From 5e89f7d9f74654781cf0616946ec4394fe18090c Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Thu, 9 May 2024 17:22:04 -0700 Subject: [PATCH 1/2] Adding test for network policy regex Added e2e test for configure-network-policies-namespaces rule, test if whitelist-regex works as expected --- tests/e2e/framework/common.go | 8 ++ tests/e2e/serial/main_test.go | 163 ++++++++++++++++++++++++++++++++++ 2 files changed, 171 insertions(+) diff --git a/tests/e2e/framework/common.go b/tests/e2e/framework/common.go index 05a6b8e9b..0d04b00b0 100644 --- a/tests/e2e/framework/common.go +++ b/tests/e2e/framework/common.go @@ -1217,6 +1217,14 @@ func (f *Framework) AssertScanSettingBindingConditionIsReady(name string, namesp } +func (f *Framework) AssertVariableExists(name, namespace string) error { + v := &compv1alpha1.Variable{} + err := f.Client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, v) + if err != nil { + return fmt.Errorf("Failed to get Variable %s: %w", name, err) + } + return nil +} func (f *Framework) AssertScanSettingBindingConditionIsSuspended(name string, namespace string) error { ssb := &compv1alpha1.ScanSettingBinding{} err := f.Client.Get(context.TODO(), types.NamespacedName{Name: name, Namespace: namespace}, ssb) diff --git a/tests/e2e/serial/main_test.go b/tests/e2e/serial/main_test.go index 62ec9992a..b13572081 100644 --- a/tests/e2e/serial/main_test.go +++ b/tests/e2e/serial/main_test.go @@ -6,6 +6,7 @@ import ( "log" "os" "runtime" + "strings" "testing" "time" 
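Review bot: The error built in the new AssertVariableExists is capitalized and prefixed with "Failed to", which reads doubly once a caller wraps it with its own context; Go convention is a lowercase message that says what this layer was doing, e.g. `return fmt.Errorf("getting Variable %s/%s: %w", namespace, name, err)`, and including the namespace makes a miss easier to diagnose. The hunk adds exactly eight lines with no blank line among them, so at one of the two junctions (`}` before `+func` or `+}` before the existing `func (f *Framework) AssertScanSettingBindingConditionIsSuspended`) two top-level declarations appear to run together; the collapsed hunk hides which, but a blank line is needed there. As an exported method it should also carry a doc comment, e.g. `// AssertVariableExists returns an error if the Variable name cannot be read from namespace.`.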
@@ -1933,6 +1934,168 @@ func TestSuspendScanSettingDoesNotCreateScan(t *testing.T) { } } +func TestConfigureNetworkPolicy(t *testing.T) { + f := framework.Global + suiteName := "test-configure-network-policy" + suiteNameNoPass := "test-configure-network-policy-no-pass" + variableName := "ocp4-var-network-policies-namespaces-exempt-regex" + // Create a dummy namespace to test the network policy + ns := &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configure-network-policy", + }, + } + err := f.Client.Create(context.TODO(), ns, nil) + if err != nil { + t.Fatal(err) + } + defer f.Client.Delete(context.TODO(), ns) + + err = f.AssertVariableExists(variableName, f.OperatorNamespace) + if err != nil { + t.Fatal(err) + } + + nsList := corev1.NamespaceList{} + err = f.Client.List(context.TODO(), &nsList) + if err != nil { + t.Fatal(err) + } + + regextValue := "" + + for _, ns := range nsList.Items { + if strings.HasPrefix(ns.Name, "openshift-") || strings.HasPrefix(ns.Name, "kube-") { + continue + } + regextValue = regextValue + ns.Name + "|" + } + + regextValue = regextValue + ns.ObjectMeta.Name + + tp := &compv1alpha1.TailoredProfile{ + ObjectMeta: metav1.ObjectMeta{ + Name: suiteName, + Namespace: f.OperatorNamespace, + }, + Spec: compv1alpha1.TailoredProfileSpec{ + Title: "test-configure-network-policy", + Description: "A test tailored profile to test configure network policy", + EnableRules: []compv1alpha1.RuleReferenceSpec{ + { + Name: "ocp4-configure-network-policies-namespaces", + Rationale: "To be tested", + }, + { + Name: "ocp4-version-detect-in-ocp", + Rationale: "To be tested", + }, + }, + SetValues: []compv1alpha1.VariableValueSpec{ + { + Name: variableName, + Rationale: "Value to be set", + Value: regextValue, + }, + }, + }, + } + createTPErr := f.Client.Create(context.TODO(), tp, nil) + if createTPErr != nil { + t.Fatal(createTPErr) + } + defer f.Client.Delete(context.TODO(), tp) + + tpNoPass := &compv1alpha1.TailoredProfile{ + ObjectMeta: 
metav1.ObjectMeta{ + Name: suiteNameNoPass, + Namespace: f.OperatorNamespace, + }, + Spec: compv1alpha1.TailoredProfileSpec{ + Title: "test-configure-network-policy-no-pass", + Description: "A test tailored profile to test configure network policy", + EnableRules: []compv1alpha1.RuleReferenceSpec{ + { + Name: "ocp4-configure-network-policies-namespaces", + Rationale: "To be tested", + }, + { + Name: "ocp4-version-detect-in-ocp", + Rationale: "To be tested", + }, + }, + }, + } + + createTPErr = f.Client.Create(context.TODO(), tpNoPass, nil) + if createTPErr != nil { + t.Fatal(createTPErr) + } + defer f.Client.Delete(context.TODO(), tpNoPass) + + ssb := &compv1alpha1.ScanSettingBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: suiteName, + Namespace: f.OperatorNamespace, + }, + Profiles: []compv1alpha1.NamedObjectReference{ + { + APIGroup: "compliance.openshift.io/v1alpha1", + Kind: "TailoredProfile", + Name: suiteName, + }, + }, + SettingsRef: &compv1alpha1.NamedObjectReference{ + APIGroup: "compliance.openshift.io/v1alpha1", + Kind: "ScanSetting", + Name: "default", + }, + } + + err = f.Client.Create(context.TODO(), ssb, nil) + if err != nil { + t.Fatal(err) + } + defer f.Client.Delete(context.TODO(), ssb) + + ssbNoPass := &compv1alpha1.ScanSettingBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: suiteNameNoPass, + Namespace: f.OperatorNamespace, + }, + Profiles: []compv1alpha1.NamedObjectReference{ + { + APIGroup: "compliance.openshift.io/v1alpha1", + Kind: "TailoredProfile", + Name: suiteNameNoPass, + }, + }, + SettingsRef: &compv1alpha1.NamedObjectReference{ + APIGroup: "compliance.openshift.io/v1alpha1", + Kind: "ScanSetting", + Name: "default", + }, + } + + err = f.Client.Create(context.TODO(), ssbNoPass, nil) + if err != nil { + t.Fatal(err) + } + defer f.Client.Delete(context.TODO(), ssbNoPass) + + // Ensure that all the scans in the suite have finished and are marked as Done + err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteName, 
compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant) + if err != nil { + t.Fatal(err) + } + + err = f.WaitForSuiteScansStatus(f.OperatorNamespace, suiteNameNoPass, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant) + if err != nil { + t.Fatal(err) + } + +} + //testExecution{ // Name: "TestNodeSchedulingErrorFailsTheScan", // IsParallel: false, From 6dd67e0295cfad3a02d828f6653c987fbcfdac7f Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Tue, 28 May 2024 07:40:17 -0700 Subject: [PATCH 2/2] Update tests/e2e/serial/main_test.go Co-authored-by: Watson Yuuma Sato --- tests/e2e/serial/main_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/e2e/serial/main_test.go b/tests/e2e/serial/main_test.go index b13572081..b41ce9a02 100644 --- a/tests/e2e/serial/main_test.go +++ b/tests/e2e/serial/main_test.go @@ -1953,7 +1953,8 @@ func TestConfigureNetworkPolicy(t *testing.T) { err = f.AssertVariableExists(variableName, f.OperatorNamespace) if err != nil { - t.Fatal(err) + t.Skip("Content doesn't have variable '%s' required for testing", variableName) + return } nsList := corev1.NamespaceList{}
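Review bot: The compliant case in TestConfigureNetworkPolicy builds an exempt regex that covers every namespace not prefixed `openshift-`/`kube-`, so it cannot distinguish a regex that is really matched per namespace from a rule that treats any non-empty value as "exempt everything"; a third TailoredProfile that exempts every namespace except the newly created one and waits for `compv1alpha1.ResultNonCompliant` would pin the behaviour the commit message claims to test. The alternation is also unanchored, so if the content applies it as a search rather than a full match, a term like `default` would exempt `default-foo` as well; worth confirming against the rule's check and, if needed, emitting each name as `^name$`. The List runs after `f.Client.Create(context.TODO(), ns, nil)`, so unless the client reads a stale cache the new namespace is already in `regextValue` before `regextValue + ns.ObjectMeta.Name` appends it a second time; the duplicate is harmless, but the loop variable `ns` shadowing the created namespace hides it, so renaming to `for _, item := range nsList.Items` (and `regextValue` to `regexValue`) would help. The namespace name is fixed, and namespace deletion is asynchronous, so a quick rerun can fail on the first Create while the deferred Delete is still finalizing; a generated suffix or a wait for deletion in the defer would make the test rerunnable.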
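Review bot: `t.Skip` does not format its arguments, so the new skip message is printed with a literal `%s` followed by the variable name, and `go vet`'s printf check flags exactly this call; use `t.Skipf("content doesn't have variable %q required for testing", variableName)`. The `return` that follows is unreachable because `t.Skip` ends the test via `SkipNow`, so it can be dropped. Turning the missing variable from a failure into a skip also means a content change that removes `ocp4-var-network-policies-namespaces-exempt-regex` would pass CI silently; if that is deliberate, a one-line comment on the `if` saying the test is optional for content without the variable would save the next reader from re-raising it.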