mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
a205bc3e2e
* Fix webhook rules equality when internal is empty The current implementation of the 'webhookRulesEqual' didn't check for the corner case were both the internal representation and the API have length of one, but the internal representation has 1 rule with no selectors. In this case the 'webhookRulesEqual' should return false, as the 2 configurations are not the same. Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com> * Fix tests Add a small time delay when checking if a Policy is ready in tests to ensure that the Policy is actually ready. Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
143 lines
4.4 KiB
Go
143 lines
4.4 KiB
Go
package webhookconfig
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"gotest.tools/assert"
|
|
)
|
|
|
|
var (
|
|
emptyInternalRules []interface{}
|
|
emptyAPIRules []interface{}
|
|
|
|
configmapsInternalRules []interface{}
|
|
configmapsAPIRules []interface{}
|
|
|
|
configmapsSecretsInternalRules []interface{}
|
|
configmapsSecretsAPIRules []interface{}
|
|
|
|
secretsConfigmapsInternalRules []interface{}
|
|
secretsConfigmapsAPIRules []interface{}
|
|
|
|
badAPIRules []interface{}
|
|
)
|
|
|
|
func init() {
|
|
// No rules.
|
|
// Internal representation is a rule with no selectors.
|
|
// API server representation is no rule (nil).
|
|
emptyInternalRules = []interface{}{map[string]interface{}{}}
|
|
emptyAPIRules = nil
|
|
|
|
// Rule selecting configmaps.
|
|
// API server representation matches the internal
|
|
// representation but has extra fields "operations" and "scope",
|
|
// and is of interface types instead of strings.
|
|
configmapsInternalRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []string{""},
|
|
"apiVersions": []string{"v1"},
|
|
"resources": []string{"configmaps"},
|
|
},
|
|
}
|
|
configmapsAPIRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []interface{}{""},
|
|
"apiVersions": []interface{}{"v1"},
|
|
"resources": []interface{}{"configmaps"},
|
|
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
|
|
"scope": "*",
|
|
},
|
|
}
|
|
|
|
// Rule selecting configmaps and secrets.
|
|
// API server representation matches the internal
|
|
// representation but has extra fields "operations" and "scope",
|
|
// and is of interface types instead of strings.
|
|
configmapsSecretsInternalRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []string{""},
|
|
"apiVersions": []string{"v1"},
|
|
"resources": []string{"configmaps", "secrets"},
|
|
},
|
|
}
|
|
configmapsSecretsAPIRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []interface{}{""},
|
|
"apiVersions": []interface{}{"v1"},
|
|
"resources": []interface{}{"configmaps", "secrets"},
|
|
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
|
|
"scope": "*",
|
|
},
|
|
}
|
|
|
|
// Same as previous but reversing the order of configmaps and secrets.
|
|
secretsConfigmapsInternalRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []string{""},
|
|
"apiVersions": []string{"v1"},
|
|
"resources": []string{"secrets", "configmaps"},
|
|
},
|
|
}
|
|
secretsConfigmapsAPIRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []interface{}{""},
|
|
"apiVersions": []interface{}{"v1"},
|
|
"resources": []interface{}{"secrets", "configmaps"},
|
|
"operations": []interface{}{"CREATE", "UPDATE", "DELETE", "CONNECT"},
|
|
"scope": "*",
|
|
},
|
|
}
|
|
|
|
// API rules with missing fields.
|
|
badAPIRules = []interface{}{
|
|
map[string]interface{}{
|
|
"apiGroups": []interface{}{""},
|
|
},
|
|
}
|
|
}
|
|
|
|
func TestRulesEqual(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
internal []interface{}
|
|
apiserver []interface{}
|
|
equal bool
|
|
shouldErr bool
|
|
}{
|
|
// Both empty. Should be equal.
|
|
{"empty-equal", emptyInternalRules, emptyAPIRules, true, false},
|
|
|
|
// Both rules select configmaps. Should be equal.
|
|
{"configmaps-equal", configmapsInternalRules, configmapsAPIRules, true, false},
|
|
|
|
// Both rules select configmaps and secrets. Should be equal.
|
|
{"cm-secrets-equal", configmapsSecretsInternalRules, configmapsSecretsAPIRules, true, false},
|
|
|
|
// Both rules select secrets and configmaps (reversed compared to previous). Should be equal.
|
|
{"secrets-cm-equal", secretsConfigmapsInternalRules, secretsConfigmapsAPIRules, true, false},
|
|
|
|
// Internal empty, API has one rule. Not equal.
|
|
{"internal-empty-api-single", emptyInternalRules, configmapsSecretsAPIRules, false, false},
|
|
|
|
// Internal is updated from nothing to configmaps. Not equal.
|
|
{"add-configmaps", configmapsInternalRules, emptyAPIRules, false, false},
|
|
|
|
// Internal is updated from configmaps to configmaps and secrets. Not equal.
|
|
{"add-secrets", configmapsSecretsInternalRules, configmapsAPIRules, false, false},
|
|
|
|
// Order of configmaps and secrets is switched. Not equal.
|
|
{"order-switched", configmapsSecretsInternalRules, secretsConfigmapsAPIRules, false, false},
|
|
|
|
// Malformed API rules, if modified by user or something like that. Not equal.
|
|
{"bad-api-rules", configmapsInternalRules, badAPIRules, false, false},
|
|
}
|
|
|
|
for _, test := range tests {
|
|
t.Run(test.name, func(t *testing.T) {
|
|
equal, err := webhookRulesEqual(test.apiserver, test.internal)
|
|
assert.Equal(t, err != nil, test.shouldErr)
|
|
assert.Equal(t, equal, test.equal)
|
|
})
|
|
}
|
|
}
|