#!/usr/bin/env bats
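# Baseline: with no settings supplied, the Pod in test_data/pod.json must be
# admitted by the policy.
@test "accept when no settings are provided" {
  run kwctl run -r test_data/pod.json annotated-policy.wasm

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # kwctl must have completed the evaluation; the other accept/reject tests
  # in this file assert the same exit status.
  [ "$status" -eq 0 ]

  # request is accepted: fixed-string match on the exact JSON field, so no
  # unquoted command substitution is handed to `[`
  grep -qF -- '"allowed":true' <<<"$output"
}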
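# A label constrained by a regular expression is admitted when its value
# matches. Assumes test_data/pod.json carries a matching `cc-center` label
# (fixture not shown here - confirm).
@test "accept when label is satisfying a constraint" {
  # Inside single quotes the shell passes `\\d+` through untouched; JSON
  # decoding then yields the regular expression `\d+`.
  run kwctl run annotated-policy.wasm \
    -r test_data/pod.json \
    --settings-json '{"constrained_labels": {"cc-center": "\\d+"}}'

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  [ "$status" -eq 0 ]

  # Match the exact JSON field, as the no-settings test does. The looser
  # "allowed ... true" pattern would also pass on a denial whose message
  # happened to contain the word "true".
  grep -qF -- '"allowed":true' <<<"$output"
}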
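# A deny list that names none of the Pod's labels must not block admission.
# Assumes test_data/pod.json has neither a `foo` nor a `bar` label (fixture
# not shown here - confirm).
@test "accept when labels are not on deny list" {
  run kwctl run \
    -r test_data/pod.json \
    --settings-json '{"denied_labels": ["foo", "bar"]}' \
    annotated-policy.wasm

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # kwctl must have completed the evaluation; the other accept/reject tests
  # in this file assert the same exit status.
  [ "$status" -eq 0 ]

  # request is accepted: fixed-string match on the exact JSON field
  grep -qF -- '"allowed":true' <<<"$output"
}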
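# A Pod carrying a denied label must be rejected, and the rejection must name
# the label. Assumes test_data/pod.json has an `owner` label (fixture not
# shown here - confirm).
@test "reject when label is on deny list" {
  run kwctl run annotated-policy.wasm \
    -r test_data/pod.json \
    --settings-json '{"denied_labels": ["foo", "owner"]}'

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # a denial is still a completed evaluation, so kwctl exits 0
  [ "$status" -eq 0 ]

  # Match the exact JSON field: a bare "allowed ... false" pattern could be
  # satisfied by unrelated text in the output.
  grep -qF -- '"allowed":false' <<<"$output"

  # The reason must identify the offending label. The pattern is
  # single-quoted so the whole of it reaches grep; with nested double quotes
  # the middle of the pattern would be left unquoted and the quote characters
  # would be dropped by the shell. The `.*` around the label name tolerates
  # whatever quoting or escaping surrounds it in the message.
  grep -q -- 'label .*owner.* is on the deny list' <<<"$output"
}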
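# A constrained label whose value does not match the configured regular
# expression must be rejected. Assumes the `cc-center` value in
# test_data/pod.json does not match `team-\d+` (fixture not shown - confirm).
@test "reject when label is not satisfying a constraint" {
  # Inside single quotes the shell passes `\\d+` through untouched; JSON
  # decoding then yields the regular expression `team-\d+`.
  run kwctl run annotated-policy.wasm \
    -r test_data/pod.json \
    --settings-json '{"constrained_labels": {"cc-center": "team-\\d+"}}'

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # a denial is still a completed evaluation, so kwctl exits 0
  [ "$status" -eq 0 ]

  # Match the exact JSON field: a bare "allowed ... false" pattern could be
  # satisfied by unrelated text in the output.
  grep -qF -- '"allowed":false' <<<"$output"

  # The reason must identify the failing label. The pattern is single-quoted
  # so the whole of it reaches grep; with nested double quotes the middle of
  # the pattern would be left unquoted and the quote characters would be
  # dropped by the shell. The `.*` around the label name tolerates whatever
  # quoting or escaping surrounds it in the message.
  grep -q -- 'label .*cc-center.* does not pass user-defined constraint' <<<"$output"
}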
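# A constraint on a label the Pod does not carry must lead to rejection: an
# absent label is not treated as compliant. Assumes test_data/pod.json has
# no `organization` label (fixture not shown here - confirm).
@test "reject when constrained label is missing" {
  run kwctl run annotated-policy.wasm \
    -r test_data/pod.json \
    --settings-json '{"constrained_labels": {"organization": "\\d+"}}'

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # a denial is still a completed evaluation, so kwctl exits 0
  [ "$status" -eq 0 ]

  # Match the exact JSON field: a bare "allowed ... false" pattern could be
  # satisfied by unrelated text in the output.
  grep -qF -- '"allowed":false' <<<"$output"

  # the reason must name the missing label
  grep -q -- 'constrained label .*organization.* not found inside of Pod' <<<"$output"
}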
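# Settings that both deny and constrain the same label are contradictory and
# must be refused at validation time.
@test "fail settings validation because of conflicting labels" {
  run kwctl run \
    -r test_data/pod.json \
    --settings-json '{"denied_labels": ["foo", "cc-center"], "constrained_labels": {"cc-center": "^cc-\\d+$"}}' \
    annotated-policy.wasm

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # NOTE(review): $status is not asserted here; confirm what kwctl exits with
  # on a settings validation failure before pinning it.

  # settings validation failed
  grep -qF -- '"valid":false' <<<"$output"

  # Fixed-string match, so the braces and colons in the message are compared
  # literally and no unquoted command substitution is handed to `[`.
  grep -qF -- 'Provided settings are not valid: the following labels cannot be constrained and denied at the same time: Set{cc-center}' <<<"$output"
}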
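# A constraint that is not a valid regular expression must be refused at
# settings validation.
@test "fail settings validation because of invalid constraint" {
  # `[12$` never closes its bracket expression, so the constraint is
  # deliberately malformed.
  run kwctl run \
    -r test_data/pod.json \
    --settings-json '{"constrained_labels": {"cc-center": "^cc-[12$"}}' \
    annotated-policy.wasm

  # bats only shows this when one of the checks below fails
  echo "output = ${output}"

  # NOTE(review): $status is not asserted here; confirm what kwctl exits with
  # on a settings validation failure before pinning it.

  # settings validation failed
  grep -qF -- '"valid":false' <<<"$output"

  # the failure must be attributed to compiling the constraint
  grep -qF -- 'Provided settings are not valid: compiling regexp' <<<"$output"
}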