ingress: Testing for FromGroups

In the previous commit and cilium#30708 the fromGroups resource was added, but testing was not covered properly. This commit validates that we are working as expected. Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring · May 3, 2024 · c23a75e · c23a75e
1 parent 5d05593
commit c23a75e
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 16 deletions.
diff --git a/pkg/policy/api/egress_test.go b/pkg/policy/api/egress_test.go
@@ -23,7 +23,7 @@ func TestRequiresDerivativeRuleWithoutToGroups(t *testing.T) {
 func TestRequiresDerivativeRuleWithToGroups(t *testing.T) {
 	eg := EgressRule{}
 	eg.ToGroups = []Groups{
-		GetToGroupsRule(),
+		GetGroupsRule(),
 	}
 	require.Equal(t, true, eg.RequiresDerivative())
 }
@@ -55,7 +55,7 @@ func TestCreateDerivativeRuleWithToGroupsWitInvalidRegisterCallback(t *testing.T
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}
@@ -70,7 +70,7 @@ func TestCreateDerivativeRuleWithToGroupsAndToPorts(t *testing.T) {
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}
@@ -93,7 +93,7 @@ func TestCreateDerivativeWithoutErrorAndNoIPs(t *testing.T) {
 	eg := &EgressRule{
 		EgressCommonRule: EgressCommonRule{
 			ToGroups: []Groups{
-				GetToGroupsRule(),
+				GetGroupsRule(),
 			},
 		},
 	}

diff --git a/pkg/policy/api/groups_test.go b/pkg/policy/api/groups_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func GetToGroupsRule() Groups {
+func GetGroupsRule() Groups {
 	return Groups{
 		AWS: &AWSGroup{
 			Labels: map[string]string{
@@ -46,7 +46,7 @@ func TestGetCIDRSetWithValidValue(t *testing.T) {
 
 	expectedCidrRule := []CIDRRule{
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true}}
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	require.EqualValues(t, expectedCidrRule, cidr)
 	require.Nil(t, err)
@@ -59,7 +59,7 @@ func TestGetCIDRSetWithMultipleSorted(t *testing.T) {
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.3/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.10/32", ExceptCIDRs: []CIDR{}, Generated: true}}
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	require.EqualValues(t, expectedCidrRule, cidr)
 	require.Nil(t, err)
@@ -73,7 +73,7 @@ func TestGetCIDRSetWithUniqueCIDRRule(t *testing.T) {
 		{Cidr: "192.168.1.1/32", ExceptCIDRs: []CIDR{}, Generated: true},
 		{Cidr: "192.168.10.10/32", ExceptCIDRs: []CIDR{}, Generated: true}}
 
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	require.EqualValues(t, cidrRule, cidr)
 	require.Nil(t, err)
@@ -86,7 +86,7 @@ func TestGetCIDRSetWithError(t *testing.T) {
 		return []netip.Addr{}, fmt.Errorf("Invalid credentials")
 	}
 	RegisterToGroupsProvider(AWSProvider, cb)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	require.Nil(t, cidr)
 	require.Error(t, err)
@@ -96,7 +96,7 @@ func TestWithoutProviderRegister(t *testing.T) {
 	setUpSuite(t)
 
 	providers.Delete(AWSProvider)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	cidr, err := group.GetCidrSet(context.TODO())
 	require.Nil(t, cidr)
 	require.Error(t, err)
@@ -105,7 +105,7 @@ func TestWithoutProviderRegister(t *testing.T) {
 func BenchmarkGetCIDRSet(b *testing.B) {
 	cb := GetCallBackWithRule("192.168.1.1", "192.168.10.10", "192.168.10.3")
 	RegisterToGroupsProvider(AWSProvider, cb)
-	group := GetToGroupsRule()
+	group := GetGroupsRule()
 	b.ReportAllocs()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {

diff --git a/pkg/policy/api/ingress_test.go b/pkg/policy/api/ingress_test.go
@@ -4,18 +4,70 @@
 package api
 
 import (
-	"fmt"
+	"context"
 	"testing"
 
+	"fmt"
+
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	slim_metav1 "github.com/cilium/cilium/pkg/k8s/slim/k8s/apis/meta/v1"
 )
 
