tests: additional tests for auth, dns and tls

Signed-off-by: KevFan <[email protected]>
Kuadrant · Nov 5, 2024 · 70ddfdd · 70ddfdd
1 parent 511a2f7
commit 70ddfdd
Show file tree

Hide file tree

Showing 2 changed files with 151 additions and 14 deletions.
diff --git a/controllers/common.go b/controllers/common.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/kuadrant/policy-machinery/machinery"
 	"github.com/samber/lo"
-	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -58,8 +57,7 @@ func PolicyAffectedConditionType(policyKind string) string {
 func IsPolicyAccepted(ctx context.Context, p machinery.Policy, s *sync.Map) bool {
 	switch t := p.(type) {
 	case *kuadrantv1beta3.AuthPolicy:
-		// TODO: update when information is available in state
-		return meta.IsStatusConditionTrue(t.GetStatus().GetConditions(), string(gatewayapiv1alpha2.PolicyConditionAccepted))
+		return isAuthPolicyAcceptedFunc(s)(p)
 	case *kuadrantv1beta3.RateLimitPolicy:
 		return isRateLimitPolicyAcceptedFunc(s)(p)
 	case *kuadrantv1alpha1.TLSPolicy:

diff --git a/tests/common/targetstatus/target_status_controller_test.go b/tests/common/targetstatus/target_status_controller_test.go
@@ -313,6 +313,137 @@ var _ = Describe("Target status reconciler", func() {
 			Expect(k8sClient.Delete(ctx, routePolicy)).To(Succeed())
 			Eventually(policyAcceptedAndTargetsAffected(ctx, gatewayPolicy, otherRouteName, TestHTTPRouteName)).WithContext(ctx).Should(BeTrue())
 		}, testTimeOut)
+
+		It("adds section name polices only to specific listener status conditions", func(ctx SpecContext) {
+			policy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "section-ap"
+				policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+					LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayapiv1.GroupName,
+						Kind:  "Gateway",
+						Name:  TestGatewayName,
+					},
+					SectionName: ptr.To[gatewayapiv1.SectionName]("test-listener-toystore-com"),
+				}
+			})
+			policyKey := client.ObjectKeyFromObject(policy)
+			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), policy)).WithContext(ctx).Should(BeTrue())
+			Eventually(func(g Gomega) {
+				gateway := &gatewayapiv1.Gateway{}
+				g.Expect(k8sClient.Get(ctx, client.ObjectKey{Name: TestGatewayName, Namespace: testNamespace}, gateway)).To(Succeed())
+				condition := meta.FindStatusCondition(gateway.Status.Conditions, policyAffectedCondition)
+				// Should not be in gw conditions
+				g.Expect(condition).To(BeNil())
+
+				g.Expect(lo.EveryBy(gateway.Status.Listeners, func(item gatewayapiv1.ListenerStatus) bool {
+					lCond := meta.FindStatusCondition(item.Conditions, policyAffectedCondition)
+					if item.Name == *policy.Spec.TargetRef.SectionName {
+						// Target section should include condition
+						return lCond != nil && lCond.Status == metav1.ConditionTrue && strings.Contains(lCond.Message, policyKey.String())
+					}
+
+					// all other sections should not have the condition
+					return lCond == nil
+				})).To(BeTrue())
+			}).WithContext(ctx).Should(Succeed())
+		}, testTimeOut)
+
+		It("gateway policy is also listed with section policy", func(ctx SpecContext) {
+			gwPolicy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "gateway-ap"
+				policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+					LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayapiv1.GroupName,
+						Kind:  "Gateway",
+						Name:  TestGatewayName,
+					},
+				}
+			})
+			gwPolicyKey := client.ObjectKeyFromObject(gwPolicy)
+			Expect(k8sClient.Create(ctx, gwPolicy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), gwPolicy)).WithContext(ctx).Should(BeTrue())
+
+			lPolicy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "section-ap"
+				policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+					LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayapiv1.GroupName,
+						Kind:  "Gateway",
+						Name:  TestGatewayName,
+					},
+					SectionName: ptr.To[gatewayapiv1.SectionName]("test-listener-toystore-com"),
+				}
+			})
+			lPolicyKey := client.ObjectKeyFromObject(lPolicy)
+			Expect(k8sClient.Create(ctx, lPolicy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), lPolicy)).WithContext(ctx).Should(BeTrue())
+
+			Eventually(func(g Gomega) {
+				gateway := &gatewayapiv1.Gateway{}
+				g.Expect(k8sClient.Get(ctx, client.ObjectKey{Name: TestGatewayName, Namespace: testNamespace}, gateway)).To(Succeed())
+				condition := meta.FindStatusCondition(gateway.Status.Conditions, policyAffectedCondition)
+				// Gateway should list the condition with only the gw policy
+				g.Expect(condition).ToNot(BeNil())
+				g.Expect(condition.Status).To(Equal(metav1.ConditionTrue))
+				g.Expect(condition.Message).To(ContainSubstring(gwPolicyKey.String()))
+				g.Expect(condition.Message).ToNot(ContainSubstring(lPolicyKey.String()))
+
+				// Listeners
+				g.Expect(lo.EveryBy(gateway.Status.Listeners, func(item gatewayapiv1.ListenerStatus) bool {
+					lCond := meta.FindStatusCondition(item.Conditions, policyAffectedCondition)
+					if item.Name == *lPolicy.Spec.TargetRef.SectionName {
+						// Target section should include condition
+						return lCond != nil && lCond.Status == metav1.ConditionTrue && strings.Contains(lCond.Message, lPolicyKey.String()) && strings.Contains(lCond.Message, gwPolicyKey.String())
+					}
+
+					// all other sections list only the gw policy
+					return lCond != nil && lCond.Status == metav1.ConditionTrue && !strings.Contains(lCond.Message, lPolicyKey.String()) && strings.Contains(lCond.Message, gwPolicyKey.String())
+				})).To(BeTrue())
+			}).WithContext(ctx).Should(Succeed())
+		}, testTimeOut)
+
+		It("route should list it's own policy and the parent policies", func(ctx SpecContext) {
+			gwPolicy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "gateway-ap"
+				policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+					LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayapiv1.GroupName,
+						Kind:  "Gateway",
+						Name:  TestGatewayName,
+					},
+				}
+			})
+			gwPolicyKey := client.ObjectKeyFromObject(gwPolicy)
+			Expect(k8sClient.Create(ctx, gwPolicy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), gwPolicy)).WithContext(ctx).Should(BeTrue())
+
+			lPolicy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "section-ap"
+				policy.Spec.TargetRef = gatewayapiv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+					LocalPolicyTargetReference: gatewayapiv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayapiv1.GroupName,
+						Kind:  "Gateway",
+						Name:  TestGatewayName,
+					},
+					SectionName: ptr.To[gatewayapiv1.SectionName]("test-listener-toystore-com"),
+				}
+			})
+			lPolicyKey := client.ObjectKeyFromObject(lPolicy)
+			Expect(k8sClient.Create(ctx, lPolicy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), lPolicy)).WithContext(ctx).Should(BeTrue())
+
+			rPolicy := policyFactory(func(policy *kuadrantv1beta3.AuthPolicy) {
+				policy.Name = "route-ap"
+			})
+			rPolicyKey := client.ObjectKeyFromObject(rPolicy)
+			Expect(k8sClient.Create(ctx, rPolicy)).To(Succeed())
+			Eventually(tests.IsAuthPolicyAccepted(ctx, testClient(), rPolicy)).WithContext(ctx).Should(BeTrue())
+
+			Eventually(func(g Gomega) {
+				g.Expect(routeAffected(ctx, TestHTTPRouteName, policyAffectedCondition, gwPolicyKey, lPolicyKey, rPolicyKey)).To(BeTrue())
+			}).WithContext(ctx).Should(Succeed())
+		}, testTimeOut)
 	})
 
