tests(core): Add tests for SecurityIntent update and deletion

Signed-off-by: Anurag Rajawat <[email protected]>
5GSEC · Feb 28, 2024 · 5d342a7 · 5d342a7
1 parent 6eb1a59
commit 5d342a7
Show file tree

Hide file tree

Showing 27 changed files with 660 additions and 11 deletions.
diff --git a/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/delete/chainsaw-test.yaml
@@ -13,12 +13,12 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
 
     - name: "Verity NimbusPolicy creation"
       try:

diff --git a/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml b/tests/controllers/nimbuspolicy/update/chainsaw-test.yaml
@@ -13,12 +13,12 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
 
     - name: "Verity NimbusPolicy creation"
       try:

diff --git a/...ces/namespaced/1-dns-manipulation-si.yaml → ...urces/namespaced/dns-manipulation-si.yaml b/...ces/namespaced/1-dns-manipulation-si.yaml → ...urces/namespaced/dns-manipulation-si.yaml
diff --git a/...es/namespaced/1-dns-manipulation-sib.yaml → ...rces/namespaced/dns-manipulation-sib.yaml b/...es/namespaced/1-dns-manipulation-sib.yaml → ...rces/namespaced/dns-manipulation-sib.yaml
diff --git a/tests/controllers/resources/namespaced/multiple-sis.yaml b/tests/controllers/resources/namespaced/multiple-sis.yaml
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: pkg-mgr-exec-multiple
+spec:
+  intent:
+    id: swDeploymentTools
+    action: Block
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: unauthorized-sa-token-access-multiple
+spec:
+  intent:
+    id: unAuthorizedSaTokenAccess
+    action: Audit
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: dns-manipulation-multiple
+spec:
+  intent:
+    id: dnsManipulation
+    action: Block
diff --git a/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml b/tests/controllers/resources/namespaced/sib-for-multiple-sis.yaml
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: multiple-sis-binding
+spec:
+  intents:
+    - name: pkg-mgr-exec-multiple
+    - name: unauthorized-sa-token-access-multiple
+    - name: dns-manipulation-multiple
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: nginx
diff --git a/tests/controllers/securityintent/chainsaw-test.yaml b/tests/controllers/securityintent/chainsaw-test.yaml
@@ -13,7 +13,7 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Verify status of created SecurityIntent"
       try:

diff --git a/tests/controllers/securityintentbinding/create/chainsaw-test.yaml b/tests/controllers/securityintentbinding/create/chainsaw-test.yaml
@@ -13,12 +13,12 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
 
     - name: "Verity NimbusPolicy creation"
       try:

diff --git a/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml b/tests/controllers/securityintentbinding/delete/chainsaw-test.yaml
@@ -13,12 +13,12 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
       # This resource is intentionally left undeleted by chainsaw to avoid unnecessary errors during its cleanup phase, as it will be explicitly deleted in the following step.
       skipDelete: true
 

diff --git a/tests/controllers/securityintentbinding/update/chainsaw-test.yaml b/tests/controllers/securityintentbinding/update/chainsaw-test.yaml
@@ -11,12 +11,12 @@ spec:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-si.yaml
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/1-dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
 
     - name: "Update existing SecurityIntentBinding"
       try:

