Improvements to mustrunas_test.go #41995

Merged
merged 1 commit into from
Apr 10, 2017
83 changes: 42 additions & 41 deletions pkg/security/podsecuritypolicy/capabilities/mustrunas_test.go
@@ -25,14 +25,11 @@ import (

func TestGenerateAdds(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
requiredDropCaps []api.Capability
containerCaps *api.Capabilities
expectedCaps *api.Capabilities
defaultAddCaps []api.Capability
containerCaps *api.Capabilities
expectedCaps *api.Capabilities
}{
"no required, no container requests": {
expectedCaps: nil,
},
"no required, no container requests": {},
"required, no container requests": {
defaultAddCaps: []api.Capability{"foo"},
expectedCaps: &api.Capabilities{
@@ -93,7 +90,7 @@ func TestGenerateAdds(t *testing.T) {
},
}

strategy, err := NewDefaultCapabilities(v.defaultAddCaps, v.requiredDropCaps, nil)
strategy, err := NewDefaultCapabilities(v.defaultAddCaps, nil, nil)
if err != nil {
t.Errorf("%s failed: %v", k, err)
continue
@@ -216,23 +213,19 @@ func TestGenerateDrops(t *testing.T) {

func TestValidateAdds(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
requiredDropCaps []api.Capability
allowedCaps []api.Capability
containerCaps *api.Capabilities
shouldPass bool
defaultAddCaps []api.Capability
allowedCaps []api.Capability
containerCaps *api.Capabilities
expectedError string
}{
// no container requests
"no required, no allowed, no container requests": {
shouldPass: true,
},
"no required, no allowed, no container requests": {},
"no required, allowed, no container requests": {
allowedCaps: []api.Capability{"foo"},
shouldPass: true,
},
"required, no allowed, no container requests": {
defaultAddCaps: []api.Capability{"foo"},
shouldPass: false,
expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
},

// container requests match required
@@ -241,14 +234,13 @@ func TestValidateAdds(t *testing.T) {
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
shouldPass: true,
},
"required, no allowed, container requests invalid": {
defaultAddCaps: []api.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
shouldPass: false,
expectedError: `capabilities.add: Invalid value: "bar": capability may not be added`,
},

// container requests match allowed
@@ -257,14 +249,13 @@ func TestValidateAdds(t *testing.T) {
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
shouldPass: true,
},
"no required, allowed, container requests invalid": {
allowedCaps: []api.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
shouldPass: false,
expectedError: `capabilities.add: Invalid value: "bar": capability may not be added`,
},

// required and allowed
@@ -274,30 +265,28 @@ func TestValidateAdds(t *testing.T) {
containerCaps: &api.Capabilities{
Add: []api.Capability{"foo"},
},
shouldPass: true,
},
"required, allowed, container requests valid allowed": {
defaultAddCaps: []api.Capability{"foo"},
allowedCaps: []api.Capability{"bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"bar"},
},
shouldPass: true,
},
"required, allowed, container requests invalid": {
defaultAddCaps: []api.Capability{"foo"},
allowedCaps: []api.Capability{"bar"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"baz"},
},
shouldPass: false,
expectedError: `capabilities.add: Invalid value: "baz": capability may not be added`,
},
"validation is case sensitive": {
defaultAddCaps: []api.Capability{"foo"},
containerCaps: &api.Capabilities{
Add: []api.Capability{"FOO"},
},
shouldPass: false,
expectedError: `capabilities.add: Invalid value: "FOO": capability may not be added`,
},
}

@@ -308,36 +297,41 @@ func TestValidateAdds(t *testing.T) {
},
}

strategy, err := NewDefaultCapabilities(v.defaultAddCaps, v.requiredDropCaps, v.allowedCaps)
strategy, err := NewDefaultCapabilities(v.defaultAddCaps, nil, v.allowedCaps)
if err != nil {
t.Errorf("%s failed: %v", k, err)
continue
}
errs := strategy.Validate(nil, container)
if v.shouldPass && len(errs) > 0 {
if v.expectedError == "" && len(errs) > 0 {
t.Errorf("%s should have passed but had errors %v", k, errs)
continue
}
if !v.shouldPass && len(errs) == 0 {
if v.expectedError != "" && len(errs) == 0 {
t.Errorf("%s should have failed but received no errors", k)
continue
}
if len(errs) == 1 && errs[0].Error() != v.expectedError {
t.Errorf("%s should have failed with %v but received %v", k, v.expectedError, errs[0])
continue
}
if len(errs) > 1 {
t.Errorf("%s should have failed with at most one error, but received %v: %v", k, len(errs), errs)
}
}
}

func TestValidateDrops(t *testing.T) {
tests := map[string]struct {
defaultAddCaps []api.Capability
requiredDropCaps []api.Capability
containerCaps *api.Capabilities
shouldPass bool
expectedError string
}{
// no container requests
"no required, no container requests": {
shouldPass: true,
},
"no required, no container requests": {},
"required, no container requests": {
requiredDropCaps: []api.Capability{"foo"},
shouldPass: false,
expectedError: `capabilities: Invalid value: "null": required capabilities are not set on the securityContext`,
},

// container requests match required
@@ -346,21 +340,20 @@ func TestValidateDrops(t *testing.T) {
containerCaps: &api.Capabilities{
Drop: []api.Capability{"foo"},
},
shouldPass: true,
},
"required, container requests invalid": {
requiredDropCaps: []api.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"bar"},
},
shouldPass: false,
expectedError: `capabilities.drop: Invalid value: []api.Capability{"bar"}: foo is required to be dropped but was not found`,
},
"validation is case sensitive": {
requiredDropCaps: []api.Capability{"foo"},
containerCaps: &api.Capabilities{
Drop: []api.Capability{"FOO"},
},
shouldPass: false,
expectedError: `capabilities.drop: Invalid value: []api.Capability{"FOO"}: foo is required to be dropped but was not found`,
},
}

@@ -371,18 +364,26 @@ func TestValidateDrops(t *testing.T) {
},
}

strategy, err := NewDefaultCapabilities(v.defaultAddCaps, v.requiredDropCaps, nil)
strategy, err := NewDefaultCapabilities(nil, v.requiredDropCaps, nil)
if err != nil {
t.Errorf("%s failed: %v", k, err)
continue
}
errs := strategy.Validate(nil, container)
if v.shouldPass && len(errs) > 0 {
if v.expectedError == "" && len(errs) > 0 {
t.Errorf("%s should have passed but had errors %v", k, errs)
continue
}
if !v.shouldPass && len(errs) == 0 {
if v.expectedError != "" && len(errs) == 0 {
t.Errorf("%s should have failed but received no errors", k)
continue
}
if len(errs) == 1 && errs[0].Error() != v.expectedError {
t.Errorf("%s should have failed with %v but received %v", k, v.expectedError, errs[0])
continue
}
if len(errs) > 1 {
t.Errorf("%s should have failed with at most one error, but received %v: %v", k, len(errs), errs)
}
}
}
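Review bot: In TestValidateAdds the only visible case-sensitivity case ("validation is case sensitive") exercises the required list (`defaultAddCaps`); no visible case sends a differently-cased name against `allowedCaps`, so an allow-list comparison that folded case would still pass this table. Now that `expectedError` pins the exact rejection message, an allowed-list variant is a single extra entry and keeps the allow path fail-closed under test. The case table is split across several hunks with collapsed lines between them, so a hidden case may already cover this. Separately, the four-step `errs` check is repeated verbatim in TestValidateAdds and TestValidateDrops and could live in one small helper.

```go
		"validation is case sensitive": {
			// … unchanged: required "foo", container adds "FOO" …
		},
		"allowed list is case sensitive": {
			allowedCaps: []api.Capability{"foo"},
			containerCaps: &api.Capabilities{
				Add: []api.Capability{"FOO"},
			},
			expectedError: `capabilities.add: Invalid value: "FOO": capability may not be added`,
		},
```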