 	Context("RateLimitPolicy", func() {
@@ -638,10 +769,10 @@ var _ = Describe("Target status reconciler", func() {
 
 		// policyAcceptedAndTargetsAffected returns an assertion function that checks if a DNSPolicy is accepted
 		// and the statuses of its target object has been all updated as affected by the policy
-		policyAcceptedAndTargetsAffected := func(ctx context.Context, policy *kuadrantv1alpha1.DNSPolicy) func() bool {
+		policyAcceptedAndTargetsAffected := func(ctx context.Context, policy *kuadrantv1alpha1.DNSPolicy, routeNames ...string) func() bool {
 			return func() bool {
 				policyKey := client.ObjectKeyFromObject(policy)
-				return isDNSPolicyAccepted(ctx, policyKey) && targetsAffected(ctx, policyKey, policyAffectedCondition, policy.Spec.TargetRef.LocalPolicyTargetReference)
+				return isDNSPolicyAccepted(ctx, policyKey) && targetsAffected(ctx, policyKey, policyAffectedCondition, policy.Spec.TargetRef.LocalPolicyTargetReference, routeNames...)
 			}
 		}
 
@@ -662,7 +793,7 @@ var _ = Describe("Target status reconciler", func() {
 			}).WithContext(ctx).Should(Succeed())
 		}, afterEachTimeOut)
 
