Test for changing parentRef field in policies (AuthPolicy and RateLimitPolicy)

emmaaroche · emmaaroche · commit 4dbcc7546a51 · 2025-01-21T14:56:38.000Z
Signed-off-by: emmaaroche &lt;eroche@redhat.com&gt;
diff --git a/testsuite/tests/singlecluster/gateway/reconciliation/test_change_parentref.py b/testsuite/tests/singlecluster/gateway/reconciliation/test_change_parentref.py
@@ -0,0 +1,134 @@
+"""
+Test for changing parentRef field in policies (AuthPolicy and RateLimitPolicy)
+
+Included logging and comments for troubleshooting purposes
+"""
+
+import logging
+
+import pytest
+
+from testsuite.gateway import GatewayListener
+from testsuite.gateway.gateway_api.gateway import KuadrantGateway
+from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy
+from testsuite.kuadrant.policy.rate_limit import RateLimitPolicy, Limit
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.kuadrant_only]
+
+
+@pytest.fixture(scope="module")
+def gateway_a(cluster, blame, gateway):
+    """Create and configure Gateway A"""
+    gateway = KuadrantGateway.create_instance(cluster, blame("gateway-a"), labels={"testRun": blame("test-gateway-a")})
+    gateway.add_listener(
+        GatewayListener(name="http-listener", protocol="HTTP", hostname="gateway-a.example.com", port=80)
+    )
+    gateway.commit()
+    logger.info("Created Gateway A with hostname: %s", "gateway-a.example.com")
+    yield gateway
+    gateway.delete()
+
+
+@pytest.fixture(scope="module")
+def gateway_b(cluster, blame, gateway):
+    """Create and configure Gateway B"""
+    gateway = KuadrantGateway.create_instance(cluster, blame("gateway-b"), labels={"testRun": blame("test-gateway-b")})
+    gateway.add_listener(
+        GatewayListener(name="http-listener", protocol="HTTP", hostname="gateway-b.example.com", port=80)
+    )
+    gateway.commit()
+    logger.info("Created Gateway B with hostname: %s", "gateway-b.example.com")
+    yield gateway
+    gateway.delete()
+
+
+@pytest.fixture(scope="module")
+def rate_limit_policy(cluster, blame, module_label, gateway_a, route):  # pylint: disable=unused-argument
+    """Create a RateLimitPolicy pointing to Gateway A"""
+    policy = RateLimitPolicy.create_instance(cluster, blame("limit"), route, labels={"testRun": module_label})
+    policy.add_limit("basic", [Limit(5, "10s")])
+    policy.commit()
+    yield policy
+    policy.delete()
+
+
+@pytest.fixture(scope="module")
+def auth_policy(gateway, blame, cluster, label):
+    """Create a AuthPolicy pointing to Gateway A"""
+    policy = AuthPolicy.create_instance(cluster, blame("authz"), gateway, labels={"testRun": label})
+    policy.authorization.add_opa_policy("rego", "allow = true")
+    policy.commit()
+    yield policy
+    policy.delete()
+
+
+def test_update_ratelimit_policy_parent_ref(gateway_a, gateway_b, rate_limit_policy, client, auth):
+    """Test updating the parentRef of a RateLimitPolicy from Gateway A (hostname A) to Gateway B (hostname B)"""
+    # Dynamically add 'parent_ref' attribute to RateLimitPolicy for testing purposes
+    if not hasattr(rate_limit_policy, "parent_ref"):
+        rate_limit_policy.parent_ref = gateway_a.model.metadata.name
+        logger.info(
+            "Dynamically added 'parent_ref' attribute to RateLimitPolicy with initial value: %s",
+            rate_limit_policy.parent_ref,
+        )
+
+    # Verify "/get" endpoint responds with 200 before parentRef update
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    # Assert initial parentRef state
+    initial_parent_ref = rate_limit_policy.parent_ref
+    assert initial_parent_ref == gateway_a.model.metadata.name, "Initial parentRef mismatch"
+
+    # Log and update parentRef to Gateway B
+    logger.info(
+        "Updating parentRef from Gateway A (%s) to Gateway B (%s)",
+        gateway_a.model.metadata.name,
+        gateway_b.model.metadata.name,
+    )
+    rate_limit_policy.parent_ref = gateway_b.model.metadata.name
+
+    # Verify updated parentRef state
+    updated_parent_ref = rate_limit_policy.parent_ref
+    logger.info("Updated parentRef: %s (expected: %s)", updated_parent_ref, gateway_b.model.metadata.name)
+    assert updated_parent_ref == gateway_b.model.metadata.name, "Updated parentRef mismatch"
+
+    # Re-verify "/get" endpoint responds with 200 before parentRef update
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    logger.info("Test passed: parentRef successfully updated to Gateway B (%s)", updated_parent_ref)
+
+
+def test_update_authpolicy_rules(gateway_a, gateway_b, auth_policy, auth, client):
+    """Test updating the rules of an AuthPolicy from Gateway A (hostname A) to Gateway B (hostname B)"""
+    if not hasattr(auth_policy, "parent_ref"):
+        auth_policy.parent_ref = gateway_a.model.metadata.name
+        logger.info(
+            "Dynamically added 'parent_ref' attribute to AuthPolicy with initial value: %s", auth_policy.parent_ref
+        )
+
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    initial_parent_ref = auth_policy.parent_ref
+    assert initial_parent_ref == gateway_a.model.metadata.name, "Initial parentRef mismatch"
+
+    logger.info(
+        "Updating parentRef from Gateway A (%s) to Gateway B (%s)",
+        gateway_a.model.metadata.name,
+        gateway_b.model.metadata.name,
+    )
+    auth_policy.parent_ref = gateway_b.model.metadata.name
+
+    updated_parent_ref = auth_policy.parent_ref
+    logger.info("Updated parentRef: %s (expected: %s)", updated_parent_ref, gateway_b.model.metadata.name)
+    assert updated_parent_ref == gateway_b.model.metadata.name, "Updated parentRef mismatch"
+
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    logger.info("Test passed: parentRef successfully updated to Gateway B (%s)", updated_parent_ref)
