ingress: Testing for FromGroups

In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>

pkg/policy/api/egress_test.go

@@ -23,7 +23,7 @@ func (s *PolicyAPITestSuite) TestRequiresDerivativeRuleWithoutToGroups(c *C) {
 func (s *PolicyAPITestSuite) TestRequiresDerivativeRuleWithToGroups(c *C) {
 	eg := EgressRule{}
 	eg.ToGroups = []Groups{
-		GetToGroupsRule(),
+		GetGroupsRule(),
 	}
 	c.Assert(eg.RequiresDerivative(), Equals, true)
 }
@@ -55,7 +55,7 @@ func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithToGroupsWitInvalidRegis
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}
@@ -70,7 +70,7 @@ func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithToGroupsAndToPorts(c *C
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}
@@ -93,7 +93,7 @@ func (s *PolicyAPITestSuite) TestCreateDerivativeWithoutErrorAndNoIPs(c *C) {
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}

pkg/policy/api/groups_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/cilium/cilium/pkg/checker"
 )
 
-func GetToGroupsRule() Groups {
+func GetGroupsRule() Groups {
 	return Groups{
 		AWS: &AWSGroup{
 			Labels: map[string]string{
@@ -48,7 +48,7 @@ func (s *PolicyAPITestSuite) TestGetCIDRSetWithValidValue(c *C) {
 
 	expectedCidrRule := []CIDRRule{
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true}}
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	c.Assert(cidr, checker.DeepEquals, expectedCidrRule)
 	c.Assert(err, IsNil)
@@ -61,7 +61,7 @@ func (s *PolicyAPITestSuite) TestGetCIDRSetWithMultipleSorted(c *C) {
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.3/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.10/32", ExceptCIDRs: []CIDR{}, Generated: true}}
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	c.Assert(cidr, checker.DeepEquals, expectedCidrRule)
 	c.Assert(err, IsNil)
@@ -75,7 +75,7 @@ func (s *PolicyAPITestSuite) TestGetCIDRSetWithUniqueCIDRRule(c *C) {
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.10/32", ExceptCIDRs: []CIDR{}, Generated: true}}
 
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	c.Assert(cidr, checker.DeepEquals, cidrRule)
 	c.Assert(err, IsNil)
@@ -86,7 +86,7 @@ func (s *PolicyAPITestSuite) TestGetCIDRSetWithError(c *C) {
 		return []netip.Addr{}, fmt.Errorf("Invalid credentials")
 	}
 	RegisterToGroupsProvider(AWSProvider, cb)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	c.Assert(cidr, IsNil)
 	c.Assert(err, NotNil)
@@ -95,7 +95,7 @@ func (s *PolicyAPITestSuite) TestGetCIDRSetWithError(c *C) {
 
 func (s *PolicyAPITestSuite) TestWithoutProviderRegister(c *C) {
 	providers.Delete(AWSProvider)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	c.Assert(cidr, IsNil)
 	c.Assert(err, NotNil)
@@ -104,7 +104,7 @@ func (s *PolicyAPITestSuite) TestWithoutProviderRegister(c *C) {
 func BenchmarkGetCIDRSet(b *testing.B) {
 	cb := GetCallBackWithRule("192.168.1.1", "192.168.10.10", "192.168.10.3")
 	RegisterToGroupsProvider(AWSProvider, cb)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {

pkg/policy/api/ingress_test.go

@@ -4,13 +4,67 @@
 package api
 
 import (
+	"context"
+
 	. "github.com/cilium/checkmate"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/cilium/cilium/pkg/checker"
 	slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
 )
 
