adding tests

Signed-off-by: Jaydip Gabani <[email protected]>
JaydipGabani · Mar 21, 2024 · 2fba3ff · 2fba3ff
1 parent cd4b7b6
commit 2fba3ff
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 4 deletions.
diff --git a/pkg/audit/manager_test.go b/pkg/audit/manager_test.go
@@ -101,27 +101,42 @@ func Test_auditFromCache(t *testing.T) {
 
 	_, err = client.AddTemplate(context.Background(), fakes.DenyAllRegoTemplate())
 	require.NoError(t, err, "adding denyall constraint template")
-	_, err = client.AddConstraint(context.Background(), fakes.DenyAllConstraint())
-	require.NoError(t, err, "adding denyall constraint")
 
 	tests := []struct {
 		name            string
 		processExcluder *process.Excluder
+		constraint      *unstructured.Unstructured
 		wantViolation   bool
 	}{
 		{
 			name:            "obj excluded from audit",
 			processExcluder: processExcluderFor([]string{"test-namespace-1"}),
+			constraint:      fakes.DenyAllConstraint(),
 		},
 		{
 			name:            "obj not excluded from audit",
 			processExcluder: processExcluderFor([]string{}),
+			constraint:      fakes.DenyAllConstraint(),
+			wantViolation:   true,
+		},
+		{
+			name:            "audit excluded from constraint",
+			processExcluder: processExcluderFor([]string{}),
+			constraint:      fakes.WebhookDenyAllConstraint(),
+		},
+		{
+			name:            "audit included in constraints",
+			processExcluder: processExcluderFor([]string{}),
+			constraint:      fakes.AuditDenyAllConstraint(),
 			wantViolation:   true,
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
+			_, err = client.AddConstraint(context.Background(), tc.constraint)
+			require.NoError(t, err, "adding denyall constraint")
+
 			am := &Manager{
 				processExcluder: tc.processExcluder,
 				auditCache:      testAuditCache,
@@ -131,11 +146,17 @@ func Test_auditFromCache(t *testing.T) {
 			results, errs := am.auditFromCache(context.Background())
 			require.Len(t, errs, 0)
 
+			// fmt.Println(results)
+
 			if tc.wantViolation {
 				require.Len(t, results, 1)
 			} else {
 				require.Len(t, results, 0)
 			}
+
+			if _, err := client.RemoveConstraint(context.Background(), tc.constraint); err != nil {
+				t.Fatal(err)
+			}
 		})
 	}
 }

diff --git a/pkg/fakes/fixtures.go b/pkg/fakes/fixtures.go
@@ -5,6 +5,7 @@ import (
 	templatesv1beta1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -49,6 +50,43 @@ func DenyAllConstraint() *unstructured.Unstructured {
 	return ConstraintFor("denyall")
 }
 
+func AuditDenyAllConstraint() *unstructured.Unstructured {
+	return ScopedConstraintFor(util.AuditEnforcementPoint)
+}
+
+func WebhookDenyAllConstraint() *unstructured.Unstructured {
+	return ScopedConstraintFor(util.WebhookEnforcementPoint)
+}
+
+func ScopedConstraintFor(ep string) *unstructured.Unstructured {
+	u := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"spec": map[string]interface{}{
+				"enforcementAction": "scoped",
+				"scopedEnforcementActions": []interface{}{
+					map[string]interface{}{
+						"enforcementPoints": []interface{}{
+							map[string]interface{}{
+								"name": ep,
+							},
+						},
+						"action": "deny",
+					},
+				},
+			},
+		},
+	}
+
+	u.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   constraints.Group,
+		Version: "v1beta1",
+		Kind:    "denyall",
+	})
+	u.SetName("constraint")
+
+	return u
+}
+
 func ConstraintFor(kind string) *unstructured.Unstructured {
 	u := &unstructured.Unstructured{}
 

diff --git a/pkg/gator/fixtures/fixtures.go b/pkg/gator/fixtures/fixtures.go
@@ -214,6 +214,32 @@ metadata:
   name: always-fail
 `
 
