package test
import (
"errors"
"os"
"reflect"
"testing"
"github.com/go-git/go-billy/v5"
"github.com/go-git/go-billy/v5/memfs"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
testapi "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/test"
)
// TestLoadTests checks how LoadTests discovers and decodes test manifests for
// a given directory and manifest file name, using the fixtures referenced
// under ../_testdata/tests.
//
// Two kinds of failure are asserted separately: wantErr covers the error
// returned by LoadTests itself, while a manifest that fails to decode is
// expected back as a TestCase whose Err field is set.
func TestLoadTests(t *testing.T) {
	// Expected decoding of ../_testdata/tests/test-1/kyverno-test.yaml.
	registryCase := TestCase{
		Path: "../_testdata/tests/test-1/kyverno-test.yaml",
		Test: &testapi.Test{
			Name:      "test-registry",
			Policies:  []string{"image-example.yaml"},
			Resources: []string{"resources.yaml"},
			Results: []testapi.TestResult{{
				TestResultBase: testapi.TestResultBase{
					Kind:   "Pod",
					Policy: "images",
					Result: policyreportv1alpha2.StatusPass,
					Rule:   "only-allow-trusted-images",
				},
				Resources: []string{"test-pod-with-non-root-user-image"},
			}, {
				TestResultBase: testapi.TestResultBase{
					Kind:   "Pod",
					Policy: "images",
					Result: policyreportv1alpha2.StatusPass,
					Rule:   "only-allow-trusted-images",
				},
				Resources: []string{"test-pod-with-trusted-registry"},
			}},
		},
	}

	// Expected decoding of ../_testdata/tests/test-2/kyverno-test.yaml.
	quotaCase := TestCase{
		Path: "../_testdata/tests/test-2/kyverno-test.yaml",
		Test: &testapi.Test{
			Name:      "add-quota",
			Policies:  []string{"policy.yaml"},
			Resources: []string{"resource.yaml"},
			Results: []testapi.TestResult{{
				TestResultBase: testapi.TestResultBase{
					Kind:              "Namespace",
					Policy:            "add-ns-quota",
					Result:            policyreportv1alpha2.StatusPass,
					Rule:              "generate-resourcequota",
					GeneratedResource: "generatedResourceQuota.yaml",
				},
				Resources: []string{"hello-world-namespace"},
			}, {
				TestResultBase: testapi.TestResultBase{
					Kind:              "Namespace",
					Policy:            "add-ns-quota",
					Result:            policyreportv1alpha2.StatusPass,
					Rule:              "generate-limitrange",
					GeneratedResource: "generatedLimitRange.yaml",
				},
				Resources: []string{"hello-world-namespace"},
			}},
		},
	}

	// The expected message shows the manifest being decoded strictly: an
	// unknown field ("foo") is reported on the test case rather than dropped.
	// reflect.DeepEqual is applied to Err as well, so this expectation only
	// holds while the returned error has the same concrete type and message
	// as the errors.New value below.
	unknownFieldCase := TestCase{
		Path: "../_testdata/tests/test-invalid/kyverno-test-invalid.yaml",
		Err:  errors.New("error unmarshaling JSON: while decoding JSON: json: unknown field \"foo\""),
	}

	type scenario struct {
		name     string
		dirPath  string
		fileName string
		want     TestCases
		wantErr  bool
	}
	scenarios := []scenario{
		{
			name:     "empty dir",
			dirPath:  "",
			fileName: "kyverno-test.yaml",
			want:     nil,
			wantErr:  false,
		},
		{
			// The directory itself cannot be loaded: LoadTests returns an error.
			name:     "invalid dir",
			dirPath:  "../_testdata/tests/invalid",
			fileName: "kyverno-test.yaml",
			want:     nil,
			wantErr:  true,
		},
		{
			// Same subtest name as above, but here the directory is fine and
			// the manifest is not: no top-level error, the failure is carried
			// on the returned test case.
			name:     "invalid dir",
			dirPath:  "../_testdata/tests",
			fileName: "kyverno-test-invalid.yaml",
			want:     []TestCase{unknownFieldCase},
			wantErr:  false,
		},
		{
			name:     "ok",
			dirPath:  "../_testdata/tests/test-1",
			fileName: "kyverno-test.yaml",
			want:     []TestCase{registryCase},
			wantErr:  false,
		},
		{
			name:     "ok",
			dirPath:  "../_testdata/tests/test-2",
			fileName: "kyverno-test.yaml",
			want:     []TestCase{quotaCase},
			wantErr:  false,
		},
		{
			// Loading from the parent directory is expected to pick up the
			// manifests of both sub-directories, test-1 first.
			name:     "ok",
			dirPath:  "../_testdata/tests",
			fileName: "kyverno-test.yaml",
			want:     []TestCase{registryCase, quotaCase},
			wantErr:  false,
		},
	}

