feat(tests): webhook integration tests.
Adds tests to ensure that the function used by the webhooks server is
calling the correct validation functions.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
jvanz committed Jan 10, 2025
1 parent 6306fe5 commit 533f54e
Showing 5 changed files with 492 additions and 0 deletions.
117 changes: 117 additions & 0 deletions api/policies/v1/admissionpolicy_webhook_test.go
Expand Up @@ -18,6 +18,7 @@ import (
"testing"

"github.com/stretchr/testify/require"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"

"github.com/kubewarden/kubewarden-controller/internal/constants"
)
Expand All @@ -43,6 +44,37 @@ func TestAdmissionPolicyValidateUpdate(t *testing.T) {
warnings, err := newPolicy.ValidateUpdate(oldPolicy)
require.NoError(t, err)
require.Empty(t, warnings)

oldPolicy = NewAdmissionPolicyFactory().
WithMode("monitor").
Build()
newPolicy = NewAdmissionPolicyFactory().
WithMode("protect").
Build()
warnings, err = newPolicy.ValidateUpdate(oldPolicy)
require.NoError(t, err)
require.Empty(t, warnings)
}

func TestInvalidAdmissionPolicyValidateUpdate(t *testing.T) {
oldPolicy := NewAdmissionPolicyFactory().
WithPolicyServer("old").
Build()
newPolicy := NewAdmissionPolicyFactory().
WithPolicyServer("new").
Build()
warnings, err := newPolicy.ValidateUpdate(oldPolicy)
require.Error(t, err)
require.Empty(t, warnings)

newPolicy = NewAdmissionPolicyFactory().
WithPolicyServer("new").
WithMode("monitor").
Build()

warnings, err = newPolicy.ValidateUpdate(oldPolicy)
require.Error(t, err)
require.Empty(t, warnings)
}

func TestAdmissionPolicyValidateUpdateWithInvalidOldPolicy(t *testing.T) {
Expand All @@ -52,3 +84,88 @@ func TestAdmissionPolicyValidateUpdateWithInvalidOldPolicy(t *testing.T) {
require.Empty(t, warnings)
require.ErrorContains(t, err, "object is not of type AdmissionPolicy")
}

func TestInvalidAdmissionPolicyCreation(t *testing.T) {
policy := NewAdmissionPolicyFactory().
WithPolicyServer("").
WithRules([]admissionregistrationv1.RuleWithOperations{
{},
{
Operations: []admissionregistrationv1.OperationType{},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
}},
{
Operations: nil,
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{""},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{""},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{""},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"", "pods"},
},
},
}).
WithMatchConditions([]admissionregistrationv1.MatchCondition{
{
Name: "foo",
Expression: "1 + 1",
},
{
Name: "foo",
Expression: "invalid expression",
},
}).
Build()
warnings, err := policy.ValidateCreate()
require.Error(t, err)
require.Empty(t, warnings)
}
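Review bot: TestInvalidAdmissionPolicyCreation puts an empty policy server, nine malformed rules and two match conditions into one policy and asserts only `require.Error`, so it passes as long as any single check rejects the object. A regression that stops validating, say, an empty `Resources` list or the match-condition expression would go unnoticed, which matters for a webhook that is the gate on what policies the cluster accepts. Presumably each entry is meant to be rejected on its own, so one subtest per invalid input would pin every check, ideally with `require.ErrorContains` on the offending field. The second case of TestInvalidAdmissionPolicyValidateUpdate has the same weakness, since it changes the policy server and the mode together, and admissionpolicygroup_webhook_test.go repeats both patterns.

```go
func TestInvalidAdmissionPolicyCreation(t *testing.T) {
	tests := []struct {
		name  string
		rules []admissionregistrationv1.RuleWithOperations
	}{
		{
			name:  "empty rule",
			rules: []admissionregistrationv1.RuleWithOperations{{}},
		},
		{
			name: "nil operations",
			rules: []admissionregistrationv1.RuleWithOperations{{
				Operations: nil,
				Rule: admissionregistrationv1.Rule{
					APIGroups:   []string{"*"},
					APIVersions: []string{"*"},
					Resources:   []string{"*/*"},
				},
			}},
		},
		// … one entry per remaining invalid rule from the original list …
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			policy := NewAdmissionPolicyFactory().
				WithRules(test.rules).
				Build()
			warnings, err := policy.ValidateCreate()
			require.Error(t, err)
			require.Empty(t, warnings)
		})
	}
	// … the empty policy server and the match conditions get their own subtests in the same way …
}
```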
117 changes: 117 additions & 0 deletions api/policies/v1/admissionpolicygroup_webhook_test.go
Expand Up @@ -18,6 +18,7 @@ import (
"testing"

"github.com/stretchr/testify/require"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"

"github.com/kubewarden/kubewarden-controller/internal/constants"
)
Expand Down Expand Up @@ -52,6 +53,37 @@ func TestAdmissionPolicyGroupValidateUpdate(t *testing.T) {
warnings, err := newPolicy.ValidateUpdate(oldPolicy)
require.NoError(t, err)
require.Empty(t, warnings)

oldPolicy = NewAdmissionPolicyGroupFactory().
WithMode("monitor").
Build()
newPolicy = NewAdmissionPolicyGroupFactory().
WithMode("protect").
Build()
warnings, err = newPolicy.ValidateUpdate(oldPolicy)
require.NoError(t, err)
require.Empty(t, warnings)
}

func TestInvalidAdmissionPolicyGroupValidateUpdate(t *testing.T) {
oldPolicy := NewAdmissionPolicyFactory().
WithPolicyServer("old").
Build()
newPolicy := NewAdmissionPolicyFactory().
WithPolicyServer("new").
Build()
warnings, err := newPolicy.ValidateUpdate(oldPolicy)
require.Error(t, err)
require.Empty(t, warnings)

newPolicy = NewAdmissionPolicyFactory().
WithPolicyServer("new").
WithMode("monitor").
Build()

warnings, err = newPolicy.ValidateUpdate(oldPolicy)
require.Error(t, err)
require.Empty(t, warnings)
}

func TestAdmissionPolicyGroupValidateUpdateWithInvalidOldPolicy(t *testing.T) {
Expand All @@ -61,3 +93,88 @@ func TestAdmissionPolicyGroupValidateUpdateWithInvalidOldPolicy(t *testing.T) {
require.Empty(t, warnings)
require.ErrorContains(t, err, "object is not of type AdmissionPolicyGroup")
}

func TestInvalidAdmissionPolicyGroupCreation(t *testing.T) {
policy := NewAdmissionPolicyGroupFactory().
WithPolicyServer("").
WithRules([]admissionregistrationv1.RuleWithOperations{
{},
{
Operations: []admissionregistrationv1.OperationType{},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
}},
{
Operations: nil,
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{""},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{""},
Resources: []string{"*/*"},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{""},
},
},
{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.OperationAll},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"", "pods"},
},
},
}).
WithMatchConditions([]admissionregistrationv1.MatchCondition{
{
Name: "foo",
Expression: "1 + 1",
},
{
Name: "foo",
Expression: "invalid expression",
},
}).
Build()
warnings, err := policy.ValidateCreate()
require.Error(t, err)
require.Empty(t, warnings)
}
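Review bot: TestInvalidAdmissionPolicyGroupValidateUpdate builds both objects with `NewAdmissionPolicyFactory()`, so it exercises the AdmissionPolicy `ValidateUpdate` again and leaves the AdmissionPolicyGroup path that should reject a policy-server change without coverage. The three builder calls should use the group factory: `oldPolicy := NewAdmissionPolicyGroupFactory().`, `newPolicy := NewAdmissionPolicyGroupFactory().` and `newPolicy = NewAdmissionPolicyGroupFactory().`. `WithPolicyServer` and `WithMode` are both called on the group factory elsewhere in this file, so the rest of each chain should compile unchanged.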