feat: adding scopedenforcementactions (open-policy-agent#403)
* adding scopedenforcementactions Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * adding tests Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * fixing tests Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * refactoring template client and query Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * refactoring queryopts to reviewopts Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * updating comments Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * removing EP variables Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * generic webhook EP Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * simplifying constraintToBinding Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * adding comments Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * checking lowercase eps, fixing nil variable access Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * fixing file perm Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * adding tests for case sensitivity and missing enforcementaction Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * updating gk-webhook EP Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * fixing test Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * adding enforcement action and scoped enforcement actions in result and response spec Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * fixing faulty test Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * refactoring code for simplicity Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * removing comments, removing * from review opts and client opts Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * mandating client to be initialized with enforcement point Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * case sensitive check for actions Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * updating code comments Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * removing comments Signed-off-by: Jaydip Gabani 
<gabanijaydip@gmail.com> * removing enforcement action check while adding constraint to template client Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * removing all enforcement points from matches Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> * preserving enforcement point names Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> --------- Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> Signed-off-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com>
1 parent
a05810c
commit 97d977e
Showing
31 changed files
with
979 additions
and
199 deletions.
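--- /dev/null
+++ b/PLACEHOLDER_PATH
@@ -0,0 +1,213 @@
+package constraints
+
+import (
+"reflect"
+"testing"
+
+"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+const (
+// WebhookEnforcementPoint is the enforcement point for admission.
+WebhookEnforcementPoint = "validation.gatekeeper.sh"
+
+// AuditEnforcementPoint is the enforcement point for audit.
+AuditEnforcementPoint = "audit.gatekeeper.sh"
+
+// GatorEnforcementPoint is the enforcement point for gator cli.
+GatorEnforcementPoint = "gator.gatekeeper.sh"
+)
+
+func TestGetEnforcementActionsForEP(t *testing.T) {
+tests := []struct {
+name string
+constraint *unstructured.Unstructured
+eps []string
+expected map[string]map[string]bool
+err error
+}{
+{
+name: "wildcard enforcement point",
+constraint: &unstructured.Unstructured{
+Object: map[string]interface{}{
+"spec": map[string]interface{}{
+"scopedEnforcementActions": []interface{}{
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": AuditEnforcementPoint,
+},
+map[string]interface{}{
+"name": WebhookEnforcementPoint,
+},
+},
+"action": "warn",
+},
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": "*",
+},
+},
+"action": "deny",
+},
+},
+},
+},
+},
+expected: map[string]map[string]bool{
+AuditEnforcementPoint: {
+"warn": true,
+"deny": true,
+},
+WebhookEnforcementPoint: {
+"warn": true,
+"deny": true,
+},
+GatorEnforcementPoint: {
+"deny": true,
+},
+},
+eps: []string{AuditEnforcementPoint, WebhookEnforcementPoint, GatorEnforcementPoint},
+},
+{
+name: "Actions for selective enforcement point with case sensitive input",
+constraint: &unstructured.Unstructured{
+Object: map[string]interface{}{
+"spec": map[string]interface{}{
+"scopedEnforcementActions": []interface{}{
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": AuditEnforcementPoint,
+},
+map[string]interface{}{
+"name": "Validation.Gatekeeper.Sh",
+},
+},
+"action": "warn",
+},
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": "*",
+},
+},
+"action": "deny",
+},
+},
+},
+},
+},
+expected: map[string]map[string]bool{
+WebhookEnforcementPoint: {
+"deny": true,
+},
+GatorEnforcementPoint: {
+"deny": true,
+},
+},
+eps: []string{WebhookEnforcementPoint, GatorEnforcementPoint},
+},
+{
+name: "wildcard enforcement point in scoped enforcement action, get actions for two enforcement points",
+constraint: &unstructured.Unstructured{
+Object: map[string]interface{}{
+"spec": map[string]interface{}{
+"scopedEnforcementActions": []interface{}{
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": AuditEnforcementPoint,
+},
+map[string]interface{}{
+"name": WebhookEnforcementPoint,
+},
+},
+"action": "warn",
+},
+map[string]interface{}{
+"enforcementPoints": []interface{}{
+map[string]interface{}{
+"name": AllEnforcementPoints,
+},
+},
+"action": "deny",
+},
+},
+},
+},
+},
+expected: map[string]map[string]bool{
+AuditEnforcementPoint: {
+"warn": true,
+"deny": true,
+},
+WebhookEnforcementPoint: {
+"warn": true,
+"deny": true,
+},
+},
+eps: []string{WebhookEnforcementPoint, AuditEnforcementPoint},
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+actions, err := GetEnforcementActionsForEP(tt.constraint, tt.eps)
+if err != nil {
+t.Errorf("Unexpected error: %v", err)
+}
+
+got := make(map[string]map[string]bool)
+for ep, actions := range actions {
+got[ep] = make(map[string]bool)
+for _, action := range actions {
+got[ep][action] = true
+}
+}
+
+if !reflect.DeepEqual(got, tt.expected) {
+t.Errorf("Expected %v, got %v", tt.expected, actions)
+}
+})
+}
+}
+
+func TestIsEnforcementActionScoped(t *testing.T) {
+tests := []struct {
+name string
+action string
+want bool
+}{
+{
+name: "scoped enforcement action",
+action: "scoped",
+want: true,
+},
+{
+name: "Scoped enforcement action",
+action: "Scoped",
+want: false,
+},
+{
+name: "Non-scoped enforcement action",
+action: "Deny",
+want: false,
+},
+{
+name: "Empty enforcement action",
+action: "",
+want: false,
+},
+}
+
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+got := IsEnforcementActionScoped(tt.action)
+if got != tt.want {
+t.Errorf("Expected %v, got %v", tt.want, got)
+}
+})
+}
+}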
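Review bot: The error check in TestGetEnforcementActionsForEP (`t.Errorf("Unexpected error: %v", err)`) does not stop the subtest, so a failing call falls through to the DeepEqual and reports a second, misleading mismatch against an empty `got`; use `t.Fatalf("unexpected error: %v", err)`. The mismatch message then prints the raw `actions` slices rather than the normalized `got` map it actually compared, and `for ep, actions := range actions` shadows the outer variable, so `t.Errorf("Expected %v, got %v", tt.expected, got)` is what a reader needs. The `err` field in the test table is never populated or asserted, so the error path of GetEnforcementActionsForEP has no coverage here. The second case pins that `Validation.Gatekeeper.Sh` is not matched against the webhook enforcement point and only the wildcard action applies to it; a comment on that case such as `// enforcement point names are compared case-sensitively; a mis-cased name receives only the wildcard action` would stop a future maintainer from treating that expected value as a bug.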