	for i := range scenarios {
		sc := scenarios[i]
		t.Run(sc.name, func(t *testing.T) {
			got, err := LoadTests(sc.dirPath, sc.fileName)
			failed := err != nil
			if failed != sc.wantErr {
				t.Errorf("LoadTests() error = %v, wantErr %v", err, sc.wantErr)
				return
			}
			if reflect.DeepEqual(got, sc.want) {
				return
			}
			t.Errorf("LoadTests() = %v, want %v", got, sc.want)
		})
	}
}
// TestLoadTest checks LoadTest for a single manifest path, both with a nil
// filesystem (paths relative to this package) and with an in-memory billy
// filesystem seeded from the test-1 fixture.
//
// Only the presence of an error is asserted; got.Err is cleared before the
// remaining fields are compared with reflect.DeepEqual.
func TestLoadTest(t *testing.T) {
	const fixturePath = "../_testdata/tests/test-1/kyverno-test.yaml"

	// readOrFail returns the content of path and aborts the test on failure.
	readOrFail := func(path string) []byte {
		t.Helper()
		content, err := os.ReadFile(path)
		if err != nil {
			t.Fatal(err)
		}
		return content
	}

	// newFixtureFS builds an in-memory filesystem whose only entry,
	// kyverno-test.yaml, is a copy of the test-1 manifest.
	newFixtureFS := func() billy.Filesystem {
		mem := memfs.New()
		handle, err := mem.Create("kyverno-test.yaml")
		if err != nil {
			t.Fatal(err)
		}
		defer handle.Close()
		if _, err := handle.Write(readOrFail(fixturePath)); err != nil {
			t.Fatal(err)
		}
		return mem
	}

	// Expected decoding of the test-1 manifest, shared by the on-disk and the
	// in-memory cases.
	registryTest := &testapi.Test{
		Name:      "test-registry",
		Policies:  []string{"image-example.yaml"},
		Resources: []string{"resources.yaml"},
		Results: []testapi.TestResult{{
			TestResultBase: testapi.TestResultBase{
				Kind:   "Pod",
				Policy: "images",
				Result: policyreportv1alpha2.StatusPass,
				Rule:   "only-allow-trusted-images",
			},
			Resources: []string{"test-pod-with-non-root-user-image"},
		}, {
			TestResultBase: testapi.TestResultBase{
				Kind:   "Pod",
				Policy: "images",
				Result: policyreportv1alpha2.StatusPass,
				Rule:   "only-allow-trusted-images",
			},
			Resources: []string{"test-pod-with-trusted-registry"},
		}},
	}

	type scenario struct {
		name    string
		fs      billy.Filesystem
		path    string
		want    TestCase
		wantErr bool
	}
	scenarios := []scenario{
		{
			name:    "empty",
			path:    "",
			wantErr: true,
		},
		{
			name: "ok",
			path: fixturePath,
			want: TestCase{
				Path: fixturePath,
				Test: registryTest,
			},
		},
		{
			name: "ok (billy)",
			path: "kyverno-test.yaml",
			want: TestCase{
				Path: "kyverno-test.yaml",
				Test: registryTest,
			},
			fs: newFixtureFS(),
		},
		{
			// The filesystem only holds kyverno-test.yaml, so the requested
			// kyverno-test-bad.yaml is absent: the case expects an error and
			// a result that still carries the requested path.
			name: "bad file (billy)",
			path: "kyverno-test-bad.yaml",
			fs:   newFixtureFS(),
			want: TestCase{
				Path: "kyverno-test-bad.yaml",
			},
			wantErr: true,
		},
	}

	for i := range scenarios {
		sc := scenarios[i]
		t.Run(sc.name, func(t *testing.T) {
			got := LoadTest(sc.fs, sc.path)
			failed := got.Err != nil
			if failed != sc.wantErr {
				t.Errorf("LoadTest() error = %v, wantErr %v", got.Err, sc.wantErr)
				return
			}
			// The error value is excluded from the structural comparison, and
			// the expected case is given the filesystem that was passed in.
			got.Err = nil
			expected := sc.want
			expected.Fs = sc.fs
			if reflect.DeepEqual(got, expected) {
				return
			}
			t.Errorf("LoadTest() = %v, want %v", got, expected)
		})
	}
}