From fd72ee31787d21a4fbeefbf86f82e893bed7d11f Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Thu, 10 Oct 2019 17:34:20 -0700
Subject: [PATCH] add unit tests
---
 pkg/engine/anchor.go | 2 +-
 pkg/engine/validation_test.go | 173 ++++++++++++++++++++++++++++++++++
 2 files changed, 174 insertions(+), 1 deletion(-)
diff --git a/pkg/engine/anchor.go b/pkg/engine/anchor.go
index 48623a42a7..e3d604007a 100644
--- a/pkg/engine/anchor.go
+++ b/pkg/engine/anchor.go
@@ -50,7 +50,7 @@ func (nh NegationHandler) Handle(resourceMap map[string]interface{}, originPatte
 // if anchor is present in the resource then fail
 if _, ok := resourceMap[anchorKey]; ok {
 // no need to process elements in value as key cannot be present in resource
- return currentPath, fmt.Errorf("validation rule failed at %s, field %s is disallowed", currentPath, anchorKey)
+ return currentPath, fmt.Errorf("Validation rule failed at %s, field %s is disallowed", currentPath, anchorKey)
 }
 // key is not defined in the resource
 return "", nil
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 6c3462ba24..3fc8b60c4e 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
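Review bot: The new error string in NegationHandler.Handle now starts with a capital letter, which goes against the Go convention that error strings are lowercase (staticcheck ST1005 will flag it) and, since Go errors are commonly wrapped into longer messages, the capital can land mid-sentence. The expected message asserted by the new tests ("Validation rule 'validate-host-path' failed at ...") has a different shape from this format string, so it is not visible from this hunk whether the capitalization is required by any consumer. If the text is surfaced verbatim to users, document that deviation on the line, e.g. `// capitalized on purpose: shown verbatim in the rule's user-facing message`; otherwise keep the lowercase form and capitalize at the presentation layer. The enclosing Handle function starts and ends outside the hunk.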
@@ -2767,3 +2767,176 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
 }
 assert.Assert(t, er.IsSuccesful())
 }
+
+func TestValidate_negationAnchor_deny(t *testing.T) {
+ rawPolicy := []byte(`
+ {
+ "apiVersion": "kyverno.io/v1alpha1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "validate-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "validate-host-path",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "message": "Host path is not allowed",
+ "pattern": {
+ "spec": {
+ "volumes": [
+ {
+ "name": "*",
+ "X(hostPath)": null
+ }
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `)
+
+ rawResource := []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "image-with-hostpath",
+ "labels": {
+ "app.type": "prod",
+ "namespace": "my-namespace"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "image-with-hostpath",
+ "image": "docker.io/nautiker/curl",
+ "volumeMounts": [
+ {
+ "name": "var-lib-etcd",
+ "mountPath": "/var/lib"
+ }
+ ]
+ }
+ ],
+ "volumes": [
+ {
+ "name": "var-lib-etcd",
+ "hostPath": {
+ "path": "/var/lib1"
+ }
+ }
+ ]
+ }
+ } `)
+
+ var policy kyverno.ClusterPolicy
+ json.Unmarshal(rawPolicy, &policy)
+
+ resourceUnstructured, err := ConvertToUnstructured(rawResource)
+ assert.NilError(t, err)
+ er := Validate(policy, *resourceUnstructured)
+ msgs := []string{"Validation rule 'validate-host-path' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. 
Host path is not allowed"}
+
+ for index, r := range er.PolicyResponse.Rules {
+ assert.Equal(t, r.Message, msgs[index])
+ }
+ assert.Assert(t, !er.IsSuccesful())
+}
+
+func TestValidate_negationAnchor_pass(t *testing.T) {
+ rawPolicy := []byte(`
+ {
+ "apiVersion": "kyverno.io/v1alpha1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "validate-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "validate-host-path",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "message": "Host path is not allowed",
+ "pattern": {
+ "spec": {
+ "volumes": [
+ {
+ "name": "*",
+ "X(hostPath)": null
+ }
+ ]
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `)
+
+ rawResource := []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "image-with-hostpath",
+ "labels": {
+ "app.type": "prod",
+ "namespace": "my-namespace"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "image-with-hostpath",
+ "image": "docker.io/nautiker/curl",
+ "volumeMounts": [
+ {
+ "name": "var-lib-etcd",
+ "mountPath": "/var/lib"
+ }
+ ]
+ }
+ ],
+ "volumes": [
+ {
+ "name": "var-lib-etcd",
+ "emptyDir": {}
+ }
+ ]
+ }
+ }
+ `)
+
+ var policy kyverno.ClusterPolicy
+ json.Unmarshal(rawPolicy, &policy)
+
+ resourceUnstructured, err := ConvertToUnstructured(rawResource)
+ assert.NilError(t, err)
+ er := Validate(policy, *resourceUnstructured)
+ msgs := []string{"Validation rule 'validate-host-path' succesfully validated"}
+
+ for index, r := range er.PolicyResponse.Rules {
+ assert.Equal(t, r.Message, msgs[index])
+ }
+ assert.Assert(t, er.IsSuccesful())
+}
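Review bot: The return value of `json.Unmarshal(rawPolicy, &policy)` is discarded in both TestValidate_negationAnchor_deny and TestValidate_negationAnchor_pass, so a malformed policy literal leaves policy as a zero-value ClusterPolicy instead of failing the test; in the pass case that would likely produce an empty er.PolicyResponse.Rules, the message loop would assert nothing and er.IsSuccesful() would still hold, meaning the negation anchor that is supposed to reject hostPath volumes could go untested without anyone noticing. Check it the same way the ConvertToUnstructured error is checked on the next lines: `assert.NilError(t, json.Unmarshal(rawPolicy, &policy))`. The loop over er.PolicyResponse.Rules also indexes msgs[index] without first comparing counts, so an extra rule response panics with an index-out-of-range rather than a readable failure, and a missing response is silently accepted; add `assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))` before the loop in both tests. Both functions lie entirely within this hunk.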