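package v1

import (
	"context"
	_ "embed"
	"os"
	"testing"

	"github.com/stretchr/testify/assert"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"edge-infra.dev/test/f2"
)

// Fixtures shared by the validation tests below. Every NodeFirewall is owned
// by the same ClusterFirewall so the owner reference is identical across
// cases; only the rule contents differ.
var (
	fakeHardwareAddr = "ab:cd:ef:12:34:56"
	clusterFirewall  = NewClusterFirewall("testClusterFirewall", []ClusterRule{})
	ownerRef         = *metav1.NewControllerRef(clusterFirewall, ClusterFirewallGVK)

	// validNodeFirewalls must all pass ValidateRules. They cover an Input
	// rule with one filter, an Output rule with several filters and
	// destination ranges, and a rule that omits InterfaceMAC and ranges.
	validNodeFirewalls = []*NodeFirewall{
		NewNodeFirewall("test1-NodeFirewall", []NodeRule{{
			ID:                "a388bde1",
			Name:              "test1-rule1",
			InterfaceMAC:      fakeHardwareAddr,
			Direction:         Input,
			SourceRanges:      []string{"172.23.1.1/16"},
			DestinationRanges: []string{"172.23.1.10/32"},
			Filters:           []Filter{{IPProtocol: TCP, PortRange: "6443", Action: Allow}},
		}}, ownerRef),
		NewNodeFirewall("test2-NodeFirewall", []NodeRule{
			{
				ID:                "91f9e605",
				Name:              "test2-rule1",
				Direction:         Output,
				InterfaceMAC:      fakeHardwareAddr,
				SourceRanges:      []string{"172.23.1.10/32"},
				DestinationRanges: []string{"172.23.1.1/16"},
				Filters:           []Filter{{IPProtocol: UDP, PortRange: "67:70", Action: Allow}},
			},
			{
				ID:                "e52c9291",
				Name:              "test2-rule2",
				Direction:         Output,
				SourceRanges:      []string{"172.23.1.10/32"},
				DestinationRanges: []string{"172.23.1.1/32", "172.23.1.2/32", "172.23.1.3/32"},
				Filters: []Filter{
					{IPProtocol: TCP, PortRange: "443", Action: Allow},
					{IPProtocol: TCP, PortRange: "8080", Action: Deny},
				},
			},
		}, ownerRef),
		NewNodeFirewall("test3-NodeFirewall", []NodeRule{{
			ID:        "6b1522a1",
			Name:      "test3-rule1",
			Direction: Output,
			Filters:   []Filter{{IPProtocol: TCP, PortRange: "80", Action: Allow}},
		}}, ownerRef),
	}

	// invalidNodeFirewalls each carry exactly one malformed field so the
	// rejection reason returned by ValidateRules can be pinned per case.
	// Expected reasons are listed in TestCreateNewNodeFirewalls.
	invalidNodeFirewalls = []*NodeFirewall{
		// Malformed hardware address: non-hex octets and too few groups.
		NewNodeFirewall("test4-NodeFirewall", []NodeRule{{
			Name:         "test4-rule1",
			InterfaceMAC: "ab:cd:ef:gh",
			Direction:    Input,
			Filters:      []Filter{},
		}}, ownerRef),
		// Direction that is neither Input nor Output.
		NewNodeFirewall("test5-NodeFirewall", []NodeRule{{
			Name:      "test5-rule1",
			Direction: "bidirectional",
			Filters:   []Filter{},
		}}, ownerRef),
		// PortRange carrying embedded newlines and extra flags instead of a
		// plain port or port range; the whole Filter must be rejected, not
		// just the leading "80" accepted.
		NewNodeFirewall("test6-NodeFirewall", []NodeRule{{
			Name:      "test6-rule1",
			Direction: Output,
			Filters: []Filter{{
				IPProtocol: TCP,
				PortRange:  "80 -j ALLOW\n-p tcp -m tcp --dport 1:65535 -j ALLOW\n-p tcp -m tcp --dport 81",
				Action:     Allow,
			}},
		}}, ownerRef),
		// Action that is neither Allow nor Deny.
		NewNodeFirewall("test7-NodeFirewall", []NodeRule{{
			Name:      "test7-rule1",
			Direction: Input,
			Filters:   []Filter{{IPProtocol: TCP, PortRange: "80", Action: "Open"}},
		}}, ownerRef),
		// IPProtocol that is not one of the protocol constants (TCP/UDP above).
		NewNodeFirewall("test8-NodeFirewall", []NodeRule{{
			Name:      "test8-rule1",
			Direction: Input,
			Filters:   []Filter{{IPProtocol: "TFTP", PortRange: "80", Action: Allow}},
		}}, ownerRef),
	}
)

// f is the package-wide f2 framework instance; TestMain initialises it once
// and each test hands its feature to f.Test.
var f f2.Framework

// TestMain wires the f2 framework around the package's tests and exits with
// the framework's result code.
func TestMain(m *testing.M) {
	f = f2.New(context.Background(), f2.WithExtensions()).
		Setup().
		Teardown()
	os.Exit(f.Run(m))
}

// TestCreateNewNodeFirewalls checks that ValidateRules accepts every fixture
// in validNodeFirewalls and rejects each fixture in invalidNodeFirewalls with
// the expected reason string.
func TestCreateNewNodeFirewalls(t *testing.T) {
	feature := f2.NewFeature("nodefirewall types validation").
		Test("NodeFirewall validation", func(ctx f2.Context, t *testing.T) f2.Context {
			// Valid rules pass. Surface the reason on failure so a regression
			// names the rejected field instead of just reporting "false".
			for i, fw := range validNodeFirewalls {
				valid, reason := fw.ValidateRules()
				assert.True(t, valid, "validNodeFirewalls[%d] rejected: %s", i, reason)
			}

			// Invalid rules are caught, one malformed field per fixture.
			// assert.Equal takes (expected, actual); keep that order so the
			// failure output labels the values correctly.
			invalidCases := []struct {
				fw         *NodeFirewall
				wantReason string
			}{
				{invalidNodeFirewalls[0], "invalid InterfaceMAC"},
				{invalidNodeFirewalls[1], "invalid Direction"},
				{invalidNodeFirewalls[2], "invalid Filter"},
				{invalidNodeFirewalls[3], "invalid Filter"},
				{invalidNodeFirewalls[4], "invalid Filter"},
			}
			for i, tc := range invalidCases {
				valid, reason := tc.fw.ValidateRules()
				assert.False(t, valid, "invalidNodeFirewalls[%d] was accepted", i)
				assert.Equal(t, tc.wantReason, reason, "invalidNodeFirewalls[%d]", i)
			}
			return ctx
		}).
		Feature()
	f.Test(t, feature)
}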