kyverno/pkg/engine/overlayCondition_test.go

package engine

import (
	"encoding/json"
	"testing"

	"gotest.tools/assert"
)

func TestMeetConditions_NoAnchor(t *testing.T) {
	overlayRaw := []byte(`
	 {  
		"subsets":[  
		   {  
			  "ports":[  
				 {  
					"name":"secure-connection",
					"port":444,
					"protocol":"UDP"
				 }
			  ]
		   }
		]
	 }`)
	var overlay interface{}

	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(nil, overlay)
	assert.Assert(t, res)
}

func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) {
	resourceRaw := []byte(`
	 {  
		"apiVersion":"v1",
		"kind":"Endpoints",
		"metadata":{  
		   "name":"test-endpoint",
		   "labels":{  
			  "label":"test"
		   }
		},
		"subsets":[  
		   {  
			  "addresses":[  
				 {  
					"ip":"192.168.10.171"
				 }
			  ],
			  "ports":[  
				 {  
					"name":"secure-connection",
					"port":443,
					"protocol":"TCP"
				 }
			  ]
		   }
		]
	 }`)

	overlayRaw := []byte(`
	 {  
		"subsets":[  
		   {  
			  "(ports)":[  
				 {  
					"name":"secure-connection",
					"port":444,
					"protocol":"UDP"
				 }
			  ]
		   }
		]
	 }`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRaw, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, !res)

	overlayRaw = []byte(`
	{  
	   "(subsets)":[  
		  {  
			 "ports":[  
				{  
				   "name":"secure-connection",
				   "port":443,
				   "protocol":"TCP"
				}
			 ]
		  }
	   ]
	}`)

	json.Unmarshal(overlayRaw, &overlay)

	res = meetConditions(resource, overlay)
	assert.Assert(t, res)
}

func TestMeetConditions_DifferentTypes(t *testing.T) {
	resourceRaw := []byte(`
	 {  
		"apiVersion":"v1",
		"kind":"Endpoints",
		"metadata":{  
		   "name":"test-endpoint",
		},
		"subsets":[  
		   {  
			  "addresses":[  
				 {  
					"ip":"192.168.10.171"
				 }
			  ],
		   }
		]
	 }`)

	overlayRaw := []byte(`
	 {  
		"subsets":[  
		   {  
			  "ports":[  
				 {  
					"(name)":"secure-connection",
					"port":444,
					"protocol":"UDP"
				 }
			  ]
		   }
		]
	 }`)
	var resource, overlay interface{}

	json.Unmarshal(resourceRaw, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	// anchor exist
	res := meetConditions(resource, overlay)
	assert.Assert(t, !res)
}

func TestMeetConditions_anchosInSameObject(t *testing.T) {
	resourceRaw := []byte(`
	{  
	   "apiVersion":"v1",
	   "kind":"Endpoints",
	   "metadata":{  
		  "name":"test-endpoint",
		  "labels":{  
			 "label":"test"
		  }
	   },
	   "subsets":[  
		  {  
			 "addresses":[  
				{  
				   "ip":"192.168.10.171"
				}
			 ],
			 "ports":[  
				{  
				   "name":"secure-connection",
				   "port":443,
				   "protocol":"TCP"
				}
			 ]
		  }
	   ]
	}`)

	overlayRaw := []byte(`
	{  
	   "subsets":[  
		  {  
			 "ports":[  
				{  
				   "(name)":"secure-connection",
				   "(port)":444,
				   "protocol":"UDP"
				}
			 ]
		  }
	   ]
	}`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRaw, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	// no anchor
	res := meetConditions(resource, overlay)
	assert.Assert(t, !res)
}

func TestMeetConditions_anchorOnPeer(t *testing.T) {
	resourceRaw := []byte(`
	 {  
		"apiVersion":"v1",
		"kind":"Endpoints",
		"metadata":{  
		   "name":"test-endpoint",
		   "labels":{  
			  "label":"test"
		   }
		},
		"subsets":[  
		   {  
			  "addresses":[  
				 {  
					"ip":"192.168.10.171"
				 }
			  ],
			  "ports":[  
				 {  
					"name":"secure-connection",
					"port":443,
					"protocol":"TCP"
				 }
			  ]
		   }
		]
	 }`)

	overlayRaw := []byte(`
	 {  
		"subsets":[  
		   {  
			"addresses":[  
				{  
				   "(ip)":"192.168.10.171"
				}
			 ],
			  "ports":[  
				 {  
					"(name)":"secure-connection",
					"port":444,
					"protocol":"UDP"
				 }
			  ]
		   }
		]
	 }`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRaw, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, res)
}

