Test for changing targetRef field in policies (AuthPolicy and RateLimitPolicy)

emmaaroche · emmaaroche · commit cb69252cdd36 · 2025-02-11T12:44:40.000Z
Signed-off-by: emmaaroche &lt;eroche@redhat.com&gt;
diff --git a/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/__init__.py b/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/__init__.py
diff --git a/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/conftest.py b/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/conftest.py
@@ -0,0 +1,95 @@
+"""
+Test for changing targetRef field in policies
+"""
+
+import pytest
+
+from testsuite.gateway import GatewayRoute, GatewayListener, Hostname, Exposer
+from testsuite.gateway.gateway_api.gateway import KuadrantGateway
+from testsuite.gateway.gateway_api.hostname import DNSPolicyExposer
+from testsuite.gateway.gateway_api.route import HTTPRoute
+from testsuite.kuadrant.policy.dns import DNSPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def exposer2(request, cluster) -> Exposer:
+    """Second DNSPolicyExposer setup for Gateway B"""
+    exposer = DNSPolicyExposer(cluster)
+    request.addfinalizer(exposer.delete)
+    exposer.commit()
+    return exposer
+
+
+@pytest.fixture(scope="module")
+def base_domain2(exposer2):
+    """Returns preconfigured base domain for the second Gateway"""
+    return exposer2.base_domain
+
+
+@pytest.fixture(scope="module")
+def wildcard_domain2(base_domain2):
+    """Wildcard domain for Gateway B"""
+    return f"*.{base_domain2}"
+
+
+@pytest.fixture(scope="module")
+def gateway(request, cluster, blame, wildcard_domain, module_label):
+    """Create and configure Gateway A"""
+    gw = KuadrantGateway.create_instance(cluster, blame("gw"), {"app": module_label})
+    gw.add_listener(GatewayListener(hostname=wildcard_domain))
+    request.addfinalizer(gw.delete)
+    gw.commit()
+    gw.wait_for_ready()
+    return gw
+
+
+@pytest.fixture(scope="module")
+def gateway_b(request, cluster, blame, wildcard_domain2, module_label):
+    """Create and configure Gateway B"""
+    gw = KuadrantGateway.create_instance(cluster, blame("gw-b"), {"app": module_label})
+    gw.add_listener(GatewayListener(hostname=wildcard_domain2))
+    request.addfinalizer(gw.delete)
+    gw.commit()
+    gw.wait_for_ready()
+    return gw
+
+
+@pytest.fixture(scope="module")
+def hostname_b(gateway_b, exposer2, blame) -> Hostname:
+    """Expose Hostname for Gateway B"""
+    hostname = exposer2.expose_hostname(blame("hostname-b"), gateway_b)
+    return hostname
+
+
+@pytest.fixture(scope="module")
+def route_b(request, gateway_b, blame, hostname_b, module_label, backend) -> GatewayRoute:
+    """Create and configure Route B"""
+    route = HTTPRoute.create_instance(gateway_b.cluster, blame("route-b"), gateway_b, {"app": module_label})
+    route.add_hostname(hostname_b.hostname)
+    route.add_backend(backend)
+    request.addfinalizer(route.delete)
+    route.commit()
+    route.wait_for_ready()
+    return route
+
+
+@pytest.fixture(scope="module")
+def client_b(route_b, hostname_b):  # pylint: disable=unused-argument
+    """Returns httpx client for Gateway B"""
+    client = hostname_b.client()
+    yield client
+    client.close()
+
+
+@pytest.fixture(scope="module")
+def dns_policy_b(blame, gateway_b, module_label, dns_provider_secret, request):
+    """DNSPolicy fixture for Gateway B"""
+    policy = DNSPolicy.create_instance(
+        gateway_b.cluster, blame("dns-b"), gateway_b, dns_provider_secret, labels={"app": module_label}
+    )
+    request.addfinalizer(policy.delete)
+    policy.commit()
+    policy.wait_for_ready()
+    return policy
diff --git a/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/test_update_authpolicy_target_ref.py b/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/test_update_authpolicy_target_ref.py
@@ -0,0 +1,44 @@
+"""
+Test for changing targetRef field in AuthPolicy
+"""
+
+import pytest
+
+from testsuite.kuadrant.policy.authorization.auth_policy import AuthPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def authorization(
+    oidc_provider, gateway, cluster, blame, module_label, route, route_b
+):  # pylint: disable=unused-argument
+    """Overwrite the authorization fixture and attach it to the gateway"""
+    policy = AuthPolicy.create_instance(cluster, blame("authz"), gateway, labels={"testRun": module_label})
+    policy.identity.add_oidc("default", oidc_provider.well_known["issuer"])
+    return policy
+
+
+def test_update_auth_policy_target_ref(
+    gateway, gateway_b, authorization, client, client_b, auth, blame, dns_policy_b, dns_policy
+):  # pylint: disable=unused-argument
+    """Test updating the targetRef of an AuthPolicy from Gateway A to Gateway B"""
+    response = client.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    response = client.get("/get")
+    assert response.status_code == 401
+
+    response = client_b.get("/get")
+    assert response.status_code == 200
+
+    authorization.refresh().model.spec.targetRef = gateway_b.reference
+    res = authorization.apply()
+    assert res.status() == 0, res.err()
+    authorization.wait_for_ready()
+
+    response = client_b.get("/get", auth=auth)
+    assert response.status_code == 200
+
+    response = client_b.get("/get")
+    assert response.status_code == 401
diff --git a/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/test_update_ratelimitpolicy_target_ref.py b/testsuite/tests/singlecluster/gateway/reconciliation/change_targetref/test_update_ratelimitpolicy_target_ref.py
@@ -0,0 +1,49 @@
+"""
+Test for changing targetRef field in RateLimitPolicy
+"""
+
+import pytest
+
+from testsuite.kuadrant.policy.rate_limit import Limit, RateLimitPolicy
+
+pytestmark = [pytest.mark.kuadrant_only, pytest.mark.dnspolicy]
+
+
+@pytest.fixture(scope="module")
+def authorization():
+    """
+    Override the authorization fixture to prevent the creation of an AuthPolicy.
+    This ensures no authentication is enforced during the test
+    """
+    return None
+
+
+@pytest.fixture(scope="module")
+def rate_limit_policy(request, cluster, blame, module_label, gateway, route_b):  # pylint: disable=unused-argument
+    """RateLimitPolicy for testing"""
+    policy = RateLimitPolicy.create_instance(cluster, blame("limit"), gateway, labels={"testRun": module_label})
+    policy.add_limit("basic", [Limit(5, "10s")])
+    request.addfinalizer(policy.delete)
+    policy.commit()
+    return policy
+
+
+def test_update_ratelimit_policy_target_ref(
+    gateway, gateway_b, rate_limit_policy, client, client_b, blame, dns_policy_b, dns_policy
+):  # pylint: disable=unused-argument
+    """Test updating the targetRef of a RateLimitPolicy from Gateway A to Gateway B"""
+    responses = client.get_many("/get", 5)
+    responses.assert_all(status_code=200)
+    assert client.get("/get").status_code == 429
+
+    responses = client_b.get_many("/get", 6)
+    responses.assert_all(status_code=200)
+
+    rate_limit_policy.refresh().model.spec.targetRef.name = gateway_b.model.metadata.name
+    res = rate_limit_policy.apply()
+    assert res.status() == 0, res.err()
+    rate_limit_policy.wait_for_ready()
+
+    responses = client_b.get_many("/get", 5)
+    responses.assert_all(status_code=200)
+    assert client_b.get("/get").status_code == 429