+	ConstraintGatorValidate = `
+kind: NeverValidate
+apiVersion: constraints.gatekeeper.sh/v1beta1
+metadata:
+  name: always-fail-gator
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - enforcementPoints:
+    - name: gator.gatekeeper.sh
+    action: deny
+`
+
+	ConstraintAuditValidate = `
+kind: NeverValidate
+apiVersion: constraints.gatekeeper.sh/v1beta1
+metadata:
+  name: always-pass-gator
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - enforcementPoints:
+    - name: audit.gatekeeper.sh
+    action: deny
+`
+
 	ConstraintNeverValidateTwice = `
 kind: NeverValidateTwice
 apiVersion: constraints.gatekeeper.sh/v1beta1

diff --git a/pkg/gator/test/test.go b/pkg/gator/test/test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
 	mutationtypes "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -113,7 +114,7 @@ func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error
 			Source:    mutationtypes.SourceTypeOriginal,
 		}
 
-		review, err := client.Review(ctx, au, "gator.gatekeeper.sh")
+		review, err := client.Review(ctx, au, util.GatorEnforcementPoint)
 		if err != nil {
 			return nil, fmt.Errorf("reviewing %v %s/%s: %w",
 				obj.GroupVersionKind(), obj.GetNamespace(), obj.GetName(), err)
@@ -130,7 +131,7 @@ func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error
 				Namespace: ns,
 				Source:    mutationtypes.SourceTypeGenerated,
 			}
-			resultantReview, err := client.Review(ctx, au, "gator.gatekeeper.sh")
+			resultantReview, err := client.Review(ctx, au, util.GatorEnforcementPoint)
 			if err != nil {
 				return nil, fmt.Errorf("reviewing expanded resource %v %s/%s: %w",
 					resultant.Obj.GroupVersionKind(), resultant.Obj.GetNamespace(), resultant.Obj.GetName(), err)

diff --git a/pkg/gator/test/test_test.go b/pkg/gator/test/test_test.go
@@ -19,6 +19,7 @@ import (
 var (
 	templateNeverValidate      *unstructured.Unstructured
 	constraintNeverValidate    *unstructured.Unstructured
+	constraintGatorValidate    *unstructured.Unstructured
 	constraintReferential      *unstructured.Unstructured
 	object                     *unstructured.Unstructured
 	objectReferentialInventory *unstructured.Unstructured
@@ -37,6 +38,11 @@ func init() {
 		panic(err)
 	}
 
+	constraintGatorValidate, err = readUnstructured([]byte(fixtures.ConstraintGatorValidate))
+	if err != nil {
+		panic(err)
+	}
+
 	constraintReferential, err = readUnstructured([]byte(fixtures.ConstraintReferential))
 	if err != nil {
 		panic(err)
@@ -180,6 +186,47 @@ func TestTest(t *testing.T) {
 			},
 			err: constraintclient.ErrMissingConstraintTemplate,
 		},
+		{
+			name: "constraint with gator EP",
+			inputs: []string{
+				fixtures.TemplateNeverValidate,
+				fixtures.ConstraintGatorValidate,
+				fixtures.Object,
+			},
+			want: []*GatorResult{
+				{
+					Result: types.Result{
+						Target:     target.Name,
+						Msg:        "never validate",
+						Constraint: constraintGatorValidate,
+					},
+				},
+				{
+					Result: types.Result{
+						Target:     target.Name,
+						Msg:        "never validate",
+						Constraint: constraintGatorValidate,
+					},
+				},
+				{
+					Result: types.Result{
+						Target:     target.Name,
+						Msg:        "never validate",
+						Constraint: constraintGatorValidate,
+					},
+				},
+			},
+			cmpOption: ignoreGatorResultFields(),
+		},
+		{
+			name: "constraint with audit EP",
+			inputs: []string{
+				fixtures.TemplateNeverValidate,
+				fixtures.ConstraintAuditValidate,
+				fixtures.Object,
+			},
+			cmpOption: ignoreGatorResultFields(),
+		},
 	}
 
 	for _, tc := range tcs {