-func TestIsLabelBasedIngress(t *testing.T) {
-	setUpSuite(t)
+func TestIngressRequiresDerivativeRuleWithoutToGroups(t *testing.T) {
+	ig := IngressRule{}
+	require.Equal(t, false, ig.RequiresDerivative())
+}
+
+func TestRequiresDerivativeRuleWithFromGroups(t *testing.T) {
+	ig := IngressRule{}
+	ig.FromGroups = []Groups{
+		GetGroupsRule(),
+	}
+	require.Equal(t, true, ig.RequiresDerivative())
+}
+
+func TestCreateDerivativeRuleWithoutFromGroups(t *testing.T) {
+	ig := &IngressRule{
+		IngressCommonRule: IngressCommonRule{
+			FromEndpoints: []EndpointSelector{
+				{
+					LabelSelector: &slim_metav1.LabelSelector{MatchLabels: map[string]string{
+						"test": "true",
+					},
+					},
+				},
+			},
+		},
+	}
+	newRule, err := ig.CreateDerivative(context.TODO())
+	require.EqualValues(t, newRule, ig)
+	require.Nil(t, err)
+}
+
+func TestCreateDerivativeRuleWithFromGroups(t *testing.T) {
+	cb := GetCallBackWithRule("192.168.1.1")
+	RegisterToGroupsProvider(AWSProvider, cb)
+
+	ig := &IngressRule{
+		IngressCommonRule: IngressCommonRule{
+			FromGroups: []Groups{
+				GetGroupsRule(),
+			},
+		},
+	}
+
+	// Checking that the derivative rule is working correctly
+	require.Equal(t, true, ig.RequiresDerivative())
 
+	newRule, err := ig.CreateDerivative(context.TODO())
+	require.Nil(t, err)
+	require.Equal(t, 0, len(newRule.FromGroups))
+	require.Equal(t, 1, len(newRule.FromCIDRSet))
+}
+
+func TestIsLabelBasedIngress(t *testing.T) {
 	type args struct {
 		eg *IngressRule
 	}

diff --git a/pkg/policy/api/rule_test.go b/pkg/policy/api/rule_test.go
@@ -45,7 +45,7 @@ func getEgressRuleWithToGroups() *Rule {
 			{
 				EgressCommonRule: EgressCommonRule{
 					ToGroups: []Groups{
-						GetToGroupsRule(),
+						GetGroupsRule(),
 					},
 				},
 			},
@@ -59,7 +59,35 @@ func getEgressDenyRuleWithToGroups() *Rule {
 			{
 				EgressCommonRule: EgressCommonRule{
 					ToGroups: []Groups{
-						GetToGroupsRule(),
+						GetGroupsRule(),
+					},
+				},
+			},
+		},
+	}
+}
+
+func getIngressRuleWithFromGroups() *Rule {
+	return &Rule{
+		Ingress: []IngressRule{
+			{
+				IngressCommonRule: IngressCommonRule{
+					FromGroups: []Groups{
+						GetGroupsRule(),
+					},
+				},
+			},
+		},
+	}
+}
+
+func getIngressDenyRuleWithFromGroups() *Rule {
+	return &Rule{
+		IngressDeny: []IngressDenyRule{
+			{
+				IngressCommonRule: IngressCommonRule{
+					FromGroups: []Groups{
+						GetGroupsRule(),
 					},
 				},
 			},
@@ -78,6 +106,12 @@ func TestRequiresDerivative(t *testing.T) {
 
 	egressDenyRuleWithToGroups := getEgressDenyRuleWithToGroups()
 	require.Equal(t, true, egressDenyRuleWithToGroups.RequiresDerivative())
+
+	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
+	require.Equal(t, true, ingressRuleWithToGroups.RequiresDerivative())
+
+	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
+	require.Equal(t, true, ingressDenyRuleWithToGroups.RequiresDerivative())
 }
 
 func TestCreateDerivative(t *testing.T) {
@@ -104,4 +138,18 @@ func TestCreateDerivative(t *testing.T) {
 	require.Equal(t, 0, len(newRule.Egress))
 	require.Equal(t, 1, len(newRule.EgressDeny))
 	require.Equal(t, 1, len(newRule.EgressDeny[0].ToCIDRSet))
+
+	ingressRuleWithToGroups := getIngressRuleWithFromGroups()
+	newRule, err = ingressRuleWithToGroups.CreateDerivative(context.TODO())
+	require.Nil(t, err)
+	require.Equal(t, 0, len(newRule.IngressDeny))
+	require.Equal(t, 1, len(newRule.Ingress))
+	require.Equal(t, 1, len(newRule.Ingress[0].FromCIDRSet))
+
+	ingressDenyRuleWithToGroups := getIngressDenyRuleWithFromGroups()
+	newRule, err = ingressDenyRuleWithToGroups.CreateDerivative(context.TODO())
+	require.Nil(t, err)
+	require.Equal(t, 0, len(newRule.Ingress))
+	require.Equal(t, 1, len(newRule.IngressDeny))
+	require.Equal(t, 1, len(newRule.IngressDeny[0].FromCIDRSet))
 }