diff --git a/tests/controllers/sis-and-sibs/create/README.md b/tests/controllers/sis-and-sibs/create/README.md
@@ -0,0 +1,76 @@
+# Test: `securityintentbinding-and-securityintent-independent-creation`
+
+This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources. It ensures users can create these custom resources individually without requiring one to exist beforehand.
+
+
+### Steps
+
+| # | Name | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 |
+| 3 | [Verity NimbusPolicy creation](#step-Verity NimbusPolicy creation) | 1 | 0 | 0 |
+| 4 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 1 | 0 | 0 |
+| 5 | [Verify status of created SecurityIntent](#step-Verify status of created SecurityIntent) | 1 | 0 | 0 |
+| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 1 | 0 | 0 |
+
+## Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `apply` | *No description* |
+
+## Step: `Create a SecurityIntent`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `apply` | *No description* |
+
+## Step: `Verity NimbusPolicy creation`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
+
+## Step: `Verify status of created SecurityIntentBinding`
+
+Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents,  along with the generated NimbusPolicy name.
+
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
+
+## Step: `Verify status of created SecurityIntent`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
+
+## Step: `Verify status of created NimbusPolicy`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
diff --git a/tests/controllers/sis-and-sibs/create/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/create/chainsaw-test.yaml
@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: securityintentbinding-and-securityintent-independent-creation
+spec:
+  description: >
+    This test verifies the independent creation of SecurityIntent and SecurityIntentBinding custom resources.
+    It ensures users can create these custom resources individually without requiring one to exist beforehand.
+
+  steps:
+    - name: "Create a SecurityIntentBinding"
+      try:
+        - apply:
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
+
+    - name: "Create a SecurityIntent"
+      try:
+        - apply:
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
+
+    - name: "Verity NimbusPolicy creation"
+      try:
+        - assert:
+            file: ../nimbus-policy-assert.yaml
+
+    - name: "Verify status of created SecurityIntentBinding"
+      description: >
+        Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, 
+        along with the generated NimbusPolicy name.
+      try:
+        - assert:
+            file: ../sib-status-assert.yaml
+
+    - name: "Verify status of created SecurityIntent"
+      try:
+        - assert:
+            file: ../si-status-assert.yaml
+
+    - name: "Verify status of created NimbusPolicy"
+      try:
+        - assert:
+            file: ../np-status-assert.yaml
diff --git a/tests/controllers/sis-and-sibs/delete/README.md b/tests/controllers/sis-and-sibs/delete/README.md
@@ -0,0 +1,76 @@
+# Test: `securityintent-deletion-after-creation-of-nimbuspolicy`
+
+This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that  SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted.
+
+
+### Steps
+
+| # | Name | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 1 | 0 | 0 |
+| 4 | [Delete previously created SecurityIntent](#step-Delete previously created SecurityIntent) | 1 | 0 | 0 |
+| 5 | [Verify the NimbusPolicy deletion](#step-Verify the NimbusPolicy deletion) | 1 | 0 | 0 |
+| 6 | [Verify status of SecurityIntentBinding](#step-Verify status of SecurityIntentBinding) | 1 | 0 | 0 |
+
+## Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `apply` | *No description* |
+
+## Step: `Create a SecurityIntent`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `apply` | *No description* |
+
+## Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
+
+## Step: `Delete previously created SecurityIntent`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `delete` | *No description* |
+
+## Step: `Verify the NimbusPolicy deletion`
+
+*No description*
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `script` | *No description* |
+
+## Step: `Verify status of SecurityIntentBinding`
+
+This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is updated to reflect the current information.
+
+
+### Try
+
+| # | Operation | Description |
+|:-:|---|---|
+| 1 | `assert` | *No description* |
diff --git a/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml b/tests/controllers/sis-and-sibs/delete/chainsaw-test.yaml
@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: securityintent-deletion-after-creation-of-nimbuspolicy
+spec:
+  description: >
+    This test verifies that when a SecurityIntent is the only one referenced by a SecurityIntentBinding, and that 
+    SecurityIntent is deleted, the corresponding NimbusPolicy is also automatically deleted.
+
+  steps:
+    - name: "Create a SecurityIntentBinding"
+      try:
+        - apply:
+            file: ../../resources/namespaced/dns-manipulation-sib.yaml
+
+    - name: "Create a SecurityIntent"
+      try:
+        - apply:
+            file: ../../resources/namespaced/dns-manipulation-si.yaml
+      skipDelete: true
+
+    - name: "Verify NimbusPolicy creation"
+      try:
+        - assert:
+            file: ../nimbus-policy-assert.yaml
+
+    - name: "Delete previously created SecurityIntent"
+      try:
+        - delete:
+            ref:
+              apiVersion: intent.security.nimbus.com/v1
+              kind: SecurityIntent
+              name: dns-manipulation
+            expect:
+              - match:
+                  apiVersion: intent.security.nimbus.com/v1
+                  kind: SecurityIntent
+                  name: dns-manipulation
+                check:
+                  ($error != null): true
+
+    - name: "Verify the NimbusPolicy deletion"
+      try:
+        - script:
+            content: kubectl get np -n $NAMESPACE dns-manipulation-binding
+            check:
+              ($error != null): true
+
+    - name: "Verify status of SecurityIntentBinding"
+      description: >
+        This verifies that upon deletion of a NimbusPolicy, the corresponding SecurityIntentBinding's status subresource is
+        updated to reflect the current information.
+      try:
+        - assert:
+            file: sib-status-after-si-deletion-assert.yaml