diff --git a/api/v1beta2/authpolicy_types_test.go b/api/v1beta2/authpolicy_types_test.go
index 5f11f3f86..a87f97207 100644
--- a/api/v1beta2/authpolicy_types_test.go
+++ b/api/v1beta2/authpolicy_types_test.go
@@ -247,74 +247,6 @@ func TestAuthPolicyValidate(t *testing.T) {
 valid bool
 message string
 }{
- {
- name: "valid policy targeting a httproute",
- policy: &AuthPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "my-policy",
- Namespace: "my-namespace",
- },
- Spec: AuthPolicySpec{
- TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
- Group: "gateway.networking.k8s.io",
- Kind: "HTTPRoute",
- Name: "my-route",
- },
- },
- },
- valid: true,
- },
- {
- name: "valid policy targeting a gateway",
- policy: &AuthPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "my-policy",
- Namespace: "my-namespace",
- },
- Spec: AuthPolicySpec{
- TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
- Group: "gateway.networking.k8s.io",
- Kind: "Gateway",
- Name: "my-gw",
- },
- },
- },
- valid: true,
- },
- {
- name: "invalid targetRef group",
- policy: &AuthPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "my-policy",
- Namespace: "my-namespace",
- },
- Spec: AuthPolicySpec{
- TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
- Group: "not-gateway.networking.k8s.io.group",
- Kind: "HTTPRoute",
- Name: "my-non-gwapi-route",
- },
- },
- },
- message: "invalid targetRef.Group not-gateway.networking.k8s.io.group. The only supported group is gateway.networking.k8s.io",
- },
- {
- name: "invalid targetRef kind",
- policy: &AuthPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "my-policy",
- Namespace: "my-namespace",
- },
- Spec: AuthPolicySpec{
- TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
- Group: "gateway.networking.k8s.io",
- Kind: "TCPRoute",
- Name: "my-tcp-route",
- },
- },
- },
- message: "invalid targetRef.Kind TCPRoute. The only supported kinds are HTTPRoute and Gateway",
- },
 {
 name: "invalid usage of top-level route selectors with a gateway targetRef",
 policy: &AuthPolicy{
diff --git a/api/v1beta2/ratelimitpolicy_types_test.go b/api/v1beta2/ratelimitpolicy_types_test.go
index b1fec0b24..af895e33b 100644
--- a/api/v1beta2/ratelimitpolicy_types_test.go
+++ b/api/v1beta2/ratelimitpolicy_types_test.go
@@ -44,49 +44,13 @@ func testBuildBasicHTTPRouteRLP(name string) *RateLimitPolicy {
 // TestRateLimitPolicyValidation calls rlp.Validate()
 // for a valid return value.
 func TestRateLimitPolicyValidation(t *testing.T) {
- // valid httproute rlp
 name := "httproute-a"
- rlp := testBuildBasicHTTPRouteRLP(name)
- err := rlp.Validate()
- if err != nil {
- t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
- }
-
- // valid gateway rlp
- name = "gateway-a"
- rlp = testBuildBasicGatewayRLP(name)
- err = rlp.Validate()
- if err != nil {
- t.Fatalf(`rlp.Validate() returned error "%v", wanted nil`, err)
- }
-
- // invalid group
- rlp = testBuildBasicHTTPRouteRLP(name)
- rlp.Spec.TargetRef.Group = gatewayapiv1.Group("foo.example.com")
- err = rlp.Validate()
- if err == nil {
- t.Fatal(`rlp.Validate() did not return error and should`)
- }
- if !strings.Contains(err.Error(), "invalid targetRef.Group") {
- t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
- }
-
- // invalid kind
- rlp = testBuildBasicHTTPRouteRLP(name)
- rlp.Spec.TargetRef.Kind = gatewayapiv1.Kind("Foo")
- err = rlp.Validate()
- if err == nil {
- t.Fatal(`rlp.Validate() did not return error and should`)
- }
- if !strings.Contains(err.Error(), "invalid targetRef.Kind") {
- t.Fatalf(`rlp.Validate() did not return expected error. Instead: %v`, err)
- }

 // Different namespace
- rlp = testBuildBasicHTTPRouteRLP(name)
+ rlp := testBuildBasicHTTPRouteRLP(name)
 otherNS := gatewayapiv1.Namespace(rlp.GetNamespace() + "other")
 rlp.Spec.TargetRef.Namespace = &otherNS
- err = rlp.Validate()
+ err := rlp.Validate()
 if err == nil {
 t.Fatal(`rlp.Validate() did not return error and should`)
 }
diff --git a/controllers/authpolicy_controller_test.go b/controllers/authpolicy_controller_test.go
index dba7cd1fd..51706cdeb 100644
--- a/controllers/authpolicy_controller_test.go
+++ b/controllers/authpolicy_controller_test.go
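Review bot: The doc comment kept as context above `TestRateLimitPolicyValidation` in api/v1beta2/ratelimitpolicy_types_test.go still says the test calls `rlp.Validate()` "for a valid return value", but this hunk removes both valid cases and the first case left is the cross-namespace rejection. I would reword it along the lines of `// TestRateLimitPolicyValidation checks that rlp.Validate() rejects an invalid targetRef, e.g. one in a different namespace.`, adjusted to whatever cases follow. The function body continues past the end of the hunk, so the remaining cases are not all visible here.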
@@ -10,6 +10,8 @@ import (
 "strings"
 "time"

+ authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
+ api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 secv1beta1resources "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -23,9 +25,6 @@ import (
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
- authorinoapi "github.com/kuadrant/authorino/api/v1beta2"
- api "github.com/kuadrant/kuadrant-operator/api/v1beta2"
 )

 const (
@@ -1260,6 +1259,92 @@ var _ = Describe("AuthPolicy controller", func() {
 Context("TODO: Targeted resource does not exist", func() {})
 })

+var _ = Describe("AuthPolicy CEL Validations", func() {
+ var testNamespace string
+
+ BeforeEach(func() {
+ CreateNamespace(&testNamespace)
+ })
+
+ AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+ Context("Spec TargetRef Validations", func() {
+ It("Valid policy targeting HTTPRoute", func() {
+ policy := &api.AuthPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: api.AuthPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "HTTPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(BeNil())
+ })
+
+ It("Valid policy targeting Gateway", func() {
+ policy := &api.AuthPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: api.AuthPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "Gateway",
+ Name: "my-gw",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(BeNil())
+ })
+
+ It("Invalid Target Ref Group", func() {
+ policy := &api.AuthPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: api.AuthPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "not-gateway.networking.k8s.io",
+ Kind: "HTTPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(Not(BeNil()))
+ Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+ })
+
+ It("Invalid Target Ref Kind", func() {
+ policy := &api.AuthPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: api.AuthPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "TCPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(Not(BeNil()))
+ Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+ })
+ })
+})
+
 func testBasicAuthScheme() api.AuthSchemeSpec {
 return api.AuthSchemeSpec{
 Authentication: map[string]api.AuthenticationSpec{
diff --git a/controllers/ratelimitpolicy_controller_test.go b/controllers/ratelimitpolicy_controller_test.go
index b59dc0fd3..f303f9c94 100644
--- a/controllers/ratelimitpolicy_controller_test.go
+++ b/controllers/ratelimitpolicy_controller_test.go
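Review bot: The new "AuthPolicy CEL Validations" suite only exercises `k8sClient.Create`, so nothing pins that an already-admitted policy cannot later be changed to an unsupported `targetRef.group` or `targetRef.kind`. Because the Go-side `Validate()` cases for group and kind are deleted in api/v1beta2/authpolicy_types_test.go, admission appears to be the only place these values are still checked (inferred from the tests; the CRD validation markers are not part of this diff), which makes the update path worth a regression test. I would add a case inside the existing `Context` that creates the valid HTTPRoute policy, flips the kind, and expects the update to be rejected. The "RateLimitPolicy CEL Validations" suite in controllers/ratelimitpolicy_controller_test.go has the same gap.

```go
	Context("Spec TargetRef Validations", func() {
		// … unchanged: the four Create cases …

		It("Rejects update to an unsupported targetRef kind", func() {
			policy := &api.AuthPolicy{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "my-policy",
					Namespace: testNamespace,
				},
				Spec: api.AuthPolicySpec{
					TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
						Group: "gateway.networking.k8s.io",
						Kind:  "HTTPRoute",
						Name:  "my-route",
					},
				},
			}
			Expect(k8sClient.Create(context.Background(), policy)).To(Succeed())

			// If the controller mutates the object after creation, re-fetch it
			// first so a resourceVersion conflict does not mask the validation error.
			policy.Spec.TargetRef.Kind = "TCPRoute"
			err := k8sClient.Update(context.Background(), policy)
			Expect(err).To(MatchError(ContainSubstring("Invalid targetRef.kind")))
		})
```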
@@ -5,25 +5,25 @@ package controllers
 import (
 "context"
 "encoding/json"
+ "strings"
 "time"

+ kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
+ "github.com/kuadrant/kuadrant-operator/pkg/common"
+ "github.com/kuadrant/kuadrant-operator/pkg/rlptools"
+ "github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
+ limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 istioclientgoextensionv1alpha1 "istio.io/client-go/pkg/apis/extensions/v1alpha1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
- kuadrantv1beta2 "github.com/kuadrant/kuadrant-operator/api/v1beta2"
- "github.com/kuadrant/kuadrant-operator/pkg/common"
- "github.com/kuadrant/kuadrant-operator/pkg/rlptools"
- "github.com/kuadrant/kuadrant-operator/pkg/rlptools/wasm"
- limitadorv1alpha1 "github.com/kuadrant/limitador-operator/api/v1alpha1"
- "k8s.io/utils/ptr"
 )

 var _ = Describe("RateLimitPolicy controller", func() {
@@ -622,6 +622,92 @@ var _ = Describe("RateLimitPolicy controller", func() {
 })
 })

+var _ = Describe("RateLimitPolicy CEL Validations", func() {
+ var testNamespace string
+
+ BeforeEach(func() {
+ CreateNamespace(&testNamespace)
+ })
+
+ AfterEach(DeleteNamespaceCallback(&testNamespace))
+
+ Context("Spec TargetRef Validations", func() {
+ It("Valid policy targeting HTTPRoute", func() {
+ policy := &kuadrantv1beta2.RateLimitPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: kuadrantv1beta2.RateLimitPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "HTTPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(BeNil())
+ })
+
+ It("Valid policy targeting Gateway", func() {
+ policy := &kuadrantv1beta2.RateLimitPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: kuadrantv1beta2.RateLimitPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "Gateway",
+ Name: "my-gw",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(BeNil())
+ })
+
+ It("Invalid Target Ref Group", func() {
+ policy := &kuadrantv1beta2.RateLimitPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: kuadrantv1beta2.RateLimitPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "not-gateway.networking.k8s.io",
+ Kind: "HTTPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(Not(BeNil()))
+ Expect(strings.Contains(err.Error(), "Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")).To(BeTrue())
+ })
+
+ It("Invalid Target Ref Kind", func() {
+ policy := &kuadrantv1beta2.RateLimitPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-policy",
+ Namespace: testNamespace,
+ },
+ Spec: kuadrantv1beta2.RateLimitPolicySpec{
+ TargetRef: gatewayapiv1alpha2.PolicyTargetReference{
+ Group: "gateway.networking.k8s.io",
+ Kind: "TCPRoute",
+ Name: "my-route",
+ },
+ },
+ }
+ err := k8sClient.Create(context.Background(), policy)
+ Expect(err).To(Not(BeNil()))
+ Expect(strings.Contains(err.Error(), "Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'")).To(BeTrue())
+ })
+ })
+})
+
 func testRLPIsAvailable(rlpKey client.ObjectKey) func() bool {
 return func() bool {
 existingRLP := &kuadrantv1beta2.RateLimitPolicy{}
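Review bot: The two rejection cases in "RateLimitPolicy CEL Validations" assert with `Expect(strings.Contains(err.Error(), "...")).To(BeTrue())`, which on failure reports only that `false` was not `true` and hides the error the API server actually returned. It also appears to be the only reason this commit adds the `"strings"` import to this file. `Expect(err).To(MatchError(ContainSubstring("Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'")))` prints the real error text on mismatch. Since `apierrors` is already imported here, `Expect(apierrors.IsInvalid(err)).To(BeTrue())` would additionally pin that the rejection comes from API-server validation rather than some other create failure.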