func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) {
	overlayRaw := []byte(`{
		"spec": {
			"template": {
				"metadata": {
					"labels": {
						"(app)": "nginx"
					}
				},
				"spec": {
					"containers": [
						{
							"(image)": "*:latest",
							"imagePullPolicy": "IfNotPresent",
							"ports": [
								{
									"containerPort": 8080
								}
							]
						}
					]
				}
			}
		}
	}`)
	resourceRaw := []byte(`{
		"apiVersion": "apps/v1",
		"kind": "Deployment",
		"metadata": {
			"name": "nginx-deployment",
			"labels": {
				"app": "nginx"
			}
		},
		"spec": {
			"replicas": 1,
			"selector": {
				"matchLabels": {
					"app": "nginx"
				}
			},
			"template": {
				"metadata": {
					"labels": {
						"app": "nginx"
					}
				},
				"spec": {
					"containers": [
						{
							"name": "nginx",
							"image": "nginx:latest",
							"ports": [
								{
									"containerPort": 80
								}
							]
						},
						{
							"name": "ghost",
							"image": "ghost:latest"
						}
					]
				}
			}
		}
	}`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRaw, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, res)
}

var resourceRawAnchorOnPeers = []byte(`{
	"apiVersion": "apps/v1",
	"kind": "Deployment",
	"metadata": {
	   "name": "psp-demo-unprivileged",
	   "labels": {
		  "app.type": "prod"
	   }
	},
	"spec": {
	   "replicas": 1,
	   "selector": {
		  "matchLabels": {
			 "app": "psp"
		  }
	   },
	   "template": {
		  "metadata": {
			 "labels": {
				"app": "psp"
			 }
		  },
		  "spec": {
			 "securityContext": {
				"runAsNonRoot": true
			 },
			 "containers": [
				{
				   "name": "sec-ctx-unprivileged",
				   "image": "nginxinc/nginx-unprivileged",
				   "securityContext": {
					  "runAsNonRoot": true,
					  "allowPrivilegeEscalation": false
				   },
				   "env": [
					  {
						 "name": "ENV_KEY",
						 "value": "ENV_VALUE"
					  }
				   ]
				}
			 ]
		  }
	   }
	}
 }`)

func TestMeetConditions_anchorsOnPeer_single(t *testing.T) {
	overlayRaw := []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "runAsNonRoot": true,
						  "allowPrivilegeEscalation": false
					   },
					   "env": [
						  {
							 "name": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, res)
}

func TestMeetConditions_anchorsOnPeer_two(t *testing.T) {
	overlayRaw := []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "(runAsNonRoot)": true,
						  "allowPrivilegeEscalation": false
					   },
					   "env": [
						  {
							 "name": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, res)

	overlayRaw = []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "runAsNonRoot": true,
						  "allowPrivilegeEscalation": false
					   },
					   "env": [
						  {
							 "(name)": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	json.Unmarshal(overlayRaw, &overlay)

	res = meetConditions(resource, overlay)
	assert.Assert(t, res)

	overlayRaw = []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "image": "*/nginx-unprivileged",
					   "securityContext": {
						  "runAsNonRoot": true,
						  "(allowPrivilegeEscalation)": false
					   },
					   "env": [
						  {
							 "(name)": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	json.Unmarshal(overlayRaw, &overlay)

	res = meetConditions(resource, overlay)
	assert.Assert(t, res)
}

func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) {
	overlayRaw := []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "(runAsNonRoot)": true,
						  "allowPrivilegeEscalation": false
					   },
					   "env": [
						  {
							 "(name)": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	var resource, overlay interface{}

	json.Unmarshal(resourceRawAnchorOnPeers, &resource)
	json.Unmarshal(overlayRaw, &overlay)

	res := meetConditions(resource, overlay)
	assert.Assert(t, res)

	overlayRaw = []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "runAsNonRoot": true,
						  "(allowPrivilegeEscalation)": false
					   },
					   "env": [
						  {
							 "(name)": "ENV_KEY",
							 "value": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	json.Unmarshal(overlayRaw, &overlay)

	res = meetConditions(resource, overlay)
	assert.Assert(t, res)

	overlayRaw = []byte(`{
		"spec": {
		   "template": {
			  "spec": {
				 "containers": [
					{
					   "(image)": "*/nginx-unprivileged",
					   "securityContext": {
						  "runAsNonRoot": true,
						  "(allowPrivilegeEscalation)": false
					   },
					   "env": [
						  {
							 "(name)": "ENV_KEY",
							 "(value)": "ENV_VALUE"
						  }
					   ]
					}
				 ]
			  }
		   }
		}
	 }`)

	json.Unmarshal(overlayRaw, &overlay)

	res = meetConditions(resource, overlay)
	assert.Assert(t, res)

}