assertEqualProperty(parsed, logPredicate, RbacLog::path)
assertEqualProperty(parsed, logPredicate, RbacLog::clientIp)
assertEqualProperty(parsed, logPredicate, RbacLog::clientName)
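Review bot: `rule` is added as a required, non-null `String` on `RbacLog` and on every assertion helper, while `RbacLog` and the `...WithActionLog` helpers declare the neighbouring `path`, `method` and `clientName` as nullable with a `null` default, so a caller that does not know the matched rule has to pass a filler value. If `assertEqualProperty` skips properties that are null on the expected side (its body is not visible here), declaring `val rule: String? = null` on the class and `rule: String? = null` on the helpers would keep them consistent and let a test omit the field. If `RbacLog` is also the type the log line is parsed into, as the `parsed` argument suggests, a non-null field may additionally fail on any log line that lacks the key. In the last `hasOneAccessDenialWithActionLog` overload the new parameter shares a line with the next one, `rule: String,path: String? = null,`; it should be split into `rule: String,` and `path: String? = null,`. The helper bodies continue outside the visible hunks.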
Expand Up @@ -121,6 +121,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echoResponse).isOk().isFrom(service)
assertThat(echoEnvoy.container).hasOneAccessAllowedWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "echo3",
Expand Down Expand Up @@ -150,6 +151,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echoResponse).isOk().isFrom(service)
assertThat(echoEnvoy.container).hasOneAccessAllowedWithActionLog(
protocol = "https",
rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/block-unlisted-clients",
method = "GET",
clientName = "echo3",
Expand Down Expand Up @@ -179,6 +181,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echoResponse).isOk().isFrom(service)
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "echo3",
Expand Down Expand Up @@ -208,6 +211,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echoResponse).isForbidden()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/block-unlisted-clients",
method = "GET",
clientName = "echo3",
Expand All @@ -232,6 +236,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echo2Envoy.container.ingressTlsRequests()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"echo\",\"negated\":false}],\"unlistedClientsPolicy\":\"LOG\"}",
path = "/log-unlisted-endpoint",
method = "GET",
clientName = "echo3 (not trusted)",
Expand All @@ -255,6 +260,7 @@ internal class IncomingPermissionsAllowedClientTest {
assertThat(echoEnvoy.container.ingressTlsRequests()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "",
path = "/block-and-log-unlisted-endpoint",
method = "GET",
clientName = "echo3 (not trusted)",
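Review bot: The expected `rule` in the `echo2Envoy` assertion names `/log-unlisted-clients` while the same call asserts `path = "/log-unlisted-endpoint"`; with `pathMatchingType` set to `PATH`, a rule for one path would not be expected to match a request to the other, so one of the two values looks copied from a neighbouring test. The assertion after it passes `rule = ""` for `/block-and-log-unlisted-endpoint`, which pins the logged rule to an empty string instead of the rule or default policy that produced the denial. Both should carry the value Envoy is expected to log, otherwise the test no longer verifies which rule made the access decision. The repeated escaped JSON literals would be easier to compare as raw strings held in named constants.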
Expand Up @@ -87,6 +87,7 @@ internal class IncomingPermissionsEmptyClientsTest {
assertThat(echoResponse).isForbidden()
assertThat(envoy1.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "{\"path\":\"/blocked-for-all\",\"pathMatchingType\":\"PATH\"}",
path = "/blocked-for-all",
method = "GET",
clientName = "",
Expand All @@ -105,6 +106,7 @@ internal class IncomingPermissionsEmptyClientsTest {
assertThat(echoResponse).isOk().isFrom(echo)
assertThat(envoy1.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "ALLOW_UNLISTED_POLICY",
path = "/unlisted",
method = "GET",
clientName = "",
Expand All @@ -121,6 +123,7 @@ internal class IncomingPermissionsEmptyClientsTest {
assertThat(echo2Response).isOk().isFrom(echo2)
assertThat(envoy2.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "{\"path\":\"/logged-for-all\",\"pathMatchingType\":\"PATH\", \"unlistedClientsPolicy\":\"LOG\"}",
path = "/logged-for-all",
method = "GET",
clientName = "",
Expand All @@ -137,6 +140,7 @@ internal class IncomingPermissionsEmptyClientsTest {
assertThat(echo2Response).isForbidden()
assertThat(envoy2.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "?",
path = "/unlisted",
method = "GET",
clientName = "",
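Review bot: `rule = "?"` in the last assertion of this file is a placeholder, not an expected value; the same filler appears in four `/unlisted-endpoint` assertions in `IncomingPermissionsLoggingModeTest`. Because the helper now compares `RbacLog::rule`, these assertions presumably cannot pass against a real log line, and until they are filled in the tests do not verify which policy blocked the request. The rule literal for `/logged-for-all` also has a space after a comma (`\"pathMatchingType\":\"PATH\", \"unlistedClientsPolicy\"`) that no other literal in the commit has; if the comparison is plain string equality (assumed, the helper body is not shown), that space alone would break the match.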
Expand Up @@ -60,6 +60,7 @@ internal class IncomingPermissionsEmptyEndpointsTest {
assertThat(echoResponse).isOk().isFrom(echo)
assertThat(envoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "ALLOW_LOGGED_POLICY",
path = "/some-endpoint",
method = "GET",
clientName = "",
Expand Up @@ -265,6 +265,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/block-unlisted-clients",
method = "GET",
clientName = "echo2",
Expand All @@ -284,6 +285,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/block-unlisted-clients",
method = "GET",
clientName = "echo",
Expand Down Expand Up @@ -325,6 +327,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}",
path = "/block-unlisted-clients-by-default",
method = "GET",
clientName = "",
Expand All @@ -344,6 +347,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "{\"path\":\"/block-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/block-unlisted-clients",
method = "GET",
clientName = "",
Expand Down Expand Up @@ -386,6 +390,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "echo2",
Expand All @@ -405,6 +410,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "echo",
Expand Down Expand Up @@ -444,6 +450,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "",
Expand All @@ -461,6 +468,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "",
Expand Down Expand Up @@ -505,6 +513,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}",
path = "/block-unlisted-clients-by-default",
method = "GET",
clientName = "echo2",
Expand All @@ -524,6 +533,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}",
path = "/block-unlisted-clients-by-default",
method = "GET",
clientName = "",
Expand All @@ -543,6 +553,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "?",
path = "/unlisted-endpoint",
method = "GET",
clientName = "echo3",
Expand All @@ -562,6 +573,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "ALLOW_LOGGED_POLICY",
path = "/unlisted-endpoint",
method = "GET",
clientName = "echo3",
Expand All @@ -581,6 +593,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "?",
path = "/unlisted-endpoint",
method = "GET",
clientName = "echo2",
Expand All @@ -601,6 +614,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "ALLOW_LOGGED_POLICY",
path = "/unlisted-endpoint",
method = "GET",
clientName = "echo",
Expand All @@ -620,6 +634,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "?",
path = "/unlisted-endpoint",
method = "GET",
clientName = "",
Expand All @@ -639,6 +654,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "ALLOW_LOGGED_POLICY",
path = "/unlisted-endpoint",
method = "GET",
clientName = "",
Expand All @@ -657,6 +673,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "http",
rule = "?",
path = "/unlisted-endpoint",
method = "GET",
clientName = "",
Expand All @@ -676,6 +693,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_http.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "http",
rule = "ALLOW_UNLISTED_POLICY",
path = "/unlisted-endpoint",
method = "GET",
clientName = "",
Expand All @@ -699,6 +717,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echoEnvoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echoEnvoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "POST",
clientName = "echo3",
Expand All @@ -723,6 +742,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "POST",
clientName = "echo3",
Expand All @@ -746,6 +766,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionLog(
protocol = "https",
rule = "{\"path\":\"/log-unlisted-clients\",\"pathMatchingType\":\"PATH\",\"methods\":[\"GET\"],\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}],\"unlistedClientsPolicy\":\"BLOCKANDLOG\"}",
path = "/log-unlisted-clients",
method = "GET",
clientName = "service-name-from-header (not trusted)",
Expand All @@ -766,6 +787,7 @@ class IncomingPermissionsLoggingModeTest {
assertThat(echo2Envoy.container.admin().statValue("http.ingress_https.downstream_rq_completed")?.toInt()).isOne()
assertThat(echo2Envoy.container).hasOneAccessDenialWithActionBlock(
protocol = "https",
rule = "{\"path\":\"/block-unlisted-clients-by-default\",\"pathMatchingType\":\"PATH\",\"clients\":[{\"name\":\"authorized-clients\",\"negated\":false}]}",
path = "/block-unlisted-clients-by-default",
method = "GET",
clientName = "echo",
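Review bot: Every expected rule for `/log-unlisted-clients` in this file carries `\"unlistedClientsPolicy\":\"BLOCKANDLOG\"`, yet most of them are passed to `hasOneAccessDenialWithActionLog`, and `IncomingPermissionsAllowedClientTest` expects `\"LOG\"` for the same path; the fixture is not visible here, so the literal should be checked against the configured rule instead of being copied between tests. Two assertions also pair `method = "POST"` with a rule restricted to `\"methods\":[\"GET\"]`, which would not be expected to be the rule that matched a POST request. The `/unlisted-endpoint` cases on `echo2Envoy` over `http` expect `ALLOW_LOGGED_POLICY` in one test and `ALLOW_UNLISTED_POLICY` in another; if both run against the same configuration, only one can be right. Holding each rule literal in a named constant would make such mismatches visible in review.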