1 package v1
2
3 import (
4 "context"
5 _ "embed"
6 "os"
7 "testing"
8
9 "github.com/stretchr/testify/assert"
10 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
11
12 "edge-infra.dev/test/f2"
13 )
14
var (
	// fakeHardwareAddr is a well-formed MAC address shared by the valid fixtures.
	fakeHardwareAddr = "ab:cd:ef:12:34:56"

	// clusterFirewall exists only to give the NodeFirewall fixtures a
	// controller owner reference.
	clusterFirewall = NewClusterFirewall("testClusterFirewall", []ClusterRule{})
	ownerRef        = *metav1.NewControllerRef(clusterFirewall, ClusterFirewallGVK)

	// validNodeFirewalls holds fixtures that ValidateRules is expected to accept.
	validNodeFirewalls = []*NodeFirewall{
		NewNodeFirewall(
			"test1-NodeFirewall",
			[]NodeRule{
				{
					ID:                "a388bde1",
					Name:              "test1-rule1",
					InterfaceMAC:      fakeHardwareAddr,
					Direction:         Input,
					SourceRanges:      []string{"172.23.1.1/16"},
					DestinationRanges: []string{"172.23.1.10/32"},
					Filters: []Filter{
						{IPProtocol: TCP, PortRange: "6443", Action: Allow},
					},
				},
			},
			ownerRef,
		),
		NewNodeFirewall(
			"test2-NodeFirewall",
			[]NodeRule{
				{
					ID:                "91f9e605",
					Name:              "test2-rule1",
					InterfaceMAC:      fakeHardwareAddr,
					Direction:         Output,
					SourceRanges:      []string{"172.23.1.10/32"},
					DestinationRanges: []string{"172.23.1.1/16"},
					Filters: []Filter{
						// "67:70" is a colon-separated port range.
						{IPProtocol: UDP, PortRange: "67:70", Action: Allow},
					},
				},
				{
					ID:           "e52c9291",
					Name:         "test2-rule2",
					Direction:    Output,
					SourceRanges: []string{"172.23.1.10/32"},
					DestinationRanges: []string{
						"172.23.1.1/32",
						"172.23.1.2/32",
						"172.23.1.3/32",
					},
					Filters: []Filter{
						{IPProtocol: TCP, PortRange: "443", Action: Allow},
						{IPProtocol: TCP, PortRange: "8080", Action: Deny},
					},
				},
			},
			ownerRef,
		),
		// Minimal rule: no MAC and no address ranges, a single filter.
		NewNodeFirewall(
			"test3-NodeFirewall",
			[]NodeRule{
				{
					ID:        "6b1522a1",
					Name:      "test3-rule1",
					Direction: Output,
					Filters: []Filter{
						{IPProtocol: TCP, PortRange: "80", Action: Allow},
					},
				},
			},
			ownerRef,
		),
	}

	// invalidNodeFirewalls holds fixtures that ValidateRules is expected to
	// reject. Each entry carries exactly one bad field, and the order matters:
	// TestCreateNewNodeFirewalls addresses the entries by index.
	invalidNodeFirewalls = []*NodeFirewall{
		// [0] Malformed MAC address (too few octets, non-hex characters).
		NewNodeFirewall(
			"test4-NodeFirewall",
			[]NodeRule{
				{
					Name:         "test4-rule1",
					InterfaceMAC: "ab:cd:ef:gh",
					Direction:    Input,
					Filters:      []Filter{},
				},
			},
			ownerRef,
		),
		// [1] Direction value other than the Input/Output constants.
		NewNodeFirewall(
			"test5-NodeFirewall",
			[]NodeRule{
				{
					Name:      "test5-rule1",
					Direction: "bidirectional",
					Filters:   []Filter{},
				},
			},
			ownerRef,
		),
		// [2] Rule-injection regression case: PortRange starts with a plausible
		// port and then carries newline-separated text shaped like additional
		// firewall rule options. IPProtocol and Action are valid here, so a
		// rejection can only come from the PortRange check.
		// NOTE(review): presumably PortRange is later written into a generated
		// rule line, which is why embedded newlines must never validate; confirm
		// against the rule renderer.
		NewNodeFirewall(
			"test6-NodeFirewall",
			[]NodeRule{
				{
					Name:      "test6-rule1",
					Direction: Output,
					Filters: []Filter{
						{
							IPProtocol: TCP,
							PortRange:  "80 -j ALLOW\n-p tcp -m tcp --dport 1:65535 -j ALLOW\n-p tcp -m tcp --dport 81",
							Action:     Allow,
						},
					},
				},
			},
			ownerRef,
		),
		// [3] Action value other than the Allow/Deny constants.
		NewNodeFirewall(
			"test7-NodeFirewall",
			[]NodeRule{
				{
					Name:      "test7-rule1",
					Direction: Input,
					Filters: []Filter{
						{IPProtocol: TCP, PortRange: "80", Action: "Open"},
					},
				},
			},
			ownerRef,
		),
		// [4] IPProtocol value other than the TCP/UDP constants used above.
		NewNodeFirewall(
			"test8-NodeFirewall",
			[]NodeRule{
				{
					Name:      "test8-rule1",
					Direction: Input,
					Filters: []Filter{
						{IPProtocol: "TFTP", PortRange: "80", Action: Allow},
					},
				},
			},
			ownerRef,
		),
	}
)

// f is the shared f2 test framework; TestMain assigns it before any test runs.
var f f2.Framework
36
// TestMain builds the package-wide f2 framework, stores it in f, and exits
// the process with the status code returned by running the test binary
// through it.
func TestMain(m *testing.M) {
	rootCtx := context.Background()
	f = f2.New(rootCtx, f2.WithExtensions()).Setup().Teardown()

	exitCode := f.Run(m)
	os.Exit(exitCode)
}
43
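// TestCreateNewNodeFirewalls runs NodeFirewall.ValidateRules over the
// package-level fixtures: every entry of validNodeFirewalls must be accepted,
// and every entry of invalidNodeFirewalls must be rejected with the reason
// listed for it below.
func TestCreateNewNodeFirewalls(t *testing.T) {
	// Expected rejection reason for invalidNodeFirewalls[i], in fixture order.
	wantReasons := []string{
		"invalid InterfaceMAC", // malformed MAC address
		"invalid Direction",    // direction outside Input/Output
		"invalid Filter",       // PortRange with embedded newlines and extra rule text
		"invalid Filter",       // unknown Action
		"invalid Filter",       // unknown IPProtocol
	}

	feature := f2.NewFeature("nodefirewall types validation").
		Test("NodeFirewall validation", func(ctx f2.Context, t *testing.T) f2.Context {
			// Well-formed rules must validate; surface the returned reason
			// when one does not, so the failure is diagnosable.
			for i, fw := range validNodeFirewalls {
				valid, reason := fw.ValidateRules()
				assert.True(t, valid, "validNodeFirewalls[%d] was rejected: %v", i, reason)
			}

			// Keep the fixtures and the expectation table in lockstep, so a
			// newly added invalid fixture cannot go unchecked and indexing
			// below cannot run out of range.
			if !assert.Len(t, invalidNodeFirewalls, len(wantReasons)) {
				return ctx
			}

			// Each malformed rule must be rejected for the expected reason.
			// The PortRange case matters most for safety: a value carrying
			// newline-separated rule text must never pass validation.
			for i, fw := range invalidNodeFirewalls {
				valid, reason := fw.ValidateRules()
				assert.False(t, valid, "invalidNodeFirewalls[%d] was accepted", i)
				// testify's argument order is (expected, actual).
				assert.Equal(t, wantReasons[i], reason, "invalidNodeFirewalls[%d]", i)
			}

			return ctx
		}).
		Feature()

	f.Test(t, feature)
}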
76