Test for changing targetRef field in policies (AuthPolicy and RateLimitPolicy)

Signed-off-by: emmaaroche <[email protected]>

Author: emmaaroche

testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/__init__.py

@@ -0,0 +1,95 @@
+"""
+Conftest for changing targetRef field in policies
+"""
+
+import pytest
+
+from testsuite.gateway import GatewayRoute, GatewayListener, Hostname, Exposer
+from testsuite.gateway.gateway_api.gateway import KuadrantGateway
+from testsuite.gateway.gateway_api.hostname import DNSPolicyExposer
+from testsuite.gateway.gateway_api.route import HTTPRoute
+from testsuite.kuadrant.policy.dns import DNSPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def exposer2(request, cluster) -> Exposer:
+    """Second DNSPolicyExposer setup for Gateway B"""
+    exposer = DNSPolicyExposer(cluster)
+    request.addfinalizer(exposer.delete)
+    exposer.commit()
+    return exposer
+
+
+@pytest.fixture(scope="module")
+def base_domain2(exposer2):
+    """Returns preconfigured base domain for the second Gateway"""
+    return exposer2.base_domain
+
+
+@pytest.fixture(scope="module")
+def wildcard_domain2(base_domain2):
+    """Wildcard domain for Gateway B"""
+    return f"*.{base_domain2}"
+
+
+@pytest.fixture(scope="module")
+def gateway(request, cluster, blame, wildcard_domain, module_label):
+    """Create and configure Gateway A"""
+    gw = KuadrantGateway.create_instance(cluster, blame("gw"), {"app": module_label})
+    gw.add_listener(GatewayListener(hostname=wildcard_domain))
+    request.addfinalizer(gw.delete)
+    gw.commit()
+    gw.wait_for_ready()
+    return gw
+
+
+@pytest.fixture(scope="module")
+def gateway2(request, cluster, blame, wildcard_domain2, module_label):
+    """Create and configure Gateway B"""
+    gw = KuadrantGateway.create_instance(cluster, blame("gw2"), {"app": module_label})
+    gw.add_listener(GatewayListener(hostname=wildcard_domain2))
+    request.addfinalizer(gw.delete)
+    gw.commit()
+    gw.wait_for_ready()
+    return gw
+
+
+@pytest.fixture(scope="module")
+def hostname2(gateway2, exposer2, blame) -> Hostname:
+    """Expose Hostname for Gateway B"""
+    hostname = exposer2.expose_hostname(blame("hostname2"), gateway2)
+    return hostname
+
+
+@pytest.fixture(scope="module")
+def route2(request, gateway2, blame, hostname2, module_label, backend) -> GatewayRoute:
+    """Create and configure Route B"""
+    route = HTTPRoute.create_instance(gateway2.cluster, blame("route2"), gateway2, {"app": module_label})
+    route.add_hostname(hostname2.hostname)
+    route.add_backend(backend)
+    request.addfinalizer(route.delete)
+    route.commit()
+    route.wait_for_ready()
+    return route
+
+
+@pytest.fixture(scope="module")
+def client2(route2, hostname2):  # pylint: disable=unused-argument
+    """Returns httpx client for Gateway B"""
+    client = hostname2.client()
+    yield client
+    client.close()
+
+
+@pytest.fixture(scope="module")
+def dns_policy2(blame, gateway2, module_label, dns_provider_secret, request):
+    """DNSPolicy fixture for Gateway B"""
+    policy = DNSPolicy.create_instance(
+        gateway2.cluster, blame("dns2"), gateway2, dns_provider_secret, labels={"app": module_label}
+    )
+    request.addfinalizer(policy.delete)
+    policy.commit()
+    policy.wait_for_ready()
+    return policy

testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/conftest.py

@@ -0,0 +1,42 @@
+"""
+Test for changing targetRef field in AuthPolicy
+"""
+
+import pytest
+
+from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def authorization(oidc_provider, gateway, cluster, blame, module_label, route):  # pylint: disable=unused-argument
+    """Overwrite the authorization fixture and attach it to the gateway"""
+    policy = AuthPolicy.create_instance(cluster, blame("authz"), gateway, labels={"testRun": module_label})
+    policy.identity.add_oidc("default", oidc_provider.well_known["issuer"])
+    return policy
+
+
+def test_update_auth_policy_target_ref(
+    gateway2, authorization, client, client2, auth, dns_policy, dns_policy2
+):  # pylint: disable=unused-argument
+    """Test updating the targetRef of an AuthPolicy from Gateway A to Gateway B"""
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    response = client.get("/get")
+    assert response.status_code == 401
+
+    response = client2.get("/get")
+    assert response.status_code == 200
+
+    authorization.refresh().model.spec.targetRef = gateway2.reference
+    res = authorization.apply()
+    assert res.status() == 0, res.err()
+    authorization.wait_for_ready()
+
+    response = client2.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    response = client2.get("/get")
+    assert response.status_code == 401

testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/test_update_authpolicy_target_ref.py

@@ -0,0 +1,47 @@
+"""
+Test for changing targetRef field in RateLimitPolicy
+"""
+
+import pytest
+
+from testsuite.kuadrant.policy.rate_limit import Limit, RateLimitPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def authorization():
+    """
+    Override the authorization fixture to prevent the creation of an AuthPolicy.
+    This ensures no authentication is enforced during the test
+    """
+    return None
+
+
+@pytest.fixture(scope="module")
+def rate_limit(cluster, blame, module_label, gateway, route):  # pylint: disable=unused-argument
+    """RateLimitPolicy for testing"""
+    policy = RateLimitPolicy.create_instance(cluster, blame("limit"), gateway, labels={"testRun": module_label})
+    policy.add_limit("basic", [Limit(2, "10s")])
+    return policy
+
+
+def test_update_ratelimit_policy_target_ref(
+    gateway2, rate_limit, client, client2, dns_policy, dns_policy2
+):  # pylint: disable=unused-argument
+    """Test updating the targetRef of a RateLimitPolicy from Gateway A to Gateway B"""
+    responses = client.get_many("/get", 2)
+    responses.assert_all(status_code=200)
+    assert client.get("/get").status_code == 429
+
+    responses = client2.get_many("/get", 3)
+    responses.assert_all(status_code=200)
+
+    rate_limit.refresh().model.spec.targetRef.name = gateway2.model.metadata.name
+    res = rate_limit.apply()
+    assert res.status() == 0, res.err()
+    rate_limit.wait_for_ready()
+
+    responses = client2.get_many("/get", 2)
+    responses.assert_all(status_code=200)
+    assert client2.get("/get").status_code == 429