-		It("adds PolicyAffected status condition to the targeted gateway", func(ctx SpecContext) {
+		It("adds PolicyAffected status condition to the targeted gateway and child routes", func(ctx SpecContext) {
 			policy := policyFactory(func(policy *kuadrantv1alpha1.DNSPolicy) {
 				policy.Spec.ProviderRefs = append(policy.Spec.ProviderRefs, kuadrantdnsv1alpha1.ProviderRef{
 					Name: dnsProviderSecret.Name,
@@ -672,10 +803,10 @@ var _ = Describe("Target status reconciler", func() {
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
 			// policy should not be enforced since DNS Record is not ready because of the missing secret on the MZ
 			Eventually(isDNSPolicyEnforced(ctx, client.ObjectKeyFromObject(policy))).WithContext(ctx).ShouldNot(BeTrue())
-			Eventually(policyAcceptedAndTargetsAffected(ctx, policy)).WithContext(ctx).Should(BeTrue())
+			Eventually(policyAcceptedAndTargetsAffected(ctx, policy, TestHTTPRouteName)).WithContext(ctx).Should(BeTrue())
 		}, testTimeOut)
 
-		It("removes PolicyAffected status condition from the targeted gateway when the policy is deleted", func(ctx SpecContext) {
+		It("removes PolicyAffected status condition from the targeted gateway and child routes when the policy is deleted", func(ctx SpecContext) {
 			policy := policyFactory(func(policy *kuadrantv1alpha1.DNSPolicy) {
 				policy.Spec.ProviderRefs = append(policy.Spec.ProviderRefs, kuadrantdnsv1alpha1.ProviderRef{
 					Name: dnsProviderSecret.Name,
@@ -697,6 +828,10 @@ var _ = Describe("Target status reconciler", func() {
 				condition := meta.FindStatusCondition(gateway.Status.Conditions, TestGatewayName)
 				return condition == nil || !strings.Contains(condition.Message, policyKey.String()) || condition.Status == metav1.ConditionFalse
 			}).WithContext(ctx).Should(BeTrue())
+
+			Eventually(func(g Gomega) {
+				g.Expect(routeAffected(ctx, TestHTTPRouteName, policyAffectedCondition, policyKey)).Should(BeFalse())
+			}).WithContext(ctx).Should(Succeed())
 		}, testTimeOut)
 
 		It("adds section name polices only to specific listener status conditions", func(ctx SpecContext) {
@@ -807,13 +942,13 @@ var _ = Describe("Target status reconciler", func() {
 
 		// policyAcceptedAndTargetsAffected returns an assertion function that checks if a TLSPolicy is accepted
 		// and the statuses of its target object has been all updated as affected by the policy
-		policyAcceptedAndTargetsAffected := func(ctx context.Context, policy *kuadrantv1alpha1.TLSPolicy) func() bool {
+		policyAcceptedAndTargetsAffected := func(ctx context.Context, policy *kuadrantv1alpha1.TLSPolicy, routeNames ...string) func() bool {
 			return func() bool {
 				policyKey := client.ObjectKeyFromObject(policy)
 				if !isTLSPolicyAccepted(ctx, policyKey) {
 					return false
 				}
-				return targetsAffected(ctx, policyKey, policyAffectedCondition, policy.Spec.TargetRef)
+				return targetsAffected(ctx, policyKey, policyAffectedCondition, policy.Spec.TargetRef, routeNames...)
 			}
 		}
 
@@ -829,17 +964,17 @@ var _ = Describe("Target status reconciler", func() {
 			}
 		}, afterEachTimeOut)
 
-		It("adds PolicyAffected status condition to the targeted gateway", func(ctx SpecContext) {
+		It("adds PolicyAffected status condition to the targeted gateway and child routes", func(ctx SpecContext) {
 			policy := policyFactory()
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
-			Eventually(policyAcceptedAndTargetsAffected(ctx, policy)).WithContext(ctx).Should(BeTrue())
+			Eventually(policyAcceptedAndTargetsAffected(ctx, policy, TestHTTPRouteName)).WithContext(ctx).Should(BeTrue())
 		}, testTimeOut)
 
-		It("removes PolicyAffected status condition from the targeted gateway when the policy is deleted", func(ctx SpecContext) {
+		It("removes PolicyAffected status condition from the targeted gateway and child routes when the policy is deleted", func(ctx SpecContext) {
 			policy := policyFactory()
 			policyKey := client.ObjectKeyFromObject(policy)
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
-			Eventually(policyAcceptedAndTargetsAffected(ctx, policy)).WithContext(ctx).Should(BeTrue())
+			Eventually(policyAcceptedAndTargetsAffected(ctx, policy, TestHTTPRouteName)).WithContext(ctx).Should(BeTrue())
 
 			Expect(k8sClient.Delete(ctx, policy)).To(Succeed())
 
@@ -852,6 +987,10 @@ var _ = Describe("Target status reconciler", func() {
 				condition := meta.FindStatusCondition(gateway.Status.Conditions, TestGatewayName)
 				return condition == nil || !strings.Contains(condition.Message, policyKey.String()) || condition.Status == metav1.ConditionFalse
 			}).WithContext(ctx).Should(BeTrue())
+
+			Eventually(func(g Gomega) {
+				g.Expect(routeAffected(ctx, TestHTTPRouteName, policyAffectedCondition, policyKey)).Should(BeFalse())
+			}).WithContext(ctx).Should(Succeed())
 		}, testTimeOut)
 	})
 })