+func (s *PolicyAPITestSuite) TestIngressRequiresDerivativeRuleWithoutToGroups(c *C) {
+	ig := IngressRule{}
+	c.Assert(ig.RequiresDerivative(), Equals, false)
+}
+
+func (s *PolicyAPITestSuite) TestRequiresDerivativeRuleWithFromGroups(c *C) {
+	ig := IngressRule{}
+	ig.FromGroups = []Groups{
+		GetGroupsRule(),
+	}
+	c.Assert(ig.RequiresDerivative(), Equals, true)
+}
+
+func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithoutFromGroups(c *C) {
+	ig := &IngressRule{
+		IngressCommonRule: IngressCommonRule{
+			FromEndpoints: []EndpointSelector{
+				{
+					LabelSelector: &slim_metav1.LabelSelector{MatchLabels: map[string]string{
+						"test": "true",
+					},
+					},
+				},
+			},
+		},
+	}
+	newRule, err := ig.CreateDerivative(context.TODO())
+	c.Assert(ig, checker.DeepEquals, newRule)
+	c.Assert(err, IsNil)
+}
+
+func (s *PolicyAPITestSuite) TestCreateDerivativeRuleWithFromGroups(c *C) {
+	cb := GetCallBackWithRule("192.168.1.1")
+	RegisterToGroupsProvider(AWSProvider, cb)
+
+	ig := &IngressRule{
+		IngressCommonRule: IngressCommonRule{
+			FromGroups: []Groups{
+				GetGroupsRule(),
+			},
+		},
+	}
+
+	// Checking that the derivative rule is working correctly
+	c.Assert(ig.RequiresDerivative(), Equals, true)
+
+	newRule, err := ig.CreateDerivative(context.TODO())
+	c.Assert(err, IsNil)
+	c.Assert(len(newRule.FromGroups), Equals, 0)
+	c.Assert(len(newRule.FromCIDRSet), Equals, 1)
+}
+
 func (s *PolicyAPITestSuite) TestIsLabelBasedIngress(c *C) {
 	type args struct {
 		eg *IngressRule

pkg/policy/api/rule_test.go

@@ -42,7 +42,7 @@ func getEgressRuleWithToGroups() *Rule {
 			{
 				EgressCommonRule: EgressCommonRule{
 					ToGroups: []Groups{
-						GetToGroupsRule(),
+						GetGroupsRule(),
 					},
 				},
 			},
@@ -56,7 +56,35 @@ func getEgressDenyRuleWithToGroups() *Rule {
 			{
 				EgressCommonRule: EgressCommonRule{
 					ToGroups: []Groups{
-						GetToGroupsRule(),
+						GetGroupsRule(),
+					},
+				},
+			},
+		},
+	}
+}
+
+func getIngressRuleWithFromGroups() *Rule {
+	return &Rule{
+		Ingress: []IngressRule{
+			{
+				IngressCommonRule: IngressCommonRule{
+					FromGroups: []Groups{
+						GetGroupsRule(),
+					},
+				},
+			},
+		},
+	}
+}
+
+func getIngressDenyRuleWithFromGroups() *Rule {
+	return &Rule{
+		IngressDeny: []IngressDenyRule{
+			{
+				IngressCommonRule: IngressCommonRule{
+					FromGroups: []Groups{
+						GetGroupsRule(),
 					},
 				},
 			},
@@ -73,6 +101,12 @@ func (s *PolicyAPITestSuite) TestRequiresDerivative(c *C) {
 
 	egressDenyRuleWithToGroups := getEgressDenyRuleWithToGroups()
 	c.Assert(egressDenyRuleWithToGroups.RequiresDerivative(), Equals, true)
+
+	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
+	c.Assert(ingressRuleWithToGroups.RequiresDerivative(), Equals, true)
+
+	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
+	c.Assert(ingressDenyRuleWithToGroups.RequiresDerivative(), Equals, true)
 }
 
 func (s *PolicyAPITestSuite) TestCreateDerivative(c *C) {
@@ -97,4 +131,18 @@ func (s *PolicyAPITestSuite) TestCreateDerivative(c *C) {
 	c.Assert(len(newRule.Egress), Equals, 0)
 	c.Assert(len(newRule.EgressDeny), Equals, 1)
 	c.Assert(len(newRule.EgressDeny[0].ToCIDRSet), Equals, 1)
+
+	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
+	newRule, err = ingressRuleWithToGroups.CreateDerivative(context.TODO())
+	c.Assert(err, IsNil)
+	c.Assert(len(newRule.IngressDeny), Equals, 0)
+	c.Assert(len(newRule.Ingress), Equals, 1)
+	c.Assert(len(newRule.Ingress[0].FromCIDRSet), Equals, 1)
+
+	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
+	newRule, err = ingressDenyRuleWithToGroups.CreateDerivative(context.TODO())
+	c.Assert(err, IsNil)
+	c.Assert(len(newRule.Ingress), Equals, 0)
+	c.Assert(len(newRule.IngressDeny), Equals, 1)
+	c.Assert(len(newRule.IngressDeny[0].FromCIDRSet), Equals, 1)
 }