From dd545f49b66ded764364bdc9b882d236a63bf982 Mon Sep 17 00:00:00 2001 From: Qiyue Yao Date: Thu, 14 Sep 2023 11:35:33 -0700 Subject: [PATCH] Add extended ANNP tests Signed-off-by: Qiyue Yao --- ci/kind/test-e2e-kind.sh | 8 +++- test/e2e/antreapolicy_test.go | 77 +++++++++++++++++++++++++++++++++++ test/e2e/fixtures.go | 6 +++ test/e2e/framework.go | 1 + test/e2e/main_test.go | 1 + 5 files changed, 92 insertions(+), 1 deletion(-) diff --git a/ci/kind/test-e2e-kind.sh b/ci/kind/test-e2e-kind.sh index 07ebcb288b3..9b01e16dff1 100755 --- a/ci/kind/test-e2e-kind.sh +++ b/ci/kind/test-e2e-kind.sh @@ -34,6 +34,7 @@ _usage="Usage: $0 [--encap-mode ] [--ip-family ] [--coverage] [--he --flow-visibility Only run flow visibility related e2e tests. --extra-network Creates an extra network that worker Nodes will connect to. Cannot be specified with the hybrid mode. --skip A comma-separated list of keywords, with which tests should be skipped. + --extended Enables extended tests to run. --coverage Enables measure Antrea code coverage when run e2e tests on kind. --setup-only Only perform setting up the cluster and run test. --cleanup-only Only perform cleaning up the cluster. @@ -74,6 +75,7 @@ flow_visibility=false extra_network=false coverage=false skiplist="" +extended_args="" setup_only=false cleanup_only=false test_only=false @@ -131,6 +133,10 @@ case $key in skiplist="$2" shift 2 ;; + --extended) + extended_args="--extended" + shift + ;; --setup-only) setup_only=true shift @@ -306,7 +312,7 @@ function run_test { if [ -n "$run" ]; then RUN_OPT="-run $run" fi - go test -v -timeout=$timeout $RUN_OPT antrea.io/antrea/test/e2e $flow_visibility_args -provider=kind --logs-export-dir=$ANTREA_LOG_DIR --skip=$skiplist $coverage_args + go test -v -timeout=$timeout $RUN_OPT antrea.io/antrea/test/e2e $flow_visibility_args -provider=kind --logs-export-dir=$ANTREA_LOG_DIR --skip=$skiplist $extended_args $coverage_args } if [[ "$mode" == "" ]] || [[ "$mode" == "encap" ]]; then 
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index e61763203e2..b48584e0a38 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -3996,6 +3996,74 @@ func testACNPMulticastEgress(t *testing.T, data *TestData, acnpName, caseName, g
 }
 }
 
+// testANNPDropIngressEgress tests that an ANNP is able to drop ingress traffic
+// from X/B to Y/A and drop egress traffic from Y/A to Z/C for the provided protocol.
+func testANNPDropIngressEgress(t *testing.T, protocol AntreaPolicyProtocol) {
+ if protocol == ProtocolSCTP {
+ skipIfIPv6Cluster(t)
+ }
+ builder := &AntreaNetworkPolicySpecBuilder{}
+ builder = builder.SetName(namespaces["y"], "annp-deny-xb-to-ya-ingress").
+ SetPriority(1.0).
+ SetAppliedToGroup([]ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}})
+ builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil,
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+ builder.AddEgress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "c"}, map[string]string{"ns": namespaces["z"]}, nil,
+ nil, nil, nil, nil, crdv1beta1.RuleActionDrop, "", "")
+
+ reachability := NewReachability(allPods, Connected)
+ reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
+ reachability.Expect(Pod(namespaces["y"]+"/a"), Pod(namespaces["z"]+"/c"), Dropped)
+ testStep := []*TestStep{
+ {
+ Name: "Port 80",
+ Reachability: reachability,
+ TestResources: []metav1.Object{builder.Get()},
+ Ports: []int32{80},
+ Protocol: protocol,
+ Duration: 0,
+ CustomProbes: nil,
+ },
+ }
+ testCase := []*TestCase{
+ {Name: "ANNP Drop Ingress From X/B to Y/A And Egress From Y/A to Z/C", Steps: testStep},
+ }
+ executeTests(t, testCase)
+}
+
+// testANNPMultipleRulesAppliedTo tests traffic from X/B to Y/A and Y/C will be dropped,
+// after applying Antrea NetworkPolicy that applies to multiple AppliedTos.
+func testANNPMultipleRulesAppliedTo(t *testing.T, protocol AntreaPolicyProtocol) {
+ if protocol == ProtocolSCTP {
+ skipIfIPv6Cluster(t)
+ }
+ builder := &AntreaNetworkPolicySpecBuilder{}
+ builder = builder.SetName(namespaces["y"], "np-multiple-appliedto").SetPriority(1.0)
+ builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil,
+ nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}}}, crdv1beta1.RuleActionDrop, "", "")
+ builder.AddIngress(protocol, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "b"}, map[string]string{"ns": namespaces["x"]}, nil,
+ nil, nil, nil, []ANNPAppliedToSpec{{PodSelector: map[string]string{"pod": "c"}}}, crdv1beta1.RuleActionDrop, "", "")
+
+ reachability := NewReachability(allPods, Connected)
+ reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/a"), Dropped)
+ reachability.Expect(Pod(namespaces["x"]+"/b"), Pod(namespaces["y"]+"/c"), Dropped)
+ testStep := []*TestStep{
+ {
+ Name: "Port 80",
+ Reachability: reachability,
+ TestResources: []metav1.Object{builder.Get()},
+ Ports: []int32{80},
+ Protocol: protocol,
+ Duration: 0,
+ CustomProbes: nil,
+ },
+ }
+ testCase := []*TestCase{
+ {Name: "ANNP Drop Ingress From X/B to Y/A", Steps: testStep},
+ }
+ executeTests(t, testCase)
+}
+
 // the matchers parameter is a list of regular expressions which will be matched against the
 // contents of the audit logs. The call will "succeed" if all matches are successful.
 func checkAuditLoggingResult(t *testing.T, data *TestData, nodeName, logLocator string, matchers []*regexp.Regexp) {
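Review bot: The test case in testANNPMultipleRulesAppliedTo is named "ANNP Drop Ingress From X/B to Y/A", but the reachability matrix built just above it also expects X/B to Y/C to be dropped, so a failure of the second per-rule AppliedTo would be reported under a name that does not mention it. Rename it to match what is asserted, e.g. `{Name: "ANNP Drop Ingress From X/B to Y/A and Y/C With Per-Rule AppliedTo", Steps: testStep},`. The policy name `"np-multiple-appliedto"` also drops the `annp-` prefix used by the first test in this hunk; `"annp-multiple-appliedto"` would keep the two consistent and make a leftover policy easier to attribute when a run is debugged.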
@@ -4388,6 +4456,15 @@ func TestAntreaPolicy(t *testing.T) { t.Run("Case=ACNPICMPSupport", func(t *testing.T) { testACNPICMPSupport(t, data) }) t.Run("Case=ACNPNodePortServiceSupport", func(t *testing.T) { testACNPNodePortServiceSupport(t, data, data.testNamespace) }) }) + t.Run("ExtendedTestGroupANNP", func(t *testing.T) { + skipIfNoExtendedTests(t) + t.Run("Case=ANNPDropIngressEgressTCP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolTCP) }) + t.Run("Case=ANNPDropIngressEgressUDP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolUDP) }) + t.Run("Case=ANNPDropIngressEgressSCTP", func(t *testing.T) { testANNPDropIngressEgress(t, ProtocolSCTP) }) + t.Run("Case=ANNPMultipleAppliedToTCP", func(t *testing.T) { testANNPMultipleRulesAppliedTo(t, ProtocolTCP) }) + t.Run("Case=ANNPMultipleAppliedToUDP", func(t *testing.T) { testANNPMultipleRulesAppliedTo(t, ProtocolUDP) }) + t.Run("Case=ANNPMultipleAppliedToSCTP", func(t *testing.T) { testANNPMultipleRulesAppliedTo(t, ProtocolSCTP) }) + }) // print results for reachability tests printResults() diff --git a/test/e2e/fixtures.go b/test/e2e/fixtures.go index 03785fedb20..acfc2263846 100644 --- a/test/e2e/fixtures.go +++ b/test/e2e/fixtures.go @@ -75,6 +75,12 @@ func skipIfNotRequired(tb testing.TB, keys ...string) { } } +func skipIfNoExtendedTests(tb testing.TB) { + if !testOptions.extendedCases { + tb.Skipf("Skipping extended tests when not required") + } +} + func skipIfNumNodesLessThan(tb testing.TB, required int) { if clusterInfo.numNodes < required { tb.Skipf("Skipping test as it requires %d different Nodes but cluster only has %d", required, clusterInfo.numNodes) diff --git a/test/e2e/framework.go b/test/e2e/framework.go index 744c46de926..6c875712c2b 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go 
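Review bot: The new ExtendedTestGroupANNP group is skipped as a whole unless the suite is started with the extended flag, and nothing in the visible patch adds that flag to a CI invocation, so these drop-enforcement checks may never run by default; it is worth confirming that some job passes `--extended`. A comment above the group would make the gating visible to readers, for example `// Extended cases run only with -extended (ci/kind/test-e2e-kind.sh --extended); a default run reports this group as skipped.` TestAntreaPolicy starts and ends outside the hunk, so cleanup between this group and its neighbours cannot be checked from here.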
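Review bot: skipIfNoExtendedTests has no doc comment, and its skip message, "Skipping extended tests when not required", does not tell the reader how to enable the tests. Since the call has no format arguments, `tb.Skip("Skipping extended test; run with -extended to enable it")` is the simpler form. A one-line comment such as `// skipIfNoExtendedTests skips the test unless the -extended flag was set.` would state exactly what the function checks.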
@@ -199,6 +199,7 @@ type TestOptions struct {
 flowVisibility bool
 coverageDir string
 skipCases string
+ extendedCases bool
 linuxVMs string
 windowsVMs string
 // deployAntrea determines whether to deploy Antrea before running tests. It requires antrea.yml to be present in
diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go
index 9caf6ec3a1c..3d4ee708c1c 100644
--- a/test/e2e/main_test.go
+++ b/test/e2e/main_test.go
@@ -93,6 +93,7 @@ func testMain(m *testing.M) int {
 flag.BoolVar(&testOptions.deployAntrea, "deploy-antrea", true, "Deploy Antrea before running tests")
 flag.StringVar(&testOptions.coverageDir, "coverage-dir", "", "Directory for coverage data files")
 flag.StringVar(&testOptions.skipCases, "skip", "", "Key words to skip cases")
+ flag.BoolVar(&testOptions.extendedCases, "extended", false, "Run extended tests")
 flag.StringVar(&testOptions.linuxVMs, "linuxVMs", "", "hostname of Linux VMs")
 flag.StringVar(&testOptions.windowsVMs, "windowsVMs", "", "hostname of Windows VMs")
 flag.Parse()